Add iptables-persistent and Apertis iptables rules

In previous versions of Apertis we were using a modified iptables package
containing custom scripting/systemd unit to load iptables rules at boot.
Debian contains the iptables-persistent package which performs this task.

Use this instead of adding the custom scripts to the new version. Add the
custom rules to an overlay so we don't need to modify the package.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

apertis-ospack-basesdk.yaml

@@ -107,6 +107,7 @@ actions:
       - initramfs-tools
       - iproute2
       - iptables
+      - iptables-persistent
       - kmod
       - libgupnp-1.0-4
       - liblockfile-bin
@@ -470,6 +471,9 @@ actions:
   - action: overlay
     source: overlays/loopback-interface
 
+  - action: overlay
+    source: overlays/iptables-rules
+
   - action: overlay
     source: overlays/media-tmpfs
 

apertis-ospack-devroot.yaml

@@ -136,6 +136,7 @@ actions:
       - initramfs-tools
       - iproute2
       - iptables
+      - iptables-persistent
       - kmod
       - libgupnp-1.0-4
       - liblockfile-bin
@@ -366,6 +367,9 @@ actions:
   - action: overlay
     source: overlays/loopback-interface
 
+  - action: overlay
+    source: overlays/iptables-rules
+
   - action: overlay
     source: overlays/media-tmpfs
 

apertis-ospack-sdk.yaml

@@ -130,6 +130,7 @@ actions:
       - initramfs-tools
       - iproute2
       - iptables
+      - iptables-persistent
       - kmod
       - libgupnp-1.0-4
       - liblockfile-bin
@@ -659,6 +660,9 @@ actions:
   - action: overlay
     source: overlays/loopback-interface
 
+  - action: overlay
+    source: overlays/iptables-rules
+
   - action: overlay
     source: overlays/media-tmpfs
 

apertis-ospack-target.yaml

@@ -137,6 +137,7 @@ actions:
       - initramfs-tools
       - iproute2
       - iptables
+      - iptables-persistent
       - kmod
       - libgupnp-1.0-4
       - liblockfile-bin
@@ -209,6 +210,9 @@ actions:
   - action: overlay
     source: overlays/loopback-interface
 
+  - action: overlay
+    source: overlays/iptables-rules
+
   - action: overlay
     source: overlays/media-tmpfs
 

overlays/iptables-rules/etc/iptables/rules.v4

+# sample configuration for iptables service
+# you can edit this manually
+# inspired from Fedora's packaging of iptables on:
+# git://pkgs.fedoraproject.org/iptables.git
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i gpic0 -j ACCEPT
+# Accept http
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+# Accept ssh for development
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+# Accept mDNS and UPnP (Avahi)
+-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
+-A INPUT -p udp -m udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+# Accept dhcp/dns and forwarding on the tether interface
+-A INPUT -p udp --dport 67 -i tether -j ACCEPT
+-A INPUT -p udp --dport 53 -i tether -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
+
+-A FORWARD -i tether -j ACCEPT
+-A FORWARD -o tether -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT

overlays/iptables-rules/etc/iptables/rules.v6

+# sample configuration for ip6tables service
+# you can edit this manually
+# inspired from Fedora's packaging of iptables on:
+# git://pkgs.fedoraproject.org/iptables.git
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT