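#!/bin/sh
#
# Load a firewalld-style multi-table ruleset through iptables-restore in
# four steps (chain skeleton, zone chains, chain policies, interface
# bindings) and compare the resulting iptables-save output of the nat,
# mangle, raw and filter tables against the recorded dump in
# dumps/ipt-save-completed.txt next to this script.
#
# Required environment:
#   XT_MULTI  command used to run the iptables binaries under test.  It is
#             deliberately left unquoted below so that a multi-word value
#             (e.g. a wrapper prepended by the harness) still splits into
#             separate words.
#
# NOTE(review): every restore below changes the live nat/mangle/raw/filter
# tables of the kernel this runs in, so it needs privileges and should be
# run in a dedicated network namespace (presumably the harness does that).
#
# Exit status: 0 if every step succeeds and the final dump matches,
# 1 otherwise.

# Fail loudly instead of silently falling back to whatever iptables is on
# $PATH, which would test the wrong binary and touch the host's firewall.
: "${XT_MULTI:?XT_MULTI must be set to the xtables multi-binary under test}"

# Both spellings of the lock-wait option (-w and -w<seconds>) must be
# accepted by the listing command.
$XT_MULTI iptables -w -L -n > /dev/null || exit 1
$XT_MULTI iptables -w2 -L -n > /dev/null || exit 1

# A comment-only input with no trailing newline must not make
# iptables-restore fail.  printf instead of 'echo -n': the latter is not
# portable under /bin/sh.
printf '%s' '#foo' | $XT_MULTI iptables-restore -w || exit 1

# table probing: exercise table lookup for every builtin table.  The exit
# statuses are intentionally not checked here (as in the original test),
# presumably because not every table is guaranteed to be available.
for table in security raw mangle nat filter; do
	$XT_MULTI iptables -w2 -t "$table" -L -n > /dev/null
done

# Match-extension help must be reachable through the protocol shortcut.
$XT_MULTI iptables -w2 -p icmp --help | grep -q 'Valid ICMP Types' || exit 1

#######################################
# Feed stdin to iptables-restore -n (--noflush: existing tables are kept,
# the first ruleset flushes explicitly with -F/-X/-Z) and abort the whole
# test if the restore fails.
# Globals:   XT_MULTI (read)
# Arguments: $1 - ordinal used in the error message ("first", "2nd", ...)
# Outputs:   error message on stderr when the restore fails
# Returns:   0 on success; exits the script with status 1 on failure
#######################################
restore_or_die() {
	if ! $XT_MULTI iptables-restore -w -n; then
		printf 'Error during %s iptables-restore\n' "$1" >&2
		exit 1
	fi
}

# Step 1: flush every table and create the *_direct / *_ZONES skeleton
# chains.  The heredoc delimiters are quoted so the rule text is passed
# through literally, with no parameter expansion.
restore_or_die first <<'EOF'
*nat
-F
-X
-Z
-N PREROUTING_direct
-I PREROUTING 1 -j PREROUTING_direct
-N PREROUTING_ZONES_SOURCE
-N PREROUTING_ZONES
-I PREROUTING 2 -j PREROUTING_ZONES_SOURCE
-I PREROUTING 3 -j PREROUTING_ZONES
-N POSTROUTING_direct
-I POSTROUTING 1 -j POSTROUTING_direct
-N POSTROUTING_ZONES_SOURCE
-N POSTROUTING_ZONES
-I POSTROUTING 2 -j POSTROUTING_ZONES_SOURCE
-I POSTROUTING 3 -j POSTROUTING_ZONES
-N OUTPUT_direct
-I OUTPUT 1 -j OUTPUT_direct
COMMIT
*mangle
-F
-X
-Z
-N PREROUTING_direct
-I PREROUTING 1 -j PREROUTING_direct
-N PREROUTING_ZONES_SOURCE
-N PREROUTING_ZONES
-I PREROUTING 2 -j PREROUTING_ZONES_SOURCE
-I PREROUTING 3 -j PREROUTING_ZONES
-N POSTROUTING_direct
-I POSTROUTING 1 -j POSTROUTING_direct
-N INPUT_direct
-I INPUT 1 -j INPUT_direct
-N OUTPUT_direct
-I OUTPUT 1 -j OUTPUT_direct
-N FORWARD_direct
-I FORWARD 1 -j FORWARD_direct
COMMIT
*raw
-F
-X
-Z
-N PREROUTING_direct
-I PREROUTING 1 -j PREROUTING_direct
-N PREROUTING_ZONES_SOURCE
-N PREROUTING_ZONES
-I PREROUTING 2 -j PREROUTING_ZONES_SOURCE
-I PREROUTING 3 -j PREROUTING_ZONES
-N OUTPUT_direct
-I OUTPUT 1 -j OUTPUT_direct
COMMIT
*filter
-F
-X
-Z
-N INPUT_direct
-N INPUT_ZONES_SOURCE
-N INPUT_ZONES
-I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-I INPUT 2 -i lo -j ACCEPT
-I INPUT 3 -j INPUT_direct
-I INPUT 4 -j INPUT_ZONES_SOURCE
-I INPUT 5 -j INPUT_ZONES
-I INPUT 6 -m conntrack --ctstate INVALID -j DROP
-I INPUT 7 -j REJECT --reject-with icmp-host-prohibited
-N FORWARD_direct
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_IN_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-I FORWARD 2 -i lo -j ACCEPT
-I FORWARD 3 -j FORWARD_direct
-I FORWARD 4 -j FORWARD_IN_ZONES_SOURCE
-I FORWARD 5 -j FORWARD_IN_ZONES
-I FORWARD 6 -j FORWARD_OUT_ZONES_SOURCE
-I FORWARD 7 -j FORWARD_OUT_ZONES
-I FORWARD 8 -m conntrack --ctstate INVALID -j DROP
-I FORWARD 9 -j REJECT --reject-with icmp-host-prohibited
-N OUTPUT_direct
-I OUTPUT 1 -j OUTPUT_direct
COMMIT
EOF

# Step 2: create the "public" zone chains (log/deny/allow triplets) in every
# table and hook them into the *_ZONES chains for any interface ("+").
restore_or_die 2nd <<'EOF'
*raw
-N PRE_public
-N PRE_public_log
-N PRE_public_deny
-N PRE_public_allow
-I PRE_public 1 -j PRE_public_log
-I PRE_public 2 -j PRE_public_deny
-I PRE_public 3 -j PRE_public_allow
-A PREROUTING_ZONES -i + -g PRE_public
COMMIT
*filter
-N IN_public
-N IN_public_log
-N IN_public_deny
-N IN_public_allow
-I IN_public 1 -j IN_public_log
-I IN_public 2 -j IN_public_deny
-I IN_public 3 -j IN_public_allow
-A IN_public_allow -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp --dport 5353 -d 224.0.0.251 -m conntrack --ctstate NEW -j ACCEPT
-N FWDI_public
-N FWDI_public_log
-N FWDI_public_deny
-N FWDI_public_allow
-I FWDI_public 1 -j FWDI_public_log
-I FWDI_public 2 -j FWDI_public_deny
-I FWDI_public 3 -j FWDI_public_allow
-I IN_public 4 -p icmp -j ACCEPT
-I FWDI_public 4 -p icmp -j ACCEPT
-A INPUT_ZONES -i + -g IN_public
-A FORWARD_IN_ZONES -i + -g FWDI_public
-N FWDO_public
-N FWDO_public_log
-N FWDO_public_deny
-N FWDO_public_allow
-I FWDO_public 1 -j FWDO_public_log
-I FWDO_public 2 -j FWDO_public_deny
-I FWDO_public 3 -j FWDO_public_allow
-A FORWARD_OUT_ZONES -o + -g FWDO_public
COMMIT
*nat
-N PRE_public
-N PRE_public_log
-N PRE_public_deny
-N PRE_public_allow
-I PRE_public 1 -j PRE_public_log
-I PRE_public 2 -j PRE_public_deny
-I PRE_public 3 -j PRE_public_allow
-A PREROUTING_ZONES -i + -g PRE_public
-N POST_public
-N POST_public_log
-N POST_public_deny
-N POST_public_allow
-I POST_public 1 -j POST_public_log
-I POST_public 2 -j POST_public_deny
-I POST_public 3 -j POST_public_allow
-A POSTROUTING_ZONES -o + -g POST_public
COMMIT
*mangle
-N PRE_public
-N PRE_public_log
-N PRE_public_deny
-N PRE_public_allow
-I PRE_public 1 -j PRE_public_log
-I PRE_public 2 -j PRE_public_deny
-I PRE_public 3 -j PRE_public_allow
-A PREROUTING_ZONES -i + -g PRE_public
COMMIT
EOF

# Step 3: set the builtin chain policies of mangle, raw and filter to ACCEPT.
restore_or_die 3rd <<'EOF'
*mangle
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
COMMIT
*raw
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
COMMIT
*filter
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
COMMIT
EOF

# Step 4: bind the zone chains to a specific interface ahead of the "+"
# catch-all rules.  The name is only stored in the rule; the interface does
# not have to exist for the rules to load.
restore_or_die 4th <<'EOF'
*filter
-I INPUT_ZONES 1 -i enp3s0 -g IN_public
-I FORWARD_IN_ZONES 1 -i enp3s0 -g FWDI_public
-I FORWARD_OUT_ZONES 1 -o enp3s0 -g FWDO_public
COMMIT
*nat
-I PREROUTING_ZONES 1 -i enp3s0 -g PRE_public
-I POSTROUTING_ZONES 1 -o enp3s0 -g POST_public
COMMIT
*mangle
-I PREROUTING_ZONES 1 -i enp3s0 -g PRE_public
COMMIT
*raw
-I PREROUTING_ZONES 1 -i enp3s0 -g PRE_public
COMMIT
EOF

# Dump the four tables into one temporary file, dropping the '#' lines
# (comments/timestamps that differ between runs), and compare that with the
# expected dump.  The trap removes the file on every exit path from here on.
tmpfile=$(mktemp) || exit 1
trap 'rm -f -- "$tmpfile"' EXIT

# The table order must stay as is: it is the order of the expected dump.
# A failing iptables-save is not checked explicitly; its missing output
# shows up as a mismatch in the diff below.
for table in nat mangle raw filter; do
	$XT_MULTI iptables-save -t "$table" | grep -v '^#' >> "$tmpfile"
done

expected="$(dirname "$0")/dumps/ipt-save-completed.txt"
diff -u -- "$tmpfile" "$expected"
RET=$?

exit "$RET"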