jasonwbarnett · August 14, 2018 00:50
diff --git a/hab_iptables_linked.sh b/hab_iptables_linked.sh
 # yum remove iptables -y
 Loaded plugins: fastestmirror
 Resolving Dependencies
 --> Running transaction check
 ---> Package iptables.x86_64 0:1.4.21-16.el7 will be erased
 --> Processing Dependency: iptables = 1.4.21-16.el7 for package: iptables-services-1.4.21-16.el7.x86_64
 --> Processing Dependency: libxtables.so.10()(64bit) for package: iproute-3.10.0-54.el7.x86_64
 --> Running transaction check
 ---> Package iproute.x86_64 0:3.10.0-54.el7 will be erased
 --> Processing Dependency: iproute for package: dracut-network-033-359.el7.x86_64
 --> Processing Dependency: iproute for package: initscripts-9.49.30-1.el7.x86_64
 --> Processing Dependency: iproute for package: cloud-init-0.7.5-6.el7.x86_64
 --> Processing Dependency: iproute for package: 1:NetworkManager-1.0.6-27.el7.x86_64
 --> Processing Dependency: iproute for package: 12:dhclient-4.2.5-42.el7.centos.x86_64
 ---> Package iptables-services.x86_64 0:1.4.21-16.el7 will be erased
 --> Processing Dependency: iptables for package: firewalld-0.3.9-14.el7.noarch
 --> Running transaction check
 ---> Package NetworkManager.x86_64 1:1.0.6-27.el7 will be erased
 --> Processing Dependency: NetworkManager = 1:1.0.6-27.el7 for package: 1:NetworkManager-tui-1.0.6-27.el7.x86_64
 --> Processing Dependency: NetworkManager(x86-64) = 1:1.0.6-27.el7 for package: 1:NetworkManager-wifi-1.0.6-27.el7.x86_64
 ---> Package cloud-init.x86_64 0:0.7.5-6.el7 will be erased
 ---> Package dhclient.x86_64 12:4.2.5-42.el7.centos will be erased
 ---> Package dracut-network.x86_64 0:033-359.el7 will be erased
 --> Processing Dependency: dracut-network for package: kexec-tools-2.0.7-38.el7.x86_64
 ---> Package firewalld.noarch 0:0.3.9-14.el7 will be erased
 ---> Package initscripts.x86_64 0:9.49.30-1.el7 will be erased
 --> Processing Dependency: initscripts for package: open-vm-tools-9.10.2-4.el7.x86_64
 --> Processing Dependency: initscripts >= 8.83-1 for package: plymouth-0.8.9-0.24.20140113.el7.centos.x86_64
 --> Processing Dependency: initscripts >= 5.86-1 for package: kbd-1.15.5-11.el7.x86_64
 --> Running transaction check
 ---> Package NetworkManager-tui.x86_64 1:1.0.6-27.el7 will be erased
 ---> Package NetworkManager-wifi.x86_64 1:1.0.6-27.el7 will be erased
 ---> Package kbd.x86_64 0:1.15.5-11.el7 will be erased
 ---> Package kexec-tools.x86_64 0:2.0.7-38.el7 will be erased
 ---> Package open-vm-tools.x86_64 0:9.10.2-4.el7 will be erased
 ---> Package plymouth.x86_64 0:0.8.9-0.24.20140113.el7.centos will be erased
 --> Processing Dependency: plymouth for package: plymouth-scripts-0.8.9-0.24.20140113.el7.centos.x86_64
 --> Running transaction check
 ---> Package plymouth-scripts.x86_64 0:0.8.9-0.24.20140113.el7.centos will be erased
 --> Finished Dependency Resolution

 ...

 Remove  1 Package (+15 Dependent packages)

 Installed size: 22 M
 Is this ok [y/N]: y

 ...

 Removed:
  iptables.x86_64 0:1.4.21-16.el7

 Dependency Removed:
  NetworkManager.x86_64 1:1.0.6-27.el7     NetworkManager-tui.x86_64 1:1.0.6-27.el7     NetworkManager-wifi.x86_64 1:1.0.6-27.el7     cloud-init.x86_64 0:0.7.5-6.el7       dhclient.x86_64 12:4.2.5-42.el7.centos     dracut-network.x86_64 0:033-359.el7                  firewalld.noarch 0:0.3.9-14.el7                              initscripts.x86_64 0:9.49.30-1.el7
  iproute.x86_64 0:3.10.0-54.el7           iptables-services.x86_64 0:1.4.21-16.el7     kbd.x86_64 0:1.15.5-11.el7                    kexec-tools.x86_64 0:2.0.7-38.el7     open-vm-tools.x86_64 0:9.10.2-4.el7        plymouth.x86_64 0:0.8.9-0.24.20140113.el7.centos     plymouth-scripts.x86_64 0:0.8.9-0.24.20140113.el7.centos
  
 # curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo TMPDIR=/root bash
 --> hab-install: Checking installed hab version
 hab 0.59.0/20180712155441
 --> hab-install: Installation of Habitat 'hab' program complete.

 # cat <<EOF | sudo tee /etc/systemd/system/hab.service
 > [Unit]
 > Description=The Habitat Supervisor
 >
 > [Service]
 > ExecStart=/bin/hab sup run --no-color
 >
 > [Install]
 > WantedBy=default.target
 > EOF
 [Unit]
 Description=The Habitat Supervisor

 [Service]
 ExecStart=/bin/hab sup run --no-color

 [Install]
 WantedBy=default.target
 # systemctl start hab
 # hab pkg install core/iptables --binlink
 # iptables-restore <<EOF 
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -s 127.0.0.0/8 -j DROP
 -A FORWARD -j RETURN
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 COMMIT
 EOF
 # iptables -L
 # iptables -L
 Chain INPUT (policy DROP)
 target     prot opt source               destination
 ACCEPT     all  --  anywhere             anywhere
 DROP       all  --  127.0.0.0/8          anywhere
 ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
 ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED

 Chain FORWARD (policy DROP)
 target     prot opt source               destination
 RETURN     all  --  anywhere             anywhere

 Chain OUTPUT (policy DROP)
 target     prot opt source               destination
 ACCEPT     all  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
 ACCEPT     all  --  anywhere             anywhere
	# yum remove iptables -y
	Loaded plugins: fastestmirror
	Resolving Dependencies
	--> Running transaction check
	---> Package iptables.x86_64 0:1.4.21-16.el7 will be erased
	--> Processing Dependency: iptables = 1.4.21-16.el7 for package: iptables-services-1.4.21-16.el7.x86_64
	--> Processing Dependency: libxtables.so.10()(64bit) for package: iproute-3.10.0-54.el7.x86_64
	--> Running transaction check
	---> Package iproute.x86_64 0:3.10.0-54.el7 will be erased
	--> Processing Dependency: iproute for package: dracut-network-033-359.el7.x86_64
	--> Processing Dependency: iproute for package: initscripts-9.49.30-1.el7.x86_64
	--> Processing Dependency: iproute for package: cloud-init-0.7.5-6.el7.x86_64
	--> Processing Dependency: iproute for package: 1:NetworkManager-1.0.6-27.el7.x86_64
	--> Processing Dependency: iproute for package: 12:dhclient-4.2.5-42.el7.centos.x86_64
	---> Package iptables-services.x86_64 0:1.4.21-16.el7 will be erased
	--> Processing Dependency: iptables for package: firewalld-0.3.9-14.el7.noarch
	--> Running transaction check
	---> Package NetworkManager.x86_64 1:1.0.6-27.el7 will be erased
	--> Processing Dependency: NetworkManager = 1:1.0.6-27.el7 for package: 1:NetworkManager-tui-1.0.6-27.el7.x86_64
	--> Processing Dependency: NetworkManager(x86-64) = 1:1.0.6-27.el7 for package: 1:NetworkManager-wifi-1.0.6-27.el7.x86_64
	---> Package cloud-init.x86_64 0:0.7.5-6.el7 will be erased
	---> Package dhclient.x86_64 12:4.2.5-42.el7.centos will be erased
	---> Package dracut-network.x86_64 0:033-359.el7 will be erased
	--> Processing Dependency: dracut-network for package: kexec-tools-2.0.7-38.el7.x86_64
	---> Package firewalld.noarch 0:0.3.9-14.el7 will be erased
	---> Package initscripts.x86_64 0:9.49.30-1.el7 will be erased
	--> Processing Dependency: initscripts for package: open-vm-tools-9.10.2-4.el7.x86_64
	--> Processing Dependency: initscripts >= 8.83-1 for package: plymouth-0.8.9-0.24.20140113.el7.centos.x86_64
	--> Processing Dependency: initscripts >= 5.86-1 for package: kbd-1.15.5-11.el7.x86_64
	--> Running transaction check
	---> Package NetworkManager-tui.x86_64 1:1.0.6-27.el7 will be erased
	---> Package NetworkManager-wifi.x86_64 1:1.0.6-27.el7 will be erased
	---> Package kbd.x86_64 0:1.15.5-11.el7 will be erased
	---> Package kexec-tools.x86_64 0:2.0.7-38.el7 will be erased
	---> Package open-vm-tools.x86_64 0:9.10.2-4.el7 will be erased
	---> Package plymouth.x86_64 0:0.8.9-0.24.20140113.el7.centos will be erased
	--> Processing Dependency: plymouth for package: plymouth-scripts-0.8.9-0.24.20140113.el7.centos.x86_64
	--> Running transaction check
	---> Package plymouth-scripts.x86_64 0:0.8.9-0.24.20140113.el7.centos will be erased
	--> Finished Dependency Resolution

	...

	Remove 1 Package (+15 Dependent packages)

	Installed size: 22 M
	Is this ok [y/N]: y

	...

	Removed:
	iptables.x86_64 0:1.4.21-16.el7

	Dependency Removed:
	NetworkManager.x86_64 1:1.0.6-27.el7 NetworkManager-tui.x86_64 1:1.0.6-27.el7 NetworkManager-wifi.x86_64 1:1.0.6-27.el7 cloud-init.x86_64 0:0.7.5-6.el7 dhclient.x86_64 12:4.2.5-42.el7.centos dracut-network.x86_64 0:033-359.el7 firewalld.noarch 0:0.3.9-14.el7 initscripts.x86_64 0:9.49.30-1.el7
	iproute.x86_64 0:3.10.0-54.el7 iptables-services.x86_64 0:1.4.21-16.el7 kbd.x86_64 0:1.15.5-11.el7 kexec-tools.x86_64 0:2.0.7-38.el7 open-vm-tools.x86_64 0:9.10.2-4.el7 plymouth.x86_64 0:0.8.9-0.24.20140113.el7.centos plymouth-scripts.x86_64 0:0.8.9-0.24.20140113.el7.centos

	# curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh \| sudo TMPDIR=/root bash
	--> hab-install: Checking installed hab version
	hab 0.59.0/20180712155441
	--> hab-install: Installation of Habitat 'hab' program complete.

	# cat <<EOF \| sudo tee /etc/systemd/system/hab.service
	> [Unit]
	> Description=The Habitat Supervisor
	>
	> [Service]
	> ExecStart=/bin/hab sup run --no-color
	>
	> [Install]
	> WantedBy=default.target
	> EOF
	[Unit]
	Description=The Habitat Supervisor

	[Service]
	ExecStart=/bin/hab sup run --no-color

	[Install]
	WantedBy=default.target
	# systemctl start hab
	# hab pkg install core/iptables --binlink
	# iptables-restore <<EOF
	*filter
	:INPUT DROP [0:0]
	:FORWARD DROP [0:0]
	:OUTPUT DROP [0:0]
	-A INPUT -i lo -j ACCEPT
	-A INPUT -s 127.0.0.0/8 -j DROP
	-A FORWARD -j RETURN
	-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	-A INPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
	-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
	-A OUTPUT -o lo -j ACCEPT
	COMMIT
	EOF
	# iptables -L
	# iptables -L
	Chain INPUT (policy DROP)
	target prot opt source destination
	ACCEPT all -- anywhere anywhere
	DROP all -- 127.0.0.0/8 anywhere
	ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
	ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
	ACCEPT tcp -- anywhere anywhere tcp spt:ssh ctstate ESTABLISHED

	Chain FORWARD (policy DROP)
	target prot opt source destination
	RETURN all -- anywhere anywhere

	Chain OUTPUT (policy DROP)
	target prot opt source destination
	ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
	ACCEPT all -- anywhere anywhere