# Pin PATH to the standard system directories so that the tool lookups made
# later in this script (iptables, xm) never depend on the caller's environment.
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
7 # Required-Start: $network $local_fs
9 # Should-Start: $remote_fs
10 # Should-Stop: $remote_fs
11 # Default-Start: 2 3 4 5
13 # Short-Description: Prepare firewall tables for autopkgtest Xen guests
# Location of the LSB init helper library. The existence test that follows
# presumably sources it when present; otherwise minimal stand-in log_*
# functions are defined instead.
lsbif="/lib/lsb/init-functions"
17 if test -e $lsbif; then
# Minimal stand-in for the LSB log_daemon_msg helper: print the message
# followed by ": " and no newline, so progress words can follow on the line.
log_daemon_msg () {
  printf '%s: ' "${1}"
}
# Minimal stand-in for the LSB log_progress_msg helper: emit one progress word
# followed by a single space, staying on the current output line.
log_progress_msg () {
  printf '%s ' "${1}"
}
# Minimal stand-in for the LSB log_end_msg helper: terminate the status line
# with "done.". Any arguments are ignored.
log_end_msg () {
  printf '%s\n' "done."
}
# Names of the iptables chains this script creates and manages (see the
# create and clear loops below). Kept as a space-separated word list on
# purpose: the loops iterate it with an unquoted "for chain in $chains".
chains="AdtXenIn AdtXenFwd AdtXenIcmp"
28 if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
# "block" step: cut traffic immediately. "-I" with no position inserts at
# the head of the chain, so these unconditional DROPs take precedence over
# every rule already present in INPUT, FORWARD and each managed chain.
# The matching "unblock" step deletes them again.
log_progress_msg block
iptables -I INPUT -j DROP
iptables -I FORWARD -j DROP
# One head DROP per managed chain; $chains is a fixed word list, so the
# unquoted expansion is intentional.
for chain in $chains; do iptables -I $chain -j DROP; done
# "unblock" step: remove the head DROPs placed by the "block" step.
# "-D <chain> -j DROP" deletes the first rule matching that exact spec, so
# one -D per earlier -I keeps the chains balanced.
log_progress_msg unblock
iptables -D INPUT -j DROP
iptables -D FORWARD -j DROP
# NOTE(review): only INPUT and FORWARD are unblocked in the lines shown here;
# the per-chain DROPs from the block loop are presumably deleted nearby — confirm.
# Teardown path: remove everything this script installed.
log_daemon_msg "adtxenlvm: removing firewall rules"
# "clear" step: visit each managed chain that currently exists; the body that
# actually flushes/deletes it continues on lines not shown here.
log_progress_msg clear
for chain in $chains; do
# "iptables -L -n <chain>" serves purely as an existence probe (-n avoids DNS
# lookups); its output is discarded and only the exit status is used.
if iptables -L -n $chain >/dev/null 2>&1; then
log_progress_msg $chain
66 start|restart|force-reload)
69 echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
73 echo >&2 "init.d/adt-xen unsupported action $1"
82 no) exec >/dev/null ;;
printf "adtxenlvm: reading configuration for firewall setup:\n"
# Source (execute in this shell) the shared readconfig script, which
# presumably defines the adt_fw_* variables consumed below. "${VAR:=default}"
# also assigns the default into ADT_XENLVM_SHARE when it is unset or empty, so
# later code sees the same path. Because the file runs with this script's
# privileges, it and anything it reads must be as trusted as this script.
. ${ADT_XENLVM_SHARE:=/usr/share/autopkgtest/xenlvm}/readconfig
log_daemon_msg "adtxenlvm: installing firewall rules"
# "create" step: make each managed chain exist and start empty, then put an
# unconditional DROP at its head so the chain is fail-closed while the later
# steps append rules to it. That head DROP is deleted only in the "confirm"
# and "engage" steps, once the permissive rules are in place.
log_progress_msg create
for chain in $chains; do
log_progress_msg $chain
# Create the chain; if -N fails (normally because it already exists, e.g. on
# restart) flush it instead. The -N diagnostics are silenced on purpose since
# that failure is expected.
iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
iptables -I $chain -j DROP
# "rules" step: populate AdtXenIcmp, the chain the per-destination rules below
# jump to for ICMP traffic.
log_progress_msg rules
# Echo requests (ping) are accepted unconditionally in this chain.
iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
# per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all
109 destination-unreachable source-quench \
110 time-exceeded parameter-problem \
112 iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
113 -p icmp --icmp-type $oktype
# Local package mirrors: allow plain HTTP (tcp/80) to each configured mirror
# and hand ICMP to the AdtXenIcmp chain. $adt_fw_localmirrors is presumably a
# space-separated list set by readconfig, hence the unquoted expansion.
# NOTE(review): $main is assigned on a line not shown here — presumably one of
# the managed chains; confirm.
for i in $adt_fw_localmirrors; do
iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Name servers: permit DNS (tcp and udp port 53) and ICMP to every
# "nameserver" entry found in /etc/resolv.conf.
# NOTE(review): "exec <file" redirects this shell's stdin for the rest of the
# script, not just for this loop; "done </etc/resolv.conf" would be scoped.
exec </etc/resolv.conf
# NOTE(review): "read" without -r interprets backslashes, and $rest is expanded
# unquoted below, so any trailing words on a nameserver line (a comment, say)
# become extra iptables arguments and the rule is likely rejected. Tightening
# to "read -r command rest" and checking that $rest is a single address would
# make this robust.
while read command rest; do
# The "x" prefix keeps the comparison safe for an empty or option-like value.
if [ "x$command" = "xnameserver" ]; then
iptables -A $main -d $rest -j ACCEPT -p tcp --dport 53
iptables -A $main -d $rest -j ACCEPT -p udp --dport 53
iptables -A $main -d $rest -j AdtXenIcmp -p icmp
# Test-bed clients: accept TCP to each client except connection-initiating
# packets ("! --syn" matches everything but SYN-only segments), so no new TCP
# session towards a client is opened from this side; ICMP goes via AdtXenIcmp.
# This is a stateless match, unlike the conntrack rules used elsewhere.
for i in $adt_fw_testbedclients; do
iptables -A $main -d $i -j ACCEPT -p tcp ! --syn
iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Prohibited networks: actively refuse (rather than silently drop) traffic to
# each listed network with an ICMP net-prohibited error, so peers fail fast.
for i in $adt_fw_prohibnets; do
iptables -A $main -d $i -j REJECT --reject-with icmp-net-prohibited
# Globally reachable ports: only when the list is non-empty, let ICMP to any
# destination through AdtXenIcmp and accept TCP to each listed port whatever
# the destination. The "x" prefix makes the test safe for an empty value.
if [ x"$adt_fw_allowglobalports" != x ]; then
iptables -A $main -p icmp -j AdtXenIcmp
# $adt_fw_allowglobalports is a space-separated port list; unquoted on purpose.
for port in $adt_fw_allowglobalports; do
iptables -A $main -p tcp --dport $port -j ACCEPT
# Optional site hook: taken only when adt_fw_hook is set; what is run with it
# is on lines not shown here.
if [ "x$adt_fw_hook" != x ]; then
log_progress_msg hook
# "confirm" step: finish the main chain. The terminal REJECT is appended first
# and the head DROP (inserted in the "create" step) deleted only afterwards,
# so at no point can traffic fall through the chain to the parent's policy.
log_progress_msg confirm
iptables -A $main -j REJECT --reject-with icmp-admin-prohibited
iptables -D $main -j DROP
# "engage" step: wire up AdtXenIn, then lift the remaining head DROPs.
log_progress_msg engage
# Echo requests and packets of connections conntrack already knows
# (ESTABLISHED) are accepted; everything else is handed to AdtXenFwd.
iptables -A AdtXenIn -j ACCEPT -p icmp --icmp-type echo-request
iptables -A AdtXenIn -j ACCEPT -m conntrack --ctstate ESTABLISHED
iptables -A AdtXenIn -j AdtXenFwd
# Same ordering discipline as in "confirm": the permissive rules are in place
# before the fail-closed head DROP is removed from each chain.
iptables -D AdtXenIn -j DROP
iptables -D AdtXenIcmp -j DROP
# "proxyarp" step: enable proxy ARP on the host interface, presumably so the
# host answers ARP queries on behalf of the Xen guests.
log_progress_msg proxyarp
# NOTE(review): the interface name is hard-coded to eth0. On a host whose link
# has another name the write fails, and if an unrelated eth0 exists the wrong
# interface is configured — consider taking the name from the configuration
# sourced above.
echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp