diff options
Diffstat (limited to 'bootstrap.d/21-firewall.sh')
-rw-r--r-- | bootstrap.d/21-firewall.sh | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh new file mode 100644 index 0000000..5563d06 --- /dev/null +++ b/bootstrap.d/21-firewall.sh @@ -0,0 +1,43 @@ +# +# Enable firewall based on iptables started by systemd service +# + +. ./functions.sh + +if [ "$ENABLE_IPTABLES" = true ] ; then + # Create iptables configuration directory + mkdir -p "$R/etc/iptables" + + # Create iptables systemd service + install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service + + # Create flush-table script called by iptables service + install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh + + # Create iptables rule file + install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules + + # Reload systemd configuration and enable iptables service + chroot_exec systemctl daemon-reload + chroot_exec systemctl enable iptables.service + + if [ "$ENABLE_IPV6" = true ] ; then + # Create ip6tables systemd service + install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service + + # Create ip6tables file + install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh + + install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules + + # Reload systemd configuration and enable iptables service + chroot_exec systemctl daemon-reload + chroot_exec systemctl enable ip6tables.service + fi +fi + +# Remove SSHD related iptables rules +if [ "$ENABLE_SSHD" = false ] ; then + sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null + sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null +fi |