[Lunar-commits] <moonbase> iptables: added systemd script corrected init script added wrapper..
Jean-Michel Bruenn
wdp at lunar-linux.org
Fri Aug 5 00:26:04 CEST 2011
commit b85784c6894db5b1f8d8d10b36ed0397a072e5eb
Author: Jean-Michel Bruenn <wdp at lunar-linux.org>
Date: Fri Aug 5 00:26:04 2011 +0200
iptables: added systemd script corrected init script added wrapper..
---
security/iptables/BUILD | 14 +++++++++++++-
security/iptables/files/iptables-empty | 15 +++++++++++++++
security/iptables/files/iptsave | 24 ++++++++++++++++++++++++
security/iptables/init.d/iptables | 24 ++++++++++--------------
security/iptables/systemd.d/iptables.service | 13 +++++++++++++
5 files changed, 75 insertions(+), 15 deletions(-)
diff --git a/security/iptables/BUILD b/security/iptables/BUILD
index 07b7319..5d412ed 100644
--- a/security/iptables/BUILD
+++ b/security/iptables/BUILD
@@ -17,7 +17,19 @@
# revive tables
if [ -f /etc/config.d/iptables.sav ] ; then
cat /etc/config.d/iptables.sav | iptables-restore -c &&
- rm /etc/config.d/iptables.sav
+ rm /etc/config.d/iptables.sav &&
+ fi
+
+ # add empty iptables file for flushing
+ if [ ! -f /etc/config.d/iptables-empty ]; then
+ cp $SCRIPT_DIRECTORY/files/iptables-empty /etc/config.d/iptables-empty &&
+ fi
+ # little wrapper for systemd's usage
+ # todo: should be detected by our package-management (installwatch?)
+ # tho i guess nobody uses lunar without installed iptables..
+ if [ ! -f /usr/sbin/iptsave ]; then
+ cp $SCRIPT_DIRECTORY/files/iptsave /usr/sbin/iptsave &&
+ chmod a+x /usr/sbin/iptsave
fi
) > $C_FIFO 2>&1
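Review bot: The trailing `&&` on the new `rm /etc/config.d/iptables.sav &&` line and on the `cp $SCRIPT_DIRECTORY/files/iptables-empty ... &&` line is followed directly by `fi`, which is a shell syntax error (`&&` must be followed by a command), so this BUILD block will fail to parse instead of installing the helper files. Drop the `&&` on both lines: `rm /etc/config.d/iptables.sav` and `cp "$SCRIPT_DIRECTORY/files/iptables-empty" /etc/config.d/iptables-empty`. Quoting `$SCRIPT_DIRECTORY` in both `cp` lines also protects against word-splitting on a path containing spaces. Copying `iptsave` straight into /usr/sbin bypasses the package tracking the comment already mentions, so removal of the module presumably leaves the wrapper behind; a `# TODO` naming that is worth keeping next to it. The subshell closed by `) > $C_FIFO 2>&1` opens before the hunk.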
diff --git a/security/iptables/files/iptables-empty b/security/iptables/files/iptables-empty
new file mode 100644
index 0000000..67f3eec
--- /dev/null
+++ b/security/iptables/files/iptables-empty
@@ -0,0 +1,15 @@
+# Generated by iptables-save v1.4.10 on Thu Aug 4 13:14:07 2011
+*nat
+:PREROUTING ACCEPT [62421:10188892]
+:INPUT ACCEPT [62199:10166936]
+:OUTPUT ACCEPT [20422:1295697]
+:POSTROUTING ACCEPT [20422:1295697]
+COMMIT
+# Completed on Thu Aug 4 13:14:07 2011
+# Generated by iptables-save v1.4.10 on Thu Aug 4 13:14:07 2011
+*filter
+:INPUT ACCEPT [5763104:5100721247]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [3667989:588315306]
+COMMIT
+# Completed on Thu Aug 4 13:14:07 2011
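Review bot: This "empty" ruleset changes what `stop` leaves behind: the removed init-script lines set `iptables -P FORWARD DROP`, but this file restores `:FORWARD ACCEPT`, so once it is loaded by the init script's stop() or by the unit's ExecStopPost the filter table forwards everything. The init script still writes 0 to ip_forward afterwards, but the systemd unit in this commit does not, so on systemd hosts the kernel setting is whatever it was before. `:FORWARD DROP [0:0]` here would keep the previous behaviour on both paths. The file also only covers the nat and filter tables, so anything in mangle or raw survives a stop, and the non-zero counters are the author's machine statistics; iptables-restore should ignore them without `-c`, but `[0:0]` would be cleaner for a file shipped to every host.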
diff --git a/security/iptables/files/iptsave b/security/iptables/files/iptsave
new file mode 100644
index 0000000..5b1f6dd
--- /dev/null
+++ b/security/iptables/files/iptsave
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+###
+# the purpose of this wrapper is, that I have no
+# idea how to do things like bla < foo or foo > bla
+# in systemd. iptables-save needs this behaviour
+# thus this script is just a wrapper. Feel free
+# to provide a proper solution :)
+# <wdp at lunar-linux.org>
+###
+
+IPTSAVEFILE="/etc/config.d/iptables";
+IPTSAVEBIN=$(which iptables-save);
+
+# only run this if iptables-save is executable
+if [ -x "$IPTSAVEBIN" ]; then
+ # remove saved rules if already available
+ if [ -f "$IPTSAVE" ]; then
+ rm -f "$IPTSAVE";
+ fi
+
+ # save the iptables rules
+ $IPTSAVEBIN > $IPTSAVEFILE;
+fi
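Review bot: `$IPTSAVE` on the `if [ -f "$IPTSAVE" ]` and `rm -f "$IPTSAVE"` lines is never assigned in this script (the variable defined above is `IPTSAVEFILE`), so that branch is dead and it is the redirect `$IPTSAVEBIN > $IPTSAVEFILE` that actually truncates the file. The truncation happens before iptables-save writes anything, so a failing save leaves an empty or partial /etc/config.d/iptables that the unit's next ExecStart will load as the firewall. Writing to a temporary file beside it and renaming only on success avoids that, and the script should exit non-zero when the save fails so systemd reports the failed stop (it also exits 0 today when iptables-save is not found at all). `command -v` is the portable replacement for `which`, and the trailing `;` on the assignments are harmless but unidiomatic.
```shell
# … unchanged: header comment …

IPTSAVEFILE="/etc/config.d/iptables"
IPTSAVEBIN=$(command -v iptables-save)

# only run this if iptables-save is executable; fail loudly otherwise
if [ -x "$IPTSAVEBIN" ]; then
  # write to a temp file first so a failed save cannot truncate the live ruleset
  tmp=$(mktemp "${IPTSAVEFILE}.XXXXXX") || exit 1
  if "$IPTSAVEBIN" > "$tmp"; then
    mv -f -- "$tmp" "$IPTSAVEFILE"
  else
    rm -f -- "$tmp"
    exit 1
  fi
else
  printf '%s\n' "iptables-save not found" >&2
  exit 1
fi
```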
diff --git a/security/iptables/init.d/iptables b/security/iptables/init.d/iptables
index 2a3d97f..81bccb8 100755
--- a/security/iptables/init.d/iptables
+++ b/security/iptables/init.d/iptables
@@ -4,22 +4,23 @@
#
# config: /etc/config.d/iptables
-IPTABLESSAVE=`which iptables-save`
-IPTABLESRESTORE=`which iptables-restore`
+IPTSAVE=`which iptables-save`
+IPTRESTORE=`which iptables-restore`
+IPTCONFIG=/etc/config.d/iptables
start() {
echo -n "Starting iptables: "
if [ ! -e /var/run/iptables ]; then
- if [ -z $IPTABLESSAVE -o -z $IPTABLESRESTORE ]; then
+ if [ -z $IPTSAVE -o -z $IPTRESTORE ]; then
echo -n "missing iptables binaries"
echo -e $RESULT_FAIL
else
- if [ ! -e /etc/config.d/iptables ]; then
+ if [ ! -e "$IPTCONFIG" ]; then
echo -n "no config to load, forwarding enabled"
echo -e $RESULT_WARN
else
echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables-restore /etc/config.d/iptables
+ $IPTRESTORE < $IPTCONFIG
echo -e $RESULT_OK
fi
touch /var/run/iptables
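Review bot: The result of `$IPTRESTORE < $IPTCONFIG` is never checked: `echo -e $RESULT_OK` and `touch /var/run/iptables` run even when iptables-restore rejects the file, and `echo 1 > /proc/sys/net/ipv4/ip_forward` on the line before it turns forwarding on before any rule is loaded (with nothing loaded yet, the chain policies are ACCEPT). Enabling forwarding only after a successful restore, and reporting failure otherwise, closes both gaps. The `[ -z $IPTSAVE -o -z $IPTRESTORE ]` test should quote its operands and use `||` instead of the ambiguous `-o`: `if [ -z "$IPTSAVE" ] || [ -z "$IPTRESTORE" ]; then`. start() continues past the end of the hunk.
```shell
else
  if "$IPTRESTORE" < "$IPTCONFIG"; then
    # turn forwarding on only once the ruleset is in place
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo -e $RESULT_OK
  else
    echo -e $RESULT_FAIL
  fi
fi
# … unchanged: touch /var/run/iptables …
```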
@@ -36,18 +37,13 @@ stop() {
echo -n "not running";
echo -e $RESULT_FAIL
else
- if [ -z $IPTABLESSAVE -o -z $IPTABLESRESTORE ]; then
+ if [ -z $IPTSAVE -o -z $IPTRESTORE ]; then
echo -n "missing iptables binaries"
echo -e $RESULT_FAIL
else
- iptables-save > /etc/config.d/iptables
- iptables -P INPUT ACCEPT
- iptables -F INPUT
- iptables -P OUTPUT ACCEPT
- iptables -F OUTPUT
- iptables -P FORWARD DROP
- iptables -F FORWARD
- iptables -t nat -F
+ $IPTSAVE > $IPTCONFIG
+ # restore EMPTY iptables ruleset
+ $IPTRESTORE < $IPTCONFIG-empty
echo 0 > /proc/sys/net/ipv4/ip_forward
rm /var/run/iptables
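Review bot: `$IPTRESTORE < $IPTCONFIG-empty` is not checked either: if /etc/config.d/iptables-empty is missing (BUILD copies it only when absent, and the BUILD hunk as committed does not parse), the redirect fails, the old rules stay loaded, and stop() still disables forwarding and removes /var/run/iptables, presumably reporting success further down. A guard such as `[ -r "${IPTCONFIG}-empty" ] || { echo -n "missing ${IPTCONFIG}-empty"; echo -e $RESULT_FAIL; }` before the restore, or a test of the restore's exit status, would surface that. `$IPTSAVE > $IPTCONFIG` has the same truncate-before-write problem as the new iptsave wrapper, so a failed save wipes the file the next start() loads. `${IPTCONFIG}-empty` with braces reads more clearly than `$IPTCONFIG-empty`. stop() ends outside the hunk.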
diff --git a/security/iptables/systemd.d/iptables.service b/security/iptables/systemd.d/iptables.service
new file mode 100644
index 0000000..62fe083
--- /dev/null
+++ b/security/iptables/systemd.d/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+
+[Service]
+Type=oneshot
+ConditionFileExists=/etc/config.d/iptables
+ExecStart=/usr/sbin/iptables-restore /etc/config.d/iptables
+ExecStop=/usr/sbin/iptsave
+ExecStopPost=/usr/sbin/iptables-restore /etc/config.d/iptables-empty
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
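Review bot: `ConditionFileExists=` is a [Unit]-section directive; placed under [Service] systemd logs an unknown-lvalue warning and ignores it, so the unit runs `iptables-restore /etc/config.d/iptables` even when the file is absent and fails instead of being skipped. Move the line up under [Unit]. Unlike the init script, the unit never touches /proc/sys/net/ipv4/ip_forward, and ExecStopPost loads iptables-empty, whose FORWARD policy is ACCEPT, without disabling forwarding, so the two boot paths end a stop in different states; a matching sysctl step or a comment in the unit saying forwarding is left to sysctl configuration would make that explicit. ExecStop also unconditionally overwrites /etc/config.d/iptables with the live ruleset, so a hand-edited config is lost on any stop — consistent with the init script, but worth stating in a comment above `ExecStop=`.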