From: Arno van Amersfoort <arnova@rocky.eld.leidenuniv.nl>
Subject: Prevent incremental rule build-up in ipv6 chains when restarting the
  firewall.
Origin: upstream, https://rocky.eld.leidenuniv.nl/trac/aif/changeset/297?format=diff&new=297
  backported to 1.9.2k by Michael Hanke
Bug-Debian: http://bugs.debian.org/596170
--- a/bin/arno-iptables-firewall
+++ b/bin/arno-iptables-firewall
@@ -682,9 +682,18 @@
 
   # Flush built-in rules
   ######################
-  iptables -F INPUT
-  iptables -F OUTPUT
-  iptables -F FORWARD
+  ip4tables -F INPUT
+  ip4tables -F OUTPUT
+  ip4tables -F FORWARD
+
+  if sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
+    # Flush builtin IPv6 chains
+    ###########################
+    ip6tables -F INPUT
+    ip6tables -F OUTPUT
+    ip6tables -F FORWARD
+  fi
+
   iptables -t nat -F
   iptables -t nat -X
   iptables -t mangle -F
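Review bot: The IPv6 probe on L20, `sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"`, dumps the entire sysctl tree to test for one key prefix and is repeated verbatim at L50, L76, L105, L131 and L150, so every code path pays the full dump and any later fix has to be made six times; a single helper such as `ipv6_enabled() { [ -d /proc/sys/net/ipv6 ] && command -v ip6tables >/dev/null 2>&1; }` used as `if ipv6_enabled; then` in each place would be cheaper and maintained in one spot. The sysctl check also only shows that the kernel has IPv6 support, not that the `ip6tables` binary is installed, so on a host without it each added `ip6tables -F` call errors out instead of being skipped. The nat and mangle flushes that follow at L28-L30 still call bare `iptables` while the filter flushes in the same hunk were renamed to `ip4tables`, presumably a wrapper defined elsewhere in the file; the mix is inconsistent and worth settling on one name. The function enclosing this hunk starts and ends outside it.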
@@ -5000,14 +5009,27 @@
 stop_firewall()
 {
   # Set default policies
-  iptables -P INPUT ACCEPT
-  iptables -P FORWARD DROP
-  iptables -P OUTPUT ACCEPT
+  ip4tables -P INPUT ACCEPT
+  ip4tables -P FORWARD DROP
+  ip4tables -P OUTPUT ACCEPT
 
   # Flush Built-in Rules
-  iptables -F INPUT
-  iptables -F OUTPUT
-  iptables -F FORWARD
+  ip4tables -F INPUT
+  ip4tables -F OUTPUT
+  ip4tables -F FORWARD
+
+  if sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
+    # Set default IPv6 policies
+    ip6tables -P INPUT ACCEPT
+    ip6tables -P FORWARD DROP
+    ip6tables -P OUTPUT ACCEPT
+
+    # Flush builtin IPv6 chains
+    ip6tables -F INPUT
+    ip6tables -F OUTPUT
+    ip6tables -F FORWARD
+  fi
+
   iptables -t mangle -F
   iptables -t mangle -X
   iptables -t nat -F
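Review bot: The IPv6 branch added at L50-L60 in stop_firewall flushes only the three builtin filter chains, whereas the IPv4 path that follows at L62-L64 also flushes the mangle and nat tables and deletes user-defined chains with `-X`. If the script creates its own ip6tables chains or mangle rules anywhere (not visible in this hunk), they survive a stop and the rule build-up this patch is meant to prevent can recur on the IPv6 side; adding `ip6tables -X` and `ip6tables -t mangle -F` / `ip6tables -t mangle -X` after the IPv6 filter flushes would mirror the IPv4 cleanup. stop_firewall continues past the end of this hunk.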
@@ -5037,9 +5059,17 @@
   iptables -P OUTPUT ACCEPT
 
   # Flush Built-in Rules
-  iptables -F INPUT
-  iptables -F OUTPUT
-  iptables -F FORWARD
+  ip4tables -F INPUT
+  ip4tables -F OUTPUT
+  ip4tables -F FORWARD
+
+  if sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
+    # Flush builtin IPv6 chains
+    ip6tables -F INPUT
+    ip6tables -F OUTPUT
+    ip6tables -F FORWARD
+  fi
+
   iptables -t nat -F
   iptables -t mangle -F
 
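Review bot: Unlike the parallel edits at L38-L40 with L52-L54 and at L93-L95 with L106-L108, this hunk converts the filter flushes to `ip4tables` and adds the IPv6 flush but sets no `ip6tables -P` policies, although the context at L66 shows the enclosing function does set IPv4 policies (still via bare `iptables`). Chain policies persist until changed, so after this function the IPv6 chains keep whatever policy the previous code path left, which may differ from the IPv4 state the function establishes; `ip6tables -P INPUT ACCEPT`, `ip6tables -P FORWARD DROP`, `ip6tables -P OUTPUT ACCEPT` inside the branch would match the IPv4 lines above, if that is the intended end state. The enclosing function begins before L66, and its IPv4 policy lines are not converted to ip4tables in this hunk either.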
@@ -5056,14 +5086,26 @@
   # Temporarely set default policies to DROP, to don't even have a small
   # window of opportunity
   ######################################################################
-  iptables -P INPUT DROP
-  iptables -P FORWARD DROP
-  iptables -P OUTPUT DROP
+  ip4tables -P INPUT DROP
+  ip4tables -P FORWARD DROP
+  ip4tables -P OUTPUT DROP
 
   # Flush Built-in Rules
-  iptables -F INPUT
-  iptables -F OUTPUT
-  iptables -F FORWARD
+  ip4tables -F INPUT
+  ip4tables -F OUTPUT
+  ip4tables -F FORWARD
+
+  if sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
+    ip6tables -P INPUT DROP
+    ip6tables -P FORWARD DROP
+    ip6tables -P OUTPUT DROP
+
+    # Flush builtin IPv6 chains
+    ip6tables -F INPUT
+    ip6tables -F OUTPUT
+    ip6tables -F FORWARD
+  fi
+
   iptables -t nat -F
   iptables -t nat -X
   iptables -t mangle -F
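Review bot: The IPv6 policy lines at L106-L108 carry no comment, while the matching IPv4 lines are explained by the header at L87-L89 and the sibling block at L51 labels its policy lines; a reader skimming the branch cannot tell that this DROP is the same deliberate temporary lockdown rather than a permanent policy. A one-line comment above L106 such as `# Temporarily set the default IPv6 policies to DROP as well` keeps the two halves readable together. The enclosing function starts before L87 and continues past L118, so where the IPv6 policies are restored is not visible in this hunk.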
@@ -5076,18 +5118,34 @@
   # Deny traffic from our internet interfaces
   IFS=' ,'
   for interface in $EXT_IF; do
-    iptables -A INPUT -i $interface -j DROP
-  done
+    ip4tables -A INPUT -i $interface -j DROP
 
-  # Allow traffic from the loopback (localhost)
-  iptables -A INPUT -i lo -j ACCEPT
-  iptables -A FORWARD -i lo -j ACCEPT
-  iptables -A OUTPUT -o lo -j ACCEPT
+    if sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
+      ip6tables -A INPUT -i $interface -j DROP
+    fi
+  done
 
-  # Set default policies
-  iptables -P INPUT ACCEPT
-  iptables -P FORWARD DROP
-  iptables -P OUTPUT ACCEPT
+  # Allow IPv4 traffic from the loopback (localhost)
+  ip4tables -A INPUT -i lo -j ACCEPT
+  ip4tables -A FORWARD -i lo -j ACCEPT
+  ip4tables -A OUTPUT -o lo -j ACCEPT
+
+  # Set default IPv4 policies
+  ip4tables -P INPUT ACCEPT
+  ip4tables -P FORWARD DROP
+  ip4tables -P OUTPUT ACCEPT
+
+  if sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
+    # Allow IPv6 traffic from the loopback (localhost)
+    ip6tables -A INPUT -i lo -j ACCEPT
+    ip6tables -A FORWARD -i lo -j ACCEPT
+    ip6tables -A OUTPUT -o lo -j ACCEPT
+
+    # Set default IPv6 policies
+    ip6tables -P INPUT ACCEPT
+    ip6tables -P FORWARD DROP
+    ip6tables -P OUTPUT ACCEPT
+  fi
 }
 
 
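Review bot: The IPv6 probe at L131 runs inside the `for interface in $EXT_IF` loop, so `sysctl -a` is dumped and grepped once per external interface even though the result cannot change between iterations. Evaluate it once before the loop, e.g. `ipv6_avail=0` and `sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf" && ipv6_avail=1` above L122, and replace L131 with `if [ "$ipv6_avail" = "1" ]; then`; the same cached value can then serve the second check at L150 instead of a further sysctl dump. The loop variable stays unquoted at L125 and L132, which is pre-existing and consistent with the `IFS=' ,'` splitting at L121, but the new L132 line inherits that choice without a comment saying so. The enclosing function starts before L120.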
