# Pin PATH to the standard system directories so that iptables, xm and the
# other tools used below resolve to the system binaries regardless of the
# environment the init script was invoked from.
3 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
7 # Required-Start: $network $remote_fs
8 # Required-Stop: $network $remote_fs
9 # Default-Start: 2 3 4 5
11 # Short-Description: Prepare firewall tables for autopkgtest Xen guests
14 lsbif=/lib/lsb/init-functions
# Prefer the LSB logging helpers when the distribution ships them; the
# fallback one-line definitions that follow provide the same three entry
# points so the rest of the script does not care which set is active.
15 if test -e $lsbif; then
log_daemon_msg () {
    # Fallback when LSB init-functions are unavailable: print the message
    # followed by ": " and no newline, so progress words can be appended.
    printf '%s: ' "$1"
}
log_progress_msg () {
    # Fallback when LSB init-functions are unavailable: emit one progress
    # word followed by a single space, no newline.
    printf '%s ' "$1"
}
log_end_msg () {
    # Fallback when LSB init-functions are unavailable: terminate the
    # progress line.  The status argument LSB passes is ignored here.
    printf 'done.\n'
}
# /etc/default/rcS is root-owned system configuration (VERBOSE and friends);
# sourcing it is the usual init-script idiom, not an untrusted input.
22 if test -f /etc/default/rcS; then . /etc/default/rcS; fi
# The three private chains this script owns.  In the code visible here only
# these chains are ever created, flushed or deleted; the built-in INPUT and
# FORWARD chains only ever get a single temporary DROP rule inserted/removed.
24 chains='AdtXenIn AdtXenFwd AdtXenIcmp'
# Both tools are required: without iptables there is nothing to configure,
# and without xm this is not a Xen host.  (The body of this branch is not
# shown here.)
26 if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
# "block": fail closed while the rule set is rebuilt (presumably the body of
# a helper whose header is not shown here).  Inserting DROP at position 1 of
# INPUT and FORWARD stops *all* traffic into and through the host, including
# any remote administrative session, until "unblock" removes it again.  No
# trap/cleanup and no set -e are visible in this excerpt, so an abort or a
# failing iptables call between block and unblock leaves the host cut off.
31 log_progress_msg block
32 iptables -I INPUT -j DROP
33 iptables -I FORWARD -j DROP
# The private chains get the same temporary leading DROP.
35 for chain in $chains; do iptables -I $chain -j DROP; done
# "unblock": remove the temporary DROP rules again.  -D deletes only the
# first matching rule, so this relies on block having run exactly once; a
# second block (e.g. an interrupted earlier run) would leave one DROP behind.
42 log_progress_msg unblock
43 iptables -D INPUT -j DROP
44 iptables -D FORWARD -j DROP
50 log_daemon_msg "adtxenlvm: removing firewall rules"
52 log_progress_msg clear
# Tear down only the chains listed in $chains.  "iptables -L -n" serves as an
# existence probe (output discarded); -n avoids reverse-DNS lookups that
# could otherwise stall teardown on a host without working DNS.
53 for chain in $chains; do
54 if iptables -L -n $chain >/dev/null 2>&1; then
55 log_progress_msg $chain
# start, restart and force-reload all rebuild the rule set from scratch.
64 start|restart|force-reload)
67 echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
71 echo >&2 "init.d/adt-xen unsupported action $1"
# Silence progress output when not verbose (presumably keyed on $VERBOSE from
# /etc/default/rcS; the case header is not shown here).  Only stdout is
# redirected, so iptables errors on stderr remain visible.
80 no) exec >/dev/null ;;
83 adt_readconfig_initscript=y
84 printf "adtxenlvm: reading configuration for firewall setup:\n"
# readconfig is *sourced* (executed in this root shell), so it and whatever
# it reads must be trusted.  ADT_XENLVM_SHARE is honoured from the
# environment when already set, which lets a caller redirect root to a
# different readconfig — only invoke this script from a trusted environment.
# The adt_fw_* variables used below presumably come from this file.
85 . ${ADT_XENLVM_SHARE:=/usr/share/autopkgtest/xenlvm}/readconfig
89 log_daemon_msg "adtxenlvm: installing firewall rules"
93 log_progress_msg create
# Create each private chain, or flush it if it already exists (the -N error
# is deliberately hidden), and immediately give it a leading DROP so the
# chain fails closed while its rules are appended.  That DROP is removed
# again only once the chain is complete (see the confirm/engage steps).
94 for chain in $chains; do
95 log_progress_msg $chain
96 iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
97 iptables -I $chain -j DROP
101 log_progress_msg rules
# AdtXenIcmp: the ICMP a guest may send to a host it is otherwise allowed to
# reach.  Echo requests are always accepted; the error types listed in the
# for-loop below are accepted only when conntrack ties them to a tracked flow.
# NOTE(review): conntrack classifies ICMP errors that reference an existing
# flow as RELATED, not ESTABLISHED (ESTABLISHED on ICMP covers the echo-reply
# of a tracked echo-request), so the --ctstate ESTABLISHED match below looks
# unlikely to ever accept those error types; --ctstate RELATED is probably
# what was intended — verify on a running host before changing.
103 iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
104 # per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all
108 destination-unreachable source-quench \
109 time-exceeded parameter-problem \
111 iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
112 -p icmp --icmp-type $oktype
# Local package mirrors: plain HTTP (tcp/80) only, plus the ICMP subset.
# Note this allows *any* tcp/80 service on those hosts, not just the mirror.
# ($main is presumably the guest egress chain, AdtXenFwd; its assignment is
# not shown here.)
117 for i in $adt_fw_localmirrors; do
118 iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
119 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Allow DNS to the resolvers configured on the host.  "exec <" rebinds the
# script's stdin to resolv.conf for everything that follows, not just this
# loop.
# NOTE(review): the loop trusts resolv.conf's formatting: "read" without -r
# and an unquoted $rest mean an entry with extra tokens, a backslash or a
# glob character is handed to iptables as-is, and an IPv6 resolver makes
# these (IPv4) rules fail — no exit status is checked here, so the error is
# only printed.  Prefer "read -r", quote "$rest", and skip any entry that is
# not a single IPv4 literal.
122 exec </etc/resolv.conf
123 while read command rest; do
124 if [ "x$command" = "xnameserver" ]; then
125 iptables -A $main -d $rest -j ACCEPT -p tcp --dport 53
126 iptables -A $main -d $rest -j ACCEPT -p udp --dport 53
127 iptables -A $main -d $rest -j AdtXenIcmp -p icmp
# Testbed clients (presumably hosts that connect *to* the guest): only reply
# traffic is permitted.  "! --syn" lets through every TCP segment that is not
# a bare SYN, which is a weaker check than the conntrack ESTABLISHED match
# used for AdtXenIn below — crafted non-SYN segments (e.g. ACK scans) to
# these hosts still pass.  Consider -m conntrack --ctstate ESTABLISHED here
# for consistency.
131 for i in $adt_fw_testbedclients; do
132 iptables -A $main -d $i -j ACCEPT -p tcp ! --syn
133 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Networks the guest must never reach.  All rules are appended in order, so
# these sit after the mirror/DNS/client allows but before the global port
# allows: a prohibited network overrides adt_fw_allowglobalports, but a
# mirror, resolver or client address inside a prohibited network is still
# reachable.  REJECT rather than DROP so the guest fails fast.
136 for i in $adt_fw_prohibnets; do
137 iptables -A $main -d $i -j REJECT --reject-with icmp-net-prohibited
# Ports reachable on *any* destination.  Enabling any global port also opens
# the ICMP subset to every host.  TCP only; there is no UDP equivalent here.
140 if [ x"$adt_fw_allowglobalports" != x ]; then
141 iptables -A $main -p icmp -j AdtXenIcmp
143 for port in $adt_fw_allowglobalports; do
144 iptables -A $main -p tcp --dport $port -j ACCEPT
# Site hook for extra rules, taken from the configuration.  How it is
# invoked is not shown here; presumably it runs with this script's (root)
# privileges, so treat its contents as code.
147 if [ "x$adt_fw_hook" != x ]; then
148 log_progress_msg hook
152 log_progress_msg confirm
# Switch the chain from its temporary fail-closed state to the final policy:
# append the explicit REJECT *before* removing the leading DROP, so there is
# no window in which unmatched traffic is accepted.
154 iptables -A $main -j REJECT --reject-with icmp-admin-prohibited
155 iptables -D $main -j DROP
157 log_progress_msg engage
# AdtXenIn (presumably traffic towards guests): pings and packets belonging
# to tracked connections are accepted; everything else is handed to
# AdtXenFwd.  AdtXenIn has no terminating rule of its own, so whatever
# AdtXenFwd does not decide returns to the calling chain.  As above, the
# leading DROPs are removed only after the chains are complete.
159 iptables -A AdtXenIn -j ACCEPT -p icmp --icmp-type echo-request
160 iptables -A AdtXenIn -j ACCEPT -m conntrack --ctstate ESTABLISHED
161 iptables -A AdtXenIn -j AdtXenFwd
162 iptables -D AdtXenIn -j DROP
164 iptables -D AdtXenIcmp -j DROP
166 log_progress_msg proxyarp
# Answer ARP for guest addresses on the host's interface so routed guests
# are reachable.  The interface is hard-coded to eth0.
# NOTE(review): everything in this excerpt is IPv4 only (iptables, proxy_arp);
# no ip6tables rules are visible.  If the host has IPv6 connectivity, guest
# IPv6 traffic would be subject to none of these restrictions — confirm that
# IPv6 is disabled for the guests or filtered elsewhere.
168 echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp