3 # Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
5 # chkconfig: 2345 08 92
7 # description: Automates a packet filtering firewall with ip6tables.
9 # by bero@redhat.com, based on the ipchains script:
10 # Script Author: Joshua Jensen <joshua@redhat.com>
11 # -- hacked up by gafton with help from notting
12 # modified by Anton Altaparmakov <aia21@cam.ac.uk>:
13 # modified by Nils Philippsen <nils@redhat.de>
15 # config: /etc/sysconfig/ip6tables
17 IPTABLES_CONFIG=/etc/sysconfig/ip6tables
19 if [ ! -f $IPTABLES_CONFIG ]; then
21 start|restart|force-reload)
28 . /etc/rc.d/init.d/functions
30 if [ "$(kernelver)" -lt "002003000" ]; then
34 if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
40 if fgrep -qsx $1 /proc/net/ip6_tables_names; then
46 # don't do squat if we don't have the config file
47 if [ -f $IPTABLES_CONFIG ]; then
48 # If we don't clear these first, we might be adding to
50 tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
51 show "Flushing all current rules and user defined chains"
53 for i in $tables; do ip6tables -t $i -F; let ret+=$?; done
54 if [ $ret -eq 0 ]; then
59 show "Clearing all current rules and user defined chains"
61 for i in $tables; do ip6tables -t $i -X; let ret+=$?; done
62 if [ $ret -eq 0 ]; then
68 for i in $tables; do ip6tables -t $i -Z; done
70 show "Applying ip6tables firewall rules"
71 grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/ip6tables-restore -c && \
73 touch /var/lock/subsys/ip6tables
78 tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
79 show "Flushing all chains"
81 for i in $tables; do ip6tables -t $i -F; let ret+=$?; done
82 if [ $ret -eq 0 ]; then
88 show "Removing user defined chains"
90 for i in $tables; do ip6tables -t $i -X; let ret+=$?; done
91 if [ $ret -eq 0 ]; then
96 show "Resetting built-in chains to the default ACCEPT policy"
97 iftable filter -P INPUT ACCEPT && \
98 iftable filter -P OUTPUT ACCEPT && \
99 iftable filter -P FORWARD ACCEPT && \
100 iftable nat -P PREROUTING ACCEPT && \
101 iftable nat -P POSTROUTING ACCEPT && \
102 iftable nat -P OUTPUT ACCEPT && \
103 iftable mangle -P PREROUTING ACCEPT && \
104 iftable mangle -P OUTPUT ACCEPT && \
106 rm -f /var/lock/subsys/ip6tables
118 restart|force-reload)
119 # "restart" is really just "start" as this isn't a daemon,
120 # and "start" clears any pre-defined rules anyway.
121 # This is really only here to make those who expect it happy
126 show "Changing target policies to DROP"
127 iftable filter -P INPUT DROP && \
128 iftable filter -P FORWARD DROP && \
129 iftable filter -P OUTPUT DROP && \
130 iftable nat -P PREROUTING DROP && \
131 iftable nat -P POSTROUTING DROP && \
132 iftable nat -P OUTPUT DROP && \
133 iftable mangle -P PREROUTING DROP && \
134 iftable mangle -P OUTPUT DROP && \
136 iftable filter -F INPUT && \
137 iftable filter -F FORWARD && \
138 iftable filter -F OUTPUT && \
139 iftable nat -F PREROUTING && \
140 iftable nat -F POSTROUTING && \
141 iftable nat -F OUTPUT && \
142 iftable mangle -F PREROUTING && \
143 iftable mangle -F OUTPUT && \
145 iftable filter -X INPUT && \
146 iftable filter -X FORWARD && \
147 iftable filter -X OUTPUT && \
148 iftable nat -X PREROUTING && \
149 iftable nat -X POSTROUTING && \
150 iftable nat -X OUTPUT && \
151 iftable mangle -X PREROUTING && \
152 iftable mangle -X OUTPUT && \
157 show "Saving current rules to %s" $IPTABLES_CONFIG
158 touch $IPTABLES_CONFIG
159 chmod 600 $IPTABLES_CONFIG
160 /usr/sbin/ip6tables-save -c > $IPTABLES_CONFIG 2>/dev/null && ok || fail
164 tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
165 for table in $tables; do
167 ip6tables -t $table -n --list
172 msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"