hash-and-url avoids IP fragementation, cert and crl fetch based on IPv6

[strongswan.git] / testing / tests / ipv6 / net2net-rfc3779-ikev2 / hosts / sun / etc / init.d / iptables

#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

opts="start stop reload"

depend() {
        before net
        need logger
}

start() {
        ebegin "Starting firewall"

        # enable IP forwarding
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        
        # default policy is DROP
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -P OUTPUT DROP
        /sbin/iptables -P FORWARD DROP

        /sbin/ip6tables -P INPUT DROP
        /sbin/ip6tables -P OUTPUT DROP
        /sbin/ip6tables -P FORWARD DROP

        # allow esp
        ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
        ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT

        # allow IKE
        ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
        ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT

        # allow MobIKE
        ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
        ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT

        # allow ICMPv6 neighbor-solicitations
        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
        
        # allow ICMPv6 neighbor-advertisements
        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

        # allow crl and certificate fetch from winnetou
        ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
        ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT

        # allow ssh
        iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
        iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

        # log dropped packets
        ip6tables -A INPUT  -j LOG --log-prefix " IN: "
        ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "

        eend $?
}

stop() {
        ebegin "Stopping firewall"
                for a in `cat /proc/net/ip_tables_names`; do
                        /sbin/ip6tables -F -t $a
                        /sbin/ip6tables -X -t $a

                        /sbin/iptables -F -t $a
                        /sbin/iptables -X -t $a
        
                        if [ $a == nat ]; then
                                /sbin/iptables -t nat -P PREROUTING ACCEPT
                                /sbin/iptables -t nat -P POSTROUTING ACCEPT
                                /sbin/iptables -t nat -P OUTPUT ACCEPT
                        elif [ $a == mangle ]; then
                                /sbin/iptables -t mangle -P PREROUTING ACCEPT
                                /sbin/iptables -t mangle -P INPUT ACCEPT
                                /sbin/iptables -t mangle -P FORWARD ACCEPT
                                /sbin/iptables -t mangle -P OUTPUT ACCEPT
                                /sbin/iptables -t mangle -P POSTROUTING ACCEPT
                        elif [ $a == filter ]; then
                                /sbin/ip6tables -t filter -P INPUT ACCEPT
                                /sbin/ip6tables -t filter -P FORWARD ACCEPT
                                /sbin/ip6tables -t filter -P OUTPUT ACCEPT

                                /sbin/iptables -t filter -P INPUT ACCEPT
                                /sbin/iptables -t filter -P FORWARD ACCEPT
                                /sbin/iptables -t filter -P OUTPUT ACCEPT
                        fi
                done
        eend $?
}

reload() {
        ebegin "Flushing firewall"
                for a in `cat /proc/net/ip_tables_names`; do
                        /sbin/ip6tables -F -t $a
                        /sbin/ip6tables -X -t $a
                done;
        eend $?
        start
}