IPv6 deployment:IPv6 firewall script

IPv6 firewall script
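# Note: this will display WIDE, because the long lines are not broken.

# check PATH
#   Abort the whole script (exit 1) unless PATH names an executable file.
#   Called before any rule is installed so that a missing ip6tables / ip /
#   modprobe cannot leave the host half-configured.  The diagnostic goes to
#   stderr, not stdout, so it is not mistaken for script output.
check() {
  if [ ! -x "$1" ]; then
    echo "$1 not found or is not executable" >&2
    exit 1
  fi
}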
#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v1.0.8-3
#
#  Generated Thu Apr 24 15:48:38 2003 PDT by root

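# log MSG
#   Send MSG to syslog at priority "info" through $LOGGER.  When $LOGGER is
#   absent or not executable the message is dropped silently so the firewall
#   still loads on minimal systems; the function never fails its caller.
#   Calls the checked absolute path rather than a bare "logger": this runs as
#   root at boot, and resolving the tool through PATH is unnecessary exposure.
log() {
  if [ -x "$LOGGER" ]; then
    "$LOGGER" -p info "$1"
  fi
}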

# Absolute paths to the tools this script drives.  $MODPROBE, $IPTABLES and
# $IP are verified with check() before any rule is touched; $LOGGER is
# optional (log() is a no-op without it).
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/ip6tables"   # IPv6 table: this is an ip6tables policy
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
SYSCTL="/sbin/sysctl"

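# Fail fast if any tool the script depends on is missing.  $SYSCTL is
# included because forwarding is toggled with it further down and the
# generated version never verified it; $LOGGER stays optional (see log()).
for tool in "$MODPROBE" "$IPTABLES" "$IP" "$SYSCTL"; do
  check "$tool"
done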

# Work from /etc; give up (exit 1) if the directory is unreachable.
if ! cd /etc; then
  exit 1
fi

# Leave a syslog marker so a later incident review can tell when (and from
# which generated revision) this rule set was activated.
log 'Activating firewall script generated Thu Apr 24 15:48:38 2003 PDT by root'

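# Virtual-address counter kept by the generator; nothing in this policy
# uses it.
va_num=1

# Stop forwarding while the rule set is rebuilt.  The sysctl key is
# case-sensitive and lowercase ("net.ipv6…"); the capitalised spelling that
# appeared in this copy of the script is rejected by sysctl, which would have
# left forwarding in whatever state it was in.
$SYSCTL -w net.ipv6.conf.all.forwarding=0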

# Clear state left by a previous activation on every managed interface:
# flush the neighbour cache and remove the virtual addresses the generator
# creates (labelled "<if>:FWB*").  "ip -4" is what the generator emitted;
# address labels are an IPv4-only concept, so this only touches fwb's IPv4
# aliases — NOTE(review): confirm nothing on the IPv6 side needs clearing.
for dev in eth0 eth3 eth1 eth2; do
  $IP -4 neigh flush dev "$dev"
  $IP -4 addr flush dev "$dev" label "${dev}:FWB*"
done

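# Default-deny on every built-in chain first, so the host is closed while the
# rules are (re)installed, then wipe the previous rule set.  The generated
# version never flushed: a second run would fail on "-N" for chains that
# already exist and append duplicate rules to the built-in chains.
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -P "$chain" DROP
done
$IPTABLES -F   # flush rules in all chains
$IPTABLES -X   # delete (now unreferenced) user-defined chains
$IPTABLES -Z   # zero the counters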

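# Load every netfilter module shipped for the running kernel's IPv6 stack, so
# the matches and targets used below (state, multiport, LOG, ...) exist before
# the first rule references them.  A module that refuses to load aborts the
# script; the DROP policies set above keep the host closed in that case.
# Changes from the generated version: no parsing of `ls`, the module name is
# derived from the file name, modern ".ko[.gz|.xz|.zst]" files are recognised
# as well as the 2.4-era ".o[.gz]", and the directory is lowercase "ipv6" (the
# path is case-sensitive; "IPv6" matches nothing).
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter"
for path in "$MODULE_DIR"/*.o "$MODULE_DIR"/*.o.gz \
            "$MODULE_DIR"/*.ko "$MODULE_DIR"/*.ko.gz \
            "$MODULE_DIR"/*.ko.xz "$MODULE_DIR"/*.ko.zst; do
  [ -e "$path" ] || continue      # an unmatched glob stays literal: skip it
  module=${path##*/}              # drop the directory
  module=${module%%.*}            # drop ".o", ".ko", ".ko.gz", ...
  $MODPROBE "$module" || exit 1
done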

# Let replies and related traffic of already-tracked flows through on all
# chains, ahead of every other rule, so the per-rule filters below only see
# the first packet of a connection.  (Legacy "-m state"; the modern spelling
# is "-m conntrack --ctstate".)
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

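# ---- Firewall policy -------------------------------------------------------
# The addresses the generator embedded in these rules are missing from this
# copy (the original reads "-s  -j ..." and "-d  --destination-port ...",
# which ip6tables rejects, so the script could never have loaded as shown).
# They are taken from the environment instead, and the script stops here if
# they are unset; the host stays closed because the DROP policies are already
# in place.
#   ANTISPOOF_SRC  whitespace-separated addresses/prefixes that must never
#                  arrive on eth3 as a source and are the only sources allowed
#                  to leave via eth3 — presumably the firewall's own eth3
#                  addresses; confirm against the Firewall Builder object.
#                  Do not list fe80::/10 here (neighbours legitimately use it).
#   HTTP_DST       destination the TCP/80 rule applies to — also lost from
#                  this copy; confirm against the Firewall Builder object.
: "${ANTISPOOF_SRC:?set ANTISPOOF_SRC to the address(es) for the eth3 anti-spoofing rules}"
: "${HTTP_DST:?set HTTP_DST to the destination address for the TCP/80 rule}"

# Rule 0(eth3): inbound anti-spoofing — packets entering eth3 that claim one
# of our own addresses as source are logged and dropped.
$IPTABLES -N eth3_In_RULE_0
# shellcheck disable=SC2086  # intentional word-splitting: one rule per address
for src in $ANTISPOOF_SRC; do
  $IPTABLES -A INPUT   -i eth3 -s "$src" -j eth3_In_RULE_0
  $IPTABLES -A FORWARD -i eth3 -s "$src" -j eth3_In_RULE_0
done
$IPTABLES -A eth3_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DROP "
$IPTABLES -A eth3_In_RULE_0 -j DROP

# Rule 1(eth3): outbound anti-spoofing — only our own addresses may leave via
# eth3; anything else is logged and dropped.
$IPTABLES -N ptmp001
$IPTABLES -A OUTPUT  -o eth3 -j ptmp001
$IPTABLES -A FORWARD -o eth3 -j ptmp001
# shellcheck disable=SC2086
for src in $ANTISPOOF_SRC; do
  $IPTABLES -A ptmp001 -o eth3 -s "$src" -j RETURN
done
# Neighbour Discovery sent by this host uses its link-local address
# (fe80::/10) and, for duplicate address detection, the unspecified address
# (::).  Both are ours; without these exemptions the anti-spoofing chain
# would drop every Neighbour Solicitation we emit on eth3.
$IPTABLES -A ptmp001 -o eth3 -p icmpv6 -s fe80::/10 -j RETURN
$IPTABLES -A ptmp001 -o eth3 -p icmpv6 -s ::/128   -j RETURN
$IPTABLES -N eth3_Out_RULE_1_3
$IPTABLES -A ptmp001 -o eth3 -j eth3_Out_RULE_1_3
$IPTABLES -A eth3_Out_RULE_1_3 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
$IPTABLES -A eth3_Out_RULE_1_3 -j DROP

# Rule 0(lo) / Rule 1(lo): allow everything on loopback.  The generator
# emitted this set twice; the second copy could never match and is dropped.
$IPTABLES -A INPUT   -i lo -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
$IPTABLES -A OUTPUT  -o lo -j ACCEPT
$IPTABLES -A FORWARD -o lo -j ACCEPT

# ICMPv6 is not optional on IPv6 (RFC 4890).  With DROP policies and no
# ICMPv6 rule the generated set blocks Neighbour Discovery, so the host cannot
# resolve its neighbours or its gateway, and blocks Packet Too Big, so path
# MTU discovery fails.  Accept the Neighbour Discovery messages (133-136) in
# and out, and the error messages (1-4) on every chain.  Redirect (137) is
# deliberately left to the default policy.
for t in 133 134 135 136; do
  $IPTABLES -A INPUT  -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  $IPTABLES -A OUTPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
done
for t in 1 2 3 4; do
  $IPTABLES -A INPUT   -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  $IPTABLES -A OUTPUT  -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  $IPTABLES -A FORWARD -p icmpv6 --icmpv6-type "$t" -j ACCEPT
done

# Rule 1(global): allow new TCP/80 connections to $HTTP_DST, both originated
# by the firewall (OUTPUT) and delivered to it (INPUT).
$IPTABLES -A OUTPUT -p tcp -m multiport -d "$HTTP_DST" --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT  -p tcp -m multiport -d "$HTTP_DST" --destination-port 80 -m state --state NEW -j ACCEPT

# Rule 7(global): catch-all — log and drop everything not matched above.
# NOTE(review): this LOG and those in rules 0/1 are not rate-limited; a flood
# of rejected packets becomes a syslog flood.  Consider prefixing them with
# "-m limit --limit 10/min --limit-burst 20".
$IPTABLES -N RULE_7
$IPTABLES -A OUTPUT  -j RULE_7
$IPTABLES -A INPUT   -j RULE_7
$IPTABLES -A FORWARD -j RULE_7
$IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DROP "
$IPTABLES -A RULE_7 -j DROP

# Re-enable forwarding now that the policy is in place (lowercase key: sysctl
# is case-sensitive, the capitalised spelling in this copy is rejected).
# NOTE: on Linux, forwarding=1 also makes the kernel ignore Router
# Advertisements on every interface unless accept_ra=2 is set there.
$SYSCTL -w net.ipv6.conf.all.forwarding=1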
# Rule comments emitted by Firewall Builder ahead of each rule group above
# (rendered here as a list, apparently because the comment markers were lost):
#
#   Rule 0(eth3)    Anti-spoofing rule
#   Rule 1(eth3)    Anti-spoofing rule
#   Rule 0(lo)      allow everything on loopback
#   Rule 1(lo)      allow everything on loopback
#   Rule 1(global)  allow access from the firewall on certain ports
#   Rule 7(global)  "catch all" rule
