[packages/iptables.git] / ip6tables.init

#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with ip6tables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author:	Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/ip6tables

IPTABLES_CONFIG=/etc/sysconfig/ip6tables
if [ ! -f $IPTABLES_CONFIG ]; then
	case "$1" in
	start|restart|force-reload)
		exit 0
	;;
	esac
fi

# Source 'em up
. /etc/rc.d/init.d/functions

if [ "$(kernelver)" -lt "002003000" ]; then
	exit 0
fi

if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
	# Don't do both
	exit 0
fi

iftable() {
	if fgrep -qsx $1 /proc/net/ip6_tables_names; then
		ip6tables -t "$@"
	fi
}

start() {
	# don't do squat if we don't have the config file
	if [ -f $IPTABLES_CONFIG ]; then
		# If we don't clear these first, we might be adding to
		#  pre-existing rules.
		tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
		show "Flushing all current rules and user defined chains"
		let ret=0
		for i in $tables; do ip6tables -t $i -F; let ret+=$?; done
		if [ $ret -eq 0 ]; then
			ok
		else
			fail
		fi
		show "Clearing all current rules and user defined chains"
		let ret=0
		for i in $tables; do ip6tables -t $i -X; let ret+=$?; done
		if [ $ret -eq 0 ]; then
			ok
		else
			fail
		fi

		for i in $tables; do ip6tables -t $i -Z; done

		show "Applying ip6tables firewall rules"
		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/ip6tables-restore -c && \
			ok || fail
		touch /var/lock/subsys/ip6tables
	fi
}

stop() {
	tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
	show "Flushing all chains"
	let ret=0
	for i in $tables; do ip6tables -t $i -F; let ret+=$?; done
	if [ $ret -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Removing user defined chains"
	let ret=0
	for i in $tables; do ip6tables -t $i -X; let ret+=$?; done
	if [ $ret -eq 0 ]; then
		ok
	else
		fail
	fi
	show "Resetting built-in chains to the default ACCEPT policy"
	iftable filter -P INPUT ACCEPT && \
	iftable filter -P OUTPUT ACCEPT && \
	iftable filter -P FORWARD ACCEPT && \
	iftable nat -P PREROUTING ACCEPT && \
	iftable nat -P POSTROUTING ACCEPT && \
	iftable nat -P OUTPUT ACCEPT && \
	iftable mangle -P PREROUTING ACCEPT && \
	iftable mangle -P OUTPUT ACCEPT && \
	ok || fail
	rm -f /var/lock/subsys/ip6tables
}

upstart_controlled --except status panic load save clear

case "$1" in
  start|load)
	start
	;;

  stop|clear)
	stop
	;;

  restart|force-reload)
	# "restart" is really just "start" as this isn't a daemon,
	#  and "start" clears any pre-defined rules anyway.
	#  This is really only here to make those who expect it happy
	start
	;;

  panic)
	show "Changing target policies to DROP"
	iftable filter -P INPUT DROP && \
	iftable filter -P FORWARD DROP && \
	iftable filter -P OUTPUT DROP && \
	iftable nat -P PREROUTING DROP && \
	iftable nat -P POSTROUTING DROP && \
	iftable nat -P OUTPUT DROP && \
	iftable mangle -P PREROUTING DROP && \
	iftable mangle -P OUTPUT DROP && \
	ok || fail
	iftable filter -F INPUT && \
	iftable filter -F FORWARD && \
	iftable filter -F OUTPUT && \
	iftable nat -F PREROUTING && \
	iftable nat -F POSTROUTING && \
	iftable nat -F OUTPUT && \
	iftable mangle -F PREROUTING && \
	iftable mangle -F OUTPUT && \
	ok || fail
	iftable filter -X INPUT && \
	iftable filter -X FORWARD && \
	iftable filter -X OUTPUT && \
	iftable nat -X PREROUTING && \
	iftable nat -X POSTROUTING && \
	iftable nat -X OUTPUT && \
	iftable mangle -X PREROUTING && \
	iftable mangle -X OUTPUT && \
	ok || fail
	;;

  save)
	show "Saving current rules to %s" $IPTABLES_CONFIG
	touch $IPTABLES_CONFIG
	chmod 600 $IPTABLES_CONFIG
	/usr/sbin/ip6tables-save -c > $IPTABLES_CONFIG  2>/dev/null && ok || fail
	;;

  status)
	tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
	for table in $tables; do
		echo "Table: $table"
		ip6tables -t $table -n --list
	done
	;;

  *)
	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
	exit 3
esac

exit 0
Commit	Line	Data
6aa126ea	1	#!/bin/sh
	2	#
	3	# Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
	4	#
	5	# chkconfig: 2345 08 92
	6	#
	7	# description: Automates a packet filtering firewall with ip6tables.
	8	#
	9	# by bero@redhat.com, based on the ipchains script:
	10	# Script Author: Joshua Jensen <joshua@redhat.com>
	11	# -- hacked up by gafton with help from notting
	12	# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
	13	# modified by Nils Philippsen <nils@redhat.de>
	14	#
	15	# config: /etc/sysconfig/ip6tables
	16
674da384	17	IPTABLES_CONFIG=/etc/sysconfig/ip6tables
674da384	18	if [ ! -f $IPTABLES_CONFIG ]; then
df74bc70	19	case "$1" in
674da384 ER	20	start\|restart\|force-reload)
674da384 ER	21	exit 0
df74bc70	22	;;
674da384 ER	23	esac
	24	fi
	25
6aa126ea	26	# Source 'em up
	27	. /etc/rc.d/init.d/functions
	28
8c98cbae	29	if [ "$(kernelver)" -lt "002003000" ]; then
6aa126ea	30	exit 0
	31	fi
	32
8c98cbae	33	if /sbin/lsmod 2>/dev/null \| grep -q ipchains; then
6aa126ea	34	# Don't do both
	35	exit 0
	36	fi
	37
	38	iftable() {
e53dbed5	39	if fgrep -qsx $1 /proc/net/ip6_tables_names; then
6aa126ea	40	ip6tables -t "$@"
	41	fi
	42	}
	43
	44	start() {
	45	# don't do squat if we don't have the config file
	46	if [ -f $IPTABLES_CONFIG ]; then
8dd60b88 ER	47	# If we don't clear these first, we might be adding to
	48	# pre-existing rules.
	49	tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
eb27dd27	50	show "Flushing all current rules and user defined chains"
8dd60b88 ER	51	let ret=0
	52	for i in $tables; do ip6tables -t $i -F; let ret+=$?; done
	53	if [ $ret -eq 0 ]; then
	54	ok
	55	else
	56	fail
	57	fi
eb27dd27	58	show "Clearing all current rules and user defined chains"
8dd60b88 ER	59	let ret=0
	60	for i in $tables; do ip6tables -t $i -X; let ret+=$?; done
	61	if [ $ret -eq 0 ]; then
	62	ok
	63	else
	64	fail
	65	fi
	66
	67	for i in $tables; do ip6tables -t $i -Z; done
	68
eb27dd27	69	show "Applying ip6tables firewall rules"
6aa126ea	70	grep -v "^[[:space:]]#" $IPTABLES_CONFIG \| grep -v '^[[:space:]]$' \| /usr/sbin/ip6tables-restore -c && \
c5369a56	71	ok \|\| fail
8dd60b88	72	touch /var/lock/subsys/ip6tables
6aa126ea	73	fi
	74	}
	75
	76	stop() {
a2c2db2b	77	tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
c5369a56 ER	78	show "Flushing all chains"
	79	let ret=0
	80	for i in $tables; do ip6tables -t $i -F; let ret+=$?; done
	81	if [ $ret -eq 0 ]; then
	82	ok
	83	else
	84	fail
	85	fi
8dd60b88	86
c5369a56 ER	87	show "Removing user defined chains"
	88	let ret=0
	89	for i in $tables; do ip6tables -t $i -X; let ret+=$?; done
	90	if [ $ret -eq 0 ]; then
	91	ok
	92	else
	93	fail
	94	fi
	95	show "Resetting built-in chains to the default ACCEPT policy"
6aa126ea	96	iftable filter -P INPUT ACCEPT && \
c5369a56 ER	97	iftable filter -P OUTPUT ACCEPT && \
	98	iftable filter -P FORWARD ACCEPT && \
	99	iftable nat -P PREROUTING ACCEPT && \
	100	iftable nat -P POSTROUTING ACCEPT && \
	101	iftable nat -P OUTPUT ACCEPT && \
	102	iftable mangle -P PREROUTING ACCEPT && \
	103	iftable mangle -P OUTPUT ACCEPT && \
	104	ok \|\| fail
6aa126ea	105	rm -f /var/lock/subsys/ip6tables
	106	}
	107
df74bc70 ER	108	upstart_controlled --except status panic load save clear
df74bc70 ER	109
6aa126ea	110	case "$1" in
cf239a77	111	start\|load)
6aa126ea	112	start
	113	;;
	114
396a51c8	115	stop\|clear)
6aa126ea	116	stop
	117	;;
	118
	119	restart\|force-reload)
	120	# "restart" is really just "start" as this isn't a daemon,
	121	# and "start" clears any pre-defined rules anyway.
	122	# This is really only here to make those who expect it happy
	123	start
	124	;;
	125
6aa126ea	126	panic)
eb27dd27	127	show "Changing target policies to DROP"
6aa126ea	128	iftable filter -P INPUT DROP && \
c5369a56 ER	129	iftable filter -P FORWARD DROP && \
	130	iftable filter -P OUTPUT DROP && \
	131	iftable nat -P PREROUTING DROP && \
	132	iftable nat -P POSTROUTING DROP && \
	133	iftable nat -P OUTPUT DROP && \
	134	iftable mangle -P PREROUTING DROP && \
	135	iftable mangle -P OUTPUT DROP && \
	136	ok \|\| fail
	137	iftable filter -F INPUT && \
	138	iftable filter -F FORWARD && \
	139	iftable filter -F OUTPUT && \
	140	iftable nat -F PREROUTING && \
	141	iftable nat -F POSTROUTING && \
	142	iftable nat -F OUTPUT && \
	143	iftable mangle -F PREROUTING && \
	144	iftable mangle -F OUTPUT && \
	145	ok \|\| fail
	146	iftable filter -X INPUT && \
	147	iftable filter -X FORWARD && \
	148	iftable filter -X OUTPUT && \
	149	iftable nat -X PREROUTING && \
	150	iftable nat -X POSTROUTING && \
	151	iftable nat -X OUTPUT && \
	152	iftable mangle -X PREROUTING && \
	153	iftable mangle -X OUTPUT && \
	154	ok \|\| fail
	155	;;
6aa126ea	156
6aa126ea	157	save)
eb27dd27	158	show "Saving current rules to %s" $IPTABLES_CONFIG
6aa126ea	159	touch $IPTABLES_CONFIG
6aa126ea	160	chmod 600 $IPTABLES_CONFIG
c5369a56	161	/usr/sbin/ip6tables-save -c > $IPTABLES_CONFIG 2>/dev/null && ok \|\| fail
6aa126ea	162	;;
6aa126ea	163
396a51c8 ER	164	status)
	165	tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
	166	for table in $tables; do
	167	echo "Table: $table"
	168	ip6tables -t $table -n --list
	169	done
	170	;;
	171
6aa126ea	172	*)
396a51c8	173	msg_usage "$0 {start\|stop\|restart\|force-reload\|panic\|load\|save\|clear\|status}"
6aa126ea	174	exit 3
	175	esac
	176
	177	exit 0