Add iptables-persistent and Apertis iptables rules

In previous versions of Apertis we were using a modified iptables package containing custom scripting/systemd unit to load iptables rules at boot. Debian contains the iptables-persistent package which performs this task.

Use this instead of adding the custom scripts to the new version. Add the custom rules to an overlay so we don't need to modify the package.

Signed-off-by: Martyn Welch martyn.welch@collabora.com

overlays/iptables-rules/etc/iptables/rules.v4

+# sample configuration for iptables service
+# you can edit this manually
+# inspired from Fedora's packaging of iptables on:
+# git://pkgs.fedoraproject.org/iptables.git
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i gpic0 -j ACCEPT
+# Accept http
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+# Accept ssh for development
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+# Accept mDNS and UPnP (Avahi)
+-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
+-A INPUT -p udp -m udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+# Accept dhcp/dns and forwarding on the tether interface
+-A INPUT -p udp --dport 67 -i tether -j ACCEPT
+-A INPUT -p udp --dport 53 -i tether -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
+
+-A FORWARD -i tether -j ACCEPT
+-A FORWARD -o tether -j ACCEPT
+
+# Reject everything else
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT