Diffstat (limited to 'examples/var_service/fw')
-rw-r--r-- | examples/var_service/fw/conf/11.22.33.44.ipconf-- | 10 | ||||
-rw-r--r-- | examples/var_service/fw/conf/192.168.0.1.ipconf | 11 | ||||
-rw-r--r-- | examples/var_service/fw/conf/lo.ipconf | 10 | ||||
-rw-r--r-- | examples/var_service/fw/etc/hosts | 21 | ||||
-rw-r--r-- | examples/var_service/fw/etc/resolv.conf | 31 | ||||
-rwxr-xr-x | examples/var_service/fw/run | 211 | ||||
-rwxr-xr-x | examples/var_service/fw/stat | 12 |
7 files changed, 306 insertions, 0 deletions
diff --git a/examples/var_service/fw/conf/11.22.33.44.ipconf-- b/examples/var_service/fw/conf/11.22.33.44.ipconf--
new file mode 100644
index 000000000..9b44e9048
--- /dev/null
+++ b/examples/var_service/fw/conf/11.22.33.44.ipconf--
@@ -0,0 +1,10 @@
+#!/bin/sh
+# If we have simple static address...
+#
+let cfg=cfg+1
+if[$cfg]=if
+ip[$cfg]=11.22.33.44
+ipmask[$cfg]=11.22.33.44/24
+gw[$cfg]=11.22.33.1
+net[$cfg]=0/0
+dns[$cfg]='11.22.33.2 11.22.33.3'
diff --git a/examples/var_service/fw/conf/192.168.0.1.ipconf b/examples/var_service/fw/conf/192.168.0.1.ipconf
new file mode 100644
index 000000000..5cf55dbc7
--- /dev/null
+++ b/examples/var_service/fw/conf/192.168.0.1.ipconf
@@ -0,0 +1,11 @@
+#!/bin/sh
+# A small network with no routers
+# (maybe *we* are their router)
+#
+let cfg=cfg+1
+if[$cfg]=if
+ip[$cfg]=192.168.0.1
+ipmask[$cfg]=192.168.0.1/24
+### gw[$cfg]=
+### net[$cfg]=0/0
+### dns[$cfg]=''
diff --git a/examples/var_service/fw/conf/lo.ipconf b/examples/var_service/fw/conf/lo.ipconf
new file mode 100644
index 000000000..e6be5f063
--- /dev/null
+++ b/examples/var_service/fw/conf/lo.ipconf
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Mostly redundant except when you need dns[]=your_static_dns_srv
+#
+let cfg=cfg+1
+if[$cfg]=lo
+ip[$cfg]=127.0.0.1
+ipmask[$cfg]=127.0.0.1/8
+gw[$cfg]=''
+net[$cfg]=''
+#dns[$cfg]=127.0.0.1
diff --git a/examples/var_service/fw/etc/hosts b/examples/var_service/fw/etc/hosts
new file mode 100644
index 000000000..f7ee533d2
--- /dev/null
+++ b/examples/var_service/fw/etc/hosts
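Review bot: The `#!/bin/sh` line in 11.22.33.44.ipconf-- (and in 192.168.0.1.ipconf) is misleading: these files are never executed, they are sourced into the bash `run` script via `. "$ipconf"` and depend on bash `let` and arrays, while lo.ipconf says `#!/bin/bash`, so the three hunks disagree with each other. Because `run` globs `conf/*.ipconf`, the trailing `--` on 11.22.33.44.ipconf-- silently excludes it, which nothing in the file itself explains. I would replace the shebang in all three with a header such as `# Sourced by ../run (bash): sets if[]/ip[]/ipmask[]/gw[]/net[]/dns[] at index $cfg` and, in the disabled file, add `# Trailing "--" keeps conf/*.ipconf from picking this up; drop the suffix to enable`. None of the three sets `dns_prio[]`, which etc/resolv.conf reads, so the header is also the place to mention that optional array.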
@@ -0,0 +1,21 @@
+#!/bin/sh
+echo "\
+# This file is automagically regenerated
+# Note! /etc/nsswitch.conf may override this!
+
+# For loopbacking
+127.0.0.1 localhost
+
+# Our local IPs"
+
+hostname=`hostname`
+test "$hostname" || hostname=localhost
+domain=`(. /boot.conf; echo "$DNSDOMAINNAME")`
+test "$domain" && hostname="$hostname $hostname.$domain"
+
+ip -o a l \
+| grep -F 'inet ' \
+| sed -e 's/^.*inet //' -e 's:[ /].*$: '"$hostname"':'
+
+echo
+echo "# End of /etc/hosts"
diff --git a/examples/var_service/fw/etc/resolv.conf b/examples/var_service/fw/etc/resolv.conf
new file mode 100644
index 000000000..3f37b86f5
--- /dev/null
+++ b/examples/var_service/fw/etc/resolv.conf
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+domain=`(. /boot.conf; echo "$DNSDOMAINNAME") 2>/dev/null`
+
+echo "# This file is automagically regenerated with each boot"
+echo
+test "$domain" && echo "domain $domain"
+test "$domain" && echo "search $domain"
+echo
+echo "# Note that nslookup can choke on DNS server which itself"
+echo "# does NOT have domain name. Other things can work fine."
+echo
+# # If we run DNS cache:
+# echo "nameserver 127.0.0.1"
+# exit
+
+prio=0
+i=0; while test "${if[$i]}"; do
+ test x"${dns_prio[$i]}" != x"" \
+ && test "${dns_prio[$i]}" -gt "$prio" \
+ && prio="${dns_prio[$i]}"
+let i++; done
+
+i=0; while test "${if[$i]}"; do
+ for d in ${dns[$i]}; do
+ p="${dns_prio[$i]}"
+ test x"$p" == x"" && p=0
+ test x"$p" == x"$prio" || continue
+ echo "nameserver $d"
+ done
+let i++; done
diff --git a/examples/var_service/fw/run b/examples/var_service/fw/run
new file mode 100755
index 000000000..f02f53dc1
--- /dev/null
+++ b/examples/var_service/fw/run
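Review bot: `domain=\`(. /boot.conf; echo "$DNSDOMAINNAME")\`` sources /boot.conf without the `2>/dev/null` that the sibling etc/resolv.conf hunk uses, so a missing /boot.conf leaves a shell error in the `run` log on every boot for hosts but not for resolv.conf; `domain=\`(. /boot.conf; echo "$DNSDOMAINNAME") 2>/dev/null\`` makes the two consistent. On the `sed` line `'"$hostname"'` is spliced into the sed script unescaped, so a hostname or DNSDOMAINNAME containing `:` or `&` would corrupt the generated /etc/hosts instead of failing; both values come from local configuration, so this is a robustness rather than an exposure concern, but it deserves a comment such as `# hostname is interpolated into the sed script: must not contain ':' or '&'`. Also worth stating at the top that this file is sourced by `run` inside a subshell with stdout redirected to /etc/hosts, since the shebang suggests a standalone script.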
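Review bot: Both loops read `dns_prio[$i]`, but nothing in this commit sets it (none of the conf/*.ipconf files, nor `run`), so `prio` always stays 0 and every `dns[]` entry is written; the array and its contract are documented nowhere in the hunk. A comment above `prio=0` such as `# dns_prio[i] (optional, integer, set in *.ipconf): only nameservers of the highest priority are written; unset counts as 0` would let a reader of the conf files discover the knob. A non-integer value makes `test "${dns_prio[$i]}" -gt "$prio"` fail with an error and, in the second loop, makes `test x"$p" == x"$prio"` false, so that interface's servers are silently left out of resolv.conf; the "integer" requirement belongs in the same comment.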
@@ -0,0 +1,211 @@
+#!/bin/bash
+# (using bashisms: "function", arrays)
+
+user=root
+extif=if
+ext_open_tcp="21 22 80" # space-separated
+
+# Make ourself one-shot
+sv o .
+# Debug
+#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
+
+service=`basename "$PWD"`
+rundir="/var/run/service/$service"
+
+### filter This is the default table (if no -t option is passed). It contains
+### the built-in chains INPUT (for packets coming into the box itself),
+### FORWARD (for packets being routed through the box), and OUTPUT (for
+### locally-generated packets).
+###
+### nat This table is consulted when a packet that creates a new connection
+### is encountered. It consists of three built-ins: PREROUTING (for
+### altering packets as soon as they come in), OUTPUT (for altering
+### locally-generated packets before routing), and POSTROUTING (for
+### altering packets as they are about to go out).
+###
+### mangle It had two built-in chains: PREROUTING (for altering incoming
+### packets before routing) and OUTPUT (for altering locally-generated
+### packets before routing). Recently three other built-in
+### chains are added: INPUT (for packets coming into the box
+### itself), FORWARD (for altering packets being routed through the
+### box), and POSTROUTING (for altering packets as they are about to go
+### out).
+###
+### ...iface... ...iface...
+### | ^
+### v |
+### -mangle,NAT- -mangle,filter- -mangle,NAT--
+### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING|
+### ------------ | ^ --------------- -------------
+### | | ^
+### | +--if NATed------------+ |
+### v | |
+### -mangle,filter- -mangle,NAT,filter-
+### |INPUT | +->[Routing]->|OUTPUT |
+### --------------- | -------------------
+### | |
+### v |
+### ... Local Process...
+
+doit() {
+ echo "# $*"
+ "$@"
+}
+
+#exec >/dev/null
+exec >"$0.out"
+exec 2>&1
+exec </dev/null
+
+umask 077
+
+# Make sure rundir/ exists
+mkdir -p "$rundir" 2>/dev/null
+chown -R "$user:" "$rundir"
+chmod -R a=rX "$rundir"
+rm -rf rundir 2>/dev/null
+ln -s "$rundir" rundir
+
+# Timestamping
+date '+%Y-%m-%d %H:%M:%S'
+
+
+echo; echo "* Reading IP config"
+cfg=-1
+# static cfg dhcp,zeroconf etc
+for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
+ if test -f "$ipconf"; then
+ echo "+ $ipconf"
+ . "$ipconf"
+ fi
+done
+
+echo; echo "* Configuring hardware"
+#doit ethtool -s if autoneg off speed 100 duplex full
+#doit ethtool -K if rx off tx off sg off tso off
+
+echo; echo "* Resetting address and routing info"
+doit ip a f dev lo
+i=0; while test "${if[$i]}"; do
+ doit ip a f dev "${if[$i]}"
+ doit ip r f dev "${if[$i]}" root 0/0
+let i++; done
+
+echo; echo "* Configuring addresses"
+doit ip a a dev lo 127.0.0.1/8 scope host
+doit ip a a dev lo ::1/128 scope host
+i=0; while test "${if[$i]}"; do
+ if test "${ipmask[$i]}"; then
+ doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
+ doit ip l set dev "${if[$i]}" up
+ fi
+let i++; done
+
+echo; echo "* Configuring routes"
+i=0; while test "${if[$i]}"; do
+ if test "${net[$i]}" && test "${gw[$i]}"; then
+ doit ip r a "${net[$i]}" via "${gw[$i]}"
+ fi
+let i++; done
+
+echo; echo "* Recreating /etc/* files reflecting new network configuration:"
+for i in etc/*; do
+ n=`basename "$i"`
+ echo "+ $n"
+ (. "$i") >"/etc/$n"
+ chmod 644 "/etc/$n"
+done
+
+
+# Usage: new_chain <chain> [<table>]
+new_chain() {
+ local t=""
+ test x"$2" != x"" && t="-t $2"
+ doit iptables $t -N $1
+ ipt="iptables $t -A $1"
+}
+
+echo; echo "* Reset iptables"
+doit iptables --flush
+doit iptables --delete-chain
+doit iptables --zero
+doit iptables -t nat --flush
+doit iptables -t nat --delete-chain
+doit iptables -t nat --zero
+doit iptables -t mangle --flush
+doit iptables -t mangle --delete-chain
+doit iptables -t mangle --zero
+
+echo; echo "* Configure iptables"
+doit modprobe nf_nat_ftp
+doit modprobe nf_nat_tftp
+doit modprobe nf_conntrack_ftp
+doit modprobe nf_conntrack_tftp
+
+# *** nat ***
+# INCOMING TRAFFIC
+ipt="iptables -t nat -A PREROUTING"
+# nothing here
+
+# LOCALLY ORIGINATED TRAFFIC
+ipt="iptables -t nat -A OUTPUT"
+# nothing here
+
+# OUTGOING TRAFFIC
+ipt="iptables -t nat -A POSTROUTING"
+# Masquerade boxes on my private net
+doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
+
+# *** mangle ***
+### DEBUG
+### ipt="iptables -t mangle -A PREROUTING"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+### ipt="iptables -t mangle -A FORWARD"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+### ipt="iptables -t mangle -A POSTROUTING"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+# nothing here
+
+# *** filter ***
+#
+new_chain iext filter
+#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
+#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
+doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
+if test "$ext_open_tcp"; then
+ portlist="${ext_open_tcp// /,}"
+ doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
+fi
+doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
+ # (it probes proxy ports, DROP will incur timeout delays)
+ipt="iptables -t filter -A INPUT"
+doit $ipt -i $extif -j iext
+
+
+echo; echo "* Enabling forwarding"
+echo 1 >/proc/sys/net/ipv4/ip_forward
+echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
+
+
+# Signal everybody that firewall is up
+date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
+
+# Ok, spew out gobs of info and disable ourself
+echo; echo "* IP:"
+ip a l
+echo; echo "* Routing:"
+ip r l
+echo; echo "* Firewall:"
+{
+echo '---FILTER--';
+iptables -v -L -x -n;
+echo '---NAT-----';
+iptables -t nat -v -L -x -n;
+echo '---MANGLE--';
+iptables -t mangle -v -L -x -n;
+} \
+| grep -v '^$' | grep -Fv 'bytes target'
+echo
+
+echo "* End of firewall configuration"
diff --git a/examples/var_service/fw/stat b/examples/var_service/fw/stat
new file mode 100755
index 000000000..08736ada8
--- /dev/null
+++ b/examples/var_service/fw/stat
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+echo; echo "* Firewall:"
+{
+echo '---FILTER--';
+iptables -v -L -x -n;
+echo '---NAT-----';
+iptables -t nat -v -L -x -n;
+echo '---MANGLE--';
+iptables -t mangle -v -L -x -n;
+} \
+| grep -v '^$' | grep -Fv 'bytes target' | $PAGER |
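Review bot: The `iext` chain only rejects TCP (`doit $ipt -p tcp -j REJECT`) and then falls back into INPUT, whose policy this script never sets — `--flush` clears rules, not policies — so every non-TCP packet arriving on `$extif` (UDP, ICMP, anything else) is accepted by the default ACCEPT policy unless something outside this script changes it, and the `ext_open_tcp` allow-list constrains TCP alone. A closing `doit $ipt -j DROP` after the TCP REJECT makes the chain default-deny (ESTABLISHED,RELATED has already returned above it), with an explicit `-p icmp --icmp-type echo-request -j RETURN` in front if pings should keep working. The FORWARD chain gets no rule at all even though `echo 1 >/proc/sys/net/ipv4/ip_forward` turns forwarding on, so whatever the upstream delivers for 192.168.0.0/24 would be forwarded; if that is not intended, the same ESTABLISHED,RELATED-then-DROP pattern on `-i $extif` in FORWARD closes it, as sketched below. Separately, `exec >"$0.out"` runs before `umask 077`, so the log holding the full rule dump is created under the inherited umask; moving `umask 077` above the `exec` lines fixes that.
```shell
doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
 # (it probes proxy ports, DROP will incur timeout delays)
doit $ipt -j DROP # non-TCP (UDP, ICMP, ...): no default-deny policy exists elsewhere
# … unchanged: INPUT hook (ipt="iptables -t filter -A INPUT"; doit $ipt -i $extif -j iext) …

# ip_forward is enabled below: give FORWARD the same default-deny for $extif
new_chain fext filter
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN
doit $ipt -j DROP
ipt="iptables -t filter -A FORWARD"
doit $ipt -i $extif -j fext
# … unchanged: "* Enabling forwarding" onward …
```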
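Review bot: `| $PAGER` on the last line has no fallback: with PAGER unset the final pipeline stage expands to no command, so the listing goes into a pipe nobody reads and is discarded without any message. `| ${PAGER:-more}` keeps the intent; it must stay unquoted so a PAGER value carrying options such as `less -R` still splits into a command, which deserves a comment like `# PAGER may carry options, hence unquoted`. The brace block is a verbatim copy of the one at the end of `run` and the two will drift apart; having `run` invoke this script with `PAGER=cat` would keep a single copy.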