author | Filip Pytloun <filip@pytloun.cz> | 2016-03-09 11:09:41 +0100 |
---|---|---|
committer | Filip Pytloun <filip@pytloun.cz> | 2016-03-11 09:50:51 +0100 |
commit | ea1f8911cd69216027df5f9d727f47a1b67ef29b (patch) | |
tree | a1f2590c4b1be985b4a276ac291e0dfc9ad78484 /bootstrap.d/21-firewall.sh | |
parent | 27d947162017091ac25267c7f235c97d5c685dd2 (diff) | |
download | rpi2-gen-image-ea1f8911cd69216027df5f9d727f47a1b67ef29b.tar.gz rpi2-gen-image-ea1f8911cd69216027df5f9d727f47a1b67ef29b.tar.bz2 rpi2-gen-image-ea1f8911cd69216027df5f9d727f47a1b67ef29b.zip |
Refactor: split bootstrap actions and allow custom
Diffstat (limited to 'bootstrap.d/21-firewall.sh')
-rw-r--r-- | bootstrap.d/21-firewall.sh | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh
new file mode 100644
index 0000000..5563d06
--- /dev/null
+++ b/bootstrap.d/21-firewall.sh
@@ -0,0 +1,43 @@
+#
+# Enable firewall based on iptables started by systemd service
+#
+
+. ./functions.sh
+
+if [ "$ENABLE_IPTABLES" = true ] ; then
+ # Create iptables configuration directory
+ mkdir -p "$R/etc/iptables"
+
+ # Create iptables systemd service
+ install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
+
+ # Create flush-table script called by iptables service
+ install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
+
+ # Create iptables rule file
+ install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
+
+ # Reload systemd configuration and enable iptables service
+ chroot_exec systemctl daemon-reload
+ chroot_exec systemctl enable iptables.service
+
+ if [ "$ENABLE_IPV6" = true ] ; then
+ # Create ip6tables systemd service
+ install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
+
+ # Create ip6tables file
+ install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
+
+ install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
+
+ # Reload systemd configuration and enable iptables service
+ chroot_exec systemctl daemon-reload
+ chroot_exec systemctl enable ip6tables.service
+ fi
+fi
+
+# Remove SSHD related iptables rules
+if [ "$ENABLE_SSHD" = false ] ; then
+ sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
+ sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
+fi
|
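Review bot: Every `install` destination and both `sed -i` targets expand `$R` unquoted, while the `mkdir -p "$R/etc/iptables"` line just above quotes it; a chroot path containing whitespace or glob characters would word-split the destination and the rule files would land outside the image (or the flush script with mode 755 somewhere unintended), so each should be written like `install -o root -g root -m 644 files/iptables/iptables.service "$R/etc/systemd/system/iptables.service"`. The `2> /dev/null` on the two `sed` lines hides every failure, not just the expected missing-file case when `ENABLE_IPTABLES` is unset, so a rules file that is present but left with its SSH rules active would go unnoticed; guarding on the file instead, `[ -f "$R/etc/iptables/iptables.rules" ] && sed -e '/^#/! {/SSH/ s/^/# /}' -i "$R/etc/iptables/iptables.rules"`, keeps real errors visible. In the `ENABLE_IPV6` branch the comments were copied from the IPv4 block: `# Create ip6tables file` sits above the flush-script install, the `ip6tables.rules` install has no comment, and `# Reload systemd configuration and enable iptables service` should name ip6tables. The second `systemctl daemon-reload` in that branch is redundant with the one already run for iptables and could be dropped.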