Patchwork [3/5] iptables: add default rules

Submitter Kang Kai
Date June 23, 2014, 2:32 a.m.
Message ID <c33af6b8216db6c04c5a4114d818182a5438ed0e.1403490121.git.kai.kang@windriver.com>
Permalink /patch/74223/
State New

Comments

Kang Kai - June 23, 2014, 2:32 a.m.
Add default rule files for iptable/ip6tables from RHEL 5.8.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../iptables/iptables/ip6tables.rules              | 31 ++++++++++++++++++++++
 .../iptables/iptables/iptables.rules               | 30 +++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.rules
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
Ross Burton - June 23, 2014, 10:42 a.m.
On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
> +# Firewall configuration written by system-config-securitylevel
> +# Manual customization of this file is not recommended.

That's just going to be confusing to anyone who doesn't know that this
file was copied directly from RedHat.

Also, is it sensible to ship a static firewall configuration?  The one
thing we're not is one-size-fits-all.

Ross
Kang Kai - June 24, 2014, 1:38 a.m.
On 2014-06-23 18:42, Burton, Ross wrote:
> On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
>> +# Firewall configuration written by system-config-securitylevel
>> +# Manual customization of this file is not recommended.
> That's just going to be confusing to anyone who doesn't know that this
> file was copied directly from RedHat.

OK, I'll remove them.

>
> Also, is it sensible to ship a static firewall configuration?  The one
> thing we're not is one-size-fits-all.

I just want users to be able to start iptables without any professional work.
And these static firewall rules are common for desktop/server.
Or is an empty rule set better? Anyone who wants to use iptables
writes his/her own rules. But it is a little difficult for people
who are not familiar with iptables.

Any suggestion?

Thanks,
Kai

>
> Ross
>
>
Anders Darander - June 24, 2014, 6:06 a.m.
* Kang Kai <Kai.Kang@windriver.com> [140624 03:40]:

> On 2014-06-23 18:42, Burton, Ross wrote:
> > On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
> > Also, is it sensible to ship a static firewall configuration?  The one
> > thing we're not is one-size-fits-all.

> I just want users to be able to start iptables without any professional work.
> And these static firewall rules are common for desktop/server.
> Or is an empty rule set better?

If these rules are common for a desktop/server, do they make sense here?
Or should a simplified rule set be your example configuration in that
case?

Cheers,
Anders
Kang Kai - June 25, 2014, 6:43 a.m.
On 2014-06-24 14:06, Anders Darander wrote:
> * Kang Kai <Kai.Kang@windriver.com> [140624 03:40]:
>
>> On 2014-06-23 18:42, Burton, Ross wrote:
>>> On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
>>> Also, is it sensible to ship a static firewall configuration?  The one
>>> thing we're not is one-size-fits-all.
>> I just want users to be able to start iptables without any professional work.
>> And these static firewall rules are common for desktop/server.
>> Or is an empty rule set better?
> If these rules are common for a desktop/server, do they make sense here?
> Or should a simplified rule set be your example configuration in that
> case?

I am thinking of putting a configuration file there without any special rule,
one that allows every input and output.
Users could update it with their rules.

Regards,
Kai



>
> Cheers,
> Anders
>
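For comparison with the two options discussed above (the full RHEL rule set versus an empty accept-all file), here is a minimal stateful default in the same iptables-save format as the patch. It is an added example, not part of the patch or of any message in the thread, and the choice of SSH as the only opened service is an assumption made for illustration; each image would add its own per-service lines.

```iptables
# Minimal default rule set (added example, not the patch's file).
# Policy stays ACCEPT so a failed partial load does not lock the box out;
# the terminal REJECT below is what enforces deny-by-default.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FW-INPUT - [0:0]
-A INPUT -j FW-INPUT
# Note: FORWARD is deliberately not sent through FW-INPUT, so opening a
# port for local services does not also open it for routed traffic.
# Loopback is always trusted.
-A FW-INPUT -i lo -j ACCEPT
# Replies to connections this host initiated (and related ICMP errors).
-A FW-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP for echo, path MTU discovery and error reporting.
-A FW-INPUT -p icmp -j ACCEPT
# The only listening service opened by default (assumption: SSH on 22).
# Add one line per additional service the image actually runs.
-A FW-INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
# Everything else is rejected with an explicit error rather than dropped,
# so misconfigurations show up immediately instead of as timeouts.
-A FW-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

The ip6tables counterpart is the same file with `-p icmp` replaced by `-p icmpv6` (neighbour discovery must not be filtered) and the final rule using `--reject-with icmp6-adm-prohibited`, and it needs IPv6 connection tracking in the image kernel for the `-m state` line to work. Whether a rule set like this is loaded at boot or merely installed as a template is a separate decision; either way a reader of the file can see in one screen exactly what is exposed.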

Patch

diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.rules b/meta/recipes-extended/iptables/iptables/ip6tables.rules
new file mode 100644
index 0000000..bdd52ed
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.rules
@@ -0,0 +1,31 @@ 
+# Firewall configuration written by system-config-securitylevel
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 23 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
+-A RH-Firewall-1-INPUT -m udp -p udp --dport 137 -j ACCEPT
+-A RH-Firewall-1-INPUT -m udp -p udp --dport 138 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
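Review bot: the IPv6 file has no connection-tracking rule, so return traffic is admitted by two broad rules instead: `-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT` and `-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT`. Those accept any unsolicited UDP datagram and any non-SYN TCP segment addressed to the whole ephemeral port range over IPv6, which is a much weaker filter than the `-m state --state ESTABLISHED,RELATED` rule the IPv4 counterpart uses for the same purpose. Where the image kernel has IPv6 connection tracking, the same state rule should replace those two lines so both files enforce the same policy; if it cannot be assumed, the difference deserves a comment in the file. The two header lines saying the file was written by system-config-securitylevel and should not be edited by hand are misleading in this tree (as already raised in the thread) and should be replaced by a note that the rules were taken from RHEL 5.8 and are meant to be customised.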
diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000..3d92ee0
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.rules
@@ -0,0 +1,30 @@ 
+# Firewall configuration written by system-config-securitylevel
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
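Review bot: as a default for arbitrary images, this rule set opens far more than it needs to: besides SSH it accepts new connections to telnet (23), FTP (21), SMTP (25), HTTP/HTTPS (80, 443), CUPS (631), NetBIOS/SMB (137, 138, 139, 445) and NFS (2049), so any of those services that happens to be installed is reachable on every interface, even though the final `-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited` suggests a deny-by-default posture. Since the thread is already leaning towards a simplified default, consider keeping only the loopback, ICMP and `-m state --state ESTABLISHED,RELATED` accepts plus the SSH rule, with a comment telling users to add one line per service they actually run. Note also that `-A FORWARD -j RH-Firewall-1-INPUT` sends forwarded traffic through the same chain, so every port opened here is opened for routed traffic too, which is rarely intended. If the empty accept-all file proposed later in the thread is chosen instead, the file should say plainly that it provides no filtering, so nobody mistakes its presence for protection.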