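#!/bin/sh
#
# ip6tables	Start ip6tables firewall
#
# chkconfig: 2345 08 92
# description:	Starts, stops and saves ip6tables firewall
#
# config: /etc/sysconfig/ip6tables
# config: /etc/sysconfig/ip6tables-config
#
### BEGIN INIT INFO
# Provides: ip6tables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop ip6tables firewall
# Description: Start, stop and save ip6tables firewall
### END INIT INFO

# Source function library (provides success, failure and warning).
. /etc/init.d/functions

# Tool name; every path below is derived from it so the same script body
# can serve iptables (ipv4) and ip6tables (ipv6).
IP6TABLES=ip6tables
IP6TABLES_DATA=/etc/sysconfig/$IP6TABLES                # saved ruleset
IP6TABLES_FALLBACK_DATA=${IP6TABLES_DATA}.fallback      # used when the ruleset fails to load
IP6TABLES_CONFIG=/etc/sysconfig/${IP6TABLES}-config     # service options, sourced below
IPV=${IP6TABLES%tables} # ip for ipv4 | ip6 for ipv6
if [ "$IPV" = "ip" ]; then
    _IPV="ipv4"
else
    _IPV="ipv6"
fi
PROC_IP6TABLES_NAMES=/proc/net/${IPV}_tables_names      # active tables, one per line
VAR_SUBSYS_IP6TABLES=/var/lock/subsys/$IP6TABLES        # lock file: service is started

# only usable for root
# EUID is quoted so the test stays well-formed when the variable is unset.
if [ "$EUID" != 0 ]; then
    echo -n $"${IP6TABLES}: Only usable by root."; warning; echo
    exit 4
fi

if [ ! -x /sbin/$IP6TABLES ]; then
    echo -n $"${IP6TABLES}: /sbin/$IP6TABLES does not exist."; warning; echo
    exit 5
fi

# Old or new modutils (module-init-tools prints a different lsmod format,
# which rmmod_r has to parse)
if /sbin/modprobe --version 2>&1 | grep -q module-init-tools; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi

# Default firewall configuration; each value may be overridden by
# $IP6TABLES_CONFIG.
IP6TABLES_MODULES=""
IP6TABLES_MODULES_UNLOAD="yes"
IP6TABLES_SAVE_ON_STOP="no"
IP6TABLES_SAVE_ON_RESTART="no"
IP6TABLES_SAVE_COUNTER="no"
IP6TABLES_STATUS_NUMERIC="yes"
IP6TABLES_STATUS_VERBOSE="no"
IP6TABLES_STATUS_LINENUMBERS="yes"
IP6TABLES_SYSCTL_LOAD_LIST=""

# Load firewall configuration.  The file is executed as shell code with root
# privileges, so it must be writable by root only.
[ -f "$IP6TABLES_CONFIG" ] && . "$IP6TABLES_CONFIG"

# Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6

# Get active tables
NF_TABLES=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)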
 
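rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
    #
    # Arguments: $1 - module name
    # Globals:   NEW_MODUTILS (read)
    # Outputs:   the name of every module that could not be unloaded, on stdout
    # Returns:   sum of the failed modprobe -r exit statuses (0 on success)
    local mod=$1
    local ret=0
    local ref=
    local res=0
    # Local loop variable: the function recurses and must not clobber the
    # caller's iteration variable.
    local i

    # Get referring modules.
    # New modutils have another output format.
    # The name is anchored on trailing whitespace so that e.g. "nf_nat" does
    # not also match the "nf_nat_ftp" line.
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk "/^${mod}[[:space:]]/ { print \$4; }" | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod}[[:space:]]" | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi

    # recursive call for all referring modules
    for i in $ref; do
        rmmod_r "$i"
        ret=$((ret + $?))
    done

    # Unload module.
    # The extra test is for 2.6: The module might have autocleaned,
    # after all referring modules are unloaded.
    if grep -q "^${mod}[[:space:]]" /proc/modules ; then
        modprobe -r "$mod" > /dev/null 2>&1
        res=$?
        [ "$res" -eq 0 ] || echo -n " $mod"
        ret=$((ret + res))
    fi

    return "$ret"
}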
 
flush_n_delete() {
    # Flush the rules, delete the user chains and zero the counters of every
    # active table.
    #
    # Globals:  PROC_IP6TABLES_NAMES, NF_TABLES, IP6TABLES (read)
    #           ret (written; deliberately not local, stop() reads it)
    # Returns:  0 when the firewall modules are not loaded, 1 when no table
    #           is active, otherwise the accumulated ip6tables exit statuses
    local table

    # Nothing to flush when the kernel does not export the table list.
    if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then
        return 0
    fi

    # Check if firewall is configured (has tables)
    if [ -z "$NF_TABLES" ]; then
        return 1
    fi

    echo -n $"${IP6TABLES}: Flushing firewall rules: "
    ret=0
    for table in $NF_TABLES; do
        # Flush rules (-F), delete chains (-X), zero counters (-Z); every
        # non-zero exit status is added to ret.
        $IP6TABLES -t "$table" -F
        ret=$((ret + $?))
        $IP6TABLES -t "$table" -X
        ret=$((ret + $?))
        $IP6TABLES -t "$table" -Z
        ret=$((ret + $?))
    done

    if [ "$ret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    return "$ret"
}
131
 
132
set_policy() {
    # Set the default policy of every built-in chain of each active table.
    #
    # Arguments: $1 - policy to apply (e.g. ACCEPT or DROP)
    # Globals:   PROC_IP6TABLES_NAMES, IP6TABLES (read)
    #            ret (written; deliberately not local, stop() reads it)
    # Returns:   0 when the firewall modules are not loaded, 1 when no table
    #            is active, otherwise the number of tables that failed
    local policy=$1
    local tables table chain chains

    # Check if iptable module is loaded
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 0

    # Check if firewall is configured (has tables)
    tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)
    [ -n "$tables" ] || return 1

    echo -n $"${IP6TABLES}: Setting chains to policy $policy: "
    ret=0
    for table in $tables; do
        echo -n "$table "
        # Built-in chains per table; an unknown table counts as a failure.
        case "$table" in
            raw)    chains="PREROUTING OUTPUT" ;;
            filter) chains="INPUT OUTPUT FORWARD" ;;
            nat)    chains="PREROUTING POSTROUTING OUTPUT" ;;
            mangle) chains="PREROUTING POSTROUTING INPUT OUTPUT FORWARD" ;;
            *)      ret=$((ret + 1)); continue ;;
        esac
        # A table counts once: stop at the first chain that cannot be set.
        for chain in $chains; do
            if ! $IP6TABLES -t "$table" -P "$chain" "$policy"; then
                ret=$((ret + 1))
                break
            fi
        done
    done

    if [ "$ret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    return "$ret"
}
183
 
184
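load_sysctl() {
    # Apply the sysctl settings named in IP6TABLES_SYSCTL_LOAD_LIST: each
    # entry is looked up in /etc/sysctl.conf and the matching lines are fed
    # to sysctl -p.
    #
    # Globals:  IP6TABLES_SYSCTL_LOAD_LIST (read)
    # Returns:  0 when the list is empty or every entry was applied,
    #           otherwise the accumulated exit statuses of the failed entries
    local item
    # Local and initialised unconditionally: the previous version returned
    # whatever the caller had left in the global ret when the list was empty.
    local ret=0

    if [ -n "$IP6TABLES_SYSCTL_LOAD_LIST" ]; then
        echo -n $"Loading sysctl settings: "
        for item in $IP6TABLES_SYSCTL_LOAD_LIST; do
            # -F: the entry is a literal key, not a regex;
            # --: an entry starting with '-' is not an option.
            grep -F -- "$item" /etc/sysctl.conf | sysctl -p - >/dev/null
            ret=$((ret + $?))
        done
        [ "$ret" -eq 0 ] && success || failure
        echo
    fi
    return "$ret"
}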
198
 
199
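start() {
    # Restore the saved ruleset (falling back to $IP6TABLES_FALLBACK_DATA),
    # then load the additional modules and sysctl settings from the service
    # configuration and create the lock file.
    #
    # Globals:  IP6TABLES_DATA, IP6TABLES_FALLBACK_DATA, IP6TABLES_MODULES,
    #           IP6TABLES_SAVE_COUNTER, VAR_SUBSYS_IP6TABLES (read)
    #           ret (written; not local, kept global like the other actions)
    # Returns:  6 when there is no ruleset, 150 when ipv6 is disabled via
    #           modprobe, 1 when neither ruleset could be restored, otherwise
    #           the accumulated failures of the optional steps
    local mod OPT

    # Do not start if there is no config file.
    if [ ! -f "$IP6TABLES_DATA" ]; then
        echo -n $"${IP6TABLES}: No config file."; warning; echo
        return 6
    fi

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IP6TABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IP6TABLES}: Applying firewall rules: "

    # -c also restores the packet/byte counters.  OPT is expanded unquoted on
    # purpose: when empty it must disappear rather than become "".
    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    if $IP6TABLES-restore $OPT "$IP6TABLES_DATA"; then
        success; echo
    else
        failure; echo
        # A broken ruleset must not leave the host without a policy; try the
        # fallback ruleset before giving up.
        [ -f "$IP6TABLES_FALLBACK_DATA" ] || return 1
        echo -n $"${IP6TABLES}: Applying firewall fallback rules: "
        if $IP6TABLES-restore $OPT "$IP6TABLES_FALLBACK_DATA"; then
            success; echo
        else
            failure; echo
            return 1
        fi
    fi

    # Load additional modules (helpers).
    # ret is initialised here so the return value below is defined even when
    # no additional module is configured.
    ret=0
    if [ -n "$IP6TABLES_MODULES" ]; then
        echo -n $"${IP6TABLES}: Loading additional modules: "
        for mod in $IP6TABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        [ "$ret" -eq 0 ] && success || failure
        echo
    fi

    # Load sysctl settings
    load_sysctl

    touch "$VAR_SUBSYS_IP6TABLES"
    return "$ret"
}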
 
stop() {
    # Open the firewall (policy ACCEPT), flush it, optionally unload the
    # netfilter modules, and remove the lock file.
    #
    # Globals:  PROC_IP6TABLES_NAMES, IP6TABLES_MODULES_UNLOAD, NF_MODULES,
    #           NF_MODULES_COMMON, VAR_SUBSYS_IP6TABLES (read)
    #           ret (read/written; the script-wide accumulator)
    # Returns:  0 when the firewall modules are not loaded; the number of
    #           failed module unloads when unloading is enabled; otherwise
    #           whatever set_policy/flush_n_delete left in ret
    local mod

    # Do not stop if ip6tables module is not loaded.
    [ -e "$PROC_IP6TABLES_NAMES" ] || return 0

    # Set default chain policy to ACCEPT, in order to not break shutdown
    # on systems where the default policy is DROP and root device is
    # network-based (i.e.: iSCSI, NFS)
    set_policy ACCEPT
    # And then, flush the rules and delete chains
    flush_n_delete

    if [ "x$IP6TABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IP6TABLES}: Unloading modules: "
        ret=0
        for mod in "${NF_MODULES[@]}"; do
            rmmod_r "$mod"
            ret=$((ret + $?))
        done
        # try to unload remaining netfilter modules used by ipv4 and ipv6
        # netfilter; these are shared with the other protocol, so their
        # failures are neither shown nor counted
        for mod in "${NF_MODULES_COMMON[@]}"; do
            rmmod_r "$mod" >/dev/null
        done
        if [ "$ret" -eq 0 ]; then
            success
        else
            failure
        fi
        echo
    fi

    rm -f "$VAR_SUBSYS_IP6TABLES"
    # Unquoted: ret may be unset when unloading is disabled.
    return $ret
}
286
 
287
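save() {
    # Write the active ruleset to $IP6TABLES_DATA, keeping the previous
    # ruleset as $IP6TABLES_DATA.save.
    #
    # Globals:  PROC_IP6TABLES_NAMES, NF_TABLES, IP6TABLES, IP6TABLES_DATA,
    #           IP6TABLES_SAVE_COUNTER (read)
    #           ret (written; not local, kept global like the other actions)
    # Returns:  0 when there is nothing to save or the save succeeded, 6 when
    #           no table is active, 1 on any failure
    local size OPT
    local TMP_FILE=

    # Check if iptable module is loaded
    if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then
        echo -n $"${IP6TABLES}: Nothing to save."; warning; echo
        return 0
    fi

    # Check if firewall is configured (has tables)
    if [ -z "$NF_TABLES" ]; then
        echo -n $"${IP6TABLES}: Nothing to save."; warning; echo
        return 6
    fi

    echo -n $"${IP6TABLES}: Saving firewall rules to $IP6TABLES_DATA: "

    # -c also saves the packet/byte counters.  OPT is expanded unquoted on
    # purpose: when empty it must disappear rather than become "".
    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    ret=0
    # The temporary file is created next to the target (not in /tmp), so the
    # final mv is a rename on the same filesystem, and it is made root-only
    # before any rule is written to it.  An empty dump counts as a failure so
    # that a broken save never replaces a good ruleset.
    TMP_FILE=$(/bin/mktemp -q "$IP6TABLES_DATA.XXXXXX") \
        && chmod 600 "$TMP_FILE" \
        && $IP6TABLES-save $OPT > "$TMP_FILE" 2>/dev/null \
        && size=$(stat -c '%s' "$TMP_FILE") && [ "$size" -gt 0 ] \
        || ret=1
    if [ "$ret" -eq 0 ]; then
        # Keep the previous ruleset as a backup with the same permissions and
        # SELinux label as the live file.
        if [ -e "$IP6TABLES_DATA" ]; then
            cp -f "$IP6TABLES_DATA" "$IP6TABLES_DATA.save" \
                && chmod 600 "$IP6TABLES_DATA.save" \
                && restorecon "$IP6TABLES_DATA.save" \
                || ret=1
        fi
        if [ "$ret" -eq 0 ]; then
            mv -f "$TMP_FILE" "$IP6TABLES_DATA" \
                && chmod 600 "$IP6TABLES_DATA" \
                && restorecon "$IP6TABLES_DATA" \
                || ret=1
        fi
    fi
    # Remove the temporary file if it was created and not renamed away.
    [ -n "$TMP_FILE" ] && rm -f -- "$TMP_FILE"
    [ "$ret" -eq 0 ] && success || failure
    echo
    return "$ret"
}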
330
 
331
status() {
    # Print the rules of every active table.
    #
    # Globals:  VAR_SUBSYS_IP6TABLES, NF_TABLES, PROC_IP6TABLES_NAMES,
    #           IP6TABLES, IP6TABLES_STATUS_NUMERIC, IP6TABLES_STATUS_VERBOSE,
    #           IP6TABLES_STATUS_LINENUMBERS (read)
    # Returns:  3 when the firewall is not running, its modules are not
    #           loaded or no table is active, otherwise 0
    local table NUM VERBOSE COUNT

    if [ ! -f "$VAR_SUBSYS_IP6TABLES" ] && [ -z "$NF_TABLES" ]; then
        echo $"${IP6TABLES}: Firewall is not running."
        return 3
    fi

    # Do not print status if lockfile is missing and ip6tables modules are not
    # loaded.
    # Check if iptable modules are loaded
    if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then
        echo $"${IP6TABLES}: Firewall modules are not loaded."
        return 3
    fi

    # Check if firewall is configured (has tables)
    if [ -z "$NF_TABLES" ]; then
        echo $"${IP6TABLES}: Firewall is not configured. "
        return 3
    fi

    # Listing options from the service configuration.  Each is either empty
    # or a single flag, so they are expanded unquoted on purpose below.
    NUM=
    if [ "x$IP6TABLES_STATUS_NUMERIC" = "xyes" ]; then
        NUM="-n"
    fi
    VERBOSE=
    if [ "x$IP6TABLES_STATUS_VERBOSE" = "xyes" ]; then
        VERBOSE="--verbose"
    fi
    COUNT=
    if [ "x$IP6TABLES_STATUS_LINENUMBERS" = "xyes" ]; then
        COUNT="--line-numbers"
    fi

    for table in $NF_TABLES; do
        echo $"Table: $table"
        # A blank line separates the tables, but only after a successful list.
        $IP6TABLES -t "$table" --list $NUM $VERBOSE $COUNT && echo
    done

    return 0
}
365
 
366
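reload() {
    # Re-apply the saved ruleset without flushing first; on failure the
    # running rules are left untouched.  Then load the additional modules
    # and sysctl settings from the service configuration.
    #
    # Globals:  IP6TABLES_DATA, IP6TABLES_MODULES, IP6TABLES_SAVE_COUNTER (read)
    #           ret (written; not local, kept global like the other actions)
    # Returns:  6 when there is no ruleset, 150 when ipv6 is disabled via
    #           modprobe, 1 when the ruleset could not be restored, otherwise
    #           the accumulated failures of the optional steps
    local mod OPT

    # Do not reload if there is no config file.
    if [ ! -f "$IP6TABLES_DATA" ]; then
        echo -n $"${IP6TABLES}: No config file."; warning; echo
        return 6
    fi

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IP6TABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IP6TABLES}: Trying to reload firewall rules: "

    # -c also restores the packet/byte counters.  OPT is expanded unquoted on
    # purpose: when empty it must disappear rather than become "".
    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    if $IP6TABLES-restore $OPT "$IP6TABLES_DATA"; then
        success; echo
    else
        failure; echo; echo "Firewall rules are not changed."; return 1
    fi

    # Load additional modules (helpers).
    # ret is initialised here so the return value below is defined even when
    # no additional module is configured.
    ret=0
    if [ -n "$IP6TABLES_MODULES" ]; then
        echo -n $"${IP6TABLES}: Loading additional modules: "
        for mod in $IP6TABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        [ "$ret" -eq 0 ] && success || failure
        echo
    fi

    # Load sysctl settings
    load_sysctl

    return "$ret"
}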
410
 
411
restart() {
    # Save the ruleset if configured, then stop and start.
    # The exit status is that of start.
    if [ "x$IP6TABLES_SAVE_ON_RESTART" = "xyes" ]; then
        save
    fi
    stop
    start
}
 
# Dispatch on the requested action; RETVAL becomes the script's exit status.
action=$1
RETVAL=0
case "$action" in
    start)
        # Already started (lock file present) is not an error.
        [ -f "$VAR_SUBSYS_IP6TABLES" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        if [ "x$IP6TABLES_SAVE_ON_STOP" = "xyes" ]; then
            save
        fi
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        # NOTE: when the lock file is missing, reload is skipped and RETVAL is
        # the status of the test itself (1).
        [ -e "$VAR_SUBSYS_IP6TABLES" ] && reload
        RETVAL=$?
        ;;
    condrestart|try-restart)
        # Only restart a service that is currently running.
        [ -e "$VAR_SUBSYS_IP6TABLES" ] || exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Emergency: set every built-in chain to DROP.
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IP6TABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit "$RETVAL"