# Source the shared configuration reader. ${VAR:=default} also assigns the
# default path to ADT_XENLVM_SHARE when the variable is unset or empty.
# NOTE(review): the directory is taken from the environment and the expansion
# is unquoted, so whoever controls ADT_XENLVM_SHARE chooses the file that gets
# sourced, and this happens before PATH is pinned on the next listed line.
# The usage text further down names /etc/init.d/adt-xen, so this presumably
# runs as root - confirm the variable cannot be set by an unprivileged caller.
3 . ${ADT_XENLVM_SHARE:=/usr/share/autopkgtest/xenlvm}/readconfig
# Pin PATH to fixed system directories so the iptables/xm lookups below do not
# depend on the caller's PATH.
4 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Optional site configuration file.
6 default=/etc/default/adt-xen
# Body elided in this listing (gutter jumps from 7 to 11); presumably the file
# is sourced when present - confirm against the full script.
7 if test -f $default; then
# Space-separated names of the user-defined iptables chains this script manages.
11 chains='AdtXenIn AdtXenFwd AdtXenIcmp'
# True when either iptables or xm cannot be found on PATH; what the script
# does in that case is not shown (lines 14-17 are elided).
13 if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
# Fail closed: insert an unconditional DROP at the head of the built-in INPUT
# and FORWARD chains. The enclosing construct is elided in this listing.
18 iptables -I INPUT -j DROP
19 iptables -I FORWARD -j DROP
# Same for every managed chain. $chains is left unquoted so that the
# space-separated list is split into one word per chain name.
21 for chain in $chains; do iptables -I $chain -j DROP; done
# Remove the temporary DROP rules from the built-in chains again.
28 iptables -D INPUT -j DROP
29 iptables -D FORWARD -j DROP
# For each managed chain that currently exists (iptables -L succeeds on it),
# run the elided body (lines 38 onward are not shown).
# NOTE(review): `iptables -L` without -n resolves addresses to names; for a
# pure existence check, -n would avoid DNS lookups while the DROP is in place.
36 for chain in $chains; do
37 if iptables -L $chain >/dev/null 2>&1; then
# Case arm for the actions that (re)build the rule set. The surrounding `case`
# statement and the body of this arm are elided in this listing.
45 start|restart|force-reload)
# Usage message, written to stderr.
48 echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
# Diagnostic for an action the script does not handle, written to stderr; the
# caller-supplied $1 is echoed back inside a quoted string.
52 echo >&2 "init.d/adt-xen unsupported action $1"
# (Re)create each managed chain so that it starts out dropping everything.
58 for chain in $chains; do
# Create the chain; if -N fails (its error output is discarded, e.g. because
# the chain already exists) flush the chain instead.
59 iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
# Hold the chain closed with a leading DROP while the rules below are added.
60 iptables -I $chain -j DROP
# AdtXenIcmp: always accept ICMP echo-request.
64 iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
65 # per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all
# The lines below are the tail of a loop over ICMP type names (its header,
# lines 66-68, and line 71 are elided); each listed type is accepted only for
# packets that conntrack reports as ESTABLISHED.
# NOTE(review): netfilter conntrack normally classifies ICMP error messages
# (destination-unreachable, time-exceeded, parameter-problem) as RELATED, not
# ESTABLISHED - confirm these rules match the traffic they are meant to admit.
# source-quench was deprecated by RFC 6633.
69 destination-unreachable source-quench \
70 time-exceeded parameter-problem \
72 iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
73 -p icmp --icmp-type $oktype
# Build the rules of the chain named by $main. $main and the adt_fw_* lists
# are set in lines not shown here (presumably by readconfig or the defaults
# file - confirm). Rules are appended, so the order below is the match order.
# Only iptables (IPv4) calls are visible in this listing; whether IPv6 traffic
# is filtered anywhere cannot be told from here.
#
# Local mirrors: allow TCP port 80 and hand ICMP to the AdtXenIcmp chain.
78 for i in $adt_fw_localmirrors; do
79 iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
80 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Redirect the script's stdin to resolv.conf so the `read` loop below parses it.
83 exec </etc/resolv.conf
# First word goes to $command, the whole remainder of the line to $rest.
84 while read command rest; do
85 if [ "x$command" = "xnameserver" ]; then
# Allow DNS over TCP and UDP, plus filtered ICMP, to each configured resolver.
# NOTE(review): $rest is unquoted and holds everything after "nameserver", so
# any extra tokens on that line would be passed to iptables as additional
# arguments; `read` is also used without -r. resolv.conf may be written by
# network configuration tooling - consider validating the address first.
86 iptables -A $main -d $rest -j ACCEPT -p tcp --dport 53
87 iptables -A $main -d $rest -j ACCEPT -p udp --dport 53
88 iptables -A $main -d $rest -j AdtXenIcmp -p icmp
# Testbed clients: accept TCP segments that are not a connection-opening SYN,
# so new connections towards these hosts are not admitted by this rule. This
# is a stateless flag test, not connection tracking: any non-SYN segment passes.
92 for i in $adt_fw_testbedclients; do
93 iptables -A $main -d $i -j ACCEPT -p tcp ! --syn
94 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Prohibited networks: reject with an ICMP net-prohibited error. These rules
# come after the accepts above, so a mirror, resolver or client inside a
# prohibited network is still matched by its earlier rule.
97 for i in $adt_fw_prohibnets; do
98 iptables -A $main -d $i -j REJECT --reject-with icmp-net-prohibited
# When a list of globally allowed ports is configured: send ICMP to any
# destination through AdtXenIcmp and accept TCP to each listed port,
# regardless of destination address.
101 if [ x"$adt_fw_allowglobalports" != x ]; then
102 iptables -A $main -p icmp -j AdtXenIcmp
104 for port in $adt_fw_allowglobalports; do
105 iptables -A $main -p tcp --dport $port -j ACCEPT
# Optional site rules file, /etc/default/adt-xen-rules given the value of
# $default shown earlier. Body elided (lines 109-111); presumably the file is
# sourced, which would run its contents with this script's privileges - confirm
# the file's ownership and permissions.
108 if test -f $default-rules; then
# Default policy for the chain: reject whatever was not matched above.
112 iptables -A $main -j REJECT --reject-with icmp-admin-prohibited
# NOTE(review): as listed, this ACCEPT follows an unconditional REJECT in the
# same chain and would never be reached - check the elided lines 109-111 for
# a conditional that separates the two.
113 iptables -A $main -j ACCEPT
# Rule set complete: remove the temporary leading DROP to activate it.
114 iptables -D $main -j DROP
# AdtXenIn: accept ICMP echo-request and packets that conntrack reports as
# ESTABLISHED, then evaluate everything else against the AdtXenFwd chain.
116 iptables -A AdtXenIn -j ACCEPT -p icmp --icmp-type echo-request
117 iptables -A AdtXenIn -j ACCEPT -m conntrack --ctstate ESTABLISHED
118 iptables -A AdtXenIn -j AdtXenFwd
# Chain is fully populated: remove its temporary leading DROP.
119 iptables -D AdtXenIn -j DROP
# Enable proxy ARP on eth0.
# NOTE(review): the interface name is hard-coded, and no matching disable is
# visible in this listing - confirm eth0 is the intended interface on every
# host and that the setting is reverted on stop if that is required.
121 echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp