From: Ivan Rako Date: Thu, 21 Jul 2016 19:06:27 +0000 (+0200) Subject: changes for jessie X-Git-Tag: debian/2%1.4.21_cn0~1 X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=iptables-cn.git;a=commitdiff_plain;h=95ce5edc2b2f045ea41812286f373659942c6b0d changes for jessie --- diff --git a/README.CARNet b/README.CARNet index 5ee9795..ffccc51 100644 --- a/README.CARNet +++ b/README.CARNet @@ -1,7 +1,8 @@ iptables-cn ~~~~~~~~~~~ -Ovaj paket donosi System V init skriptu za iptables paket, kao i set nekih -prirucnih primjera za koristenje Netfilter paketa. +Ovaj paket ovisi o paketu iptables-persistent koji podize vatrozid +prilikom pokretanja posluzitelja, kao i set nekih prirucnih primjera za +koristenje Netfilter paketa. - -- Dinko Korunic Wed, 27 Apr 2011 17:51:45 +0200 + -- Ivan Rako Thu, 21 Jul 2016 20:49:25 +0200 diff --git a/debian/changelog b/debian/changelog index 4c2bb23..6a4c2f4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +iptables-cn (2:1.4.21~cn0) stable; urgency=low + + * izmjene paketa za jessie + * koristi se netfilter-persistent + + -- Ivan Rako Thu, 21 Jul 2016 20:42:32 +0200 + iptables-cn (2:1.4.14) stable; urgency=low * izmjene paketa za Wheezy diff --git a/debian/control b/debian/control index 579f600..114a6bf 100644 --- a/debian/control +++ b/debian/control @@ -1,13 +1,13 @@ Source: iptables-cn Section: net Priority: optional -Maintainer: Dinko Korunic +Maintainer: Ivan Rako Build-Depends: debhelper (>= 9.20120909) -Standards-Version: 3.9.4 +Standards-Version: 3.9.6 Package: iptables-cn Architecture: all -Depends: iptables (>= 1.4.14-3.1), ${misc:Depends} +Depends: iptables (>= 1.4.21), iptables-persistent (>=1.0.3+deb8u1), ${misc:Depends} Conflicts: iptables-cn (<< 2:1.2.11-4) Description: Linux kernel 2.4+ iptables administration tools netfilter and iptables provide a Linux kernel framework for 
@@ -15,5 +15,4 @@ Description: Linux kernel 2.4+ iptables administration tools translation, and other IP packet manipulation. The framework is the successor to ipchains. . - This is a basic CARNet Debian customization package which brings - back old System V init script functionality. + This is a basic CARNet Debian customization package. diff --git a/debian/default b/debian/default deleted file mode 100644 index 6c5f323..0000000 --- a/debian/default +++ /dev/null 
@@ -1,74 +0,0 @@ -# /etc/init.d/iptables-cn defaults file - -# INTRODUCTION: First thing first, I must warn you. The iptables -# init.d setup and iptables tools themselves are VERY much capable -# of locking you out of network services. This includes remote and -# local network services, even localhost. You can even block local -# console logins if authentication is network based. And please do -# not be lulled into a false sense of security because you simply -# installed the iptables package. It really does not provide a -# firewall or any system security. -# -# Now for a short question and answer session: -# -# Q: You concocted this init.d setup, but you do not like it? -# A: I was pretty much hounded into providing it. I do not like it. -# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/ -# scripts use /etc/ppp/ip-*.d/ script. Create your own custom -# init.d script -- no need to even name it iptables. Use ferm, -# ipmasq, ipmenu, guarddog, firestarter, or one of the many other -# firewall configuration tools available. Do not use the init.d -# script. -# -# Q: What is this iptables init.d setup all about? -# A: The iptables init.d setup saves and restores whole iptables's -# table rulesets. That's basically it. It doesn't create any -# iptables rules nor provide for running any iptables rules. -# That also implies no support at all for dynamic rules. -# -# Q: How do I get started? -# A: (Did I mention "do not use it" already? Oh well.) -# 1. Setup your normal iptables rules -- firewalling, port forwarding -# NAT, etc. When everything is configured the way you like, run: -# -# /etc/init.d/iptables-cn save active -# -# 2. Setup your your inactive firewall rules -- this can be something -# like clear all rules and set all policy defaults to accept (which -# can be done with /etc/init.d/iptables-cn clear). When that is ready, -# save the inactive ruleset: -# -# /etc/init.d/iptables-cn save inactive -# -# 3. 
Controlling the script itself is done through runlevels configured -# with debconf for package installation. Run "dpkg-reconfigure iptables" -# to enable or disable after installation. -# -# Q: Is that all? -# A: Mostly. You can save additional rulesets and restore them by name. As -# an example: -# -# /etc/init.d/iptables-cn save midnight -# /etc/init.d/iptables-cn load midnight -# -# -# Autosave only works with start followed by stop. -# -# Also, take great care with the halt option. It's almost as good as -# pulling the network cable, except it disrupts localhost too. - -# deprecated default values: -# enable_iptables_initd - use the debconf setup -# preload_default - probably not necessary for iptables-restore -# and user modified init.d scripts cannot trusted anyway - -# set iptables_command to "iptables" (default) or "ip6tables" -iptables_command=iptables - -# set enable_autosave to "true" to autosave the active ruleset -# when going from start to stop -enable_autosave=false - -# set enable_save_counters to "true" to save table counters with -# rulesets -enable_save_counters=true diff --git a/debian/dirs b/debian/dirs deleted file mode 100644 index 94de6ed..0000000 --- a/debian/dirs +++ /dev/null @@ -1,3 +0,0 @@ -etc/default -etc/init.d -var/lib/iptables diff --git a/debian/init b/debian/init deleted file mode 100755 index 2db1368..0000000 --- a/debian/init +++ /dev/null 
@@ -1,229 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: iptables -# Required-Start: $local_fs $remote_fs -# Required-Stop: $local_fs $remote_fs -# Should-Start: $syslog -# Should-Stop: $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Start or stop the iptables. -### END INIT INFO - -set -e - -# Q: How do I get started? -# A: (Did I mention "do not use it" already? Oh well.) -# 1. Setup your normal iptables rules -- firewalling, port forwarding -# NAT, etc. When everything is configured the way you like, run: -# -# /etc/init.d/iptables save active -# -# 2. Setup your your inactive firewall rules -- this can be something -# like clear all rules and set all policy defaults to accept (which -# can be done with /etc/init.d/iptables clear). When that is ready, -# save the inactive ruleset: -# -# /etc/init.d/iptables save inactive -# -# 3. Controlling the script itself is done through runlevels configured -# with debconf for package installation. Run "dpkg-reconfigure iptables" -# to enable or disable after installation. -# -# Q: Is that all? -# A: Mostly. You can save additional rulesets and restore them by name. As -# an example: -# -# /etc/init.d/iptables save midnight -# /etc/init.d/iptables load midnight -# -# -# Autosave only works with start followed by stop. -# -# Also, take great care with the halt option. It's almost as good as -# pulling the network cable, except it disrupts localhost too. -# -# Also, create the /var/lib/iptables and /var/lib/ip6tables dirs -# as necessary. - -# enable ipv6 support -enable_ipv6=false - -# set enable_autosave to "true" to autosave the active ruleset -# when going from start to stop -enable_autosave=false - -# set enable_save_counters to "true" to save table counters with -# rulesets -enable_save_counters=true - -if test -f /etc/default/iptables-cn; then - . 
/etc/default/iptables-cn -fi - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -initd="$0" -default="$0" - -initd_abort () { - cmd=$1 - shift - echo "Aborting iptables $cmd: $@." - echo - usage - exit 0 -} - -initd_have_a_cow_man () { - for i in $@; do - if ! command -v "$i" >/dev/null 2>&1; then - echo "Aborting iptables initd: no $i executable" - exit 0 - fi - done -} - -initd_clear () { - rm -f "$autosave" - echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy" - $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore - echo "." -} - -initd_halt () { - rm -f $autosave - echo -n "Clearing ${iptables_command} ruleset: default DROP policy" - $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore - echo "." -} - -initd_load () { - ruleset="$libdir/$@" - if ! test -f "$ruleset"; then - initd_abort load "unknown ruleset, \"$@\"" - fi - if test "$@" = inactive; then - initd_autosave - fi - rm -f "$autosave" - echo -n "Loading ${iptables_command} ruleset: load \"$@\"" - $iptables_restore < "$ruleset" - echo "." -} - -initd_counters () { - if test "${enable_save_counters:-false}" = true; then - echo -n " with counters" - $iptables_save -c > "$ruleset" - else - $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset" - fi -} - -initd_save () { - rm -f $autosave - ruleset="${libdir}/$@" - echo -n "Saving ${iptables_command} ruleset: save \"$@\"" - initd_counters - echo "." -} - -initd_autosave () { - if test -f $autosave -a ${enable_autosave-false} = true; then - ruleset="${libdir}/active" - echo -n "Autosaving ${iptables_command} ruleset: save \"active\"" - initd_counters - echo "." 
- fi -} - -usage () { -# current="$(ls -m ${libdir} \ -# | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')" -cat << END -$initd options: - start|restart|reload|force-reload - load the "active" ruleset - save - save the current ruleset - load - load a ruleset - stop - load the "inactive" ruleset - clear - remove all rules and user-defined chains, set default policy to ACCEPT - halt - remove all rules and user-defined chains, set default policy to DROP - -Saved ruleset locations: /var/lib/iptables/ and /var/lib/ip6tables/ - -Please read: $default - -END -} - -initd_main () { - case "$1" in - start|restart|reload|force-reload) - initd_load active - if test ${enable_autosave-false} = true; then - touch $autosave - fi - ;; - stop) - initd_load inactive - ;; - clear) - initd_clear - ;; - halt) - initd_halt - ;; - save) - shift - if test -z "$*"; then - initd_abort save "no ruleset name given" - else - initd_save "$*" - fi - ;; - load) - shift - if test -z "$*"; then - initd_abort load "no ruleset name given" - else - initd_load "$*" - fi - ;; - save_active) #legacy option - initd_save active - ;; - save_inactive) #legacy option - initd_save inactive - ;; - *) - echo "$initd: unknown command: \"$*\"" - usage - ;; - esac -} - -initd_preload() { - iptables="/sbin/${iptables_command}" - iptables_save="${iptables}-save" - iptables_restore="${iptables}-restore" - libdir="/var/lib/${iptables_command}" - autosave="${libdir}/autosave" - initd_have_a_cow_man "$iptables_save" "$iptables_restore" - ${iptables_command} -nL >/dev/null - initd_main $* -} - -iptables_command=iptables initd_preload $* -if test "$enable_ipv6" = "true"; then - iptables_command=ip6tables initd_preload $* -fi - -exit 0 diff --git a/debian/links b/debian/links index 7c10417..8855430 100644 --- a/debian/links +++ b/debian/links @@ -1 +1 @@ -etc/init.d/iptables-cn etc/init.d/iptables +etc/init.d/netfilter-persistent etc/init.d/iptables-cn 
diff --git a/debian/lintian-overrides b/debian/lintian-overrides deleted file mode 100644 index df28d01..0000000 --- a/debian/lintian-overrides +++ /dev/null @@ -1 +0,0 @@ -iptables-cn: script-in-etc-init.d-not-registered-via-update-rc.d /etc/init.d/iptables diff --git a/debian/postinst b/debian/postinst index 4ac4576..f61e11e 100755 --- a/debian/postinst +++ b/debian/postinst @@ -1,48 +1,23 @@ #!/bin/sh -# postinst script for bind9-cn -# -# see: dh_installdeb(1) - set -e -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package -# - -case "$1" in - configure|reconfigure) - # continue below - ;; - - *) - exit 0 - ;; -esac - -# fix problem with permissions from the old package -if dpkg --compare-versions "$2" lt "2:1.2.11-4"; then - chown -f -Rh root:root /var/lib/iptables /etc/init.d/iptables \ - /etc/default/iptables >/dev/null 2>&1 || true -fi +[ "$1" = "configure" ] || exit 0 +[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx # remove old iptables init script update-rc.d -f iptables remove >/dev/null 2>&1 || true +update-rc.d -f iptables-cn remove >/dev/null 2>&1 || true -# check if old default file exists and import it +# check if old default file exists and delete it +if [ -e /etc/default/iptables-cn ]; then + rm -f /etc/default/iptables-cn +fi if [ -e /etc/default/iptables ]; then - mv /etc/default/iptables /etc/default/iptables-cn + rm -f /etc/default/iptables fi # check to see if fail2ban is installed -if dpkg -l fail2ban | grep -q '^.i'; then +if dpkg-query -f '${Status}' -W fail2ban | grep -q installed; then echo "CN: Detected Fail2Ban installation, will remove SSH bruteforce rules by default" iptables -D SSH_Brute_Force -m recent ! --rcheck --seconds 90 \ --hitcount 3 --name SSH --rsource \ 
@@ -54,28 +29,23 @@ if dpkg -l fail2ban | grep -q '^.i'; then -j SSH_Brute_Force >/dev/null 2>&1 || true iptables -X SSH_Brute_Force >/dev/null 2>&1 || true - echo "CN: Saving current Netfilter rules to /var/lib/iptables/active" - iptables-save > /var/lib/iptables/active + echo "CN: Saving current Netfilter rules to /etc/iptables/rules.v4" + iptables-save > /etc/iptables/rules.v4 else # check if there is any default netfilter policy and install default SSH # REJECT recent if there is none.. # also, save current set of rules into active and inactive configuration - if [ ! -e /var/lib/iptables/active ]; then + if [ ! -e /etc/iptables/rules.v4 ]; then if ! iptables-save | grep '^-' >/dev/null; then echo "CN: Netfilter rules empty: importing SSH bruteforce rules" /usr/share/doc/iptables-cn/examples/ssh-bruteforce \ 1>/dev/null 2>&1 || true fi - echo "CN: Saving current Netfilter rules to /var/lib/iptables/active" - iptables-save > /var/lib/iptables/active + echo "CN: Saving current Netfilter rules to /etc/iptables/rules.v4" + iptables-save > /etc/iptables/rules.v4 fi fi -# create inactive -if [ ! -e /var/lib/iptables/inactive ]; then - touch /var/lib/iptables/inactive -fi - # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. diff --git a/debian/postrm b/debian/postrm deleted file mode 100755 index 6fb8eb0..0000000 --- a/debian/postrm +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/sh -# postrm script for bind9-cn -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `purge' -# * `upgrade' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# * `disappear' overwrit>r> -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - purge) - # continue below - ;; - - *) - exit 0 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0
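Review bot: the README.CARNet hunk drops the only user-facing description of how rules were managed (the deleted init script's `save`, `load`, `clear` and `halt` subcommands) without saying what replaces them; add one line telling the administrator that rules now live in /etc/iptables/rules.v4 and are saved and reloaded through the /etc/init.d/netfilter-persistent script that the links hunk aliases. While there, align the naming: the changelog and links hunks say netfilter-persistent, README.CARNet and debian/control say iptables-persistent, so state that one is the package dependency and the other the script that actually loads the firewall.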
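Review bot: in the debian/control hunk the new `Depends:` line writes `iptables-persistent (>=1.0.3+deb8u1)` with no space after the operator, unlike every other relationship in the same file (`iptables (>= 1.4.21)`, `debhelper (>= 9.20120909)`); dpkg accepts both forms, but write `iptables-persistent (>= 1.0.3+deb8u1)` for consistency. The `Conflicts: iptables-cn (<< 2:1.2.11-4)` line and the `Linux kernel 2.4+` synopsis are untouched leftovers from the wheezy packaging and can go in the same edit.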
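Review bot: the debian/links hunk reverses the alias direction: before, /etc/init.d/iptables was a link to this package's own iptables-cn script; now /etc/init.d/iptables-cn becomes a link to /etc/init.d/netfilter-persistent, a script this package does not ship, and the postinst hunk runs `update-rc.d -f iptables-cn remove` right after, so the link can only serve as a command-line alias. Either document it as such in README.CARNet or drop it, because a second entry in /etc/init.d for the same service is one more thing for the init system to scan and for the next maintainer to mis-register.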
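Review bot: in the first debian/postinst hunk, `rm -f /etc/default/iptables-cn` and `rm -f /etc/default/iptables` delete the defaults file shipped by the previous version (from the debian/default removed in this commit) behind dpkg's back: any local edits to `iptables_command`, `enable_autosave` or `enable_save_counters` are discarded with no backup and dpkg's conffile record for the path goes stale. Use `dpkg-maintscript-helper rm_conffile /etc/default/iptables-cn <prior-version> -- "$@"` from preinst, postinst and postrm instead, which keeps a modified copy as .dpkg-bak, and treat /etc/default/iptables (which the old postinst moved into place) the same way. In the same hunk, `dpkg-query -f '${Status}' -W fail2ban | grep -q installed` also matches the `half-installed` state; match the full status, e.g. `grep -q '^install ok installed$'`, and note that the check only survives `set -e` because the pipeline's exit status is grep's.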
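Review bot: in the second debian/postinst hunk the fail2ban branch still runs `iptables-save > /etc/iptables/rules.v4` unconditionally, while the else branch guards the identical write with `[ ! -e /etc/iptables/rules.v4 ]`; on a host with fail2ban every reconfigure or upgrade therefore overwrites the administrator's rules.v4 (a file owned by iptables-persistent, not by this package) with whatever happens to be loaded at that moment. Guard both writes the same way. Nothing in this commit migrates the wheezy ruleset either: /var/lib/iptables/active is neither copied to rules.v4 nor removed, so the new file matches the old one only if the deleted init script had loaded it before the upgrade; an explicit `if [ -e /var/lib/iptables/active ] && [ ! -e /etc/iptables/rules.v4 ]; then cp ... ; fi` step makes that deterministic. The deleted script also handled ip6tables (`enable_ipv6`, /var/lib/ip6tables), and no rules.v6 is written anywhere.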
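Review bot: deleting debian/postrm outright leaves the package with no purge handling, yet the previous version created /var/lib/iptables/{active,inactive,autosave} (and /var/lib/ip6tables when `enable_ipv6` was set) at runtime, and debian/dirs no longer lists those directories; after this upgrade they are orphaned and survive a purge. Keep a small postrm with `purge) rm -rf /var/lib/iptables /var/lib/ip6tables ;;` before the `#DEBHELPER#` marker, which is also where the `dpkg-maintscript-helper rm_conffile` call for the old defaults file belongs.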