File: //opt/cpguard/app/scripts/reset_iptables.sh
#!/bin/bash
#
# Selective CPGuard Firewall Reset Script
# Removes only CPGuard-related chains and sets without affecting other firewall rules
#
# Abort on the first unhandled non-zero status; critical steps below still
# check their own results explicitly because errexit is not exhaustive.
set -o errexit
printf '%s\n' "Starting selective CPGuard firewall cleanup..."
# Check whether a command is resolvable (binary, function, builtin or alias).
# Arguments: $1 - command name
# Returns:   0 when the command resolves, 1 otherwise; prints nothing
command_exists() {
  local name="$1"
  if command -v "$name" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}
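# Remove every plain "-j target_chain" rule from base_chain.
# Arguments: $1 - iptables command (left unquoted below so a value carrying
#                 options still works)
#            $2 - chain that holds the jump rules (e.g. INPUT)
#            $3 - chain the jumps point to
# Outputs:   progress lines on stdout, warnings on stderr
# Returns:   0; the function is best-effort and never aborts the script
remove_jump_rules() {
  local ipt="$1"
  local base_chain="$2"
  local target_chain="$3"

  # Nothing to do when the base chain cannot be listed (does not exist).
  $ipt -L "$base_chain" -n >/dev/null 2>&1 || return 0

  # -C succeeds while an identical rule exists; repeat so duplicated jumps
  # are all removed, not just the first one.
  while $ipt -C "$base_chain" -j "$target_chain" 2>/dev/null; do
    echo " Removing jump from $base_chain to $target_chain"
    if ! $ipt -D "$base_chain" -j "$target_chain" 2>/dev/null; then
      # -C still matches but -D failed: stop instead of looping forever on
      # a rule that will not go away (the original silently retried).
      echo " Warning: could not remove jump from $base_chain to $target_chain" >&2
      break
    fi
  done
  return 0
}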
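# Remove all references to "cpg" chains, then flush and delete those chains.
# Arguments: $1 - iptables command (left unquoted below so a value carrying
#                 options still works)
#            $2 - label used in messages only
# Outputs:   progress lines on stdout, warnings/errors on stderr
# Returns:   0 on completion (individual rule failures are warned about),
#            1 when the ruleset cannot be listed at all
cleanup_chains() {
  local ipt="$1"
  local ipt_name="$2"
  local chains all_chains chain parent_chain line_num

  echo "Processing $ipt_name chains..."

  # A failed listing (no privileges, netfilter unavailable) must not be
  # reported as "no chains found"; fail loudly so the caller's success
  # summary is never printed over a no-op.
  if ! $ipt -L -n >/dev/null 2>&1; then
    echo "Error: '$ipt -L -n' failed; cannot enumerate $ipt_name chains" >&2
    return 1
  fi

  # Names of chains whose name starts with "cpg" (awk prints nothing and
  # exits 0 when there is no match, so no "|| true" is needed).
  # NOTE(review): this matches any chain beginning with "cpg", not only the
  # documented "cpg_" prefix -- confirm before tightening the pattern.
  chains=$($ipt -L -n 2>/dev/null | awk '$1 == "Chain" && $2 ~ /^cpg/ {print $2}')
  if [ -z "$chains" ]; then
    echo " No cpg_ chains found in $ipt_name"
    return 0
  fi

  # 1. Plain jump rules in the built-in chains (exact -C match).
  for chain in $chains; do
    echo " Removing references to chain: $chain"
    remove_jump_rules "$ipt" "INPUT" "$chain"
    remove_jump_rules "$ipt" "OUTPUT" "$chain"
    remove_jump_rules "$ipt" "FORWARD" "$chain"
  done

  # 2. Any remaining rule in a non-cpg chain whose *target* is a cpg chain
  #    (jumps with match criteria, jumps from custom chains). The scan runs
  #    once for all chains, and it keys on the target column only: matching
  #    any line containing "cpg" would also delete unrelated rules that merely
  #    mention the string elsewhere (e.g. in a comment).
  all_chains=$($ipt -L -n 2>/dev/null | awk '$1 == "Chain" && $2 !~ /^cpg/ {print $2}')
  for parent_chain in $all_chains; do
    while :; do
      # "-L -n --line-numbers" columns: num target prot opt source destination
      line_num=$($ipt -L "$parent_chain" -n --line-numbers 2>/dev/null \
        | awk '$2 ~ /^cpg/ {print $1; exit}')
      [ -n "$line_num" ] || break
      echo " Removing rule $line_num from $parent_chain"
      # Rule numbers shift after each delete, so the list is re-read every
      # pass. A failed delete stops the loop instead of spinning forever.
      if ! $ipt -D "$parent_chain" "$line_num" 2>/dev/null; then
        echo " Warning: could not remove rule $line_num from $parent_chain" >&2
        break
      fi
    done
  done

  # 3. Flush, then delete, each cpg chain (flush first: -X only removes an
  #    empty, unreferenced chain). Failures are reported, not swallowed.
  for chain in $chains; do
    echo " Flushing chain: $chain"
    $ipt -F "$chain" 2>/dev/null || echo " Warning: could not flush $chain" >&2
    echo " Deleting chain: $chain"
    $ipt -X "$chain" 2>/dev/null \
      || echo " Warning: could not delete $chain (still referenced or not empty)" >&2
  done

  echo " Completed $ipt_name chain cleanup"
  return 0
}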
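# Destroy every ipset whose name starts with "c_".
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout, warnings on stderr
# Returns:   0; best-effort, a set that cannot be destroyed is warned about
cleanup_ipsets() {
  local sets set_name

  if ! command_exists ipset; then
    echo "ipset not found, skipping ipset cleanup"
    return 0
  fi
  echo "Processing ipsets..."

  # Distinguish "ipset cannot list" from "no matching sets" instead of
  # silently treating both as nothing to do.
  if ! ipset list -name >/dev/null 2>&1; then
    echo " Warning: 'ipset list -name' failed; skipping ipset cleanup" >&2
    return 0
  fi

  # Set names starting with "c_" (awk exits 0 even when nothing matches).
  sets=$(ipset list -name 2>/dev/null | awk '/^c_/')
  if [ -z "$sets" ]; then
    echo " No c_ ipsets found"
    return 0
  fi

  # Destroy each set. A failure is reported rather than swallowed, so the
  # final "completed successfully" message is not printed over a leftover set.
  for set_name in $sets; do
    echo " Destroying ipset: $set_name"
    ipset destroy "$set_name" 2>/dev/null \
      || echo " Warning: could not destroy ipset $set_name (still in use?)" >&2
  done
  echo " Completed ipset cleanup"
  return 0
}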
# Main cleanup process
# Clean up IPv4 iptables only; without iptables there is nothing to do.
if ! command_exists iptables; then
  echo "iptables not found, cannot proceed"
  exit 1
fi
cleanup_chains "iptables" "iptables"

# Clean up ipsets (after the chains, since rules may reference the sets)
cleanup_ipsets

printf '\n%s\n\n' "Selective CPGuard firewall cleanup completed successfully!"
printf '%s\n' "Summary:" \
  " - Removed all IPv4 chains starting with 'cpg_'" \
  " - Removed all ipsets starting with 'c_'" \
  " - IPv6 and other firewall rules remain intact"