# Fixed search path so the iptables/xm lookups below do not depend on
# whatever PATH the caller of this init script happened to have.
3 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
7 # Required-Start: $network $local_fs
9 # Should-Start: $remote_fs
10 # Should-Stop: $remote_fs
11 # Default-Start: 2 3 4 5
13 # Short-Description: Prepare firewall tables for autopkgtest Xen guests
# Prefer the distribution's LSB logging helpers when they are installed;
# the printf-based definitions that follow are presumably the fallback
# branch (the lines between are outside this listing).
16 lsbif=/lib/lsb/init-functions
17 if test -e $lsbif; then
log_daemon_msg() {
  # Fallback for /lib/lsb/init-functions: print the message followed by
  # ": " and no newline, so the progress words and the final "done."
  # continue on the same line.
  printf '%s: ' "$1"
}
log_progress_msg() {
  # Fallback for /lib/lsb/init-functions: one progress word followed by
  # a single space, no newline.
  printf '%s ' "$1"
}
log_end_msg() {
  # Fallback for /lib/lsb/init-functions: terminate the progress line.
  # Any status argument is ignored, exactly like the original.
  printf '%s\n' 'done.'
}
# The private chains this script creates and later clears; the rules
# below are installed into these rather than into the built-in chains
# (apart from the temporary INPUT/FORWARD DROP used by block/unblock).
26 chains='AdtXenIn AdtXenFwd AdtXenIcmp'
# Both tools are required; the branch handling their absence is outside
# this listing.
28 if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
33 log_progress_msg block
# Temporarily drop all inbound and forwarded traffic on this host, and
# everything entering the private chains, while the rule set is being
# rewritten.  -I places the DROP at position 1, ahead of any existing
# accept rules, so this also cuts established remote sessions until
# "unblock" deletes the same rules.
# NOTE(review): if the script aborts between block and unblock these
# DROP rules stay in place; no trap/cleanup is visible in this listing.
34 iptables -I INPUT -j DROP
35 iptables -I FORWARD -j DROP
37 for chain in $chains; do iptables -I $chain -j DROP; done
44 log_progress_msg unblock
# Remove the temporary DROPs inserted by "block".  -D deletes the first
# rule that matches, so these must stay paired one-to-one with the
# inserts above.
45 iptables -D INPUT -j DROP
46 iptables -D FORWARD -j DROP
52 log_daemon_msg "adtxenlvm: removing firewall rules"
54 log_progress_msg clear
# Only touch chains that actually exist: "iptables -L -n" on a missing
# chain fails, and only its exit status is used here.  The body that
# empties each chain continues outside this listing.
55 for chain in $chains; do
56 if iptables -L -n $chain >/dev/null 2>&1; then
57 log_progress_msg $chain
66 start|restart|force-reload)
# Any other action is an error; both diagnostics go to stderr so they
# are not affected by stdout redirection.
69 echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
73 echo >&2 "init.d/adt-xen unsupported action $1"
# Presumably a verbosity switch: the "no" arm discards stdout for the
# rest of the script; stderr is left untouched.
82 no) exec >/dev/null ;;
# Flag presumably consulted by readconfig to select init-script behaviour.
85 adt_readconfig_initscript=y
86 printf "adtxenlvm: reading configuration for firewall setup:\n"
# Source the shared configuration reader, which presumably defines the
# adt_fw_* variables used below.  ADT_XENLVM_SHARE defaults to the
# packaged location but is honoured if already set in the environment,
# so whatever readconfig that directory holds runs with this script's
# privileges.
87 . ${ADT_XENLVM_SHARE:=/usr/share/autopkgtest/xenlvm}/readconfig
91 log_daemon_msg "adtxenlvm: installing firewall rules"
95 log_progress_msg create
# Create each private chain, or flush it if it already exists (a failing
# -N is the only error silenced here), then seal it with a DROP at
# position 1 so nothing passes until the rule set is complete and the
# "confirm"/"engage" steps delete that DROP again.
96 for chain in $chains; do
97 log_progress_msg $chain
98 iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
99 iptables -I $chain -j DROP
103 log_progress_msg rules
# Echo requests pass unconditionally; the ICMP error types handled
# further down are accepted only for ESTABLISHED flows.
105 iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
106 # per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all
110 destination-unreachable source-quench \
111 time-exceeded parameter-problem \
113 iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
114 -p icmp --icmp-type $oktype
# Local package mirrors: plain HTTP plus the ICMP policy, per address.
119 for i in $adt_fw_localmirrors; do
120 iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
121 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Allow DNS (TCP and UDP 53) plus the ICMP policy towards every
# nameserver listed in the host's resolv.conf.  "exec <" rebinds the
# script's stdin for the rest of the run, not just for this loop.
# NOTE(review): "read" without -r interprets backslashes, and $rest is
# unquoted, so anything following the address on a nameserver line is
# passed to iptables as extra arguments.  "read -r command addr _"
# together with -d "$addr" would pin the match to the first token.
124 exec </etc/resolv.conf
125 while read command rest; do
126 if [ "x$command" = "xnameserver" ]; then
127 iptables -A $main -d $rest -j ACCEPT -p tcp --dport 53
128 iptables -A $main -d $rest -j ACCEPT -p udp --dport 53
129 iptables -A $main -d $rest -j AdtXenIcmp -p icmp
# Testbed clients: "! --syn" excludes segments that would open a new TCP
# connection towards these addresses (SYN set, ACK/RST/FIN clear); every
# other TCP segment, and ICMP via the policy chain, is accepted.
133 for i in $adt_fw_testbedclients; do
134 iptables -A $main -d $i -j ACCEPT -p tcp ! --syn
135 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# Prohibited networks are rejected explicitly; appended before the
# global-port allows below, so they take precedence within $main.
138 for i in $adt_fw_prohibnets; do
139 iptables -A $main -d $i -j REJECT --reject-with icmp-net-prohibited
# Optional global allows: when any ports are configured, ICMP to any
# destination goes through the ICMP policy and each listed TCP port is
# accepted towards any destination.  x"..." != x is the portable
# non-empty test.
142 if [ x"$adt_fw_allowglobalports" != x ]; then
143 iptables -A $main -p icmp -j AdtXenIcmp
145 for port in $adt_fw_allowglobalports; do
146 iptables -A $main -p tcp --dport $port -j ACCEPT
# Site hook from the configuration, placed after the fixed rules and
# before the final REJECT; the invocation itself is on lines not shown.
149 if [ "x$adt_fw_hook" != x ]; then
150 log_progress_msg hook
154 log_progress_msg confirm
# Order matters: the catch-all REJECT is appended at the end of $main
# before the placeholder DROP at position 1 is deleted, so the chain is
# never open at any point.
156 iptables -A $main -j REJECT --reject-with icmp-admin-prohibited
157 iptables -D $main -j DROP
159 log_progress_msg engage
# AdtXenIn accepts echo requests and ESTABLISHED flows, then hands
# everything else to AdtXenFwd.  The placeholder DROPs in AdtXenIn and
# AdtXenIcmp are deleted only after their rules are in place.
161 iptables -A AdtXenIn -j ACCEPT -p icmp --icmp-type echo-request
162 iptables -A AdtXenIn -j ACCEPT -m conntrack --ctstate ESTABLISHED
163 iptables -A AdtXenIn -j AdtXenFwd
164 iptables -D AdtXenIn -j DROP
166 iptables -D AdtXenIcmp -j DROP
168 log_progress_msg proxyarp
# Enable proxy ARP on the host interface, presumably so the host answers
# ARP for the guests' addresses.
# NOTE(review): the interface is hard-coded as eth0 and not taken from
# the configuration; on a host whose interface is named differently
# this write fails.
170 echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp