Subversion Repositories configs

Rev

Rev 33 | Blame | Compare with Previous | Last modification | View Log | RSS feed 

#!/bin/sh
#
# ip6tables     Start ip6tables firewall
#
# chkconfig: 2345 08 92
# description:  Starts, stops and saves ip6tables firewall
#
# config: /etc/sysconfig/ip6tables
# config: /etc/sysconfig/ip6tables-config
#
### BEGIN INIT INFO
# Provides: ip6tables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop ip6tables firewall
# Description: Start, stop and save ip6tables firewall
### END INIT INFO

# Source function library.
. /etc/init.d/functions

IP6TABLES=ip6tables
IP6TABLES_DATA=/etc/sysconfig/$IP6TABLES
IP6TABLES_FALLBACK_DATA=${IP6TABLES_DATA}.fallback
IP6TABLES_CONFIG=/etc/sysconfig/${IP6TABLES}-config
IPV=${IP6TABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IP6TABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IP6TABLES=/var/lock/subsys/$IP6TABLES

# only usable for root
if [ $EUID != 0 ]; then
    echo -n $"${IP6TABLES}: Only usable by root."; warning; echo
    exit 4
fi

if [ ! -x /sbin/$IP6TABLES ]; then
    echo -n $"${IP6TABLES}: /sbin/$IP6TABLES does not exist."; warning; echo
    exit 5
fi

# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
    && NEW_MODUTILS=1 \
    || NEW_MODUTILS=0

# Default firewall configuration:
IP6TABLES_MODULES=""
IP6TABLES_MODULES_UNLOAD="yes"
IP6TABLES_SAVE_ON_STOP="no"
IP6TABLES_SAVE_ON_RESTART="no"
IP6TABLES_SAVE_COUNTER="no"
IP6TABLES_STATUS_NUMERIC="yes"
IP6TABLES_STATUS_VERBOSE="no"
IP6TABLES_STATUS_LINENUMBERS="yes"
IP6TABLES_SYSCTL_LOAD_LIST=""

# Load firewall configuration.
[ -f "$IP6TABLES_CONFIG" ] && . "$IP6TABLES_CONFIG"

# Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6

# Get active tables
NF_TABLES=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)


rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
    local mod=$1
    local ret=0
    local ref=

    # Get referring modules.
    # New modutils have another output format.
    [ $NEW_MODUTILS = 1 ] \
        && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
        || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)

    # recursive call for all referring modules
    for i in $ref; do
        rmmod_r $i
        let ret+=$?;
    done

    # Unload module.
    # The extra test is for 2.6: The module might have autocleaned,
    # after all referring modules are unloaded.
    if grep -q "^${mod}" /proc/modules ; then
        modprobe -r $mod > /dev/null 2>&1
        res=$?
        [ $res -eq 0 ] || echo -n " $mod"
        let ret+=$res;
    fi

    return $ret
}

flush_n_delete() {
    # Flush firewall rules and delete chains.
    [ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    [ -z "$NF_TABLES" ] && return 1

    echo -n $"${IP6TABLES}: Flushing firewall rules: "
    ret=0
    # For all tables
    for i in $NF_TABLES; do
        # Flush firewall rules.
        $IP6TABLES -t $i -F;
        let ret+=$?;

        # Delete firewall chains.
        $IP6TABLES -t $i -X;
        let ret+=$?;

        # Set counter to zero.
        $IP6TABLES -t $i -Z;
        let ret+=$?;
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

set_policy() {
    # Set policy for configured tables.
    policy=$1

    # Check if iptable module is loaded
    [ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"${IP6TABLES}: Setting chains to policy $policy: "
    ret=0
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            raw)
                $IP6TABLES -t raw -P PREROUTING $policy \
                    && $IP6TABLES -t raw -P OUTPUT $policy \
                    || let ret+=1
                ;;
            filter)
                $IP6TABLES -t filter -P INPUT $policy \
                    && $IP6TABLES -t filter -P OUTPUT $policy \
                    && $IP6TABLES -t filter -P FORWARD $policy \
                    || let ret+=1
                ;;
            nat)
                $IP6TABLES -t nat -P PREROUTING $policy \
                    && $IP6TABLES -t nat -P POSTROUTING $policy \
                    && $IP6TABLES -t nat -P OUTPUT $policy \
                    || let ret+=1
                ;;
            mangle)
                $IP6TABLES -t mangle -P PREROUTING $policy \
                    && $IP6TABLES -t mangle -P POSTROUTING $policy \
                    && $IP6TABLES -t mangle -P INPUT $policy \
                    && $IP6TABLES -t mangle -P OUTPUT $policy \
                    && $IP6TABLES -t mangle -P FORWARD $policy \
                    || let ret+=1
                ;;
            security)
                # Ignore the security table
                ;;
            *)
                let ret+=1
                ;;
        esac
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

load_sysctl() {
    # load matched sysctl values
    if [ -n "$IP6TABLES_SYSCTL_LOAD_LIST" ]; then
        echo -n $"Loading sysctl settings: "
        ret=0
        for item in $IP6TABLES_SYSCTL_LOAD_LIST; do
            fgrep -hs $item /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi
    return $ret
}

start() {
    # Do not start if there is no config file.
    if [ ! -f "$IP6TABLES_DATA" ]; then
        echo -n $"${IP6TABLES}: No config file."; warning; echo
        return 6
    fi

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IP6TABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IP6TABLES}: Applying firewall rules: "

    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    $IP6TABLES-restore $OPT $IP6TABLES_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo;
        if [ -f "$IP6TABLES_FALLBACK_DATA" ]; then
            echo -n $"${IP6TABLES}: Applying firewall fallback rules: "
            $IP6TABLES-restore $OPT $IP6TABLES_FALLBACK_DATA
            if [ $? -eq 0 ]; then
                success; echo
            else
                failure; echo; return 1
            fi
        else
            return 1
        fi
    fi
    
    # Load additional modules (helpers)
    if [ -n "$IP6TABLES_MODULES" ]; then
        echo -n $"${IP6TABLES}: Loading additional modules: "
        ret=0
        for mod in $IP6TABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi
    
    # Load sysctl settings
    load_sysctl

    touch $VAR_SUBSYS_IP6TABLES
    return $ret
}

stop() {
    # Do not stop if ip6tables module is not loaded.
    [ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0

    # Set default chain policy to ACCEPT, in order to not break shutdown
    # on systems where the default policy is DROP and root device is
    # network-based (i.e.: iSCSI, NFS)
    set_policy ACCEPT
    # And then, flush the rules and delete chains
    flush_n_delete
    
    if [ "x$IP6TABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IP6TABLES}: Unloading modules: "
        ret=0
        for mod in ${NF_MODULES[*]}; do
            rmmod_r $mod
            let ret+=$?;
        done
        # try to unload remaining netfilter modules used by ipv4 and ipv6 
        # netfilter
        for mod in ${NF_MODULES_COMMON[*]}; do
            rmmod_r $mod >/dev/null
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi
    
    rm -f $VAR_SUBSYS_IP6TABLES
    return $ret
}

save() {
    # Check if iptable module is loaded
    if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then
        echo -n $"${IP6TABLES}: Nothing to save."; warning; echo
        return 0
    fi

    # Check if firewall is configured (has tables)
    if [ -z "$NF_TABLES" ]; then
        echo -n $"${IP6TABLES}: Nothing to save."; warning; echo
        return 6
    fi

    echo -n $"${IP6TABLES}: Saving firewall rules to $IP6TABLES_DATA: "

    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    ret=0
    TMP_FILE=$(/bin/mktemp -q $IP6TABLES_DATA.XXXXXX) \
        && chmod 600 "$TMP_FILE" \
        && $IP6TABLES-save $OPT > $TMP_FILE 2>/dev/null \
        && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
        || ret=1
    if [ $ret -eq 0 ]; then
        if [ -e $IP6TABLES_DATA ]; then
            cp -f $IP6TABLES_DATA $IP6TABLES_DATA.save \
                && chmod 600 $IP6TABLES_DATA.save \
                && restorecon $IP6TABLES_DATA.save \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            mv -f $TMP_FILE $IP6TABLES_DATA \
                && chmod 600 $IP6TABLES_DATA \
                && restorecon $IP6TABLES_DATA \
                || ret=1
        fi
    fi
    rm -f $TMP_FILE
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

status() {
    if [ ! -f "$VAR_SUBSYS_IP6TABLES" -a -z "$NF_TABLES" ]; then
        echo $"${IP6TABLES}: Firewall is not running."
        return 3
    fi

    # Do not print status if lockfile is missing and ip6tables modules are not 
    # loaded.
    # Check if iptable modules are loaded
    if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then
        echo $"${IP6TABLES}: Firewall modules are not loaded."
        return 3
    fi

    # Check if firewall is configured (has tables)
    if [ -z "$NF_TABLES" ]; then
        echo $"${IP6TABLES}: Firewall is not configured. "
        return 3
    fi

    NUM=
    [ "x$IP6TABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
    VERBOSE= 
    [ "x$IP6TABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
    COUNT=
    [ "x$IP6TABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"

    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IP6TABLES -t $table --list $NUM $VERBOSE $COUNT && echo
    done

    return 0
}

reload() {
    # Do not reload if there is no config file.
    if [ ! -f "$IP6TABLES_DATA" ]; then
        echo -n $"${IP6TABLES}: No config file."; warning; echo
        return 6
    fi

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IP6TABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IP6TABLES}: Trying to reload firewall rules: "

    OPT=
    [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    $IP6TABLES-restore $OPT $IP6TABLES_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo; echo "Firewall rules are not changed."; return 1
    fi

    # Load additional modules (helpers)
    if [ -n "$IP6TABLES_MODULES" ]; then
        echo -n $"${IP6TABLES}: Loading additional modules: "
        ret=0
        for mod in $IP6TABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    # Load sysctl settings
    load_sysctl

    return $ret
}

restart() {
    [ "x$IP6TABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}


case "$1" in
    start)
        [ -f "$VAR_SUBSYS_IP6TABLES" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IP6TABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        [ -e "$VAR_SUBSYS_IP6TABLES" ] && reload
        RETVAL=$?
        ;;      
    condrestart|try-restart)
        [ ! -e "$VAR_SUBSYS_IP6TABLES" ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IP6TABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL