From d9cb9b41c426d0a1fee01b4d98c279ad082e9bf2 Mon Sep 17 00:00:00 2001
From: Steffen Vogel
Date: Sun, 17 May 2015 19:25:39 +0200
Subject: [PATCH] added iptables scripts and moved setup script out of s2ss source code
---
 contrib/liveusb/etc/image/setup.sh | 1 +
 contrib/liveusb/etc/sysconfig/ip6tables | 31 +++++++++++++++++
 contrib/liveusb/etc/sysconfig/iptables | 34 +++++++++++++++++++
 contrib/liveusb/etc/sysconfig/network | 1 +
 .../liveusb/etc/systemd/system/setup.service | 2 +-
 5 files changed, 68 insertions(+), 1 deletion(-)
 create mode 120000 contrib/liveusb/etc/image/setup.sh
 create mode 100644 contrib/liveusb/etc/sysconfig/ip6tables
 create mode 100644 contrib/liveusb/etc/sysconfig/iptables
 create mode 100644 contrib/liveusb/etc/sysconfig/network
diff --git a/contrib/liveusb/etc/image/setup.sh b/contrib/liveusb/etc/image/setup.sh
new file mode 120000
index 000000000..a645eb309
--- /dev/null
+++ b/contrib/liveusb/etc/image/setup.sh
@@ -0,0 +1 @@
+setup.sh
\ No newline at end of file
diff --git a/contrib/liveusb/etc/sysconfig/ip6tables b/contrib/liveusb/etc/sysconfig/ip6tables
new file mode 100644
index 000000000..13f6e5ed7
--- /dev/null
+++ b/contrib/liveusb/etc/sysconfig/ip6tables
@@ -0,0 +1,31 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+
+# Allow loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# Allow established connections, and those not coming from the outside
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow HTTP
+-A INPUT -p tcp --dport http -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow SSH
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow Tinc
+-A INPUT -p udp --dport tinc -j ACCEPT
+-A INPUT -p tcp --dport tinc -j ACCEPT
+
+# Accept Pings
+-A INPUT -p icmpv6 -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT
+
+# We wont act as a router
+-A FORWARD -j REJECT
+
+COMMIT
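Review bot: The new symlink `contrib/liveusb/etc/image/setup.sh` has the target `setup.sh`, which is resolved relative to the link's own directory and therefore points back at itself; the `ExecStart=/etc/image/setup.sh` that setup.service now uses would fail with "too many levels of symbolic links" unless the image build replaces the link with a real file. If the intent is to reference the script the old ExecStart path pointed at (`contrib/liveusb/setup.sh`), the relative target should be `../../setup.sh`, and that relative path must also hold inside the built image where the directory becomes `/etc/image`. Either way, the commit message's "moved setup script" suggests the script itself should have been part of this change, and it is not visible here.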
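Review bot: Every service port in this ruleset is given by name (`--dport http`, `--dport ssh`, `--dport tinc`), and ip6tables-restore resolves those through /etc/services; if any entry is missing on the target image (tinc is the one least reliably present), the whole restore fails, nothing is applied, and the host comes up with the kernel default ACCEPT policy and no filtering at all. Numeric ports (`--dport 80`, `--dport 22`, `--dport 655`) remove that dependency; the same applies to the iptables hunk. Separately, the chain policies are `:INPUT ACCEPT` / `:FORWARD ACCEPT` and the closing is done by `-A INPUT -j REJECT` and `-A FORWARD -j REJECT`, so anything that flushes the chains later leaves the host open — `:INPUT DROP` and `:FORWARD DROP` as policies would keep it fail-closed. The `# Accept Pings` comment also understates `-A INPUT -p icmpv6 -j ACCEPT`, which admits every ICMPv6 type; that is actually required on IPv6 for Neighbor Discovery and Router Advertisements, so the comment should say `# Accept all ICMPv6 (needed for NDP/RA; also covers pings)`.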
diff --git a/contrib/liveusb/etc/sysconfig/iptables b/contrib/liveusb/etc/sysconfig/iptables
new file mode 100644
index 000000000..cfdd9d2f3
--- /dev/null
+++ b/contrib/liveusb/etc/sysconfig/iptables
@@ -0,0 +1,34 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+
+# Allow loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# Allow established connections, and those not coming from the outside
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Allow HTTP
+-A INPUT -p tcp --dport http -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow VPN
+-A INPUT -s 10.0.0.0/8 -j ACCEPT
+
+# Allow SSH
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
+
+# Allow Tinc
+-A INPUT -p udp --dport tinc -j ACCEPT
+-A INPUT -p tcp --dport tinc -j ACCEPT
+
+# Accept Pings
+-A INPUT -p icmp -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT
+
+# We wont act as a router
+-A FORWARD -j REJECT
+
+COMMIT
diff --git a/contrib/liveusb/etc/sysconfig/network b/contrib/liveusb/etc/sysconfig/network
new file mode 100644
index 000000000..61c4a5ad8
--- /dev/null
+++ b/contrib/liveusb/etc/sysconfig/network
@@ -0,0 +1 @@
+NETWORKING=yes
diff --git a/contrib/liveusb/etc/systemd/system/setup.service b/contrib/liveusb/etc/systemd/system/setup.service
index 50206d3cc..be5b1bd10 100644
--- a/contrib/liveusb/etc/systemd/system/setup.service
+++ b/contrib/liveusb/etc/systemd/system/setup.service
@@ -5,7 +5,7 @@ After=dhclient.service [Service] Type=simple -ExecStart=/s2ss/contrib/liveusb/setup.sh +ExecStart=/etc/image/setup.sh RemainAfterExit=yes TimeoutSec=120
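Review bot: `-A INPUT -s 10.0.0.0/8 -j ACCEPT` under `# Allow VPN` accepts every protocol and port from the whole 10/8 range on every interface, not only from the VPN; since this live system takes its address from dhclient on whatever network it is plugged into, a LAN that happens to use 10.x addressing would bypass the HTTP/SSH/tinc restrictions entirely. Bind the rule to the tunnel interface instead, e.g. `-A INPUT -i <vpn-interface> -s 10.0.0.0/8 -j ACCEPT` (placeholder — the interface name comes from the tinc configuration, which is not in this commit), or drop the source-based rule and rely on the per-port rules. The rule is also placed before the SSH rule, so SSH from 10/8 skips the `--ctstate NEW` match that the other services get; harmless on its own, but worth ordering consistently with the ip6tables file, which has no such rule.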