diff options
| author | Gavin Schenk <g.schenk@eckelmann.de> | 2016-04-11 14:19:28 +0200 |
|---|---|---|
| committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2016-04-11 18:22:08 +0200 |
| commit | 6a36221821e623ac619e1eba4f85e95e751159b9 (patch) | |
| tree | e928c18f3698dd28eec20a4760a4df6f547ed99f /projectroot/lib/systemd | |
| parent | fff5afaf3b26a001a31536d8f3c4ca3442f2361c (diff) | |
| download | ptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.gz ptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.xz | |
Add persistant iptable-rules via systemd
Supports ipv4 and ipv6 and both options can be selected in menuconfig
by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT
If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
multiuser.target that set the iptable rules from file:
/etc/iptables/rules.v4
If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
multiuser.target that set the iptable rules from the file:
/etc/iptables/rules.v6
The Package provides empty files. If you want to add custom rules, you
have to provide your own files. The rule files can be generated with
the utils iptables-save ip6tables-save from the iptables package.
Example:
Generating a rule file, that drops port 5000 on interface eth0 for ipv4
1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4
The basic idea was taken from https://github.com/gronke/systemd-iptables
written by Stefan Grönke <stefan@gronke.net> in 2015.
Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'projectroot/lib/systemd')
| -rw-r--r-- | projectroot/lib/systemd/system/ip6tables.service | 14 | ||||
| -rw-r--r-- | projectroot/lib/systemd/system/iptables.service | 14 |
2 files changed, 28 insertions, 0 deletions
diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service new file mode 100644 index 000000000..e842cc197 --- /dev/null +++ b/projectroot/lib/systemd/system/ip6tables.service @@ -0,0 +1,14 @@ +[Unit] +Description=Packet Filtering Framework +DefaultDependencies=no +After=systemd-sysctl.service +Before=sysinit.target +ConditionFileNotEmpty=/etc/iptables/rules.v6 +[Service] +Type=oneshot +ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 +ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 +ExecStop=/usr/sbin/iptables/ip6tables-flush +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service new file mode 100644 index 000000000..fa4a8b367 --- /dev/null +++ b/projectroot/lib/systemd/system/iptables.service @@ -0,0 +1,14 @@ +[Unit] +Description=Packet Filtering Framework +DefaultDependencies=no +After=systemd-sysctl.service +Before=sysinit.target +ConditionFileNotEmpty=/etc/iptables/rules.v4 +[Service] +Type=oneshot +ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4 +ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4 +ExecStop=/usr/sbin/iptables-flush +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target |