-rw-r--r-- | .SRCINFO | 78 | ||||
-rw-r--r-- | PKGBUILD | 102 | ||||
-rw-r--r-- | arptables.service | 14 | ||||
-rw-r--r-- | ebtables.service | 14 | ||||
-rw-r--r-- | empty-filter.rules | 6 | ||||
-rw-r--r-- | empty-mangle.rules | 8 | ||||
-rw-r--r-- | empty-nat.rules | 7 | ||||
-rw-r--r-- | empty-raw.rules | 5 | ||||
-rw-r--r-- | empty-security.rules | 6 | ||||
-rw-r--r-- | empty.rules | 6 | ||||
-rw-r--r-- | ip6tables.service | 15 | ||||
-rw-r--r-- | iptables-fullconenat.install | 9 | ||||
-rw-r--r-- | iptables-legacy-flush | 18 | ||||
-rw-r--r-- | iptables-nft-flush | 18 | ||||
-rw-r--r-- | iptables.service | 14 | ||||
-rw-r--r-- | simple_firewall.rules | 11 |
16 files changed, 331 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..30de991ec1ce
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,78 @@
+pkgbase = iptables-fullconenat
+ pkgdesc = Linux kernel packet control tool
+ pkgver = 1.8.2
+ pkgrel = 1
+ epoch = 1
+ url = https://www.netfilter.org/projects/iptables/index.html
+ install = iptables-fullconenat.install
+ arch = x86_64
+ license = GPL2
+ makedepends = linux-api-headers
+ depends = libnftnl
+ depends = libpcap
+ depends = libnfnetlink
+ depends = libnetfilter_conntrack
+ depends = bash
+ depends = netfilter-fullconenat-dkms-git
+ provides = iptables
+ backup = etc/ethertypes
+ backup = etc/iptables/iptables.rules
+ backup = etc/iptables/ip6tables.rules
+ source = https://www.netfilter.org/projects/iptables/files/iptables-1.8.2.tar.bz2
+ source = https://www.netfilter.org/projects/iptables/files/iptables-1.8.2.tar.bz2.sig
+ source = empty.rules
+ source = simple_firewall.rules
+ source = empty-filter.rules
+ source = empty-mangle.rules
+ source = empty-nat.rules
+ source = empty-raw.rules
+ source = empty-security.rules
+ source = arptables.service
+ source = ebtables.service
+ source = iptables.service
+ source = ip6tables.service
+ source = iptables-legacy-flush
+ source = iptables-nft-flush
+ source = libipt_FULLCONENAT.c::https://raw.githubusercontent.com/Chion82/netfilter-full-cone-nat/master/libipt_FULLCONENAT.c
+ validpgpkeys = C09DB2063F1D7034BA6152ADAB4655A126D292E4
+ sha1sums = 215c4ef4c6cd29ef0dd265b4fa5ec51a4f930c92
+ sha1sums = SKIP
+ sha1sums = 83b3363878e3660ce23b2ad325b53cbd6c796ecf
+ sha1sums = f085a71f467e4d7cb2cf094d9369b0bcc4bab6ec
+ sha1sums = d9f9f06b46b4187648e860afa0552335aafe3ce4
+ sha1sums = c45b738b5ec4cfb11611b984c21a83b91a2d58f3
+ sha1sums = 1694d79b3e6e9d9d543f6a6e75fed06066c9a6c6
+ sha1sums = 7db53bb882f62f6c677cc8559cff83d8bae2ef73
+ sha1sums = ebbd1424a1564fd45f455a81c61ce348f0a14c2e
+ sha1sums = 95b0ee26f03132a948fea9f2136b2e2e6a4b40fe
+ sha1sums = b668ba50d55030c68431a95756bc1f291d74b2b2
+ sha1sums = 8d66d21fa4cbfe2a80478301af94ba54f65e4ea0
+ sha1sums = 9cec592787e32451f58fa608ea057870e07aa704
+ sha1sums = d10af7780d1634778d898c709e2d950aa1561856
+ sha1sums = 15c1684f3e671f4d0ede639a7c9c08e1a841511c
+ sha1sums = SKIP
+
+pkgname = iptables-fullconenat
+ pkgdesc = Linux kernel packet control tool (using legacy interface)
+
+pkgname = iptables-fullconenat-nft
+ pkgdesc = Linux kernel packet control tool (using nft interface)
+ depends = libnftnl
+ depends = libpcap
+ depends = libnfnetlink
+ depends = libnetfilter_conntrack
+ depends = bash
+ depends = netfilter-fullconenat-dkms-git
+ depends = nftables
+ provides = iptables
+ provides = arptables
+ provides = ebtables
+ conflicts = iptables
+ conflicts = arptables
+ conflicts = ebtables
+ backup = etc/ethertypes
+ backup = etc/iptables/iptables.rules
+ backup = etc/iptables/ip6tables.rules
+ backup = etc/arptables.conf
+ backup = etc/ebtables.conf
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..eb45a47498a4
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,102 @@
+# Maintainer: Edward Pacman <edward@edward-p.xyz>
+
+_pkgrealbase=iptables
+pkgbase=iptables-fullconenat
+pkgname=(iptables-fullconenat iptables-fullconenat-nft)
+pkgver=1.8.2
+pkgrel=1
+epoch=1
+pkgdesc='Linux kernel packet control tool'
+arch=(x86_64)
+license=(GPL2)
+url='https://www.netfilter.org/projects/iptables/index.html'
+depends=(libnftnl libpcap libnfnetlink libnetfilter_conntrack bash netfilter-fullconenat-dkms-git)
+makedepends=(linux-api-headers)
+provides=('iptables')
+install=${pkgbase}.install
+backup=(etc/ethertypes etc/iptables/{ip,ip6}tables.rules)
+source=(https://www.netfilter.org/projects/iptables/files/$_pkgrealbase-$pkgver.tar.bz2{,.sig}
+ empty.rules simple_firewall.rules empty-{filter,mangle,nat,raw,security}.rules
+ {arp,eb,ip,ip6}tables.service iptables-{legacy,nft}-flush
+ "libipt_FULLCONENAT.c::https://raw.githubusercontent.com/Chion82/netfilter-full-cone-nat/master/libipt_FULLCONENAT.c")
+sha1sums=('215c4ef4c6cd29ef0dd265b4fa5ec51a4f930c92'
+ 'SKIP'
+ '83b3363878e3660ce23b2ad325b53cbd6c796ecf'
+ 'f085a71f467e4d7cb2cf094d9369b0bcc4bab6ec'
+ 'd9f9f06b46b4187648e860afa0552335aafe3ce4'
+ 'c45b738b5ec4cfb11611b984c21a83b91a2d58f3'
+ '1694d79b3e6e9d9d543f6a6e75fed06066c9a6c6'
+ '7db53bb882f62f6c677cc8559cff83d8bae2ef73'
+ 'ebbd1424a1564fd45f455a81c61ce348f0a14c2e'
+ '95b0ee26f03132a948fea9f2136b2e2e6a4b40fe'
+ 'b668ba50d55030c68431a95756bc1f291d74b2b2'
+ '8d66d21fa4cbfe2a80478301af94ba54f65e4ea0'
+ '9cec592787e32451f58fa608ea057870e07aa704'
+ 'd10af7780d1634778d898c709e2d950aa1561856'
+ '15c1684f3e671f4d0ede639a7c9c08e1a841511c'
+ 'SKIP')
+validpgpkeys=('C09DB2063F1D7034BA6152ADAB4655A126D292E4') # Netfilter Core Team
+
+prepare() {
+ mkdir build
+ cd $_pkgrealbase-$pkgver
+
+ cp ../libipt_FULLCONENAT.c extensions/
+ # use system one
+ rm include/linux/types.h
+}
+
+build() {
+ cd build
+ ../$_pkgrealbase-$pkgver/configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib \
+ --enable-bpf-compiler \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared
+ sed -e 's/ -shared / -Wl,-O1,--as-needed\0/g' -i libtool
+ make
+}
+
+package_iptables-fullconenat() {
+ pkgdesc+=' (using legacy interface)'
+ _package legacy
+}
+
+package_iptables-fullconenat-nft() {
+ pkgdesc+=' (using nft interface)'
+ depends+=(nftables)
+ provides=(iptables arptables ebtables)
+ conflicts=(iptables arptables ebtables)
+ backup+=(etc/{arp,eb}tables.conf)
+
+ _package nft
+
+ install -Dt "$pkgdir/usr/lib/systemd/system" -m644 {arp,eb}tables.service
+ touch "$pkgdir"/etc/{arp,eb}tables.conf
+}
+
+_package() {
+ DESTDIR="$pkgdir" make -C build install
+
+ for _x in {arp,eb,ip,ip6}tables{,-restore,-save} iptables-xml; do
+ if [[ $1 = nft || $_x = ip* ]]; then
+ ln -sf xtables-$1-multi "$pkgdir/usr/bin/$_x"
+ else
+ rm "$pkgdir/usr/bin/$_x"
+ fi
+ done
+
+ install -Dt "$pkgdir/usr/lib/systemd/system" -m644 {ip,ip6}tables.service
+ install -D iptables-$1-flush "$pkgdir/usr/lib/systemd/scripts/iptables-flush"
+
+ install -Dm644 empty.rules "$pkgdir/etc/iptables/iptables.rules"
+ install -Dm644 empty.rules "$pkgdir/etc/iptables/ip6tables.rules"
+ install -Dt "$pkgdir/usr/share/iptables" -m644 *.rules
+ ln -srt "$pkgdir/etc/iptables" "$pkgdir"/usr/share/iptables/{empty,simple_firewall}.rules
+}
+
+# vim:set sw=2 et:
\ No newline at end of file
diff --git a/arptables.service b/arptables.service
new file mode 100644
index 000000000000..0e78e81d048e
--- /dev/null
+++ b/arptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=ARP table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'arptables-restore < /etc/arptables.conf'
+ExecReload=/bin/sh -c 'arptables-restore < /etc/arptables.conf'
+ExecStop=/bin/sh -c 'arptables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ebtables.service b/ebtables.service
new file mode 100644
index 000000000000..795675b28ec9
--- /dev/null
+++ b/ebtables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Ethernet bridge table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'ebtables-restore < /etc/ebtables.conf'
+ExecReload=/bin/sh -c 'ebtables-restore < /etc/ebtables.conf'
+ExecStop=/bin/sh -c 'ebtables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/empty-filter.rules b/empty-filter.rules
new file mode 100644
index 000000000000..5a4de4876250
--- /dev/null
+++ b/empty-filter.rules
@@ -0,0 +1,6 @@
+# Empty iptables filter table rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/empty-mangle.rules b/empty-mangle.rules
new file mode 100644
index 000000000000..49d493c4d073
--- /dev/null
+++ b/empty-mangle.rules
@@ -0,0 +1,8 @@
+# Empty iptables mangle table rules file
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
diff --git a/empty-nat.rules b/empty-nat.rules
new file mode 100644
index 000000000000..437e96411ff6
--- /dev/null
+++ b/empty-nat.rules
@@ -0,0 +1,7 @@
+# Empty iptables nat table rules file
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
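Review bot: The `libipt_FULLCONENAT.c` entry in `source=()` fetches from the `master` branch of a third-party repository while its matching `sha1sums` entry is `'SKIP'`, so the one piece of code compiled into the iptables extension set that is not covered by the upstream PGP signature is neither pinned nor integrity-checked, and any later change to that branch silently changes what this package builds. Pin the URL to a fixed revision and record the digest of that exact file, e.g. `"libipt_FULLCONENAT.c::https://raw.githubusercontent.com/Chion82/netfilter-full-cone-nat/<PINNED-COMMIT>/libipt_FULLCONENAT.c"` with the trailing `'SKIP'` replaced by `'<digest-of-pinned-file>'`, then regenerate .SRCINFO so its two mirrored entries agree. Secondary to that, makepkg accepts `sha256sums=()` in place of `sha1sums=()`, which would be the better choice for a new PKGBUILD.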
diff --git a/empty-raw.rules b/empty-raw.rules
new file mode 100644
index 000000000000..8dc50d23ee4e
--- /dev/null
+++ b/empty-raw.rules
@@ -0,0 +1,5 @@
+# Empty iptables raw table rules file
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/empty-security.rules b/empty-security.rules
new file mode 100644
index 000000000000..4531fa13fbef
--- /dev/null
+++ b/empty-security.rules
@@ -0,0 +1,6 @@
+# Empty iptables security table rules file
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/empty.rules b/empty.rules
new file mode 100644
index 000000000000..e24e1aa30f7f
--- /dev/null
+++ b/empty.rules
@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/ip6tables.service b/ip6tables.service
new file mode 100644
index 000000000000..9dca615825ac
--- /dev/null
+++ b/ip6tables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+After=iptables.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush 6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/iptables-fullconenat.install b/iptables-fullconenat.install
new file mode 100644
index 000000000000..59754dc39862
--- /dev/null
+++ b/iptables-fullconenat.install
@@ -0,0 +1,9 @@
+post_install(){
+ echo "Assuming eth0 is WAN interface:"
+ echo -e "\tiptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE"
+ echo -e "\tiptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT #automatically restore NAT for inbound packets"
+}
+
+post_upgrade() {
+ post_install
+}
diff --git a/iptables-legacy-flush b/iptables-legacy-flush
new file mode 100644
index 000000000000..3d8ee893f611
--- /dev/null
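Review bot: `post_install` relies on `echo -e` to render the leading tab in its two example lines, which is a bash-specific behaviour and the kind of thing ShellCheck flags; `printf` expresses the same output without depending on echo's option handling, e.g. `printf '\t%s\n' 'iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE'` and the same shape for the PREROUTING line. A one-line comment above the function, such as `# Advisory text shown by pacman after install; eth0 is only an example`, would make clear that nothing here is applied to the running system.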
+++ b/iptables-legacy-flush
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+ echo "error: invalid argument"
+ exit 1
+fi
+
+while read -r table; do
+ tables+=("/usr/share/iptables/empty-$table.rules")
+done <"/proc/net/ip$1_tables_names"
+
+if (( ${#tables[*]} )); then
+ cat "${tables[@]}" | "$iptables-restore"
+fi
diff --git a/iptables-nft-flush b/iptables-nft-flush
new file mode 100644
index 000000000000..5038d329ac96
--- /dev/null
+++ b/iptables-nft-flush
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+ echo "error: invalid argument"
+ exit 1
+fi
+
+while read -r table; do
+ tables+=("/usr/share/iptables/empty-$table.rules")
+done < <(nft list tables | sed -n "s/table ip$1 //p")
+
+if (( ${#tables[*]} )); then
+ cat "${tables[@]}" | "$iptables-restore"
+fi
diff --git a/iptables.service b/iptables.service
new file mode 100644
index 000000000000..8a7a142d3a32
--- /dev/null
+++ b/iptables.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/simple_firewall.rules b/simple_firewall.rules
new file mode 100644
index 000000000000..63426b083dc1
--- /dev/null
+++ b/simple_firewall.rules
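Review bot: Both flush scripts (iptables-legacy-flush here and iptables-nft-flush in the next hunk) splice `$1` into a command name, a `/proc` path and, in the nft variant, a `sed` expression, with only `type -p "ip$1tables"` standing in for validation; that check does constrain `$1` to whatever makes an existing executable name, but the documented contract is just "" or `6`, so state it directly before the value is used anywhere: `case $1 in ''|6) ;; *) echo "error: invalid argument '$1'" >&2; exit 1 ;; esac`. Writing the error to stderr with the offending argument also makes a failed `ExecStop` easier to diagnose from the journal. Separately, `cat "${tables[@]}" | "$iptables-restore"` reports a missing rules file only through cat's own message while the script's exit status is that of the restore, so a `set -o pipefail` near the top would let that failure surface; the same applies to the nft variant.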
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT