Citadel iptables service + default filter rules

meta-citadel/recipes-citadel/citadel-config/citadel-config.bb

@@ -29,6 +29,11 @@ UDEV_RULES = "\
     file://udev/scsi-alpm.rules \
 "
 
+IPTABLES_RULES = "\
+    file://iptables/empty-filter.rules \
+    file://iptables/iptables.rules \
+"
+
 SRC_URI = "\
     file://locale.conf \
     file://environment.sh \
@@ -40,12 +45,15 @@ SRC_URI = "\
     file://share/dot.profile \
     file://share/dot.vimrc \
     file://polkit/citadel.rules \
+    file://iptables-flush.sh \
     file://systemd/zram-swap.service \
+    file://systemd/iptables.service \
     file://citadel/citadel-image.conf \
     ${DEFAULT_REALM_UNITS} \
     ${MODPROBE_CONFIG} \
     ${SYSCTL_CONFIG} \
     ${UDEV_RULES} \
+    ${IPTABLES_RULES} \
 "
 
 USERADD_PACKAGES = "${PN}"
@@ -58,6 +66,7 @@ RDEPENDS_${PN} = "bash"
 inherit allarch systemd useradd
 
 SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path"
+SYSTEMD_SERVICE_${PN} = "iptables.service"
 
 do_install() {
     install -m 0755 -d ${D}/storage
@@ -72,6 +81,7 @@ do_install() {
     install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d
     install -m 0755 -d ${D}${sysconfdir}/modprobe.d
     install -m 0755 -d ${D}${datadir}/citadel
+    install -m 0755 -d ${D}${datadir}/iptables
     install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
     install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
 
@@ -83,6 +93,7 @@ do_install() {
 
     install -d ${D}${systemd_system_unitdir}
     install -m 644 ${WORKDIR}/systemd/zram-swap.service ${D}${systemd_system_unitdir}
+    install -m 644 ${WORKDIR}/systemd/iptables.service ${D}${systemd_system_unitdir}
 
     install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir}
     install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir}
@@ -101,6 +112,10 @@ do_install() {
     install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/
     install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/
 
+    install -m 0644 ${WORKDIR}/iptables/iptables.rules ${D}${datadir}/iptables/
+    install -m 0644 ${WORKDIR}/iptables/empty-filter.rules ${D}${datadir}/iptables/
+    install -m 0644 ${WORKDIR}/iptables-flush.sh ${D}${datadir}/iptables/
+
     install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${sysconfdir}/skel/.bashrc
     install -m 0644 ${WORKDIR}/share/dot.profile ${D}${sysconfdir}/skel/.profile
     install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${sysconfdir}/skel/.vimrc

meta-citadel/recipes-citadel/citadel-config/files/iptables-flush.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+  echo "error: invalid argument"
+  exit 1
+fi
+
+while read -r table; do
+  tables+=("/usr/share/iptables/empty-$table.rules")
+done <"/proc/net/ip$1_tables_names"
+
+if (( ${#tables[*]} )); then
+  cat "${tables[@]}" | "$iptables-restore"
+fi
+

meta-citadel/recipes-citadel/citadel-config/files/iptables/empty-filter.rules

@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT

meta-citadel/recipes-citadel/citadel-config/files/iptables/iptables.rules

@@ -0,0 +1,9 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -j DROP
+-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
+-A FORWARD -j ACCEPT
+-A OUTPUT -j DROP
+COMMIT

meta-citadel/recipes-citadel/citadel-config/files/systemd/iptables.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /usr/share/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /usr/share/iptables/iptables.rules
+ExecStop=/bin/bash /usr/share/iptables/iptables-flush.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+