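#!/bin/sh
#
# ip6tables	Start ip6tables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves ip6tables firewall
#
# config: /etc/sysconfig/ip6tables
# config: /etc/sysconfig/ip6tables-config
#
# NOTE: although the shebang is /bin/sh, this script uses bash-only
# constructs ($"..." message catalogs, local) and sources
# /etc/init.d/functions, which is itself bash-only. On Red Hat systems
# /bin/sh is bash.

# Source function library (provides success, failure, warning).
. /etc/init.d/functions

IP6TABLES=ip6tables
IP6TABLES_DATA=/etc/sysconfig/$IP6TABLES
IP6TABLES_CONFIG=/etc/sysconfig/${IP6TABLES}-config
IPV=${IP6TABLES%tables}                       # ip for ipv4 | ip6 for ipv6
PROC_IP6TABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IP6TABLES=/var/lock/subsys/$IP6TABLES

if [ ! -x "/sbin/$IP6TABLES" ]; then
    echo -n $"/sbin/$IP6TABLES does not exist."; warning; echo
    exit 0
fi

if lsmod 2>/dev/null | grep -q ipchains ; then
    echo -n $"ipchains and $IP6TABLES can not be used together."; warning; echo
    exit 1
fi

# Old or new modutils: module-init-tools (2.6 kernels) identifies itself in
# its version banner and has a different lsmod output format (see rmmod_r).
if /sbin/modprobe --version 2>&1 | grep -q module-init-tools; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi

# Default firewall configuration; every value may be overridden from
# $IP6TABLES_CONFIG. The two STATUS_* flags below default to "no" so that
# status() never consults an unset variable.
IP6TABLES_MODULES=""
IP6TABLES_MODULES_UNLOAD="yes"
IP6TABLES_SAVE_ON_STOP="no"
IP6TABLES_SAVE_ON_RESTART="no"
IP6TABLES_SAVE_COUNTER="no"
IP6TABLES_STATUS_NUMERIC="yes"
IP6TABLES_STATUS_VERBOSE="no"
IP6TABLES_STATUS_LINENUMBERS="no"

# Load firewall configuration.
[ -f "$IP6TABLES_CONFIG" ] && . "$IP6TABLES_CONFIG"

#######################################
# Unload kernel module $1 together with every module that refers to it.
# Referring modules are unloaded first (recursively), then the module
# itself.
# Globals:   NEW_MODUTILS (read)
# Arguments: $1 - module name; matched as a *prefix* of lsmod/proc output,
#            and interpolated into an awk regex, so callers pass fixed
#            module names only (this script passes ip6_tables and
#            ip6_conntrack).
# Returns:   the sum of the failed unload statuses (0 = all unloaded)
#######################################
rmmod_r() {
    local mod=$1
    local ret=0
    local ref=
    local i

    # Get referring modules. New modutils have another output format:
    # the fourth column is a comma-separated list of users.
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod}" | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi

    # Recursive call for all referring modules ($ref is a whitespace
    # separated list, so it is deliberately unquoted).
    for i in $ref; do
        rmmod_r "$i"
        ret=$((ret + $?))
    done

    # Unload module. The extra test is for 2.6: the module might have been
    # autocleaned after all referring modules were unloaded.
    if grep -q "^${mod}" /proc/modules ; then
        modprobe -r "$mod" > /dev/null 2>&1
        ret=$((ret + $?))
    fi
    return $ret
}

#######################################
# Flush firewall rules, delete user-defined chains and zero the counters
# of every loaded table.
# Globals:   PROC_IP6TABLES_NAMES, IP6TABLES (read)
# Returns:   1 if the ip6tables module is not loaded or has no tables,
#            otherwise the number of failed ip6tables invocations
#######################################
flush_n_delete() {
    local tables i ret=0

    [ -e "$PROC_IP6TABLES_NAMES" ] || return 1

    # Check if firewall is configured (has tables).
    tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"Flushing firewall rules: "
    # $tables is a whitespace separated list of table names from the kernel.
    for i in $tables; do
        # Flush firewall rules.
        $IP6TABLES -t "$i" -F; ret=$((ret + $?))
        # Delete firewall chains.
        $IP6TABLES -t "$i" -X; ret=$((ret + $?))
        # Set counter to zero.
        $IP6TABLES -t "$i" -Z; ret=$((ret + $?))
    done
    if [ $ret -eq 0 ]; then success; else failure; fi
    echo
    return $ret
}

#######################################
# Set the built-in chains of every loaded table to one policy.
# Globals:   PROC_IP6TABLES_NAMES, IP6TABLES (read)
# Arguments: $1 - policy name, e.g. ACCEPT or DROP
# Returns:   1 if the ip6tables module is not loaded or has no tables,
#            otherwise the number of tables whose policy could not be set
#            (a table this script does not know counts as a failure)
#######################################
set_policy() {
    local policy=$1
    local tables i ret=0

    # Check if ip6table module is loaded.
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 1

    # Check if firewall is configured (has tables).
    tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"Setting chains to policy $policy: "
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            raw)
                $IP6TABLES -t raw -P PREROUTING "$policy" \
                    && $IP6TABLES -t raw -P OUTPUT "$policy" \
                    || ret=$((ret + 1))
                ;;
            filter)
                $IP6TABLES -t filter -P INPUT "$policy" \
                    && $IP6TABLES -t filter -P OUTPUT "$policy" \
                    && $IP6TABLES -t filter -P FORWARD "$policy" \
                    || ret=$((ret + 1))
                ;;
            nat)
                $IP6TABLES -t nat -P PREROUTING "$policy" \
                    && $IP6TABLES -t nat -P POSTROUTING "$policy" \
                    && $IP6TABLES -t nat -P OUTPUT "$policy" \
                    || ret=$((ret + 1))
                ;;
            mangle)
                $IP6TABLES -t mangle -P PREROUTING "$policy" \
                    && $IP6TABLES -t mangle -P POSTROUTING "$policy" \
                    && $IP6TABLES -t mangle -P INPUT "$policy" \
                    && $IP6TABLES -t mangle -P OUTPUT "$policy" \
                    && $IP6TABLES -t mangle -P FORWARD "$policy" \
                    || ret=$((ret + 1))
                ;;
            *)
                # Unknown table: we cannot enumerate its chains, report it.
                ret=$((ret + 1))
                ;;
        esac
    done
    if [ $ret -eq 0 ]; then success; else failure; fi
    echo
    return $ret
}

#######################################
# Apply the saved rule set and load the configured helper modules.
# Globals:   IP6TABLES_DATA, IP6TABLES_SAVE_COUNTER, IP6TABLES_MODULES,
#            VAR_SUBSYS_IP6TABLES (read)
# Returns:   1 (silently) if there is no rule file, 1 if the restore fails,
#            otherwise the number of helper modules that failed to load
#            (0 when none are configured)
#######################################
start() {
    local opt= mod ret=0

    # Do not start if there is no config file.
    [ -f "$IP6TABLES_DATA" ] || return 1

    echo -n $"Applying $IP6TABLES firewall rules: "
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"
    # $opt is deliberately unquoted: empty means "no option".
    if $IP6TABLES-restore $opt "$IP6TABLES_DATA"; then
        success; echo
    else
        failure; echo
        return 1
    fi

    # Load additional modules (helpers).
    if [ -n "$IP6TABLES_MODULES" ]; then
        echo -n $"Loading additional $IP6TABLES modules: "
        for mod in $IP6TABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        if [ $ret -eq 0 ]; then success; else failure; fi
        echo
    fi

    touch "$VAR_SUBSYS_IP6TABLES"
    return $ret
}

#######################################
# Flush all rules, reset every policy to ACCEPT and optionally unload the
# ip6tables kernel modules.
# Globals:   PROC_IP6TABLES_NAMES, IP6TABLES_MODULES_UNLOAD, IPV,
#            VAR_SUBSYS_IP6TABLES (read)
# Returns:   1 if the ip6tables module is not loaded, otherwise the number
#            of module unloads that failed (0 when unloading is disabled;
#            flush/policy failures are reported on screen only)
#######################################
stop() {
    local ret=0

    # Do not stop if ip6tables module is not loaded.
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 1

    flush_n_delete
    set_policy ACCEPT

    if [ "x$IP6TABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"Unloading $IP6TABLES modules: "
        rmmod_r "${IPV}_tables"
        ret=$((ret + $?))
        rmmod_r "${IPV}_conntrack"
        ret=$((ret + $?))
        if [ $ret -eq 0 ]; then success; else failure; fi
        echo
    fi

    rm -f "$VAR_SUBSYS_IP6TABLES"
    return $ret
}

#######################################
# Dump the running rule set to $IP6TABLES_DATA, keeping the previous file
# as $IP6TABLES_DATA.save. The dump is written to a private mktemp file
# first so that a failed or empty dump never clobbers the existing rule
# file; all three files are kept at mode 0600 because the rule set
# reveals the host's filtering policy.
# Globals:   PROC_IP6TABLES_NAMES, IP6TABLES, IP6TABLES_DATA,
#            IP6TABLES_SAVE_COUNTER (read)
# Returns:   1 if the module is not loaded, has no tables, or any step
#            fails; 0 on success
#######################################
save() {
    local tables opt= ret=0 tmp_file= size

    # Check if ip6table module is loaded.
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 1

    # Check if firewall is configured (has tables).
    tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"Saving firewall rules to $IP6TABLES_DATA: "
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

    # Any failure in the chain (including an empty dump) marks the save
    # as failed before the real rule file is touched.
    tmp_file=$(/bin/mktemp -q "/tmp/$IP6TABLES.XXXXXX") \
        && chmod 600 "$tmp_file" \
        && $IP6TABLES-save $opt > "$tmp_file" 2>/dev/null \
        && size=$(stat -c '%s' "$tmp_file") && [ "$size" -gt 0 ] \
        || ret=1

    if [ $ret -eq 0 ]; then
        if [ -e "$IP6TABLES_DATA" ]; then
            cp -f "$IP6TABLES_DATA" "$IP6TABLES_DATA.save" \
                && chmod 600 "$IP6TABLES_DATA.save" \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            cp -f "$tmp_file" "$IP6TABLES_DATA" \
                && chmod 600 "$IP6TABLES_DATA" \
                || ret=1
        fi
    fi
    if [ $ret -eq 0 ]; then success; else failure; fi
    echo
    # Only remove the temporary file if mktemp actually created one.
    [ -n "$tmp_file" ] && rm -f "$tmp_file"
    return $ret
}

#######################################
# Print the rule listing of every loaded table.
# Globals:   PROC_IP6TABLES_NAMES, VAR_SUBSYS_IP6TABLES, IP6TABLES,
#            IP6TABLES_STATUS_NUMERIC, IP6TABLES_STATUS_VERBOSE,
#            IP6TABLES_STATUS_LINENUMBERS (read)
# Outputs:   one listing per table on stdout
# Returns:   1 (with a message) when the firewall is stopped or has no
#            tables, 0 otherwise
#######################################
status() {
    local tables table num= verbose= count=

    tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)

    # Do not print status if lockfile is missing and ip6tables modules are
    # not loaded.
    if [ ! -f "$VAR_SUBSYS_IP6TABLES" ] && [ -z "$tables" ]; then
        echo $"Firewall is stopped."
        return 1
    fi

    # Check if ip6table module is loaded and the firewall is configured
    # (has tables).
    if [ ! -e "$PROC_IP6TABLES_NAMES" ] || [ -z "$tables" ]; then
        echo $"Firewall is not configured. "
        return 1
    fi

    [ "x$IP6TABLES_STATUS_NUMERIC" = "xyes" ] && num="-n"
    [ "x$IP6TABLES_STATUS_VERBOSE" = "xyes" ] && verbose="--verbose"
    [ "x$IP6TABLES_STATUS_LINENUMBERS" = "xyes" ] && count="--line-numbers"

    for table in $tables; do
        echo $"Table: $table"
        # The option variables are deliberately unquoted: empty means
        # "no option".
        $IP6TABLES -t "$table" --list $num $verbose $count && echo
    done
    return 0
}

#######################################
# Optionally save the running rule set, then stop and start the firewall.
# Returns:   the status of start()
#######################################
restart() {
    [ "x$IP6TABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

# Default to success so actions that legitimately do nothing (condrestart
# on a stopped service) do not exit with a stray status.
RETVAL=0
case "$1" in
    start)
        stop
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IP6TABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart)
        restart
        RETVAL=$?
        ;;
    condrestart)
        # Only restart when the service is running (lock file present);
        # a stopped service is not an error.
        if [ -e "$VAR_SUBSYS_IP6TABLES" ]; then
            restart
            RETVAL=$?
        fi
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Emergency lock-down: drop everything until the firewall is restarted.
        flush_n_delete
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
        exit 1
        ;;
esac
exit $RETVAL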