From 7c256c27990ffc1201aeba5ca57f1882fa1102cd Mon Sep 17 00:00:00 2001
From: fdupoux
Date: Sun, 29 Dec 2019 20:39:32 +0000
Subject: [PATCH] Enabled iptables/ip6tables by default
---
 ChangeLog | 2 ++
 airootfs/etc/iptables/ip6tables.rules | 8 ++++++++
 airootfs/etc/iptables/iptables.rules | 8 ++++++++
 airootfs/etc/systemd/scripts/sysresccd-initialize | 9 +++++++++
 airootfs/root/customize_airootfs.sh | 2 ++
 5 files changed, 29 insertions(+)
 create mode 100644 airootfs/etc/iptables/ip6tables.rules
 create mode 100644 airootfs/etc/iptables/iptables.rules
diff --git a/ChangeLog b/ChangeLog
index b39f9ae..7ae4eb7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,8 @@ SystemRescueCd ChangeLog
 * Updated XFCE graphical environment to version 4.14
 * Updated parted to 3.3 and gparted to 1.0.0
 * Updated Grub boot loader to version 2.04
+* Enabled the iptables service to block incoming traffic by default
+* Added boot option "nofirewall" to disable the iptable service
 -------------------------------------------------------------------------------
 6.0.3 (2019-04-14):
diff --git a/airootfs/etc/iptables/ip6tables.rules b/airootfs/etc/iptables/ip6tables.rules
new file mode 100644
index 0000000..eb365b7
--- /dev/null
+++ b/airootfs/etc/iptables/ip6tables.rules
@@ -0,0 +1,8 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
+COMMIT
diff --git a/airootfs/etc/iptables/iptables.rules b/airootfs/etc/iptables/iptables.rules
new file mode 100644
index 0000000..d26940e
--- /dev/null
+++ b/airootfs/etc/iptables/iptables.rules
@@ -0,0 +1,8 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+COMMIT
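Review bot: The new ip6tables INPUT chain accepts only conntrack RELATED/ESTABLISHED, loopback and echo-request (type 128), so inbound Neighbor Discovery — Neighbor Solicitation/Advertisement (types 135/136) and Router Advertisement (134) — falls through to the DROP policy; conntrack does not track these ICMPv6 types, so the RELATED,ESTABLISHED rule never covers them. In practice neighbors cannot resolve this host's link-layer address and it receives no RA for SLAAC, so IPv6 on the rescue system is effectively disabled rather than merely filtered. Add, before `COMMIT`, `-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -s fe80::/10 -j ACCEPT`, `-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT` and `-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT` (ICMPv6 error messages such as Packet Too Big are already matched as RELATED). DHCPv6 replies are likely to hit the same policy, which is worth verifying on a network that relies on it.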
diff --git a/airootfs/etc/systemd/scripts/sysresccd-initialize b/airootfs/etc/systemd/scripts/sysresccd-initialize
index 671f150..ba910cd 100755
--- a/airootfs/etc/systemd/scripts/sysresccd-initialize
+++ b/airootfs/etc/systemd/scripts/sysresccd-initialize
@@ -40,6 +40,15 @@ do
 errcnt=$((errcnt + 1))
 fi
 ;;
+
+ # Option to allow user to disable the firewall
+ nofirewall)
+ echo "Found option 'nofirewall' on the boot command line"
+ systemctl disable iptables.service
+ systemctl disable ip6tables.service
+ systemctl stop iptables.service
+ systemctl stop ip6tables.service
+ ;;
 esac
 done
diff --git a/airootfs/root/customize_airootfs.sh b/airootfs/root/customize_airootfs.sh
index 49af92d..c19a872 100755
--- a/airootfs/root/customize_airootfs.sh
+++ b/airootfs/root/customize_airootfs.sh
@@ -31,6 +31,8 @@ sed -i 's/#\(HandleLidSwitch=\)suspend/\1ignore/' /etc/systemd/logind.conf
 # Services
 systemctl enable NetworkManager
+systemctl enable iptables.service
+systemctl enable ip6tables.service
 systemctl enable pacman-init.service
 systemctl enable choose-mirror.service
 systemctl enable sshd.service
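Review bot: The four `systemctl` calls in the new `nofirewall)` arm ignore their exit status, whereas the arm just above records a failure via `errcnt=$((errcnt + 1))`; if a stop fails, the option is logged as found while the DROP policy stays in effect. Collapse them into one checked call: `systemctl disable --now iptables.service ip6tables.service || errcnt=$((errcnt + 1))` — `--now` is what stops a unit that has already started, `disable` alone only affects later boots. Whether stopping really opens the host depends on the unit's ExecStop flushing the tables and resetting the policies to ACCEPT; the unit files are not part of this diff, so if they only load rules the arm also needs an explicit `iptables -P INPUT ACCEPT; iptables -F` (and the ip6tables equivalent). The enclosing `while`/`case` starts outside the hunk.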
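Review bot: `systemctl enable sshd.service` three lines below the new enable lines is now paired with rule files whose INPUT policy is DROP with no ACCEPT for tcp/22, so the enabled sshd is reachable only when the system is booted with the new `nofirewall` option, and nothing in this script records that dependency. If that is the intent, add above the two new lines `# Default iptables/ip6tables rules drop all new inbound connections (including ssh) unless booted with 'nofirewall'`; if ssh is meant to stay reachable by default, the rules files need `-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT` instead.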