diff options
author | Arun Isaac <arunisaac@systemreboot.net> | 2018-08-17 16:39:07 +0530 |
---|---|---|
committer | Arun Isaac <arunisaac@systemreboot.net> | 2018-09-20 13:09:55 +0530 |
commit | 9926b8f8096a0198cc34585bf7424eba0c98aee2 (patch) | |
tree | 030c3d31e6eb30560a08c50154dbfb43471c4352 /doc | |
parent | 3e63a83c0fa5621a272f0a43dc2dfcb46081804e (diff) | |
download | guix-9926b8f8096a0198cc34585bf7424eba0c98aee2.tar.gz |
gnu: services: Add iptables service.
* gnu/services/networking.scm (<iptables-configuration>): New record type. (iptables-service-type): New variable. * gnu/tests/networking.scm (run-iptables-test): New procedure. (%test-iptables): New variable. * doc/guix.texi (Networking Services): Document it.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/guix.texi | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 8987b20fa9..b925485be5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -11612,6 +11612,54 @@ Thus, it can be instantiated like this: @end lisp @end defvr +@cindex iptables +@defvr {Scheme Variable} iptables-service-type +This is the service type to set up an iptables configuration. iptables is a +packet filtering framework supported by the Linux kernel. This service +supports configuring iptables for both IPv4 and IPv6. A simple example +configuration rejecting all incoming connections except those to the ssh port +22 is shown below. + +@lisp +(service iptables-service-type + (iptables-configuration + (ipv4-rules (plain-file "iptables.rules" "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-port-unreachable +COMMIT +")) + (ipv6-rules (plain-file "ip6tables.rules" "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp6-port-unreachable +COMMIT +")))) +@end lisp +@end defvr + +@deftp {Data Type} iptables-configuration +The data type representing the configuration of iptables. + +@table @asis +@item @code{iptables} (default: @code{iptables}) +The iptables package that provides @code{iptables-restore} and +@code{ip6tables-restore}. +@item @code{ipv4-rules} (default: @code{%iptables-accept-all-rules}) +The iptables rules to use. It will be passed to @code{iptables-restore}. +This may be any ``file-like'' object (@pxref{G-Expressions, file-like +objects}). +@item @code{ipv6-rules} (default: @code{%iptables-accept-all-rules}) +The ip6tables rules to use. It will be passed to @code{ip6tables-restore}. +This may be any ``file-like'' object (@pxref{G-Expressions, file-like +objects}). +@end table +@end deftp + @cindex NTP @cindex real time clock @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @ |