authorGavin Schenk <g.schenk@eckelmann.de>2016-04-11 14:19:28 +0200
committerMichael Olbrich <m.olbrich@pengutronix.de>2016-04-11 18:22:08 +0200
commit6a36221821e623ac619e1eba4f85e95e751159b9 (patch)
treee928c18f3698dd28eec20a4760a4df6f547ed99f /projectroot
parentfff5afaf3b26a001a31536d8f3c4ca3442f2361c (diff)
downloadptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.gz
ptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.xz
Add persistant iptable-rules via systemd
Supports IPv4 and IPv6; either or both can be selected in menuconfig via IPTABLES_IPV4_SYSTEMD_UNIT and/or IPTABLES_IPV6_SYSTEMD_UNIT. If you select IPTABLES_IPV4_SYSTEMD_UNIT, a systemd unit wanted by multi-user.target sets the iptables rules from the file /etc/iptables/rules.v4. If you select IPTABLES_IPV6_SYSTEMD_UNIT, a systemd unit wanted by multi-user.target sets the ip6tables rules from the file /etc/iptables/rules.v6. The package provides empty rule files; if you want custom rules, you have to provide your own files. The rule files can be generated with the iptables-save and ip6tables-save utilities from the iptables package. Example: generating a rule file that drops TCP port 5000 on interface eth0 for IPv4: 1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP 2.) iptables-save > /etc/iptables/rules.v4 The basic idea was taken from https://github.com/gronke/systemd-iptables, written by Stefan Grönke <stefan@gronke.net> in 2015. Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'projectroot')
-rw-r--r--projectroot/etc/iptables/rules.v40
-rw-r--r--projectroot/etc/iptables/rules.v60
-rw-r--r--projectroot/lib/systemd/system/ip6tables.service14
-rw-r--r--projectroot/lib/systemd/system/iptables.service14
-rwxr-xr-xprojectroot/usr/sbin/ip6tables-flush19
-rwxr-xr-xprojectroot/usr/sbin/iptables-flush19
6 files changed, 66 insertions, 0 deletions
diff --git a/projectroot/etc/iptables/rules.v4 b/projectroot/etc/iptables/rules.v4
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/projectroot/etc/iptables/rules.v4
diff --git a/projectroot/etc/iptables/rules.v6 b/projectroot/etc/iptables/rules.v6
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/projectroot/etc/iptables/rules.v6
diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service
new file mode 100644
index 000000000..e842cc197
--- /dev/null
+++ b/projectroot/lib/systemd/system/ip6tables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+ConditionFileNotEmpty=/etc/iptables/rules.v6
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecStop=/usr/sbin/iptables/ip6tables-flush
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
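Review bot: `ExecStop=/usr/sbin/iptables/ip6tables-flush` names a path this commit never creates; the diffstat installs the script as `projectroot/usr/sbin/ip6tables-flush`, and the IPv4 unit calls `/usr/sbin/iptables-flush`, so `systemctl stop ip6tables` will fail to exec the stop command and leave the unit in the failed state with its rules still loaded. It should read `ExecStop=/usr/sbin/ip6tables-flush`. Once that is corrected, stopping the unit fails open, because the flush script ends by setting every filter policy to ACCEPT, and that consequence deserves a line in the unit, e.g. `# Stop/restart runs ip6tables-flush: all rules are removed and policies reset to ACCEPT (fails open).`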
diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service
new file mode 100644
index 000000000..fa4a8b367
--- /dev/null
+++ b/projectroot/lib/systemd/system/iptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+ConditionFileNotEmpty=/etc/iptables/rules.v4
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecStop=/usr/sbin/iptables-flush
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
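Review bot: The ExecStop line hands the firewall to iptables-flush, whose last three commands set INPUT, FORWARD and OUTPUT to ACCEPT, so `systemctl stop iptables` — and a `restart` whose ExecStart then fails because rules.v4 does not parse — presumably leaves the host with no IPv4 filtering at all. If fail-open is the intended stop semantics it should be stated in the unit, e.g. `# Stopping this unit flushes all rules and resets policies to ACCEPT (fails open).` Separately, the unit only orders itself `Before=sysinit.target` with `DefaultDependencies=no`, while the commit message says it is started on multi-user.target; the systemd-documented anchor for firewall units is network-pre.target, so adding `Before=network-pre.target` and `Wants=network-pre.target` would make the "rules loaded before interfaces come up" guarantee explicit rather than implied by sysinit ordering.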
diff --git a/projectroot/usr/sbin/ip6tables-flush b/projectroot/usr/sbin/ip6tables-flush
new file mode 100755
index 000000000..0ef3c3fe0
--- /dev/null
+++ b/projectroot/usr/sbin/ip6tables-flush
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if ! ip6tables --list >/dev/null 2>&1; then
+ echo "ipv6 filtering is not supported by the running kernel."
+ exit 3
+fi
+
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+for table in $(cat /proc/net/ip6_tables_names);
+do
+ ip6tables -t $table -F
+ ip6tables -t $table -X
+ ip6tables -t $table -Z
+done
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT
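Review bot: The chains are flushed with `ip6tables -F` before the policies are reset to ACCEPT in the last three lines, so on a system whose rules.v6 installed a DROP policy on INPUT every packet — including the SSH session that issued the stop — is dropped between the flush and the final `-P` commands; for a stop hook that is meant to open the firewall, set the policies first. The table loop also word-splits `$(cat /proc/net/ip6_tables_names)` and passes `$table` unquoted, and the "not supported" diagnostic goes to stdout rather than stderr. There is no `set -e` and the exit status is only that of the last `-P`, so a failure to flush one table is silently swallowed by systemd; that is acceptable for a best-effort flush but should be stated in a comment. Suggested rewrite of the body:
```sh
# Best-effort flush used as the unit's ExecStop. Policies are opened
# first so a DROP policy cannot black-hole traffic while chains are
# emptied; the result is an unfiltered host (fails open). Per-table
# errors are deliberately not fatal.
if ! ip6tables --list >/dev/null 2>&1; then
    echo "ipv6 filtering is not supported by the running kernel." >&2
    exit 3
fi

ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -F
ip6tables -X
ip6tables -Z
while read -r table; do
    ip6tables -t "$table" -F
    ip6tables -t "$table" -X
    ip6tables -t "$table" -Z
done < /proc/net/ip6_tables_names
```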
diff --git a/projectroot/usr/sbin/iptables-flush b/projectroot/usr/sbin/iptables-flush
new file mode 100755
index 000000000..a9c146eec
--- /dev/null
+++ b/projectroot/usr/sbin/iptables-flush
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if ! iptables --list >/dev/null 2>&1; then
+ echo "ipv4 filtering is not supported by the running kernel."
+ exit 3
+fi
+
+iptables -F
+iptables -X
+iptables -Z
+for table in $(cat /proc/net/ip_tables_names)
+do
+ iptables -t $table -F
+ iptables -t $table -X
+ iptables -t $table -Z
+done
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT