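#!/usr/bin/env bash
# Apply the firewall atomically as soon as it appears.
#
# The firewall files are generated by `iptables-save`/`ip6tables-save`
# in a separate container for building the firewall rules.
#
# Usage: apply-firewall.sh [initial]
#   initial  forget the previous run's timestamps, so the rules are
#            (re)applied even when the dump files have not changed.
#
# Environment:
#   IPTABLES_FILE_V4  IPv4 dump to load (default /tmp/iptables.txt)
#   IPTABLES_FILE_V6  IPv6 dump to load (default /tmp/ip6tables.txt)
#
# Exit status: 0 when every present dump was applied or nothing was due,
# otherwise the status of the restore command that failed.
set -u

# Where to get the iptables dump files.
: "${IPTABLES_FILE_V4:=/tmp/iptables.txt}"
: "${IPTABLES_FILE_V6:=/tmp/ip6tables.txt}"

# New with every new container (e.g. on restarts).
readonly timestamp_v4=/tmp/timestamp-v4
readonly timestamp_v6=/tmp/timestamp-v6

#######################################
# Restore one rule set when its dump is newer than the last applied one.
# The timestamp is touched only after the restore succeeded, so a dump
# that fails to load is retried on the next run instead of being
# recorded as applied (the previous version stamped and reported
# success unconditionally).
# Arguments:
#   $1 - label used in messages ("v4" / "v6")
#   $2 - restore command (iptables-restore / ip6tables-restore)
#   $3 - dump file written by the *tables-save producer
#   $4 - timestamp file marking the last successful apply
# Outputs: success message on stdout, failure message on stderr
# Returns: 0 when the dump is absent, unchanged or applied; the restore
#          command's status when it failed
#######################################
apply_ruleset() {
  local label=$1 restore=$2 dump=$3 stamp=$4
  local rc

  # Nothing to do until the producer has written the dump.
  [[ -e "$dump" ]] || return 0
  # Skip unless the dump changed since the last successful apply.
  if [[ -e "$stamp" && ! "$dump" -nt "$stamp" ]]; then
    return 0
  fi

  # NOTE(review): the dump is loaded wholesale from a shared path (/tmp by
  # default), so whoever can write there decides the rule set — confirm
  # the producer container is the only writer of that path.
  if "$restore" <"$dump"; then
    touch "$stamp"
    echo "The firewall is applied (${label})."
    return 0
  else
    rc=$?
    echo "Failed to apply the firewall (${label}) from ${dump} (status ${rc})." >&2
    return "$rc"
  fi
}

#######################################
# Entry point: handle the "initial" marker, then apply v4 and v6.
# Arguments: $1 - optional "initial"
# Returns:   0 on success, the last failing restore status otherwise
#######################################
main() {
  local status=0

  # For the first start, always apply the rules.
  if [[ ${1:-} == initial ]]; then
    rm -f "${timestamp_v4}" "${timestamp_v6}"
  fi

  # Keep going after a v4 failure so v6 still gets its turn; the failure
  # is reported through the exit status instead of being swallowed.
  apply_ruleset v4 iptables-restore "${IPTABLES_FILE_V4}" "${timestamp_v4}" || status=$?
  apply_ruleset v6 ip6tables-restore "${IPTABLES_FILE_V6}" "${timestamp_v6}" || status=$?
  return "$status"
}

main "$@"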