Added iptables init script - now loading /etc/iptables on start

9865a61b · Vladimir Bashkirtsev · dcef91a2 · 9865a61b · 9865a61b
Commit 9865a61b authored May 09, 2019 by Vladimir Bashkirtsev
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 0 deletions

Makefile Makefile +1 -0

iptables iptables +40 -0

No files found.
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ all: iptables-service
 	@echo "$$IPTABLES_SERVICE" > /lib/systemd/system/iptables.service
 	ln -s /lib/systemd/system/iptables.service /etc/systemd/system/multi-user.target.wants/iptables.service
+	install -v -m755 iptables /etc/systemd/scripts/iptables
 	rm -rf iptables-1.8.2
 iptables-service:

--- a/iptables
+++ b/iptables
+#!/bin/sh
+# Begin /etc/systemd/scripts/iptables
+# Enable broadcast echo Protection
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
+# Do not send Redirect Messages
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 > /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 > /proc/sys/net/ipv4/tcp_ecn
+iptables-restore /etc/iptables
+# End /etc/systemd/scripts/iptables