#!/bin/bash # info: stop system firewall # options: NONE # # example: v-stop-firewall # # This function stops iptables #----------------------------------------------------------# # Variables & Functions # #----------------------------------------------------------# # Defining absolute path for iptables iptables="/sbin/iptables" # Includes # shellcheck source=/etc/hestiacp/hestia.conf source /etc/hestiacp/hestia.conf # shellcheck source=/usr/local/hestia/func/main.sh source $HESTIA/func/main.sh # shellcheck source=/usr/local/hestia/func/firewall.sh source $HESTIA/func/firewall.sh # load config file source_conf "$HESTIA/conf/hestia.conf" #----------------------------------------------------------# # Verifications # #----------------------------------------------------------# # Perform verification if read-only mode is enabled check_hestia_demo_mode #----------------------------------------------------------# # Action # #----------------------------------------------------------# # Self heal iptables links heal_iptables_links # Creating temporary file tmp="$(mktemp)" # Flushing INPUT chain echo "$iptables -P INPUT ACCEPT" >> $tmp echo "$iptables -F INPUT" >> $tmp # Deleting hestia chain echo "$iptables -X hestia" >> $tmp # Deleting custom chains IFS=$'\n' for chain in $(cat $HESTIA/data/firewall/chains.conf 2> /dev/null); do parse_object_kv_list "$chain" echo "$iptables -F fail2ban-$CHAIN" >> $tmp echo "$iptables -X fail2ban-$CHAIN" >> $tmp done # Applying rules bash $tmp 2> /dev/null # Deleting temporary file rm -f $tmp # Clean up and saving rules to the master iptables file if [ -d "/etc/sysconfig" ]; then /sbin/iptables-save | sed -e 's/[[0-9]\+:[0-9]\+]/[0:0]/g' -e '/^-A fail2ban-[A-Z]\+ -s .\+$/d' > /etc/sysconfig/iptables else /sbin/iptables-save | sed -e 's/[[0-9]\+:[0-9]\+]/[0:0]/g' -e '/^-A fail2ban-[A-Z]\+ -s .\+$/d' > /etc/iptables.rules iptablesversion="$(iptables --version | head -1 | awk '{print $2}' | cut -f -2 -d .)" sd_unit="/lib/systemd/system/hestia-iptables.service" if [ ! -e "$sd_unit" ]; then echo "[Unit]" >> $sd_unit echo "Description=Loading Hestia firewall rules" >> $sd_unit echo "DefaultDependencies=no" >> $sd_unit echo "Wants=network-pre.target local-fs.target" >> $sd_unit echo "Before=network-pre.target" >> $sd_unit echo "After=local-fs.target" >> $sd_unit echo "" >> $sd_unit echo "[Service]" >> $sd_unit echo "Type=oneshot" >> $sd_unit echo "RemainAfterExit=yes" >> $sd_unit echo "ExecStartPre=-${HESTIA}/bin/v-update-firewall-ipset load" >> $sd_unit if [ "$iptablesversion" = "v1.6" ]; then echo "ExecStart=/sbin/iptables-restore /etc/iptables.rules" >> $sd_unit else echo "ExecStart=/sbin/iptables-restore --wait=10 /etc/iptables.rules" >> $sd_unit fi echo "" >> $sd_unit echo "[Install]" >> $sd_unit echo "WantedBy=multi-user.target" >> $sd_unit systemctl -q daemon-reload fi systemctl -q is-enabled hestia-iptables 2> /dev/null && systemctl -q disable hestia-iptables if [ -z "$FIREWALL_SYSTEM" ]; then rm -f $sd_unit systemctl -q daemon-reload fi fi #----------------------------------------------------------# # Hestia # #----------------------------------------------------------# exit