iptables-cn
~~~~~~~~~~~
-Ovaj paket donosi System V init skriptu za iptables paket, kao i set nekih
-prirucnih primjera za koristenje Netfilter paketa.
+Ovaj paket ovisi o paketu iptables-persistent koji podize vatrozid
+prilikom pokretanja posluzitelja, kao i set nekih prirucnih primjera za
+koristenje Netfilter paketa.
- -- Dinko Korunic <kreator@carnet.hr> Wed, 27 Apr 2011 17:51:45 +0200
+ -- Ivan Rako <Ivan.Rako@CARNet.hr> Thu, 21 Jul 2016 20:49:25 +0200
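Review bot: the new README text names iptables-persistent as the package that brings the firewall up at boot, while the changelog entry below says netfilter-persistent is used and the links file points /etc/init.d/iptables-cn at netfilter-persistent; use one name here. The rewritten paragraph also drops the only user-facing explanation of where rules live: the postinst now writes the running ruleset to /etc/iptables/rules.v4 and deletes /etc/default/iptables-cn, and administrators who relied on the old init script's save/load commands should be told that in this file.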
+iptables-cn (2:1.4.21~cn0) stable; urgency=low
+
+ * izmjene paketa za jessie
+ * koristi se netfilter-persistent
+
+ -- Ivan Rako <Ivan.Rako@CARNet.hr> Thu, 21 Jul 2016 20:42:32 +0200
+
iptables-cn (2:1.4.14) stable; urgency=low
* izmjene paketa za Wheezy
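Review bot: the 2:1.4.21~cn0 entry says "koristi se netfilter-persistent" but debian/control declares the dependency as iptables-persistent; the changelog should match the control file. It also omits the user-visible changes of this upload: the System V init script and /etc/default/iptables-cn are removed, and rules are now saved under /etc/iptables. Administrators reading the changelog before upgrading would want those listed.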
Source: iptables-cn
Section: net
Priority: optional
-Maintainer: Dinko Korunic <kreator@CARNet.hr>
+Maintainer: Ivan Rako <Ivan.Rako@CARNet.hr>
Build-Depends: debhelper (>= 9.20120909)
-Standards-Version: 3.9.4
+Standards-Version: 3.9.6
Package: iptables-cn
Architecture: all
-Depends: iptables (>= 1.4.14-3.1), ${misc:Depends}
+Depends: iptables (>= 1.4.21), iptables-persistent (>=1.0.3+deb8u1), ${misc:Depends}
Conflicts: iptables-cn (<< 2:1.2.11-4)
Description: Linux kernel 2.4+ iptables administration tools
netfilter and iptables provide a Linux kernel framework for
translation, and other IP packet manipulation. The framework is the
successor to ipchains.
.
- This is a basic CARNet Debian customization package which brings
- back old System V init script functionality.
+ This is a basic CARNet Debian customization package.
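Review bot: in the new Depends line the constraint `(>=1.0.3+deb8u1)` lacks the space used in `(>= 1.4.21)`; dpkg accepts both, but keep them consistent. The shortened long description "This is a basic CARNet Debian customization package." no longer says what the package does; mention that it ships example Netfilter rule sets and relies on iptables-persistent to load rules at boot. The untouched context line "framework for translation, and other IP packet manipulation" also reads as truncated and could be fixed while here.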
+++ /dev/null
-# /etc/init.d/iptables-cn defaults file
-
-# INTRODUCTION: First thing first, I must warn you. The iptables
-# init.d setup and iptables tools themselves are VERY much capable
-# of locking you out of network services. This includes remote and
-# local network services, even localhost. You can even block local
-# console logins if authentication is network based. And please do
-# not be lulled into a false sense of security because you simply
-# installed the iptables package. It really does not provide a
-# firewall or any system security.
-#
-# Now for a short question and answer session:
-#
-# Q: You concocted this init.d setup, but you do not like it?
-# A: I was pretty much hounded into providing it. I do not like it.
-# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
-# scripts use /etc/ppp/ip-*.d/ script. Create your own custom
-# init.d script -- no need to even name it iptables. Use ferm,
-# ipmasq, ipmenu, guarddog, firestarter, or one of the many other
-# firewall configuration tools available. Do not use the init.d
-# script.
-#
-# Q: What is this iptables init.d setup all about?
-# A: The iptables init.d setup saves and restores whole iptables's
-# table rulesets. That's basically it. It doesn't create any
-# iptables rules nor provide for running any iptables rules.
-# That also implies no support at all for dynamic rules.
-#
-# Q: How do I get started?
-# A: (Did I mention "do not use it" already? Oh well.)
-# 1. Setup your normal iptables rules -- firewalling, port forwarding
-# NAT, etc. When everything is configured the way you like, run:
-#
-# /etc/init.d/iptables-cn save active
-#
-# 2. Setup your your inactive firewall rules -- this can be something
-# like clear all rules and set all policy defaults to accept (which
-# can be done with /etc/init.d/iptables-cn clear). When that is ready,
-# save the inactive ruleset:
-#
-# /etc/init.d/iptables-cn save inactive
-#
-# 3. Controlling the script itself is done through runlevels configured
-# with debconf for package installation. Run "dpkg-reconfigure iptables"
-# to enable or disable after installation.
-#
-# Q: Is that all?
-# A: Mostly. You can save additional rulesets and restore them by name. As
-# an example:
-#
-# /etc/init.d/iptables-cn save midnight
-# /etc/init.d/iptables-cn load midnight
-#
-#
-# Autosave only works with start followed by stop.
-#
-# Also, take great care with the halt option. It's almost as good as
-# pulling the network cable, except it disrupts localhost too.
-
-# deprecated default values:
-# enable_iptables_initd - use the debconf setup
-# preload_default - probably not necessary for iptables-restore
-# and user modified init.d scripts cannot trusted anyway
-
-# set iptables_command to "iptables" (default) or "ip6tables"
-iptables_command=iptables
-
-# set enable_autosave to "true" to autosave the active ruleset
-# when going from start to stop
-enable_autosave=false
-
-# set enable_save_counters to "true" to save table counters with
-# rulesets
-enable_save_counters=true
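Review bot: removing this defaults file silently discards settings administrators may have relied on, in particular `iptables_command=ip6tables` and `enable_save_counters`. Nothing in this upload picks up IPv6: the postinst only saves `iptables-save` output to /etc/iptables/rules.v4, so a host whose v6 ruleset was managed through this file and the old init script will have no rules.v6 after the upgrade. Consider also writing `ip6tables-save` output to /etc/iptables/rules.v6 in the postinst, or at least warn about it in the README.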
+++ /dev/null
-etc/default
-etc/init.d
-var/lib/iptables
+++ /dev/null
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides: iptables
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Should-Start: $syslog
-# Should-Stop: $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Start or stop the iptables.
-### END INIT INFO
-
-set -e
-
-# Q: How do I get started?
-# A: (Did I mention "do not use it" already? Oh well.)
-# 1. Setup your normal iptables rules -- firewalling, port forwarding
-# NAT, etc. When everything is configured the way you like, run:
-#
-# /etc/init.d/iptables save active
-#
-# 2. Setup your your inactive firewall rules -- this can be something
-# like clear all rules and set all policy defaults to accept (which
-# can be done with /etc/init.d/iptables clear). When that is ready,
-# save the inactive ruleset:
-#
-# /etc/init.d/iptables save inactive
-#
-# 3. Controlling the script itself is done through runlevels configured
-# with debconf for package installation. Run "dpkg-reconfigure iptables"
-# to enable or disable after installation.
-#
-# Q: Is that all?
-# A: Mostly. You can save additional rulesets and restore them by name. As
-# an example:
-#
-# /etc/init.d/iptables save midnight
-# /etc/init.d/iptables load midnight
-#
-#
-# Autosave only works with start followed by stop.
-#
-# Also, take great care with the halt option. It's almost as good as
-# pulling the network cable, except it disrupts localhost too.
-#
-# Also, create the /var/lib/iptables and /var/lib/ip6tables dirs
-# as necessary.
-
-# enable ipv6 support
-enable_ipv6=false
-
-# set enable_autosave to "true" to autosave the active ruleset
-# when going from start to stop
-enable_autosave=false
-
-# set enable_save_counters to "true" to save table counters with
-# rulesets
-enable_save_counters=true
-
-if test -f /etc/default/iptables-cn; then
- . /etc/default/iptables-cn
-fi
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-
-initd="$0"
-default="$0"
-
-initd_abort () {
- cmd=$1
- shift
- echo "Aborting iptables $cmd: $@."
- echo
- usage
- exit 0
-}
-
-initd_have_a_cow_man () {
- for i in $@; do
- if ! command -v "$i" >/dev/null 2>&1; then
- echo "Aborting iptables initd: no $i executable"
- exit 0
- fi
- done
-}
-
-initd_clear () {
- rm -f "$autosave"
- echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy"
- $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
- echo "."
-}
-
-initd_halt () {
- rm -f $autosave
- echo -n "Clearing ${iptables_command} ruleset: default DROP policy"
- $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
- echo "."
-}
-
-initd_load () {
- ruleset="$libdir/$@"
- if ! test -f "$ruleset"; then
- initd_abort load "unknown ruleset, \"$@\""
- fi
- if test "$@" = inactive; then
- initd_autosave
- fi
- rm -f "$autosave"
- echo -n "Loading ${iptables_command} ruleset: load \"$@\""
- $iptables_restore < "$ruleset"
- echo "."
-}
-
-initd_counters () {
- if test "${enable_save_counters:-false}" = true; then
- echo -n " with counters"
- $iptables_save -c > "$ruleset"
- else
- $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"
- fi
-}
-
-initd_save () {
- rm -f $autosave
- ruleset="${libdir}/$@"
- echo -n "Saving ${iptables_command} ruleset: save \"$@\""
- initd_counters
- echo "."
-}
-
-initd_autosave () {
- if test -f $autosave -a ${enable_autosave-false} = true; then
- ruleset="${libdir}/active"
- echo -n "Autosaving ${iptables_command} ruleset: save \"active\""
- initd_counters
- echo "."
- fi
-}
-
-usage () {
-# current="$(ls -m ${libdir} \
-# | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
-cat << END
-$initd options:
- start|restart|reload|force-reload
- load the "active" ruleset
- save <ruleset>
- save the current ruleset
- load <ruleset>
- load a ruleset
- stop
- load the "inactive" ruleset
- clear
- remove all rules and user-defined chains, set default policy to ACCEPT
- halt
- remove all rules and user-defined chains, set default policy to DROP
-
-Saved ruleset locations: /var/lib/iptables/ and /var/lib/ip6tables/
-
-Please read: $default
-
-END
-}
-
-initd_main () {
- case "$1" in
- start|restart|reload|force-reload)
- initd_load active
- if test ${enable_autosave-false} = true; then
- touch $autosave
- fi
- ;;
- stop)
- initd_load inactive
- ;;
- clear)
- initd_clear
- ;;
- halt)
- initd_halt
- ;;
- save)
- shift
- if test -z "$*"; then
- initd_abort save "no ruleset name given"
- else
- initd_save "$*"
- fi
- ;;
- load)
- shift
- if test -z "$*"; then
- initd_abort load "no ruleset name given"
- else
- initd_load "$*"
- fi
- ;;
- save_active) #legacy option
- initd_save active
- ;;
- save_inactive) #legacy option
- initd_save inactive
- ;;
- *)
- echo "$initd: unknown command: \"$*\""
- usage
- ;;
- esac
-}
-
-initd_preload() {
- iptables="/sbin/${iptables_command}"
- iptables_save="${iptables}-save"
- iptables_restore="${iptables}-restore"
- libdir="/var/lib/${iptables_command}"
- autosave="${libdir}/autosave"
- initd_have_a_cow_man "$iptables_save" "$iptables_restore"
- ${iptables_command} -nL >/dev/null
- initd_main $*
-}
-
-iptables_command=iptables initd_preload $*
-if test "$enable_ipv6" = "true"; then
- iptables_command=ip6tables initd_preload $*
-fi
-
-exit 0
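Review bot: the deleted script offered `save <ruleset>`, `load <ruleset>`, `clear` and `halt` (see its usage text), and its `stop` loaded the "inactive" ruleset rather than flushing; none of these get a named replacement anywhere in this upload. Administrators with cron jobs or habits built around `/etc/init.d/iptables save active` need the netfilter-persistent equivalents documented (`netfilter-persistent save` for saving, `flush` for what `clear` did), and the change in `stop` semantics deserves a changelog line.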
-etc/init.d/iptables-cn etc/init.d/iptables
+etc/init.d/netfilter-persistent etc/init.d/iptables-cn
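Review bot: this link makes /etc/init.d/iptables-cn a second entry point to netfilter-persistent's init script, and the postinst immediately deregisters it with `update-rc.d -f iptables-cn remove`, so the only purpose left is backward compatibility of the `/etc/init.d/iptables-cn start|stop` spelling. If that is the intent, note that `stop` through this name now behaves as netfilter-persistent's stop, not as the old "load the inactive ruleset"; otherwise drop the link and document the new command instead.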
+++ /dev/null
-iptables-cn: script-in-etc-init.d-not-registered-via-update-rc.d /etc/init.d/iptables
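Review bot: this override covered the old /etc/init.d/iptables, which the postinst deregistered; the links file now installs /etc/init.d/iptables-cn, which the postinst deregisters in the same way, so lintian is likely to raise the same script-in-etc-init.d-not-registered-via-update-rc.d tag for the new name. Either keep an override for iptables-cn or drop the link.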
#!/bin/sh
-# postinst script for bind9-cn
-#
-# see: dh_installdeb(1)
-
set -e
-# summary of how this script can be called:
-# * <postinst> `configure' <most-recently-configured-version>
-# * <old-postinst> `abort-upgrade' <new version>
-# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
-# <new-version>
-# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
-# <failed-install-package> <version> `removing'
-# <conflicting-package> <version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-#
-
-case "$1" in
- configure|reconfigure)
- # continue below
- ;;
-
- *)
- exit 0
- ;;
-esac
-
-# fix problem with permissions from the old package
-if dpkg --compare-versions "$2" lt "2:1.2.11-4"; then
- chown -f -Rh root:root /var/lib/iptables /etc/init.d/iptables \
- /etc/default/iptables >/dev/null 2>&1 || true
-fi
+[ "$1" = "configure" ] || exit 0
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
# remove old iptables init script
update-rc.d -f iptables remove >/dev/null 2>&1 || true
+update-rc.d -f iptables-cn remove >/dev/null 2>&1 || true
-# check if old default file exists and import it
+# check if old default file exists and delete it
+if [ -e /etc/default/iptables-cn ]; then
+ rm -f /etc/default/iptables-cn
+fi
if [ -e /etc/default/iptables ]; then
- mv /etc/default/iptables /etc/default/iptables-cn
+ rm -f /etc/default/iptables
fi
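Review bot: /etc/default/iptables-cn was a conffile shipped by earlier versions of this package (the dirs file installed etc/default, and the file header calls itself the init script's defaults file), and /etc/default/iptables is the even older copy that the previous postinst renamed; deleting them with `rm -f` leaves dpkg's conffile record pointing at files that no longer exist and throws away any local edits. Use `dpkg-maintscript-helper rm_conffile` (a debian/iptables-cn.maintscript entry naming the last version that shipped the file) so dpkg removes them cleanly and keeps a locally modified copy as .dpkg-bak. The `if [ -e ... ]` guards are also redundant with `rm -f`.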
# check to see if fail2ban is installed
-if dpkg -l fail2ban | grep -q '^.i'; then
+if dpkg-query -f '${Status}' -W fail2ban | grep -q installed; then
echo "CN: Detected Fail2Ban installation, will remove SSH bruteforce rules by default"
iptables -D SSH_Brute_Force -m recent ! --rcheck --seconds 90 \
--hitcount 3 --name SSH --rsource \
-j SSH_Brute_Force >/dev/null 2>&1 || true
iptables -X SSH_Brute_Force >/dev/null 2>&1 || true
- echo "CN: Saving current Netfilter rules to /var/lib/iptables/active"
- iptables-save > /var/lib/iptables/active
+ echo "CN: Saving current Netfilter rules to /etc/iptables/rules.v4"
+ iptables-save > /etc/iptables/rules.v4
else
# check if there is any default netfilter policy and install default SSH
# REJECT recent if there is none..
# also, save current set of rules into active and inactive configuration
- if [ ! -e /var/lib/iptables/active ]; then
+ if [ ! -e /etc/iptables/rules.v4 ]; then
if ! iptables-save | grep '^-' >/dev/null; then
echo "CN: Netfilter rules empty: importing SSH bruteforce rules"
/usr/share/doc/iptables-cn/examples/ssh-bruteforce \
1>/dev/null 2>&1 || true
fi
- echo "CN: Saving current Netfilter rules to /var/lib/iptables/active"
- iptables-save > /var/lib/iptables/active
+ echo "CN: Saving current Netfilter rules to /etc/iptables/rules.v4"
+ iptables-save > /etc/iptables/rules.v4
fi
fi
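Review bot: in the fail2ban branch `iptables-save > /etc/iptables/rules.v4` runs on every configure, overwriting rules.v4 with the running ruleset even when an administrator has edited the file and not yet reloaded it, whereas the else branch only writes when rules.v4 is absent; guard both the same way. `dpkg-query -f '${Status}' -W fail2ban | grep -q installed` also matches "not-installed" and "half-installed", and dpkg-query prints an error to stderr when fail2ban is unknown; `grep -q '^install ok installed$'` with `2>/dev/null` on the dpkg-query call is tighter.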
-# create inactive
-if [ ! -e /var/lib/iptables/inactive ]; then
- touch /var/lib/iptables/inactive
-fi
-
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
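Review bot: dropping the creation of /var/lib/iptables/inactive is consistent with removing the init script, but the rulesets earlier versions saved in /var/lib/iptables/active (and inactive, autosave) are neither imported nor removed. The new code only captures whatever is loaded at configure time, so on a host where the old init script was disabled via debconf, rules.v4 gets seeded from the SSH bruteforce example rather than from the administrator's saved "active" ruleset. When rules.v4 does not exist and /var/lib/iptables/active does, consider restoring or copying that file first.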
+++ /dev/null
-#!/bin/sh
-# postrm script for bind9-cn
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-# * <postrm> `remove'
-# * <postrm> `purge'
-# * <old-postrm> `upgrade' <new-version>
-# * <new-postrm> `failed-upgrade' <old-version>
-# * <new-postrm> `abort-install'
-# * <new-postrm> `abort-install' <old-version>
-# * <new-postrm> `abort-upgrade' <old-version>
-# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
- purge)
- # continue below
- ;;
-
- *)
- exit 0
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
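Review bot: removing the postrm is safe only because its purge case did nothing beyond the debhelper snippets, which dh_installdeb regenerates when no script is supplied; but it also leaves no place to clean up on purge. The state this package is responsible for, /var/lib/iptables/{active,inactive,autosave} from earlier versions and the rules the postinst writes into /etc/iptables/rules.v4, stays behind after `dpkg --purge iptables-cn`. Leaving the firewall rules in place after purge may well be intended; if so, say so in the README, and add a purge hook for the /var/lib/iptables leftovers.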