#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with ip6tables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/ip6tables

IPTABLES_CONFIG=/etc/sysconfig/ip6tables

# Without a rule set there is nothing to load, so the actions that would
# apply it succeed silently.  Every other action (stop, panic, save, ...)
# still runs and is handled below.
case "$1" in
  start|restart|force-reload)
    [ -f "$IPTABLES_CONFIG" ] || exit 0
    ;;
esac
# Source 'em up: the helpers used below (kernelver, is_yes, show/ok/fail,
# msg_usage, upstart_controlled) are presumably defined in this file.
. /etc/rc.d/init.d/functions

# ip6tables needs a sufficiently recent kernel; quietly do nothing otherwise.
[ "$(kernelver)" -lt "002003000" ] && exit 0

# Don't do both: bail out when the ipchains module is loaded.
/sbin/lsmod 2>/dev/null | grep -q ipchains && exit 0
# Defaults; /etc/sysconfig/ip6tables-config may override any of them.
IP6TABLES_SAVE_ON_STOP="no"
IP6TABLES_SAVE_COUNTER="no"
IP6TABLES_STATUS_NUMERIC="yes"
IP6TABLES_STATUS_VERBOSE="no"
IP6TABLES_STATUS_LINENUMBERS="yes"
if [ -f /etc/sysconfig/ip6tables-config ]; then
  # Sourced, not parsed: that file runs as shell code with this script's
  # privileges, so it must be as trustworthy as the script itself.
  . /etc/sysconfig/ip6tables-config
fi

# Option handed to ip6tables-save/-restore; "-c" keeps the counters.
if is_yes $IP6TABLES_SAVE_COUNTER; then
  _SAVEOPT="-c"
else
  _SAVEOPT=
fi
# "--quiet" as the first argument silences the progress reporting: the
# helpers become no-ops, with fail still signalling failure via its status.
case "$1" in
  --quiet)
    shift
    show() { return 0; }
    ok() { return 0; }
    fail() { return 1; }
    ;;
esac
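#######################################
# Run ip6tables against a table only if the kernel currently has it.
# Arguments: $1 - table name (filter, nat, mangle, ...); all remaining
#            arguments are passed to ip6tables after "-t <table>"
# Returns:   ip6tables' status when the table exists; 0 (nothing done) when
#            it does not, so && chains in the callers are not tripped by a
#            table the running kernel simply lacks
#######################################
iftable() {
  # -x: whole-line match, -s: a missing names file is a silent "no",
  # --: a table name starting with "-" is never taken as a grep option.
  if grep -Fqsx -- "$1" /proc/net/ip6_tables_names; then
    ip6tables -t "$@"
  fi
}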
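#######################################
# Load the rule set from $IPTABLES_CONFIG, replacing whatever is active.
# Globals:   IPTABLES_CONFIG (read), _SAVEOPT (read); tables, ret, i (written)
# Outputs:   progress via show/ok/fail; creates /var/lock/subsys/ip6tables
# Returns:   0 when there is no config file (nothing to do), otherwise the
#            status of the final touch
#######################################
start() {
  # don't do squat if we don't have the config file
  [ -f "$IPTABLES_CONFIG" ] || return 0

  # If we don't clear these first, we might be adding to pre-existing rules.
  tables=$(cat /proc/net/ip6_tables_names 2>/dev/null)

  # Each loop sums the ip6tables exit codes (POSIX arithmetic, no "let").
  show "Flushing all current rules and user defined chains"
  ret=0
  for i in $tables; do
    ip6tables -t "$i" -F
    ret=$((ret + $?))
  done
  if [ "$ret" -eq 0 ]; then ok; else fail; fi

  show "Clearing all current rules and user defined chains"
  ret=0
  for i in $tables; do
    ip6tables -t "$i" -X
    ret=$((ret + $?))
  done
  if [ "$ret" -eq 0 ]; then ok; else fail; fi

  # Zero the counters; failures here are not reported.
  for i in $tables; do ip6tables -t "$i" -Z; done

  # Comment and blank lines are stripped before the file reaches
  # ip6tables-restore.  $_SAVEOPT is empty or "-c" and is left unquoted on
  # purpose so an empty value contributes no argument.
  show "Applying ip6tables firewall rules"
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$IPTABLES_CONFIG" \
    | /usr/sbin/ip6tables-restore $_SAVEOPT && ok || fail
  # The lock file is created even when the restore failed (as before); by
  # then the tables have already been flushed, so only the built-in chains'
  # policies are still in force.
  touch /var/lock/subsys/ip6tables
}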
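#######################################
# Tear the firewall down: flush every table, delete the user-defined chains
# and put the built-in chains back to ACCEPT.  Afterwards nothing is
# filtered, which is the intended meaning of "stop" and "clear".
# Globals:   tables, ret, i (written)
# Outputs:   progress via show/ok/fail; removes /var/lock/subsys/ip6tables
# Returns:   status of the final rm
#######################################
stop() {
  tables=$(cat /proc/net/ip6_tables_names 2>/dev/null)

  # Each loop sums the ip6tables exit codes (POSIX arithmetic, no "let").
  show "Flushing all chains"
  ret=0
  for i in $tables; do
    ip6tables -t "$i" -F
    ret=$((ret + $?))
  done
  if [ "$ret" -eq 0 ]; then ok; else fail; fi

  show "Removing user defined chains"
  ret=0
  for i in $tables; do
    ip6tables -t "$i" -X
    ret=$((ret + $?))
  done
  if [ "$ret" -eq 0 ]; then ok; else fail; fi

  # Policies are reset after the flush, so a DROP policy stays in force
  # while the rules disappear.  Only the chains listed here are touched;
  # mangle INPUT/FORWARD/POSTROUTING keep whatever policy they had
  # (unchanged from the original -- TODO confirm whether they belong here).
  show "Resetting built-in chains to the default ACCEPT policy"
  iftable filter -P INPUT ACCEPT && \
  iftable filter -P OUTPUT ACCEPT && \
  iftable filter -P FORWARD ACCEPT && \
  iftable nat -P PREROUTING ACCEPT && \
  iftable nat -P POSTROUTING ACCEPT && \
  iftable nat -P OUTPUT ACCEPT && \
  iftable mangle -P PREROUTING ACCEPT && \
  iftable mangle -P OUTPUT ACCEPT && \
  ok || fail
  rm -f /var/lock/subsys/ip6tables
}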
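#######################################
# Write the active rule set to $IPTABLES_CONFIG.
# Globals:   IPTABLES_CONFIG (read), _SAVEOPT (read); tmp (written)
# Outputs:   progress via show/ok/fail
# Returns:   ok's status on success; 1 (after fail) when the temp file could
#            not be created, and fail's status when ip6tables-save or the
#            rename failed -- the previous config is left untouched then
#######################################
save() {
  show "Saving current rules to %s" "$IPTABLES_CONFIG"
  # Dump into a sibling temp file and rename it into place only on success:
  # writing straight to the config truncated it before ip6tables-save ran,
  # so a failed save emptied the rule set that start() would load next.
  # mktemp creates the file mode 0600, so the rules are never readable by
  # others, not even between the old "touch" and "chmod".
  tmp=$(mktemp "${IPTABLES_CONFIG}.XXXXXX" 2>/dev/null) || { fail; return 1; }
  chmod 600 "$tmp"
  # $_SAVEOPT is empty or "-c"; unquoted so an empty value adds no argument.
  if /usr/sbin/ip6tables-save $_SAVEOPT > "$tmp" 2>/dev/null \
     && mv -f -- "$tmp" "$IPTABLES_CONFIG"; then
    ok
  else
    rm -f -- "$tmp"
    fail
  fi
}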
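# upstart_controlled comes from the sourced functions file; presumably it
# hands every action not listed after --except to an upstart job -- confirm
# there.
upstart_controlled --except status panic load save clear

case "$1" in
  start|load)
    start
    ;;
  stop)
    is_yes $IP6TABLES_SAVE_ON_STOP && save
    stop
    ;;
  clear)
    stop
    ;;
  restart|force-reload)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    start
    ;;
  panic)
    # Fail closed: the filter policies go to DROP *before* any rule is
    # flushed, so no packet is accepted at any point of the teardown.
    show "Changing target policies to DROP"
    iftable filter -P INPUT DROP && \
    iftable filter -P FORWARD DROP && \
    iftable filter -P OUTPUT DROP && \
    iftable nat -P PREROUTING DROP && \
    iftable nat -P POSTROUTING DROP && \
    iftable nat -P OUTPUT DROP && \
    iftable mangle -P PREROUTING DROP && \
    iftable mangle -P OUTPUT DROP && \
    ok || fail
    iftable filter -F INPUT && \
    iftable filter -F FORWARD && \
    iftable filter -F OUTPUT && \
    iftable nat -F PREROUTING && \
    iftable nat -F POSTROUTING && \
    iftable nat -F OUTPUT && \
    iftable mangle -F PREROUTING && \
    iftable mangle -F OUTPUT && \
    ok || fail
    # Delete the user-defined chains of each table.  -X takes an optional
    # chain name and is not valid for built-in chains, so it is called once
    # per table without a name (as stop() does); naming INPUT etc. here made
    # the first call fail and reported "fail" every time.
    iftable filter -X && \
    iftable nat -X && \
    iftable mangle -X && \
    ok || fail
    ;;
  save)
    save
    ;;
  status)
    # Start from empty so nothing inherited from the environment leaks into
    # the ip6tables command line.
    _NUMERIC= _VERBOSE= _LINES=
    is_yes $IP6TABLES_STATUS_NUMERIC && _NUMERIC="-n"
    is_yes $IP6TABLES_STATUS_VERBOSE && _VERBOSE="--verbose"
    is_yes $IP6TABLES_STATUS_LINENUMBERS && _LINES="--line-numbers"
    tables=$(cat /proc/net/ip6_tables_names 2>/dev/null)
    for table in $tables; do
      echo "Table: $table"
      # Each option variable is empty or a single flag; left unquoted on
      # purpose so an empty one contributes no argument.
      ip6tables -t "$table" --list $_NUMERIC $_VERBOSE $_LINES
    done
    ;;
  *)
    msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
    exit 3
esac

exit 0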