1
0
forked from brl/citadel

Citadel iptables service + default filter rules

This commit is contained in:
dma 2019-01-03 16:48:36 -05:00
parent 0254476746
commit 82c43036eb
5 changed files with 64 additions and 0 deletions

View File

@ -29,6 +29,11 @@ UDEV_RULES = "\
file://udev/scsi-alpm.rules \ file://udev/scsi-alpm.rules \
" "
IPTABLES_RULES = "\
file://iptables/empty-filter.rules \
file://iptables/iptables.rules \
"
SRC_URI = "\ SRC_URI = "\
file://locale.conf \ file://locale.conf \
file://environment.sh \ file://environment.sh \
@ -40,12 +45,15 @@ SRC_URI = "\
file://share/dot.profile \ file://share/dot.profile \
file://share/dot.vimrc \ file://share/dot.vimrc \
file://polkit/citadel.rules \ file://polkit/citadel.rules \
file://iptables-flush.sh \
file://systemd/zram-swap.service \ file://systemd/zram-swap.service \
file://systemd/iptables.service \
file://citadel/citadel-image.conf \ file://citadel/citadel-image.conf \
${DEFAULT_REALM_UNITS} \ ${DEFAULT_REALM_UNITS} \
${MODPROBE_CONFIG} \ ${MODPROBE_CONFIG} \
${SYSCTL_CONFIG} \ ${SYSCTL_CONFIG} \
${UDEV_RULES} \ ${UDEV_RULES} \
${IPTABLES_RULES} \
" "
USERADD_PACKAGES = "${PN}" USERADD_PACKAGES = "${PN}"
@ -58,6 +66,7 @@ RDEPENDS_${PN} = "bash"
inherit allarch systemd useradd inherit allarch systemd useradd
SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path" SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path"
SYSTEMD_SERVICE_${PN} = "iptables.service"
do_install() { do_install() {
install -m 0755 -d ${D}/storage install -m 0755 -d ${D}/storage
@ -72,6 +81,7 @@ do_install() {
install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d
install -m 0755 -d ${D}${sysconfdir}/modprobe.d install -m 0755 -d ${D}${sysconfdir}/modprobe.d
install -m 0755 -d ${D}${datadir}/citadel install -m 0755 -d ${D}${datadir}/citadel
install -m 0755 -d ${D}${datadir}/iptables
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
@ -83,6 +93,7 @@ do_install() {
install -d ${D}${systemd_system_unitdir} install -d ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/zram-swap.service ${D}${systemd_system_unitdir} install -m 644 ${WORKDIR}/systemd/zram-swap.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/iptables.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir} install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir} install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir}
@ -101,6 +112,10 @@ do_install() {
install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/ install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/
install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/ install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/
install -m 0644 ${WORKDIR}/iptables/iptables.rules ${D}${datadir}/iptables/
install -m 0644 ${WORKDIR}/iptables/empty-filter.rules ${D}${datadir}/iptables/
install -m 0644 ${WORKDIR}/iptables-flush.sh ${D}${datadir}/iptables/
install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${sysconfdir}/skel/.bashrc install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${sysconfdir}/skel/.bashrc
install -m 0644 ${WORKDIR}/share/dot.profile ${D}${sysconfdir}/skel/.profile install -m 0644 ${WORKDIR}/share/dot.profile ${D}${sysconfdir}/skel/.profile
install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${sysconfdir}/skel/.vimrc install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${sysconfdir}/skel/.vimrc

View File

@ -0,0 +1,19 @@
#!/bin/bash
#
# Usage: iptables-flush [6]
#
iptables=ip$1tables
if ! type -p "$iptables" &>/dev/null; then
echo "error: invalid argument"
exit 1
fi
while read -r table; do
tables+=("/usr/share/iptables/empty-$table.rules")
done <"/proc/net/ip$1_tables_names"
if (( ${#tables[*]} )); then
cat "${tables[@]}" | "$iptables-restore"
fi

View File

@ -0,0 +1,6 @@
# Empty iptables rule file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

View File

@ -0,0 +1,9 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j DROP
COMMIT

View File

@ -0,0 +1,15 @@
[Unit]
Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /usr/share/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /usr/share/iptables/iptables.rules
ExecStop=/bin/bash /usr/share/iptables/iptables-flush.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target