diff options
author | Gavin Schenk <g.schenk@eckelmann.de> | 2016-04-11 14:19:28 +0200 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2016-04-11 18:22:08 +0200 |
commit | 6a36221821e623ac619e1eba4f85e95e751159b9 (patch) | |
tree | e928c18f3698dd28eec20a4760a4df6f547ed99f /projectroot | |
parent | fff5afaf3b26a001a31536d8f3c4ca3442f2361c (diff) | |
download | ptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.gz ptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.xz |
Add persistant iptable-rules via systemd
Supports ipv4 and ipv6 and both options can be selected in menuconfig
by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT
If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
multiuser.target that set the iptable rules from file:
/etc/iptables/rules.v4
If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
multiuser.target that set the iptable rules from the file:
/etc/iptables/rules.v6
The Package provides empty files. If you want to add custom rules, you
have to provide your own files. The rule files can be generated with
the utils iptables-save ip6tables-save from the iptables package.
Example:
Generating a rule file, that drops port 5000 on interface eth0 for ipv4
1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4
The basic idea was taken from https://github.com/gronke/systemd-iptables
written by Stefan Grönke <stefan@gronke.net> in 2015.
Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'projectroot')
-rw-r--r-- | projectroot/etc/iptables/rules.v4 | 0 | ||||
-rw-r--r-- | projectroot/etc/iptables/rules.v6 | 0 | ||||
-rw-r--r-- | projectroot/lib/systemd/system/ip6tables.service | 14 | ||||
-rw-r--r-- | projectroot/lib/systemd/system/iptables.service | 14 | ||||
-rwxr-xr-x | projectroot/usr/sbin/ip6tables-flush | 19 | ||||
-rwxr-xr-x | projectroot/usr/sbin/iptables-flush | 19 |
6 files changed, 66 insertions, 0 deletions
diff --git a/projectroot/etc/iptables/rules.v4 b/projectroot/etc/iptables/rules.v4 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/projectroot/etc/iptables/rules.v4 diff --git a/projectroot/etc/iptables/rules.v6 b/projectroot/etc/iptables/rules.v6 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/projectroot/etc/iptables/rules.v6 diff --git a/projectroot/lib/systemd/system/ip6tables.service b/projectroot/lib/systemd/system/ip6tables.service new file mode 100644 index 000000000..e842cc197 --- /dev/null +++ b/projectroot/lib/systemd/system/ip6tables.service @@ -0,0 +1,14 @@ +[Unit] +Description=Packet Filtering Framework +DefaultDependencies=no +After=systemd-sysctl.service +Before=sysinit.target +ConditionFileNotEmpty=/etc/iptables/rules.v6 +[Service] +Type=oneshot +ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 +ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 +ExecStop=/usr/sbin/iptables/ip6tables-flush +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target diff --git a/projectroot/lib/systemd/system/iptables.service b/projectroot/lib/systemd/system/iptables.service new file mode 100644 index 000000000..fa4a8b367 --- /dev/null +++ b/projectroot/lib/systemd/system/iptables.service @@ -0,0 +1,14 @@ +[Unit] +Description=Packet Filtering Framework +DefaultDependencies=no +After=systemd-sysctl.service +Before=sysinit.target +ConditionFileNotEmpty=/etc/iptables/rules.v4 +[Service] +Type=oneshot +ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4 +ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4 +ExecStop=/usr/sbin/iptables-flush +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target diff --git a/projectroot/usr/sbin/ip6tables-flush b/projectroot/usr/sbin/ip6tables-flush new file mode 100755 index 000000000..0ef3c3fe0 --- /dev/null +++ b/projectroot/usr/sbin/ip6tables-flush @@ -0,0 +1,19 @@ +#!/bin/sh + +if ! ip6tables --list >/dev/null 2>&1; then + echo "ipv6 filtering is not supported by the running kernel." + exit 3 +fi + +ip6tables -F +ip6tables -X +ip6tables -Z +for table in $(cat /proc/net/ip6_tables_names); +do + ip6tables -t $table -F + ip6tables -t $table -X + ip6tables -t $table -Z +done +ip6tables -P INPUT ACCEPT +ip6tables -P OUTPUT ACCEPT +ip6tables -P FORWARD ACCEPT diff --git a/projectroot/usr/sbin/iptables-flush b/projectroot/usr/sbin/iptables-flush new file mode 100755 index 000000000..a9c146eec --- /dev/null +++ b/projectroot/usr/sbin/iptables-flush @@ -0,0 +1,19 @@ +#!/bin/sh + +if ! iptables --list >/dev/null 2>&1; then + echo "ipv4 filtering is not supported by the running kernel." + exit 3 +fi + +iptables -F +iptables -X +iptables -Z +for table in $(cat /proc/net/ip_tables_names) +do + iptables -t $table -F + iptables -t $table -X + iptables -t $table -Z +done +iptables -P INPUT ACCEPT +iptables -P FORWARD ACCEPT +iptables -P OUTPUT ACCEPT |