automatic version update by autodist [release 1.4.21-1mamba;Fri Nov 22 2013]

README.md

@@ -1,2 +1,5 @@
 # iptables
 
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+

iptables-initscript

@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# iptables -- Startup script to implement /etc/sysconfig/iptables pre-defined rules
+#
+# chkconfig: 2345 25 92
+# description: Automates a packet filtering firewall with iptables.
+# config: /etc/sysconfig/iptables
+#
+# By bero@redhat.com, based on the ipchains script:
+# Script Author: Joshua Jensen <joshua@redhat.com>
+#   -- hacked up by gafton with help from notting
+# Modified by Anton Altaparmakov <aia21@cam.ac.uk>:
+# Modified by Nils Philippsen <nils@redhat.de>
+
+. /etc/sysconfig/rc
+. $rc_functions
+
+NAME=iptables
+IPTABLES=/sbin/$NAME
+IPTABLES_RESTORE=/sbin/iptables-restore
+IPTABLES_SAVE=/sbin/iptables-save
+IPTABLES_CONFIG=/etc/sysconfig/$NAME
+
+[ -x $IPTABLES ] || exit 0
+
+case "$1" in
+   start)
+      # don't do squat if we don't have the config file
+      if [ -f $IPTABLES_CONFIG ]; then
+         # we do _not_ need to flush/clear anything when using 	iptables-restore
+         echo -n $"Applying iptables firewall rules: "
+         grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | \
+         grep -v '^[[:space:]]*$' | \
+         $IPTABLES_RESTORE -c
+         evaluate_retval; echo
+      fi
+      touch /var/lock/subsys/$NAME
+   ;;
+   stop)
+      echo -n $"Setting up default policies to ACCEPT: "
+      $IPTABLES --table mangle --policy PREROUTING ACCEPT &&
+      $IPTABLES --table mangle --policy INPUT ACCEPT &&
+      $IPTABLES --table mangle --policy FORWARD ACCEPT &&
+      $IPTABLES --table mangle --policy OUTPUT ACCEPT &&
+      $IPTABLES --table mangle --policy POSTROUTING ACCEPT &&
+      $IPTABLES --table filter --policy INPUT ACCEPT &&
+      $IPTABLES --table filter --policy OUTPUT ACCEPT &&
+      $IPTABLES --table filter --policy FORWARD ACCEPT &&
+      $IPTABLES --table nat --policy PREROUTING ACCEPT &&
+      $IPTABLES --table nat --policy POSTROUTING ACCEPT &&
+      $IPTABLES --table nat --policy OUTPUT ACCEPT
+      evaluate_retval; echo
+
+      echo -n $"Flushing all chains and deleting all user ones: "
+      for table in filter nat mangle; do
+         $IPTABLES --table $table --flush &&
+         $IPTABLES --table $table --delete-chain &&
+         $IPTABLES --table $table --zero
+      done
+      evaluate_retval; echo
+
+      rm -f /var/lock/subsys/$NAME
+   ;;
+   restart|reload)
+      # "restart" is really just "start" as this isn't a daemon,
+      #  and "start" clears any pre-defined rules anyway.
+      #  This is really only here to make those who expect it happy
+      $0 start
+   ;;
+   condrestart)
+      [ -e /var/lock/subsys/$NAME ] && $0 restart || :
+   ;;
+   status)
+      for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do
+         echo "["$"TABLE:"" $table]"
+         $IPTABLES -t $table --list
+         echo
+      done
+   ;;
+   panic)
+      echo -n $"Setting up default policies to DROP: "
+      $IPTABLES --table mangle --policy PREROUTING DROP &&
+      $IPTABLES --table mangle --policy INPUT DROP &&
+      $IPTABLES --table mangle --policy FORWARD DROP &&
+      $IPTABLES --table mangle --policy OUTPUT DROP &&
+      $IPTABLES --table mangle --policy POSTROUTING DROP &&
+      $IPTABLES --table filter --policy INPUT DROP &&
+      $IPTABLES --table filter --policy OUTPUT DROP &&
+      $IPTABLES --table filter --policy FORWARD DROP &&
+      $IPTABLES --table nat --policy PREROUTING DROP &&
+      $IPTABLES --table nat --policy POSTROUTING DROP &&
+      $IPTABLES --table nat --policy OUTPUT DROP
+      evaluate_retval; echo
+
+      echo -n $"Flushing all chains and deleting all user ones: "
+      for table in filter nat mangle; do
+         $IPTABLES --table $table --flush &&
+         $IPTABLES --table $table --delete-chain &&
+         $IPTABLES --table $table --zero
+      done
+      evaluate_retval; echo
+   ;;
+   save)
+      echo -n $"Saving current rules to"" \`$IPTABLES_CONFIG': "
+      touch $IPTABLES_CONFIG && chmod 600 $IPTABLES_CONFIG &&
+      $IPTABLES_SAVE -c > $IPTABLES_CONFIG 2>/dev/null
+      evaluate_retval; echo
+   ;;
+   *)
+      echo "Usage: ""$0 {start|stop|restart|condrestart|status|panic|save}"
+      exit 1
+   ;;
+esac
+
+exit 0

iptables-nat.sh

@@ -0,0 +1,60 @@
+#! /bin/bash
+#
+# iptables-nat.sh, v1.2 (14-05-2004) - simple script to set NAT rules
+# for IPTABLES on all the network devices marked as local (ZONE=local)
+#
+# Copyright (c) 2003-2004 by Silvan Calarco <silvan.calarco@qilinux.it>
+# Copyright (c) 2003-2006 by Davide Madrisan <davide.madrisan@qilinux.it>
+
+. /etc/sysconfig/rc
+. $rc_functions
+. $rc_networkfunctions
+. /etc/sysconfig/network
+
+get_interfaces_by_zone
+[ ${#ifzone_local[@]} -eq 0 ] && exit 0  # no local interfaces found
+
+# shut down NAT routing and delete any NAT existing chains
+iptables -t nat -P PREROUTING DROP && \
+iptables -t nat -P POSTROUTING DROP && \
+iptables -t nat -P OUTPUT DROP && \
+iptables -t nat -F && \
+iptables -t nat -X
+
+for int_name in ${ifzone_local[@]}; do
+   # get the parameters: int_ip, int_netmask, int_network
+   get_interface_parameters $int_name
+   [ $? -ne 0 ] &&
+    { echo "\
+WARNING: could not determine parameters for interface $int_name.
+         $int_name will not be configured for NAT." 1>&2; 
+      continue; }
+
+   [ -z "$int_network" -a "$natconfig" = 1 ] &&
+    { echo "\
+WARNING: NETWORK variable for interface $int_name not set.
+         $int_name will not be configured for NAT." 1>&2;
+      continue; }
+
+   [ -z "$int_netmask" -a "$natconfig" = 1 ] &&
+    { int_netmask="255.255.255.0";
+      echo "\
+WARNING: NETMASK variable missing for $int_name.
+         Using $int_netmask." 1>&2; }
+
+   # masquerade rules
+   iptables -t nat -N fromprivate.$int_name
+   # packets from the private IP range to another private IP range are untouched.
+   iptables -t nat -A fromprivate.$int_name -d $int_ip/$int_netmask -j ACCEPT
+   # packets that get here are from the private address range
+   # and are trying to get out to the internet. We NAT them.
+   iptables -t nat -A fromprivate.$int_name -j MASQUERADE
+   # siphon off any packets that are from the private IP range
+   iptables -t nat -A POSTROUTING -s $int_ip/$int_netmask -j fromprivate.$int_name
+done
+
+# packets that get here can just hit the default policy
+iptables -t nat -P PREROUTING ACCEPT && \
+iptables -t nat -P POSTROUTING ACCEPT && \
+iptables -t nat -P OUTPUT ACCEPT
+

iptables.spec

@@ -0,0 +1,326 @@
+Name:          iptables
+Version:       1.4.21
+Release:       1mamba
+Summary:       kernel libraries, user tools/libraries for netfilter/iptables firewalling
+Group:         Network/Security
+Vendor:        openmamba
+Distribution:  openmamba
+Packager:      Silvan Calarco <silvan.calarco@mambasoft.it>
+URL:           http://www.netfilter.org
+Source0:       ftp://ftp.netfilter.org/pub/iptables/iptables-%{version}.tar.bz2
+Source1:       iptables-initscript
+Source2:       iptables-nat.sh
+License:       GPL
+BuildRequires: libnfnetlink-devel
+BuildRoot:     %{_tmppath}/%{name}-%{version}-root
+
+%description
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+
+%package ipv6
+Summary:       IPv6 support for iptables
+Group:         Network/Security
+Requires:      %{name} = %{?epoch:%epoch:}%{version}-%{release}
+
+%description ipv6
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+
+Install iptables-ipv6 if you need to set up firewalling for your network and you're using ipv6.
+IPv6 is the next version of the IP protocol.
+
+%package devel
+Summary:       Header files needed for development with xtables
+Group:         Network/Security
+Requires:      %{name} = %{?epoch:%epoch:}%{version}-%{release}
+Requires:      %{name}-ipv6 = %{?epoch:%epoch:}%{version}-%{release}
+
+%description devel
+Iptables is the new firewalling code in the 2.4.x and 2.6.x linux kernels.
+It provides a more extensible architecture for packet matching and manipulation by moving all but the lowest level into userspace libraries and kernel modules.
+This package contains the header files needed for development with xtables.
+
+%package nat
+Summary:       IPtables script that enables NAT functionality
+Group:         Network/Security
+Requires:      %{name} = %{?epoch:%epoch:}%{version}-%{release}
+
+%description nat
+This is a simple script that enables iptables NAT functionality from an interface marked as local in /etc/sysconfig/network-devices/ifconfig.*  using 
+the variable ZONE=local.
+
+%prep
+%setup -q
+
+%build
+%configure --sbindir=/sbin --bindir=/sbin
+
+%make -j1 \
+%if "%{_host}" != "%{_build}"
+   CFLAGS="-ldl"
+%endif
+
+%install
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+%makeinstall
+
+install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/iptables
+install -D -m 755 %{S:2} %{buildroot}%{_sbindir}/iptables-nat.sh
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+
+%post
+# new install
+if [ $1 -ge 1 ]; then
+   /sbin/ldconfig
+#   /sbin/chkconfig --add iptables
+#   service iptables condrestart
+fi
+exit 0
+
+%preun
+#erase
+if [ $1 -eq 0 ]; then
+   service iptables stop
+   /sbin/chkconfig --del iptables
+fi
+exit 0
+
+%post nat
+if [ $1 -eq 1 ]; then
+   /usr/sbin/iptables-nat.sh && \
+      /sbin/iptables-save > %{_sysconfdir}/sysconfig/iptables
+fi
+exit 0
+
+%files
+%defattr(-,root,root)
+#%{_sysconfdir}/xtables/connlabel.conf
+%{_initrddir}/iptables
+/sbin/iptables
+/sbin/iptables-xml
+/sbin/iptables-restore
+/sbin/iptables-save
+/sbin/xtables-multi
+/sbin/nfnl_osf
+%dir %{_libdir}/xtables
+%{_libdir}/xtables/libipt_*.so
+%{_libdir}/xtables/libxt_*.so
+%{_libdir}/libxtables.so.*
+%{_libdir}/libiptc.so.*
+%{_libdir}/libip4tc.so.*
+%{_libdir}/libip6tc.so.*
+%dir %{_datadir}/xtables
+%{_datadir}/xtables/pf.os
+%{_mandir}/man1/iptables-xml.*
+%{_mandir}/man8/iptables-restore.*
+%{_mandir}/man8/iptables-save.*
+%{_mandir}/man8/iptables.*
+%{_mandir}/man8/iptables-extensions.*
+
+%files ipv6
+%defattr(-,root,root)
+/sbin/ip6tables
+/sbin/ip6tables-restore
+/sbin/ip6tables-save
+%{_libdir}/xtables/libip6t_*.so
+%{_mandir}/man8/ip6tables.*
+%{_mandir}/man8/ip6tables-restore.*
+%{_mandir}/man8/ip6tables-save.*
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/xtables-version.h
+%{_includedir}/libiptc/*.h
+%{_libdir}/libiptc.la
+%{_libdir}/libiptc.so
+%{_libdir}/libip4tc.la
+%{_libdir}/libip4tc.so
+%{_libdir}/libip6tc.la
+%{_libdir}/libip6tc.so
+%{_libdir}/libxtables.la
+%{_libdir}/libxtables.so
+%{_includedir}/xtables.h
+%{_libdir}/pkgconfig/xtables.pc
+%{_libdir}/pkgconfig/libiptc.pc
+%{_libdir}/pkgconfig/libip4tc.pc
+%{_libdir}/pkgconfig/libip6tc.pc
+
+%files nat
+%defattr(-,root,root)
+%{_sbindir}/iptables-nat.sh
+
+%changelog
+* Fri Nov 22 2013 Automatic Build System <autodist@mambasoft.it> 1.4.21-1mamba
+- automatic version update by autodist
+
+* Tue Aug 13 2013 Automatic Build System <autodist@mambasoft.it> 1.4.20-1mamba
+- automatic update by autodist
+
+* Thu May 30 2013 Automatic Build System <autodist@mambasoft.it> 1.4.19.1-1mamba
+- automatic version update by autodist
+
+* Wed Mar 06 2013 Automatic Build System <autodist@mambasoft.it> 1.4.18-1mamba
+- automatic version update by autodist
+
+* Wed Dec 26 2012 Automatic Build System <autodist@mambasoft.it> 1.4.17-1mamba
+- automatic version update by autodist
+
+* Thu Oct 18 2012 Automatic Build System <autodist@mambasoft.it> 1.4.16.3-1mamba
+- automatic version update by autodist
+
+* Mon Oct 08 2012 Automatic Build System <autodist@mambasoft.it> 1.4.16.2-1mamba
+- automatic version update by autodist
+
+* Tue Jul 31 2012 Automatic Build System <autodist@mambasoft.it> 1.4.15-1mamba
+- automatic version update by autodist
+
+* Sun May 27 2012 Automatic Build System <autodist@mambasoft.it> 1.4.14-1mamba
+- automatic version update by autodist
+
+* Tue Mar 27 2012 Automatic Build System <autodist@mambasoft.it> 1.4.13-1mamba
+- automatic version update by autodist
+
+* Mon Jan 09 2012 Automatic Build System <autodist@mambasoft.it> 1.4.12.2-1mamba
+- automatic version update by autodist
+
+* Tue Nov 01 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 1.4.12.1-2mamba
+- drop guarddog support in initscript
+- don't enable service at startup by default
+
+* Fri Sep 02 2011 Automatic Build System <autodist@mambasoft.it> 1.4.12.1-1mamba
+- automatic version update by autodist
+
+* Fri Jul 22 2011 Automatic Build System <autodist@mambasoft.it> 1.4.12-1mamba
+- automatic update to 3.0.3.0 by autodist
+
+* Tue Jun 14 2011 Automatic Build System <autodist@mambasoft.it> 1.4.11.1-1mamba
+- automatic update by autodist
+
+* Sat Oct 30 2010 Automatic Build System <autodist@mambasoft.it> 1.4.10-1mamba
+- automatic update to 1.4.10 by autodist
+
+* Sat Aug 07 2010 Automatic Build System <autodist@mambasoft.it> 1.4.9.1-1mamba
+- automatic update to 1.4.9.1 by autodist
+
+* Wed Aug 04 2010 Automatic Build System <autodist@mambasoft.it> 1.4.9-1mamba
+- automatic update to 1.4.9 by autodist
+
+* Fri May 21 2010 Automatic Build System <autodist@mambasoft.it> 1.4.8-1mamba
+- automatic update to 1.4.8 by autodist
+
+* Wed Mar 03 2010 Davide Madrisan <davide.madrisan@gmail.com> 1.4.7-1mamba
+- update to 1.4.7
+
+* Wed Dec 09 2009 Automatic Build System <autodist@mambasoft.it> 1.4.6-1mamba
+- automatic update to 1.4.6 by autodist
+
+* Fri Sep 25 2009 Automatic Build System <autodist@mambasoft.it> 1.4.5-1mamba
+- automatic update to 1.4.5 by autodist
+
+* Tue Jun 16 2009 Automatic Build System <autodist@mambasoft.it> 1.4.4-1mamba
+- automatic update to 1.4.4 by autodist
+
+* Mon Apr 06 2009 Silvan Calarco <silvan.calarco@mambasoft.it> 1.4.3.2-1mamba
+- automatic update to 1.4.3.2 by autodist
+
+* Wed Mar 25 2009 Silvan Calarco <silvan.calarco@mambasoft.it> 1.4.3.1-1mamba
+- automatic update to 1.4.3.1 by autodist
+
+* Tue Oct 21 2008 Silvan Calarco <silvan.calarco@mambasoft.it> 1.4.2-1mamba
+- update to 1.4.2
+- initscript: fix condrestart check
+- install initscript and iptables-nat.sh with read permissions for all
+
+* Sat Sep 13 2008 Silvan Calarco <silvan.calarco@mambasoft.it> 1.4.1.1-1mamba
+- automatic update to 1.4.1.1 by autodist
+
+* Wed Apr 30 2008 Aleph0 <aleph0@openmamba.org> 1.4.0-1mamba
+- update to 1.4.0 (bugfixes and strong IPv6 support improvement)
+- own %{_libdir}/iptables dir
+
+* Mon Jul 02 2007 Aleph0 <aleph0@openmamba.org> 1.3.8-1mamba
+- update to 1.3.8
+
+* Mon Apr 16 2007 Davide Madrisan <davide.madrisan@gmail.com> 1.3.7-1mamba
+- update to version 1.3.7 by autospec
+- use service to run the initscript
+- updated initscript
+
+* Wed Oct 04 2006 Davide Madrisan <davide.madrisan@qilinux.it> 1.3.6-1qilnx
+- update to version 1.3.6 by autospec
+
+* Fri Feb 03 2006 Davide Madrisan <davide.madrisan@qilinux.it> 1.3.5-1qilnx
+- update to version 1.3.5 by autospec
+
+* Mon Nov 07 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.3.4-1qilnx
+- update to version 1.3.4 by autospec
+
+* Mon Aug 01 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.3.3-1qilnx
+- update to version 1.3.3 by autospec
+
+* Mon Jul 25 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.3.2-1qilnx
+- update to version 1.3.2 by autospec
+
+* Mon Apr 18 2005 Silvan Calarco <silvan.calarco@mambasoft.it> 1.3.1-2qilnx
+- changed initscript for Guarddog first time configurator execution
+
+* Tue Mar 08 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.3.1-1qilnx
+- update to version 1.3.1 by autospec
+
+* Mon Feb 14 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.3.0-1qilnx
+- update to version 1.3.0 by autospec
+
+* Wed Nov 03 2004 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.11-2qilnx
+- security fix: QSA-2004-049 (CAN-2004-0986)
+
+* Tue Jun 29 2004 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.11.1qilnx
+- new version rebuild
+
+* Fri May 14 2004 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.9-6qilnx
+- iptables-nat.sh updated to use the new network-functions features
+
+* Wed Mar 31 2004 Silvan Calarco <silvan.calarco@mambasoft.it> 1.2.9-5qilnx
+- fixed iptables-nat.sh when a dhcp interface has no IP address
+
+* Tue Feb 03 2004 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.9-4qilnx
+- fixed iptables-nat.sh script 
+
+* Mon Feb 02 2004 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.9-3qilnx
+- post scriptlet fixed
+
+* Wed Nov 19 2003 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.9-2qilnx
+- added missing requirements for iptables-nat and iptables-ipv6
+
+* Mon Nov 03 2003 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.9-1qilnx
+- rebuilt with version 1.2.9
+
+* Fri Oct 31 2003 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.8-9qilnx
+- RPM specfile fixes/updates
+
+* Fri Sep 19 2003 Davide Madrisan <davide.madrisan@qilinux.it> 1.2.8-8qilnx
+- fixes in iptables-nat.sh script
+
+* Fri Aug 15 2003 Silvan Calarco <silvan.calarco@qinet.it> 1.2.8-7qilnx
+- changed iptables-nat.sh script so that it works when a private interface
+  doesn't have and ip address
+
+* Wed Aug 06 2003 Silvan Calarco <silvan.calarco@qinet.it> 1.2.8-6qilnx
+- changed iptables-nat.sh script so that it uses new network-functions scripts
+
+* Tue Jul 15 2003 Silvan Calarco <silvan.calarco@qinet.it> 1.2.8-5qilnx
+- fixed minor initscript problem (a lot of newlines after [OK])
+
+* Mon Jun 26 2003 Silvan Calarco <silvan.calarco@qinet.it> 1.2.8-4qilnx
+- changed initscript sequence number to boot after network activation
+
+* Mon Jun 23 2003 Silvan Calarco <silvan.calarco@qinet.it> 1.2.8-3qilnx
+- added guarddog aware configuration file
+
+* Wed May 07 2003 Silvan Calarco <silvan.calarco@qinet.it> 1.2.8-2qilnx
+- added iptables-nat package
+
+* Thu Apr 29 2003 Alessandro Ramazzina <alessandro.ramazzina@qinet.it> 1.2.8-1qilnx
+- creation of iptables package