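#
# Simpler (and less effective) than the ipv4 rules, as
# we don't have state matching for ipv6.
#
# Loads an ip6tables "skfilter" policy: only sockets owned by the SELinux
# domain httpd_t may use local TCP port 80; every other socket hitting the
# SOCKET chain is logged (with its security context) and dropped.  The
# resulting table is listed at the end.  Needs root.
#
# Abort on the first failing command and trace each command as it runs.
set -e
set -x

MODPROBE=/sbin/modprobe   # not used here; kept for parity with the ipv4 script
IPT=/usr/local/sbin/ip6tables

# Run ip6tables against the skfilter table.  A function instead of an
# unquoted "$IPT -t skfilter" string keeps the command line intact without
# relying on word-splitting.
iptsk() {
  "$IPT" -t skfilter "$@"
}

# Reset the default (filter) table.  Flush before deleting user chains:
# -X fails on a chain that is still referenced by a rule, and under set -e
# that would abort the script before any of the policy below is loaded.
# Note this wipes every existing IPv6 filter rule, not only skfilter state.
"$IPT" -F
"$IPT" -X

# Reset the skfilter table and create the log-and-drop chain.
iptsk -F
iptsk -X
iptsk -N LD

#
# Only allow httpd_t to send and receive via local port 80
#
iptsk -A SOCKET -p tcp --dport 80 \
  -m owner --ctx-owner system_u:system_r:httpd_t -j ACCEPT
iptsk -A OUTPUT -p tcp --sport 80 \
  -m owner --ctx-owner system_u:system_r:httpd_t -j ACCEPT
# A real system would need DNS and ICMP, too.

# Drop everything else: anything in SOCKET not accepted above goes to LD,
# which logs the packet with its security context and then drops it.
# NOTE(review): only SOCKET gets this catch-all; OUTPUT is left with its
# built-in policy after the single ACCEPT above -- confirm that is intended.
# Rules are appended one at a time, so between the flush above and this
# append there is a short window in which nothing is filtered.
iptsk -A SOCKET -j LD
iptsk -A LD -j LOG --log-context --log-prefix="dropping: "
iptsk -A LD -j DROP

iptsk -L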