From 840a7d2d375d39c0a5f510da3286c98490f4b4f1 Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Fri, 10 Jan 2014 16:19:56 +0100
Subject: [PATCH] add default /etc/sysconfig/ip[6]tables (RHBZ#1034494)

---
 iptables.spec | 17 ++++++++++++-----
 sysconfig_ip6tables | 14 ++++++++++++++
 sysconfig_iptables | 14 ++++++++++++++
 3 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 sysconfig_ip6tables
 create mode 100644 sysconfig_iptables

diff --git a/iptables.spec b/iptables.spec
index 8a09ece..1a5f47b 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -13,6 +13,8 @@ Source1: iptables.init
 Source2: iptables-config
 Source3: iptables.service
 Source4: iptables.save-legacy
+Source5: sysconfig_iptables
+Source6: sysconfig_ip6tables
 URL: http://www.netfilter.org/
 License: GPLv2
 # libnfnetlink-devel is requires for nfnl_osf
@@ -103,10 +105,12 @@ install -d -m 755 %{buildroot}%{script_path}
 install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init
 sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
 install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init
-install -d -m 755 %{buildroot}/etc/sysconfig
-install -c -m 755 %{SOURCE2} %{buildroot}/etc/sysconfig/iptables-config
+install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig
+install -c -m 755 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config
 sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
-install -c -m 755 ip6tables-config %{buildroot}/etc/sysconfig/ip6tables-config
+install -c -m 755 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config
+install -c -m 755 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/iptables
+install -c -m 755 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables
 # install systemd service files
 install -d -m 755 %{buildroot}/%{_unitdir}
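Review bot: The two new rule files are installed with `-m 755`, and nothing in this hunk tightens that, so the shipped firewall policy ends up world-readable and needlessly executable unless the %files list overrides the mode; the existing `-config` files get that override via `%attr(0600,root,root)` in the main-package %files, whereas the `%files services` hunk later in this patch lists the new rule files with no `%attr` at all. A ruleset is data, not a script, and tells any local user which ports are open and which sources are exempted, so install it as `install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/iptables` and `install -c -m 600 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables`. If the init script's save action writes this file with restrictive permissions (it is not in this patch, so confirm), the packaged default should match so the mode does not silently flip on the first save.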
@@ -138,8 +142,8 @@ install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/
 %files
 %doc COPYING INCOMPATIBILITIES
-%config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
-%config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config
+%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables-config
+%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables-config
 %{_sbindir}/iptables*
 %{_sbindir}/ip6tables*
 %{_sbindir}/xtables-multi
@@ -172,6 +176,8 @@ install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/
 %files services
 %attr(0755,root,root) %{script_path}/iptables.init
 %attr(0755,root,root) %{script_path}/ip6tables.init
+%config(noreplace) %{_sysconfdir}/sysconfig/iptables
+%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables
 %dir %{script_path}
 %{_unitdir}/iptables.service
 %{_unitdir}/ip6tables.service
@@ -189,6 +195,7 @@ install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/
 %changelog
 * Fri Jan 10 2014 Jiri Popelka - 1.4.21-4
 - drop virtual provide for xtables.so.9
+- add default /etc/sysconfig/ip[6]tables (RHBZ#1034494)
 * Thu Jan 09 2014 Jiri Popelka - 1.4.21-3
 - no need to support the pre-systemd things
diff --git a/sysconfig_ip6tables b/sysconfig_ip6tables
new file mode 100644
index 0000000..e642a8d
--- /dev/null
+++ b/sysconfig_ip6tables
@@ -0,0 +1,14 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# requests to add additional ports/services will most likely be refused
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
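Review bot: The two new `%config(noreplace)` entries in `%files services` carry no `%attr`, unlike the `%attr(0600,root,root)` the same patch keeps on the `-config` entries in the main package, so the packaged firewall policy is shipped with the 0755 mode it gets from the `install -c -m 755` in %install. Change them to `%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables` and `%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables` so the ruleset is readable by root only, consistent with the rest of the package. The default content is not secret, but once an administrator edits the file it documents their open ports and any address-specific exceptions, which is not something unprivileged local users should be able to read.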
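Review bot: The chain policies are `:INPUT ACCEPT` and `:FORWARD ACCEPT` with the deny done only by the trailing `-j REJECT` rules, so the host fails open whenever the rules are flushed or a later restore aborts part-way, and nothing in the file says so although administrators will copy it as a template. I would add a comment after `*filter` along the lines of `# chain policies are ACCEPT: protection comes only from the final REJECT rules, so flushing the chains leaves the host open`, and if the init script's stop action depends on ACCEPT policies when it flushes (the script is not in this patch, so confirm), note that as well. The unrestricted `-A INPUT -p ipv6-icmp -j ACCEPT` is intentional on IPv6, where ICMPv6 carries neighbour discovery and PMTU, and deserves a one-line comment saying so, otherwise a later edit is likely to "tighten" it to echo-request only and break connectivity. On style, the `state` match is documented as a subset of the `conntrack` match, so a new default ruleset would read better as `-m conntrack --ctstate RELATED,ESTABLISHED` and `-m conntrack --ctstate NEW`; behaviour is the same either way.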
diff --git a/sysconfig_iptables b/sysconfig_iptables
new file mode 100644
index 0000000..81471f0
--- /dev/null
+++ b/sysconfig_iptables
@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# requests to add additional ports/services will most likely be refused
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
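Review bot: `-A INPUT -p icmp -j ACCEPT` admits every ICMP type, including redirect, timestamp and address-mask requests, and unlike the IPv6 file there is no neighbour-discovery reason on IPv4 to keep it wide open; since conntrack already classifies ICMP errors for tracked flows as RELATED and the rule above accepts those, `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT` is the narrower default, or at least add `# accepts all ICMP types on purpose` if the broad rule is intentional. The file also opens TCP/22 to every source without comment; a line such as `# sshd (TCP/22) is reachable from any address by default; add -s to restrict it` would help administrators who use this as a template. As in the IPv6 file, the chain policies are ACCEPT and protection rests solely on the final REJECT rules, so a flush leaves the host open, which is worth stating in a comment next to the policy lines.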