by popular demand, disable the iptables firewall entirely.

Matthew Miller 2013-11-18 12:15:19 -05:00
parent 9b40e37957
commit fe5b6843ac


@ -19,14 +19,12 @@ auth --useshadow --enablemd5
selinux --enforcing selinux --enforcing
rootpw --lock --iscrypted locked rootpw --lock --iscrypted locked
# this is actually not used, but a static firewall firewall --disabled
# matching these rules is generated below.
firewall --service=ssh
bootloader --timeout=1 --append="console=ttyS0,115200n8 console=tty0" extlinux bootloader --timeout=1 --append="console=ttyS0,115200n8 console=tty0" extlinux
network --bootproto=dhcp --device=eth0 --onboot=on network --bootproto=dhcp --device=eth0 --onboot=on
services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final services --enabled=network,sshd,rsyslog,cloud-init,cloud-init-local,cloud-config,cloud-final
zerombr zerombr
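Review bot: With `firewall --disabled` replacing the `firewall --service=ssh` line and `iptables` dropped from `services --enabled`, the image now brings up sshd (still in the enabled services list) with no host-level packet filter, and the only place that assumption was written down — the removed comment noting the static firewall could be dropped if you rely on your cloud service's security groups — goes away with it. The new side should state that assumption explicitly so anyone building this image for a network without security groups sees it, e.g. `# No host firewall: access to sshd is expected to be restricted by the cloud provider's security groups / network ACLs.` directly above `firewall --disabled`. Since `rootpw --lock` is in the visible context, ssh access presumably depends on keys injected by cloud-init; whether sshd_config still permits password authentication is not visible here and is worth confirming before shipping an unfiltered sshd.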
@ -63,10 +61,6 @@ syslinux-extlinux
# Needed initially, but removed below. # Needed initially, but removed below.
firewalld firewalld
# Basic firewall. If you're going to rely on your cloud service's
# security groups you can remove this.
iptables-services
# cherry-pick a few things from @standard # cherry-pick a few things from @standard
tar tar
rsync rsync
@ -135,28 +129,6 @@ yum -C -y remove linux-firmware
echo "Removing firewalld." echo "Removing firewalld."
yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1"
# Non-firewalld-firewall
echo -n "Writing static firewall"
cat <<EOF > /etc/sysconfig/iptables
# Simple static firewall loaded by iptables.service. Replace
# this with your own custom rules, run lokkit, or switch to
# shorewall or firewalld as your needs dictate.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
echo .
# Another one needed at install time but not after that, and it pulls # Another one needed at install time but not after that, and it pulls
# in some unneeded deps (like, newt and slang) # in some unneeded deps (like, newt and slang)
echo "Removing authconfig." echo "Removing authconfig."