forked from brl/citadel
Citadel iptables service + default filter rules
This commit is contained in:
parent
0254476746
commit
82c43036eb
@ -29,6 +29,11 @@ UDEV_RULES = "\
|
|||||||
file://udev/scsi-alpm.rules \
|
file://udev/scsi-alpm.rules \
|
||||||
"
|
"
|
||||||
|
|
||||||
|
IPTABLES_RULES = "\
|
||||||
|
file://iptables/empty-filter.rules \
|
||||||
|
file://iptables/iptables.rules \
|
||||||
|
"
|
||||||
|
|
||||||
SRC_URI = "\
|
SRC_URI = "\
|
||||||
file://locale.conf \
|
file://locale.conf \
|
||||||
file://environment.sh \
|
file://environment.sh \
|
||||||
@ -40,12 +45,15 @@ SRC_URI = "\
|
|||||||
file://share/dot.profile \
|
file://share/dot.profile \
|
||||||
file://share/dot.vimrc \
|
file://share/dot.vimrc \
|
||||||
file://polkit/citadel.rules \
|
file://polkit/citadel.rules \
|
||||||
|
file://iptables-flush.sh \
|
||||||
file://systemd/zram-swap.service \
|
file://systemd/zram-swap.service \
|
||||||
|
file://systemd/iptables.service \
|
||||||
file://citadel/citadel-image.conf \
|
file://citadel/citadel-image.conf \
|
||||||
${DEFAULT_REALM_UNITS} \
|
${DEFAULT_REALM_UNITS} \
|
||||||
${MODPROBE_CONFIG} \
|
${MODPROBE_CONFIG} \
|
||||||
${SYSCTL_CONFIG} \
|
${SYSCTL_CONFIG} \
|
||||||
${UDEV_RULES} \
|
${UDEV_RULES} \
|
||||||
|
${IPTABLES_RULES} \
|
||||||
"
|
"
|
||||||
|
|
||||||
USERADD_PACKAGES = "${PN}"
|
USERADD_PACKAGES = "${PN}"
|
||||||
@ -58,6 +66,7 @@ RDEPENDS_${PN} = "bash"
|
|||||||
inherit allarch systemd useradd
|
inherit allarch systemd useradd
|
||||||
|
|
||||||
SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path"
|
SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path"
|
||||||
|
SYSTEMD_SERVICE_${PN} = "iptables.service"
|
||||||
|
|
||||||
do_install() {
|
do_install() {
|
||||||
install -m 0755 -d ${D}/storage
|
install -m 0755 -d ${D}/storage
|
||||||
@ -72,6 +81,7 @@ do_install() {
|
|||||||
install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d
|
install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d
|
||||||
install -m 0755 -d ${D}${sysconfdir}/modprobe.d
|
install -m 0755 -d ${D}${sysconfdir}/modprobe.d
|
||||||
install -m 0755 -d ${D}${datadir}/citadel
|
install -m 0755 -d ${D}${datadir}/citadel
|
||||||
|
install -m 0755 -d ${D}${datadir}/iptables
|
||||||
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
|
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
|
||||||
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
|
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
|
||||||
|
|
||||||
@ -83,6 +93,7 @@ do_install() {
|
|||||||
|
|
||||||
install -d ${D}${systemd_system_unitdir}
|
install -d ${D}${systemd_system_unitdir}
|
||||||
install -m 644 ${WORKDIR}/systemd/zram-swap.service ${D}${systemd_system_unitdir}
|
install -m 644 ${WORKDIR}/systemd/zram-swap.service ${D}${systemd_system_unitdir}
|
||||||
|
install -m 644 ${WORKDIR}/systemd/iptables.service ${D}${systemd_system_unitdir}
|
||||||
|
|
||||||
install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir}
|
install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir}
|
||||||
install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir}
|
install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir}
|
||||||
@ -101,6 +112,10 @@ do_install() {
|
|||||||
install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/
|
install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/
|
||||||
install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/
|
install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/
|
||||||
|
|
||||||
|
install -m 0644 ${WORKDIR}/iptables/iptables.rules ${D}${datadir}/iptables/
|
||||||
|
install -m 0644 ${WORKDIR}/iptables/empty-filter.rules ${D}${datadir}/iptables/
|
||||||
|
install -m 0644 ${WORKDIR}/iptables-flush.sh ${D}${datadir}/iptables/
|
||||||
|
|
||||||
install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${sysconfdir}/skel/.bashrc
|
install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${sysconfdir}/skel/.bashrc
|
||||||
install -m 0644 ${WORKDIR}/share/dot.profile ${D}${sysconfdir}/skel/.profile
|
install -m 0644 ${WORKDIR}/share/dot.profile ${D}${sysconfdir}/skel/.profile
|
||||||
install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${sysconfdir}/skel/.vimrc
|
install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${sysconfdir}/skel/.vimrc
|
||||||
|
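Review bot: The added `SYSTEMD_SERVICE_${PN} = "iptables.service"` in the third hunk is a plain `=` assignment, so it replaces the earlier `SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path"` instead of extending it; only iptables.service will be enabled by the systemd class and the zram-swap and watch-run-user units silently stop being managed. Use `SYSTEMD_SERVICE_${PN} += "iptables.service"` or fold all three units into the existing assignment. In the last hunk `iptables-flush.sh` is installed with `-m 0644`; that only works because the unit invokes it through `/bin/bash`, so either install it `-m 0755` or record that dependency in a comment next to the install line.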
@ -0,0 +1,19 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Usage: iptables-flush [6]
|
||||||
|
#
|
||||||
|
|
||||||
|
iptables=ip$1tables
|
||||||
|
if ! type -p "$iptables" &>/dev/null; then
|
||||||
|
echo "error: invalid argument"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
while read -r table; do
|
||||||
|
tables+=("/usr/share/iptables/empty-$table.rules")
|
||||||
|
done <"/proc/net/ip$1_tables_names"
|
||||||
|
|
||||||
|
if (( ${#tables[*]} )); then
|
||||||
|
cat "${tables[@]}" | "$iptables-restore"
|
||||||
|
fi
|
||||||
|
|
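Review bot: The loop that fills `tables` assumes `/usr/share/iptables/empty-$table.rules` exists for every table listed in `/proc/net/ip$1_tables_names`, but the commit ships only `empty-filter.rules`; if nat, mangle or raw is loaded, `cat` fails on the missing file and, with no `set -o pipefail`, the pipeline's status is that of `iptables-restore`, so the script exits 0 after an incomplete flush. Check each file before adding it, report the tables that are skipped on stderr, and enable pipefail so a failed restore is visible to the unit, as below. The `echo "error: invalid argument"` diagnostic should also go to stderr (`>&2`), and the argument is better validated against the two accepted values (empty or `6`) than by probing PATH for a command name built from it.
```shell
# … unchanged: shebang, usage comment, argument check …
set -o pipefail

while read -r table; do
  rules="/usr/share/iptables/empty-$table.rules"
  if [[ -r "$rules" ]]; then
    tables+=("$rules")
  else
    printf 'warning: %s not found; table %s not flushed\n' "$rules" "$table" >&2
  fi
done <"/proc/net/ip$1_tables_names"
# … unchanged: iptables-restore call …
```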
@ -0,0 +1,6 @@
|
|||||||
|
# Empty iptables rule file
|
||||||
|
*filter
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
COMMIT
|
@ -0,0 +1,9 @@
|
|||||||
|
*filter
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
-A INPUT -j DROP
|
||||||
|
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
|
||||||
|
-A FORWARD -j ACCEPT
|
||||||
|
-A OUTPUT -j DROP
|
||||||
|
COMMIT
|
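Review bot: `-A INPUT -j DROP` is appended before `-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT`, and iptables evaluates a chain top to bottom, so the DHCP ACCEPT rule is unreachable and every inbound packet hits the DROP; move the ACCEPT above the DROP, or express the default as the chain policy `:INPUT DROP [0:0]` and delete the explicit `-A INPUT -j DROP`. The explicit `-A OUTPUT -j DROP` could likewise become the policy `:OUTPUT DROP [0:0]`. Nothing in the file accepts loopback traffic; if any host service talks over 127.0.0.1 it will be blocked by the INPUT and OUTPUT drops, so `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT` are probably needed — confirm against what actually runs on the host. A one-line comment at the top stating that this is the host default policy and why FORWARD is left open would help the next reader.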
@ -0,0 +1,15 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=IPv4 Packet Filtering Framework
|
||||||
|
Before=network-pre.target
|
||||||
|
Wants=network-pre.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/sbin/iptables-restore /usr/share/iptables/iptables.rules
|
||||||
|
ExecReload=/sbin/iptables-restore /usr/share/iptables/iptables.rules
|
||||||
|
ExecStop=/bin/bash /usr/share/iptables/iptables-flush.sh
|
||||||
|
RemainAfterExit=yes
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
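Review bot: `ExecStop=/bin/bash /usr/share/iptables/iptables-flush.sh` restores an accept-all ruleset for every loaded table, so stopping the unit or a failed `systemctl restart` leaves the host with no packet filtering, and the unit does not say so. Add `# Stopping this unit flushes all rules to ACCEPT (fail-open); see iptables-flush.sh` above ExecStop, or, if fail-closed is the intended behaviour, have the flush restore a drop-by-default table instead. The paths `/sbin/iptables-restore` and `/usr/share/iptables` are hardcoded here and in the flush script while the recipe installs the files under `${datadir}/iptables` and the script locates iptables via PATH; these agree for the default datadir but would diverge silently if it changed, so substituting the path at install time would be safer.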