diff --git a/arptables.service b/arptables.service
new file mode 100644
index 0000000..54758b6
--- /dev/null
+++ b/arptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=ARP table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c '/usr/sbin/arptables-restore < /etc/arptables.conf'
+ExecReload=/bin/sh -c '/usr/sbin/arptables-restore < /etc/arptables.conf'
+ExecStop=/bin/sh -c '/usr/sbin/arptables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ebtables.service b/ebtables.service
new file mode 100644
index 0000000..ad8fb77
--- /dev/null
+++ b/ebtables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Ethernet bridge table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c '/usr/sbin/ebtables-restore < /etc/ebtables.conf'
+ExecReload=/bin/sh -c '/usr/sbin/ebtables-restore < /etc/ebtables.conf'
+ExecStop=/bin/sh -c '/usr/sbin/ebtables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/empty.rules b/empty.rules
new file mode 100644
index 0000000..e24e1aa
--- /dev/null
+++ b/empty.rules
@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/ip6tables.service b/ip6tables.service
new file mode 100644
index 0000000..df54cd7
--- /dev/null
+++ b/ip6tables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+After=iptables.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush 6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/iptables-initscript b/iptables-initscript
deleted file mode 100644
index 985a685..0000000
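Review bot: ExecStart and ExecReload read /etc/arptables.conf, but nothing in this commit installs or packages that file (the spec only ships iptables.rules and ip6tables.rules generated from empty.rules), so enabling the unit fails on a fresh install until an administrator creates the file by hand; the same applies to /etc/ebtables.conf in ebtables.service. ExecStop feeds `/dev/null` to arptables-restore, and judging by the restore format used in empty.rules an input with no `*table`/`COMMIT` block commits nothing, so stop would report success while the loaded rules stay in place — the iptables units instead delegate to a flush script that restores per-table empty rule sets. Shipping a template conf alongside empty.rules and pointing ExecStop at a file that explicitly resets the tables to be cleared would make start and stop both do what their names promise.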
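Review bot: ExecStart runs ip6tables-restore without `-w`, so if another process holds the xtables lock during early boot the restore fails immediately, the unit lands in a failed state and the host comes up with the default ACCEPT policies; ExecStart and ExecReload in iptables.service have the same gap. `ExecStart=/usr/sbin/ip6tables-restore -w /etc/iptables/ip6tables.rules` waits for the lock instead of giving up, and the same flag belongs on the ExecReload line.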
--- a/iptables-initscript
+++ /dev/null
@@ -1,115 +0,0 @@ -#!/bin/bash -# -# iptables -- Startup script to implement /etc/sysconfig/iptables pre-defined rules -# -# chkconfig: 2345 25 92 -# description: Automates a packet filtering firewall with iptables. -# config: /etc/sysconfig/iptables -# -# By bero@redhat.com, based on the ipchains script: -# Script Author: Joshua Jensen -# -- hacked up by gafton with help from notting -# Modified by Anton Altaparmakov : -# Modified by Nils Philippsen - -. /etc/sysconfig/rc -. $rc_functions - -NAME=iptables -IPTABLES=/sbin/$NAME -IPTABLES_RESTORE=/sbin/iptables-restore -IPTABLES_SAVE=/sbin/iptables-save -IPTABLES_CONFIG=/etc/sysconfig/$NAME - -[ -x $IPTABLES ] || exit 0 - -case "$1" in - start) - # don't do squat if we don't have the config file - if [ -f $IPTABLES_CONFIG ]; then - # we do _not_ need to flush/clear anything when using iptables-restore - echo -n $"Applying iptables firewall rules: " - grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | \ - grep -v '^[[:space:]]*$' | \ - $IPTABLES_RESTORE -c - evaluate_retval; echo - fi - touch /var/lock/subsys/$NAME - ;; - stop) - echo -n $"Setting up default policies to ACCEPT: " - $IPTABLES --table mangle --policy PREROUTING ACCEPT && - $IPTABLES --table mangle --policy INPUT ACCEPT && - $IPTABLES --table mangle --policy FORWARD ACCEPT && - $IPTABLES --table mangle --policy OUTPUT ACCEPT && - $IPTABLES --table mangle --policy POSTROUTING ACCEPT && - $IPTABLES --table filter --policy INPUT ACCEPT && - $IPTABLES --table filter --policy OUTPUT ACCEPT && - $IPTABLES --table filter --policy FORWARD ACCEPT && - $IPTABLES --table nat --policy PREROUTING ACCEPT && - $IPTABLES --table nat --policy POSTROUTING ACCEPT && - $IPTABLES --table nat --policy OUTPUT ACCEPT - evaluate_retval; echo - - echo -n $"Flushing all chains and deleting all user ones: " - for table in filter nat mangle; do - $IPTABLES --table $table --flush && - $IPTABLES --table $table --delete-chain && - $IPTABLES --table $table --zero - done - evaluate_retval; 
echo - - rm -f /var/lock/subsys/$NAME - ;; - restart|reload) - # "restart" is really just "start" as this isn't a daemon, - # and "start" clears any pre-defined rules anyway. - # This is really only here to make those who expect it happy - $0 start - ;; - condrestart) - [ -e /var/lock/subsys/$NAME ] && $0 restart || : - ;; - status) - for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do - echo "["$"TABLE:"" $table]" - $IPTABLES -t $table --list - echo - done - ;; - panic) - echo -n $"Setting up default policies to DROP: " - $IPTABLES --table mangle --policy PREROUTING DROP && - $IPTABLES --table mangle --policy INPUT DROP && - $IPTABLES --table mangle --policy FORWARD DROP && - $IPTABLES --table mangle --policy OUTPUT DROP && - $IPTABLES --table mangle --policy POSTROUTING DROP && - $IPTABLES --table filter --policy INPUT DROP && - $IPTABLES --table filter --policy OUTPUT DROP && - $IPTABLES --table filter --policy FORWARD DROP && - $IPTABLES --table nat --policy PREROUTING DROP && - $IPTABLES --table nat --policy POSTROUTING DROP && - $IPTABLES --table nat --policy OUTPUT DROP - evaluate_retval; echo - - echo -n $"Flushing all chains and deleting all user ones: " - for table in filter nat mangle; do - $IPTABLES --table $table --flush && - $IPTABLES --table $table --delete-chain && - $IPTABLES --table $table --zero - done - evaluate_retval; echo - ;; - save) - echo -n $"Saving current rules to"" \`$IPTABLES_CONFIG': " - touch $IPTABLES_CONFIG && chmod 600 $IPTABLES_CONFIG && - $IPTABLES_SAVE -c > $IPTABLES_CONFIG 2>/dev/null - evaluate_retval; echo - ;; - *) - echo "Usage: ""$0 {start|stop|restart|condrestart|status|panic|save}" - exit 1 - ;; -esac - -exit 0 diff --git a/iptables-legacy-flush b/iptables-legacy-flush new file mode 100644 index 0000000..3d8ee89 --- /dev/null +++ b/iptables-legacy-flush 
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+ echo "error: invalid argument"
+ exit 1
+fi
+
+while read -r table; do
+ tables+=("/usr/share/iptables/empty-$table.rules")
+done <"/proc/net/ip$1_tables_names"
+
+if (( ${#tables[*]} )); then
+ cat "${tables[@]}" | "$iptables-restore"
+fi
diff --git a/iptables-nat.sh b/iptables-nat.sh
deleted file mode 100644
index 4e832b4..0000000
--- a/iptables-nat.sh
+++ /dev/null
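Review bot: The loop builds paths under /usr/share/iptables/empty-$table.rules, but nothing in this commit installs any file there (the spec packages %{_datadir}/xtables/*, a different directory), so on a real host `cat` fails with ENOENT for every table, iptables-restore reads empty input and exits 0, and the script exits 0 — systemd then reports a successful stop while every rule stays loaded. iptables-nft-flush has the identical problem. Until the per-table empty rule files are shipped, the failure should at least be loud: `set -euo pipefail` after the shebang makes the cat failure fatal, and the diagnostic should go to stderr, `echo "error: invalid argument" >&2`. A comment above the loop naming where the empty-*.rules files are expected to come from would help whoever packages them.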
@@ -1,60 +0,0 @@ -#! /bin/bash -# -# iptables-nat.sh, v1.2 (14-05-2004) - simple script to set NAT rules -# for IPTABLES on all the network devices marked as local (ZONE=local) -# -# Copyright (c) 2003-2004 by Silvan Calarco -# Copyright (c) 2003-2006 by Davide Madrisan - -. /etc/sysconfig/rc -. $rc_functions -. $rc_networkfunctions -. /etc/sysconfig/network - -get_interfaces_by_zone -[ ${#ifzone_local[@]} -eq 0 ] && exit 0 # no local interfaces found - -# shut down NAT routing and delete any NAT existing chains -iptables -t nat -P PREROUTING DROP && \ -iptables -t nat -P POSTROUTING DROP && \ -iptables -t nat -P OUTPUT DROP && \ -iptables -t nat -F && \ -iptables -t nat -X - -for int_name in ${ifzone_local[@]}; do - # get the parameters: int_ip, int_netmask, int_network - get_interface_parameters $int_name - [ $? -ne 0 ] && - { echo "\ -WARNING: could not determine parameters for interface $int_name. - $int_name will not be configured for NAT." 1>&2; - continue; } - - [ -z "$int_network" -a "$natconfig" = 1 ] && - { echo "\ -WARNING: NETWORK variable for interface $int_name not set. - $int_name will not be configured for NAT." 1>&2; - continue; } - - [ -z "$int_netmask" -a "$natconfig" = 1 ] && - { int_netmask="255.255.255.0"; - echo "\ -WARNING: NETMASK variable missing for $int_name. - Using $int_netmask." 1>&2; } - - # masquerade rules - iptables -t nat -N fromprivate.$int_name - # packets from the private IP range to another private IP range are untouched. - iptables -t nat -A fromprivate.$int_name -d $int_ip/$int_netmask -j ACCEPT - # packets that get here are from the private address range - # and are trying to get out to the internet. We NAT them. 
- iptables -t nat -A fromprivate.$int_name -j MASQUERADE - # siphon off any packets that are from the private IP range - iptables -t nat -A POSTROUTING -s $int_ip/$int_netmask -j fromprivate.$int_name -done - -# packets that get here can just hit the default policy -iptables -t nat -P PREROUTING ACCEPT && \ -iptables -t nat -P POSTROUTING ACCEPT && \ -iptables -t nat -P OUTPUT ACCEPT -
diff --git a/iptables-nft-flush b/iptables-nft-flush
new file mode 100644
index 0000000..5038d32
--- /dev/null
+++ b/iptables-nft-flush
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+ echo "error: invalid argument"
+ exit 1
+fi
+
+while read -r table; do
+ tables+=("/usr/share/iptables/empty-$table.rules")
+done < <(nft list tables | sed -n "s/table ip$1 //p")
+
+if (( ${#tables[*]} )); then
+ cat "${tables[@]}" | "$iptables-restore"
+fi
diff --git a/iptables.service b/iptables.service
new file mode 100644
index 0000000..b61b4b0
--- /dev/null
+++ b/iptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/iptables.spec b/iptables.spec
index ac99202..bdc378c 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,5 +1,5 @@
 Name: iptables
-Version: 1.8.8
+Version: 1.8.9
 Release: 2mamba
 Summary: kernel libraries, user tools/libraries for netfilter/iptables firewalling
 Group: Network/Security
@@ -7,9 +7,14 @@ Vendor: openmamba
 Distribution: openmamba
 Packager: Silvan Calarco
 URL: https://www.netfilter.org/
-Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
-Source1: iptables-initscript
-Source2: iptables-nat.sh
+Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.xz
+Source1: iptables.service
+Source2: ip6tables.service
+Source3: arptables.service
+Source4: ebtables.service
+Source5: empty.rules
+Source6: iptables-legacy-flush
+Source7: iptables-nft-flush
 License: GPL
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
@@ -17,6 +22,7 @@ BuildRequires: libmnl-devel
 BuildRequires: libnetfilter_conntrack-devel
 BuildRequires: libnfnetlink-devel
 BuildRequires: libnftnl-devel
+BuildRequires: libpcap-devel
 ## AUTOBUILDREQ-END
 BuildRequires: libnftnl-devel >= 1.0.9
 Provides: iptables-nat
@@ -68,7 +74,12 @@ This package contains the header files needed for development with xtables.
 %setup -q
 
 %build
-%configure
+%configure \
+ --enable-bpf-compiler \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared
+
 #--sbindir=/sbin --bindir=/sbin
 
 %ifarch arm
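Review bot: Source0 now fetches the .tar.xz over HTTPS, but the spec still carries no integrity check on the tarball — no recorded checksum and no signature verification — even though upstream publishes a detached signature next to each release archive. Declaring that signature as a further SourceN and verifying it in %prep before %setup would tie the build to the upstream signing key rather than to whatever the mirror served on build day; if the build system verifies checksums elsewhere, a one-line comment above Source0 saying so would stop the next reviewer from asking.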
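Review bot: `--enable-libipq` builds the legacy libipq userspace-queue library, whose ip_queue kernel interface was removed from Linux in 2012 (3.5), so on any current kernel the library can be built and packaged but never exercised; the changelog entry only says "rebuilt with --enable-libipq" without naming a consumer. If nothing in the distribution links against it, dropping the flag (together with the libipq file entries further down) avoids shipping a dead interface; if something does, a short comment above `%configure` naming that dependant would save the next maintainer the same question.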
@@ -84,8 +95,23 @@ sed -i "/#define HAVE_LINUX_BPF_H/d" config.h
 [ "%{buildroot}" != / ] && rm -rf %{buildroot}
 %makeinstall
 
-#install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/iptables
-#install -D -m 755 %{S:2} %{buildroot}%{_sbindir}/iptables-nat.sh
+install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/iptables.service
+install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/ip6tables.service
+install -D -m0644 %{SOURCE3} %{buildroot}%{_unitdir}/arptables.service
+install -D -m0644 %{SOURCE4} %{buildroot}%{_unitdir}/ebtables.service
+install -D -m0755 %{SOURCE6} %{buildroot}%{_systemd_util_dir}/scripts/iptables-flush
+
+install -D -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/iptables/iptables.rules
+install -D -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/iptables/ip6tables.rules
+
+install -d -m0755 %{buildroot}%{_presetdir}
+
+cat > %{buildroot}%{_presetdir}/50-iptables.preset << __EOF
+disable iptables
+disable ip6tables
+disable arptables
+disable ebtables
+__EOF
 
 %clean
 [ "%{buildroot}" != / ] && rm -rf %{buildroot}
@@ -100,7 +126,11 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 
 %files
 %defattr(-,root,root)
+%dir %{_sysconfdir}/iptables
+%config(noreplace) %{_sysconfdir}/iptables/ip6tables.rules
+%config(noreplace) %{_sysconfdir}/iptables/iptables.rules
 %{_sysconfdir}/ethertypes
+%config(noreplace) %{_sysconfdir}/xtables.conf
 %{_bindir}/iptables-xml
 %{_sbindir}/arptables*
 %{_sbindir}/ebtables*
@@ -110,8 +140,15 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %{_sbindir}/iptables
 %{_sbindir}/iptables-*
 %{_sbindir}/nfnl_osf
+%{_sbindir}/nfbpf_compile
+%{_systemd_util_dir}/scripts/iptables-flush
+%{_presetdir}/50-iptables.preset
+%{_unitdir}/arptables.service
+%{_unitdir}/ebtables.service
+%{_unitdir}/ip6tables.service
+%{_unitdir}/iptables.service
 %dir %{_datadir}/xtables
-%{_datadir}/xtables/pf.os
+%{_datadir}/xtables/*
 %{_mandir}/man1/iptables-*.1*
 %{_mandir}/man8/iptables.8*
 %{_mandir}/man8/iptables-*.8*
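Review bot: Only %{SOURCE6} (iptables-legacy-flush) is installed as scripts/iptables-flush; %{SOURCE7} (iptables-nft-flush) is declared in the Source list but never installed, so on a host whose iptables binary is the nft flavour the ExecStop path reads /proc/net/ip_tables_names, finds no legacy tables and flushes nothing while reporting success. Either install the script matching the iptables flavour this package actually links %{_sbindir}/iptables to, or install both and let the wrapper pick at run time; a comment above the install line recording which flavour was assumed would make the choice auditable. Separately, the two rule files go in with `-m0644`; a firewall rule set describes the host's exposure and the initscript removed in this same commit kept its saved rules at 0600, so `install -D -m0600 %{SOURCE5} ...` on both .rules lines would preserve that posture.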
@@ -119,6 +156,8 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %{_mandir}/man8/xtables-*.8*
 %{_mandir}/man8/arptables-nft*.8*
 %{_mandir}/man8/ebtables-nft.8*
+%{_mandir}/man8/ebtables-translate.8*
+%{_mandir}/man8/nfbpf_compile.8*
 
 %files ipv6
 %defattr(-,root,root)
@@ -128,8 +167,10 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 
 %files -n lib%{name}
 %defattr(-,root,root)
+%{_includedir}/libipq.h
 %{_libdir}/libip4tc.so.*
 %{_libdir}/libip6tc.so.*
+%{_libdir}/libipq.so.*
 %dir %{_libdir}/xtables
 %{_libdir}/xtables/libarpt_*.so
 %{_libdir}/xtables/libebt_*.so
@@ -148,12 +189,25 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %{_libdir}/libip4tc.so
 %{_libdir}/libip6tc.so
 %{_libdir}/libxtables.so
+%{_libdir}/libipq.so
 %{_libdir}/pkgconfig/xtables.pc
 %{_libdir}/pkgconfig/libiptc.pc
 %{_libdir}/pkgconfig/libip4tc.pc
 %{_libdir}/pkgconfig/libip6tc.pc
+%{_libdir}/pkgconfig/libipq.pc
+%{_mandir}/man3/ipq_*.3*
+%{_mandir}/man3/libipq.3*
 
 %changelog
+* Thu Jan 19 2023 Silvan Calarco 1.8.9-2mamba
+- add a systemd preset file to disable services by default
+
+* Thu Jan 19 2023 Silvan Calarco 1.8.9-1mamba
+- update to 1.8.9
+
+* Thu Jan 19 2023 Silvan Calarco 1.8.8-3mamba
+- added systemd support scripts; rebuilt with --enable-libipq
+
 * Wed Nov 02 2022 Silvan Calarco 1.8.8-2mamba
 - move libraries to libiptables subpackage
 
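Review bot: `%{_includedir}/libipq.h` is listed under `%files -n lib%{name}`, the runtime library package, while the matching unversioned `%{_libdir}/libipq.so`, `libipq.pc` and the man3 pages go into what appears to be the development file list in the following hunk; a header belongs with the other development artifacts, so the line should move to sit next to `%{_libdir}/libipq.so` in that list. As it stands, every host installing the runtime library also gets a header for an interface it cannot use.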