Package: iptables-persistent
Version: 0.5.1
Severity: wishlist

Hello,
I like the init.d script but sometimes I would like to disable the firewall.
It would be great if the stop argument flushed the rules so that there is no
more filtering.
I have attached a patch, inspired by the RHEL /etc/init.d/iptables script, that
could do the job.
--- /etc/init.d/iptables-persistent	2011-07-18 21:55:44.000000000 +0200
+++ iptables-persistent	2011-07-18 21:55:32.000000000 +0200
@@ -19,6 +19,9 @@
 
 rc=0
 
+IPT=/sbin/iptables
+IPT6=/sbin/ip6tables
+
 load_rules()
 {
 	log_action_begin_msg "Loading iptables rules"
@@ -52,19 +55,61 @@
 	if [ -x /sbin/iptables-save ]; then
 		log_action_cont_msg " IPv4"
 		iptables-save > /etc/iptables/rules.v4
-                if [ $? -ne 0 ]; then
-                        rc=1
-                fi
+		if [ $? -ne 0 ]; then
+			rc=1
+		fi
 	fi
 
-        #save IPv6 rules
-        if [ -x /sbin/ip6tables-save ]; then
-                log_action_cont_msg " IPv6"
-                ip6tables-save > /etc/iptables/rules.v6
-                if [ $? -ne 0 ]; then
-                        rc=1
-                fi
-        fi
+	#save IPv6 rules
+	if [ -x /sbin/ip6tables-save ]; then
+		log_action_cont_msg " IPv6"
+		ip6tables-save > /etc/iptables/rules.v6
+		if [ $? -ne 0 ]; then
+				rc=1
+		fi
+	fi
+
+	log_action_end_msg $rc
+}
+
+flush_rules()
+{
+	log_action_begin_msg "Flushing rules"
+	# flush ipv4 rules
+	if [ -x $IPT ]; then
+		log_action_cont_msg " IPv4"
+		$IPT -F
+		$IPT -X
+		$IPT -Z
+		for table in $(</proc/net/ip_tables_names)
+		do
+			$IPT -t $table -F
+			$IPT -t $table -X
+			$IPT -t $table -Z
+		done
+		$IPT -P INPUT ACCEPT
+		$IPT -P OUTPUT ACCEPT
+		$IPT -P FORWARD ACCEPT
+	fi
+
+	# flush ipv6 rules
+	if [ -x $IPT6 ]; then
+		log_action_cont_msg " IPv6"
+		$IPT6 -F
+		$IPT6 -X
+		$IPT6 -Z
+		for table in $(</proc/net/ip6_tables_names)
+		do
+			$IPT6 -t $table -F
+			$IPT6 -t $table -X
+			$IPT6 -t $table -Z
+		done
+		$IPT6 -P INPUT ACCEPT
+		$IPT6 -P OUTPUT ACCEPT
+		$IPT6 -P FORWARD ACCEPT
+	fi
+	
+	rc=0
 
 	log_action_end_msg $rc
 }
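Review bot: flush_rules sets `rc=0` unconditionally just before `log_action_end_msg`, so a failing iptables call is never reported and stop always logs success, unlike save_rules directly above which propagates `rc=1`; and the policies are switched to ACCEPT only after `-F`/`-X`, so on a filter table with a DROP policy there is a window where all rules are gone but the policy still drops everything, including established sessions. Setting the policies first and appending `|| rc=1` to each call fixes both, which is more than three lines, so the IPv4 half is sketched below (the IPv6 half is the same shape with `$IPT6` and ip6_tables_names). `$(</proc/net/ip_tables_names)` is a bash-only form that expands to nothing under dash, so if the script runs under `#!/bin/sh` (the shebang is outside the hunk) the per-table loop would silently skip nat/mangle/raw; `$(cat /proc/net/ip_tables_names 2>/dev/null)` works in either shell and tolerates the file being absent when the module is not loaded. `$IPT` and `$table` should also be quoted, and the whitespace-only churn in save_rules at the top of the hunk would be easier to review as a separate change.
```shell
flush_rules()
{
	rc=0
	log_action_begin_msg "Flushing rules"
	# flush ipv4 rules
	if [ -x "$IPT" ]; then
		log_action_cont_msg " IPv4"
		# open the policies first so nothing is dropped while the rules are gone
		for chain in INPUT OUTPUT FORWARD; do
			"$IPT" -P "$chain" ACCEPT || rc=1
		done
		"$IPT" -F || rc=1
		"$IPT" -X || rc=1
		"$IPT" -Z || rc=1
		# POSIX form; the file is absent when the module is not loaded
		for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do
			"$IPT" -t "$table" -F || rc=1
			"$IPT" -t "$table" -X || rc=1
			"$IPT" -t "$table" -Z || rc=1
		done
	fi
	# … unchanged: IPv6 block, same shape with $IPT6 and /proc/net/ip6_tables_names …
	log_action_end_msg $rc
}
```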
@@ -77,11 +122,12 @@
 	save_rules
 	;;
 stop)
+	flush_rules
 	;;
 *)
-    echo "Usage: $0 {start|restart|reload|force-reload|save}" >&2
-    exit 1
-    ;;
+	echo "Usage: $0 {start|restart|reload|force-reload|save}" >&2
+	exit 1
+	;;
 esac
 
 exit $rc
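Review bot: The usage message on the `*)` arm still omits `stop`, even though the hunk makes `stop` a meaningful action that flushes every rule and opens all policies; it should read `echo "Usage: $0 {start|stop|restart|reload|force-reload|save}" >&2`. Since `stop` now leaves the host with no packet filtering at all, a one-line comment on the `stop)` arm such as `# stop = flush all rules and set every policy to ACCEPT (host is unfiltered)` would make that consequence visible to whoever next edits the script. The case statement begins outside the hunk.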
