Improve CommandUtils.findFile() function to filter out directories.
That allows us to have an `iptables` file inside the `iptables` directory.
Change-Id: Ib556b6d5dfa222f9e121b8a553075cd2a3587ad3
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1976
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Divya Thaluru <dthaluru@vmware.com>
deleted file mode 100644 |
... | ... |
@@ -1,71 +0,0 @@ |
1 |
-#!/bin/sh |
|
2 |
- |
|
3 |
-# Begin /etc/systemd/scripts/iptables |
|
4 |
- |
|
5 |
-# Insert connection-tracking modules |
|
6 |
-# (not needed if built into the kernel) |
|
7 |
-modprobe nf_conntrack |
|
8 |
-modprobe xt_LOG |
|
9 |
- |
|
10 |
-# Enable broadcast echo Protection |
|
11 |
-echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts |
|
12 |
- |
|
13 |
-# Disable Source Routed Packets |
|
14 |
-echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route |
|
15 |
-echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route |
|
16 |
- |
|
17 |
-# Enable TCP SYN Cookie Protection |
|
18 |
-echo 1 > /proc/sys/net/ipv4/tcp_syncookies |
|
19 |
- |
|
20 |
-# Disable ICMP Redirect Acceptance |
|
21 |
-echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects |
|
22 |
- |
|
23 |
-# Do not send Redirect Messages |
|
24 |
-echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects |
|
25 |
-echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects |
|
26 |
- |
|
27 |
-# Drop Spoofed Packets coming in on an interface, where responses |
|
28 |
-# would result in the reply going out a different interface. |
|
29 |
-echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter |
|
30 |
-echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter |
|
31 |
- |
|
32 |
-# Log packets with impossible addresses. |
|
33 |
-echo 1 > /proc/sys/net/ipv4/conf/all/log_martians |
|
34 |
-echo 1 > /proc/sys/net/ipv4/conf/default/log_martians |
|
35 |
- |
|
36 |
-# be verbose on dynamic ip-addresses (not needed in case of static IP) |
|
37 |
-echo 2 > /proc/sys/net/ipv4/ip_dynaddr |
|
38 |
- |
|
39 |
-# disable Explicit Congestion Notification |
|
40 |
-# too many routers are still ignorant |
|
41 |
-echo 0 > /proc/sys/net/ipv4/tcp_ecn |
|
42 |
- |
|
43 |
-# Set a known state |
|
44 |
-iptables -P INPUT DROP |
|
45 |
-iptables -P FORWARD DROP |
|
46 |
-iptables -P OUTPUT DROP |
|
47 |
- |
|
48 |
-# These lines are here in case rules are already in place and the |
|
49 |
-# script is ever rerun on the fly. We want to remove all rules and |
|
50 |
-# pre-existing user defined chains before we implement new rules. |
|
51 |
-iptables -F |
|
52 |
-iptables -X |
|
53 |
-iptables -Z |
|
54 |
- |
|
55 |
-iptables -t nat -F |
|
56 |
- |
|
57 |
-# Allow local-only connections |
|
58 |
-iptables -A INPUT -i lo -j ACCEPT |
|
59 |
- |
|
60 |
-# Free output on any interface to any ip for any service |
|
61 |
-# (equal to -P ACCEPT) |
|
62 |
-iptables -A OUTPUT -j ACCEPT |
|
63 |
- |
|
64 |
-# Permit answers on already established connections |
|
65 |
-# and permit new connections related to established ones |
|
66 |
-# (e.g. port mode ftp) |
|
67 |
-iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
|
68 |
- |
|
69 |
-#Enable ssh connections |
|
70 |
-iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
|
71 |
-# End /etc/systemd/scripts/iptables |
72 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,74 @@ |
0 |
+#!/bin/sh |
|
1 |
+ |
|
2 |
+# Begin /etc/systemd/scripts/iptables |
|
3 |
+ |
|
4 |
+# Insert connection-tracking modules |
|
5 |
+# (not needed if built into the kernel) |
|
6 |
+modprobe nf_conntrack |
|
7 |
+modprobe xt_LOG |
|
8 |
+ |
|
9 |
+# Enable broadcast echo Protection |
|
10 |
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts |
|
11 |
+ |
|
12 |
+# Disable Source Routed Packets |
|
13 |
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route |
|
14 |
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route |
|
15 |
+ |
|
16 |
+# Enable TCP SYN Cookie Protection |
|
17 |
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies |
|
18 |
+ |
|
19 |
+# Disable ICMP Redirect Acceptance |
|
20 |
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects |
|
21 |
+ |
|
22 |
+# Do not send Redirect Messages |
|
23 |
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects |
|
24 |
+echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects |
|
25 |
+ |
|
26 |
+# Drop Spoofed Packets coming in on an interface, where responses |
|
27 |
+# would result in the reply going out a different interface. |
|
28 |
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter |
|
29 |
+echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter |
|
30 |
+ |
|
31 |
+# Log packets with impossible addresses. |
|
32 |
+echo 1 > /proc/sys/net/ipv4/conf/all/log_martians |
|
33 |
+echo 1 > /proc/sys/net/ipv4/conf/default/log_martians |
|
34 |
+ |
|
35 |
+# be verbose on dynamic ip-addresses (not needed in case of static IP) |
|
36 |
+echo 2 > /proc/sys/net/ipv4/ip_dynaddr |
|
37 |
+ |
|
38 |
+# disable Explicit Congestion Notification |
|
39 |
+# too many routers are still ignorant |
|
40 |
+echo 0 > /proc/sys/net/ipv4/tcp_ecn |
|
41 |
+ |
|
42 |
+# Set a known state |
|
43 |
+iptables -P INPUT DROP |
|
44 |
+iptables -P FORWARD DROP |
|
45 |
+iptables -P OUTPUT DROP |
|
46 |
+ |
|
47 |
+# These lines are here in case rules are already in place and the |
|
48 |
+# script is ever rerun on the fly. We want to remove all rules and |
|
49 |
+# pre-existing user defined chains before we implement new rules. |
|
50 |
+iptables -F |
|
51 |
+iptables -X |
|
52 |
+iptables -Z |
|
53 |
+ |
|
54 |
+iptables -t nat -F |
|
55 |
+iptables -t nat -X |
|
56 |
+iptables -t mangle -F |
|
57 |
+iptables -t mangle -X |
|
58 |
+ |
|
59 |
+# Allow local-only connections |
|
60 |
+iptables -A INPUT -i lo -j ACCEPT |
|
61 |
+ |
|
62 |
+# Free output on any interface to any ip for any service |
|
63 |
+# (equal to -P ACCEPT) |
|
64 |
+iptables -A OUTPUT -j ACCEPT |
|
65 |
+ |
|
66 |
+# Permit answers on already established connections |
|
67 |
+# and permit new connections related to established ones |
|
68 |
+# (e.g. port mode ftp) |
|
69 |
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
|
70 |
+ |
|
71 |
+#Enable ssh connections |
|
72 |
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
|
73 |
+# End /etc/systemd/scripts/iptables |
0 | 74 |
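Review bot: The ICMP-redirect hardening is only half applied: `echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects` covers interfaces created after the script runs, but unlike every other sysctl in this file there is no matching `echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects`, so interfaces that are already up when the service starts keep accepting redirects; add the `all` line beside it (and consider `secure_redirects` the same way). The script also never touches ip6tables, so while the IPv4 policies go to DROP the IPv6 tables stay at their ACCEPT defaults; if IPv6 is enabled on these hosts the SSH-only posture does not hold for v6, so either mirror the policy/flush/accept block with `ip6tables` or state in the header comment that this firewall is IPv4-only. The sysctl writes run unchecked under `/bin/sh`, so a missing knob (a kernel built without the feature) fails silently; a one-line comment saying this is best-effort would set expectations.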
new file mode 100644 |
... | ... |
@@ -0,0 +1,14 @@ |
0 |
+[Unit] |
|
1 |
+Description=Load Iptables Rules |
|
2 |
+ConditionFileIsExecutable=/etc/systemd/scripts/iptables |
|
3 |
+After=network.target |
|
4 |
+ |
|
5 |
+[Service] |
|
6 |
+Type=forking |
|
7 |
+ExecStart=/etc/systemd/scripts/iptables |
|
8 |
+ExecStop=/etc/systemd/scripts/iptables.stop |
|
9 |
+TimeoutSec=0 |
|
10 |
+RemainAfterExit=yes |
|
11 |
+ |
|
12 |
+[Install] |
|
13 |
+WantedBy=multi-user.target |
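Review bot: `After=network.target` orders the rules after the network is up, so at boot there is a window in which interfaces carry traffic under the default ACCEPT policies before `/etc/systemd/scripts/iptables` sets DROP; a firewall unit should hook the pre-network stage instead, i.e. replace that line with `Before=network-pre.target` and `Wants=network-pre.target` (the systemd.special documentation describes this pattern, optionally with `DefaultDependencies=no`). `Type=forking` also does not match the script, which runs to completion without forking; `Type=oneshot` together with the existing `RemainAfterExit=yes` is the type systemd documents for a run-once rules loader. Only the start script is guarded by `ConditionFileIsExecutable`; if `iptables.stop` is missing or not executable the stop action fails rather than being skipped, which is harmless but worth knowing.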
... | ... |
@@ -1,18 +1,17 @@ |
1 | 1 |
Summary: Linux kernel packet control tool |
2 | 2 |
Name: iptables |
3 | 3 |
Version: 1.6.0 |
4 |
-Release: 5%{?dist} |
|
4 |
+Release: 6%{?dist} |
|
5 | 5 |
License: GPLv2+ |
6 | 6 |
URL: http://www.netfilter.org/projects/iptables |
7 | 7 |
Group: System Environment/Security |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 |
11 |
-%define sha1 iptables=21a694e75b0d6863cc001f85fb15915d12b8cc22 |
|
12 |
-Source1: http://www.linuxfromscratch.org/blfs/downloads/systemd/blfs-systemd-units-20140907.tar.bz2 |
|
13 |
-%define sha1 blfs-systemd-units=713afb3bbe681314650146e5ec412ef77aa1fe33 |
|
14 |
-Source2: iptable_rules |
|
15 |
-Patch1: blfs_systemd_fixes.patch |
|
11 |
+%define sha1 iptables-=21a694e75b0d6863cc001f85fb15915d12b8cc22 |
|
12 |
+Source1: iptables.service |
|
13 |
+Source2: iptables |
|
14 |
+Source3: iptables.stop |
|
16 | 15 |
BuildRequires: systemd |
17 | 16 |
Requires: systemd |
18 | 17 |
%description |
... | ... |
@@ -21,9 +20,6 @@ firewall tool for Linux is Iptables. You will need to install |
21 | 21 |
Iptables if you intend on using any form of a firewall. |
22 | 22 |
%prep |
23 | 23 |
%setup -q |
24 |
-tar xf %{SOURCE1} --no-same-owner |
|
25 |
-cp %{SOURCE2} . |
|
26 |
-%patch1 -p0 |
|
27 | 24 |
%build |
28 | 25 |
./configure \ |
29 | 26 |
CFLAGS="%{optflags}" \ |
... | ... |
@@ -44,13 +40,13 @@ make V=0 |
44 | 44 |
[ %{buildroot} != "/"] && rm -rf %{buildroot}/* |
45 | 45 |
make DESTDIR=%{buildroot} install |
46 | 46 |
ln -sfv ../../sbin/xtables-multi %{buildroot}%{_libdir}/iptables-xml |
47 |
-# Install daemon script |
|
48 |
-pushd blfs-systemd-units-20140907 |
|
49 |
-make DESTDIR=%{buildroot} install-iptables |
|
50 |
-popd |
|
47 |
+# Install daemon scripts |
|
48 |
+install -vdm755 %{buildroot}%{_unitdir} |
|
49 |
+install -m 644 %{SOURCE1} %{buildroot}%{_unitdir} |
|
51 | 50 |
install -vdm755 %{buildroot}/etc/systemd/scripts |
52 |
-cp iptable_rules %{buildroot}/etc/systemd/scripts/iptables |
|
53 |
-chmod 755 %{buildroot}/etc/systemd/scripts/iptables |
|
51 |
+install -m 755 %{SOURCE2} %{buildroot}/etc/systemd/scripts |
|
52 |
+install -m 755 %{SOURCE3} %{buildroot}/etc/systemd/scripts |
|
53 |
+ |
|
54 | 54 |
find %{buildroot} -name '*.a' -delete |
55 | 55 |
find %{buildroot} -name '*.la' -delete |
56 | 56 |
%{_fixperms} %{buildroot}/* |
... | ... |
@@ -71,6 +67,7 @@ rm -rf %{buildroot}/* |
71 | 71 |
%files |
72 | 72 |
%defattr(-,root,root) |
73 | 73 |
%config(noreplace) /etc/systemd/scripts/iptables |
74 |
+%config(noreplace) /etc/systemd/scripts/iptables.stop |
|
74 | 75 |
/lib/systemd/system/iptables.service |
75 | 76 |
/sbin/* |
76 | 77 |
%{_bindir}/* |
... | ... |
@@ -83,6 +80,8 @@ rm -rf %{buildroot}/* |
83 | 83 |
%{_mandir}/man3/* |
84 | 84 |
%{_mandir}/man8/* |
85 | 85 |
%changelog |
86 |
+* Wed Jan 18 2017 Alexey Makhalov <amakhalov@vmware.com> 1.6.0-6 |
|
87 |
+- Flush iptables on service stop |
|
86 | 88 |
* Tue Aug 30 2016 Anish Swaminathan <anishs@vmware.com> 1.6.0-5 |
87 | 89 |
- Change config file properties for iptables script |
88 | 90 |
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.6.0-4 |
89 | 91 |
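Review bot: The rewritten checksum pin `%define sha1 iptables-=21a694e75b0d6863cc001f85fb15915d12b8cc22` carries a stray `-` in the key where the removed line had `%define sha1 iptables=...`; if the Photon build tooling matches this define against the Source0 name, the upstream tarball's SHA-1 may no longer be checked and the build either fails or silently skips integrity verification of the download. Restore `%define sha1 iptables=21a694e75b0d6863cc001f85fb15915d12b8cc22` unless the dash form is a deliberate convention used elsewhere in the tree. Both shell scripts are marked `%config(noreplace)`, which is right for a rules file but also means a host whose `/etc/systemd/scripts/iptables` was customized will not pick up the new `nat -X`/`mangle` flush lines on upgrade; a changelog note saying so would save operators a surprise.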
new file mode 100644 |
... | ... |
@@ -0,0 +1,16 @@ |
0 |
+#! /bin/sh |
|
1 |
+ |
|
2 |
+# Begin /etc/systemd/scripts/iptables.stop |
|
3 |
+ |
|
4 |
+iptables -Z |
|
5 |
+iptables -F |
|
6 |
+iptables -t nat -F |
|
7 |
+iptables -t nat -X |
|
8 |
+iptables -t mangle -F |
|
9 |
+iptables -t mangle -X |
|
10 |
+iptables -X |
|
11 |
+iptables -P INPUT ACCEPT |
|
12 |
+iptables -P FORWARD ACCEPT |
|
13 |
+iptables -P OUTPUT ACCEPT |
|
14 |
+ |
|
15 |
+# End /etc/systemd/scripts/iptables.stop |
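Review bot: The final three lines `iptables -P INPUT ACCEPT` / `iptables -P FORWARD ACCEPT` / `iptables -P OUTPUT ACCEPT` make `systemctl stop iptables` fail open — the host accepts all traffic until the service is started again — and nothing in the file says so. Add a header comment such as `# Removes all filtering: after this runs the host accepts all traffic until the service is started again.` so anyone reading the script or the ExecStop= line knows the consequence. The shebang `#! /bin/sh` also differs from the `#!/bin/sh` in the sibling start script; harmless, but the two should match. Like the start script this does not reset ip6tables, which is consistent with the IPv4-only design but is worth stating in the same comment.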
... | ... |
@@ -6,7 +6,7 @@ class CommandUtils(object): |
6 | 6 |
self.findBinary = "find" |
7 | 7 |
|
8 | 8 |
def findFile (self, filename, sourcePath): |
9 |
- process = subprocess.Popen([self.findBinary, "-L", sourcePath, "-name", filename], stdout=subprocess.PIPE) |
|
9 |
+ process = subprocess.Popen([self.findBinary, "-L", sourcePath, "-name", filename, "-not", "-type", "d"], stdout=subprocess.PIPE) |
|
10 | 10 |
returnVal = process.wait() |
11 | 11 |
if returnVal != 0: |
12 | 12 |
return None |
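Review bot: `"-not", "-type", "d"` excludes directories but still lets `find -L` return sockets, FIFOs, device nodes and dangling symlinks, none of which can be a source file; `"-type", "f"` states the intent directly and, because of `-L`, still matches symlinks that point at regular files. Unless the build tree relies on find returning one of those special entries, prefer `[self.findBinary, "-L", sourcePath, "-name", filename, "-type", "f"]`. Note that `filename` is handed to `-name` as a glob pattern rather than a literal, so a name containing `*`, `?` or `[` matches more than intended; that predates this change, but a docstring on findFile saying the argument is a find pattern would make it explicit. The remainder of findFile, which consumes the process output after `wait()`, continues outside the hunk.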