Improve CommandUtils.findFile() function to filter out directories.
That allows us to have an iptables file in the iptables directory.
Change-Id: Ib556b6d5dfa222f9e121b8a553075cd2a3587ad3
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1976
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Divya Thaluru <dthaluru@vmware.com>
| 3 | 3 |
deleted file mode 100644 |
@@ -1,71 +0,0 @@ |
| 1 |
-#!/bin/sh |
|
| 2 |
- |
|
| 3 |
-# Begin /etc/systemd/scripts/iptables |
|
| 4 |
- |
|
| 5 |
-# Insert connection-tracking modules |
|
| 6 |
-# (not needed if built into the kernel) |
|
| 7 |
-modprobe nf_conntrack |
|
| 8 |
-modprobe xt_LOG |
|
| 9 |
- |
|
| 10 |
-# Enable broadcast echo Protection |
|
| 11 |
-echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts |
|
| 12 |
- |
|
| 13 |
-# Disable Source Routed Packets |
|
| 14 |
-echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route |
|
| 15 |
-echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route |
|
| 16 |
- |
|
| 17 |
-# Enable TCP SYN Cookie Protection |
|
| 18 |
-echo 1 > /proc/sys/net/ipv4/tcp_syncookies |
|
| 19 |
- |
|
| 20 |
-# Disable ICMP Redirect Acceptance |
|
| 21 |
-echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects |
|
| 22 |
- |
|
| 23 |
-# Do not send Redirect Messages |
|
| 24 |
-echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects |
|
| 25 |
-echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects |
|
| 26 |
- |
|
| 27 |
-# Drop Spoofed Packets coming in on an interface, where responses |
|
| 28 |
-# would result in the reply going out a different interface. |
|
| 29 |
-echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter |
|
| 30 |
-echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter |
|
| 31 |
- |
|
| 32 |
-# Log packets with impossible addresses. |
|
| 33 |
-echo 1 > /proc/sys/net/ipv4/conf/all/log_martians |
|
| 34 |
-echo 1 > /proc/sys/net/ipv4/conf/default/log_martians |
|
| 35 |
- |
|
| 36 |
-# be verbose on dynamic ip-addresses (not needed in case of static IP) |
|
| 37 |
-echo 2 > /proc/sys/net/ipv4/ip_dynaddr |
|
| 38 |
- |
|
| 39 |
-# disable Explicit Congestion Notification |
|
| 40 |
-# too many routers are still ignorant |
|
| 41 |
-echo 0 > /proc/sys/net/ipv4/tcp_ecn |
|
| 42 |
- |
|
| 43 |
-# Set a known state |
|
| 44 |
-iptables -P INPUT DROP |
|
| 45 |
-iptables -P FORWARD DROP |
|
| 46 |
-iptables -P OUTPUT DROP |
|
| 47 |
- |
|
| 48 |
-# These lines are here in case rules are already in place and the |
|
| 49 |
-# script is ever rerun on the fly. We want to remove all rules and |
|
| 50 |
-# pre-existing user defined chains before we implement new rules. |
|
| 51 |
-iptables -F |
|
| 52 |
-iptables -X |
|
| 53 |
-iptables -Z |
|
| 54 |
- |
|
| 55 |
-iptables -t nat -F |
|
| 56 |
- |
|
| 57 |
-# Allow local-only connections |
|
| 58 |
-iptables -A INPUT -i lo -j ACCEPT |
|
| 59 |
- |
|
| 60 |
-# Free output on any interface to any ip for any service |
|
| 61 |
-# (equal to -P ACCEPT) |
|
| 62 |
-iptables -A OUTPUT -j ACCEPT |
|
| 63 |
- |
|
| 64 |
-# Permit answers on already established connections |
|
| 65 |
-# and permit new connections related to established ones |
|
| 66 |
-# (e.g. port mode ftp) |
|
| 67 |
-iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
|
| 68 |
- |
|
| 69 |
-#Enable ssh connections |
|
| 70 |
-iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
|
| 71 |
-# End /etc/systemd/scripts/iptables |
| 72 | 1 |
new file mode 100644 |
@@ -0,0 +1,74 @@ |
| 0 |
+#!/bin/sh |
|
| 1 |
+ |
|
| 2 |
+# Begin /etc/systemd/scripts/iptables |
|
| 3 |
+ |
|
| 4 |
+# Insert connection-tracking modules |
|
| 5 |
+# (not needed if built into the kernel) |
|
| 6 |
+modprobe nf_conntrack |
|
| 7 |
+modprobe xt_LOG |
|
| 8 |
+ |
|
| 9 |
+# Enable broadcast echo Protection |
|
| 10 |
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts |
|
| 11 |
+ |
|
| 12 |
+# Disable Source Routed Packets |
|
| 13 |
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route |
|
| 14 |
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route |
|
| 15 |
+ |
|
| 16 |
+# Enable TCP SYN Cookie Protection |
|
| 17 |
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies |
|
| 18 |
+ |
|
| 19 |
+# Disable ICMP Redirect Acceptance |
|
| 20 |
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects |
|
| 21 |
+ |
|
| 22 |
+# Do not send Redirect Messages |
|
| 23 |
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects |
|
| 24 |
+echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects |
|
| 25 |
+ |
|
| 26 |
+# Drop Spoofed Packets coming in on an interface, where responses |
|
| 27 |
+# would result in the reply going out a different interface. |
|
| 28 |
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter |
|
| 29 |
+echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter |
|
| 30 |
+ |
|
| 31 |
+# Log packets with impossible addresses. |
|
| 32 |
+echo 1 > /proc/sys/net/ipv4/conf/all/log_martians |
|
| 33 |
+echo 1 > /proc/sys/net/ipv4/conf/default/log_martians |
|
| 34 |
+ |
|
| 35 |
+# be verbose on dynamic ip-addresses (not needed in case of static IP) |
|
| 36 |
+echo 2 > /proc/sys/net/ipv4/ip_dynaddr |
|
| 37 |
+ |
|
| 38 |
+# disable Explicit Congestion Notification |
|
| 39 |
+# too many routers are still ignorant |
|
| 40 |
+echo 0 > /proc/sys/net/ipv4/tcp_ecn |
|
| 41 |
+ |
|
| 42 |
+# Set a known state |
|
| 43 |
+iptables -P INPUT DROP |
|
| 44 |
+iptables -P FORWARD DROP |
|
| 45 |
+iptables -P OUTPUT DROP |
|
| 46 |
+ |
|
| 47 |
+# These lines are here in case rules are already in place and the |
|
| 48 |
+# script is ever rerun on the fly. We want to remove all rules and |
|
| 49 |
+# pre-existing user defined chains before we implement new rules. |
|
| 50 |
+iptables -F |
|
| 51 |
+iptables -X |
|
| 52 |
+iptables -Z |
|
| 53 |
+ |
|
| 54 |
+iptables -t nat -F |
|
| 55 |
+iptables -t nat -X |
|
| 56 |
+iptables -t mangle -F |
|
| 57 |
+iptables -t mangle -X |
|
| 58 |
+ |
|
| 59 |
+# Allow local-only connections |
|
| 60 |
+iptables -A INPUT -i lo -j ACCEPT |
|
| 61 |
+ |
|
| 62 |
+# Free output on any interface to any ip for any service |
|
| 63 |
+# (equal to -P ACCEPT) |
|
| 64 |
+iptables -A OUTPUT -j ACCEPT |
|
| 65 |
+ |
|
| 66 |
+# Permit answers on already established connections |
|
| 67 |
+# and permit new connections related to established ones |
|
| 68 |
+# (e.g. port mode ftp) |
|
| 69 |
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
|
| 70 |
+ |
|
| 71 |
+#Enable ssh connections |
|
| 72 |
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
|
| 73 |
+# End /etc/systemd/scripts/iptables |
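Review bot: The "Disable ICMP Redirect Acceptance" line (new line 20) writes only `/proc/sys/net/ipv4/conf/default/accept_redirects`, while every other sysctl in the script sets both the `all` and the `default` entry. `default` only seeds interfaces created after the write, and the accompanying unit runs after network.target, so interfaces that already exist may keep the kernel's host default of accepting redirects; add `echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects` beside it and confirm the effective per-interface value on a booted host, since the kernel combines the `all` and per-interface values differently depending on whether forwarding is enabled. The script also configures only `iptables`; if IPv6 is enabled on the host, the ip6tables chains keep their kernel default policy, which this script never changes, so a comment stating that the DROP policies apply to IPv4 only would make the coverage explicit.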
| 0 | 74 |
new file mode 100644 |
@@ -0,0 +1,14 @@ |
| 0 |
+[Unit] |
|
| 1 |
+Description=Load Iptables Rules |
|
| 2 |
+ConditionFileIsExecutable=/etc/systemd/scripts/iptables |
|
| 3 |
+After=network.target |
|
| 4 |
+ |
|
| 5 |
+[Service] |
|
| 6 |
+Type=forking |
|
| 7 |
+ExecStart=/etc/systemd/scripts/iptables |
|
| 8 |
+ExecStop=/etc/systemd/scripts/iptables.stop |
|
| 9 |
+TimeoutSec=0 |
|
| 10 |
+RemainAfterExit=yes |
|
| 11 |
+ |
|
| 12 |
+[Install] |
|
| 13 |
+WantedBy=multi-user.target |
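Review bot: `After=network.target` orders the rule load after the network is up, which leaves a boot window in which interfaces are configured while the filter chains still carry their default policy; systemd's documented ordering for firewall setup is `Before=network-pre.target` together with `Wants=network-pre.target` (check whether the unit's default dependencies still let it start that early). `Type=forking` does not match the script, which runs its commands and exits without forking; `Type=oneshot`, combined with the existing `RemainAfterExit=yes`, is the conventional form for a rule-loading script. `TimeoutSec=0` disables the start/stop timeout entirely, which is presumably deliberate but worth a one-line comment, since a hung `modprobe` would then block the unit indefinitely.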
@@ -1,18 +1,17 @@ |
| 1 | 1 |
Summary: Linux kernel packet control tool |
| 2 | 2 |
Name: iptables |
| 3 | 3 |
Version: 1.6.0 |
| 4 |
-Release: 5%{?dist}
|
|
| 4 |
+Release: 6%{?dist}
|
|
| 5 | 5 |
License: GPLv2+ |
| 6 | 6 |
URL: http://www.netfilter.org/projects/iptables |
| 7 | 7 |
Group: System Environment/Security |
| 8 | 8 |
Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
|
| 11 |
-%define sha1 iptables=21a694e75b0d6863cc001f85fb15915d12b8cc22 |
|
| 12 |
-Source1: http://www.linuxfromscratch.org/blfs/downloads/systemd/blfs-systemd-units-20140907.tar.bz2 |
|
| 13 |
-%define sha1 blfs-systemd-units=713afb3bbe681314650146e5ec412ef77aa1fe33 |
|
| 14 |
-Source2: iptable_rules |
|
| 15 |
-Patch1: blfs_systemd_fixes.patch |
|
| 11 |
+%define sha1 iptables-=21a694e75b0d6863cc001f85fb15915d12b8cc22 |
|
| 12 |
+Source1: iptables.service |
|
| 13 |
+Source2: iptables |
|
| 14 |
+Source3: iptables.stop |
|
| 16 | 15 |
BuildRequires: systemd |
| 17 | 16 |
Requires: systemd |
| 18 | 17 |
%description |
@@ -21,9 +20,6 @@ firewall tool for Linux is Iptables. You will need to install |
| 21 | 21 |
Iptables if you intend on using any form of a firewall. |
| 22 | 22 |
%prep |
| 23 | 23 |
%setup -q |
| 24 |
-tar xf %{SOURCE1} --no-same-owner
|
|
| 25 |
-cp %{SOURCE2} .
|
|
| 26 |
-%patch1 -p0 |
|
| 27 | 24 |
%build |
| 28 | 25 |
./configure \ |
| 29 | 26 |
CFLAGS="%{optflags}" \
|
@@ -44,13 +40,13 @@ make V=0 |
| 44 | 44 |
[ %{buildroot} != "/"] && rm -rf %{buildroot}/*
|
| 45 | 45 |
make DESTDIR=%{buildroot} install
|
| 46 | 46 |
ln -sfv ../../sbin/xtables-multi %{buildroot}%{_libdir}/iptables-xml
|
| 47 |
-# Install daemon script |
|
| 48 |
-pushd blfs-systemd-units-20140907 |
|
| 49 |
-make DESTDIR=%{buildroot} install-iptables
|
|
| 50 |
-popd |
|
| 47 |
+# Install daemon scripts |
|
| 48 |
+install -vdm755 %{buildroot}%{_unitdir}
|
|
| 49 |
+install -m 644 %{SOURCE1} %{buildroot}%{_unitdir}
|
|
| 51 | 50 |
install -vdm755 %{buildroot}/etc/systemd/scripts
|
| 52 |
-cp iptable_rules %{buildroot}/etc/systemd/scripts/iptables
|
|
| 53 |
-chmod 755 %{buildroot}/etc/systemd/scripts/iptables
|
|
| 51 |
+install -m 755 %{SOURCE2} %{buildroot}/etc/systemd/scripts
|
|
| 52 |
+install -m 755 %{SOURCE3} %{buildroot}/etc/systemd/scripts
|
|
| 53 |
+ |
|
| 54 | 54 |
find %{buildroot} -name '*.a' -delete
|
| 55 | 55 |
find %{buildroot} -name '*.la' -delete
|
| 56 | 56 |
%{_fixperms} %{buildroot}/*
|
@@ -71,6 +67,7 @@ rm -rf %{buildroot}/*
|
| 71 | 71 |
%files |
| 72 | 72 |
%defattr(-,root,root) |
| 73 | 73 |
%config(noreplace) /etc/systemd/scripts/iptables |
| 74 |
+%config(noreplace) /etc/systemd/scripts/iptables.stop |
|
| 74 | 75 |
/lib/systemd/system/iptables.service |
| 75 | 76 |
/sbin/* |
| 76 | 77 |
%{_bindir}/*
|
@@ -83,6 +80,8 @@ rm -rf %{buildroot}/*
|
| 83 | 83 |
%{_mandir}/man3/*
|
| 84 | 84 |
%{_mandir}/man8/*
|
| 85 | 85 |
%changelog |
| 86 |
+* Wed Jan 18 2017 Alexey Makhalov <amakhalov@vmware.com> 1.6.0-6 |
|
| 87 |
+- Flush iptables on service stop |
|
| 86 | 88 |
* Tue Aug 30 2016 Anish Swaminathan <anishs@vmware.com> 1.6.0-5 |
| 87 | 89 |
- Change config file properties for iptables script |
| 88 | 90 |
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.6.0-4 |
| 89 | 91 |
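Review bot: The `%install` hunk places the unit with `install -m 644 %{SOURCE1} %{buildroot}%{_unitdir}`, but `%files` still lists the literal path `/lib/systemd/system/iptables.service`; the two agree only while `%{_unitdir}` expands to `/lib/systemd/system`, so list it as `%{_unitdir}/iptables.service` to keep install and packaging in sync. The checksum key change from `iptables=` to `iptables-=` in the first hunk looks intended to stop the key from also matching the new `iptables`, `iptables.service` and `iptables.stop` sources; a short comment above the `%define sha1` line saying so would stop the next reader from treating it as a typo. The changelog entry "Flush iptables on service stop" describes the new stop script but not the move of the rules script or the unit file now shipped from the package directory; mentioning those keeps the release note complete.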
new file mode 100644 |
@@ -0,0 +1,16 @@ |
| 0 |
+#! /bin/sh |
|
| 1 |
+ |
|
| 2 |
+# Begin /etc/systemd/scripts/iptables.stop |
|
| 3 |
+ |
|
| 4 |
+iptables -Z |
|
| 5 |
+iptables -F |
|
| 6 |
+iptables -t nat -F |
|
| 7 |
+iptables -t nat -X |
|
| 8 |
+iptables -t mangle -F |
|
| 9 |
+iptables -t mangle -X |
|
| 10 |
+iptables -X |
|
| 11 |
+iptables -P INPUT ACCEPT |
|
| 12 |
+iptables -P FORWARD ACCEPT |
|
| 13 |
+iptables -P OUTPUT ACCEPT |
|
| 14 |
+ |
|
| 15 |
+# End /etc/systemd/scripts/iptables.stop |
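Review bot: The stop script ends by setting every filter chain policy to ACCEPT, so after any stop of the unit (including the stop phase of a restart) the host runs with no packet filter at all rather than a closed one. That is a defensible choice, since a DROP policy with no rules would also cut the administrator's ssh session, but it deserves a comment at the top of the script, e.g. `# Flushes all rules and returns every chain policy to ACCEPT: the host is unfiltered until the service is started again.`. The shebang `#! /bin/sh` also differs from the `#!/bin/sh` used by the start script; `#!/bin/sh` keeps the two consistent.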
@@ -6,7 +6,7 @@ class CommandUtils(object): |
| 6 | 6 |
self.findBinary = "find" |
| 7 | 7 |
|
| 8 | 8 |
def findFile (self, filename, sourcePath): |
| 9 |
- process = subprocess.Popen([self.findBinary, "-L", sourcePath, "-name", filename], stdout=subprocess.PIPE) |
|
| 9 |
+ process = subprocess.Popen([self.findBinary, "-L", sourcePath, "-name", filename, "-not", "-type", "d"], stdout=subprocess.PIPE) |
|
| 10 | 10 |
returnVal = process.wait() |
| 11 | 11 |
if returnVal != 0: |
| 12 | 12 |
return None |
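Review bot: `process.wait()` on line 10 runs before anything reads the `stdout=subprocess.PIPE` pipe; if `find` writes more than the pipe buffer holds (many matches under `sourcePath`, which now include every non-directory entry sharing the name), `find` blocks on write and `wait()` never returns. Replace the wait with `out, _ = process.communicate()` and test `process.returncode != 0`, then parse `out` where the function currently reads the pipe; the remainder of findFile is outside the hunk. Separately, `-name` treats `filename` as a shell glob, so a name containing `*`, `?` or `[` matches more than the literal file; if callers can pass such names, escape those characters before building the argument (`glob.escape` does this on Python 3.4+). The new `-not -type d` filter, combined with `-L`, also drops symlinks that resolve to directories, which appears to be the intent and is worth stating in a one-line comment above the `Popen` call.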