# Example systemd unit file. Some assembly required.

[Unit]
Description=dnschain
# Start ordering: only network.target is waited for.
After=network.target
# Wants= pulls namecoin.service in, but it is a weak dependency and sets no
# ordering: dnschain can be started before namecoin, and still starts if
# namecoin fails to come up.
# NOTE(review): if dnschain needs namecoin to be running at start, an
# After=namecoin.service entry (and possibly Requires=) is needed - confirm.
Wants=namecoin.service

[Service]
# Main daemon process.
ExecStart=/usr/bin/dnschain
Environment=DNSCHAIN_SYSD_VER=0.0.1
# User=/Group= then apply to ExecStart= only; the ExecStartPre=/ExecStopPost=
# helpers below run with full privileges, which sysctl and iptables need.
# NOTE(review): newer systemd documents a "+" prefix on individual Exec lines
# as the replacement for this setting - confirm against the target version.
PermissionsStartOnly=true
# NOTE(review): the helpers below are named without an absolute path. Older
# systemd releases reject that and refuse to load the unit; newer ones resolve
# the name through a fixed search path. Absolute paths avoid the load failure
# and remove any doubt about which binary is run with full privileges.
#
# Turns on IPv4 forwarding for the whole host; nothing in this unit turns it
# off again on stop.
# NOTE(review): REDIRECT delivers to a local socket, so forwarding looks
# unnecessary for this setup and leaves the host routing between its
# interfaces - confirm, and drop the line if it is not needed.
ExecStartPre=sysctl -w net.ipv4.ip_forward=1
# Accept UDP 5333 (presumably the port dnschain listens on - verify), then
# redirect inbound UDP 53 to it.
# Scope: IPv4 and UDP only. DNS over TCP and IPv6 queries to port 53 are not
# redirected. -A appends, so an earlier DROP/REJECT rule in INPUT still wins,
# and the ACCEPT rule has no source or interface match, so 5333 is reachable
# from any network the host is on.
ExecStartPre=iptables -A INPUT -p udp --dport 5333 -j ACCEPT
ExecStartPre=iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5333
# Delete the same two rules once the service has stopped; ExecStopPost= also
# runs after a failed start or a crash, so the rules do not pile up across the
# automatic restarts configured below.
ExecStopPost=iptables -D INPUT -p udp --dport 5333 -j ACCEPT
ExecStopPost=iptables -t nat -D PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5333
# NOTE(review): the network-facing daemon itself runs as root, although the
# 53 -> 5333 redirect and PermissionsStartOnly= appear to exist so that it
# would not have to. Running it under a dedicated unprivileged account
# (placeholder: <dnschain-user>) limits what a compromise of the DNS process
# can reach; WorkingDirectory= must then point at a directory that account
# can enter.
User=root
Group=root
# Restart the daemon however it exited, after a 5 second pause.
Restart=always
RestartSec=5
WorkingDirectory=/root/
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# The daemon and its children cannot gain privileges through setuid binaries
# or file capabilities.
NoNewPrivileges=true
# /etc is read-only for the service. With User=root the rest of the file
# system stays writable.
# NOTE(review): ReadOnlyDirectories= is the older spelling of ReadOnlyPaths=.
ReadOnlyDirectories=/etc

# Unfortunately, capabilities are basically worthless because they're designed to restrict root daemons. Instead, we use iptables to listen on privileged ports.
# Capabilities=cap_net_bind_service+pei
# SecureBits=keep-caps
# NOTE(review): the Capabilities= setting above has been dropped from newer
# systemd - verify before re-enabling it. With a non-root User=,
# AmbientCapabilities=CAP_NET_BIND_SERVICE together with a matching
# CapabilityBoundingSet= lets the daemon bind port 53 directly, which would
# make both the iptables redirect and the root account unnecessary - confirm
# that the target systemd version supports it.

[Install]
# "systemctl enable" hooks the unit into multi-user.target, so it starts on
# every normal boot.
WantedBy=multi-user.target