commit
f71f99c132
@ -0,0 +1 @@
|
||||
SOURCES/iptables-1.8.10.tar.xz
|
@ -0,0 +1 @@
|
||||
ddbebf81eacbf900dc6dd4ed409353930397e0c2 SOURCES/iptables-1.8.10.tar.xz
|
@ -0,0 +1,336 @@
|
||||
From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Thu, 17 Jun 2021 18:44:28 +0200
|
||||
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945151
|
||||
Upstream Status: RHEL-only
|
||||
|
||||
This is RHEL9 trying to friendly kick people towards nftables.
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/arptables-nft-restore.8 | 13 ++++++++++++-
|
||||
iptables/arptables-nft-save.8 | 14 +++++++++++++-
|
||||
iptables/arptables-nft.8 | 19 ++++++++++++++++++-
|
||||
iptables/ebtables-nft.8 | 15 ++++++++++++++-
|
||||
iptables/iptables-apply.8.in | 14 +++++++++++++-
|
||||
iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
|
||||
iptables/iptables-restore.8.in | 17 ++++++++++++++++-
|
||||
iptables/iptables-save.8.in | 15 ++++++++++++++-
|
||||
iptables/iptables.8.in | 17 +++++++++++++++++
|
||||
iptables/xtables-monitor.8.in | 11 +++++++++++
|
||||
10 files changed, 142 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
|
||||
index 09d9082..b1bf029 100644
|
||||
--- a/iptables/arptables-nft-restore.8
|
||||
+++ b/iptables/arptables-nft-restore.8
|
||||
@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
|
||||
.SH SYNOPSIS
|
||||
\fBarptables\-restore
|
||||
.SH DESCRIPTION
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
.PP
|
||||
.B arptables-restore
|
||||
is used to restore ARP Tables from data specified on STDIN or
|
||||
@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
|
||||
.SH AUTHOR
|
||||
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
.SH SEE ALSO
|
||||
-\fBarptables\-save\fP(8), \fBarptables\fP(8)
|
||||
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||
.PP
|
||||
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
|
||||
index 905e598..49bb0f6 100644
|
||||
--- a/iptables/arptables-nft-save.8
|
||||
+++ b/iptables/arptables-nft-save.8
|
||||
@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
|
||||
\fBarptables\-save\fP [\fB\-V\fP]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B arptables-save
|
||||
is used to dump the contents of an ARP Table in easily parseable format
|
||||
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
|
||||
@@ -43,5 +55,5 @@ Print version information and exit.
|
||||
.SH AUTHOR
|
||||
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
.SH SEE ALSO
|
||||
-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
|
||||
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||
.PP
|
||||
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
|
||||
index ea31e08..ec5b993 100644
|
||||
--- a/iptables/arptables-nft.8
|
||||
+++ b/iptables/arptables-nft.8
|
||||
@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
|
||||
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
|
||||
|
||||
.SH DESCRIPTION
|
||||
+.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B arptables
|
||||
is a user space tool, it is used to set up and maintain the
|
||||
tables of ARP rules in the Linux kernel. These rules inspect
|
||||
@@ -340,9 +353,13 @@ bridges, the same may be achieved using
|
||||
chain in
|
||||
.BR ebtables .
|
||||
|
||||
+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
|
||||
+will not receive new features. New setups should use \fBnft\fP(8). Existing
|
||||
+setups should migrate to \fBnft\fP(8) when possible.
|
||||
+
|
||||
.SH MAILINGLISTS
|
||||
.BR "" "See " http://netfilter.org/mailinglists.html
|
||||
.SH SEE ALSO
|
||||
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
|
||||
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
|
||||
.PP
|
||||
.BR "" "See " https://wiki.nftables.org
|
||||
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
|
||||
index 0304b50..cfd617a 100644
|
||||
--- a/iptables/ebtables-nft.8
|
||||
+++ b/iptables/ebtables-nft.8
|
||||
@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||
.br
|
||||
|
||||
.SH DESCRIPTION
|
||||
+.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B ebtables
|
||||
is an application program used to set up and maintain the
|
||||
tables of rules (inside the Linux kernel) that inspect
|
||||
@@ -1083,6 +1096,6 @@ has not been implemented, although
|
||||
might replace them entirely given the inherent atomicity of nftables.
|
||||
Finally, this list is probably not complete.
|
||||
.SH SEE ALSO
|
||||
-.BR xtables-nft "(8), " iptables "(8), " ip (8)
|
||||
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
|
||||
.PP
|
||||
.BR "" "See " https://wiki.nftables.org
|
||||
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
|
||||
index f0ed4e5..7f99a21 100644
|
||||
--- a/iptables/iptables-apply.8.in
|
||||
+++ b/iptables/iptables-apply.8.in
|
||||
@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
|
||||
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
iptables\-apply will try to apply a new rulesfile (as output by
|
||||
iptables-save, read by iptables-restore) or run a command to configure
|
||||
iptables and then prompt the user whether the changes are okay. If the
|
||||
@@ -47,7 +59,7 @@ Display usage information.
|
||||
Display version information.
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
|
||||
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
|
||||
.SH LEGALESE
|
||||
.PP
|
||||
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
|
||||
diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
|
||||
index 99d89a1..73d40bb 100644
|
||||
--- a/iptables/iptables-extensions.8.tmpl.in
|
||||
+++ b/iptables/iptables-extensions.8.tmpl.in
|
||||
@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
|
||||
.PP
|
||||
\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
|
||||
[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
|
||||
+.SH DESCRIPTION
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details. There is also
|
||||
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
|
||||
+to help with the migration.
|
||||
.SH MATCH EXTENSIONS
|
||||
iptables can use extended packet matching modules
|
||||
with the \fB\-m\fP or \fB\-\-match\fP
|
||||
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
|
||||
index aa816f7..353d4dc 100644
|
||||
--- a/iptables/iptables-restore.8.in
|
||||
+++ b/iptables/iptables-restore.8.in
|
||||
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
|
||||
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
|
||||
[\fIfile\fP]
|
||||
.SH DESCRIPTION
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details. There is also
|
||||
+.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
|
||||
+to help with the migration.
|
||||
.PP
|
||||
.B iptables-restore
|
||||
and
|
||||
@@ -82,7 +95,9 @@ from Rusty Russell.
|
||||
.br
|
||||
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
|
||||
.SH SEE ALSO
|
||||
-\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8)
|
||||
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
|
||||
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
|
||||
+\fBip6tables\-restore\-translate\fP(8)
|
||||
.PP
|
||||
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
|
||||
index 65c1f28..d47be27 100644
|
||||
--- a/iptables/iptables-save.8.in
|
||||
+++ b/iptables/iptables-save.8.in
|
||||
@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
|
||||
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B iptables-save
|
||||
and
|
||||
.B ip6tables-save
|
||||
@@ -66,7 +78,8 @@ Rusty Russell <rusty@rustcorp.com.au>
|
||||
.br
|
||||
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
|
||||
.SH SEE ALSO
|
||||
-\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
|
||||
+\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8),
|
||||
+\fBnft\fP(8)
|
||||
.PP
|
||||
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
|
||||
index ecaa555..4c4a15a 100644
|
||||
--- a/iptables/iptables.8.in
|
||||
+++ b/iptables/iptables.8.in
|
||||
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
|
||||
.PP
|
||||
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
|
||||
.SH DESCRIPTION
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details. There is also
|
||||
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
|
||||
+to help with the migration.
|
||||
+.PP
|
||||
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
|
||||
tables of IPv4 and IPv6 packet
|
||||
filter rules in the Linux kernel. Several different tables
|
||||
@@ -455,6 +469,9 @@ There are several other changes in iptables.
|
||||
\fBiptables\-save\fP(8),
|
||||
\fBiptables\-restore\fP(8),
|
||||
\fBiptables\-extensions\fP(8),
|
||||
+\fBnft\fP(8),
|
||||
+\fBiptables\-translate\fP(8),
|
||||
+\fBip6tables\-translate\fP(8)
|
||||
.PP
|
||||
The packet-filtering-HOWTO details iptables usage for
|
||||
packet filtering, the NAT-HOWTO details NAT,
|
||||
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
|
||||
index a7f22c0..e21d7ff 100644
|
||||
--- a/iptables/xtables-monitor.8.in
|
||||
+++ b/iptables/xtables-monitor.8.in
|
||||
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
|
||||
.PP
|
||||
\
|
||||
.SH DESCRIPTION
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
.PP
|
||||
.B xtables-monitor
|
||||
is used to monitor changes to the ruleset or to show rule evaluation events
|
@ -0,0 +1,28 @@
|
||||
From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 21:51:49 +0200
|
||||
Subject: [PATCH] extensions: SECMARK: Use a better context in test case
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047558
|
||||
Upstream Status: RHEL-only
|
||||
|
||||
RHEL SELinux policies don't allow setting
|
||||
system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
|
||||
'packet_type' attribute (identified via
|
||||
'seinfo -xt | grep packet_type').
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
extensions/libxt_SECMARK.t | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
||||
index 39d4c09..295e7a7 100644
|
||||
--- a/extensions/libxt_SECMARK.t
|
||||
+++ b/extensions/libxt_SECMARK.t
|
||||
@@ -1,4 +1,4 @@
|
||||
:INPUT,FORWARD,OUTPUT
|
||||
*security
|
||||
--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
||||
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
|
||||
-j SECMARK;;FAIL
|
@ -0,0 +1,73 @@
|
||||
From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Tue, 7 Nov 2023 23:44:55 +0100
|
||||
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-14147
|
||||
Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||
|
||||
commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue Nov 7 19:12:14 2023 +0100
|
||||
|
||||
ebtables: Fix corner-case noflush restore bug
|
||||
|
||||
Report came from firwalld, but this is actually rather hard to trigger.
|
||||
Since a regular chain line prevents it, typical dump/restore use-cases
|
||||
are unaffected.
|
||||
|
||||
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
|
||||
Cc: Eric Garver <eric@garver.life>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
|
||||
iptables/xtables-eb.c | 2 ++
|
||||
2 files changed, 27 insertions(+)
|
||||
create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||
|
||||
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||
new file mode 100755
|
||||
index 0000000..0def0ac
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||
@@ -0,0 +1,25 @@
|
||||
+#!/bin/sh
|
||||
+#
|
||||
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
|
||||
+# - with --noflush
|
||||
+# - a second table after the broute one
|
||||
+# - A policy command but no chain line for BROUTING chain
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+case "$XT_MULTI" in
|
||||
+*xtables-nft-multi)
|
||||
+ ;;
|
||||
+*)
|
||||
+ echo "skip $XT_MULTI"
|
||||
+ exit 0
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
+$XT_MULTI ebtables-restore --noflush <<EOF
|
||||
+*broute
|
||||
+-P BROUTING ACCEPT
|
||||
+*nat
|
||||
+-P PREROUTING ACCEPT
|
||||
+COMMIT
|
||||
+EOF
|
||||
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
||||
index 08eec79..a8ad57c 100644
|
||||
--- a/iptables/xtables-eb.c
|
||||
+++ b/iptables/xtables-eb.c
|
||||
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
|
||||
return NF_BR_LOCAL_OUT;
|
||||
else if (strcmp(chain, "POSTROUTING") == 0)
|
||||
return NF_BR_POST_ROUTING;
|
||||
+ else if (strcmp(chain, "BROUTING") == 0)
|
||||
+ return NF_BR_BROUTING;
|
||||
|
||||
/* placeholder for user defined chain */
|
||||
return NF_BR_NUMHOOKS;
|
@ -0,0 +1,73 @@
|
||||
#!/bin/sh
|
||||
|
||||
ARPTABLES_CONFIG=/etc/sysconfig/arptables
|
||||
|
||||
# compat for removed initscripts dependency
|
||||
|
||||
success() {
|
||||
echo "[ OK ]"
|
||||
return 0
|
||||
}
|
||||
|
||||
failure() {
|
||||
echo "[FAILED]"
|
||||
return 1
|
||||
}
|
||||
|
||||
start() {
|
||||
if [ ! -x /usr/sbin/arptables ]; then
|
||||
exit 4
|
||||
fi
|
||||
|
||||
# don't do squat if we don't have the config file
|
||||
if [ -f $ARPTABLES_CONFIG ]; then
|
||||
printf "Applying arptables firewall rules: "
|
||||
/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
|
||||
success || \
|
||||
failure
|
||||
touch /var/lock/subsys/arptables
|
||||
else
|
||||
failure
|
||||
echo "Configuration file /etc/sysconfig/arptables missing"
|
||||
exit 6
|
||||
fi
|
||||
}
|
||||
|
||||
stop() {
|
||||
printf "Removing user defined chains: "
|
||||
arptables -X && success || failure
|
||||
printf "Flushing all chains: "
|
||||
arptables -F && success || failure
|
||||
printf "Resetting built-in chains to the default ACCEPT policy: "
|
||||
arptables -P INPUT ACCEPT && \
|
||||
arptables -P OUTPUT ACCEPT && \
|
||||
success || \
|
||||
failure
|
||||
rm -f /var/lock/subsys/arptables
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
start
|
||||
;;
|
||||
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
|
||||
restart|reload)
|
||||
# "restart" is really just "start" as this isn't a daemon,
|
||||
# and "start" clears any pre-defined rules anyway.
|
||||
# This is really only here to make those who expect it happy
|
||||
start
|
||||
;;
|
||||
|
||||
condrestart|try-restart|force-reload)
|
||||
[ -e /var/lock/subsys/arptables ] && start
|
||||
;;
|
||||
|
||||
*)
|
||||
exit 2
|
||||
esac
|
||||
|
||||
exit 0
|
@ -0,0 +1,12 @@
|
||||
[Unit]
|
||||
Description=Automates a packet filtering firewall with arptables
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/libexec/arptables-helper start
|
||||
ExecStop=/usr/libexec/arptables-helper stop
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,11 @@
|
||||
# Save current firewall rules on stop.
|
||||
# Value: yes|no, default: no
|
||||
# Saves all firewall rules if firewall gets stopped
|
||||
# (e.g. on system shutdown).
|
||||
EBTABLES_SAVE_ON_STOP="no"
|
||||
|
||||
# Save (and restore) rule counters.
|
||||
# Value: yes|no, default: no
|
||||
# Save rule counters when saving a kernel table to a file. If the
|
||||
# rule counters were saved, they will be restored when restoring the table.
|
||||
EBTABLES_SAVE_COUNTER="no"
|
@ -0,0 +1,104 @@
|
||||
#!/bin/bash
|
||||
|
||||
# compat for removed initscripts dependency
|
||||
|
||||
success() {
|
||||
echo "[ OK ]"
|
||||
return 0
|
||||
}
|
||||
|
||||
failure() {
|
||||
echo "[FAILED]"
|
||||
return 1
|
||||
}
|
||||
|
||||
# internal variables
|
||||
EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
|
||||
EBTABLES_DATA=/etc/sysconfig/ebtables
|
||||
EBTABLES_TABLES="filter nat"
|
||||
if ebtables --version | grep -q '(legacy)'; then
|
||||
EBTABLES_TABLES+=" broute"
|
||||
fi
|
||||
VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
|
||||
|
||||
# ebtables-config defaults
|
||||
EBTABLES_SAVE_ON_STOP="no"
|
||||
EBTABLES_SAVE_COUNTER="no"
|
||||
|
||||
# load config if existing
|
||||
[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
|
||||
|
||||
initialize() {
|
||||
local ret=0
|
||||
for table in $EBTABLES_TABLES; do
|
||||
ebtables -t $table --init-table || ret=1
|
||||
done
|
||||
return $ret
|
||||
}
|
||||
|
||||
sanitize_dump() {
|
||||
local drop=false
|
||||
|
||||
export EBTABLES_TABLES
|
||||
|
||||
cat $1 | while read line; do
|
||||
case $line in
|
||||
\**)
|
||||
drop=false
|
||||
local table="${line#\*}"
|
||||
local found=false
|
||||
for t in $EBTABLES_TABLES; do
|
||||
if [[ $t == "$table" ]]; then
|
||||
found=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
$found || drop=true
|
||||
;;
|
||||
esac
|
||||
$drop || echo "$line"
|
||||
done
|
||||
}
|
||||
|
||||
start() {
|
||||
if [ -f $EBTABLES_DATA ]; then
|
||||
echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
|
||||
sanitize_dump $EBTABLES_DATA | ebtables-restore
|
||||
else
|
||||
echo -n $"ebtables: no stored ruleset, initializing empty tables: "
|
||||
initialize
|
||||
fi
|
||||
local ret=$?
|
||||
touch $VAR_SUBSYS_EBTABLES
|
||||
return $ret
|
||||
}
|
||||
|
||||
save() {
|
||||
echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
|
||||
export EBTABLES_SAVE_COUNTER
|
||||
ebtables-save >$EBTABLES_DATA && success || failure
|
||||
}
|
||||
|
||||
case $1 in
|
||||
start)
|
||||
[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
|
||||
start && success || failure
|
||||
RETVAL=$?
|
||||
;;
|
||||
stop)
|
||||
[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
|
||||
echo -n $"ebtables: stopping firewall: "
|
||||
initialize && success || failure
|
||||
RETVAL=$?
|
||||
rm -f $VAR_SUBSYS_EBTABLES
|
||||
;;
|
||||
save)
|
||||
save
|
||||
;;
|
||||
*)
|
||||
echo "usage: ${0##*/} {start|stop|save}" >&2
|
||||
RETVAL=2
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
@ -0,0 +1,11 @@
|
||||
[Unit]
|
||||
Description=Ethernet Bridge Filtering tables
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/libexec/ebtables-helper start
|
||||
ExecStop=/usr/libexec/ebtables-helper stop
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,59 @@
|
||||
# Load additional iptables modules (nat helpers)
|
||||
# Default: -none-
|
||||
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
|
||||
# are loaded after the firewall rules are applied. Options for the helpers are
|
||||
# stored in /etc/modprobe.conf.
|
||||
IPTABLES_MODULES=""
|
||||
|
||||
# Save current firewall rules on stop.
|
||||
# Value: yes|no, default: no
|
||||
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
|
||||
# (e.g. on system shutdown).
|
||||
IPTABLES_SAVE_ON_STOP="no"
|
||||
|
||||
# Save current firewall rules on restart.
|
||||
# Value: yes|no, default: no
|
||||
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
|
||||
# restarted.
|
||||
IPTABLES_SAVE_ON_RESTART="no"
|
||||
|
||||
# Save (and restore) rule and chain counter.
|
||||
# Value: yes|no, default: no
|
||||
# Save counters for rules and chains to /etc/sysconfig/iptables if
|
||||
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
|
||||
# SAVE_ON_RESTART is enabled.
|
||||
IPTABLES_SAVE_COUNTER="no"
|
||||
|
||||
# Numeric status output
|
||||
# Value: yes|no, default: yes
|
||||
# Print IP addresses and port numbers in numeric format in the status output.
|
||||
IPTABLES_STATUS_NUMERIC="yes"
|
||||
|
||||
# Verbose status output
|
||||
# Value: yes|no, default: yes
|
||||
# Print info about the number of packets and bytes plus the "input-" and
|
||||
# "outputdevice" in the status output.
|
||||
IPTABLES_STATUS_VERBOSE="no"
|
||||
|
||||
# Status output with numbered lines
|
||||
# Value: yes|no, default: yes
|
||||
# Print a counter/number for every rule in the status output.
|
||||
IPTABLES_STATUS_LINENUMBERS="yes"
|
||||
|
||||
# Reload sysctl settings on start and restart
|
||||
# Default: -none-
|
||||
# Space separated list of sysctl items which are to be reloaded on start.
|
||||
# List items will be matched by fgrep.
|
||||
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
|
||||
|
||||
# Set wait option for iptables-restore calls in seconds
|
||||
# Default: 600
|
||||
# Set to 0 to deactivate the wait.
|
||||
#IPTABLES_RESTORE_WAIT=600
|
||||
|
||||
# Set wait interval option for iptables-restore calls in microseconds
|
||||
# Default: 1000000
|
||||
# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
|
||||
# second.
|
||||
# Only usable with IPTABLES_RESTORE_WAIT > 0
|
||||
#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
|
@ -0,0 +1,35 @@
|
||||
extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
|
||||
extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
|
||||
extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
|
||||
extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
|
||||
extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
|
||||
extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
|
||||
extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
|
||||
extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
|
||||
extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
|
||||
extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
|
||||
extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
|
||||
extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
|
||||
extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
|
||||
extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
|
||||
extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
|
||||
extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
|
||||
extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
|
||||
extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
|
||||
extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
|
||||
extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
|
||||
extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
|
||||
extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
|
||||
extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
|
||||
extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
|
||||
extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
|
||||
extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
|
||||
extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
|
||||
extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
|
||||
extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
|
||||
extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
|
||||
extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
|
||||
extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
|
||||
extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
|
||||
extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
|
||||
extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
|
@ -0,0 +1,450 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# iptables Start iptables firewall
|
||||
#
|
||||
# chkconfig: 2345 08 92
|
||||
# description: Starts, stops and saves iptables firewall
|
||||
#
|
||||
# config: /etc/sysconfig/iptables
|
||||
# config: /etc/sysconfig/iptables-config
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: iptables
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: start and stop iptables firewall
|
||||
# Description: Start, stop and save iptables firewall
|
||||
### END INIT INFO
|
||||
|
||||
# compat for removed initscripts dependency
|
||||
|
||||
success() {
|
||||
echo -n "[ OK ]"
|
||||
return 0
|
||||
}
|
||||
|
||||
warning() {
|
||||
echo -n "[WARNING]"
|
||||
return 1
|
||||
}
|
||||
|
||||
failure() {
|
||||
echo -n "[FAILED]"
|
||||
return 1
|
||||
}
|
||||
|
||||
IPTABLES=iptables
|
||||
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
|
||||
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
|
||||
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
|
||||
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
|
||||
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
|
||||
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
|
||||
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
|
||||
|
||||
# only usable for root
|
||||
if [ $EUID != 0 ]; then
|
||||
echo -n $"${IPTABLES}: Only usable by root."; warning; echo
|
||||
exit 4
|
||||
fi
|
||||
|
||||
if [ ! -x /sbin/$IPTABLES ]; then
|
||||
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
|
||||
exit 5
|
||||
fi
|
||||
|
||||
# Default firewall configuration:
|
||||
IPTABLES_MODULES=""
|
||||
IPTABLES_SAVE_ON_STOP="no"
|
||||
IPTABLES_SAVE_ON_RESTART="no"
|
||||
IPTABLES_SAVE_COUNTER="no"
|
||||
IPTABLES_STATUS_NUMERIC="yes"
|
||||
IPTABLES_STATUS_VERBOSE="no"
|
||||
IPTABLES_STATUS_LINENUMBERS="yes"
|
||||
IPTABLES_SYSCTL_LOAD_LIST=""
|
||||
IPTABLES_RESTORE_WAIT=600
|
||||
IPTABLES_RESTORE_WAIT_INTERVAL=1000000
|
||||
|
||||
# Load firewall configuration.
|
||||
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
|
||||
|
||||
is_iptables_nft() {
|
||||
iptables --version | grep -q '(nf_tables)'
|
||||
}
|
||||
|
||||
netfilter_active() {
|
||||
is_iptables_nft && return 0
|
||||
[ -e "$PROC_IPTABLES_NAMES" ]
|
||||
}
|
||||
|
||||
netfilter_tables() {
|
||||
netfilter_active || return 1
|
||||
is_iptables_nft && {
|
||||
# explicitly omit security table from this list as
|
||||
# it should be reserved for SELinux use
|
||||
echo "raw mangle filter nat"
|
||||
return 0
|
||||
}
|
||||
cat "$PROC_IPTABLES_NAMES" 2>/dev/null
|
||||
}
|
||||
|
||||
# Get active tables
|
||||
NF_TABLES=$(netfilter_tables)
|
||||
|
||||
|
||||
flush_n_delete() {
|
||||
# Flush firewall rules and delete chains.
|
||||
netfilter_active || return 0
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
[ -z "$NF_TABLES" ] && return 1
|
||||
|
||||
echo -n $"${IPTABLES}: Flushing firewall rules: "
|
||||
ret=0
|
||||
# For all tables
|
||||
for i in $NF_TABLES; do
|
||||
# Flush firewall rules.
|
||||
$IPTABLES -t $i -F;
|
||||
let ret+=$?;
|
||||
|
||||
# Delete firewall chains.
|
||||
$IPTABLES -t $i -X;
|
||||
let ret+=$?;
|
||||
|
||||
# Set counter to zero.
|
||||
$IPTABLES -t $i -Z;
|
||||
let ret+=$?;
|
||||
done
|
||||
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
return $ret
|
||||
}
|
||||
|
||||
set_policy() {
|
||||
# Set policy for configured tables.
|
||||
policy=$1
|
||||
|
||||
# Check if iptable module is loaded
|
||||
netfilter_active || return 0
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=$(netfilter_tables)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
|
||||
ret=0
|
||||
for i in $tables; do
|
||||
echo -n "$i "
|
||||
case "$i" in
|
||||
raw)
|
||||
$IPTABLES -t raw -P PREROUTING $policy \
|
||||
&& $IPTABLES -t raw -P OUTPUT $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
filter)
|
||||
$IPTABLES -t filter -P INPUT $policy \
|
||||
&& $IPTABLES -t filter -P OUTPUT $policy \
|
||||
&& $IPTABLES -t filter -P FORWARD $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
nat)
|
||||
$IPTABLES -t nat -P PREROUTING $policy \
|
||||
&& $IPTABLES -t nat -P POSTROUTING $policy \
|
||||
&& $IPTABLES -t nat -P OUTPUT $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
mangle)
|
||||
$IPTABLES -t mangle -P PREROUTING $policy \
|
||||
&& $IPTABLES -t mangle -P POSTROUTING $policy \
|
||||
&& $IPTABLES -t mangle -P INPUT $policy \
|
||||
&& $IPTABLES -t mangle -P OUTPUT $policy \
|
||||
&& $IPTABLES -t mangle -P FORWARD $policy \
|
||||
|| let ret+=1
|
||||
;;
|
||||
*)
|
||||
let ret+=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
return $ret
|
||||
}
|
||||
|
||||
load_sysctl() {
|
||||
# load matched sysctl values
|
||||
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
|
||||
echo -n $"Loading sysctl settings: "
|
||||
ret=0
|
||||
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
|
||||
fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
|
||||
let ret+=$?;
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
fi
|
||||
return $ret
|
||||
}
|
||||
|
||||
start() {
|
||||
# Do not start if there is no config file.
|
||||
if [ ! -f "$IPTABLES_DATA" ]; then
|
||||
echo -n $"${IPTABLES}: No config file."; warning; echo
|
||||
return 6
|
||||
fi
|
||||
|
||||
# check if ipv6 module load is deactivated
|
||||
if [ "${_IPV}" = "ipv6" ] \
|
||||
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
|
||||
echo $"${IPTABLES}: ${_IPV} is disabled."
|
||||
return 150
|
||||
fi
|
||||
|
||||
echo -n $"${IPTABLES}: Applying firewall rules: "
|
||||
|
||||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
|
||||
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
|
||||
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
|
||||
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
|
||||
fi
|
||||
fi
|
||||
|
||||
$IPTABLES-restore $OPT $IPTABLES_DATA
|
||||
if [ $? -eq 0 ]; then
|
||||
success; echo
|
||||
else
|
||||
failure; echo;
|
||||
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
|
||||
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
|
||||
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
|
||||
if [ $? -eq 0 ]; then
|
||||
success; echo
|
||||
else
|
||||
failure; echo; return 1
|
||||
fi
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Load additional modules (helpers)
|
||||
if [ -n "$IPTABLES_MODULES" ]; then
|
||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||
ret=0
|
||||
for mod in $IPTABLES_MODULES; do
|
||||
echo -n "$mod "
|
||||
modprobe $mod > /dev/null 2>&1
|
||||
let ret+=$?;
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
fi
|
||||
|
||||
# Load sysctl settings
|
||||
load_sysctl
|
||||
|
||||
touch $VAR_SUBSYS_IPTABLES
|
||||
return $ret
|
||||
}
|
||||
|
||||
stop() {
|
||||
# Do not stop if iptables module is not loaded.
|
||||
netfilter_active || return 0
|
||||
|
||||
# Set default chain policy to ACCEPT, in order to not break shutdown
|
||||
# on systems where the default policy is DROP and root device is
|
||||
# network-based (i.e.: iSCSI, NFS)
|
||||
set_policy ACCEPT
|
||||
# And then, flush the rules and delete chains
|
||||
flush_n_delete
|
||||
|
||||
rm -f $VAR_SUBSYS_IPTABLES
|
||||
return $ret
|
||||
}
|
||||
|
||||
save() {
|
||||
# Check if iptable module is loaded
|
||||
if ! netfilter_active; then
|
||||
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
|
||||
return 0
|
||||
fi
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
if [ -z "$NF_TABLES" ]; then
|
||||
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
|
||||
return 6
|
||||
fi
|
||||
|
||||
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
|
||||
|
||||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
|
||||
ret=0
|
||||
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
|
||||
&& chmod 600 "$TMP_FILE" \
|
||||
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
|
||||
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|
||||
|| ret=1
|
||||
if [ $ret -eq 0 ]; then
|
||||
if [ -e $IPTABLES_DATA ]; then
|
||||
cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
|
||||
&& chmod 600 $IPTABLES_DATA.save \
|
||||
&& restorecon $IPTABLES_DATA.save \
|
||||
|| ret=1
|
||||
fi
|
||||
if [ $ret -eq 0 ]; then
|
||||
mv -f $TMP_FILE $IPTABLES_DATA \
|
||||
&& chmod 600 $IPTABLES_DATA \
|
||||
&& restorecon $IPTABLES_DATA \
|
||||
|| ret=1
|
||||
fi
|
||||
fi
|
||||
rm -f $TMP_FILE
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
return $ret
|
||||
}
|
||||
|
||||
status() {
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
|
||||
echo $"${IPTABLES}: Firewall is not running."
|
||||
return 3
|
||||
fi
|
||||
|
||||
# Do not print status if lockfile is missing and iptables modules are not
|
||||
# loaded.
|
||||
# Check if iptable modules are loaded
|
||||
if ! netfilter_active; then
|
||||
echo $"${IPTABLES}: Firewall modules are not loaded."
|
||||
return 3
|
||||
fi
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
if [ -z "$NF_TABLES" ]; then
|
||||
echo $"${IPTABLES}: Firewall is not configured. "
|
||||
return 3
|
||||
fi
|
||||
|
||||
NUM=
|
||||
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
|
||||
VERBOSE=
|
||||
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
|
||||
COUNT=
|
||||
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
|
||||
|
||||
for table in $NF_TABLES; do
|
||||
echo $"Table: $table"
|
||||
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
|
||||
done
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
reload() {
|
||||
# Do not reload if there is no config file.
|
||||
if [ ! -f "$IPTABLES_DATA" ]; then
|
||||
echo -n $"${IPTABLES}: No config file."; warning; echo
|
||||
return 6
|
||||
fi
|
||||
|
||||
# check if ipv6 module load is deactivated
|
||||
if [ "${_IPV}" = "ipv6" ] \
|
||||
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
|
||||
echo $"${IPTABLES}: ${_IPV} is disabled."
|
||||
return 150
|
||||
fi
|
||||
|
||||
echo -n $"${IPTABLES}: Trying to reload firewall rules: "
|
||||
|
||||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
|
||||
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
|
||||
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
|
||||
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
|
||||
fi
|
||||
fi
|
||||
|
||||
$IPTABLES-restore $OPT $IPTABLES_DATA
|
||||
if [ $? -eq 0 ]; then
|
||||
success; echo
|
||||
else
|
||||
failure; echo; echo "Firewall rules are not changed."; return 1
|
||||
fi
|
||||
|
||||
# Load additional modules (helpers)
|
||||
if [ -n "$IPTABLES_MODULES" ]; then
|
||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||
ret=0
|
||||
for mod in $IPTABLES_MODULES; do
|
||||
echo -n "$mod "
|
||||
modprobe $mod > /dev/null 2>&1
|
||||
let ret+=$?;
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
fi
|
||||
|
||||
# Load sysctl settings
|
||||
load_sysctl
|
||||
|
||||
return $ret
|
||||
}
|
||||
|
||||
restart() {
|
||||
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
|
||||
stop
|
||||
start
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
|
||||
start
|
||||
RETVAL=$?
|
||||
;;
|
||||
stop)
|
||||
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
|
||||
stop
|
||||
RETVAL=$?
|
||||
;;
|
||||
restart|force-reload)
|
||||
restart
|
||||
RETVAL=$?
|
||||
;;
|
||||
reload)
|
||||
[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
|
||||
RETVAL=$?
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
|
||||
restart
|
||||
RETVAL=$?
|
||||
;;
|
||||
status)
|
||||
status
|
||||
RETVAL=$?
|
||||
;;
|
||||
panic)
|
||||
set_policy DROP
|
||||
RETVAL=$?
|
||||
;;
|
||||
save)
|
||||
save
|
||||
RETVAL=$?
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
|
||||
RETVAL=2
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
@ -0,0 +1,17 @@
|
||||
[Unit]
|
||||
Description=IPv4 firewall with iptables
|
||||
AssertPathExists=/etc/sysconfig/iptables
|
||||
Before=network-pre.target
|
||||
Wants=network-pre.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/libexec/iptables/iptables.init start
|
||||
ExecReload=/usr/libexec/iptables/iptables.init reload
|
||||
ExecStop=/usr/libexec/iptables/iptables.init stop
|
||||
Environment=BOOTUP=serial
|
||||
Environment=CONSOLETYPE=serial
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,15 @@
|
||||
# sample configuration for ip6tables service
|
||||
# you can edit this manually or use system-config-firewall
|
||||
# please do not ask us to add additional ports/services to this default configuration
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
|
||||
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
||||
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
||||
COMMIT
|
@ -0,0 +1,14 @@
|
||||
# sample configuration for iptables service
|
||||
# you can edit this manually or use system-config-firewall
|
||||
# please do not ask us to add additional ports/services to this default configuration
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -p icmp -j ACCEPT
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
COMMIT
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue