diff options
| author | Gavin Schenk <g.schenk@eckelmann.de> | 2016-04-11 14:19:28 +0200 |
|---|---|---|
| committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2016-04-11 18:22:08 +0200 |
| commit | 6a36221821e623ac619e1eba4f85e95e751159b9 (patch) | |
| tree | e928c18f3698dd28eec20a4760a4df6f547ed99f /rules/iptables.make | |
| parent | fff5afaf3b26a001a31536d8f3c4ca3442f2361c (diff) | |
| download | ptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.gz ptxdist-6a36221821e623ac619e1eba4f85e95e751159b9.tar.xz | |
Add persistant iptable-rules via systemd
Supports ipv4 and ipv6 and both options can be selected in menuconfig
by IPTABLES_IPV6_SYSTEMD_UNIT and/or IPTABLES_IPV4_SYSTEMD_UNIT
If you select IPTABLES_IPV4_SYSTEMD_UNIT a systemd unit is started on
multiuser.target that set the iptable rules from file:
/etc/iptables/rules.v4
If you select IPTABLES_IPV6_SYSTEMD_UNIT a systemd unit is started on
multiuser.target that set the iptable rules from the file:
/etc/iptables/rules.v6
The Package provides empty files. If you want to add custom rules, you
have to provide your own files. The rule files can be generated with
the utils iptables-save ip6tables-save from the iptables package.
Example:
Generating a rule file, that drops port 5000 on interface eth0 for ipv4
1.) iptables -A INPUT -i eth0 -p TCP --dport 5000 -j DROP
2.) iptables-save > /etc/iptables/rules.v4
The basic idea was taken from https://github.com/gronke/systemd-iptables
written by Stefan Grönke <stefan@gronke.net> in 2015.
Signed-off-by: Gavin Schenk <g.schenk@eckelmann.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'rules/iptables.make')
| -rw-r--r-- | rules/iptables.make | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/rules/iptables.make b/rules/iptables.make index 8a1ea66bd..b31833653 100644 --- a/rules/iptables.make +++ b/rules/iptables.make @@ -126,6 +126,27 @@ ifdef PTXCONF_IPTABLES_IPV4 @$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-restore) @$(call install_link, iptables, xtables-multi, /usr/sbin/iptables-save) endif + +ifdef PTXCONF_IPTABLES_IPV6_SYSTEMD_UNIT +# # IPv6 systemd service unit part + @$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v6) + @$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/ip6tables-flush) + @$(call install_alternative, iptables, 0, 0, 0644, \ + /lib/systemd/system/ip6tables.service) + @$(call install_link, iptables, ../ip6tables.service, \ + /lib/systemd/system/multi-user.target.wants/ip6tables.service) +endif + +ifdef PTXCONF_IPTABLES_IPV4_SYSTEMD_UNIT +# # IPv4 systemd service unit part + @$(call install_alternative, iptables, 0, 0, 0644, /etc/iptables/rules.v4) + @$(call install_alternative, iptables, 0, 0, 0755, /usr/sbin/iptables-flush) + @$(call install_alternative, iptables, 0, 0, 0644, \ + /lib/systemd/system/iptables.service) + @$(call install_link, iptables, ../iptables.service, \ + /lib/systemd/system/multi-user.target.wants/iptables.service) +endif + endif ifdef PTXCONF_IPTABLES_INSTALL_IPTABLES_APPLY |