add a systemd preset file to disable services by default [release 1.8.9-2mamba;Thu Jan 19 2023]

This commit is contained in:
Silvan Calarco 2024-01-05 23:57:42 +01:00
parent 2135336bb8
commit 8ea052c85c
10 changed files with 161 additions and 183 deletions

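--- /dev/null
+++ b/arptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=ARP table
+Before=network-pre.target
+Wants=network-pre.target
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c '/usr/sbin/arptables-restore < /etc/arptables.conf'
+ExecReload=/bin/sh -c '/usr/sbin/arptables-restore < /etc/arptables.conf'
+ExecStop=/bin/sh -c '/usr/sbin/arptables-restore < /dev/null'
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target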
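Review bot: ExecStart, ExecReload and ExecStop shell out to `/bin/sh -c` only to redirect /etc/arptables.conf into arptables-restore, and nothing in this commit installs that file (the %install hunk ships only /etc/iptables/iptables.rules and ip6tables.rules), so once the unit is enabled it fails at boot with a redirection error until an administrator creates the file by hand. Either ship an empty default the way the iptables units do, or add `ConditionPathExists=/etc/arptables.conf` to [Unit] so the unit is skipped cleanly while unconfigured. The same applies to ebtables.service and /etc/ebtables.conf.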

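--- /dev/null
+++ b/ebtables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Ethernet bridge table
+Before=network-pre.target
+Wants=network-pre.target
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c '/usr/sbin/ebtables-restore < /etc/ebtables.conf'
+ExecReload=/bin/sh -c '/usr/sbin/ebtables-restore < /etc/ebtables.conf'
+ExecStop=/bin/sh -c '/usr/sbin/ebtables-restore < /dev/null'
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target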

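--- /dev/null
+++ b/empty.rules
@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT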
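Review bot: The header comment `# Empty iptables rule file` undersells what this file does once it is installed as /etc/iptables/iptables.rules and ip6tables.rules and loaded by the units: all three built-in chains are given policy ACCEPT, so loading it leaves the host unfiltered. Say so explicitly, e.g. `# Placeholder ruleset: filter table only, all built-in chains ACCEPT (no filtering); replace with iptables-save/ip6tables-save output.`, so an administrator enabling the service does not assume a default-deny policy is in place.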

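--- /dev/null
+++ b/ip6tables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+After=iptables.service
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush 6
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target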

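--- a/iptables-initscript
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/bash
-#
-# iptables -- Startup script to implement /etc/sysconfig/iptables pre-defined rules
-#
-# chkconfig: 2345 25 92
-# description: Automates a packet filtering firewall with iptables.
-# config: /etc/sysconfig/iptables
-#
-# By bero@redhat.com, based on the ipchains script:
-# Script Author: Joshua Jensen <joshua@redhat.com>
-# -- hacked up by gafton with help from notting
-# Modified by Anton Altaparmakov <aia21@cam.ac.uk>:
-# Modified by Nils Philippsen <nils@redhat.de>
-. /etc/sysconfig/rc
-. $rc_functions
-NAME=iptables
-IPTABLES=/sbin/$NAME
-IPTABLES_RESTORE=/sbin/iptables-restore
-IPTABLES_SAVE=/sbin/iptables-save
-IPTABLES_CONFIG=/etc/sysconfig/$NAME
-[ -x $IPTABLES ] || exit 0
-case "$1" in
-start)
-# don't do squat if we don't have the config file
-if [ -f $IPTABLES_CONFIG ]; then
-# we do _not_ need to flush/clear anything when using iptables-restore
-echo -n $"Applying iptables firewall rules: "
-grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | \
-grep -v '^[[:space:]]*$' | \
-$IPTABLES_RESTORE -c
-evaluate_retval; echo
-fi
-touch /var/lock/subsys/$NAME
-;;
-stop)
-echo -n $"Setting up default policies to ACCEPT: "
-$IPTABLES --table mangle --policy PREROUTING ACCEPT &&
-$IPTABLES --table mangle --policy INPUT ACCEPT &&
-$IPTABLES --table mangle --policy FORWARD ACCEPT &&
-$IPTABLES --table mangle --policy OUTPUT ACCEPT &&
-$IPTABLES --table mangle --policy POSTROUTING ACCEPT &&
-$IPTABLES --table filter --policy INPUT ACCEPT &&
-$IPTABLES --table filter --policy OUTPUT ACCEPT &&
-$IPTABLES --table filter --policy FORWARD ACCEPT &&
-$IPTABLES --table nat --policy PREROUTING ACCEPT &&
-$IPTABLES --table nat --policy POSTROUTING ACCEPT &&
-$IPTABLES --table nat --policy OUTPUT ACCEPT
-evaluate_retval; echo
-echo -n $"Flushing all chains and deleting all user ones: "
-for table in filter nat mangle; do
-$IPTABLES --table $table --flush &&
-$IPTABLES --table $table --delete-chain &&
-$IPTABLES --table $table --zero
-done
-evaluate_retval; echo
-rm -f /var/lock/subsys/$NAME
-;;
-restart|reload)
-# "restart" is really just "start" as this isn't a daemon,
-# and "start" clears any pre-defined rules anyway.
-# This is really only here to make those who expect it happy
-$0 start
-;;
-condrestart)
-[ -e /var/lock/subsys/$NAME ] && $0 restart || :
-;;
-status)
-for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do
-echo "["$"TABLE:"" $table]"
-$IPTABLES -t $table --list
-echo
-done
-;;
-panic)
-echo -n $"Setting up default policies to DROP: "
-$IPTABLES --table mangle --policy PREROUTING DROP &&
-$IPTABLES --table mangle --policy INPUT DROP &&
-$IPTABLES --table mangle --policy FORWARD DROP &&
-$IPTABLES --table mangle --policy OUTPUT DROP &&
-$IPTABLES --table mangle --policy POSTROUTING DROP &&
-$IPTABLES --table filter --policy INPUT DROP &&
-$IPTABLES --table filter --policy OUTPUT DROP &&
-$IPTABLES --table filter --policy FORWARD DROP &&
-$IPTABLES --table nat --policy PREROUTING DROP &&
-$IPTABLES --table nat --policy POSTROUTING DROP &&
-$IPTABLES --table nat --policy OUTPUT DROP
-evaluate_retval; echo
-echo -n $"Flushing all chains and deleting all user ones: "
-for table in filter nat mangle; do
-$IPTABLES --table $table --flush &&
-$IPTABLES --table $table --delete-chain &&
-$IPTABLES --table $table --zero
-done
-evaluate_retval; echo
-;;
-save)
-echo -n $"Saving current rules to"" \`$IPTABLES_CONFIG': "
-touch $IPTABLES_CONFIG && chmod 600 $IPTABLES_CONFIG &&
-$IPTABLES_SAVE -c > $IPTABLES_CONFIG 2>/dev/null
-evaluate_retval; echo
-;;
-*)
-echo "Usage: ""$0 {start|stop|restart|condrestart|status|panic|save}"
-exit 1
-;;
-esac
-exit 0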

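--- /dev/null
+++ b/iptables-legacy-flush
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+echo "error: invalid argument"
+exit 1
+fi
+while read -r table; do
+tables+=("/usr/share/iptables/empty-$table.rules")
+done <"/proc/net/ip$1_tables_names"
+if (( ${#tables[*]} )); then
+cat "${tables[@]}" | "$iptables-restore"
+fi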
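Review bot: The paths pushed into `tables` are /usr/share/iptables/empty-$table.rules, but this commit installs nothing under %{_datadir}/iptables (empty.rules goes to /etc/iptables and %files lists no such directory), so unless another package provides those files `cat` fails, `$iptables-restore` reads empty input, and the pipeline exits 0 — ExecStop reports success while the running ruleset is left in place. A similar silent outcome occurs when /proc/net/ip_tables_names is absent: the `done <` redirection fails, the loop is skipped, and the script still exits 0 after printing bash's error. Add `set -o pipefail` after the shebang and `tables=()` before the loop, and fail explicitly when the table list cannot be read, e.g. `[[ -r "/proc/net/ip$1_tables_names" ]] || { echo "error: cannot read ip$1 table list" >&2; exit 1; }`. The same applies to iptables-nft-flush.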

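--- a/iptables-nat.sh
+++ /dev/null
@@ -1,60 +0,0 @@
-#! /bin/bash
-#
-# iptables-nat.sh, v1.2 (14-05-2004) - simple script to set NAT rules
-# for IPTABLES on all the network devices marked as local (ZONE=local)
-#
-# Copyright (c) 2003-2004 by Silvan Calarco <silvan.calarco@qilinux.it>
-# Copyright (c) 2003-2006 by Davide Madrisan <davide.madrisan@qilinux.it>
-. /etc/sysconfig/rc
-. $rc_functions
-. $rc_networkfunctions
-. /etc/sysconfig/network
-get_interfaces_by_zone
-[ ${#ifzone_local[@]} -eq 0 ] && exit 0 # no local interfaces found
-# shut down NAT routing and delete any NAT existing chains
-iptables -t nat -P PREROUTING DROP && \
-iptables -t nat -P POSTROUTING DROP && \
-iptables -t nat -P OUTPUT DROP && \
-iptables -t nat -F && \
-iptables -t nat -X
-for int_name in ${ifzone_local[@]}; do
-# get the parameters: int_ip, int_netmask, int_network
-get_interface_parameters $int_name
-[ $? -ne 0 ] &&
-{ echo "\
-WARNING: could not determine parameters for interface $int_name.
-$int_name will not be configured for NAT." 1>&2;
-continue; }
-[ -z "$int_network" -a "$natconfig" = 1 ] &&
-{ echo "\
-WARNING: NETWORK variable for interface $int_name not set.
-$int_name will not be configured for NAT." 1>&2;
-continue; }
-[ -z "$int_netmask" -a "$natconfig" = 1 ] &&
-{ int_netmask="255.255.255.0";
-echo "\
-WARNING: NETMASK variable missing for $int_name.
-Using $int_netmask." 1>&2; }
-# masquerade rules
-iptables -t nat -N fromprivate.$int_name
-# packets from the private IP range to another private IP range are untouched.
-iptables -t nat -A fromprivate.$int_name -d $int_ip/$int_netmask -j ACCEPT
-# packets that get here are from the private address range
-# and are trying to get out to the internet. We NAT them.
-iptables -t nat -A fromprivate.$int_name -j MASQUERADE
-# siphon off any packets that are from the private IP range
-iptables -t nat -A POSTROUTING -s $int_ip/$int_netmask -j fromprivate.$int_name
-done
-# packets that get here can just hit the default policy
-iptables -t nat -P PREROUTING ACCEPT && \
-iptables -t nat -P POSTROUTING ACCEPT && \
-iptables -t nat -P OUTPUT ACCEPT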

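--- /dev/null
+++ b/iptables-nft-flush
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+echo "error: invalid argument"
+exit 1
+fi
+while read -r table; do
+tables+=("/usr/share/iptables/empty-$table.rules")
+done < <(nft list tables | sed -n "s/table ip$1 //p")
+if (( ${#tables[*]} )); then
+cat "${tables[@]}" | "$iptables-restore"
+fi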

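--- /dev/null
+++ b/iptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target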


@ -1,5 +1,5 @@
Name: iptables Name: iptables
Version: 1.8.8 Version: 1.8.9
Release: 2mamba Release: 2mamba
Summary: kernel libraries, user tools/libraries for netfilter/iptables firewalling Summary: kernel libraries, user tools/libraries for netfilter/iptables firewalling
Group: Network/Security Group: Network/Security
@ -7,9 +7,14 @@ Vendor: openmamba
Distribution: openmamba Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it> Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: https://www.netfilter.org/ URL: https://www.netfilter.org/
Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2 Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.xz
Source1: iptables-initscript Source1: iptables.service
Source2: iptables-nat.sh Source2: ip6tables.service
Source3: arptables.service
Source4: ebtables.service
Source5: empty.rules
Source6: iptables-legacy-flush
Source7: iptables-nft-flush
License: GPL License: GPL
## AUTOBUILDREQ-BEGIN ## AUTOBUILDREQ-BEGIN
BuildRequires: glibc-devel BuildRequires: glibc-devel
@ -17,6 +22,7 @@ BuildRequires: libmnl-devel
BuildRequires: libnetfilter_conntrack-devel BuildRequires: libnetfilter_conntrack-devel
BuildRequires: libnfnetlink-devel BuildRequires: libnfnetlink-devel
BuildRequires: libnftnl-devel BuildRequires: libnftnl-devel
BuildRequires: libpcap-devel
## AUTOBUILDREQ-END ## AUTOBUILDREQ-END
BuildRequires: libnftnl-devel >= 1.0.9 BuildRequires: libnftnl-devel >= 1.0.9
Provides: iptables-nat Provides: iptables-nat
@ -68,7 +74,12 @@ This package contains the header files needed for development with xtables.
%setup -q %setup -q
%build %build
%configure %configure \
--enable-bpf-compiler \
--enable-devel \
--enable-libipq \
--enable-shared
#--sbindir=/sbin --bindir=/sbin #--sbindir=/sbin --bindir=/sbin
%ifarch arm %ifarch arm
@ -84,8 +95,23 @@ sed -i "/#define HAVE_LINUX_BPF_H/d" config.h
[ "%{buildroot}" != / ] && rm -rf %{buildroot} [ "%{buildroot}" != / ] && rm -rf %{buildroot}
%makeinstall %makeinstall
#install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/iptables install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/iptables.service
#install -D -m 755 %{S:2} %{buildroot}%{_sbindir}/iptables-nat.sh install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/ip6tables.service
install -D -m0644 %{SOURCE3} %{buildroot}%{_unitdir}/arptables.service
install -D -m0644 %{SOURCE4} %{buildroot}%{_unitdir}/ebtables.service
install -D -m0755 %{SOURCE6} %{buildroot}%{_systemd_util_dir}/scripts/iptables-flush
install -D -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/iptables/iptables.rules
install -D -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/iptables/ip6tables.rules
install -d -m0755 %{buildroot}%{_presetdir}
cat > %{buildroot}%{_presetdir}/50-iptables.preset << __EOF
disable iptables
disable ip6tables
disable arptables
disable ebtables
__EOF
%clean %clean
[ "%{buildroot}" != / ] && rm -rf %{buildroot} [ "%{buildroot}" != / ] && rm -rf %{buildroot}
@ -100,7 +126,11 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%dir %{_sysconfdir}/iptables
%config(noreplace) %{_sysconfdir}/iptables/ip6tables.rules
%config(noreplace) %{_sysconfdir}/iptables/iptables.rules
%{_sysconfdir}/ethertypes %{_sysconfdir}/ethertypes
%config(noreplace) %{_sysconfdir}/xtables.conf
%{_bindir}/iptables-xml %{_bindir}/iptables-xml
%{_sbindir}/arptables* %{_sbindir}/arptables*
%{_sbindir}/ebtables* %{_sbindir}/ebtables*
@ -110,8 +140,15 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
%{_sbindir}/iptables %{_sbindir}/iptables
%{_sbindir}/iptables-* %{_sbindir}/iptables-*
%{_sbindir}/nfnl_osf %{_sbindir}/nfnl_osf
%{_sbindir}/nfbpf_compile
%{_systemd_util_dir}/scripts/iptables-flush
%{_presetdir}/50-iptables.preset
%{_unitdir}/arptables.service
%{_unitdir}/ebtables.service
%{_unitdir}/ip6tables.service
%{_unitdir}/iptables.service
%dir %{_datadir}/xtables %dir %{_datadir}/xtables
%{_datadir}/xtables/pf.os %{_datadir}/xtables/*
%{_mandir}/man1/iptables-*.1* %{_mandir}/man1/iptables-*.1*
%{_mandir}/man8/iptables.8* %{_mandir}/man8/iptables.8*
%{_mandir}/man8/iptables-*.8* %{_mandir}/man8/iptables-*.8*
@ -119,6 +156,8 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
%{_mandir}/man8/xtables-*.8* %{_mandir}/man8/xtables-*.8*
%{_mandir}/man8/arptables-nft*.8* %{_mandir}/man8/arptables-nft*.8*
%{_mandir}/man8/ebtables-nft.8* %{_mandir}/man8/ebtables-nft.8*
%{_mandir}/man8/ebtables-translate.8*
%{_mandir}/man8/nfbpf_compile.8*
%files ipv6 %files ipv6
%defattr(-,root,root) %defattr(-,root,root)
@ -128,8 +167,10 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
%files -n lib%{name} %files -n lib%{name}
%defattr(-,root,root) %defattr(-,root,root)
%{_includedir}/libipq.h
%{_libdir}/libip4tc.so.* %{_libdir}/libip4tc.so.*
%{_libdir}/libip6tc.so.* %{_libdir}/libip6tc.so.*
%{_libdir}/libipq.so.*
%dir %{_libdir}/xtables %dir %{_libdir}/xtables
%{_libdir}/xtables/libarpt_*.so %{_libdir}/xtables/libarpt_*.so
%{_libdir}/xtables/libebt_*.so %{_libdir}/xtables/libebt_*.so
@ -148,12 +189,25 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
%{_libdir}/libip4tc.so %{_libdir}/libip4tc.so
%{_libdir}/libip6tc.so %{_libdir}/libip6tc.so
%{_libdir}/libxtables.so %{_libdir}/libxtables.so
%{_libdir}/libipq.so
%{_libdir}/pkgconfig/xtables.pc %{_libdir}/pkgconfig/xtables.pc
%{_libdir}/pkgconfig/libiptc.pc %{_libdir}/pkgconfig/libiptc.pc
%{_libdir}/pkgconfig/libip4tc.pc %{_libdir}/pkgconfig/libip4tc.pc
%{_libdir}/pkgconfig/libip6tc.pc %{_libdir}/pkgconfig/libip6tc.pc
%{_libdir}/pkgconfig/libipq.pc
%{_mandir}/man3/ipq_*.3*
%{_mandir}/man3/libipq.3*
%changelog %changelog
* Thu Jan 19 2023 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.9-2mamba
- add a systemd preset file to disable services by default
* Thu Jan 19 2023 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.9-1mamba
- update to 1.8.9
* Thu Jan 19 2023 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.8-3mamba
- added systemd support scripts; rebuilt with --enable-libipq
* Wed Nov 02 2022 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.8-2mamba * Wed Nov 02 2022 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.8-2mamba
- move libraries to libiptables subpackage - move libraries to libiptables subpackage
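Review bot: Source7 (iptables-nft-flush) is declared but never used: the %install hunk installs only %{SOURCE6}, the legacy variant, as %{_systemd_util_dir}/scripts/iptables-flush, and both iptables.service and ip6tables.service call that path from ExecStop. As far as I can tell the legacy script's /proc/net/ip_tables_names reflects only the ip_tables (legacy) backend, so if the iptables alternative selected on this distribution is iptables-nft, `systemctl stop iptables` reports success without flushing anything. Install the variant that matches the backend the package configures, or a small wrapper that chooses one at run time, and otherwise drop the dead Source7 line.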