summaryrefslogtreecommitdiff
path: root/testing/iptables
diff options
context:
space:
mode:
authorroot <root@rshg054.dnsready.net>2011-09-03 23:14:38 +0000
committerroot <root@rshg054.dnsready.net>2011-09-03 23:14:38 +0000
commit3b18be1752c9fd9fa74eb1314ca97dd61e9ce912 (patch)
tree695198e2351a85f6c3a8fe7ba53ba5e4a4ec2bdd /testing/iptables
parentb37ee9de1a430956d9e5958ebd9d7e0dbfc79327 (diff)
Sat Sep 3 23:14:38 UTC 2011
Diffstat (limited to 'testing/iptables')
-rw-r--r--testing/iptables/PKGBUILD69
-rw-r--r--testing/iptables/empty-filter.rules6
-rw-r--r--testing/iptables/empty-mangle.rules8
-rw-r--r--testing/iptables/empty-nat.rules7
-rw-r--r--testing/iptables/empty-raw.rules5
-rw-r--r--testing/iptables/empty-security.rules6
-rw-r--r--testing/iptables/empty.rules6
-rwxr-xr-xtesting/iptables/ip6tables69
-rwxr-xr-xtesting/iptables/iptables68
-rw-r--r--testing/iptables/iptables.conf.d12
-rw-r--r--testing/iptables/simple_firewall.rules11
11 files changed, 267 insertions, 0 deletions
diff --git a/testing/iptables/PKGBUILD b/testing/iptables/PKGBUILD
new file mode 100644
index 000000000..d856612e3
--- /dev/null
+++ b/testing/iptables/PKGBUILD
@@ -0,0 +1,69 @@
+# $Id: PKGBUILD 136877 2011-09-02 16:01:49Z ronald $
+# Maintainer: Ronald van Haren <ronald.archlinux.org>
+# Contributor: Thomas Baechler <thomas@archlinux.org>
+
+pkgname=iptables
+pkgver=1.4.12.1
+pkgrel=1
+pkgdesc="A Linux kernel packet control tool"
+arch=('i686' 'x86_64')
+license=('GPL2')
+url="http://www.netfilter.org/projects/iptables/index.html"
+depends=('glibc' 'bash')
+makedepends=('linux-api-headers')
+options=('!libtool')
+source=(http://www.iptables.org/projects/iptables/files/${pkgname}-${pkgver}.tar.bz2
+ iptables
+ ip6tables
+ empty.rules
+ simple_firewall.rules
+ iptables.conf.d
+ empty-filter.rules
+ empty-mangle.rules
+ empty-nat.rules
+ empty-raw.rules
+ empty-security.rules)
+backup=(etc/conf.d/iptables)
+sha1sums=('86022c3b5129ad7105f5087ec1349e99cc5a9728'
+ '5bb6fa526665cdd728c26f0f282f5a51f220cf88'
+ '2db68906b603e5268736f48c8e251f3a49da1d75'
+ '83b3363878e3660ce23b2ad325b53cbd6c796ecf'
+ '9907f9e815592837abc7fa3264a401567b7606ab'
+ 'cdb830137192bbe002c6d01058656bd053ed0ddd'
+ 'd9f9f06b46b4187648e860afa0552335aafe3ce4'
+ 'c45b738b5ec4cfb11611b984c21a83b91a2d58f3'
+ '1694d79b3e6e9d9d543f6a6e75fed06066c9a6c6'
+ '7db53bb882f62f6c677cc8559cff83d8bae2ef73'
+ 'ebbd1424a1564fd45f455a81c61ce348f0a14c2e')
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ # http://bugs.archlinux.org/task/17046
+ sed -i '87 i libxt_RATEEST.so: libxt_RATEEST.oo' extensions/GNUmakefile.in
+ sed -i '88 i \\t${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -lm -shared ${LDFLAGS} -o $@ $<;\n' extensions/GNUmakefile.in
+
+ # FS#25358: libxt_statistic.so undefined symbol: lround
+ export LDFLAGS="-lm"
+
+ ./configure --prefix=/usr \
+ --libexecdir=/usr/lib/iptables --sysconfdir=/etc \
+ --with-xtlibdir=/usr/lib/iptables \
+ --enable-devel --enable-libipq
+
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR="${pkgdir}" install
+
+ cd "${srcdir}"
+ install -D -m755 iptables "${pkgdir}"/etc/rc.d/iptables
+ install -D -m755 ip6tables "${pkgdir}"/etc/rc.d/ip6tables
+ install -D -m644 empty.rules "${pkgdir}"/etc/iptables/empty.rules
+ install -D -m644 simple_firewall.rules "${pkgdir}"/etc/iptables/simple_firewall.rules
+ install -D -m644 iptables.conf.d "${pkgdir}"/etc/conf.d/iptables
+
+ mkdir -p "${pkgdir}/var/lib/iptables"
+ install -m644 empty-{filter,mangle,nat,raw,security}.rules ${pkgdir}/var/lib/iptables/
+}
diff --git a/testing/iptables/empty-filter.rules b/testing/iptables/empty-filter.rules
new file mode 100644
index 000000000..5a4de4876
--- /dev/null
+++ b/testing/iptables/empty-filter.rules
@@ -0,0 +1,6 @@
+# Empty iptables filter table rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/testing/iptables/empty-mangle.rules b/testing/iptables/empty-mangle.rules
new file mode 100644
index 000000000..49d493c4d
--- /dev/null
+++ b/testing/iptables/empty-mangle.rules
@@ -0,0 +1,8 @@
+# Empty iptables mangle table rules file
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
diff --git a/testing/iptables/empty-nat.rules b/testing/iptables/empty-nat.rules
new file mode 100644
index 000000000..437e96411
--- /dev/null
+++ b/testing/iptables/empty-nat.rules
@@ -0,0 +1,7 @@
+# Empty iptables nat table rules file
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
diff --git a/testing/iptables/empty-raw.rules b/testing/iptables/empty-raw.rules
new file mode 100644
index 000000000..8dc50d23e
--- /dev/null
+++ b/testing/iptables/empty-raw.rules
@@ -0,0 +1,5 @@
+# Empty iptables raw table rules file
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/testing/iptables/empty-security.rules b/testing/iptables/empty-security.rules
new file mode 100644
index 000000000..4531fa13f
--- /dev/null
+++ b/testing/iptables/empty-security.rules
@@ -0,0 +1,6 @@
+# Empty iptables security table rules file
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/testing/iptables/empty.rules b/testing/iptables/empty.rules
new file mode 100644
index 000000000..e24e1aa30
--- /dev/null
+++ b/testing/iptables/empty.rules
@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/testing/iptables/ip6tables b/testing/iptables/ip6tables
new file mode 100755
index 000000000..2d119e3ed
--- /dev/null
+++ b/testing/iptables/ip6tables
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# source application-specific settings
+[ -f /etc/conf.d/iptables ] && . /etc/conf.d/iptables
+
+# Set defaults if settings are missing
+[ -z "$IP6TABLES_CONF" ] && IP6TABLES_CONF=/etc/iptables/ip6tables.rules
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+case "$1" in
+ start)
+ if [ ! -f "$IP6TABLES_CONF" ]; then
+ echo "Cannot load ip6tables rules: $IP6TABLES_CONF is missing!" >&2
+ exit 1
+ fi
+ stat_busy "Starting IP6 Tables"
+ if [ "$IPTABLES_FORWARD" = "1" ]; then
+ echo 1 >/proc/sys/net/ipv6/conf/default/forwarding
+ echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
+ fi
+ if ck_daemon ip6tables; then
+ /usr/sbin/ip6tables-restore < $IP6TABLES_CONF
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon ip6tables
+ stat_done
+ fi
+ else
+ stat_fail
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping IP6 Tables"
+ if ! ck_daemon ip6tables; then
+ fail=0
+ for table in $(cat /proc/net/ip6_tables_names); do
+ ip6tables-restore < /var/lib/iptables/empty-$table.rules
+ [ $? -gt 0 ] && fail=1
+ done
+ if [ $fail -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon ip6tables
+ stat_done
+ fi
+ else
+ stat_fail
+ fi
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ save)
+ stat_busy "Saving IP6 Tables"
+ /usr/sbin/ip6tables-save >$IP6TABLES_CONF
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ stat_done
+ fi
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart|save}"
+esac
+exit 0
diff --git a/testing/iptables/iptables b/testing/iptables/iptables
new file mode 100755
index 000000000..fbb02face
--- /dev/null
+++ b/testing/iptables/iptables
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# source application-specific settings
+[ -f /etc/conf.d/iptables ] && . /etc/conf.d/iptables
+
+# Set defaults if settings are missing
+[ -z "$IPTABLES_CONF" ] && IPTABLES_CONF=/etc/iptables/iptables.rules
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+case "$1" in
+ start)
+ if [ ! -f "$IPTABLES_CONF" ]; then
+ echo "Cannot load iptables rules: $IPTABLES_CONF is missing!" >&2
+ exit 1
+ fi
+ stat_busy "Starting IP Tables"
+ if [ "$IPTABLES_FORWARD" = "1" ]; then
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+ fi
+ if ck_daemon iptables; then
+ /usr/sbin/iptables-restore < $IPTABLES_CONF
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon iptables
+ stat_done
+ fi
+ else
+ stat_fail
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping IP Tables"
+ if ! ck_daemon iptables; then
+ fail=0
+ for table in $(cat /proc/net/ip_tables_names); do
+ iptables-restore < /var/lib/iptables/empty-$table.rules
+ [ $? -gt 0 ] && fail=1
+ done
+ if [ $fail -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon iptables
+ stat_done
+ fi
+ else
+ stat_fail
+ fi
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ save)
+ stat_busy "Saving IP Tables"
+ /usr/sbin/iptables-save >$IPTABLES_CONF
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ stat_done
+ fi
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart|save}"
+esac
+exit 0
diff --git a/testing/iptables/iptables.conf.d b/testing/iptables/iptables.conf.d
new file mode 100644
index 000000000..1c6cc7b5d
--- /dev/null
+++ b/testing/iptables/iptables.conf.d
@@ -0,0 +1,12 @@
+# Configuration for iptables rules
+IPTABLES_CONF=/etc/iptables/iptables.rules
+IP6TABLES_CONF=/etc/iptables/ip6tables.rules
+
+# Enable IP forwarding (both IPv4 and IPv6)
+# NOTE: this is not the recommended way to do this, and is supported only for
+# backward compatibility. Instead, use /etc/sysctl.conf and set the following
+# options:
+# * net.ipv4.ip_forward=1
+# * net.ipv6.conf.default.forwarding=1
+# * net.ipv6.conf.all.forwarding=1
+#IPTABLES_FORWARD=0
diff --git a/testing/iptables/simple_firewall.rules b/testing/iptables/simple_firewall.rules
new file mode 100644
index 000000000..e1604cc36
--- /dev/null
+++ b/testing/iptables/simple_firewall.rules
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT