From 59e9a148ccb8d19e2e21575afcea8e63672f41b8 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 26 Mar 2025 10:31:11 +0100 Subject: [PATCH] First commmit --- config/ip6tables | 11 + config/iptables | 11 + libexec/ip6tables.init | 450 ++++++++++++++++++++++++++++++++++++++ libexec/iptables.init | 450 ++++++++++++++++++++++++++++++++++++++ readme.md | 33 +++ systemd/ip6tables.service | 17 ++ systemd/iptables.service | 17 ++ 7 files changed, 989 insertions(+) create mode 100644 config/ip6tables create mode 100644 config/iptables create mode 100755 libexec/ip6tables.init create mode 100755 libexec/iptables.init create mode 100644 readme.md create mode 100644 systemd/ip6tables.service create mode 100644 systemd/iptables.service diff --git a/config/ip6tables b/config/ip6tables new file mode 100644 index 0000000..8479867 --- /dev/null +++ b/config/ip6tables @@ -0,0 +1,11 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [489:69759] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p ipv6-icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT +-A INPUT -j REJECT --reject-with icmp6-adm-prohibited +COMMIT diff --git a/config/iptables b/config/iptables new file mode 100644 index 0000000..c38a494 --- /dev/null +++ b/config/iptables @@ -0,0 +1,11 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [123:8421] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT diff --git a/libexec/ip6tables.init b/libexec/ip6tables.init new file mode 100755 index 0000000..6cd91dc --- /dev/null +++ b/libexec/ip6tables.init @@ -0,0 +1,450 @@ +#!/usr/bin/bash +# +# ip6tables Start ip6tables firewall +# +# chkconfig: 2345 08 92 +# description: Starts, stops and saves ip6tables firewall +# +# config: /etc/sysconfig/ip6tables +# config: /etc/sysconfig/ip6tables-config +# +### BEGIN INIT INFO +# Provides: ip6tables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop ip6tables firewall +# Description: Start, stop and save ip6tables firewall +### END INIT INFO + +# compat for removed initscripts dependency + +success() { + echo -n "[ OK ]" + return 0 +} + +warning() { + echo -n "[WARNING]" + return 1 +} + +failure() { + echo -n "[FAILED]" + return 1 +} + +IP6TABLES=ip6tables +IP6TABLES_DATA=/etc/sysconfig/$IP6TABLES +IP6TABLES_FALLBACK_DATA=${IP6TABLES_DATA}.fallback +IP6TABLES_CONFIG=/etc/sysconfig/${IP6TABLES}-config +IPV=${IP6TABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" +PROC_IP6TABLES_NAMES=/proc/net/${IPV}_tables_names +VAR_SUBSYS_IP6TABLES=/var/lock/subsys/$IP6TABLES + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IP6TABLES}: Only usable by root."; warning; echo + exit 4 +fi + +if [ ! -x /sbin/$IP6TABLES ]; then + echo -n $"${IP6TABLES}: /sbin/$IP6TABLES does not exist."; warning; echo + exit 5 +fi + +# Default firewall configuration: +IP6TABLES_MODULES="" +IP6TABLES_SAVE_ON_STOP="no" +IP6TABLES_SAVE_ON_RESTART="no" +IP6TABLES_SAVE_COUNTER="no" +IP6TABLES_STATUS_NUMERIC="yes" +IP6TABLES_STATUS_VERBOSE="no" +IP6TABLES_STATUS_LINENUMBERS="yes" +IP6TABLES_SYSCTL_LOAD_LIST="" +IP6TABLES_RESTORE_WAIT=600 +IP6TABLES_RESTORE_WAIT_INTERVAL=1000000 + +# Load firewall configuration. +[ -f "$IP6TABLES_CONFIG" ] && . "$IP6TABLES_CONFIG" + +is_ip6tables_nft() { + ip6tables --version | grep -q '(nf_tables)' +} + +netfilter_active() { + is_ip6tables_nft && return 0 + [ -e "$PROC_IP6TABLES_NAMES" ] +} + +netfilter_tables() { + netfilter_active || return 1 + is_ip6tables_nft && { + # explicitly omit security table from this list as + # it should be reserved for SELinux use + echo "raw mangle filter nat" + return 0 + } + cat "$PROC_IP6TABLES_NAMES" 2>/dev/null +} + +# Get active tables +NF_TABLES=$(netfilter_tables) + + +flush_n_delete() { + # Flush firewall rules and delete chains. + netfilter_active || return 0 + + # Check if firewall is configured (has tables) + [ -z "$NF_TABLES" ] && return 1 + + echo -n $"${IP6TABLES}: Flushing firewall rules: " + ret=0 + # For all tables + for i in $NF_TABLES; do + # Flush firewall rules. + $IP6TABLES -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IP6TABLES -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IP6TABLES -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +set_policy() { + # Set policy for configured tables. + policy=$1 + + # Check if iptable module is loaded + netfilter_active || return 0 + + # Check if firewall is configured (has tables) + tables=$(netfilter_tables) + [ -z "$tables" ] && return 1 + + echo -n $"${IP6TABLES}: Setting chains to policy $policy: " + ret=0 + for i in $tables; do + echo -n "$i " + case "$i" in + raw) + $IP6TABLES -t raw -P PREROUTING $policy \ + && $IP6TABLES -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; + filter) + $IP6TABLES -t filter -P INPUT $policy \ + && $IP6TABLES -t filter -P OUTPUT $policy \ + && $IP6TABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IP6TABLES -t nat -P PREROUTING $policy \ + && $IP6TABLES -t nat -P POSTROUTING $policy \ + && $IP6TABLES -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IP6TABLES -t mangle -P PREROUTING $policy \ + && $IP6TABLES -t mangle -P POSTROUTING $policy \ + && $IP6TABLES -t mangle -P INPUT $policy \ + && $IP6TABLES -t mangle -P OUTPUT $policy \ + && $IP6TABLES -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +load_sysctl() { + # load matched sysctl values + if [ -n "$IP6TABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + ret=0 + for item in $IP6TABLES_SYSCTL_LOAD_LIST; do + fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + return $ret +} + +start() { + # Do not start if there is no config file. + if [ ! -f "$IP6TABLES_DATA" ]; then + echo -n $"${IP6TABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IP6TABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IP6TABLES}: Applying firewall rules: " + + OPT= + [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IP6TABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IP6TABLES_RESTORE_WAIT}" + if [ $IP6TABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IP6TABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IP6TABLES-restore $OPT $IP6TABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; + if [ -f "$IP6TABLES_FALLBACK_DATA" ]; then + echo -n $"${IP6TABLES}: Applying firewall fallback rules: " + $IP6TABLES-restore $OPT $IP6TABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi + fi + + # Load additional modules (helpers) + if [ -n "$IP6TABLES_MODULES" ]; then + echo -n $"${IP6TABLES}: Loading additional modules: " + ret=0 + for mod in $IP6TABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + touch $VAR_SUBSYS_IP6TABLES + return $ret +} + +stop() { + # Do not stop if ip6tables module is not loaded. + netfilter_active || return 0 + + # Set default chain policy to ACCEPT, in order to not break shutdown + # on systems where the default policy is DROP and root device is + # network-based (i.e.: iSCSI, NFS) + set_policy ACCEPT + # And then, flush the rules and delete chains + flush_n_delete + + rm -f $VAR_SUBSYS_IP6TABLES + return $ret +} + +save() { + # Check if iptable module is loaded + if ! netfilter_active; then + echo -n $"${IP6TABLES}: Nothing to save."; warning; echo + return 0 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo -n $"${IP6TABLES}: Nothing to save."; warning; echo + return 6 + fi + + echo -n $"${IP6TABLES}: Saving firewall rules to $IP6TABLES_DATA: " + + OPT= + [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + ret=0 + TMP_FILE=$(/bin/mktemp -q $IP6TABLES_DATA.XXXXXX) \ + && chmod 600 "$TMP_FILE" \ + && $IP6TABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IP6TABLES_DATA ]; then + cp -f $IP6TABLES_DATA $IP6TABLES_DATA.save \ + && chmod 600 $IP6TABLES_DATA.save \ + && restorecon $IP6TABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + mv -f $TMP_FILE $IP6TABLES_DATA \ + && chmod 600 $IP6TABLES_DATA \ + && restorecon $IP6TABLES_DATA \ + || ret=1 + fi + fi + rm -f $TMP_FILE + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +status() { + if [ ! -f "$VAR_SUBSYS_IP6TABLES" ]; then + echo $"${IP6TABLES}: Firewall is not running." + return 3 + fi + + # Do not print status if lockfile is missing and ip6tables modules are not + # loaded. + # Check if iptable modules are loaded + if ! netfilter_active; then + echo $"${IP6TABLES}: Firewall modules are not loaded." + return 3 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo $"${IP6TABLES}: Firewall is not configured. " + return 3 + fi + + NUM= + [ "x$IP6TABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IP6TABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IP6TABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" + + for table in $NF_TABLES; do + echo $"Table: $table" + $IP6TABLES -t $table --list $NUM $VERBOSE $COUNT && echo + done + + return 0 +} + +reload() { + # Do not reload if there is no config file. + if [ ! -f "$IP6TABLES_DATA" ]; then + echo -n $"${IP6TABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IP6TABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IP6TABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IP6TABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IP6TABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IP6TABLES_RESTORE_WAIT}" + if [ $IP6TABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IP6TABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IP6TABLES-restore $OPT $IP6TABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IP6TABLES_MODULES" ]; then + echo -n $"${IP6TABLES}: Loading additional modules: " + ret=0 + for mod in $IP6TABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + +restart() { + [ "x$IP6TABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start +} + + +case "$1" in + start) + [ -f "$VAR_SUBSYS_IP6TABLES" ] && exit 0 + start + RETVAL=$? + ;; + stop) + [ "x$IP6TABLES_SAVE_ON_STOP" = "xyes" ] && save + stop + RETVAL=$? + ;; + restart|force-reload) + restart + RETVAL=$? + ;; + reload) + [ -e "$VAR_SUBSYS_IP6TABLES" ] && reload + RETVAL=$? + ;; + condrestart|try-restart) + [ ! -e "$VAR_SUBSYS_IP6TABLES" ] && exit 0 + restart + RETVAL=$? + ;; + status) + status + RETVAL=$? + ;; + panic) + set_policy DROP + RETVAL=$? + ;; + save) + save + RETVAL=$? + ;; + *) + echo $"Usage: ${IP6TABLES} {start|stop|reload|restart|condrestart|status|panic|save}" + RETVAL=2 + ;; +esac + +exit $RETVAL diff --git a/libexec/iptables.init b/libexec/iptables.init new file mode 100755 index 0000000..b6bb0a2 --- /dev/null +++ b/libexec/iptables.init @@ -0,0 +1,450 @@ +#!/usr/bin/bash +# +# iptables Start iptables firewall +# +# chkconfig: 2345 08 92 +# description: Starts, stops and saves iptables firewall +# +# config: /etc/sysconfig/iptables +# config: /etc/sysconfig/iptables-config +# +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop iptables firewall +# Description: Start, stop and save iptables firewall +### END INIT INFO + +# compat for removed initscripts dependency + +success() { + echo -n "[ OK ]" + return 0 +} + +warning() { + echo -n "[WARNING]" + return 1 +} + +failure() { + echo -n "[FAILED]" + return 1 +} + +IPTABLES=iptables +IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback +IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config +IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" +PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi + +if [ ! -x /sbin/$IPTABLES ]; then + echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo + exit 5 +fi + +# Default firewall configuration: +IPTABLES_MODULES="" +IPTABLES_SAVE_ON_STOP="no" +IPTABLES_SAVE_ON_RESTART="no" +IPTABLES_SAVE_COUNTER="no" +IPTABLES_STATUS_NUMERIC="yes" +IPTABLES_STATUS_VERBOSE="no" +IPTABLES_STATUS_LINENUMBERS="yes" +IPTABLES_SYSCTL_LOAD_LIST="" +IPTABLES_RESTORE_WAIT=600 +IPTABLES_RESTORE_WAIT_INTERVAL=1000000 + +# Load firewall configuration. +[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" + +is_iptables_nft() { + iptables --version | grep -q '(nf_tables)' +} + +netfilter_active() { + is_iptables_nft && return 0 + [ -e "$PROC_IPTABLES_NAMES" ] +} + +netfilter_tables() { + netfilter_active || return 1 + is_iptables_nft && { + # explicitly omit security table from this list as + # it should be reserved for SELinux use + echo "raw mangle filter nat" + return 0 + } + cat "$PROC_IPTABLES_NAMES" 2>/dev/null +} + +# Get active tables +NF_TABLES=$(netfilter_tables) + + +flush_n_delete() { + # Flush firewall rules and delete chains. + netfilter_active || return 0 + + # Check if firewall is configured (has tables) + [ -z "$NF_TABLES" ] && return 1 + + echo -n $"${IPTABLES}: Flushing firewall rules: " + ret=0 + # For all tables + for i in $NF_TABLES; do + # Flush firewall rules. + $IPTABLES -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IPTABLES -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IPTABLES -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +set_policy() { + # Set policy for configured tables. + policy=$1 + + # Check if iptable module is loaded + netfilter_active || return 0 + + # Check if firewall is configured (has tables) + tables=$(netfilter_tables) + [ -z "$tables" ] && return 1 + + echo -n $"${IPTABLES}: Setting chains to policy $policy: " + ret=0 + for i in $tables; do + echo -n "$i " + case "$i" in + raw) + $IPTABLES -t raw -P PREROUTING $policy \ + && $IPTABLES -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; + filter) + $IPTABLES -t filter -P INPUT $policy \ + && $IPTABLES -t filter -P OUTPUT $policy \ + && $IPTABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IPTABLES -t nat -P PREROUTING $policy \ + && $IPTABLES -t nat -P POSTROUTING $policy \ + && $IPTABLES -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IPTABLES -t mangle -P PREROUTING $policy \ + && $IPTABLES -t mangle -P POSTROUTING $policy \ + && $IPTABLES -t mangle -P INPUT $policy \ + && $IPTABLES -t mangle -P OUTPUT $policy \ + && $IPTABLES -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +load_sysctl() { + # load matched sysctl values + if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + ret=0 + for item in $IPTABLES_SYSCTL_LOAD_LIST; do + fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + return $ret +} + +start() { + # Do not start if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Applying firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; + if [ -f "$IPTABLES_FALLBACK_DATA" ]; then + echo -n $"${IPTABLES}: Applying firewall fallback rules: " + $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + touch $VAR_SUBSYS_IPTABLES + return $ret +} + +stop() { + # Do not stop if iptables module is not loaded. + netfilter_active || return 0 + + # Set default chain policy to ACCEPT, in order to not break shutdown + # on systems where the default policy is DROP and root device is + # network-based (i.e.: iSCSI, NFS) + set_policy ACCEPT + # And then, flush the rules and delete chains + flush_n_delete + + rm -f $VAR_SUBSYS_IPTABLES + return $ret +} + +save() { + # Check if iptable module is loaded + if ! netfilter_active; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 0 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 6 + fi + + echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + ret=0 + TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ + && chmod 600 "$TMP_FILE" \ + && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IPTABLES_DATA ]; then + cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ + && chmod 600 $IPTABLES_DATA.save \ + && restorecon $IPTABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + mv -f $TMP_FILE $IPTABLES_DATA \ + && chmod 600 $IPTABLES_DATA \ + && restorecon $IPTABLES_DATA \ + || ret=1 + fi + fi + rm -f $TMP_FILE + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +status() { + if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then + echo $"${IPTABLES}: Firewall is not running." + return 3 + fi + + # Do not print status if lockfile is missing and iptables modules are not + # loaded. + # Check if iptable modules are loaded + if ! netfilter_active; then + echo $"${IPTABLES}: Firewall modules are not loaded." + return 3 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not configured. " + return 3 + fi + + NUM= + [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" + + for table in $NF_TABLES; do + echo $"Table: $table" + $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo + done + + return 0 +} + +reload() { + # Do not reload if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + +restart() { + [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start +} + + +case "$1" in + start) + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 + start + RETVAL=$? + ;; + stop) + [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save + stop + RETVAL=$? + ;; + restart|force-reload) + restart + RETVAL=$? + ;; + reload) + [ -e "$VAR_SUBSYS_IPTABLES" ] && reload + RETVAL=$? + ;; + condrestart|try-restart) + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 + restart + RETVAL=$? + ;; + status) + status + RETVAL=$? + ;; + panic) + set_policy DROP + RETVAL=$? + ;; + save) + save + RETVAL=$? + ;; + *) + echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}" + RETVAL=2 + ;; +esac + +exit $RETVAL diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..5b23d2b --- /dev/null +++ b/readme.md @@ -0,0 +1,33 @@ +## Iptables systemd files for SuSe installations + +These files allow iptables and ip6tables to be installed and run as a system service + +## pre installation + +edit the files in sysconfig to match your preffered iptables configuration. +the default allows ssh access (22/tcp) to the host only. + +## Installation + +- Install iptables +-- zypper install iptables iptables-nft-backend + +- Clone this GIT repo : +-- git clone https://git.xo.nl/marcel/iptables + +- Copy the init files to /usr/libexec +-- cp libexec/*.init /usr/libexec +-- chown root:root /usr/ip?tables.init +-- chmod ug+x /usr/ip?tables.init + +- Copy the systemd files to /etc/systemd/system +-- cp systemd/* /etc/systemd/system +-- systemd daemon-reload + +- Copy the default configuration to /etc/sysconfig +-- cp config/* /etc/sysconfig + +- Enable iptables on next boot +-- systemctl enable iptables ip6tables + +Reboot your host diff --git a/systemd/ip6tables.service b/systemd/ip6tables.service new file mode 100644 index 0000000..9e18a51 --- /dev/null +++ b/systemd/ip6tables.service @@ -0,0 +1,17 @@ +[Unit] +Description=IPv6 firewall with ip6tables +AssertPathExists=/etc/sysconfig/ip6tables +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/iptables/ip6tables.init start +ExecReload=/usr/libexec/iptables/ip6tables.init reload +ExecStop=/usr/libexec/iptables/ip6tables.init stop +Environment=BOOTUP=serial +Environment=CONSOLETYPE=serial + +[Install] +WantedBy=multi-user.target diff --git a/systemd/iptables.service b/systemd/iptables.service new file mode 100644 index 0000000..6b996d1 --- /dev/null +++ b/systemd/iptables.service @@ -0,0 +1,17 @@ +[Unit] +Description=IPv4 firewall with iptables +AssertPathExists=/etc/sysconfig/iptables +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/iptables/iptables.init start +ExecReload=/usr/libexec/iptables/iptables.init reload +ExecStop=/usr/libexec/iptables/iptables.init stop +Environment=BOOTUP=serial +Environment=CONSOLETYPE=serial + +[Install] +WantedBy=multi-user.target