2 # Copyright 1999-2004 Gentoo Foundation
3 # Distributed under the terms of the GNU General Public License v2
# Actions this init script exposes to the runscript front-end
# (presumably mapped to start(), stop() and reload() further down --
# the function headers are not part of this listing).
opts='start stop reload'
ebegin "Starting firewall"

# Let the kernel route between interfaces for both address families.
# FORWARD is set to policy DROP right below and no FORWARD rule is added
# here, so enabling this does not by itself relay anything.
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Deny-by-default on every built-in chain of the filter table, IPv4 first,
# then IPv6.  Everything not explicitly accepted below is dropped.
for chain in INPUT OUTPUT FORWARD; do
	/sbin/iptables -P "$chain" DROP
done
for chain in INPUT OUTPUT FORWARD; do
	/sbin/ip6tables -P "$chain" DROP
done

# IPsec over IPv6 on eth0: ESP (IP protocol 50), IKE (UDP 500) and
# NAT-Traversal (UDP 4500), symmetric in both directions.  These matches
# are stateless (no -m state/-m conntrack anywhere in this block), so any
# UDP datagram whose source AND destination port are both 500 (or both
# 4500) is accepted regardless of which side initiated.
ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
for port in 500 4500; do
	ip6tables -A INPUT  -i eth0 -p udp --sport "$port" --dport "$port" -j ACCEPT
	ip6tables -A OUTPUT -o eth0 -p udp --sport "$port" --dport "$port" -j ACCEPT
done

# Neighbor Discovery (solicitation + advertisement), on any interface;
# without it IPv6 link-layer address resolution cannot complete.  These are
# the only ICMPv6 types accepted: inbound Packet Too Big messages fall
# through to the DROP policy, so IPv6 path-MTU discovery cannot work
# through this host.  Tolerable in a lab with a fixed MTU; worth knowing
# anywhere else.
for ndtype in neighbor-solicitation neighbor-advertisement; do
	ip6tables -A INPUT  -p icmpv6 --icmpv6-type "$ndtype" -j ACCEPT
	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type "$ndtype" -j ACCEPT
done

# Plain HTTP to winnetou for CRL / certificate download.  The INPUT rule is
# keyed only on source address and source port 80: any TCP segment winnetou
# sends from port 80 reaches any local port.  A stateful ESTABLISHED match
# would be tighter, but would be the only conntrack use in this block.
ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT

# IPv4 carries only SSH (inbound to 22, replies from 22), from anywhere.
# No loopback rule appears in this listing, so local IPv4 traffic via lo
# hits the DROP policy as well, and IPv4 drops are not logged.
iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Catch-all logging for IPv6 traffic that none of the ACCEPT rules above
# matched; the packet then continues to the chain's DROP policy.  There is
# no -m limit, so a remote peer can fill the log with junk.
ip6tables -A INPUT  -j LOG --log-prefix " IN: "
ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
# Tear-down: the loop that follows flushes and deletes chains in every
# listed table, then resets the filter policies to ACCEPT for both address
# families -- once stop completes the host is fully open.
# NOTE(review): the table names come from /proc/net/ip_tables_names, which
# lists the *IPv4* tables currently loaded, yet each name is also handed to
# ip6tables; IPv6 keeps its own list in /proc/net/ip6_tables_names.  A table
# loaded on only one side is presumably skipped or errors on the other --
# confirm against the tables the lab kernel actually loads.
ebegin "Stopping firewall"
65 for a in `cat /proc/net/ip_tables_names`; do
66 /sbin/ip6tables -F -t $a
67 /sbin/ip6tables -X -t $a
69 /sbin/iptables -F -t $a
70 /sbin/iptables -X -t $a
72 if [ $a == nat ]; then
73 /sbin/iptables -t nat -P PREROUTING ACCEPT
74 /sbin/iptables -t nat -P POSTROUTING ACCEPT
75 /sbin/iptables -t nat -P OUTPUT ACCEPT
76 elif [ $a == mangle ]; then
77 /sbin/iptables -t mangle -P PREROUTING ACCEPT
78 /sbin/iptables -t mangle -P INPUT ACCEPT
79 /sbin/iptables -t mangle -P FORWARD ACCEPT
80 /sbin/iptables -t mangle -P OUTPUT ACCEPT
81 /sbin/iptables -t mangle -P POSTROUTING ACCEPT
82 elif [ $a == filter ]; then
83 /sbin/ip6tables -t filter -P INPUT ACCEPT
84 /sbin/ip6tables -t filter -P FORWARD ACCEPT
85 /sbin/ip6tables -t filter -P OUTPUT ACCEPT
87 /sbin/iptables -t filter -P INPUT ACCEPT
88 /sbin/iptables -t filter -P FORWARD ACCEPT
89 /sbin/iptables -t filter -P OUTPUT ACCEPT
# Reload path: flushes and deletes chains before rules are re-added (the
# remainder of this function is outside this listing).
# NOTE(review): as in stop, the ip6tables tables are iterated from
# /proc/net/ip_tables_names (the IPv4 list) rather than
# /proc/net/ip6_tables_names -- confirm this flushes every IPv6 table.
ebegin "Flushing firewall"
97 for a in `cat /proc/net/ip_tables_names`; do
98 /sbin/ip6tables -F -t $a
99 /sbin/ip6tables -X -t $a