From 4fa5de8bf09ed9c2ed5f3fe3f5cf5a23b2ba8010 Mon Sep 17 00:00:00 2001
From: Bruce Leidl
Date: Sun, 29 Nov 2020 18:35:52 -0500
Subject: [PATCH] Install iptables rules

---
 .../bbappends/iptables/iptables.rules | 8 ++++++++
 .../bbappends/iptables/iptables.service | 19 +++++++++++++++++++
 .../bbappends/iptables_%.bbappend | 1 +
 3 files changed, 28 insertions(+)
 create mode 100644 meta-citadel/recipes-citadel/bbappends/iptables/iptables.rules
 create mode 100644 meta-citadel/recipes-citadel/bbappends/iptables/iptables.service
 create mode 100644 meta-citadel/recipes-citadel/bbappends/iptables_%.bbappend

diff --git a/meta-citadel/recipes-citadel/bbappends/iptables/iptables.rules b/meta-citadel/recipes-citadel/bbappends/iptables/iptables.rules
new file mode 100644
index 0000000..15af1b8
--- /dev/null
+++ b/meta-citadel/recipes-citadel/bbappends/iptables/iptables.rules
@@ -0,0 +1,8 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A OUTPUT -j LOG --log-uid --log-prefix 'iptables'
+COMMIT
diff --git a/meta-citadel/recipes-citadel/bbappends/iptables/iptables.service b/meta-citadel/recipes-citadel/bbappends/iptables/iptables.service
new file mode 100644
index 0000000..3de7b37
--- /dev/null
+++ b/meta-citadel/recipes-citadel/bbappends/iptables/iptables.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+
+ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
+
+ExecStopPost=-/sbin/iptables -P INPUT ACCEPT
+ExecStopPost=-/sbin/iptables -P OUTPUT ACCEPT
+ExecStopPost=/sbin/iptables -F
+
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
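Review bot: The final OUTPUT rule logs every packet that is about to hit the DROP policy with no rate limit, so any process that retries connections in a loop (a misconfigured client, or anything probing the network) can fill the kernel log and crowd out other audit messages; a `-m limit` match in front of it keeps the evidence without the flood, e.g. `-A OUTPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-uid --log-prefix 'iptables'`. The rules file is also IPv4-only (the unit is even titled "IPv4 Packet Filtering Framework"), so unless IPv6 is disabled elsewhere on the host, IPv6 traffic is not subject to the DROP policies at all; a matching ip6tables ruleset, or a note recording that IPv6 is turned off, would close that gap. Two smaller observations: with `:OUTPUT DROP` and no `-o lo` / `-i lo` accept, loopback traffic is dropped and logged too, which may or may not be intended, and `-m state` is the legacy spelling of `-m conntrack --ctstate`, which also lets you add `RELATED` alongside `ESTABLISHED` if ICMP errors for the DHCP exchange matter.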
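Review bot: The three ExecStopPost= lines run not only on a deliberate stop but also after a failed ExecStart=, so a rules file that fails to load leaves the host with both policies forced to ACCEPT and an empty ruleset, i.e. the unit fails open; moving the intentional teardown to `ExecStop=` and leaving ExecStopPost= for cleanup that is safe in the failure case (or simply not resetting policies to ACCEPT on failure) would make a broken rules file fail closed instead. The teardown lines also hard-code `/sbin/iptables` while ExecStart=/ExecReload= use `@SBINDIR@/iptables-restore`; using `@SBINDIR@/iptables` keeps the unit consistent and correct if the recipe installs iptables elsewhere, assuming the recipe substitutes both placeholders (the do_install that does so is not in this patch). Consider also whether `ExecStopPost=-` (ignore failure) on the policy resets is wanted, since a silently failed reset followed by the unconditional `-F` leaves a DROP policy with no accept rules, which is a different failure mode from the one the `-` seems to anticipate.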
diff --git a/meta-citadel/recipes-citadel/bbappends/iptables_%.bbappend b/meta-citadel/recipes-citadel/bbappends/iptables_%.bbappend
new file mode 100644
index 0000000..abfb055
--- /dev/null
+++ b/meta-citadel/recipes-citadel/bbappends/iptables_%.bbappend
@@ -0,0 +1 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/iptables:"
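Review bot: The bbappend only prepends a search path; it adds no SRC_URI entries, so the two files in this patch take effect only because the base iptables recipe (not shown here) already lists `iptables.rules` and `iptables.service` in its SRC_URI and substitutes `@SBINDIR@` / `@RULESDIR@` at install time. That dependency is invisible from the one-line file, and a future recipe version that renames or drops those files would silently fall back to upstream defaults with no build error. A comment stating it, e.g. `# Override iptables.rules/iptables.service from the base recipe; relies on its SRC_URI listing both files and on its @SBINDIR@/@RULESDIR@ substitution`, would make the contract explicit for the next maintainer.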