#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with ip6tables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/ip6tables
#
# Actions: start/load flush whatever is loaded and apply the saved ruleset;
# stop/clear flush everything and reset the built-in chains to ACCEPT
# (fail-open); panic sets the built-in policies to DROP (fail-closed);
# save writes the running ruleset back to the config file (mode 0600).

IPTABLES_CONFIG=/etc/sysconfig/ip6tables

# Without a saved ruleset the boot-time actions quietly succeed.
# NOTE(review): this is fail-open -- a host whose config file has been
# removed comes up with no IPv6 filtering and prints nothing about it.
# Every other action ("load", "save", ...) falls through to the dispatch
# at the bottom of the script.
case "$1" in
start|restart|force-reload)
	[ -f "$IPTABLES_CONFIG" ] || exit 0
	;;
esac
25 | ||
# Pull in the rc helpers used below (show/ok/fail, kernelver,
# upstart_controlled, msg_usage).
. /etc/rc.d/init.d/functions

# Netfilter/ip6tables only exists on 2.3.x kernels and later; on anything
# older there is nothing to do, so succeed silently.
[ "$(kernelver)" -lt "002003000" ] && exit 0

# ipchains and ip6tables must not be active at the same time: if the
# ipchains module is loaded, leave the firewall to it.
/sbin/lsmod 2>/dev/null | grep -q ipchains && exit 0
37 | ||
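# iftable TABLE IP6TABLES-ARGS...
# Run "ip6tables -t TABLE ARGS..." but only when TABLE is actually loaded
# in the kernel (listed in /proc/net/ip6_tables_names).  Otherwise do
# nothing and return 0, so callers can chain several tables with && and a
# table this kernel does not have is not counted as a failure.  Keep the
# if-form for exactly that reason: "grep && ip6tables" would return 1 for
# a missing table and break those chains.
iftable() {
	# -F literal match, -x whole line, -s stay quiet if the /proc entry is
	# missing (ip6_tables not loaded); "--" protects against a table name
	# that looks like an option.  fgrep is obsolescent (current GNU grep
	# warns about it); grep -F is the same thing.
	if grep -Fqsx -- "$1" /proc/net/ip6_tables_names; then
		ip6tables -t "$@"
	fi
}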
43 | ||
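# start
# Flush and delete everything currently loaded, then apply the saved
# ruleset from $IPTABLES_CONFIG.  Does nothing without a config file
# ("load" is not covered by the check at the top of the script, so the
# test is repeated here).  Uses show/ok/fail from the rc functions.
# Returns the status of the last command (the lock-file touch) or 0 if
# there was no config file, as before.
start() {
	[ -f "$IPTABLES_CONFIG" ] || return 0

	# Tables the kernel currently has registered, whitespace separated
	# (empty if ip6_tables is not loaded).  Deliberately unquoted in the
	# loops below so the list word-splits.
	tables=$(cat /proc/net/ip6_tables_names 2>/dev/null)

	# Clear everything first so we never end up adding to pre-existing
	# rules.  -F leaves the built-in chain policies alone, so from here
	# until the restore below finishes the host runs on policies only.
	show "Flushing all current rules and user defined chains"
	ret=0
	for i in $tables; do
		ip6tables -t "$i" -F
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Clearing all current rules and user defined chains"
	ret=0
	for i in $tables; do
		ip6tables -t "$i" -X
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	# Zero the packet/byte counters; the result is not reported.
	for i in $tables; do
		ip6tables -t "$i" -Z
	done

	# Comments and blank lines are stripped so ip6tables-restore only sees
	# rule lines; -c also restores the saved counters.  The pipeline's
	# status is that of ip6tables-restore.
	show "Applying ip6tables firewall rules"
	if grep -v "^[[:space:]]*#" "$IPTABLES_CONFIG" | grep -v '^[[:space:]]*$' \
		| /usr/sbin/ip6tables-restore -c; then
		ok
	else
		fail
	fi
	# The subsys lock is created even when the restore failed (original
	# behaviour, presumably so that "stop" at shutdown still runs and
	# clears a partially loaded ruleset).
	touch /var/lock/subsys/ip6tables
}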
75 | ||
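# stop
# Flush every loaded table, delete the user-defined chains and put the
# built-in chains back to ACCEPT.  This is deliberately FAIL-OPEN: after
# "stop" the host accepts all IPv6 traffic.  Use "panic" for the
# fail-closed variant.  Uses show/ok/fail from the rc functions.
stop() {
	# Tables the kernel currently has registered, whitespace separated
	# (empty if ip6_tables is not loaded); unquoted in the loops so the
	# list word-splits.
	tables=$(cat /proc/net/ip6_tables_names 2>/dev/null)

	show "Flushing all chains"
	ret=0
	for i in $tables; do
		ip6tables -t "$i" -F
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Removing user defined chains"
	ret=0
	for i in $tables; do
		ip6tables -t "$i" -X
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	# iftable() silently skips tables this kernel does not have, so a
	# missing table (e.g. nat) does not fail the chain.  Only the chains
	# listed here are reset; the policy of any other chain is left as it
	# was.
	show "Resetting built-in chains to the default ACCEPT policy"
	if iftable filter -P INPUT ACCEPT \
		&& iftable filter -P OUTPUT ACCEPT \
		&& iftable filter -P FORWARD ACCEPT \
		&& iftable nat -P PREROUTING ACCEPT \
		&& iftable nat -P POSTROUTING ACCEPT \
		&& iftable nat -P OUTPUT ACCEPT \
		&& iftable mangle -P PREROUTING ACCEPT \
		&& iftable mangle -P OUTPUT ACCEPT; then
		ok
	else
		fail
	fi
	rm -f /var/lock/subsys/ip6tables
}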
107 | ||
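# Under upstart, every action except the ones listed is handed to the init
# daemon (helper from /etc/rc.d/init.d/functions).
upstart_controlled --except status panic load save clear

case "$1" in
start|load)
	start
	;;

stop|clear)
	stop
	;;

restart|force-reload)
	# Not a daemon: "start" already throws the loaded rules away before
	# applying the config, so a restart is simply another start.  Kept so
	# that callers expecting restart/force-reload work.
	start
	;;

panic)
	# Fail closed.  Policies are set to DROP *before* anything is flushed,
	# so there is no window in which traffic is accepted.  iftable()
	# silently skips tables this kernel does not have.  Only the chains
	# listed are touched; the filter-table DROP policies are what actually
	# stops traffic, other chain policies are left as they are.
	show "Changing target policies to DROP"
	if iftable filter -P INPUT DROP \
		&& iftable filter -P FORWARD DROP \
		&& iftable filter -P OUTPUT DROP \
		&& iftable nat -P PREROUTING DROP \
		&& iftable nat -P POSTROUTING DROP \
		&& iftable nat -P OUTPUT DROP \
		&& iftable mangle -P PREROUTING DROP \
		&& iftable mangle -P OUTPUT DROP; then
		ok
	else
		fail
	fi
	# Flush whole tables (no chain argument) so user-defined chains are
	# emptied as well; the per-built-in-chain flush used before left them
	# populated, which then made the -X below fail.
	if iftable filter -F \
		&& iftable nat -F \
		&& iftable mangle -F; then
		ok
	else
		fail
	fi
	# Delete all user-defined chains.  -X takes no chain name here: naming
	# a built-in chain (INPUT, PREROUTING, ...) is an error, so the old
	# "-X INPUT && ..." chain always reported fail at the first step.
	if iftable filter -X \
		&& iftable nat -X \
		&& iftable mangle -X; then
		ok
	else
		fail
	fi
	;;

save)
	show "Saving current rules to %s" "$IPTABLES_CONFIG"
	# Dump into a private (0600) temp file in the same directory and move
	# it into place only once ip6tables-save has succeeded.  Truncating
	# the config with ">" and then failing would leave an empty ruleset
	# behind, and the next "start" would bring the host up with no IPv6
	# filtering.  (mv replaces the path itself: a symlinked config becomes
	# a regular file.)  Errors from ip6tables-save are suppressed as before.
	tmp=$(mktemp "$IPTABLES_CONFIG.XXXXXX" 2>/dev/null)
	if [ -n "$tmp" ] \
		&& /usr/sbin/ip6tables-save -c > "$tmp" 2>/dev/null \
		&& chmod 600 "$tmp" \
		&& mv -f "$tmp" "$IPTABLES_CONFIG"; then
		ok
	else
		[ -n "$tmp" ] && rm -f -- "$tmp"
		fail
	fi
	;;

status)
	# List every loaded table numerically (no DNS lookups).
	tables=$(cat /proc/net/ip6_tables_names 2>/dev/null)
	for table in $tables; do
		echo "Table: $table"
		ip6tables -t "$table" -n --list
	done
	;;

*)
	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
	exit 3
esac

exit 0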