[Lunar-commits] <moonbase> iptables: added systemd script corrected init script added wrapper..

Jean-Michel Bruenn wdp at lunar-linux.org
Fri Aug 5 00:26:04 CEST 2011


commit b85784c6894db5b1f8d8d10b36ed0397a072e5eb
Author: Jean-Michel Bruenn <wdp at lunar-linux.org>
Date:   Fri Aug 5 00:26:04 2011 +0200

    iptables: added systemd unit, corrected init script, added iptsave wrapper
---
 security/iptables/BUILD                      |   14 +++++++++++++-
 security/iptables/files/iptables-empty       |   15 +++++++++++++++
 security/iptables/files/iptsave              |   24 ++++++++++++++++++++++++
 security/iptables/init.d/iptables            |   24 ++++++++++--------------
 security/iptables/systemd.d/iptables.service |   13 +++++++++++++
 5 files changed, 75 insertions(+), 15 deletions(-)

diff --git a/security/iptables/BUILD b/security/iptables/BUILD
index 07b7319..5d412ed 100644
--- a/security/iptables/BUILD
+++ b/security/iptables/BUILD
@@ -17,7 +17,19 @@
   # revive tables
   if [ -f /etc/config.d/iptables.sav ] ; then
     cat /etc/config.d/iptables.sav | iptables-restore -c  &&
-    rm /etc/config.d/iptables.sav
+    rm /etc/config.d/iptables.sav &&
+  fi
+
+  # add empty iptables file for flushing
+  if [ ! -f /etc/config.d/iptables-empty ]; then
+    cp $SCRIPT_DIRECTORY/files/iptables-empty /etc/config.d/iptables-empty &&
+  fi
+  # little wrapper for systemd's usage
+  # todo: should be detected by our package-management (installwatch?)
+  #       tho i guess nobody uses lunar without installed iptables..
+  if [ ! -f /usr/sbin/iptsave ]; then
+    cp $SCRIPT_DIRECTORY/files/iptsave /usr/sbin/iptsave &&
+    chmod a+x /usr/sbin/iptsave
   fi
 
 ) > $C_FIFO 2>&1
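Review bot: The trailing `&&` on the new `rm /etc/config.d/iptables.sav &&` and `cp $SCRIPT_DIRECTORY/files/iptables-empty ... &&` lines is immediately followed by `fi`, which is a bash syntax error ("unexpected token `fi'"), so the whole BUILD script fails to parse rather than just skipping a step. Drop the operator on both lines: `rm /etc/config.d/iptables.sav` and `cp "$SCRIPT_DIRECTORY/files/iptables-empty" /etc/config.d/iptables-empty`; the `&&` before `chmod a+x /usr/sbin/iptsave` is fine because another command follows it. Quoting `"$SCRIPT_DIRECTORY"` in both `cp` lines avoids word-splitting if the build path ever contains spaces. The enclosing `( ... ) > $C_FIFO` subshell starts before this hunk.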
diff --git a/security/iptables/files/iptables-empty b/security/iptables/files/iptables-empty
new file mode 100644
index 0000000..67f3eec
--- /dev/null
+++ b/security/iptables/files/iptables-empty
@@ -0,0 +1,15 @@
+# Generated by iptables-save v1.4.10 on Thu Aug  4 13:14:07 2011
+*nat
+:PREROUTING ACCEPT [62421:10188892]
+:INPUT ACCEPT [62199:10166936]
+:OUTPUT ACCEPT [20422:1295697]
+:POSTROUTING ACCEPT [20422:1295697]
+COMMIT
+# Completed on Thu Aug  4 13:14:07 2011
+# Generated by iptables-save v1.4.10 on Thu Aug  4 13:14:07 2011
+*filter
+:INPUT ACCEPT [5763104:5100721247]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [3667989:588315306]
+COMMIT
+# Completed on Thu Aug  4 13:14:07 2011
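Review bot: The filter table in this "empty" ruleset sets `:FORWARD ACCEPT`, whereas the init-script lines this commit removes set `iptables -P FORWARD DROP` on stop; after `stop` (init.d hunk 2) and after the systemd `ExecStopPost` the host now accepts forwarded packets at the filter level and relies entirely on `ip_forward` being 0, which the systemd unit never sets. If the previous DROP policy was intentional, use `:FORWARD DROP [0:0]` here. The byte/packet counters (`[62421:10188892]` etc.) are stale values captured from the author's machine; `iptables-restore` without `-c` ignores them, so zero them to `[0:0]` to avoid confusion. Only the `nat` and `filter` tables are reset, matching the old script, so `mangle`/`raw` rules, if any, survive a stop.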
diff --git a/security/iptables/files/iptsave b/security/iptables/files/iptsave
new file mode 100644
index 0000000..5b1f6dd
--- /dev/null
+++ b/security/iptables/files/iptsave
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+###
+# the purpose of this wrapper is, that I have no
+# idea how to do things like bla < foo or foo > bla
+# in systemd. iptables-save needs this behaviour
+# thus this script is just a wrapper. Feel free
+# to provide a proper solution :)
+# <wdp at lunar-linux.org>
+###
+
+IPTSAVEFILE="/etc/config.d/iptables";
+IPTSAVEBIN=$(which iptables-save);
+
+# only run this if iptables-save is executable
+if [ -x "$IPTSAVEBIN" ]; then
+  # remove saved rules if already available
+  if [ -f "$IPTSAVE" ]; then
+    rm -f "$IPTSAVE";
+  fi
+
+  # save the iptables rules
+  $IPTSAVEBIN > $IPTSAVEFILE;
+fi
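Review bot: `if [ -f "$IPTSAVE" ]; then rm -f "$IPTSAVE"; fi` tests a variable that is never assigned (the file variable is `IPTSAVEFILE`), so the branch is dead; it is also unnecessary because `>` truncates the target. The real problem is that `$IPTSAVEBIN > $IPTSAVEFILE` truncates the saved ruleset before `iptables-save` has produced anything, so a failure of `iptables-save` leaves an empty config that `ExecStart` will later restore as "no rules"; write to a temp file and rename: `tmp=$(mktemp "$IPTSAVEFILE.XXXXXX") && "$IPTSAVEBIN" > "$tmp" && mv -f -- "$tmp" "$IPTSAVEFILE"`. The `$IPTSAVE > $IPTCONFIG` line in the init script's `stop()` has the same truncate-before-save pattern. Prefer `command -v iptables-save` over `which`, and exit non-zero when the binary is missing so systemd's `ExecStop` does not report success before `ExecStopPost` flushes the unsaved rules.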
diff --git a/security/iptables/init.d/iptables b/security/iptables/init.d/iptables
index 2a3d97f..81bccb8 100755
--- a/security/iptables/init.d/iptables
+++ b/security/iptables/init.d/iptables
@@ -4,22 +4,23 @@
 #
 # config: /etc/config.d/iptables
 
-IPTABLESSAVE=`which iptables-save`
-IPTABLESRESTORE=`which iptables-restore`
+IPTSAVE=`which iptables-save`
+IPTRESTORE=`which iptables-restore`
+IPTCONFIG=/etc/config.d/iptables
 
 start() {
     echo -n "Starting iptables: "
     if [ ! -e /var/run/iptables ]; then
-        if [ -z $IPTABLESSAVE -o -z $IPTABLESRESTORE ]; then
+        if [ -z $IPTSAVE -o -z $IPTRESTORE ]; then
 	    echo -n "missing iptables binaries"
 	    echo -e $RESULT_FAIL
 	else
-	    if [ ! -e /etc/config.d/iptables ]; then
+	    if [ ! -e "$IPTCONFIG" ]; then
 	        echo -n "no config to load, forwarding enabled"
 		echo -e $RESULT_WARN
             else
 	        echo 1 > /proc/sys/net/ipv4/ip_forward
-	        iptables-restore /etc/config.d/iptables
+	        $IPTRESTORE < $IPTCONFIG
 	        echo -e $RESULT_OK
 	    fi
 	    touch /var/run/iptables
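Review bot: The exit status of `$IPTRESTORE < $IPTCONFIG` is ignored and `$RESULT_OK` is printed regardless, while the preceding line has already enabled forwarding, so a malformed config leaves the box forwarding with no rules loaded and reporting success. Gate both on the restore: `if $IPTRESTORE < "$IPTCONFIG"; then echo 1 > /proc/sys/net/ipv4/ip_forward; echo -e $RESULT_OK; else echo -e $RESULT_FAIL; fi`. The renamed check `[ -z $IPTSAVE -o -z $IPTRESTORE ]` should quote both expansions; when `which` prints nothing the test is evaluated on the bare operators rather than on the values. `start()` continues past the end of this hunk.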
@@ -36,18 +37,13 @@ stop() {
         echo -n "not running";
 	echo -e $RESULT_FAIL
     else
-        if [ -z $IPTABLESSAVE -o -z $IPTABLESRESTORE ]; then
+        if [ -z $IPTSAVE -o -z $IPTRESTORE ]; then
             echo -n "missing iptables binaries"
             echo -e $RESULT_FAIL
         else
-	    iptables-save > /etc/config.d/iptables
-	    iptables -P INPUT ACCEPT
-	    iptables -F INPUT
-	    iptables -P OUTPUT ACCEPT
-	    iptables -F OUTPUT
-	    iptables -P FORWARD DROP
-	    iptables -F FORWARD
-	    iptables -t nat -F
+	    $IPTSAVE > $IPTCONFIG
+	    # restore EMPTY iptables ruleset
+            $IPTRESTORE < $IPTCONFIG-empty
 	    echo 0 > /proc/sys/net/ipv4/ip_forward
 
 	    rm /var/run/iptables
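Review bot: `$IPTRESTORE < $IPTCONFIG-empty` is not checked, so if `/etc/config.d/iptables-empty` is absent (BUILD only copies it when missing) or unreadable, the old rules stay loaded while the script still disables forwarding, removes `/var/run/iptables` and reports the service stopped. Check it: `$IPTRESTORE < "$IPTCONFIG-empty" || echo -e $RESULT_FAIL`, and consider aborting before the `rm`. The new `$IPTRESTORE` line is indented with spaces while the surrounding lines use tabs; match the file. `stop()` begins before this hunk.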
diff --git a/security/iptables/systemd.d/iptables.service b/security/iptables/systemd.d/iptables.service
new file mode 100644
index 0000000..62fe083
--- /dev/null
+++ b/security/iptables/systemd.d/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+
+[Service]
+Type=oneshot
+ConditionFileExists=/etc/config.d/iptables
+ExecStart=/usr/sbin/iptables-restore /etc/config.d/iptables
+ExecStop=/usr/sbin/iptsave
+ExecStopPost=/usr/sbin/iptables-restore /etc/config.d/iptables-empty
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
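Review bot: `ConditionFileExists=` is a `[Unit]` section directive; placed under `[Service]` systemd logs an unknown-lvalue warning and ignores it, so the unit starts without the config and `ExecStart` fails on the missing file. Move the line into `[Unit]`, e.g. after `Description=`. Unlike the init script, the unit never touches `/proc/sys/net/ipv4/ip_forward`, so stopping it restores the empty ruleset while forwarding stays at whatever sysctl set; document that or add the equivalent `ExecStopPost`. An ordering such as `Before=network.target` in `[Unit]` would, I believe, get the rules loaded before interfaces come up; worth confirming against the systemd version shipped.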

