Contents of /cauldron/iptables/current/SOURCES/ip6tables.init

Revision 590 - (show annotations) (download)
Sat Jan 8 13:46:14 2011 UTC (13 years, 3 months ago) by blino
File size: 5157 byte(s)
imported package iptables
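#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ip6tables pre-defined rules.
#
# chkconfig: 2345 03 92
#
# description: Automates a packet filtering firewall with ip6tables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
# -- changed to ip6tables by Ben Reser <ben@reser.org>
#
# config: /etc/sysconfig/ip6tables
#
### BEGIN INIT INFO
# Provides: ip6tables firewall
# Default-Start: 2 3 4 5
# Short-Description: iptables packet filtering
# Description: Automates a packet filtering firewall with ip6tables,
# using /etc/sysconfig/ip6tables pre-defined rules.
### END INIT INFO

# Source 'em up: provides the success/failure helpers used below.
. /etc/init.d/functions

# Rule set read by ip6tables-restore on start and written by 'save'.
IPTABLES_CONFIG=/etc/sysconfig/ip6tables

# Nothing to do on a host without the ip6tables binary; leave quietly
# so the rc system does not report a failed service.
if [ ! -x /sbin/ip6tables ]; then
  exit 0
fi

# Major and minor number of the running kernel: the major is everything
# before the first '.', the minor is everything between the first and
# second '.'. (A minor like "0-rc1" is possible if there is no second
# dot, which would make the numeric test below complain.)
KERNELMAJ=$(uname -r | sed -e 's,\..*,,')
KERNELMIN=$(uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,')

# netfilter/ip6tables requires kernel 2.3 or later.
if [ "$KERNELMAJ" -lt 2 ]; then
  exit 0
fi
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 3 ]; then
  exit 0
fi

# Don't do both: never run alongside a loaded ipchains module.
if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
  exit 0
fi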
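#######################################
# Run an ip6tables command against a table, but only when that table is
# currently registered in the kernel (listed in /proc/net/ip6_tables_names).
# Does nothing otherwise, so stop/panic also work on hosts that never
# loaded e.g. the nat or mangle module.
# Arguments: $1 - table name; the remaining arguments follow "-t $1"
# Returns:   exit status of ip6tables, or 0 when the table is not loaded
#######################################
iftable() {
  # -F fixed string, -x whole line: "nat" must not match a longer name.
  # -s keeps the check silent when the proc file does not exist.
  if grep -Fqsx -- "$1" /proc/net/ip6_tables_names; then
    ip6tables -t "$@"
  fi
}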
57
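#######################################
# Load the saved rule set with ip6tables-restore.
# Does nothing when the config file is absent. Comment lines and blank
# lines are filtered out before the file is fed to ip6tables-restore.
# Globals:   IPTABLES_CONFIG (read)
# Outputs:   progress line plus success/failure from /etc/init.d/functions
# Returns:   0 (status of the restore is only reported, not propagated)
#######################################
start() {
  # don't do squat if we don't have the config file
  if [ -f "$IPTABLES_CONFIG" ]; then
    # We do not need to flush/clear anything if using ip6tables-restore
    echo $"Applying ip6tables firewall rules: "
    if grep -v "^[[:space:]]*#" "$IPTABLES_CONFIG" \
        | grep -v '^[[:space:]]*$' \
        | /sbin/ip6tables-restore -c; then
      success $"Applying ip6tables firewall rules"
    else
      failure $"Applying ip6tables firewall rules"
    fi
    echo
    # The subsys lock is taken even when the restore failed, so that
    # condrestart and the shutdown-time stop still run for this service.
    touch /var/lock/subsys/ip6tables
  fi
}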
70
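#######################################
# Flush all rules, delete user-defined chains and reset the built-in
# chain policies to ACCEPT in every table the kernel has loaded.
# Note: afterwards the host accepts all IPv6 traffic.
# Globals:   chains (written: whitespace-separated list of loaded tables)
#            rv     (written: scratch status)
# Outputs:   status lines via success/failure from /etc/init.d/functions
# Returns:   0
#######################################
stop() {
  # One table name per line; empty when the ip6_tables module is not loaded.
  chains=$(cat /proc/net/ip6_tables_names 2>/dev/null)

  # Flush every table. The status is tracked across the whole loop rather
  # than taken from the last iteration only, so a failure on one table is
  # not masked by a later success.
  rv=0
  # shellcheck disable=SC2086 -- word splitting on $chains is intended
  for i in $chains; do ip6tables -t "$i" -F || rv=1; done
  if [ "$rv" -eq 0 ]; then
    success $"Flushing all chains:"
  else
    failure $"Flushing all chains:"
  fi

  rv=0
  # shellcheck disable=SC2086 -- word splitting on $chains is intended
  for i in $chains; do ip6tables -t "$i" -X || rv=1; done
  if [ "$rv" -eq 0 ]; then
    success $"Removing user defined chains:"
  else
    failure $"Removing user defined chains:"
  fi

  echo -n $"Resetting built-in chains to the default ACCEPT policy:"
  # iftable skips tables that are not loaded, so a missing nat or mangle
  # module does not count as a failure here.
  if iftable filter -P INPUT ACCEPT &&
     iftable filter -P OUTPUT ACCEPT &&
     iftable filter -P FORWARD ACCEPT &&
     iftable nat -P PREROUTING ACCEPT &&
     iftable nat -P POSTROUTING ACCEPT &&
     iftable nat -P OUTPUT ACCEPT &&
     iftable mangle -P PREROUTING ACCEPT &&
     iftable mangle -P OUTPUT ACCEPT; then
    success $"Resetting built-in chains to the default ACCEPT policy"
  else
    failure $"Resetting built-in chains to the default ACCEPT policy"
  fi
  echo
  rm -f /var/lock/subsys/ip6tables
}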
93
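# Dispatch on the requested action. All arms fall through to the final
# 'exit 0' except the usage error, which exits 1.
case "$1" in
  start)
    start
    ;;

  stop)
    stop
    ;;

  restart|reload)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    start
    ;;

  condrestart)
    # Only re-apply the rules if the service had been started before
    # (the subsys lock is created by start and removed by stop).
    [ -e /var/lock/subsys/ip6tables ] && start
    ;;

  status)
    # One loaded table per line; empty when ip6_tables is not loaded.
    tables=$(cat /proc/net/ip6_tables_names 2>/dev/null)
    # shellcheck disable=SC2086 -- word splitting on $tables is intended
    for table in $tables; do
      echo $"Table: $table"
      ip6tables -t "$table" --list
    done
    ;;

  panic)
    echo -n $"Changing target policies to DROP: "
    # Policies are switched to DROP first so that the flush below never
    # runs while an ACCEPT policy is in place.
    # NOTE(review): mangle INPUT/FORWARD/POSTROUTING and the raw table
    # are not touched by any of the three blocks here -- confirm whether
    # that is intended for the kernels this targets.
    if iftable filter -P INPUT DROP &&
       iftable filter -P FORWARD DROP &&
       iftable filter -P OUTPUT DROP &&
       iftable nat -P PREROUTING DROP &&
       iftable nat -P POSTROUTING DROP &&
       iftable nat -P OUTPUT DROP &&
       iftable mangle -P PREROUTING DROP &&
       iftable mangle -P OUTPUT DROP; then
      success $"Changing target policies to DROP"
    else
      failure $"Changing target policies to DROP"
    fi
    echo
    if iftable filter -F INPUT &&
       iftable filter -F FORWARD &&
       iftable filter -F OUTPUT &&
       iftable nat -F PREROUTING &&
       iftable nat -F POSTROUTING &&
       iftable nat -F OUTPUT &&
       iftable mangle -F PREROUTING &&
       iftable mangle -F OUTPUT; then
      success $"Flushing all chains:"
    else
      failure $"Flushing all chains:"
    fi
    if iftable filter -X INPUT &&
       iftable filter -X FORWARD &&
       iftable filter -X OUTPUT &&
       iftable nat -X PREROUTING &&
       iftable nat -X POSTROUTING &&
       iftable nat -X OUTPUT &&
       iftable mangle -X PREROUTING &&
       iftable mangle -X OUTPUT; then
      success $"Removing user defined chains:"
    else
      failure $"Removing user defined chains:"
    fi
    ;;

  save)
    echo -n $"Saving current rules to $IPTABLES_CONFIG: "
    # Dump into a private (mode 0600 from creation) temp file beside the
    # config and rename it into place only on success, so a failing
    # ip6tables-save cannot leave an empty or truncated rule set behind
    # to be restored on the next boot.
    tmp=$(mktemp "$IPTABLES_CONFIG.XXXXXX" 2>/dev/null)
    if [ -n "$tmp" ] &&
       /sbin/ip6tables-save -c > "$tmp" 2>/dev/null &&
       chmod 600 "$tmp" &&
       mv -f -- "$tmp" "$IPTABLES_CONFIG"; then
      success $"Saving current rules to $IPTABLES_CONFIG"
    else
      [ -n "$tmp" ] && rm -f -- "$tmp"
      failure $"Saving current rules to $IPTABLES_CONFIG"
    fi
    echo
    ;;

  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
    exit 1
esac

exit 0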
