From e122eb006fe50d2b51f459a1d2c5bca1855c524c Mon Sep 17 00:00:00 2001
From: Martyn Welch <martyn.welch@collabora.com>
Date: Fri, 29 Mar 2019 16:02:21 +0000
Subject: [PATCH] Add iptables-persistent and Apertis iptables rules

In previous versions of Apertis we were using a modified iptables package containing custom scripting/systemd unit to load iptables rules at boot. Debian contains the iptables-persistent package which performs this task. Use this instead of adding the custom scripts to the new version. Add the custom rules to an overlay so we don't need to modify the package.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>
---
 apertis-ospack-basesdk.yaml | 4 +++
 apertis-ospack-devroot.yaml | 4 +++
 apertis-ospack-sdk.yaml | 4 +++
 apertis-ospack-target.yaml | 4 +++
 overlays/iptables-rules/etc/iptables/rules.v4 | 31 +++++++++++++++++++
 overlays/iptables-rules/etc/iptables/rules.v6 | 16 ++++++++++
 6 files changed, 63 insertions(+)
 create mode 100644 overlays/iptables-rules/etc/iptables/rules.v4
 create mode 100644 overlays/iptables-rules/etc/iptables/rules.v6

diff --git a/apertis-ospack-basesdk.yaml b/apertis-ospack-basesdk.yaml
index b857bc8e..5d279d78 100644
--- a/apertis-ospack-basesdk.yaml
+++ b/apertis-ospack-basesdk.yaml
@@ -107,6 +107,7 @@ actions:
 - initramfs-tools
 - iproute2
 - iptables
+ - iptables-persistent
 - kmod
 - libgupnp-1.0-4
 - liblockfile-bin
@@ -470,6 +471,9 @@ actions:
 - action: overlay
 source: overlays/loopback-interface
+ - action: overlay
+ source: overlays/iptables-rules
+
 - action: overlay
 source: overlays/media-tmpfs
diff --git a/apertis-ospack-devroot.yaml b/apertis-ospack-devroot.yaml
index a18682e5..a61e0d76 100644
--- a/apertis-ospack-devroot.yaml
+++ b/apertis-ospack-devroot.yaml
@@ -136,6 +136,7 @@ actions:
 - initramfs-tools
 - iproute2
 - iptables
+ - iptables-persistent
 - kmod
 - libgupnp-1.0-4
 - liblockfile-bin
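Review bot: The `overlays/iptables-rules` overlay added at `@@ -470,6 +471,9 @@` is the same one wired into the devroot, sdk and target ospacks in the later hunks, so the target image receives a rule set whose rules.v4 labels the ssh opening `for development`; there is no per-image variation point in this layout. If the target is meant to carry a tighter policy than the SDK images, a separate overlay selected only from `apertis-ospack-target.yaml` would be the natural place for it, otherwise a comment in each ospack noting that the rules are intentionally shared across all variants would save the next reader the same question. The package addition at `@@ -107,6 +107,7 @@` looks fine on its own; a comment such as `# loads the rules shipped by overlays/iptables-rules at boot` next to `iptables-persistent` would tie the package to the overlay it depends on.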
@@ -366,6 +367,9 @@ actions:
 - action: overlay
 source: overlays/loopback-interface
+ - action: overlay
+ source: overlays/iptables-rules
+
 - action: overlay
 source: overlays/media-tmpfs
diff --git a/apertis-ospack-sdk.yaml b/apertis-ospack-sdk.yaml
index 6d209636..115b9319 100644
--- a/apertis-ospack-sdk.yaml
+++ b/apertis-ospack-sdk.yaml
@@ -130,6 +130,7 @@ actions:
 - initramfs-tools
 - iproute2
 - iptables
+ - iptables-persistent
 - kmod
 - libgupnp-1.0-4
 - liblockfile-bin
@@ -659,6 +660,9 @@ actions:
 - action: overlay
 source: overlays/loopback-interface
+ - action: overlay
+ source: overlays/iptables-rules
+
 - action: overlay
 source: overlays/media-tmpfs
diff --git a/apertis-ospack-target.yaml b/apertis-ospack-target.yaml
index 1e59b398..7096dd08 100644
--- a/apertis-ospack-target.yaml
+++ b/apertis-ospack-target.yaml
@@ -137,6 +137,7 @@ actions:
 - initramfs-tools
 - iproute2
 - iptables
+ - iptables-persistent
 - kmod
 - libgupnp-1.0-4
 - liblockfile-bin
@@ -209,6 +210,9 @@ actions:
 - action: overlay
 source: overlays/loopback-interface
+ - action: overlay
+ source: overlays/iptables-rules
+
 - action: overlay
 source: overlays/media-tmpfs
diff --git a/overlays/iptables-rules/etc/iptables/rules.v4 b/overlays/iptables-rules/etc/iptables/rules.v4
new file mode 100644
index 00000000..5d5cd928
--- /dev/null
+++ b/overlays/iptables-rules/etc/iptables/rules.v4
@@ -0,0 +1,31 @@
+# sample configuration for iptables service
+# you can edit this manually
+# inspired from Fedora's packaging of iptables on:
+# git://pkgs.fedoraproject.org/iptables.git
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i gpic0 -j ACCEPT
+# Accept http
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+# Accept ssh for development
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+# Accept mDNS and UPnP (Avahi)
+-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
+-A INPUT -p udp -m udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+# Accept dhcp/dns and forwarding on the tether interface
+-A INPUT -p udp --dport 67 -i tether -j ACCEPT
+-A INPUT -p udp --dport 53 -i tether -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
+
+-A FORWARD -i tether -j ACCEPT
+-A FORWARD -o tether -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/overlays/iptables-rules/etc/iptables/rules.v6 b/overlays/iptables-rules/etc/iptables/rules.v6
new file mode 100644
index 00000000..9e1f579d
--- /dev/null
+++ b/overlays/iptables-rules/etc/iptables/rules.v6
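Review bot: The line `-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT` opens port 1234 to any source without a comment naming the service, and it sits under the `# Accept dhcp/dns and forwarding on the tether interface` heading although, unlike the two rules above it, it carries no `-i tether` restriction; `-A INPUT -i gpic0 -j ACCEPT` likewise accepts everything on that interface with no explanation. Give each its own comment, e.g. `# Accept <SERVICE-NAME> (placeholder: state the service and whether it is development-only)` above the 1234 rule, and move that rule out of the tether group so the heading stays accurate. The four header lines copied from the Fedora sample (`# sample configuration for iptables service`, `# you can edit this manually`) are now misleading because the file is shipped by an image overlay and loaded by iptables-persistent; replacing them with `# Apertis default filter rules, shipped by overlays/iptables-rules and loaded by iptables-persistent` would describe what the file actually is. As a point of style, `-m state --state` is the legacy spelling of `-m conntrack --ctstate` and the newer form could be used throughout.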
@@ -0,0 +1,16 @@
+# sample configuration for ip6tables service
+# you can edit this manually
+# inspired from Fedora's packaging of iptables on:
+# git://pkgs.fedoraproject.org/iptables.git
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
--
GitLab
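Review bot: rules.v6 accepts http (80) and port 1234 but carries none of the ssh, mDNS/UPnP, gpic0 or tether rules that rules.v4 in the previous hunk accepts, so the two address families end up with different policies: ssh is reachable over IPv4 but rejected over IPv6, while port 1234 is open on both. Nothing in the commit says this asymmetry is intended, so either add the matching line `-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT` (and decide the same for the other v4-only openings) or add a comment above the port rules stating that IPv6 exposure is deliberately limited to http and 1234. The unrestricted `-A INPUT -p ipv6-icmp -j ACCEPT` is presumably kept wide because IPv6 neighbour discovery relies on ICMPv6; a one-line comment saying so would stop a later reviewer from tightening it by analogy with the v4 `-p icmp` rule. The `# sample configuration for ip6tables service` / `# you can edit this manually` header is the same stale Fedora boilerplate as in rules.v4 and should be replaced the same way.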