# Fixed, trusted search path.  Nothing later in this script should depend on
# whatever PATH the caller happened to have; the commands it runs (iptables,
# xm) change the host's packet filter, so they must be the system copies.
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"

# LSB init helper library.  When it is missing, the minimal log_* fallbacks
# defined further down are used instead.
lsbif="/lib/lsb/init-functions"
6 if test -e $lsbif; then
# Fallback for the LSB log_daemon_msg: print "$1: " with no trailing newline,
# so the progress words emitted afterwards continue on the same line.
log_daemon_msg() {
  printf '%s: ' "$1"
}
# Fallback for the LSB log_progress_msg: append one word and a space to the
# current output line (no newline), so several steps read as "a b c done.".
log_progress_msg() {
  printf '%s ' "$1"
}
# Fallback for the LSB log_end_msg: terminate the progress line.  Any
# argument is ignored, matching the original one-liner.
log_end_msg() {
  printf '%s\n' 'done.'
}
# The custom iptables chains this script owns.  They are deliberately kept as
# one space-separated string because every loop over them expands the
# variable unquoted (word-splitting is the intended iteration mechanism).
chains="AdtXenIn AdtXenFwd AdtXenIcmp"
17 if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
22 log_progress_msg block
# Fail closed: -I inserts an unconditional DROP at the head of INPUT and
# FORWARD before any other rule is touched, so no traffic passes while the
# rule set is being changed.
23 iptables -I INPUT -j DROP
24 iptables -I FORWARD -j DROP
# Same for each of the script's own chains.  If a chain does not exist yet,
# iptables exits non-zero; no `set -e` is visible in this listing, so the
# loop simply carries on -- confirm that is intended.
26 for chain in $chains; do iptables -I $chain -j DROP; done
33 log_progress_msg unblock
# -D removes exactly one matching rule, i.e. a single head DROP per chain.
# If the blocking step ran more than once, one DROP would still be left in
# place.  Only INPUT and FORWARD are reopened here; the DROP in the custom
# chains is not touched by these lines.
34 iptables -D INPUT -j DROP
35 iptables -D FORWARD -j DROP
41 log_daemon_msg "adtxenlvm: removing firewall rules"
# Progress word for the chain clean-up loop that follows.
43 log_progress_msg clear
44 for chain in $chains; do
45 if iptables -L -n $chain >/dev/null 2>&1; then
46 log_progress_msg $chain
55 start|restart|force-reload)
58 echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
62 echo >&2 "init.d/adt-xen unsupported action $1"
71 no) exec >/dev/null ;;
74 printf "adtxenlvm: reading configuration for firewall setup:\n"
# Sources shell code from ${ADT_XENLVM_SHARE}/readconfig; the ':=' form also
# writes the default back into ADT_XENLVM_SHARE for later use.  Everything
# below modifies iptables and /proc/sys, so whatever that file contains
# runs with the same privileges: the directory it lives in must not be
# writable by anyone other than the administrator.  The adt_fw_* variables
# used further down are presumably set there (not visible in this listing).
75 . ${ADT_XENLVM_SHARE:=/usr/share/autopkgtest/xenlvm}/readconfig
79 log_daemon_msg "adtxenlvm: installing firewall rules"
# Progress word for the chain-creation loop that follows.
83 log_progress_msg create
84 for chain in $chains; do
85 log_progress_msg $chain
86 iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
87 iptables -I $chain -j DROP
91 log_progress_msg rules
# Accept echo-request in the ICMP chain.  At this point the chain still has
# the DROP that was inserted when it was created at its head, so rules
# appended with -A stay inert until that DROP is deleted at the end of
# set-up ("engage").
93 iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
94 # per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all
98 destination-unreachable source-quench \
99 time-exceeded parameter-problem \
101 iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
102 -p icmp --icmp-type $oktype
107 for i in $adt_fw_localmirrors; do
108 iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
109 iptables -A $main -d $i -j AdtXenIcmp -p icmp
# NOTE(review): 'exec <file' replaces the script's standard input for the
# rest of the run, not just for the loop that follows.  Unless stdin is
# restored later (not visible here), every command started afterwards,
# including any hook, inherits /etc/resolv.conf as its stdin.
112 exec </etc/resolv.conf
113 while read command rest; do
114 if [ "x$command" = "xnameserver" ]; then
115 iptables -A $main -d $rest -j ACCEPT -p tcp --dport 53
116 iptables -A $main -d $rest -j ACCEPT -p udp --dport 53
117 iptables -A $main -d $rest -j AdtXenIcmp -p icmp
121 for i in $adt_fw_testbedclients; do
122 iptables -A $main -d $i -j ACCEPT -p tcp ! --syn
123 iptables -A $main -d $i -j AdtXenIcmp -p icmp
126 for i in $adt_fw_prohibnets; do
127 iptables -A $main -d $i -j REJECT --reject-with icmp-net-prohibited
130 if [ x"$adt_fw_allowglobalports" != x ]; then
131 iptables -A $main -p icmp -j AdtXenIcmp
133 for port in $adt_fw_allowglobalports; do
134 iptables -A $main -p tcp --dport $port -j ACCEPT
137 if [ "x$adt_fw_hook" != x ]; then
138 log_progress_msg hook
142 log_progress_msg confirm
# Explicit default-deny at the tail of $main ($main is set outside the
# visible lines): anything not accepted by the rules above is refused with
# an admin-prohibited ICMP rather than silently dropped.
144 iptables -A $main -j REJECT --reject-with icmp-admin-prohibited
# Only now remove the head DROP placed at chain creation.  Because the REJECT
# was appended first, there is no moment at which the chain is permissive.
145 iptables -D $main -j DROP
147 log_progress_msg engage
# AdtXenIn: echo-request and already-established flows are accepted,
# everything else is handed to AdtXenFwd.  AdtXenIn's own head DROP is
# still in place while these rules are appended.
149 iptables -A AdtXenIn -j ACCEPT -p icmp --icmp-type echo-request
150 iptables -A AdtXenIn -j ACCEPT -m conntrack --ctstate ESTABLISHED
151 iptables -A AdtXenIn -j AdtXenFwd
# Lift the creation-time DROPs; the two chains become live from here on.
152 iptables -D AdtXenIn -j DROP
154 iptables -D AdtXenIcmp -j DROP
156 log_progress_msg proxyarp
# The interface name is hard-coded.  If eth0 does not exist the redirection
# fails and, with no `set -e` visible in this listing, the script carries on
# silently; consider taking the interface from the configuration instead.
158 echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp