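#!/bin/sh
# Build iptables-nft 1.8.11 as a TinyCore extension (iptables-nft.tcz + iptables-nft-doc.tcz).
#
# Usage: run as root from any directory; work happens under /tmp.
# Reads:  /etc/sysconfig/tcuser (the unprivileged TinyCore user used for tce-load and wget)
# Env (optional): IPTABLES_SHA256 — expected SHA-256 of iptables-$V.tar.xz; when set, the
#         downloaded tarball is verified before anything is built or installed.
#
# Every step below is either a download, a build, or a root-owned install/rm, so the script
# stops at the first failure instead of running later rm -rf / install steps against a
# half-built tree.
set -eu

# test we are root
if [ "$(id -u)" != "0" ]; then
  echo "must run as root" >&2
  exit 1
fi

# cheated off arch build but my coding skill differs greatly..poorly
# ebtables removed from load list after checking strings against sbin files
export CFLAGS="-mtune=generic -Os -pipe"
export CXXFLAGS="-mtune=generic -Os -pipe -fno-exceptions -fno-rtti"

P=iptables-nft
V=1.8.11
SRC=iptables-$V
USER=$(cat /etc/sysconfig/tcuser)

# ca-certificates is needed so wget can verify the TLS certificates of netfilter.org and
# gitlab.archlinux.org; the sources fetched below are compiled and installed as root, so
# the download is not done with certificate checking disabled.
LIST="compiletc submitqc libnftnl-dev libpcap-dev libnetfilter_conntrack-dev bash libtool-dev ca-certificates"
for Z in $LIST; do
  su -c "tce-load -i $Z" "$USER"
done

cd /tmp

URL=https://gitlab.archlinux.org/archlinux/packaging/packages/iptables/-/raw/main
# -nc keeps an already-present download; the gitlab files keep their ?ref_type=heads suffix
# in the saved filename, which the patch/mv steps below account for.
su -c "/usr/local/bin/wget -nc \
  https://www.netfilter.org/projects/iptables/files/iptables-$V.tar.xz \
  $URL/iptables-apply-default-path.patch?ref_type=heads \
  $URL/simple_firewall.rules?ref_type=heads \
  $URL/empty.rules" "$USER"

# Opt-in integrity check of the source tarball. Set IPTABLES_SHA256 to the value published
# for this release (placeholder: <sha256-of-iptables-1.8.11.tar.xz>); unset = skip.
if [ -n "${IPTABLES_SHA256:-}" ]; then
  echo "$IPTABLES_SHA256  iptables-$V.tar.xz" | sha256sum -c -
fi

tar xvf "iptables-$V.tar.xz"
cd "$SRC"

rm include/linux/types.h
ln -rs libiptc/linux_list.h include/libiptc
patch -p0 -i ../iptables-apply-default-path.patch*

mkdir -p build
cd build

# iptables-restore complains unless it finds a rule as /etc/iptables/iptables.rules so unable
# to use usr loc etc; man pages also use this pathway
../configure --prefix=/usr/local --enable-bpf-compiler --sysconfdir=/etc/
# Iptables Configuration:
#   IPv4 support:                           yes
#   IPv6 support:                           yes
#   Devel support:                          yes
#   IPQ support:                            no
#   Large file support:                     yes
#   BPF utils support:                      yes
#   nfsynproxy util support:                no
#   nftables support:                       yes
#   connlabel support:                      yes
#   profiling support:                      no
# Build parameters:
#   Put plugins into executable (static):   no
#   Support plugins via dlopen (shared):    yes
#   Installation prefix (--prefix):         /usr/local
#   Xtables extension directory:            /usr/local/lib/xtables
#   Pkg-config directory:                   /usr/local/lib/pkgconfig
#   Xtables lock file:                      /run/xtables.lock
#   Build against musl-libc:                no
#   Host:                                   x86_64-pc-linux-gnu
#   GCC binary:                             gcc

# direct cheat from arch
sed -e 's/ -shared / -Wl,-O1,--as-needed\0/g' -i libtool

make -j4
# 5 seconds
make install-strip DESTDIR=/tmp/$P

cd /tmp

# NO dev as GNUser built nftables not to support iptables so there is no need for a dev TCE
#####
rm -rf "$P/usr/local/include"
rm -rf "$P/usr/local/lib/pkgconfig"
rm -rf "$P"/usr/local/lib/*.la

# doc
#####
mkdir -p "$P-doc/usr/local/share/"
mv "$P/usr/local/share/man" "$P-doc/usr/local/share/"
# see below for sbin checks against legacy support
# means we now have too many irrelevant man pages fix
# (cd is a plain command, so under set -e a failed cd stops the script before the rm runs)
cd "$P-doc/usr/local/share/man/man8/"
rm -rf arp* eb*
cd /tmp

# main
#####
mkdir -p "$P/usr/local/share/doc/$P"
# NOTE(review): this stub says GPL v2 while both .tcz.info files below say GPL v3 — reconcile.
echo 'GPL v 2' > "$P/usr/local/share/doc/$P/COPYING"

# /usr/local/bin/iptables-xml is currently a broken sym link to usr/local/sbin/xtables-legacy-multi
rm -rf "$P/usr/local/bin/iptables-xml"
cd "$P/usr/local/bin"
ln -s ../sbin/xtables-legacy-multi iptables-xml
cd /tmp
ls -al "$P/usr/local/bin/iptables-xml"
### lrwxrwxrwx 1 root root 28 Nov 18 20:37 iptables-nft/usr/local/bin/iptables-xml -> ../sbin/xtables-legacy-multi

# Informational only: grep exits 1 on no match, which would abort under set -e, hence || true.
strings "$P/usr/local/sbin/xtables-legacy-multi" | grep arp || true
# no hits
strings "$P/usr/local/sbin/xtables-legacy-multi" | grep eb || true
# no hits
strings "$P/usr/local/sbin/xtables-legacy-multi" | grep ip || true
# HAS HITS for ip6* and ip(tables)
# therefore we remove sbins for arp and eb
rm -rf "$P"/usr/local/sbin/arp*
rm -rf "$P"/usr/local/sbin/eb*
# cd $P/usr/local/bin && ln -s ../sbin/ip* . && cd /tmp
# maybe arch echo $PATH does not use for them /usr/sbin? our usr loc sbin?

# add rules
###########
chown root:root *rules*
mv 'simple_firewall.rules?ref_type=heads' iptables.rules
# an extra line but makes it easier to read/list
mkdir -p "$P/usr/local/share/iptables/rules"
mv empty.rules "$P/usr/local/share/iptables/rules/ip6tables.rules"
mv iptables.rules "$P/usr/local/share/iptables/rules/"
# the actual rule generation occurs in below DIR
mkdir -p "$P/etc/iptables"
cp "$P/usr/local/share/iptables/rules/iptables.rules" "$P/etc/iptables/"

# submit finds not all stripped
cd "$P/usr/local/lib/xtables"
strip --strip-unneeded *.so
cd /tmp

# install script
################
mkdir -p "$P/usr/local/tce.installed"
# '>' (not '>>') so a re-run does not append a second copy of the script
cat > "$P/usr/local/tce.installed/$P" <<'EOF'
#!/bin/sh
iptables-restore /etc/iptables/iptables.rules
EOF
chown -R root:staff "$P/usr/local/tce.installed"
chmod -R 775 "$P/usr/local/tce.installed"

# TCZ them
###########
LIST2="$P $P-doc"
for Z in $LIST2; do
  mksquashfs "$Z" "$Z.tcz"
  md5sum "$Z.tcz" > "$Z.tcz.md5.txt"
  cd "$Z"
  find . -not -type d | cut -c 2- | sort > "/tmp/$Z.tcz.list"
  cd /tmp
done
ls -hal

echo 'Title: iptables-nft-doc.tcz
Description: man pages
Version: 1.8.11
Author: Netfilter Team
Original-site: https://www.netfilter.org/projects/iptables/index.html
Copying-policy: GPL v3
Size: 72K
Extension_by: aus9 @linuxquestions.org
Tags: firewall
Comments: For bin command
$ man iptables-xml
For sbin command eg
$ man 8 iptables-save
Change-log: 2024/11/20 v 1.8.11
Current: 2024/11/20' > "$P-doc.tcz.info"

echo 'man-db.tcz' > "$P-doc.tcz.dep"

echo 'Title: iptables-nft.tcz
Description: command line firewall tool as below
Version: 1.8.11
Author: Netfilter Team
Original-site: https://www.netfilter.org/projects/iptables/index.html
Copying-policy: GPL v3
Size: 568K
Extension_by: aus9 @linuxquestions.org
Tags: firewall
Comments: Likely to conflict with iptables.tcz
Install script restores /etc/iptables/iptables.rules
Which until you change it, is a copy of
/usr/local/share/iptables/rules/iptables.rules
and not the empty ip6tables.rules.
If you need to change it, you delete the /etc file
and make a file with the exact same path and name
/etc/iptables/iptables.rules
and then add that file to your backup (Dropping the leading /)
Even tho I am not an expert I believe most members will
get by just fine with this ip v4 ruleset
Check current ruleset with
$ sudo iptables -L
Test any changed ruleset by running
$ sudo iptables-restore /etc/iptables/iptables.rules
$ sudo iptables -L
I recommend you test online testers EXAMPLE ONLY
https://www.grc.com/x/ne.dll?rh1dkyd2
Bear in mind you may already have a router firewall
and some network providers may block some ports
Change-log: 2024/11/20 v 1.8.11
Current: 2024/11/20' > "$P.tcz.info"

# Dependency survey (informational; || true because a grep with no match must not abort).
readelf -d "$P"/usr/local/bin/* | grep 'NEEDED' || true
# multiple duplicates ignored
# libxtables.so.12] libip4tc.so.2] libip6tc.so.2]  this TCE
# libmnl.so.0]                                     libmnl libnetfilter_conntrack
# libnftnl.so.11]                                  libnftnl nftables
# libnetfilter_conntrack.so.3]                     libnetfilter_conntrack
# libnfnetlink.so.0]                               libnfnetlink libnetfilter_conntrack
readelf -d "$P"/usr/local/sbin/* | grep 'NEEDED' || true
# no extras
readelf -d "$P"/usr/local/lib/*.so | grep 'NEEDED' || true
# TCBs
readelf -d "$P"/usr/local/lib/xtables/*.so | grep 'NEEDED' || true
# no extras

# iptables-apply and others are bash scripts
echo 'libnetfilter_conntrack.tcz
nftables.tcz
bash.tcz' > "$P.tcz.dep"

submitqc --libs
rm -rf ./*.zsync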