# adt-xen init script (excerpt, non-contiguous lines): builds an egress
# firewall for Xen test guests using three custom iptables chains.
# The overall shape visible here is fail-closed: a DROP rule is inserted at
# the top of each chain before it is populated and only removed (-D) once
# the rules are in place.  No `set -e` is used, so a failing iptables call
# is not fatal -- the DROP inserted earlier then stays in effect.
# Fixed, root-only PATH so the iptables/xm binaries cannot be shadowed.
5 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Site configuration (LOCAL_MIRROR_IPS, LOCAL_CLIENT_IPS, LOCAL_NETWORKS,
# ALLOW_GLOBAL_HTTP are read below); body of the test is not shown.
7 default=/etc/default/adt-xen
8 if test -f $default; then
# Chains managed by this script; the ordering is reused by every loop below.
12 chains='AdtXenIn AdtXenFwd AdtXenIcmp'
# Bail out when the prerequisites are absent (branch body not shown).
# `xm` is the legacy Xen toolstack; `command -v` is the portable spelling of
# this check.
14 if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
# Stop path: block everything first, then (lines not shown) tear down.
# -I puts the DROP at position 1, ahead of any existing rule.
19 iptables -I INPUT -j DROP
20 iptables -I FORWARD -j DROP
22 for chain in $chains; do iptables -I $chain -j DROP; done
# -D removes only the first matching DROP; the built-in chains are then back
# to whatever rules/policy they had before.
29 iptables -D INPUT -j DROP
30 iptables -D FORWARD -j DROP
# `iptables -L` is used as an existence test for each custom chain
# (what happens inside is not shown).
37 for chain in $chains; do
38 if iptables -L $chain >/dev/null 2>&1; then
# Action dispatch (the enclosing `case "$1"` is outside this excerpt).
46 start|restart|force-reload)
49 echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
53 echo >&2 "init.d/adt-xen unsupported action $1"
# Start path: create each chain, or flush it if it already exists, then
# seed it with a DROP so the chain is closed while it is being filled.
59 for chain in $chains; do
60 iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
61 iptables -I $chain -j DROP
# AdtXenIcmp: shared ICMP policy referenced per destination below.
# Outbound echo-request is always allowed.
65 iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
66 # per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all
# ICMP error types accepted only in the context of a tracked connection
# (the `for oktype in ...` header is not shown).
# NOTE(review): netfilter conntrack classifies ICMP error messages that
# refer to an existing flow as RELATED, not ESTABLISHED; with
# `--ctstate ESTABLISHED` these rules may never match -- verify, and
# consider `--ctstate RELATED,ESTABLISHED` if that is the intent.
70 destination-unreachable source-quench \
71 time-exceeded parameter-problem \
73 iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
74 -p icmp --icmp-type $oktype
# Package mirrors: HTTP only, plus the ICMP policy.  `$main` is assigned
# outside this excerpt (presumably AdtXenFwd).  The unquoted list
# variables are deliberately word-split.
79 for i in $LOCAL_MIRROR_IPS; do
80 iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
81 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# DNS: allow 53/tcp+udp to each resolver listed in /etc/resolv.conf.
# `exec <file` redirects stdin for the REST of the script, not just this
# loop; a `while ...; done </etc/resolv.conf` would scope it.  `read`
# without -r/IFS= and unquoted $rest pass anything after "nameserver"
# straight to iptables; an IPv6 resolver would make the call fail, and
# since errors are not checked that resolver is silently left blocked.
84 exec </etc/resolv.conf
85 while read command rest; do
86 if [ "x$command" = "xnameserver" ]; then
87 iptables -A $main -d $rest -j ACCEPT -p tcp --dport 53
88 iptables -A $main -d $rest -j ACCEPT -p udp --dport 53
89 iptables -A $main -d $rest -j AdtXenIcmp -p icmp
# Test clients: only non-SYN TCP (i.e. replies to connections the client
# opened towards the guest), never guest-initiated connections.
93 for i in $LOCAL_CLIENT_IPS; do
94 iptables -A $main -d $i -j ACCEPT -p tcp ! --syn
95 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Everything else on the local networks is refused with an explicit ICMP
# error (faster failure for the guest than a silent DROP).
98 for i in $LOCAL_NETWORKS; do
99 iptables -A $main -d $i -j REJECT --reject-with icmp-net-prohibited
# Optional: unrestricted outbound HTTP/ICMP to the Internet (the matching
# case pattern is not shown).
102 case "$ALLOW_GLOBAL_HTTP" in
104 iptables -A $main -p tcp --dport 80 -j ACCEPT
105 iptables -A $main -p icmp -j AdtXenIcmp
# Hook for site-local extra rules ($default-rules); how the file is
# consumed is not shown.
109 if test -f $default-rules; then
# Default policy for the forward chain, then lift the initial DROP.
# NOTE(review): line 114 appends an unconditional ACCEPT after an
# unconditional REJECT; if both are in the same branch the ACCEPT is
# unreachable -- check the surrounding lines that are not shown.
113 iptables -A $main -j REJECT --reject-with icmp-admin-prohibited
114 iptables -A $main -j ACCEPT
115 iptables -D $main -j DROP
# AdtXenIn: accept pings and replies to tracked flows, defer the rest to
# the forward policy, then lift the initial DROP.  RELATED is not
# accepted here either (see the AdtXenIcmp note above).
117 iptables -A AdtXenIn -j ACCEPT -p icmp --icmp-type echo-request
118 iptables -A AdtXenIn -j ACCEPT -m conntrack --ctstate ESTABLISHED
119 iptables -A AdtXenIn -j AdtXenFwd
120 iptables -D AdtXenIn -j DROP
# Only IPv4 is filtered in this excerpt (no ip6tables calls); if guests
# have IPv6 connectivity it bypasses all of the above.  The interface is
# hard-coded to eth0.
122 echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp