From 82c43036eb6d65724e1b0fde2c4797028895fdcc Mon Sep 17 00:00:00 2001
From: dma
Date: Thu, 3 Jan 2019 16:48:36 -0500
Subject: [PATCH] Citadel iptables service + default filter rules

---
 .../citadel-config/citadel-config.bb | 15 +++++++++++++++
 .../citadel-config/files/iptables-flush.sh | 19 +++++++++++++++++++
 .../files/iptables/empty-filter.rules | 6 ++++++
 .../files/iptables/iptables.rules | 9 +++++++++
 .../files/systemd/iptables.service | 15 +++++++++++++++
 5 files changed, 64 insertions(+)
 create mode 100644 meta-citadel/recipes-citadel/citadel-config/files/iptables-flush.sh
 create mode 100644 meta-citadel/recipes-citadel/citadel-config/files/iptables/empty-filter.rules
 create mode 100644 meta-citadel/recipes-citadel/citadel-config/files/iptables/iptables.rules
 create mode 100644 meta-citadel/recipes-citadel/citadel-config/files/systemd/iptables.service

diff --git a/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb b/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb
index ba130a0..ce7d705 100644
--- a/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb
+++ b/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb
@@ -29,6 +29,11 @@ UDEV_RULES = "\
 file://udev/scsi-alpm.rules \
 "

+IPTABLES_RULES = "\
+ file://iptables/empty-filter.rules \
+ file://iptables/iptables.rules \
+"
+
 SRC_URI = "\
 file://locale.conf \
 file://environment.sh \
@@ -40,12 +45,15 @@ SRC_URI = "\
 file://share/dot.profile \
 file://share/dot.vimrc \
 file://polkit/citadel.rules \
+ file://iptables-flush.sh \
 file://systemd/zram-swap.service \
+ file://systemd/iptables.service \
 file://citadel/citadel-image.conf \
 ${DEFAULT_REALM_UNITS} \
 ${MODPROBE_CONFIG} \
 ${SYSCTL_CONFIG} \
 ${UDEV_RULES} \
+ ${IPTABLES_RULES} \
 "

 USERADD_PACKAGES = "${PN}"
@@ -58,6 +66,7 @@ RDEPENDS_${PN} = "bash"
 inherit allarch systemd useradd

 SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path"
+SYSTEMD_SERVICE_${PN} = "iptables.service"

 do_install() {
 install -m 0755 -d ${D}/storage
@@ -72,6 +81,7 @@ do_install() {
 install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d
 install -m 0755 -d ${D}${sysconfdir}/modprobe.d
 install -m 0755 -d ${D}${datadir}/citadel
+ install -m 0755 -d ${D}${datadir}/iptables
 install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
 install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections

@@ -83,6 +93,7 @@ do_install() {

 install -d ${D}${systemd_system_unitdir}
 install -m 644 ${WORKDIR}/systemd/zram-swap.service ${D}${systemd_system_unitdir}
+ install -m 644 ${WORKDIR}/systemd/iptables.service ${D}${systemd_system_unitdir}
 install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir}
 install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir}

@@ -101,6 +112,10 @@ do_install() {
 install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/
 install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/

+ install -m 0644 ${WORKDIR}/iptables/iptables.rules ${D}${datadir}/iptables/
+ install -m 0644 ${WORKDIR}/iptables/empty-filter.rules ${D}${datadir}/iptables/
+ install -m 0644 ${WORKDIR}/iptables-flush.sh ${D}${datadir}/iptables/
+
 install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${sysconfdir}/skel/.bashrc
 install -m 0644 ${WORKDIR}/share/dot.profile ${D}${sysconfdir}/skel/.profile
 install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${sysconfdir}/skel/.vimrc
diff --git a/meta-citadel/recipes-citadel/citadel-config/files/iptables-flush.sh b/meta-citadel/recipes-citadel/citadel-config/files/iptables-flush.sh
new file mode 100644
index 0000000..5ac73d1
--- /dev/null
+++ b/meta-citadel/recipes-citadel/citadel-config/files/iptables-flush.sh
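Review bot: `+SYSTEMD_SERVICE_${PN} = "iptables.service"` is a plain assignment placed right after the existing `SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path"`, and in BitBake the later `=` replaces the earlier value, so the systemd class will now enable only iptables.service and silently stop enabling zram-swap.service and watch-run-user.path. Use the append form, `SYSTEMD_SERVICE_${PN} += "iptables.service"`, or fold all three units into the one existing assignment. This is the first of the hunks in citadel-config.bb touching the unit registration; the install lines in the later hunks are unaffected by the fix.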
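Review bot: Only `empty-filter.rules` is installed into `${D}${datadir}/iptables/`, while the flush script added in the next hunk (`iptables-flush.sh`) builds `/usr/share/iptables/empty-$table.rules` for every table listed in `/proc/net/ip_tables_names`; if a `nat`, `mangle` or `raw` table happens to be loaded when the unit stops, `cat` fails on the missing file and `iptables-restore` receives only the files that exist, so those tables keep their rules. Either ship an empty rule file for each table the system can load, or make the script skip tables with no file and report that. Separately, `iptables-flush.sh` is installed with `-m 0644` and only runs because the unit invokes it through `/bin/bash`; installing it with `-m 0755` would let `ExecStop=` call it directly and keeps the file mode honest about what it is.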
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+ echo "error: invalid argument"
+ exit 1
+fi
+
+while read -r table; do
+ tables+=("/usr/share/iptables/empty-$table.rules")
+done <"/proc/net/ip$1_tables_names"
+
+if (( ${#tables[*]} )); then
+ cat "${tables[@]}" | "$iptables-restore"
+fi
+
diff --git a/meta-citadel/recipes-citadel/citadel-config/files/iptables/empty-filter.rules b/meta-citadel/recipes-citadel/citadel-config/files/iptables/empty-filter.rules
new file mode 100644
index 0000000..e24e1aa
--- /dev/null
+++ b/meta-citadel/recipes-citadel/citadel-config/files/iptables/empty-filter.rules
@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/meta-citadel/recipes-citadel/citadel-config/files/iptables/iptables.rules b/meta-citadel/recipes-citadel/citadel-config/files/iptables/iptables.rules
new file mode 100644
index 0000000..7f946ef
--- /dev/null
+++ b/meta-citadel/recipes-citadel/citadel-config/files/iptables/iptables.rules
@@ -0,0 +1,9 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -j DROP
+-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
+-A FORWARD -j ACCEPT
+-A OUTPUT -j DROP
+COMMIT
diff --git a/meta-citadel/recipes-citadel/citadel-config/files/systemd/iptables.service b/meta-citadel/recipes-citadel/citadel-config/files/systemd/iptables.service
new file mode 100644
index 0000000..2cf36b6
--- /dev/null
+++ b/meta-citadel/recipes-citadel/citadel-config/files/systemd/iptables.service
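Review bot: `cat "${tables[@]}" | "$iptables-restore"` runs without `set -o pipefail`, so when `cat` fails on a missing `empty-$table.rules` the pipeline's status is that of `iptables-restore` alone and the unit's `ExecStop` reports a successful flush that was in fact partial. Adding `set -o pipefail` after the shebang, and guarding the append with `[[ -r "/usr/share/iptables/empty-$table.rules" ]] || { echo "error: no empty rules for table $table"; exit 1; }`, makes that condition visible instead of silent. `tables` is also never initialised; a `tables=()` before the `while` loop keeps a stray scalar value from the environment from being turned into the first array element. The `type -p "$iptables"` check is a reasonable guard on `$1`, but a one-line comment saying it is the only validation of the argument would help the next reader.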
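Review bot: `-A INPUT -j DROP` is appended before `-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT`, and iptables evaluates appended rules in order with the first match winning, so the DHCP ACCEPT rule can never match and is dead; the unconditional `-A OUTPUT -j DROP` likewise blocks the host's own DHCP requests and all loopback traffic. If the intent is that the host itself has no network and only forwarded traffic is allowed (the `-A FORWARD -j ACCEPT` line suggests that, but it is not stated), drop the unreachable rule and add a leading comment such as `# Host has no network of its own: drop all local INPUT/OUTPUT, forward everything.`; if DHCP is meant to work, move the ACCEPT above the DROP, add the matching OUTPUT rule for udp 67:68, and accept `-i lo` / `-o lo` before the drops. Either way the chain policies stay `ACCEPT`, so if `iptables-restore` ever fails at boot the host runs unfiltered; setting the policies to DROP and relying on explicit ACCEPT rules would fail closed instead.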
@@ -0,0 +1,15 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /usr/share/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /usr/share/iptables/iptables.rules
+ExecStop=/bin/bash /usr/share/iptables/iptables-flush.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+
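Review bot: Nothing in the unit says that `ExecStop=` restores `empty-filter.rules`, whose chain policies are all `ACCEPT`, so `systemctl stop iptables.service` leaves the host with no packet filtering rather than a fail-closed state; a maintainer reading only this file cannot see that. Add a comment above `ExecStop=` such as `# Stop flushes to ACCEPT-all policies via iptables-flush.sh; there is no fail-closed stop state.` Similarly `ExecReload=` re-runs `iptables-restore` without `--noflush`, which replaces the live tables wholesale; that is presumably intended but deserves a one-line comment so nobody later "optimises" it into an incremental reload. The `Before=network-pre.target` / `Wants=network-pre.target` pairing is the right ordering for a firewall unit and needs no change.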