From 308215c1e56dc48345ef3a0f739a1eca64384a6f Mon Sep 17 00:00:00 2001
From: Alex Denes
Date: Sat, 28 Nov 2020 15:28:22 +0000
Subject: [PATCH] add rootbld to ignores and add iptables
---
 .gitignore | 1 +
 .../iptables-redxen-openrc/APKBUILD | 29 ++++++++++++++++++
 .../iptables-redxen-openrc/conffile-4 | 14 +++++++++
 .../iptables-redxen-openrc/conffile-6 | 14 +++++++++
 .../iptables-redxen-config/APKBUILD | 23 ++++++++++++++
 .../iptables-redxen-config/rules-v4 | 29 ++++++++++++++++++
 .../iptables-redxen-config/rules-v6 | 30 +++++++++++++++++++
 7 files changed, 140 insertions(+)
 create mode 100644 openrc-configs/iptables-redxen-openrc/APKBUILD
 create mode 100644 openrc-configs/iptables-redxen-openrc/conffile-4
 create mode 100644 openrc-configs/iptables-redxen-openrc/conffile-6
 create mode 100644 software-configs/iptables-redxen-config/APKBUILD
 create mode 100644 software-configs/iptables-redxen-config/rules-v4
 create mode 100644 software-configs/iptables-redxen-config/rules-v6
diff --git a/.gitignore b/.gitignore
index 9149d5f..ac0880e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 src/
 pkg/
+.rootbld-repositories
 secret-packages/
 software-configs/murmur-redxen-config/murmur.ini
 software-configs/transmission-redxen-config/main.json
diff --git a/openrc-configs/iptables-redxen-openrc/APKBUILD b/openrc-configs/iptables-redxen-openrc/APKBUILD
new file mode 100644
index 0000000..aba26f2
--- /dev/null
+++ b/openrc-configs/iptables-redxen-openrc/APKBUILD
@@ -0,0 +1,29 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+pkgname=iptables-redxen-openrc
+pkgver=1
+pkgrel=0
+pkgdesc="IPTables service overrides"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="openrc iptables-redxen-config"
+options="!check"
+source="
+ runfile-$pkgname-$pkgver.$pkgrel.initd::https://git.alpinelinux.org/aports/plain/main/iptables/iptables.initd
+ conffile-4
+ conffile-6
+"
+provides="iptables-openrc ip6tables-openrc"
+builddir="$srcdir"
+
+package() {
+ install -Dm755 "$srcdir"/runfile-iptables-redxen-openrc-"$pkgver"."$pkgrel".initd "$pkgdir"/etc/init.d/iptables
+ (cd "$pkgdir"/etc/init.d && ln -s iptables ip6tables)
+ install -Dm644 conffile-4 "$pkgdir"/etc/conf.d/iptables
+ install -Dm644 conffile-6 "$pkgdir"/etc/conf.d/ip6tables
+}
+
+sha512sums="19cb376bd7a48889daa41ae34d31dfbeac1c277476496e3a1901dc91775c8f596681e0cbccd5c4618158de45da24fcc378a9beb426d79ce26bf46b54599126fe runfile-iptables-redxen-openrc-1.0.initd
+9673f6611a4bfdc27fd4f6759331ce6696d688950c98cc8017ac396e9c26b2036c46108c2ea7f5d631d0dd67f79552e3713b973a752f2c47c8e4178f3d16da9a conffile-4
+02ce6849b1f9723f97bba57682ad3f3aebe9e80ee89cf0f324c69bc753654a8e6693804c4462b848945f0b50752378b4c3b7c4a95c1ce81406b37288968aaa1b conffile-6"
diff --git a/openrc-configs/iptables-redxen-openrc/conffile-4 b/openrc-configs/iptables-redxen-openrc/conffile-4
new file mode 100644
index 0000000..86f4691
--- /dev/null
+++ b/openrc-configs/iptables-redxen-openrc/conffile-4
@@ -0,0 +1,14 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/etc/iptables/rx-rules4"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="no"
+
+# Enable/disable IPv4 forwarding with the rules
+IPFORWARD="no"
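Review bot: The `source` line fetches `iptables.initd` from the unversioned tip of aports (`plain/main/iptables/iptables.initd`), so the checksum in `sha512sums` will break the moment upstream edits that script, and nothing records which aports revision it was taken from. Pin the fetch to a revision, e.g. `runfile-$pkgname-$pkgver.$pkgrel.initd::https://git.alpinelinux.org/aports/plain/main/iptables/iptables.initd?id=<APORTS_COMMIT>`, and note that revision in a comment so the next bump is deliberate rather than forced by a checksum mismatch. The `install -Dm755` line in `package()` hard-codes `runfile-iptables-redxen-openrc-...` while the source entry derives the name from `$pkgname`; `"$srcdir"/runfile-"$pkgname"-"$pkgver"."$pkgrel".initd` keeps the two in step. `provides="iptables-openrc ip6tables-openrc"` appears to reuse names the distribution's own iptables subpackages provide; if this package is meant to win when both are in a repository, state that intent next to the line (with `provider_priority` or `replaces`, whichever applies) rather than leaving it to apk's conflict resolution.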
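Review bot: `SAVE_RESTORE_OPTIONS="-c"` passes `--counters` to the restore, so the packet/byte counters embedded in the packaged `rx-rules4` (this commit ships values such as `[6:359]`, not `[0:0]`) are loaded as the live counters on every start, seeding them with stale numbers from the host the dump came from. With `SAVE_ON_STOP="no"` the counters are never written back, so `-c` buys nothing here; either drop it (`SAVE_RESTORE_OPTIONS=""`) or zero the counters in the rules files. conffile-6 in this same commit has the identical combination. The comment on `IPTABLES_SAVE` describes it only as the save location; if the fetched `iptables.initd` also restores from it on start (not visible in this patch), say so, e.g. `# Rules file restored on start; written here on stop only if SAVE_ON_STOP=yes`.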
diff --git a/openrc-configs/iptables-redxen-openrc/conffile-6 b/openrc-configs/iptables-redxen-openrc/conffile-6
new file mode 100644
index 0000000..91d1133
--- /dev/null
+++ b/openrc-configs/iptables-redxen-openrc/conffile-6
@@ -0,0 +1,14 @@
+# /etc/conf.d/ip6tables
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/etc/iptables/rx-rules6"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="no"
+
+# Enable/disable IPv6 forwarding with the rules
+IPFORWARD="no"
diff --git a/software-configs/iptables-redxen-config/APKBUILD b/software-configs/iptables-redxen-config/APKBUILD
new file mode 100644
index 0000000..4ce199c
--- /dev/null
+++ b/software-configs/iptables-redxen-config/APKBUILD
@@ -0,0 +1,23 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+pkgname=iptables-redxen-config
+pkgver=1
+pkgrel=0
+pkgdesc="IPTables firewall configs"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="iptables ip6tables"
+source="
+ rules-v4
+ rules-v6
+"
+options="!check"
+
+package() {
+ install -Dm644 rules-v4 "$pkgdir"/etc/iptables/rx-rules4
+ install -Dm644 rules-v6 "$pkgdir"/etc/iptables/rx-rules6
+}
+
+sha512sums="102b407af2163bb783f39b5e7dad52fbc17d5b8e00a03514774c4445b3d6ce6024c498cb46d29e74e694156836e6039256b9dde6ae69dc28c7cd3be5211d8548 rules-v4
+549322db21f71334f399a3e5b537f703251beabe45571a008e8f76fae78cc4517ce76e39647a15fc4977df981825599e6df0bae0e9e1d25f25e98c386c2e69cf rules-v6"
diff --git a/software-configs/iptables-redxen-config/rules-v4 b/software-configs/iptables-redxen-config/rules-v4
new file mode 100644
index 0000000..492fa91
--- /dev/null
+++ b/software-configs/iptables-redxen-config/rules-v4
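Review bot: The comment above `SAVE_ON_STOP` still says `# Save state on stopping iptables` in what is the `ip6tables` conf file; the other comments in this hunk were adapted and this one was missed. Change it to `# Save state on stopping ip6tables`. It would also help to record why the variable is named `IP6TABLES_SAVE` rather than `IPTABLES_SAVE` as in the sibling file — presumably the shared init script, installed under both names via the symlink in the openrc APKBUILD, picks the prefix from the service name — e.g. `# Read by /etc/init.d/ip6tables (symlink to the iptables initscript); keep the IP6TABLES_ prefix`.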
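Review bot: Both `install -Dm644` lines make the rulesets world-readable, although their only consumer, `iptables-restore`, runs as root; the files spell out which interface is trusted without restriction and which ports are open, which is information ordinary local accounts do not need. `install -Dm600 rules-v4 "$pkgdir"/etc/iptables/rx-rules4` (and likewise for v6) is sufficient. The destination paths `rx-rules4`/`rx-rules6` must stay identical to `IPTABLES_SAVE`/`IP6TABLES_SAVE` in the `iptables-redxen-openrc` conffiles added in this commit, but nothing in either package says so; a comment above the install lines, `# paths must match IPTABLES_SAVE/IP6TABLES_SAVE in iptables-redxen-openrc`, makes the coupling visible. `options="!check"` sits after `source` here but before it in the other APKBUILD; pick one order.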
@@ -0,0 +1,29 @@
+# Filter
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [6:359]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ens10 -j ACCEPT
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+COMMIT
+
+# Mangle
+*mangle
+:PREROUTING ACCEPT [8948:5925361]
+:INPUT ACCEPT [8943:5924001]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [10902:1431630]
+:POSTROUTING ACCEPT [10965:1438415]
+COMMIT
+
+# Raw
+*raw
+:PREROUTING ACCEPT [8948:5925361]
+:OUTPUT ACCEPT [10902:1431630]
+COMMIT
diff --git a/software-configs/iptables-redxen-config/rules-v6 b/software-configs/iptables-redxen-config/rules-v6
new file mode 100644
index 0000000..0db1596
--- /dev/null
+++ b/software-configs/iptables-redxen-config/rules-v6
@@ -0,0 +1,30 @@
+# Filter
+*filter
+:INPUT DROP [17:2112]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [31:3265]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ens10 -j ACCEPT
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+COMMIT
+
+# Mangle
+*mangle
+:PREROUTING ACCEPT [18:2161]
+:INPUT ACCEPT [18:2161]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [31:3265]
+:POSTROUTING ACCEPT [48:5377]
+-A OUTPUT -j TOS --set-tos 0x10/0xff
+COMMIT
+
+# Raw electrons
+*raw
+:PREROUTING ACCEPT [18:2161]
+:OUTPUT ACCEPT [31:3265]
+COMMIT
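Review bot: `-A INPUT -i ens10 -j ACCEPT` trusts every packet arriving on `ens10` with no source or port restriction, and the interface name is a property of one host while this file is shipped as a package; on any machine where `ens10` is not the private interface, the `:INPUT DROP` policy is bypassed entirely. At minimum document the assumption, `# ens10: private network interface only, never the public NIC`, and preferably bind the rule to the private range as well: `-A INPUT -i ens10 -s <PRIVATE_SUBNET> -j ACCEPT`. rules-v6 carries the same rule. Style: the NEW-not-SYN rule uses `-m state --state NEW` while every neighbouring rule uses `-m conntrack --ctstate`; `-m conntrack --ctstate NEW` keeps the file on one match extension. The chain headers also carry live counters (`[6:359]`, `[8948:5925361]`, ...) that mean nothing in a packaged file; `[0:0]` throughout avoids restoring them, since the conffiles pass `-c`.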
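Review bot: `-A INPUT -p ipv6-icmp -j ACCEPT` admits every ICMPv6 type from any source, which is the one place this ruleset is looser than rules-v4 (echo-request plus RELATED/ESTABLISHED only). IPv6 legitimately needs more ICMP than v4 — neighbour discovery and packet-too-big must get through or the host loses connectivity — but that is a short list of types, not the whole protocol, and the RELATED/ESTABLISHED rule below already covers error messages tied to existing flows. Replace the blanket accept with per-type rules (below); which types are required depends on the host (router-advertisement only if addresses come from SLAAC), so confirm the list before shipping. Two smaller points: the `# Raw electrons` heading reads as a leftover joke next to the otherwise plain `# Filter`/`# Mangle` labels, and the mangle rule `-A OUTPUT -j TOS --set-tos 0x10/0xff` has no v4 counterpart — if it is intentional, a one-line comment saying why keeps the next reader from deleting it for symmetry.
```text
*filter
# … unchanged: chain policies and the INVALID drop …
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
# … unchanged: lo/ens10, tcp-flag, RELATED,ESTABLISHED and port 22 rules …
```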