/usr/sbin/iptables-apply is in iptables 1.4.12-1ubuntu4.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 | #!/bin/bash
#
# iptables-apply -- a safer way to update iptables remotely
#
# Copyright © Martin F. Krafft <madduck@madduck.net>
# Released under the terms of the Artistic Licence 2.0
#
set -eu
PROGNAME="${0##*/}";
VERSION=1.0
TIMEOUT=10
function blurb()
{
cat <<-_eof
$PROGNAME $VERSION -- a safer way to update iptables remotely
_eof
}
function copyright()
{
cat <<-_eof
$PROGNAME is C Martin F. Krafft <madduck@madduck.net>.
The program has been published under the terms of the Artistic Licence 2.0
_eof
}
function about()
{
blurb
echo
copyright
}
function usage()
{
cat <<-_eof
Usage: $PROGNAME [options] ruleset
The script will try to apply a new ruleset (as output by iptables-save/read
by iptables-restore) to iptables, then prompt the user whether the changes
are okay. If the new ruleset cut the existing connection, the user will not
be able to answer affirmatively. In this case, the script rolls back to the
previous ruleset.
The following options may be specified, using standard conventions:
-t | --timeout Specify the timeout in seconds (default: $TIMEOUT)
-V | --version Display version information
-h | --help Display this help text
_eof
}
SHORTOPTS="t:Vh";
LONGOPTS="timeout:,version,help";
OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $?
for opt in $OPTS; do
case "$opt" in
(-*) unset OPT_STATE;;
(*)
case "${OPT_STATE:-}" in
(SET_TIMEOUT)
eval TIMEOUT=$opt
case "$TIMEOUT" in
([0-9]*) :;;
(*)
echo "E: non-numeric timeout value." >&2
exit 1
;;
esac
;;
esac
;;
esac
case "$opt" in
(-h|--help) usage >&2; exit 0;;
(-V|--version) about >&2; exit 0;;
(-t|--timeout) OPT_STATE=SET_TIMEOUT;;
(--) break;;
esac
shift
done
case "$PROGNAME" in
(*6*)
SAVE=ip6tables-save
RESTORE=ip6tables-restore
DEFAULT_FILE=/etc/network/ip6tables
;;
(*)
SAVE=iptables-save
RESTORE=iptables-restore
DEFAULT_FILE=/etc/network/iptables
;;
esac
FILE="${1:-$DEFAULT_FILE}";
if [[ -z "$FILE" ]]; then
echo "E: missing file argument." >&2
exit 1
fi
if [[ ! -r "$FILE" ]]; then
echo "E: cannot read $FILE" >&2
exit 2
fi
COMMANDS=(tempfile "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
if ! command -v $cmd >/dev/null; then
echo "E: command not found: $cmd" >&2
exit 127
fi
done
umask 0700
TMPFILE=$(tempfile -p iptap)
trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
if ! "$SAVE" >"$TMPFILE"; then
if ! grep -q ipt /proc/modules 2>/dev/null; then
echo "E: iptables support lacking from the kernel." >&2
exit 3
else
echo "E: unknown error saving current iptables ruleset." >&2
exit 4
fi
fi
[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop
echo -n "Applying new ruleset... "
if ! "$RESTORE" <"$FILE"; then
echo "failed."
echo "E: unknown error applying new iptables ruleset." >&2
exit 5
else
echo done.
fi
echo -n "Can you establish NEW connections to the machine? (y/N) "
read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || :
case "${ret:-}" in
(y*|Y*)
echo
echo ... then my job is done. See you next time.
;;
(*)
if [[ -z "${ret:-}" ]]; then
echo "apparently not..."
else
echo
fi
echo "Timeout. Something happened (or did not). Better play it safe..."
echo -n "Reverting to old ruleset... "
"$RESTORE" <"$TMPFILE";
echo done.
exit 255
;;
esac
[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start
exit 0
# vim:noet:sw=8
|