-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathdns-firewall.service
31 lines (26 loc) · 1.2 KB
/
dns-firewall.service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[Unit]
Description=dns-firewall
After=network.target
[Service]
Type=simple
EnvironmentFile=/etc/dns-firewall/config.env
# Do not run as root, create an ephemeral user + group instead.
# We add the required capabilities instead:
# CAP_NET_ADMIN and CAP_NET_RAW are required to operate iptables
# CAP_NET_BIND_SERVICE is required to bind to ports < 1000
DynamicUser=true
User=dns-firewall-u
Group=dns-firewall-g
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
# iptables uses a netlink socket to communicate with the kernel, which is allowed by the above capabilites.
# However, locking is done previously, through the /run/xtables.lock file.
# This is, by default, owned and readable/writable by root alone (or does not exist at all).
# We make it read/writable for the dynamically created group instead (and remove the group when stopping the service):
ExecStartPre=+/usr/bin/touch /run/xtables.lock
ExecStartPre=+/usr/bin/chown :dns-firewall-g /run/xtables.lock
ExecStartPre=+/usr/bin/chmod g+rw /run/xtables.lock
ExecStart=/usr/bin/dns-firewall
ExecStopPost=+/usr/bin/chown :root /run/xtables.lock
[Install]
WantedBy=multi-user.target