-rw-r--r--aports/iptables/APKBUILD11
-rw-r--r--aports/iptables/iptables.confd4
-rw-r--r--aports/iptables/iptables.rules-save14
-rw-r--r--etc/iptables.sample23
-rw-r--r--man/wifibox-alpine.568
5 files changed, 84 insertions, 36 deletions
diff --git a/aports/iptables/APKBUILD b/aports/iptables/APKBUILD
index b5428a5..720bd19 100644
--- a/aports/iptables/APKBUILD
+++ b/aports/iptables/APKBUILD
@@ -2,7 +2,7 @@
pkgname=iptables
pkgver=1.8.7
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel firewall, NAT and packet mangling tools"
url="https://www.netfilter.org/projects/iptables/index.html"
arch="all"
@@ -11,7 +11,6 @@ makedepends="libnftnl-dev bison flex autoconf automake"
source="https://www.netfilter.org/projects/iptables/files/iptables-$pkgver.tar.bz2
iptables.initd
iptables.confd
- iptables.rules-save
ip6tables.confd
"
@@ -47,14 +46,11 @@ package() {
"$pkgdir"/usr/lib/pkgconfig
mkdir -p "$pkgdir"/usr/lib \
- "$pkgdir"/var/lib/iptables \
- "$pkgdir"/etc/iptables
+ "$pkgdir"/var/lib/iptables
install -D -m755 "$srcdir"/iptables.initd "$pkgdir"/etc/init.d/iptables
install -D -m644 "$srcdir"/iptables.confd "$pkgdir"/etc/conf.d/iptables
- install -D -m644 "$srcdir"/iptables.rules-save "$pkgdir"/etc/iptables/rules-save
-
install -D -m755 "$srcdir"/iptables.initd "$pkgdir"/etc/init.d/ip6tables
install -D -m644 "$srcdir"/ip6tables.confd "$pkgdir"/etc/conf.d/ip6tables
}
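Review bot: package() now installs no rules file and no longer creates /etc/iptables, while the iptables.confd hunk further down points IPTABLES_SAVE at /media/etc/iptables, so a fresh install has no firewall rules at all until the host supplies that file. What the service does when the file is absent at boot (refuse to start, or start with empty tables and IPFORWARD still set to yes) depends on iptables.initd, which this diff does not touch, so that is inferred rather than visible here. It is worth recording the intent next to the install lines, e.g. `# Rules are intentionally not shipped: iptables.confd reads them from the host-provided /media/etc/iptables (template in etc/iptables.sample)`. Dropping `-c` from SAVE_RESTORE_OPTIONS is consistent with the sample's zeroed counters, so that part needs no change.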
@@ -62,7 +58,6 @@ package() {
sha512sums="
c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75 iptables-1.8.7.tar.bz2
a37c17a5382c756fcfb183af73af2283f0d09932c5a767241cbab5d784738f6f587f287a0cdf13b4fa74724ecd3a2063a9689ccee84c1bda02e730f63480f74d iptables.initd
-258ad0341381f251ef9b278c09d8a794c6e4bfc067950d5770539d3beabf8702a5be9a8a3418c849b9707f4b33a55eabef5594ccc290c9b9c7dc5fcad1ed80a5 iptables.confd
-382e1ce634aca598891b8f7cf8d1a91bb485a845cc65a92f85ff29f953b629c2f001c3d38bd18928ae89d53b4877eb993236a538e82a94e0089483e50fbda66f iptables.rules-save
+85bb1660c2452fdede5ae0a483489a3648a8b327ea658839a1ad8c6405f6526bdf842a62d4df3f6e3cbbb9ad59137d37b39266cee21e252814191964d4c50f44 iptables.confd
0897a7a22f8b700f7f1f5c355ad6cbf39740e44d6c962af99e479978d8a2d556ca7fe4e31f238829046b4a871ce0b5fd52e2544f1361d15dd1ea3e33992646c4 ip6tables.confd
"
diff --git a/aports/iptables/iptables.confd b/aports/iptables/iptables.confd
index 6e356ef..34f7b00 100644
--- a/aports/iptables/iptables.confd
+++ b/aports/iptables/iptables.confd
@@ -1,4 +1,4 @@
-IPTABLES_SAVE="/etc/iptables/rules-save"
-SAVE_RESTORE_OPTIONS="-c"
+IPTABLES_SAVE="/media/etc/iptables"
+SAVE_RESTORE_OPTIONS=""
SAVE_ON_STOP="no"
IPFORWARD="yes"
diff --git a/aports/iptables/iptables.rules-save b/aports/iptables/iptables.rules-save
deleted file mode 100644
index 326a7a8..0000000
--- a/aports/iptables/iptables.rules-save
+++ /dev/null
@@ -1,14 +0,0 @@
-*filter
-:INPUT ACCEPT [24:1728]
-:FORWARD ACCEPT [480:181212]
-:OUTPUT ACCEPT [27:2041]
-[377:71090] -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-[51:4670] -A FORWARD -i eth0 -o wlan0 -j ACCEPT
-COMMIT
-*nat
-:PREROUTING ACCEPT [64:6167]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [3:174]
-:POSTROUTING ACCEPT [3:174]
-[51:4670] -A POSTROUTING -o wlan0 -j MASQUERADE
-COMMIT
diff --git a/etc/iptables.sample b/etc/iptables.sample
new file mode 100644
index 0000000..af60a63
--- /dev/null
+++ b/etc/iptables.sample
@@ -0,0 +1,23 @@
+# This file contains exported IP Tables data that can be read by the
+# iptables-restore(8) utility. It is not meant to be edited by hand
+# but regenerated by the iptables-save(8) utility after the necessary
+# changes were made via the respective iptables(8) commands.
+#
+# The IP Tables stored here implement a simplistic IP forwarding and
+# NAT between the `eth0` (virtual Ethernet, facing towards the host)
+# and `wlan0` (wireless networking) interfaces.
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+[0:0] -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A FORWARD -i eth0 -o wlan0 -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+[0:0] -A POSTROUTING -o wlan0 -j MASQUERADE
+COMMIT
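Review bot: The `:FORWARD ACCEPT [0:0]` policy makes both FORWARD rules redundant and, as far as routing allows, also permits forwarding in the wlan0→eth0 direction, which the header comment ("forwarding and NAT between eth0 and wlan0") does not make clear. If bidirectional forwarding is intended, the header should say so, e.g. `# The FORWARD policy is ACCEPT: packets are forwarded in both directions; the rules below merely document the eth0->wlan0 path.` If only guest-initiated (eth0→wlan0) traffic plus replies is wanted, the usual shape is `:FORWARD DROP [0:0]`, `-A FORWARD -i eth0 -o wlan0 -j ACCEPT` and `-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT`; note that the existing RELATED,ESTABLISHED rule is written for the eth0→wlan0 (request) direction, so it would not admit reply packets under a DROP policy. The rules themselves are those of the deleted iptables.rules-save with counters zeroed, so current behaviour is unchanged by this commit.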
diff --git a/man/wifibox-alpine.5 b/man/wifibox-alpine.5
index 7fe9fac..e4b66d1 100644
--- a/man/wifibox-alpine.5
+++ b/man/wifibox-alpine.5
@@ -1,4 +1,4 @@
-.Dd April 30, 2022
+.Dd May 14, 2022
.Dt WIFIBOX-ALPINE 5
.Os
.Sh NAME
@@ -36,6 +36,11 @@ OpenRC:
http://www.gentoo.org/proj/en/base/openrc/
.ft R
.It
+iptables:
+.ft B
+https://www.netfilter.org/projects/iptables/index.html
+.ft R
+.It
iw:
.ft B
https://wireless.wiki.kernel.org/en/users/documentation/iw
@@ -87,6 +92,19 @@ is the wireless device which is automatically configured through DHCP,
is the virtual Ethernet device which is configured according to the
contents of the configuration file.
.It
+.Sy iptables
+works with the
+.Pa iptables
+file and it is responsible for moving network packets (Network Address
+Translation, NAT) between the
+.Sy eth0
+and
+.Sy wlan0
+interfaces. The configuration file describes the flow of the network
+packets through the interfaces. It is loaded once at launching the
+respective service, usually on boot, and cannot be modified from the
+guest.
+.It
.Sy udhcpd
works with the
.Pa udhcpd.conf
@@ -131,6 +149,12 @@ when managed by
and
.Sy ifdown .
.It
+.Pa /media/etc/iptables
+is not mapped to anywhere under
+.Pa /etc ,
+it is used directly from this location by
+.Sy iptables .
+.It
.Pa /media/etc/udhcpd.conf
is mapped to
.Pa /etc/udhcpd.conf
@@ -185,17 +209,6 @@ shell itself, shipped in a single small executable. It provides the
execution environment for all the scripts and services. All the
irrelevant modules were removed for security hardening.
.It
-.Sy iptables
-implements the forwarding (Network Address Translation, NAT) between
-the
-.Sy eth0
-and
-.Sy wlan0
-interfaces. The respective rules are static and they are stored in
-the
-.Pa /etc/iptables/rules-save
-configuration file.
-.It
The base layout of the Alpine sytem is stripped down to the bare
minimum, and for example, the guest does not have the
.Sy apk
@@ -239,6 +252,37 @@ service.
.Pp
These commands can help with troubleshooting and restoring the
respective services in case of failures.
+.Sh CONFIGURATION OF NETWORK PACKET FILTERING
+The network packet filtering rules are managed by the
+.Sy iptables
+service, which needs to be restarted so that the changes in the
+.Pa iptables
+file can take effect.
+.Bd -literal -offset indent
+# rc-service iptables restart
+.Ed
+.Pp
+The active set of rules can be queried by the following command.
+.Bd -literal -offset indent
+# iptables -L -n
+.Ed
+.Pp
+Rules can be dynamically added, deleted, inserted, replaced, and
+flushed through the corresponding commands of the
+.Sy iptables
+utility, see its documentation for the details. The current state of
+the configuration can be recorded by dumping it to temporary file
+under a directory which is shared with the host, that is
+.Pa /var/tmp
+in this case.
+.Bd -literal -offset indent
+# iptables-save > /var/tmp/iptables
+.Ed
+.Pp
+The file exported this way could be then used as the main
+configuration by moving it to the location from where the
+.Pa /media/etc
+directory is mounted.
.Sh WIRELESS DIAGNOSTICS
Details of wireless configuration can be learned through the use of
the