@@ -1,44 +1,49 | |||
|
1 | 1 | # |
|
2 | 2 | # Setup Firewall |
|
3 | 3 | # |
|
4 | 4 | |
|
5 | 5 | # Load utility functions |
|
6 | 6 | . ./functions.sh |
|
7 | 7 | |
|
8 | 8 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
9 | 9 | # Create iptables configuration directory |
|
10 | 10 | mkdir -p "${ETC_DIR}/iptables" |
|
11 | ||
|
11 | ||
|
12 | # make sure iptables-legacy,iptables-legacy-restore and iptables-legacy-save are the used alternatives | |
|
13 | chroot_exec update-alternatives --verbose --set iptables /usr/bin/iptables-legacy | |
|
14 | chroot_exec update-alternatives --verbose --set iptables-save /usr/bin/iptables-legacy-save | |
|
15 | chroot_exec update-alternatives --verbose --set iptables-restore /usr/bin/iptables-legacy-restore | |
|
16 | ||
|
12 | 17 | # Install iptables systemd service |
|
13 | 18 | install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service" |
|
14 | 19 | |
|
15 | 20 | # Install flush-table script called by iptables service |
|
16 | 21 | install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh" |
|
17 | 22 | |
|
18 | 23 | # Install iptables rule file |
|
19 | 24 | install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules" |
|
20 | 25 | |
|
21 | 26 | # Reload systemd configuration and enable iptables service |
|
22 | 27 | chroot_exec systemctl daemon-reload |
|
23 | 28 | chroot_exec systemctl enable iptables.service |
|
24 | 29 | |
|
25 | 30 | if [ "$ENABLE_IPV6" = true ] ; then |
|
26 | 31 | # Install ip6tables systemd service |
|
27 | 32 | install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" |
|
28 | 33 | |
|
29 | 34 | # Install ip6tables file |
|
30 | 35 | install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh" |
|
31 | 36 | |
|
32 | 37 | install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules" |
|
33 | 38 | |
|
34 | 39 | # Reload systemd configuration and enable iptables service |
|
35 | 40 | chroot_exec systemctl daemon-reload |
|
36 | 41 | chroot_exec systemctl enable ip6tables.service |
|
37 | 42 | fi |
|
38 | 43 | |
|
39 | 44 | if [ "$ENABLE_SSHD" = false ] ; then |
|
40 | 45 | # Remove SSHD related iptables rules |
|
41 | 46 | sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null |
|
42 | 47 | sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null |
|
43 | 48 | fi |
|
44 | 49 | fi |
@@ -1,15 +1,15 | |||
|
1 | 1 | [Unit] |
|
2 | 2 | Description=Packet Filtering Framework |
|
3 | 3 | DefaultDependencies=no |
|
4 | 4 | After=systemd-sysctl.service |
|
5 | 5 | Before=sysinit.target |
|
6 | 6 | |
|
7 | 7 | [Service] |
|
8 | 8 | Type=oneshot |
|
9 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
|
9 | ExecStart=/sbin/ip6tables-restore -w 5 /etc/iptables/ip6tables.rules | |
|
10 | 10 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
11 | 11 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
12 | 12 | RemainAfterExit=yes |
|
13 | 13 | |
|
14 | 14 | [Install] |
|
15 | 15 | WantedBy=multi-user.target |
@@ -1,15 +1,15 | |||
|
1 | 1 | [Unit] |
|
2 | 2 | Description=Packet Filtering Framework |
|
3 | 3 | DefaultDependencies=no |
|
4 | 4 | After=systemd-sysctl.service |
|
5 | 5 | Before=sysinit.target |
|
6 | 6 | |
|
7 | 7 | [Service] |
|
8 | 8 | Type=oneshot |
|
9 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules | |
|
9 | ExecStart=/sbin/iptables-restore -w 5 /etc/iptables/iptables.rules | |
|
10 | 10 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
11 | 11 | ExecStop=/etc/iptables/flush-iptables.sh |
|
12 | 12 | RemainAfterExit=yes |
|
13 | 13 | |
|
14 | 14 | [Install] |
|
15 | 15 | WantedBy=multi-user.target |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant