diff options
Diffstat (limited to 'examples/var_service/fw/run')
| -rwxr-xr-x | examples/var_service/fw/run | 211 |
1 files changed, 211 insertions, 0 deletions
diff --git a/examples/var_service/fw/run b/examples/var_service/fw/run new file mode 100755 index 000000000..f02f53dc1 --- /dev/null +++ b/examples/var_service/fw/run @@ -0,0 +1,211 @@ +#!/bin/bash +# (using bashisms: "function", arrays) + +user=root +extif=if +ext_open_tcp="21 22 80" # space-separated + +# Make ourself one-shot +sv o . +# Debug +#date '+%Y-%m-%d %H:%M:%S' >>"$0.log" + +service=`basename "$PWD"` +rundir="/var/run/service/$service" + +### filter This is the default table (if no -t option is passed). It contains +### the built-in chains INPUT (for packets coming into the box itself), +### FORWARD (for packets being routed through the box), and OUTPUT (for +### locally-generated packets). +### +### nat This table is consulted when a packet that creates a new connection +### is encountered. It consists of three built-ins: PREROUTING (for +### altering packets as soon as they come in), OUTPUT (for altering +### locally-generated packets before routing), and POSTROUTING (for +### altering packets as they are about to go out). +### +### mangle It had two built-in chains: PREROUTING (for altering incoming +### packets before routing) and OUTPUT (for altering locally-generated +### packets before routing). Recently three other built-in +### chains are added: INPUT (for packets coming into the box +### itself), FORWARD (for altering packets being routed through the +### box), and POSTROUTING (for altering packets as they are about to go +### out). +### +### ...iface... ...iface... +### | ^ +### v | +### -mangle,NAT- -mangle,filter- -mangle,NAT-- +### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING| +### ------------ | ^ --------------- ------------- +### | | ^ +### | +--if NATed------------+ | +### v | | +### -mangle,filter- -mangle,NAT,filter- +### |INPUT | +->[Routing]->|OUTPUT | +### --------------- | ------------------- +### | | +### v | +### ... Local Process... + +doit() { + echo "# $*" + "$@" +} + +#exec >/dev/null +exec >"$0.out" +exec 2>&1 +exec </dev/null + +umask 077 + +# Make sure rundir/ exists +mkdir -p "$rundir" 2>/dev/null +chown -R "$user:" "$rundir" +chmod -R a=rX "$rundir" +rm -rf rundir 2>/dev/null +ln -s "$rundir" rundir + +# Timestamping +date '+%Y-%m-%d %H:%M:%S' + + +echo; echo "* Reading IP config" +cfg=-1 +# static cfg dhcp,zeroconf etc +for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do + if test -f "$ipconf"; then + echo "+ $ipconf" + . "$ipconf" + fi +done + +echo; echo "* Configuring hardware" +#doit ethtool -s if autoneg off speed 100 duplex full +#doit ethtool -K if rx off tx off sg off tso off + +echo; echo "* Resetting address and routing info" +doit ip a f dev lo +i=0; while test "${if[$i]}"; do + doit ip a f dev "${if[$i]}" + doit ip r f dev "${if[$i]}" root 0/0 +let i++; done + +echo; echo "* Configuring addresses" +doit ip a a dev lo 127.0.0.1/8 scope host +doit ip a a dev lo ::1/128 scope host +i=0; while test "${if[$i]}"; do + if test "${ipmask[$i]}"; then + doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd + + doit ip l set dev "${if[$i]}" up + fi +let i++; done + +echo; echo "* Configuring routes" +i=0; while test "${if[$i]}"; do + if test "${net[$i]}" && test "${gw[$i]}"; then + doit ip r a "${net[$i]}" via "${gw[$i]}" + fi +let i++; done + +echo; echo "* Recreating /etc/* files reflecting new network configuration:" +for i in etc/*; do + n=`basename "$i"` + echo "+ $n" + (. "$i") >"/etc/$n" + chmod 644 "/etc/$n" +done + + +# Usage: new_chain <chain> [<table>] +new_chain() { + local t="" + test x"$2" != x"" && t="-t $2" + doit iptables $t -N $1 + ipt="iptables $t -A $1" +} + +echo; echo "* Reset iptables" +doit iptables --flush +doit iptables --delete-chain +doit iptables --zero +doit iptables -t nat --flush +doit iptables -t nat --delete-chain +doit iptables -t nat --zero +doit iptables -t mangle --flush +doit iptables -t mangle --delete-chain +doit iptables -t mangle --zero + +echo; echo "* Configure iptables" +doit modprobe nf_nat_ftp +doit modprobe nf_nat_tftp +doit modprobe nf_conntrack_ftp +doit modprobe nf_conntrack_tftp + +# *** nat *** +# INCOMING TRAFFIC +ipt="iptables -t nat -A PREROUTING" +# nothing here + +# LOCALLY ORIGINATED TRAFFIC +ipt="iptables -t nat -A OUTPUT" +# nothing here + +# OUTGOING TRAFFIC +ipt="iptables -t nat -A POSTROUTING" +# Masquerade boxes on my private net +doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE + +# *** mangle *** +### DEBUG +### ipt="iptables -t mangle -A PREROUTING" +### doit $ipt -s 192.168.0.0/24 -j RETURN +### ipt="iptables -t mangle -A FORWARD" +### doit $ipt -s 192.168.0.0/24 -j RETURN +### ipt="iptables -t mangle -A POSTROUTING" +### doit $ipt -s 192.168.0.0/24 -j RETURN +# nothing here + +# *** filter *** +# +new_chain iext filter +#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh +#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh +doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok +if test "$ext_open_tcp"; then + portlist="${ext_open_tcp// /,}" + doit $ipt -p tcp -m multiport --dports $portlist -j RETURN +fi +doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster + # (it probes proxy ports, DROP will incur timeout delays) +ipt="iptables -t filter -A INPUT" +doit $ipt -i $extif -j iext + + +echo; echo "* Enabling forwarding" +echo 1 >/proc/sys/net/ipv4/ip_forward +echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`" + + +# Signal everybody that firewall is up +date '+%Y-%m-%d %H:%M:%S' >"$rundir/up" + +# Ok, spew out gobs of info and disable ourself +echo; echo "* IP:" +ip a l +echo; echo "* Routing:" +ip r l +echo; echo "* Firewall:" +{ +echo '---FILTER--'; +iptables -v -L -x -n; +echo '---NAT-----'; +iptables -t nat -v -L -x -n; +echo '---MANGLE--'; +iptables -t mangle -v -L -x -n; +} \ +| grep -v '^$' | grep -Fv 'bytes target' +echo + +echo "* End of firewall configuration" |