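#!/bin/sh
#
# ip6tables	Start ip6tables firewall
#
# chkconfig: 2345 08 92
# description:	Starts, stops and saves ip6tables firewall
#
# config: /etc/sysconfig/ip6tables
# config: /etc/sysconfig/ip6tables-config
#
### BEGIN INIT INFO
# Provides: ip6tables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop ip6tables firewall
# Description: Start, stop and save ip6tables firewall
### END INIT INFO

# NOTE: despite the /bin/sh shebang this script uses bash features (arrays,
# local, $"..." strings, EUID); it is written for systems where /bin/sh is
# bash.

# Source function library (provides success/failure/warning).
. /etc/init.d/functions

IP6TABLES=ip6tables
IP6TABLES_DATA=/etc/sysconfig/$IP6TABLES
IP6TABLES_FALLBACK_DATA=${IP6TABLES_DATA}.fallback
IP6TABLES_CONFIG=/etc/sysconfig/${IP6TABLES}-config
IPV=${IP6TABLES%tables} # ip for ipv4 | ip6 for ipv6
if [ "$IPV" = "ip" ]; then
    _IPV="ipv4"
else
    _IPV="ipv6"
fi
PROC_IP6TABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IP6TABLES=/var/lock/subsys/$IP6TABLES

# Only usable for root.
# EUID is a bash variable; fall back to id(1) and quote the operand so the
# check fails closed. An unquoted, unset EUID would make test(1) error out
# and the script would carry on as a non-root user.
if [ "${EUID:-$(id -u)}" != 0 ]; then
    echo -n $"${IP6TABLES}: Only usable by root."; warning; echo
    exit 4
fi

if [ ! -x "/sbin/$IP6TABLES" ]; then
    echo -n $"${IP6TABLES}: /sbin/$IP6TABLES does not exist."; warning; echo
    exit 5
fi

# Old or new modutils (module-init-tools changes the lsmod output format,
# see rmmod_r).
if /sbin/modprobe --version 2>&1 | grep -q module-init-tools; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi

# Default firewall configuration; any of these may be overridden by
# $IP6TABLES_CONFIG below.
IP6TABLES_MODULES=""
IP6TABLES_MODULES_UNLOAD="yes"
IP6TABLES_SAVE_ON_STOP="no"
IP6TABLES_SAVE_ON_RESTART="no"
IP6TABLES_SAVE_COUNTER="no"
IP6TABLES_STATUS_NUMERIC="yes"
IP6TABLES_STATUS_VERBOSE="no"
IP6TABLES_STATUS_LINENUMBERS="yes"
IP6TABLES_SYSCTL_LOAD_LIST=""

# Load firewall configuration.
[ -f "$IP6TABLES_CONFIG" ] && . "$IP6TABLES_CONFIG"

# Netfilter modules: the loaded ${IPV}table_* modules plus the core
# ${IPV}_tables module.
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6

# Get active tables (empty when the module is not loaded).
NF_TABLES=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)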
 
 
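rmmod_r() {
    # Unload module $1 together with every module that references it.
    # Referring modules are unloaded first (recursively), then the module
    # itself. Names of modules that could not be unloaded are echoed to
    # stdout; the return value is the number of failed unloads.
    local mod=$1
    local ret=0
    local ref=
    local res=0
    local i

    # Get referring modules: 4th lsmod column with module-init-tools, the
    # bracketed list with old modutils. Match the module name as a whole
    # field so that e.g. "nf_nat" does not also pick up "nf_nat_ipv6".
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk -v m="$mod" '$1 == m { print $4 }' | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod} " | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi

    # Recursive call for all referring modules.
    for i in $ref; do
        rmmod_r "$i"
        ret=$((ret + $?))
    done

    # Unload the module itself. The extra test is for 2.6: the module might
    # have been autocleaned once all referring modules were unloaded.
    # /proc/modules is space separated, so "^name " is an exact-name match.
    if grep -q "^${mod} " /proc/modules; then
        modprobe -r "$mod" > /dev/null 2>&1
        res=$?
        [ "$res" -eq 0 ] || echo -n " $mod"
        ret=$((ret + res))
    fi

    return "$ret"
}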
 
flush_n_delete() {
    # Flush the rules of every active table, delete its user-defined chains
    # and zero its counters. Returns 0 when the module is not loaded, 1 when
    # no table is configured, otherwise the number of failed ip6tables calls.
    # "ret" is left as a global; stop() returns it when module unloading is
    # disabled.
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 0

    # Nothing to do when no table is configured.
    [ -n "$NF_TABLES" ] || return 1

    echo -n $"${IP6TABLES}: Flushing firewall rules: "
    ret=0
    local table
    for table in $NF_TABLES; do
        # -F flushes the rules, -X deletes the chains, -Z zeroes counters.
        $IP6TABLES -t "$table" -F
        ret=$((ret + $?))
        $IP6TABLES -t "$table" -X
        ret=$((ret + $?))
        $IP6TABLES -t "$table" -Z
        ret=$((ret + $?))
    done

    [ "$ret" -eq 0 ] && success || failure
    echo
    return "$ret"
}
 
set_policy() {
    # Set the default policy ($1) on the built-in chains of every active
    # table. The "security" table is skipped; an unknown table counts as a
    # failure. Returns 0 when the module is not loaded, 1 when no table is
    # configured, otherwise the number of tables whose policy could not be
    # set.
    policy=$1

    # Check if iptable module is loaded.
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 0

    # Check if firewall is configured (has tables).
    tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)
    [ -n "$tables" ] || return 1

    echo -n $"${IP6TABLES}: Setting chains to policy $policy: "
    ret=0
    local table chains chain
    for table in $tables; do
        echo -n "$table "
        # Built-in chains per table. The first chain that fails aborts the
        # table and counts as one failure.
        case "$table" in
            raw)      chains="PREROUTING OUTPUT" ;;
            filter)   chains="INPUT OUTPUT FORWARD" ;;
            nat)      chains="PREROUTING POSTROUTING OUTPUT" ;;
            mangle)   chains="PREROUTING POSTROUTING INPUT OUTPUT FORWARD" ;;
            security) continue ;;  # Ignore the security table
            *)        ret=$((ret + 1)); continue ;;
        esac
        for chain in $chains; do
            if ! $IP6TABLES -t "$table" -P "$chain" "$policy"; then
                ret=$((ret + 1))
                break
            fi
        done
    done

    [ "$ret" -eq 0 ] && success || failure
    echo
    return "$ret"
}
 
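load_sysctl() {
    # Apply the sysctl keys listed in IP6TABLES_SYSCTL_LOAD_LIST from
    # /etc/sysctl.conf and /etc/sysctl.d/*.conf. Returns 0 when the list is
    # empty (instead of whatever an earlier function left in "ret"),
    # otherwise the number of keys that failed to load. "ret" is
    # deliberately global: start() and reload() return it after calling this.
    [ -n "$IP6TABLES_SYSCTL_LOAD_LIST" ] || return 0

    echo -n $"Loading sysctl settings: "
    ret=0
    local item
    for item in $IP6TABLES_SYSCTL_LOAD_LIST; do
        # Matching lines are fed to sysctl on stdin (-p -). grep -F treats
        # the key as a literal string (fgrep is the deprecated spelling).
        grep -F -hs -- "$item" /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
        ret=$((ret + $?))
    done
    [ "$ret" -eq 0 ] && success || failure
    echo
    return "$ret"
}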
 
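start() {
    # Apply the saved rule set (falling back to $IP6TABLES_FALLBACK_DATA),
    # load helper modules and sysctl settings, then create the subsys lock.
    # Returns 6 without a config file, 150 when IPv6 is disabled via
    # modprobe configuration, 1 when neither rule set could be restored,
    # otherwise the global "ret" (module/sysctl load failures).

    # Do not start if there is no config file.
    if [ ! -f "$IP6TABLES_DATA" ]; then
        echo -n $"${IP6TABLES}: No config file."; warning; echo
        return 6
    fi

    # Check if ipv6 module load is deactivated.
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IP6TABLES}: ${_IPV} is disabled."
        return 150
    fi

    # "ret" is global and shared with load_sysctl. Reset it here so a value
    # left behind by save()/stop() during restart is not returned when no
    # additional modules are configured.
    ret=0

    echo -n $"${IP6TABLES}: Applying firewall rules: "

    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    # ${OPT:+"$OPT"} expands to nothing when OPT is empty rather than to an
    # empty argument.
    if "$IP6TABLES-restore" ${OPT:+"$OPT"} "$IP6TABLES_DATA"; then
        success; echo
    else
        failure; echo
        [ -f "$IP6TABLES_FALLBACK_DATA" ] || return 1
        echo -n $"${IP6TABLES}: Applying firewall fallback rules: "
        if "$IP6TABLES-restore" ${OPT:+"$OPT"} "$IP6TABLES_FALLBACK_DATA"; then
            success; echo
        else
            failure; echo
            return 1
        fi
    fi

    # Load additional modules (helpers).
    if [ -n "$IP6TABLES_MODULES" ]; then
        echo -n $"${IP6TABLES}: Loading additional modules: "
        local mod
        for mod in $IP6TABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        [ "$ret" -eq 0 ] && success || failure
        echo
    fi

    # Load sysctl settings (writes the global "ret" when the list is set).
    load_sysctl

    touch "$VAR_SUBSYS_IP6TABLES"
    return "$ret"
}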
 
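stop() {
    # Reset chain policies to ACCEPT, flush rules and delete chains,
    # optionally unload the netfilter modules, and remove the subsys lock.
    # Returns 0 when the module is not loaded, otherwise the global "ret".

    # Do not stop if ip6tables module is not loaded.
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 0

    # "ret" is global and also written by flush_n_delete. Reset it so a value
    # left by save() (stop/restart with SAVE_ON_STOP/SAVE_ON_RESTART) cannot
    # leak into the return code when flush_n_delete returns early.
    ret=0

    # Set default chain policy to ACCEPT, in order to not break shutdown
    # on systems where the default policy is DROP and root device is
    # network-based (i.e.: iSCSI, NFS)
    set_policy ACCEPT
    # And then, flush the rules and delete chains.
    flush_n_delete

    if [ "x$IP6TABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IP6TABLES}: Unloading modules: "
        ret=0
        local mod
        for mod in "${NF_MODULES[@]}"; do
            rmmod_r "$mod"
            ret=$((ret + $?))
        done
        # Try to unload the remaining netfilter modules shared by the IPv4
        # and IPv6 stacks. Their output is discarded and failures are
        # intentionally not counted.
        for mod in "${NF_MODULES_COMMON[@]}"; do
            rmmod_r "$mod" >/dev/null
        done
        [ "$ret" -eq 0 ] && success || failure
        echo
    fi

    rm -f "$VAR_SUBSYS_IP6TABLES"
    return "$ret"
}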
 
save() {
    # Dump the current rule set into $IP6TABLES_DATA (mode 0600), keeping the
    # previous file as $IP6TABLES_DATA.save. Returns 0 when the module is not
    # loaded, 6 when no table is configured, otherwise 0 on success and 1 on
    # failure.
    if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then
        echo -n $"${IP6TABLES}: Nothing to save."; warning; echo
        return 0
    fi

    if [ -z "$NF_TABLES" ]; then
        echo -n $"${IP6TABLES}: Nothing to save."; warning; echo
        return 6
    fi

    echo -n $"${IP6TABLES}: Saving firewall rules to $IP6TABLES_DATA: "

    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    ret=0
    # Write into a mktemp'd sibling of the target first so a failed or empty
    # dump never replaces the existing rules; a zero-size dump is a failure.
    TMP_FILE=$(/bin/mktemp -q "$IP6TABLES_DATA.XXXXXX") \
        && chmod 600 "$TMP_FILE" \
        && "$IP6TABLES-save" ${OPT:+"$OPT"} > "$TMP_FILE" 2>/dev/null \
        && size=$(stat -c '%s' "$TMP_FILE") && [ "$size" -gt 0 ] \
        || ret=1

    if [ "$ret" -eq 0 ] && [ -e "$IP6TABLES_DATA" ]; then
        # Keep a backup of the previous rule set with the same permissions
        # and restored SELinux context.
        cp -f "$IP6TABLES_DATA" "$IP6TABLES_DATA.save" \
            && chmod 600 "$IP6TABLES_DATA.save" \
            && restorecon "$IP6TABLES_DATA.save" \
            || ret=1
    fi
    if [ "$ret" -eq 0 ]; then
        mv -f "$TMP_FILE" "$IP6TABLES_DATA" \
            && chmod 600 "$IP6TABLES_DATA" \
            && restorecon "$IP6TABLES_DATA" \
            || ret=1
    fi
    # TMP_FILE is empty when mktemp failed; nothing to clean up then.
    [ -n "$TMP_FILE" ] && rm -f "$TMP_FILE"
    [ "$ret" -eq 0 ] && success || failure
    echo
    return "$ret"
}
 
status() {
    # List the rules of every active table. Returns 3 when the firewall is
    # not running, its modules are not loaded or no table is configured,
    # otherwise 0.
    if [ ! -f "$VAR_SUBSYS_IP6TABLES" ] && [ -z "$NF_TABLES" ]; then
        echo $"${IP6TABLES}: Firewall is not running."
        return 3
    fi

    # Reached with the lock file present: report modules not loaded.
    if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then
        echo $"${IP6TABLES}: Firewall modules are not loaded."
        return 3
    fi

    # Modules loaded, but no table configured.
    if [ -z "$NF_TABLES" ]; then
        echo $"${IP6TABLES}: Firewall is not configured. "
        return 3
    fi

    # Listing options, driven by the *-config file.
    NUM=
    VERBOSE=
    COUNT=
    [ "x$IP6TABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
    [ "x$IP6TABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
    [ "x$IP6TABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"

    local table
    for table in $NF_TABLES; do
        echo $"Table: $table"
        # The option variables stay unquoted on purpose: empty ones must
        # disappear from the command line.
        $IP6TABLES -t "$table" --list $NUM $VERBOSE $COUNT && echo
    done

    return 0
}
 
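reload() {
    # Re-apply the saved rule set, then load helper modules and sysctl
    # settings. Returns 6 without a config file, 150 when IPv6 is disabled
    # via modprobe configuration, 1 when the restore failed (rules left
    # unchanged), otherwise the global "ret" (module/sysctl load failures).

    # Do not reload if there is no config file.
    if [ ! -f "$IP6TABLES_DATA" ]; then
        echo -n $"${IP6TABLES}: No config file."; warning; echo
        return 6
    fi

    # Check if ipv6 module load is deactivated.
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IP6TABLES}: ${_IPV} is disabled."
        return 150
    fi

    # "ret" is global and shared with load_sysctl. Reset it so the return
    # code cannot carry a stale value from an earlier function when no
    # additional modules are listed.
    ret=0

    echo -n $"${IP6TABLES}: Trying to reload firewall rules: "

    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    # ${OPT:+"$OPT"} expands to nothing when OPT is empty rather than to an
    # empty argument.
    if "$IP6TABLES-restore" ${OPT:+"$OPT"} "$IP6TABLES_DATA"; then
        success; echo
    else
        failure; echo
        echo "Firewall rules are not changed."
        return 1
    fi

    # Load additional modules (helpers).
    if [ -n "$IP6TABLES_MODULES" ]; then
        echo -n $"${IP6TABLES}: Loading additional modules: "
        local mod
        for mod in $IP6TABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        [ "$ret" -eq 0 ] && success || failure
        echo
    fi

    # Load sysctl settings (writes the global "ret" when the list is set).
    load_sysctl

    return "$ret"
}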
 
restart() {
    # Optionally save the running rules, then stop and start again. The
    # return value is that of start().
    if [ "x$IP6TABLES_SAVE_ON_RESTART" = "xyes" ]; then
        save
    fi
    stop
    start
}
 
 
# Dispatch on the init action; RETVAL becomes the script's exit status.
case "$1" in
    start)
        # Lock file present: already running, nothing to do.
        [ -f "$VAR_SUBSYS_IP6TABLES" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        if [ "x$IP6TABLES_SAVE_ON_STOP" = "xyes" ]; then
            save
        fi
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        # Only reload a running firewall; without the lock file RETVAL is
        # the status of the test itself.
        [ -e "$VAR_SUBSYS_IP6TABLES" ] && reload
        RETVAL=$?
        ;;
    condrestart|try-restart)
        [ -e "$VAR_SUBSYS_IP6TABLES" ] || exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Set the chain policies of all active tables to DROP.
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IP6TABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL