notes/linux: change_tables.sh

File change_tables.sh, 4.3 KB (added by root, at 2015-06-06T06:29:36Z)
Line 
1#!/bin/sh
2#
3# Copyright (c) 2000 Alexandre Peixoto
4# All rights reserved.
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26#
27# $FreeBSD: stable/10/share/examples/ipfw/change_rules.sh 119833 2003-09-07 07:52:56Z jmg $
28
29# Change ipfw(8) rules with safety guarantees for remote operation
30#
31# Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
32# or vi(1) if the environment variable is not set, for you to edit
33# ${firewall_script}, ask for confirmation, and then run
34# ${firewall_script}. You can then examine the output of ipfw list and
35# confirm whether you want the new version or not.
36#
37# If no answer is received in 30 seconds, the previous
38# ${firewall_script} is run, restoring the old rules (this assumes ipfw
39# flush is present in it).
40#
41# If the new rules are confirmed, they'll replace ${firewall_script} and
42# the previous ones will be copied to ${firewall_script}.{date}. Mail
43# will also be sent to root with a unified diff of the rule change.
44#
45# Unapproved rules are kept in ${firewall_script}.new, and you are
46# offered the option of changing them instead of the present rules when
47# you call this script.
48#
49# This script could be improved by using version control
50# software.
51
52#if [ -r /etc/defaults/rc.conf ]; then
53#       . /etc/defaults/rc.conf
54#       source_rc_confs
55#elif [ -r /etc/rc.conf ]; then
56#       . /etc/rc.conf
57#fi
58
59EDITOR=${EDITOR:-/bin/vi}
60PAGER=${PAGER:-/bin/more}
61FWDIR=${FWDIR:-/etc/firewall}
62
63tempfoo=`basename $0`
64TMPFILE=`mktemp -t ${tempfoo}XXXX` || exit 1
65
66get_yes_no() {
67        while true
68        do
69                echo -n "$1 (Y/N) ? "
70                read -t 30 a
71                if [ $? != 0 ]; then
72                        a="No";
73                        return;
74                fi
75                case $a in
76                        [Yy]) a="Yes";
77                              return;;
78                        [Nn]) a="No";
79                              return;;
80                        *);;
81                esac
82        done
83}
84
85restore_rules() {
86        iptables-restore ${firewall_script} </dev/null >/dev/null 2>&1
87        rm ${TMPFILE}
88        exit 1
89}
90
91firewall_script="/etc/sysconfig/iptables"
92edit_file="${firewall_script}"
93
94if [ -f ${edit_file}.new ]; then
95        get_yes_no "A new rules file already exists, do you want to use it"
96        [ $a = 'No' ] && cp ${edit_file} ${edit_file}.new
97else
98        cp ${edit_file} ${edit_file}.new
99fi
100
101trap restore_rules SIGHUP
102
103${EDITOR} ${edit_file}.new
104
105get_yes_no "Do you want to install the new rules"
106
107[ $a = 'No' ] && exit 1
108
109cat <<!
110The rules will be changed now. If the message 'Type y to keep the new
111rules' does not appear on the screen or the y key is not pressed in 30
112seconds, the original rules will be restored.
113The TCP/IP connections might be broken during the change. If so, restore
114the ssh/telnet connection being used.
115!
116
117iptables-restore ${firewall_script}.new \
118 < /dev/null > ${TMPFILE} 2>&1 &&
119iptables-save \
120 < /dev/null > ${TMPFILE} 2>&1
121
122sleep 2;
123get_yes_no "Would you like to see the resulting new rules"
124[ $a = 'Yes' ] && ${PAGER} ${TMPFILE}
125get_yes_no "Type y to keep the new rules"
126[ $a != 'Yes' ] && restore_rules
127
128arch_file=${FWDIR}/`basename ${edit_file}`.`date "+%Y%m%d%H%M"`
129cp ${edit_file} ${arch_file}
130mv ${edit_file}.new ${edit_file}
131cat <<!
132The new rules are now installed. The previous rules have been preserved in
133the file ${arch_file}
134!
135diff -F "^# .*[A-Za-z]" -u ${arch_file} ${edit_file} \
136    | mail -s "`hostname` Firewall rule change" root
137rm ${TMPFILE}
138exit 0