diff --git a/README.md b/README.md
index 8ab83ff..8c8e3ac 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,5 @@
 # iptables
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+
diff --git a/iptables-initscript b/iptables-initscript
new file mode 100644
index 0000000..985a685
--- /dev/null
+++ b/iptables-initscript
@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# iptables -- Startup script to implement /etc/sysconfig/iptables pre-defined rules
+#
+# chkconfig: 2345 25 92
+# description: Automates a packet filtering firewall with iptables.
+# config: /etc/sysconfig/iptables
+#
+# By bero@redhat.com, based on the ipchains script:
+# Script Author: Joshua Jensen
+# -- hacked up by gafton with help from notting
+# Modified by Anton Altaparmakov :
+# Modified by Nils Philippsen
+
+. /etc/sysconfig/rc
+. $rc_functions
+
+NAME=iptables
+IPTABLES=/sbin/$NAME
+IPTABLES_RESTORE=/sbin/iptables-restore
+IPTABLES_SAVE=/sbin/iptables-save
+IPTABLES_CONFIG=/etc/sysconfig/$NAME
+
+[ -x $IPTABLES ] || exit 0
+
+case "$1" in
+ start)
+ # don't do squat if we don't have the config file
+ if [ -f $IPTABLES_CONFIG ]; then
+ # we do _not_ need to flush/clear anything when using iptables-restore
+ echo -n $"Applying iptables firewall rules: "
+ grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | \
+ grep -v '^[[:space:]]*$' | \
+ $IPTABLES_RESTORE -c
+ evaluate_retval; echo
+ fi
+ touch /var/lock/subsys/$NAME
+ ;;
+ stop)
+ echo -n $"Setting up default policies to ACCEPT: "
+ $IPTABLES --table mangle --policy PREROUTING ACCEPT &&
+ $IPTABLES --table mangle --policy INPUT ACCEPT &&
+ $IPTABLES --table mangle --policy FORWARD ACCEPT &&
+ $IPTABLES --table mangle --policy OUTPUT ACCEPT &&
+ $IPTABLES --table mangle --policy POSTROUTING ACCEPT &&
+ $IPTABLES --table filter --policy INPUT ACCEPT &&
+ $IPTABLES --table filter --policy OUTPUT ACCEPT &&
+ $IPTABLES --table filter --policy FORWARD ACCEPT &&
+ $IPTABLES --table nat --policy PREROUTING ACCEPT &&
+ $IPTABLES --table nat --policy POSTROUTING ACCEPT &&
+ $IPTABLES --table nat --policy OUTPUT ACCEPT
+ evaluate_retval; echo
+
+ echo -n $"Flushing all chains and deleting all user ones: "
+ for table in filter nat mangle; do
+ $IPTABLES --table $table --flush &&
+ $IPTABLES --table $table --delete-chain &&
+ $IPTABLES --table $table --zero
+ done
+ evaluate_retval; echo
+
+ rm -f /var/lock/subsys/$NAME
+ ;;
+ restart|reload)
+ # "restart" is really just "start" as this isn't a daemon,
+ # and "start" clears any pre-defined rules anyway.
+ # This is really only here to make those who expect it happy
+ $0 start
+ ;;
+ condrestart)
+ [ -e /var/lock/subsys/$NAME ] && $0 restart || :
+ ;;
+ status)
+ for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do
+ echo "["$"TABLE:"" $table]"
+ $IPTABLES -t $table --list
+ echo
+ done
+ ;;
+ panic)
+ echo -n $"Setting up default policies to DROP: "
+ $IPTABLES --table mangle --policy PREROUTING DROP &&
+ $IPTABLES --table mangle --policy INPUT DROP &&
+ $IPTABLES --table mangle --policy FORWARD DROP &&
+ $IPTABLES --table mangle --policy OUTPUT DROP &&
+ $IPTABLES --table mangle --policy POSTROUTING DROP &&
+ $IPTABLES --table filter --policy INPUT DROP &&
+ $IPTABLES --table filter --policy OUTPUT DROP &&
+ $IPTABLES --table filter --policy FORWARD DROP &&
+ $IPTABLES --table nat --policy PREROUTING DROP &&
+ $IPTABLES --table nat --policy POSTROUTING DROP &&
+ $IPTABLES --table nat --policy OUTPUT DROP
+ evaluate_retval; echo
+
+ echo -n $"Flushing all chains and deleting all user ones: "
+ for table in filter nat mangle; do
+ $IPTABLES --table $table --flush &&
+ $IPTABLES --table $table --delete-chain &&
+ $IPTABLES --table $table --zero
+ done
+ evaluate_retval; echo
+ ;;
+ save)
+ echo -n $"Saving current rules to"" \`$IPTABLES_CONFIG': "
+ touch $IPTABLES_CONFIG && chmod 600 $IPTABLES_CONFIG &&
+ $IPTABLES_SAVE -c > $IPTABLES_CONFIG 2>/dev/null
+ evaluate_retval; echo
+ ;;
+ *)
+ echo "Usage: ""$0 {start|stop|restart|condrestart|status|panic|save}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/iptables-nat.sh b/iptables-nat.sh
new file mode 100644
index 0000000..4e832b4
--- /dev/null
+++ b/iptables-nat.sh
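Review bot: In the `save)` branch the redirection `$IPTABLES_SAVE -c > $IPTABLES_CONFIG 2>/dev/null` truncates the existing config before iptables-save has produced anything, and its stderr is discarded, so a failed dump (modules not loaded, table lock held) leaves an empty or partial /etc/sysconfig/iptables and the next `start` silently applies no rules — a fail-open that evaluate_retval reports only on the console. Writing to a sibling temp file and renaming avoids losing the previous ruleset, e.g. `tmp=$(mktemp "$IPTABLES_CONFIG.XXXXXX") && $IPTABLES_SAVE -c > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$IPTABLES_CONFIG"`, and stderr should stay visible. The `start)` branch has the same shape: when the config file is absent it prints nothing, still creates the lock file and exits 0, so a host whose saved ruleset went missing boots open with no visible warning; a message on stderr in an `else` branch would make that state noticeable. Finally, `status)` runs `$IPTABLES -t $table --list` without `-n`, which does a reverse DNS lookup for every address in the ruleset and can hang exactly when the firewall is broken; `--list -n` is the usual form.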
@@ -0,0 +1,60 @@
+#! /bin/bash
+#
+# iptables-nat.sh, v1.2 (14-05-2004) - simple script to set NAT rules
+# for IPTABLES on all the network devices marked as local (ZONE=local)
+#
+# Copyright (c) 2003-2004 by Silvan Calarco
+# Copyright (c) 2003-2006 by Davide Madrisan
+
+. /etc/sysconfig/rc
+. $rc_functions
+. $rc_networkfunctions
+. /etc/sysconfig/network
+
+get_interfaces_by_zone
+[ ${#ifzone_local[@]} -eq 0 ] && exit 0 # no local interfaces found
+
+# shut down NAT routing and delete any NAT existing chains
+iptables -t nat -P PREROUTING DROP && \
+iptables -t nat -P POSTROUTING DROP && \
+iptables -t nat -P OUTPUT DROP && \
+iptables -t nat -F && \
+iptables -t nat -X
+
+for int_name in ${ifzone_local[@]}; do
+ # get the parameters: int_ip, int_netmask, int_network
+ get_interface_parameters $int_name
+ [ $? -ne 0 ] &&
+ { echo "\
+WARNING: could not determine parameters for interface $int_name.
+ $int_name will not be configured for NAT." 1>&2;
+ continue; }
+
+ [ -z "$int_network" -a "$natconfig" = 1 ] &&
+ { echo "\
+WARNING: NETWORK variable for interface $int_name not set.
+ $int_name will not be configured for NAT." 1>&2;
+ continue; }
+
+ [ -z "$int_netmask" -a "$natconfig" = 1 ] &&
+ { int_netmask="255.255.255.0";
+ echo "\
+WARNING: NETMASK variable missing for $int_name.
+ Using $int_netmask." 1>&2; }
+
+ # masquerade rules
+ iptables -t nat -N fromprivate.$int_name
+ # packets from the private IP range to another private IP range are untouched.
+ iptables -t nat -A fromprivate.$int_name -d $int_ip/$int_netmask -j ACCEPT
+ # packets that get here are from the private address range
+ # and are trying to get out to the internet. We NAT them.
+ iptables -t nat -A fromprivate.$int_name -j MASQUERADE
+ # siphon off any packets that are from the private IP range
+ iptables -t nat -A POSTROUTING -s $int_ip/$int_netmask -j fromprivate.$int_name
+done
+
+# packets that get here can just hit the default policy
+iptables -t nat -P PREROUTING ACCEPT && \
+iptables -t nat -P POSTROUTING ACCEPT && \
+iptables -t nat -P OUTPUT ACCEPT
+
diff --git a/iptables.spec b/iptables.spec
new file mode 100644
index 0000000..b1bfe27
--- /dev/null
+++ b/iptables.spec
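Review bot: The MASQUERADE in `fromprivate.$int_name` is not bound to an outgoing interface: the POSTROUTING jump matches only `-s $int_ip/$int_netmask`, so every packet from that subnet leaving through any interface — a second ZONE=local LAN, a tunnel, or the uplink — is source-NATed, with the same-subnet `-d … -j ACCEPT` as the only exception. Adding the uplink to the jump, `iptables -t nat -A POSTROUTING -s "$int_ip/$int_netmask" -o "$ext_if" -j "fromprivate.$int_name"` (the uplink name is not known to this script and would have to come from the network config), or at minimum `! -o "$int_name"`, limits NAT to traffic that really leaves the site. The `-P … DROP` block at the top uses the nat table for filtering, which the iptables documentation says that table is not meant for since it only sees the first packet of a connection; if the intent is just to rebuild cleanly, `-F`/`-X` alone do that. None of the `iptables` calls in the loop checks its exit status, so a rejected rule (for instance the empty-`int_ip` DHCP case the changelog mentions) goes unnoticed; `set -e` or `|| exit 1` on each call would surface it. Note also that the script adds no filter-table FORWARD rules, so the forwarding policy for the NATed hosts has to come from the saved ruleset in /etc/sysconfig/iptables.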
@@ -0,0 +1,326 @@
+Name: iptables
+Version: 1.4.21
+Release: 1mamba
+Summary: kernel libraries, user tools/libraries for netfilter/iptables firewalling
+Group: Network/Security
+Vendor: openmamba
+Distribution: openmamba
+Packager: Silvan Calarco
+URL: http://www.netfilter.org
+Source0: ftp://ftp.netfilter.org/pub/iptables/iptables-%{version}.tar.bz2
+Source1: iptables-initscript
+Source2: iptables-nat.sh
+License: GPL
+BuildRequires: libnfnetlink-devel
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+
+%description
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+
+%package ipv6
+Summary: IPv6 support for iptables
+Group: Network/Security
+Requires: %{name} = %{?epoch:%epoch:}%{version}-%{release}
+
+%description ipv6
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+
+Install iptables-ipv6 if you need to set up firewalling for your network and you're using ipv6.
+IPv6 is the next version of the IP protocol.
+
+%package devel
+Summary: Header files needed for development with xtables
+Group: Network/Security
+Requires: %{name} = %{?epoch:%epoch:}%{version}-%{release}
+Requires: %{name}-ipv6 = %{?epoch:%epoch:}%{version}-%{release}
+
+%description devel
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+This package contains the header files needed for development with xtables.
+
+%package nat
+Summary: IPtables script that enables NAT functionality
+Group: Network/Security
+Requires: %{name} = %{?epoch:%epoch:}%{version}-%{release}
+
+%description nat
+This is a simple script that enables iptables NAT functionality from an interface marked as local in /etc/sysconfig/network-devices/ifconfig.* using
+the variable ZONE=local.
+
+%prep
+%setup -q
+
+%build
+%configure --sbindir=/sbin --bindir=/sbin
+
+%make -j1 \
+%if "%{_host}" != "%{_build}"
+ CFLAGS="-ldl"
+%endif
+
+%install
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+%makeinstall
+
+install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/iptables
+install -D -m 755 %{S:2} %{buildroot}%{_sbindir}/iptables-nat.sh
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+
+%post
+# new install
+if [ $1 -ge 1 ]; then
+ /sbin/ldconfig
+# /sbin/chkconfig --add iptables
+# service iptables condrestart
+fi
+exit 0
+
+%preun
+#erase
+if [ $1 -eq 0 ]; then
+ service iptables stop
+ /sbin/chkconfig --del iptables
+fi
+exit 0
+
+%post nat
+if [ $1 -eq 1 ]; then
+ /usr/sbin/iptables-nat.sh && \
+ /sbin/iptables-save > %{_sysconfdir}/sysconfig/iptables
+fi
+exit 0
+
+%files
+%defattr(-,root,root)
+#%{_sysconfdir}/xtables/connlabel.conf
+%{_initrddir}/iptables
+/sbin/iptables
+/sbin/iptables-xml
+/sbin/iptables-restore
+/sbin/iptables-save
+/sbin/xtables-multi
+/sbin/nfnl_osf
+%dir %{_libdir}/xtables
+%{_libdir}/xtables/libipt_*.so
+%{_libdir}/xtables/libxt_*.so
+%{_libdir}/libxtables.so.*
+%{_libdir}/libiptc.so.*
+%{_libdir}/libip4tc.so.*
+%{_libdir}/libip6tc.so.*
+%dir %{_datadir}/xtables
+%{_datadir}/xtables/pf.os
+%{_mandir}/man1/iptables-xml.*
+%{_mandir}/man8/iptables-restore.*
+%{_mandir}/man8/iptables-save.*
+%{_mandir}/man8/iptables.*
+%{_mandir}/man8/iptables-extensions.*
+
+%files ipv6
+%defattr(-,root,root)
+/sbin/ip6tables
+/sbin/ip6tables-restore
+/sbin/ip6tables-save
+%{_libdir}/xtables/libip6t_*.so
+%{_mandir}/man8/ip6tables.*
+%{_mandir}/man8/ip6tables-restore.*
+%{_mandir}/man8/ip6tables-save.*
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/xtables-version.h
+%{_includedir}/libiptc/*.h
+%{_libdir}/libiptc.la
+%{_libdir}/libiptc.so
+%{_libdir}/libip4tc.la
+%{_libdir}/libip4tc.so
+%{_libdir}/libip6tc.la
+%{_libdir}/libip6tc.so
+%{_libdir}/libxtables.la
+%{_libdir}/libxtables.so
+%{_includedir}/xtables.h
+%{_libdir}/pkgconfig/xtables.pc
+%{_libdir}/pkgconfig/libiptc.pc
+%{_libdir}/pkgconfig/libip4tc.pc
+%{_libdir}/pkgconfig/libip6tc.pc
+
+%files nat
+%defattr(-,root,root)
+%{_sbindir}/iptables-nat.sh
+
+%changelog
+* Fri Nov 22 2013 Automatic Build System 1.4.21-1mamba
+- automatic version update by autodist
+
+* Tue Aug 13 2013 Automatic Build System 1.4.20-1mamba
+- automatic update by autodist
+
+* Thu May 30 2013 Automatic Build System 1.4.19.1-1mamba
+- automatic version update by autodist
+
+* Wed Mar 06 2013 Automatic Build System 1.4.18-1mamba
+- automatic version update by autodist
+
+* Wed Dec 26 2012 Automatic Build System 1.4.17-1mamba
+- automatic version update by autodist
+
+* Thu Oct 18 2012 Automatic Build System 1.4.16.3-1mamba
+- automatic version update by autodist
+
+* Mon Oct 08 2012 Automatic Build System 1.4.16.2-1mamba
+- automatic version update by autodist
+
+* Tue Jul 31 2012 Automatic Build System 1.4.15-1mamba
+- automatic version update by autodist
+
+* Sun May 27 2012 Automatic Build System 1.4.14-1mamba
+- automatic version update by autodist
+
+* Tue Mar 27 2012 Automatic Build System 1.4.13-1mamba
+- automatic version update by autodist
+
+* Mon Jan 09 2012 Automatic Build System 1.4.12.2-1mamba
+- automatic version update by autodist
+
+* Tue Nov 01 2011 Silvan Calarco 1.4.12.1-2mamba
+- drop guarddog support in initscript
+- don't enable service at startup by default
+
+* Fri Sep 02 2011 Automatic Build System 1.4.12.1-1mamba
+- automatic version update by autodist
+
+* Fri Jul 22 2011 Automatic Build System 1.4.12-1mamba
+- automatic update to 3.0.3.0 by autodist
+
+* Tue Jun 14 2011 Automatic Build System 1.4.11.1-1mamba
+- automatic update by autodist
+
+* Sat Oct 30 2010 Automatic Build System 1.4.10-1mamba
+- automatic update to 1.4.10 by autodist
+
+* Sat Aug 07 2010 Automatic Build System 1.4.9.1-1mamba
+- automatic update to 1.4.9.1 by autodist
+
+* Wed Aug 04 2010 Automatic Build System 1.4.9-1mamba
+- automatic update to 1.4.9 by autodist
+
+* Fri May 21 2010 Automatic Build System 1.4.8-1mamba
+- automatic update to 1.4.8 by autodist
+
+* Wed Mar 03 2010 Davide Madrisan 1.4.7-1mamba
+- update to 1.4.7
+
+* Wed Dec 09 2009 Automatic Build System 1.4.6-1mamba
+- automatic update to 1.4.6 by autodist
+
+* Fri Sep 25 2009 Automatic Build System 1.4.5-1mamba
+- automatic update to 1.4.5 by autodist
+
+* Tue Jun 16 2009 Automatic Build System 1.4.4-1mamba
+- automatic update to 1.4.4 by autodist
+
+* Mon Apr 06 2009 Silvan Calarco 1.4.3.2-1mamba
+- automatic update to 1.4.3.2 by autodist
+
+* Wed Mar 25 2009 Silvan Calarco 1.4.3.1-1mamba
+- automatic update to 1.4.3.1 by autodist
+
+* Tue Oct 21 2008 Silvan Calarco 1.4.2-1mamba
+- update to 1.4.2
+- initscript: fix condrestart check
+- install initscript and iptables-nat.sh with read permissions for all
+
+* Sat Sep 13 2008 Silvan Calarco 1.4.1.1-1mamba
+- automatic update to 1.4.1.1 by autodist
+
+* Wed Apr 30 2008 Aleph0 1.4.0-1mamba
+- update to 1.4.0 (bugfixes and strong IPv6 support improvement)
+- own %{_libdir}/iptables dir
+
+* Mon Jul 02 2007 Aleph0 1.3.8-1mamba
+- update to 1.3.8
+
+* Mon Apr 16 2007 Davide Madrisan 1.3.7-1mamba
+- update to version 1.3.7 by autospec
+- use service to run the initscript
+- updated initscript
+
+* Wed Oct 04 2006 Davide Madrisan 1.3.6-1qilnx
+- update to version 1.3.6 by autospec
+
+* Fri Feb 03 2006 Davide Madrisan 1.3.5-1qilnx
+- update to version 1.3.5 by autospec
+
+* Mon Nov 07 2005 Davide Madrisan 1.3.4-1qilnx
+- update to version 1.3.4 by autospec
+
+* Mon Aug 01 2005 Davide Madrisan 1.3.3-1qilnx
+- update to version 1.3.3 by autospec
+
+* Mon Jul 25 2005 Davide Madrisan 1.3.2-1qilnx
+- update to version 1.3.2 by autospec
+
+* Mon Apr 18 2005 Silvan Calarco 1.3.1-2qilnx
+- changed initscript for Guarddog first time configurator execution
+
+* Tue Mar 08 2005 Davide Madrisan 1.3.1-1qilnx
+- update to version 1.3.1 by autospec
+
+* Mon Feb 14 2005 Davide Madrisan 1.3.0-1qilnx
+- update to version 1.3.0 by autospec
+
+* Wed Nov 03 2004 Davide Madrisan 1.2.11-2qilnx
+- security fix: QSA-2004-049 (CAN-2004-0986)
+
+* Tue Jun 29 2004 Davide Madrisan 1.2.11.1qilnx
+- new version rebuild
+
+* Fri May 14 2004 Davide Madrisan 1.2.9-6qilnx
+- iptables-nat.sh updated to use the new network-functions features
+
+* Wed Mar 31 2004 Silvan Calarco 1.2.9-5qilnx
+- fixed iptables-nat.sh when a dhcp interface has no IP address
+
+* Tue Feb 03 2004 Davide Madrisan 1.2.9-4qilnx
+- fixed iptables-nat.sh script
+
+* Mon Feb 02 2004 Davide Madrisan 1.2.9-3qilnx
+- post scriptlet fixed
+
+* Wed Nov 19 2003 Davide Madrisan 1.2.9-2qilnx
+- added missing requirements for iptables-nat and iptables-ipv6
+
+* Mon Nov 03 2003 Davide Madrisan 1.2.9-1qilnx
+- rebuilt with version 1.2.9
+
+* Fri Oct 31 2003 Davide Madrisan 1.2.8-9qilnx
+- RPM specfile fixes/updates
+
+* Fri Sep 19 2003 Davide Madrisan 1.2.8-8qilnx
+- fixes in iptables-nat.sh script
+
+* Fri Aug 15 2003 Silvan Calarco 1.2.8-7qilnx
+- changed iptables-nat.sh script so that it works when a private interface
+ doesn't have and ip address
+
+* Wed Aug 06 2003 Silvan Calarco 1.2.8-6qilnx
+- changed iptables-nat.sh script so that it uses new network-functions scripts
+
+* Tue Jul 15 2003 Silvan Calarco 1.2.8-5qilnx
+- fixed minor initscript problem (a lot of newlines after [OK])
+
+* Mon Jun 26 2003 Silvan Calarco 1.2.8-4qilnx
+- changed initscript sequence number to boot after network activation
+
+* Mon Jun 23 2003 Silvan Calarco 1.2.8-3qilnx
+- added guarddog aware configuration file
+
+* Wed May 07 2003 Silvan Calarco 1.2.8-2qilnx
+- added iptables-nat package
+
+* Thu Apr 29 2003 Alessandro Ramazzina 1.2.8-1qilnx
+- creation of iptables package
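Review bot: The `%post nat` scriptlet runs `/sbin/iptables-save > %{_sysconfdir}/sysconfig/iptables` on first install, which overwrites whatever ruleset the administrator already saved there with the live state at install time — possibly with no filter rules loaded at all — and writes the file with the umask default rather than the 0600 that the initscript's `save` branch applies. Guarding it with `[ -e %{_sysconfdir}/sysconfig/iptables ] || ` in front of the save, or calling `service iptables save` instead, keeps an existing config and the permissions consistent. Separately, `Source0` is fetched over plain FTP and the spec carries no checksum or signature check against netfilter's published .sig, so the build trusts the mirror; pinning a sha256 or verifying the signature in %prep would close that. The `%preun` `service iptables stop` also flushes and sets ACCEPT on every table when the package is removed, which is expected behaviour but worth a one-line comment in the scriptlet so it is not mistaken for an oversight.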