projects / packages / iptables.git / blame
| Commit | Line | Data |
|---|---|---|
| 6aa126ea | 1 | #!/bin/sh |
| 2 | # | |
| 3 | # Startup script to implement /etc/sysconfig/ip6tables pre-defined rules. | |
| 4 | # | |
| 5 | # chkconfig: 2345 08 92 | |
| 6 | # | |
| 7 | # description: Automates a packet filtering firewall with ip6tables. | |
| 8 | # | |
| 9 | # by bero@redhat.com, based on the ipchains script: | |
| 10 | # Script Author: Joshua Jensen <joshua@redhat.com> | |
| 11 | # -- hacked up by gafton with help from notting | |
| 12 | # modified by Anton Altaparmakov <aia21@cam.ac.uk>: | |
| 13 | # modified by Nils Philippsen <nils@redhat.de> | |
| 14 | # | |
| 15 | # config: /etc/sysconfig/ip6tables | |
| 16 | ||
| 674da384 | 17 | IPTABLES_CONFIG=/etc/sysconfig/ip6tables |
| 674da384 | 18 | if [ ! -f $IPTABLES_CONFIG ]; then |
| df74bc70 | 19 | case "$1" in |
| 674da384 ER |
20 | start|restart|force-reload) |
| 21 | exit 0 | |
| df74bc70 | 22 | ;; |
| 674da384 ER |
23 | esac |
| 24 | fi | |
| 25 | ||
| 6aa126ea | 26 | # Source 'em up |
| 27 | . /etc/rc.d/init.d/functions | |
| 28 | ||
| 8c98cbae | 29 | if [ "$(kernelver)" -lt "002003000" ]; then |
| 6aa126ea | 30 | exit 0 |
| 31 | fi | |
| 32 | ||
| 8c98cbae | 33 | if /sbin/lsmod 2>/dev/null | grep -q ipchains; then |
| 6aa126ea | 34 | # Don't do both |
| 35 | exit 0 | |
| 36 | fi | |
| 37 | ||
| a94df067 JR |
38 | IP6TABLES_SAVE_ON_STOP="no" |
| 39 | IP6TABLES_SAVE_COUNTER="no" | |
| 40 | IP6TABLES_STATUS_NUMERIC="yes" | |
| 41 | IP6TABLES_STATUS_VERBOSE="no" | |
| 42 | IP6TABLES_STATUS_LINENUMBERS="yes" | |
| 43 | [ -f /etc/sysconfig/ip6tables-config ] && . /etc/sysconfig/ip6tables-config | |
| 44 | _SAVEOPT= | |
| 45 | is_yes $IP6TABLES_SAVE_COUNTER && _SAVEOPT="-c" | |
| 46 | ||
| 28c4b6ff JR |
47 | if [ "$1" = "--quiet" ]; then |
| 48 | shift | |
| 49 | show() { return 0; } | |
| 50 | ok() { return 0; } | |
| 51 | fail() { return 1; } | |
| 52 | fi | |
| 53 | ||
| 6aa126ea | 54 | iftable() { |
| e53dbed5 | 55 | if fgrep -qsx $1 /proc/net/ip6_tables_names; then |
| 6aa126ea | 56 | ip6tables -t "$@" |
| 57 | fi | |
| 58 | } | |
| 59 | ||
| 60 | start() { | |
| 61 | # don't do squat if we don't have the config file | |
| 62 | if [ -f $IPTABLES_CONFIG ]; then | |
| 8dd60b88 ER |
63 | # If we don't clear these first, we might be adding to |
| 64 | # pre-existing rules. | |
| 65 | tables=`cat /proc/net/ip6_tables_names 2>/dev/null` | |
| eb27dd27 | 66 | show "Flushing all current rules and user defined chains" |
| 8dd60b88 ER |
67 | let ret=0 |
| 68 | for i in $tables; do ip6tables -t $i -F; let ret+=$?; done | |
| 69 | if [ $ret -eq 0 ]; then | |
| 70 | ok | |
| 71 | else | |
| 72 | fail | |
| 73 | fi | |
| eb27dd27 | 74 | show "Clearing all current rules and user defined chains" |
| 8dd60b88 ER |
75 | let ret=0 |
| 76 | for i in $tables; do ip6tables -t $i -X; let ret+=$?; done | |
| 77 | if [ $ret -eq 0 ]; then | |
| 78 | ok | |
| 79 | else | |
| 80 | fail | |
| 81 | fi | |
| 82 | ||
| 83 | for i in $tables; do ip6tables -t $i -Z; done | |
| 84 | ||
| eb27dd27 | 85 | show "Applying ip6tables firewall rules" |
| a94df067 | 86 | grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/ip6tables-restore $_SAVEOPT && \ |
| c5369a56 | 87 | ok || fail |
| 8dd60b88 | 88 | touch /var/lock/subsys/ip6tables |
| 6aa126ea | 89 | fi |
| 90 | } | |
| 91 | ||
| 92 | stop() { | |
| a2c2db2b | 93 | tables=`cat /proc/net/ip6_tables_names 2>/dev/null` |
| c5369a56 ER |
94 | show "Flushing all chains" |
| 95 | let ret=0 | |
| 96 | for i in $tables; do ip6tables -t $i -F; let ret+=$?; done | |
| 97 | if [ $ret -eq 0 ]; then | |
| 98 | ok | |
| 99 | else | |
| 100 | fail | |
| 101 | fi | |
| 8dd60b88 | 102 | |
| c5369a56 ER |
103 | show "Removing user defined chains" |
| 104 | let ret=0 | |
| 105 | for i in $tables; do ip6tables -t $i -X; let ret+=$?; done | |
| 106 | if [ $ret -eq 0 ]; then | |
| 107 | ok | |
| 108 | else | |
| 109 | fail | |
| 110 | fi | |
| 111 | show "Resetting built-in chains to the default ACCEPT policy" | |
| 6aa126ea | 112 | iftable filter -P INPUT ACCEPT && \ |
| c5369a56 ER |
113 | iftable filter -P OUTPUT ACCEPT && \ |
| 114 | iftable filter -P FORWARD ACCEPT && \ | |
| 115 | iftable nat -P PREROUTING ACCEPT && \ | |
| 116 | iftable nat -P POSTROUTING ACCEPT && \ | |
| 117 | iftable nat -P OUTPUT ACCEPT && \ | |
| 118 | iftable mangle -P PREROUTING ACCEPT && \ | |
| 119 | iftable mangle -P OUTPUT ACCEPT && \ | |
| 120 | ok || fail | |
| 6aa126ea | 121 | rm -f /var/lock/subsys/ip6tables |
| 122 | } | |
| 123 | ||
| a94df067 JR |
124 | save() { |
| 125 | show "Saving current rules to %s" $IPTABLES_CONFIG | |
| 126 | touch $IPTABLES_CONFIG | |
| 127 | chmod 600 $IPTABLES_CONFIG | |
| 128 | /usr/sbin/ip6tables-save $_SAVEOPT > $IPTABLES_CONFIG 2>/dev/null && ok || fail | |
| 129 | } | |
| 130 | ||
| df74bc70 ER |
131 | upstart_controlled --except status panic load save clear |
| 132 | ||
| 6aa126ea | 133 | case "$1" in |
| cf239a77 | 134 | start|load) |
| 6aa126ea | 135 | start |
| 136 | ;; | |
| a94df067 JR |
137 | stop) |
| 138 | is_yes $IP6TABLES_SAVE_ON_STOP && save | |
| 139 | stop | |
| 140 | ;; | |
| 141 | clear) | |
| 6aa126ea | 142 | stop |
| 143 | ;; | |
| 6aa126ea | 144 | restart|force-reload) |
| 145 | # "restart" is really just "start" as this isn't a daemon, | |
| 146 | # and "start" clears any pre-defined rules anyway. | |
| 147 | # This is really only here to make those who expect it happy | |
| 148 | start | |
| 149 | ;; | |
| 6aa126ea | 150 | panic) |
| eb27dd27 | 151 | show "Changing target policies to DROP" |
| 6aa126ea | 152 | iftable filter -P INPUT DROP && \ |
| c5369a56 ER |
153 | iftable filter -P FORWARD DROP && \ |
| 154 | iftable filter -P OUTPUT DROP && \ | |
| 155 | iftable nat -P PREROUTING DROP && \ | |
| 156 | iftable nat -P POSTROUTING DROP && \ | |
| 157 | iftable nat -P OUTPUT DROP && \ | |
| 158 | iftable mangle -P PREROUTING DROP && \ | |
| 159 | iftable mangle -P OUTPUT DROP && \ | |
| 160 | ok || fail | |
| 161 | iftable filter -F INPUT && \ | |
| 162 | iftable filter -F FORWARD && \ | |
| 163 | iftable filter -F OUTPUT && \ | |
| 164 | iftable nat -F PREROUTING && \ | |
| 165 | iftable nat -F POSTROUTING && \ | |
| 166 | iftable nat -F OUTPUT && \ | |
| 167 | iftable mangle -F PREROUTING && \ | |
| 168 | iftable mangle -F OUTPUT && \ | |
| 169 | ok || fail | |
| 170 | iftable filter -X INPUT && \ | |
| 171 | iftable filter -X FORWARD && \ | |
| 172 | iftable filter -X OUTPUT && \ | |
| 173 | iftable nat -X PREROUTING && \ | |
| 174 | iftable nat -X POSTROUTING && \ | |
| 175 | iftable nat -X OUTPUT && \ | |
| 176 | iftable mangle -X PREROUTING && \ | |
| 177 | iftable mangle -X OUTPUT && \ | |
| 178 | ok || fail | |
| 179 | ;; | |
| 6aa126ea | 180 | save) |
| a94df067 | 181 | save |
| 6aa126ea | 182 | ;; |
| 396a51c8 | 183 | status) |
| a94df067 JR |
184 | is_yes $IP6TABLES_STATUS_NUMERIC && _NUMERIC="-n" |
| 185 | is_yes $IP6TABLES_STATUS_VERBOSE && _VERBOSE="--verbose" | |
| 186 | is_yes $IP6TABLES_STATUS_LINENUMBERS && _LINES="--line-numbers" | |
| 396a51c8 ER |
187 | tables=`cat /proc/net/ip6_tables_names 2>/dev/null` |
| 188 | for table in $tables; do | |
| 189 | echo "Table: $table" | |
| 53ff372c | 190 | ip6tables -t $table --list $_NUMERIC $_VERBOSE $_LINES |
| 396a51c8 ER |
191 | done |
| 192 | ;; | |
| 6aa126ea | 193 | *) |
| 396a51c8 | 194 | msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}" |
| 6aa126ea | 195 | exit 3 |
| 196 | esac | |
| 197 | ||
| 198 | exit 0 |