diff options
author | root <root@rshg054.dnsready.net> | 2011-09-03 23:14:38 +0000 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2011-09-03 23:14:38 +0000 |
commit | 3b18be1752c9fd9fa74eb1314ca97dd61e9ce912 (patch) | |
tree | 695198e2351a85f6c3a8fe7ba53ba5e4a4ec2bdd /testing/iptables | |
parent | b37ee9de1a430956d9e5958ebd9d7e0dbfc79327 (diff) |
Sat Sep 3 23:14:38 UTC 2011
Diffstat (limited to 'testing/iptables')
-rw-r--r-- | testing/iptables/PKGBUILD | 69 | ||||
-rw-r--r-- | testing/iptables/empty-filter.rules | 6 | ||||
-rw-r--r-- | testing/iptables/empty-mangle.rules | 8 | ||||
-rw-r--r-- | testing/iptables/empty-nat.rules | 7 | ||||
-rw-r--r-- | testing/iptables/empty-raw.rules | 5 | ||||
-rw-r--r-- | testing/iptables/empty-security.rules | 6 | ||||
-rw-r--r-- | testing/iptables/empty.rules | 6 | ||||
-rwxr-xr-x | testing/iptables/ip6tables | 69 | ||||
-rwxr-xr-x | testing/iptables/iptables | 68 | ||||
-rw-r--r-- | testing/iptables/iptables.conf.d | 12 | ||||
-rw-r--r-- | testing/iptables/simple_firewall.rules | 11 |
11 files changed, 267 insertions, 0 deletions
diff --git a/testing/iptables/PKGBUILD b/testing/iptables/PKGBUILD new file mode 100644 index 000000000..d856612e3 --- /dev/null +++ b/testing/iptables/PKGBUILD @@ -0,0 +1,69 @@ +# $Id: PKGBUILD 136877 2011-09-02 16:01:49Z ronald $ +# Maintainer: Ronald van Haren <ronald.archlinux.org> +# Contributor: Thomas Baechler <thomas@archlinux.org> + +pkgname=iptables +pkgver=1.4.12.1 +pkgrel=1 +pkgdesc="A Linux kernel packet control tool" +arch=('i686' 'x86_64') +license=('GPL2') +url="http://www.netfilter.org/projects/iptables/index.html" +depends=('glibc' 'bash') +makedepends=('linux-api-headers') +options=('!libtool') +source=(http://www.iptables.org/projects/iptables/files/${pkgname}-${pkgver}.tar.bz2 + iptables + ip6tables + empty.rules + simple_firewall.rules + iptables.conf.d + empty-filter.rules + empty-mangle.rules + empty-nat.rules + empty-raw.rules + empty-security.rules) +backup=(etc/conf.d/iptables) +sha1sums=('86022c3b5129ad7105f5087ec1349e99cc5a9728' + '5bb6fa526665cdd728c26f0f282f5a51f220cf88' + '2db68906b603e5268736f48c8e251f3a49da1d75' + '83b3363878e3660ce23b2ad325b53cbd6c796ecf' + '9907f9e815592837abc7fa3264a401567b7606ab' + 'cdb830137192bbe002c6d01058656bd053ed0ddd' + 'd9f9f06b46b4187648e860afa0552335aafe3ce4' + 'c45b738b5ec4cfb11611b984c21a83b91a2d58f3' + '1694d79b3e6e9d9d543f6a6e75fed06066c9a6c6' + '7db53bb882f62f6c677cc8559cff83d8bae2ef73' + 'ebbd1424a1564fd45f455a81c61ce348f0a14c2e') +build() { + cd "${srcdir}/${pkgname}-${pkgver}" + + # http://bugs.archlinux.org/task/17046 + sed -i '87 i libxt_RATEEST.so: libxt_RATEEST.oo' extensions/GNUmakefile.in + sed -i '88 i \\t${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -lm -shared ${LDFLAGS} -o $@ $<;\n' extensions/GNUmakefile.in + + # FS#25358: libxt_statistic.so undefined symbol: lround + export LDFLAGS="-lm" + + ./configure --prefix=/usr \ + --libexecdir=/usr/lib/iptables --sysconfdir=/etc \ + --with-xtlibdir=/usr/lib/iptables \ + --enable-devel --enable-libipq + + make +} + +package() { + cd "${srcdir}/${pkgname}-${pkgver}" + make DESTDIR="${pkgdir}" install + + cd "${srcdir}" + install -D -m755 iptables "${pkgdir}"/etc/rc.d/iptables + install -D -m755 ip6tables "${pkgdir}"/etc/rc.d/ip6tables + install -D -m644 empty.rules "${pkgdir}"/etc/iptables/empty.rules + install -D -m644 simple_firewall.rules "${pkgdir}"/etc/iptables/simple_firewall.rules + install -D -m644 iptables.conf.d "${pkgdir}"/etc/conf.d/iptables + + mkdir -p "${pkgdir}/var/lib/iptables" + install -m644 empty-{filter,mangle,nat,raw,security}.rules ${pkgdir}/var/lib/iptables/ +} diff --git a/testing/iptables/empty-filter.rules b/testing/iptables/empty-filter.rules new file mode 100644 index 000000000..5a4de4876 --- /dev/null +++ b/testing/iptables/empty-filter.rules @@ -0,0 +1,6 @@ +# Empty iptables filter table rule file +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT diff --git a/testing/iptables/empty-mangle.rules b/testing/iptables/empty-mangle.rules new file mode 100644 index 000000000..49d493c4d --- /dev/null +++ b/testing/iptables/empty-mangle.rules @@ -0,0 +1,8 @@ +# Empty iptables mangle table rules file +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT diff --git a/testing/iptables/empty-nat.rules b/testing/iptables/empty-nat.rules new file mode 100644 index 000000000..437e96411 --- /dev/null +++ b/testing/iptables/empty-nat.rules @@ -0,0 +1,7 @@ +# Empty iptables nat table rules file +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT diff --git a/testing/iptables/empty-raw.rules b/testing/iptables/empty-raw.rules new file mode 100644 index 000000000..8dc50d23e --- /dev/null +++ b/testing/iptables/empty-raw.rules @@ -0,0 +1,5 @@ +# Empty iptables raw table rules file +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT diff --git a/testing/iptables/empty-security.rules b/testing/iptables/empty-security.rules new file mode 100644 index 000000000..4531fa13f --- /dev/null +++ b/testing/iptables/empty-security.rules @@ -0,0 +1,6 @@ +# Empty iptables security table rules file +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT diff --git a/testing/iptables/empty.rules b/testing/iptables/empty.rules new file mode 100644 index 000000000..e24e1aa30 --- /dev/null +++ b/testing/iptables/empty.rules @@ -0,0 +1,6 @@ +# Empty iptables rule file +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT diff --git a/testing/iptables/ip6tables b/testing/iptables/ip6tables new file mode 100755 index 000000000..2d119e3ed --- /dev/null +++ b/testing/iptables/ip6tables @@ -0,0 +1,69 @@ +#!/bin/bash + +# source application-specific settings +[ -f /etc/conf.d/iptables ] && . /etc/conf.d/iptables + +# Set defaults if settings are missing +[ -z "$IP6TABLES_CONF" ] && IP6TABLES_CONF=/etc/iptables/ip6tables.rules + +. /etc/rc.conf +. /etc/rc.d/functions + +case "$1" in + start) + if [ ! -f "$IP6TABLES_CONF" ]; then + echo "Cannot load ip6tables rules: $IP6TABLES_CONF is missing!" >&2 + exit 1 + fi + stat_busy "Starting IP6 Tables" + if [ "$IPTABLES_FORWARD" = "1" ]; then + echo 1 >/proc/sys/net/ipv6/conf/default/forwarding + echo 1 >/proc/sys/net/ipv6/conf/all/forwarding + fi + if ck_daemon ip6tables; then + /usr/sbin/ip6tables-restore < $IP6TABLES_CONF + if [ $? -gt 0 ]; then + stat_fail + else + add_daemon ip6tables + stat_done + fi + else + stat_fail + fi + ;; + stop) + stat_busy "Stopping IP6 Tables" + if ! ck_daemon ip6tables; then + fail=0 + for table in $(cat /proc/net/ip6_tables_names); do + ip6tables-restore < /var/lib/iptables/empty-$table.rules + [ $? -gt 0 ] && fail=1 + done + if [ $fail -gt 0 ]; then + stat_fail + else + rm_daemon ip6tables + stat_done + fi + else + stat_fail + fi + ;; + restart) + $0 stop + $0 start + ;; + save) + stat_busy "Saving IP6 Tables" + /usr/sbin/ip6tables-save >$IP6TABLES_CONF + if [ $? -gt 0 ]; then + stat_fail + else + stat_done + fi + ;; + *) + echo "usage: $0 {start|stop|restart|save}" +esac +exit 0 diff --git a/testing/iptables/iptables b/testing/iptables/iptables new file mode 100755 index 000000000..fbb02face --- /dev/null +++ b/testing/iptables/iptables @@ -0,0 +1,68 @@ +#!/bin/bash + +# source application-specific settings +[ -f /etc/conf.d/iptables ] && . /etc/conf.d/iptables + +# Set defaults if settings are missing +[ -z "$IPTABLES_CONF" ] && IPTABLES_CONF=/etc/iptables/iptables.rules + +. /etc/rc.conf +. /etc/rc.d/functions + +case "$1" in + start) + if [ ! -f "$IPTABLES_CONF" ]; then + echo "Cannot load iptables rules: $IPTABLES_CONF is missing!" >&2 + exit 1 + fi + stat_busy "Starting IP Tables" + if [ "$IPTABLES_FORWARD" = "1" ]; then + echo 1 >/proc/sys/net/ipv4/ip_forward + fi + if ck_daemon iptables; then + /usr/sbin/iptables-restore < $IPTABLES_CONF + if [ $? -gt 0 ]; then + stat_fail + else + add_daemon iptables + stat_done + fi + else + stat_fail + fi + ;; + stop) + stat_busy "Stopping IP Tables" + if ! ck_daemon iptables; then + fail=0 + for table in $(cat /proc/net/ip_tables_names); do + iptables-restore < /var/lib/iptables/empty-$table.rules + [ $? -gt 0 ] && fail=1 + done + if [ $fail -gt 0 ]; then + stat_fail + else + rm_daemon iptables + stat_done + fi + else + stat_fail + fi + ;; + restart) + $0 stop + $0 start + ;; + save) + stat_busy "Saving IP Tables" + /usr/sbin/iptables-save >$IPTABLES_CONF + if [ $? -gt 0 ]; then + stat_fail + else + stat_done + fi + ;; + *) + echo "usage: $0 {start|stop|restart|save}" +esac +exit 0 diff --git a/testing/iptables/iptables.conf.d b/testing/iptables/iptables.conf.d new file mode 100644 index 000000000..1c6cc7b5d --- /dev/null +++ b/testing/iptables/iptables.conf.d @@ -0,0 +1,12 @@ +# Configuration for iptables rules +IPTABLES_CONF=/etc/iptables/iptables.rules +IP6TABLES_CONF=/etc/iptables/ip6tables.rules + +# Enable IP forwarding (both IPv4 and IPv6) +# NOTE: this is not the recommended way to do this, and is supported only for +# backward compatibility. Instead, use /etc/sysctl.conf and set the following +# options: +# * net.ipv4.ip_forward=1 +# * net.ipv6.conf.default.forwarding=1 +# * net.ipv6.conf.all.forwarding=1 +#IPTABLES_FORWARD=0 diff --git a/testing/iptables/simple_firewall.rules b/testing/iptables/simple_firewall.rules new file mode 100644 index 000000000..e1604cc36 --- /dev/null +++ b/testing/iptables/simple_firewall.rules @@ -0,0 +1,11 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -p icmp -j ACCEPT +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -j REJECT --reject-with tcp-reset +-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable +-A INPUT -j REJECT --reject-with icmp-proto-unreachable +COMMIT |