| @@ -1,52 +1,54 | |||||
| 1 | #!/bin/bash |
|
1 | #!/bin/bash | |
| 2 | # |
|
2 | # | |
| 3 | # Setup Firewall |
|
3 | # Setup Firewall | |
| 4 | # |
|
4 | # | |
| 5 |
|
5 | |||
| 6 | # Load utility functions |
|
6 | # Load utility functions | |
| 7 | . ./functions.sh |
|
7 | . ./functions.sh | |
| 8 |
|
8 | |||
| 9 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
9 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
| 10 | # Create iptables configuration directory |
|
10 | # Create iptables configuration directory | |
| 11 | mkdir -p "${ETC_DIR}/iptables" |
|
11 | mkdir -p "${ETC_DIR}/iptables" | |
| 12 |
|
12 | |||
|
|
13 | if ! [ "$RELEASE" = jessie ] ; then | |||
|
|
14 | #setting slaves | |||
|
|
15 | #chroot_exec update-alternatives --verbose --install /usr/sbin/iptables iptables /usr/sbin/iptables-legacy 1 \ | |||
|
|
16 | --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-legacy-save \ | |||
|
|
17 | --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-legacy-restore | |||
| 13 | # make sure iptables-legacy,iptables-legacy-restore and iptables-legacy-save are the used alternatives |
|
18 | # make sure iptables-legacy,iptables-legacy-restore and iptables-legacy-save are the used alternatives | |
| 14 |
|
|
19 | chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy | |
| 15 | #chroot_exec update-alternatives --verbose --set iptables-save /usr/sbin/iptables-legacy-save |
|
20 | fi | |
| 16 | #chroot_exec update-alternatives --verbose --set iptables-restore /usr/sbin/iptables-legacy-restore |
|
|||
| 17 | chroot_exec update-alternatives --verbose --install /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-legacy-save 1 |
|
|||
| 18 | chroot_exec update-alternatives --verbose --install /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-legacy-restore 1 |
|
|||
| 19 |
|
21 | |||
| 20 | # Install iptables systemd service |
|
22 | # Install iptables systemd service | |
| 21 | install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service" |
|
23 | install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service" | |
| 22 |
|
24 | |||
| 23 | # Install flush-table script called by iptables service |
|
25 | # Install flush-table script called by iptables service | |
| 24 | install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh" |
|
26 | install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh" | |
| 25 |
|
27 | |||
| 26 | # Install iptables rule file |
|
28 | # Install iptables rule file | |
| 27 | install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules" |
|
29 | install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules" | |
| 28 |
|
30 | |||
| 29 | # Reload systemd configuration and enable iptables service |
|
31 | # Reload systemd configuration and enable iptables service | |
| 30 | chroot_exec systemctl daemon-reload |
|
32 | chroot_exec systemctl daemon-reload | |
| 31 | chroot_exec systemctl enable iptables.service |
|
33 | chroot_exec systemctl enable iptables.service | |
| 32 |
|
34 | |||
| 33 | if [ "$ENABLE_IPV6" = true ] ; then |
|
35 | if [ "$ENABLE_IPV6" = true ] ; then | |
| 34 | # Install ip6tables systemd service |
|
36 | # Install ip6tables systemd service | |
| 35 | install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" |
|
37 | install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" | |
| 36 |
|
38 | |||
| 37 | # Install ip6tables file |
|
39 | # Install ip6tables file | |
| 38 | install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh" |
|
40 | install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh" | |
| 39 |
|
41 | |||
| 40 | install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules" |
|
42 | install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules" | |
| 41 |
|
43 | |||
| 42 | # Reload systemd configuration and enable iptables service |
|
44 | # Reload systemd configuration and enable iptables service | |
| 43 | chroot_exec systemctl daemon-reload |
|
45 | chroot_exec systemctl daemon-reload | |
| 44 | chroot_exec systemctl enable ip6tables.service |
|
46 | chroot_exec systemctl enable ip6tables.service | |
| 45 | fi |
|
47 | fi | |
| 46 |
|
48 | |||
| 47 | if [ "$ENABLE_SSHD" = false ] ; then |
|
49 | if [ "$ENABLE_SSHD" = false ] ; then | |
| 48 | # Remove SSHD related iptables rules |
|
50 | # Remove SSHD related iptables rules | |
| 49 | sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null |
|
51 | sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null | |
| 50 | sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null |
|
52 | sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null | |
| 51 | fi |
|
53 | fi | |
| 52 | fi |
|
54 | fi | |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant
