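#!/bin/bash
# info: stop system firewall
# options: NONE
#
# example: v-stop-firewall
#
# This function stops iptables. It sets the IPv4 INPUT policy to ACCEPT,
# flushes the INPUT chain, deletes the "hestia" chain and every
# "fail2ban-<CHAIN>" chain listed in $HESTIA/data/firewall/chains.conf,
# and then persists the resulting rule set so the firewall stays off
# across a reboot. Only /sbin/iptables (IPv4) and the INPUT chain are
# touched here.
#
# NOTE: after this has run the host accepts all inbound traffic until the
# firewall is started again.

#----------------------------------------------------------#
#                Variables & Functions                     #
#----------------------------------------------------------#

# Defining absolute path for iptables
iptables="/sbin/iptables"

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source "$HESTIA/func/main.sh"
# shellcheck source=/usr/local/hestia/func/firewall.sh
source "$HESTIA/func/firewall.sh"
# load config file
source_conf "$HESTIA/conf/hestia.conf"

# Write the current rule set to the given file.
# Packet/byte counters are zeroed and fail2ban ban entries
# ("-A fail2ban-<NAME> -s <ip> ...") are dropped so that stale bans are
# not restored on the next boot.
# Arguments: $1 - destination rules file
# Returns:   exit status of sed (the last stage of the pipeline)
save_rules() {
	/sbin/iptables-save |
		sed -e 's/[[0-9]\+:[0-9]\+]/[0:0]/g' -e '/^-A fail2ban-[A-Z]\+ -s .\+$/d' > "$1"
}

#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Self heal iptables links
heal_iptables_links

# The iptables calls below are run directly rather than being written to a
# temporary script and executed with bash: that way nothing read from
# chains.conf is ever parsed as shell code, and there is no temp file to
# leak on an early exit. Their stderr is discarded on purpose - this is a
# best-effort teardown and "-F"/"-X" fail for chains that do not exist.

# Open the INPUT chain and drop all of its rules
"$iptables" -P INPUT ACCEPT 2> /dev/null
"$iptables" -F INPUT 2> /dev/null

# Deleting hestia chain
"$iptables" -X hestia 2> /dev/null

# Deleting custom chains, one key-value record per line of chains.conf
chains_conf="$HESTIA/data/firewall/chains.conf"
if [ -f "$chains_conf" ]; then
	while IFS= read -r chain || [ -n "$chain" ]; do
		[ -z "$chain" ] && continue
		# Reset first so a record without a CHAIN key cannot reuse the
		# value left over from the previous line
		CHAIN=""
		parse_object_kv_list "$chain" # expected to set $CHAIN (func/main.sh)
		[ -z "$CHAIN" ] && continue
		"$iptables" -F "fail2ban-$CHAIN" 2> /dev/null
		"$iptables" -X "fail2ban-$CHAIN" 2> /dev/null
	done < "$chains_conf"
fi

# Clean up and saving rules to the master iptables file
if [ -d "/etc/sysconfig" ]; then
	# RHEL-style layout: the distro's iptables service restores this file
	save_rules /etc/sysconfig/iptables
else
	save_rules /etc/iptables.rules

	# "vMAJOR.MINOR" (e.g. "v1.8"), used to decide whether --wait exists
	iptablesversion="$("$iptables" --version | head -1 | awk '{print $2}' | cut -f -2 -d .)"
	sd_unit="/lib/systemd/system/hestia-iptables.service"

	if [ ! -e "$sd_unit" ]; then
		# iptables 1.6 has no "--wait" option for iptables-restore
		if [ "$iptablesversion" = "v1.6" ]; then
			restore_cmd="/sbin/iptables-restore /etc/iptables.rules"
		else
			restore_cmd="/sbin/iptables-restore --wait=10 /etc/iptables.rules"
		fi
		# Unit that reloads the saved rules (and ipsets) before the network
		# comes up; "-" on ExecStartPre lets a failed ipset load proceed
		{
			printf '%s\n' \
				"[Unit]" \
				"Description=Loading Hestia firewall rules" \
				"DefaultDependencies=no" \
				"Wants=network-pre.target local-fs.target" \
				"Before=network-pre.target" \
				"After=local-fs.target" \
				"" \
				"[Service]" \
				"Type=oneshot" \
				"RemainAfterExit=yes" \
				"ExecStartPre=-${HESTIA}/bin/v-update-firewall-ipset load" \
				"ExecStart=$restore_cmd" \
				"" \
				"[Install]" \
				"WantedBy=multi-user.target"
		} > "$sd_unit"
		systemctl -q daemon-reload
	fi

	# The unit must not be enabled while the firewall is stopped
	if systemctl -q is-enabled hestia-iptables 2> /dev/null; then
		systemctl -q disable hestia-iptables
	fi
	# No firewall system configured at all: remove the unit entirely
	if [ -z "$FIREWALL_SYSTEM" ]; then
		rm -f "$sd_unit"
		systemctl -q daemon-reload
	fi
fi

#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

exit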