#!/bin/sh
#
# firewall-pre	This script pre-initialises the firewall
#
# chkconfig: 2345 09 09
# description:	Deny everything but loopback, nameserver and
#		gateway if it is on a different network than the DNS server
# config: /etc/sysconfig/firewall
# config: /etc/sysconfig/firewall.d/*

# Source function library.
. /etc/rc.d/init.d/functions

# Get network config
. /etc/sysconfig/network

# Get iptables config and function library
. /etc/sysconfig/firewall
. /etc/sysconfig/firewall.d/functions

is_no "${FIREWALL}" && exit 0

# Check that networking is up.
if is_no "${NETWORKING}"; then
	# nls "ERROR: Networking is down. %s can't be run." <service>
	msg_Network_Down firewall
	exit 1
fi

if [ ! -x "$iptables" ] ; then
	echo "iptables executables not found (\"$iptables\"). Can't continue."
	exit 1
fi

if is_yes "${IPV6_NETWORKING}" && [ ! -x "$iptables" ] ; then
	echo "ip6tables executables not found (\"$ip6tables\"). Can't continue."
	exit 1
fi

# See how we were called.
case "$1" in
  start|stop)
	show "Load netfilter modules (IPv4)"
	busy
	ipv4_load_modules
	deltext ; ok
	show "Flush standard tables and remove remaining chains (IPv4)"
	busy
	clean_rules ipv4
	deltext ; ok
	show "Block everything but lo and DNS (IPv4)"
	busy
	ipv4_pre_init_block
	deltext ; ok
	if is_yes "${IPV6_NETWORKING}" ; then
		show "Load netfilter modules (IPv6)"
		busy
		ipv6_load_modules
		deltext ; ok
		show "Flush standard tables and remove remaining chains (IPv6)"
		busy
		clean_rules ipv6
		deltext ; ok
		show "Block everything but lo and DNS (IPv6)"
		busy
		ipv6_pre_init_block
		deltext ; ok
	fi
	;;
  *)
	echo "Usage: $0 {start|stop}"
	exit 1
esac

exit 0
