Support Debian distro for iptables

We currently use the add-rule script to create iptables rules that allow
the cloud we deployed to function.

These iptable rules are required on RedHat based distros that have a
default deny-all policy; but they're also useful on Debian distros if
the operators turn on a deny-all policy as part of locking down their
environment. It would be useful if these operators could leverage the
work RedHat has done to get the Debian distro working.

This change adds a check for Debian and allows the add-rule script to
run, as a first step towards full support for Debian-based distros.

Also, install.d installs iptables and there is a Debian specific change.

Change-Id: Iea773d37b18c15a417896e93e29bcdc1e20096ac
Closes-Bug: #1351412

elements/iptables/bin/add-rule

@@ -11,23 +11,34 @@
 # add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT
 
 set -eu
+set -o pipefail
 
 RULE="$@"
 
 DISTRO=`lsb_release -si` || true
 
+IPT_FILE=
+
 if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then
 
     # Check if the iptables service is active
     if systemctl is-active iptables.service ; then
         IPT_FILE=/etc/sysconfig/iptables
-        if [ -f $IPT_FILE ]; then
-            iptables-restore < $IPT_FILE
-        fi
-
-        iptables -C $RULE || iptables -I $RULE
-
-        iptables-save > $IPT_FILE
     fi
 
+elif [[ "Debian Ubuntu" =~ "$DISTRO" ]]; then
+
+    IPT_FILE=/etc/iptables/iptables
+fi
+
+if [ -f "$IPT_FILE" ]; then
+
+    iptables-restore < $IPT_FILE
+fi
+
+if [ -n "$IPT_FILE" ]; then
+
+    iptables -C $RULE || iptables -I $RULE
+
+    iptables-save > $IPT_FILE
 fi

elements/iptables/install.d/01-iptables

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -eux
+set -o pipefail
+
+install-packages iptables
+
+DISTRO=`lsb_release -si` || true
+
+if [[ "Debian Ubuntu" =~ $DISTRO ]]; then
+    mkdir -p /etc/iptables
+fi