3 # Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
5 # chkconfig: 2345 08 92
7 # description: Automates a packet filtering firewall with ip6tables.
9 # by bero@redhat.com, based on the ipchains script:
10 # Script Author: Joshua Jensen <joshua@redhat.com>
11 # -- hacked up by gafton with help from notting
12 # modified by Anton Altaparmakov <aia21@cam.ac.uk>:
13 # modified by Nils Philippsen <nils@redhat.de>
15 # config: /etc/sysconfig/ip6tables
18 . /etc/rc.d/init.d/functions
20 IPTABLES_CONFIG=/etc/sysconfig/ip6tables
22 if [ ! -x /usr/sbin/ip6tables ]; then
26 KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
27 KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
29 if [ "$KERNELMAJ" -lt 2 ] ; then
32 if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
38 if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
44 if fgrep -qsx $1 /proc/net/ip6_tables_names; then
50 # don't do squat if we don't have the config file
51 if [ -f $IPTABLES_CONFIG ]; then
52 # If we don't clear these first, we might be adding to
54 chains=`cat /proc/net/ip6_tables_names 2>/dev/null`
55 show "Flushing all current rules and user defined chains:"
57 for i in $chains; do ip6tables -t $i -F; let ret+=$?; done
60 if [ $ret -eq 0 ]; then
65 show "Clearing all current rules and user defined chains:"
67 for i in $chains; do ip6tables -t $i -X; let ret+=$?; done
70 if [ $ret -eq 0 ]; then
76 for i in $chains; do ip6tables -t $i -Z; done
78 show "Applying ip6tables firewall rules:"
79 grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/ip6tables-restore -c && \
82 touch /var/lock/subsys/ip6tables
87 chains=`cat /proc/net/ip6_tables_names 2>/dev/null`
88 show "Flushing all chains:"
90 for i in $chains; do ip6tables -t $i -F; let ret+=$?; done
91 ip6tables -F; let ret+=$?
92 if [ $ret -eq 0 ]; then
98 show "Removing user defined chains:"
100 for i in $chains; do ip6tables -t $i -X; let ret+=$?; done
101 ip6tables -X; let ret+=$?
102 if [ $ret -eq 0 ]; then
107 show "Resetting built-in chains to the default ACCEPT policy:"
108 iftable filter -P INPUT ACCEPT && \
109 iftable filter -P OUTPUT ACCEPT && \
110 iftable filter -P FORWARD ACCEPT && \
111 iftable nat -P PREROUTING ACCEPT && \
112 iftable nat -P POSTROUTING ACCEPT && \
113 iftable nat -P OUTPUT ACCEPT && \
114 iftable mangle -P PREROUTING ACCEPT && \
115 iftable mangle -P OUTPUT ACCEPT && \
118 rm -f /var/lock/subsys/ip6tables
130 restart|force-reload)
131 # "restart" is really just "start" as this isn't a daemon,
132 # and "start" clears any pre-defined rules anyway.
133 # This is really only here to make those who expect it happy
138 # [ -e /var/lock/subsys/ip6tables ] && start
142 tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
143 for table in $tables; do
145 ip6tables -t $table -n --list
150 show "Changing target policies to DROP: "
151 iftable filter -P INPUT DROP && \
152 iftable filter -P FORWARD DROP && \
153 iftable filter -P OUTPUT DROP && \
154 iftable nat -P PREROUTING DROP && \
155 iftable nat -P POSTROUTING DROP && \
156 iftable nat -P OUTPUT DROP && \
157 iftable mangle -P PREROUTING DROP && \
158 iftable mangle -P OUTPUT DROP && \
159 ok "Changing target policies to DROP" || \
160 fail "Changing target policies to DROP"
161 iftable filter -F INPUT && \
162 iftable filter -F FORWARD && \
163 iftable filter -F OUTPUT && \
164 iftable nat -F PREROUTING && \
165 iftable nat -F POSTROUTING && \
166 iftable nat -F OUTPUT && \
167 iftable mangle -F PREROUTING && \
168 iftable mangle -F OUTPUT && \
169 ok "Flushing all chains:" || \
170 fail "Flushing all chains:"
171 iftable filter -X INPUT && \
172 iftable filter -X FORWARD && \
173 iftable filter -X OUTPUT && \
174 iftable nat -X PREROUTING && \
175 iftable nat -X POSTROUTING && \
176 iftable nat -X OUTPUT && \
177 iftable mangle -X PREROUTING && \
178 iftable mangle -X OUTPUT && \
179 ok "Removing user defined chains:" || \
180 fail "Removing user defined chains:"
184 show "Saving current rules to $IPTABLES_CONFIG: "
185 touch $IPTABLES_CONFIG
186 chmod 600 $IPTABLES_CONFIG
187 /usr/sbin/ip6tables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
188 ok "Saving current rules to $IPTABLES_CONFIG" || \
189 fail "Saving current rules to $IPTABLES_CONFIG"
193 echo "Usage: $0 {start|stop|restart|force-reload|status|panic|save}"