@jasonwbarnett
Created August 14, 2018 00:50
# yum remove iptables -y
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-16.el7 will be erased
--> Processing Dependency: iptables = 1.4.21-16.el7 for package: iptables-services-1.4.21-16.el7.x86_64
--> Processing Dependency: libxtables.so.10()(64bit) for package: iproute-3.10.0-54.el7.x86_64
--> Running transaction check
---> Package iproute.x86_64 0:3.10.0-54.el7 will be erased
--> Processing Dependency: iproute for package: dracut-network-033-359.el7.x86_64
--> Processing Dependency: iproute for package: initscripts-9.49.30-1.el7.x86_64
--> Processing Dependency: iproute for package: cloud-init-0.7.5-6.el7.x86_64
--> Processing Dependency: iproute for package: 1:NetworkManager-1.0.6-27.el7.x86_64
--> Processing Dependency: iproute for package: 12:dhclient-4.2.5-42.el7.centos.x86_64
---> Package iptables-services.x86_64 0:1.4.21-16.el7 will be erased
--> Processing Dependency: iptables for package: firewalld-0.3.9-14.el7.noarch
--> Running transaction check
---> Package NetworkManager.x86_64 1:1.0.6-27.el7 will be erased
--> Processing Dependency: NetworkManager = 1:1.0.6-27.el7 for package: 1:NetworkManager-tui-1.0.6-27.el7.x86_64
--> Processing Dependency: NetworkManager(x86-64) = 1:1.0.6-27.el7 for package: 1:NetworkManager-wifi-1.0.6-27.el7.x86_64
---> Package cloud-init.x86_64 0:0.7.5-6.el7 will be erased
---> Package dhclient.x86_64 12:4.2.5-42.el7.centos will be erased
---> Package dracut-network.x86_64 0:033-359.el7 will be erased
--> Processing Dependency: dracut-network for package: kexec-tools-2.0.7-38.el7.x86_64
---> Package firewalld.noarch 0:0.3.9-14.el7 will be erased
---> Package initscripts.x86_64 0:9.49.30-1.el7 will be erased
--> Processing Dependency: initscripts for package: open-vm-tools-9.10.2-4.el7.x86_64
--> Processing Dependency: initscripts >= 8.83-1 for package: plymouth-0.8.9-0.24.20140113.el7.centos.x86_64
--> Processing Dependency: initscripts >= 5.86-1 for package: kbd-1.15.5-11.el7.x86_64
--> Running transaction check
---> Package NetworkManager-tui.x86_64 1:1.0.6-27.el7 will be erased
---> Package NetworkManager-wifi.x86_64 1:1.0.6-27.el7 will be erased
---> Package kbd.x86_64 0:1.15.5-11.el7 will be erased
---> Package kexec-tools.x86_64 0:2.0.7-38.el7 will be erased
---> Package open-vm-tools.x86_64 0:9.10.2-4.el7 will be erased
---> Package plymouth.x86_64 0:0.8.9-0.24.20140113.el7.centos will be erased
--> Processing Dependency: plymouth for package: plymouth-scripts-0.8.9-0.24.20140113.el7.centos.x86_64
--> Running transaction check
---> Package plymouth-scripts.x86_64 0:0.8.9-0.24.20140113.el7.centos will be erased
--> Finished Dependency Resolution
...
Remove 1 Package (+15 Dependent packages)
Installed size: 22 M
Is this ok [y/N]: y
...
Removed:
iptables.x86_64 0:1.4.21-16.el7
Dependency Removed:
NetworkManager.x86_64 1:1.0.6-27.el7 NetworkManager-tui.x86_64 1:1.0.6-27.el7 NetworkManager-wifi.x86_64 1:1.0.6-27.el7 cloud-init.x86_64 0:0.7.5-6.el7 dhclient.x86_64 12:4.2.5-42.el7.centos dracut-network.x86_64 0:033-359.el7 firewalld.noarch 0:0.3.9-14.el7 initscripts.x86_64 0:9.49.30-1.el7
iproute.x86_64 0:3.10.0-54.el7 iptables-services.x86_64 0:1.4.21-16.el7 kbd.x86_64 0:1.15.5-11.el7 kexec-tools.x86_64 0:2.0.7-38.el7 open-vm-tools.x86_64 0:9.10.2-4.el7 plymouth.x86_64 0:0.8.9-0.24.20140113.el7.centos plymouth-scripts.x86_64 0:0.8.9-0.24.20140113.el7.centos
# curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo TMPDIR=/root bash
--> hab-install: Checking installed hab version
hab 0.59.0/20180712155441
--> hab-install: Installation of Habitat 'hab' program complete.
# cat <<EOF | sudo tee /etc/systemd/system/hab.service
> [Unit]
> Description=The Habitat Supervisor
>
> [Service]
> ExecStart=/bin/hab sup run --no-color
>
> [Install]
> WantedBy=default.target
> EOF
[Unit]
Description=The Habitat Supervisor
[Service]
ExecStart=/bin/hab sup run --no-color
[Install]
WantedBy=default.target
# systemctl start hab
# hab pkg install core/iptables --binlink
# iptables-restore <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
-A FORWARD -j RETURN
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  127.0.0.0/8          anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
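The ruleset above sets every filter chain to a DROP policy and then re-opens loopback, conntrack return traffic and inbound tcp/22. Loading a ruleset like that over SSH is exactly the step that locks people out when one of those re-open rules is missing or mistyped, and `iptables-restore` gives no second chance. The script below is an added example, not part of the gist: `lint_ruleset` checks a ruleset file for the properties this host needs before it is loaded (and rejects a catch-all `-A INPUT -j ACCEPT` that would make the DROP policy meaningless), and `apply_with_rollback` loads it with a timer that restores the previous rules unless `confirm_rules` is run from a fresh session. The function names are mine; the "good" ruleset is the gist's own, the "bad" one is constructed to show a rejected case; the apply wrapper needs root and assumes `iptables-save` and `iptables-restore` are on PATH (the `core/iptables` binlink above is expected to provide them).

```shell
#!/usr/bin/env bash
# Added example (not part of the gist): pre-flight lint for an iptables-restore
# ruleset, and an apply-with-rollback wrapper for pushing it over SSH.
# Function names are mine; the "good" ruleset is the one from the gist, the
# "bad" one is constructed to show what the lint rejects.

# lint_ruleset FILE
# Returns 0 when FILE keeps the properties a remotely administered host needs
# (default-DROP policies, loopback and conntrack return traffic accepted,
# inbound tcp/22 accepted, table committed) and contains no catch-all ACCEPT
# on INPUT. Prints each failed check to stderr and returns 1 otherwise.
lint_ruleset() {
  local file=$1 rc=0 name pattern
  while IFS='|' read -r name pattern; do
    [ -n "$name" ] || continue
    if ! grep -Eq -- "$pattern" "$file"; then
      echo "lint: $file: missing: $name" >&2
      rc=1
    fi
  done <<'EOF'
INPUT policy DROP|^:INPUT DROP
FORWARD policy DROP|^:FORWARD DROP
OUTPUT policy DROP|^:OUTPUT DROP
loopback accepted on INPUT|^-A INPUT -i lo -j ACCEPT
return traffic accepted on INPUT|^-A INPUT .*--ctstate [A-Z,]*ESTABLISHED.* -j ACCEPT
SSH (tcp/22) accepted on INPUT|^-A INPUT .*--dport 22 .*-j ACCEPT
table committed|^COMMIT$
EOF
  # A bare "-A INPUT -j ACCEPT" turns the DROP policy above it into decoration.
  if grep -Eq -- '^-A INPUT -j ACCEPT *$' "$file"; then
    echo "lint: $file: unconditional ACCEPT on INPUT" >&2
    rc=1
  fi
  return "$rc"
}

# confirm_rules
# Disarm the rollback timer once the new rules are proven to work (for example
# after opening a fresh SSH session). Killing the timer subshell orphans its
# sleep, which exits harmlessly; the chained iptables-restore never runs.
confirm_rules() {
  local pid
  pid=$(cat /run/iptables.rollback.pid 2>/dev/null) || return 1
  kill "$pid" 2>/dev/null
  rm -f /run/iptables.rollback /run/iptables.rollback.pid
}

# apply_with_rollback FILE [SECONDS]
# Lints FILE, saves the live rules, arms a timer that restores them after
# SECONDS (default 60) unless confirm_rules is run, then loads FILE.
# Needs root; assumes iptables-save/iptables-restore are on PATH.
apply_with_rollback() {
  local file=$1 grace=${2:-60}
  lint_ruleset "$file" || return 1
  iptables-save > /run/iptables.rollback || return 1
  ( sleep "$grace" && iptables-restore < /run/iptables.rollback ) &
  echo "$!" > /run/iptables.rollback.pid
  if ! iptables-restore < "$file"; then
    confirm_rules   # iptables-restore is atomic: nothing changed, just disarm
    return 1
  fi
  echo "applied $file; run confirm_rules within ${grace}s or it is rolled back" >&2
}

# --- demonstration on files in a temp dir (no root, no kernel changes) -------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

GOOD_RULES=$TMP/good.rules   # the gist's ruleset, verbatim
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
-A FORWARD -j RETURN
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF

BAD_RULES=$TMP/bad.rules     # constructed: SSH rule lost, debug catch-all left in
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

lint_ruleset "$GOOD_RULES" && echo "good.rules: passes lint"
lint_ruleset "$BAD_RULES"  || echo "bad.rules: rejected, as intended"
```

On the target host the workflow is `apply_with_rollback /path/to/rules 60`, then open a second SSH session; if it connects, run `confirm_rules` there. If it does not, wait out the grace period and the saved rules come back on their own.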