korsygfhrtzangaiide
Elepffwdsff
/
usr
/
libexec
/
iptables
/
Upload FileeE
HOME
#!/bin/bash # # ip6tables Start ip6tables firewall # # chkconfig: 2345 08 92 # description: Starts, stops and saves ip6tables firewall # # config: /etc/sysconfig/ip6tables # config: /etc/sysconfig/ip6tables-config # ### BEGIN INIT INFO # Provides: ip6tables # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: start and stop ip6tables firewall # Description: Start, stop and save ip6tables firewall ### END INIT INFO # Source function library. . /etc/init.d/functions IP6TABLES=ip6tables IP6TABLES_DATA=/etc/sysconfig/$IP6TABLES IP6TABLES_FALLBACK_DATA=${IP6TABLES_DATA}.fallback IP6TABLES_CONFIG=/etc/sysconfig/${IP6TABLES}-config IPV=${IP6TABLES%tables} # ip for ipv4 | ip6 for ipv6 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" PROC_IP6TABLES_NAMES=/proc/net/${IPV}_tables_names VAR_SUBSYS_IP6TABLES=/var/lock/subsys/$IP6TABLES RESTORECON=$(which restorecon 2>/dev/null) [ ! -x "$RESTORECON" ] && RESTORECON=/bin/true # only usable for root if [ $EUID != 0 ]; then echo -n $"${IP6TABLES}: Only usable by root."; warning; echo exit 4 fi if [ ! -x /sbin/$IP6TABLES ]; then echo -n $"${IP6TABLES}: /sbin/$IP6TABLES does not exist."; warning; echo exit 5 fi # Default firewall configuration: IP6TABLES_MODULES="" IP6TABLES_SAVE_ON_STOP="no" IP6TABLES_SAVE_ON_RESTART="no" IP6TABLES_SAVE_COUNTER="no" IP6TABLES_STATUS_NUMERIC="yes" IP6TABLES_STATUS_VERBOSE="no" IP6TABLES_STATUS_LINENUMBERS="yes" IP6TABLES_SYSCTL_LOAD_LIST="" IP6TABLES_RESTORE_WAIT=600 IP6TABLES_RESTORE_WAIT_INTERVAL=1000000 # Load firewall configuration. [ -f "$IP6TABLES_CONFIG" ] && . "$IP6TABLES_CONFIG" # Get active tables NF_TABLES=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null) # Prepare commands for wait options IP6TABLES_CMD="$IP6TABLES" IP6TABLES_RESTORE_CMD="$IP6TABLES-restore" if [ $IP6TABLES_RESTORE_WAIT -ne 0 ]; then OPT="--wait ${IP6TABLES_RESTORE_WAIT}" if [ $IP6TABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then OPT+=" --wait-interval ${IP6TABLES_RESTORE_WAIT_INTERVAL}" fi IP6TABLES_CMD+=" $OPT" IP6TABLES_RESTORE_CMD+=" $OPT" fi flush_n_delete() { local ret=0 # Flush firewall rules and delete chains. [ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 1 echo -n $"${IP6TABLES}: Flushing firewall rules: " # For all tables for i in $NF_TABLES; do # Flush firewall rules. $IP6TABLES_CMD -t $i -F; let ret+=$?; # Delete firewall chains. $IP6TABLES_CMD -t $i -X; let ret+=$?; # Set counter to zero. $IP6TABLES_CMD -t $i -Z; let ret+=$?; done [ $ret -eq 0 ] && success || failure echo return $ret } set_policy() { local ret=0 # Set policy for configured tables. policy=$1 # Check if iptable module is loaded [ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) tables=$(cat "$PROC_IP6TABLES_NAMES" 2>/dev/null) [ -z "$tables" ] && return 1 echo -n $"${IP6TABLES}: Setting chains to policy $policy: " for i in $tables; do echo -n "$i " case "$i" in raw) $IP6TABLES_CMD -t raw -P PREROUTING $policy \ && $IP6TABLES_CMD -t raw -P OUTPUT $policy \ || let ret+=1 ;; filter) $IP6TABLES_CMD -t filter -P INPUT $policy \ && $IP6TABLES_CMD -t filter -P OUTPUT $policy \ && $IP6TABLES_CMD -t filter -P FORWARD $policy \ || let ret+=1 ;; nat) $IP6TABLES_CMD -t nat -P PREROUTING $policy \ && $IP6TABLES_CMD -t nat -P POSTROUTING $policy \ && $IP6TABLES_CMD -t nat -P OUTPUT $policy \ || let ret+=1 ;; mangle) $IP6TABLES_CMD -t mangle -P PREROUTING $policy \ && $IP6TABLES_CMD -t mangle -P POSTROUTING $policy \ && $IP6TABLES_CMD -t mangle -P INPUT $policy \ && $IP6TABLES_CMD -t mangle -P OUTPUT $policy \ && $IP6TABLES_CMD -t mangle -P FORWARD $policy \ || let ret+=1 ;; security) # Ignore the security table ;; *) let ret+=1 ;; esac done [ $ret -eq 0 ] && success || failure echo return $ret } load_sysctl() { local ret=0 # load matched sysctl values if [ -n "$IP6TABLES_SYSCTL_LOAD_LIST" ]; then echo -n $"Loading sysctl settings: " for item in $IP6TABLES_SYSCTL_LOAD_LIST; do fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi return $ret } start() { local ret=0 # Do not start if there is no config file. if [ ! -f "$IP6TABLES_DATA" ]; then echo -n $"${IP6TABLES}: No config file."; warning; echo return 6 fi # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] \ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then echo $"${IP6TABLES}: ${_IPV} is disabled." return 150 fi echo -n $"${IP6TABLES}: Applying firewall rules: " OPT= [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" $IP6TABLES_RESTORE_CMD $OPT $IP6TABLES_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; if [ -f "$IP6TABLES_FALLBACK_DATA" ]; then echo -n $"${IP6TABLES}: Applying firewall fallback rules: " $IP6TABLES_RESTORE_CMD $OPT $IP6TABLES_FALLBACK_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; return 1 fi else return 1 fi fi # Load additional modules (helpers) if [ -n "$IP6TABLES_MODULES" ]; then echo -n $"${IP6TABLES}: Loading additional modules: " for mod in $IP6TABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi # Load sysctl settings load_sysctl touch $VAR_SUBSYS_IP6TABLES return $ret } stop() { local ret=0 # Do not stop if ip6tables module is not loaded. [ ! -e "$PROC_IP6TABLES_NAMES" ] && return 0 # Set default chain policy to ACCEPT, in order to not break shutdown # on systems where the default policy is DROP and root device is # network-based (i.e.: iSCSI, NFS) set_policy ACCEPT let ret+=$? # And then, flush the rules and delete chains flush_n_delete let ret+=$? rm -f $VAR_SUBSYS_IP6TABLES return $ret } save() { local ret=0 # Check if iptable module is loaded if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then echo -n $"${IP6TABLES}: Nothing to save."; warning; echo return 0 fi # Check if firewall is configured (has tables) if [ -z "$NF_TABLES" ]; then echo -n $"${IP6TABLES}: Nothing to save."; warning; echo return 6 fi echo -n $"${IP6TABLES}: Saving firewall rules to $IP6TABLES_DATA: " OPT= [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" TMP_FILE=$(/bin/mktemp -q $IP6TABLES_DATA.XXXXXX) \ && chmod 600 "$TMP_FILE" \ && $IP6TABLES-save $OPT > $TMP_FILE 2>/dev/null \ && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ || ret=1 if [ $ret -eq 0 ]; then if [ -e $IP6TABLES_DATA ]; then cp -f $IP6TABLES_DATA $IP6TABLES_DATA.save \ && chmod 600 $IP6TABLES_DATA.save \ && $RESTORECON $IP6TABLES_DATA.save \ || ret=1 fi if [ $ret -eq 0 ]; then mv -f $TMP_FILE $IP6TABLES_DATA \ && chmod 600 $IP6TABLES_DATA \ && $RESTORECON $IP6TABLES_DATA \ || ret=1 fi fi rm -f $TMP_FILE [ $ret -eq 0 ] && success || failure echo return $ret } status() { if [ ! -f "$VAR_SUBSYS_IP6TABLES" ] && [ -z "$NF_TABLES" ]; then echo $"${IP6TABLES}: Firewall is not running." return 3 fi # Do not print status if lockfile is missing and ip6tables modules are not # loaded. # Check if iptable modules are loaded if [ ! -e "$PROC_IP6TABLES_NAMES" ]; then echo $"${IP6TABLES}: Firewall modules are not loaded." return 3 fi # Check if firewall is configured (has tables) if [ -z "$NF_TABLES" ]; then echo $"${IP6TABLES}: Firewall is not configured. " return 3 fi NUM= [ "x$IP6TABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" VERBOSE= [ "x$IP6TABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" COUNT= [ "x$IP6TABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" for table in $NF_TABLES; do echo $"Table: $table" $IP6TABLES -t $table --list $NUM $VERBOSE $COUNT && echo done return 0 } reload() { local ret=0 # Do not reload if there is no config file. if [ ! -f "$IP6TABLES_DATA" ]; then echo -n $"${IP6TABLES}: No config file."; warning; echo return 6 fi # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] \ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then echo $"${IP6TABLES}: ${_IPV} is disabled." return 150 fi echo -n $"${IP6TABLES}: Trying to reload firewall rules: " OPT= [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" $IP6TABLES_RESTORE_CMD $OPT $IP6TABLES_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; echo "Firewall rules are not changed."; return 1 fi # Load additional modules (helpers) if [ -n "$IP6TABLES_MODULES" ]; then echo -n $"${IP6TABLES}: Loading additional modules: " for mod in $IP6TABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi # Load sysctl settings load_sysctl return $ret } restart() { [ "x$IP6TABLES_SAVE_ON_RESTART" = "xyes" ] && save stop start } case "$1" in start) [ -f "$VAR_SUBSYS_IP6TABLES" ] && exit 0 start RETVAL=$? ;; stop) [ "x$IP6TABLES_SAVE_ON_STOP" = "xyes" ] && save stop RETVAL=$? ;; restart|force-reload) restart RETVAL=$? ;; reload) [ -e "$VAR_SUBSYS_IP6TABLES" ] && reload RETVAL=$? ;; condrestart|try-restart) [ ! -e "$VAR_SUBSYS_IP6TABLES" ] && exit 0 restart RETVAL=$? ;; status) status RETVAL=$? ;; panic) set_policy DROP RETVAL=$? ;; save) save RETVAL=$? ;; *) echo $"Usage: ${IP6TABLES} {start|stop|reload|restart|condrestart|status|panic|save}" RETVAL=2 ;; esac exit $RETVAL