

  1. #!/bin/bash
  2. # (using bashism: arrays)
  # This runit service is named after the directory we are started from;
  # its state (ipconf drop-ins, the "up" stamp) lives under /var/run.
  service=${PWD##*/}
  rundir=/var/run/service/$service
  # Owner of $rundir.
  user=root
  # TCP ports reachable from the outside, space-separated.
  ext_open_tcp='21 22 80'
  # Name of the external (upstream) interface. "if" is only a placeholder;
  # presumably one of the sourced *.ipconf snippets overrides it — verify.
  extif=if
  # Tell runit this is a one-shot service.
  sv o .
  10. # Debug
  11. #date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
  12. ### filter This is the default table (if no -t option is passed). It contains
  13. ### the built-in chains INPUT (for packets coming into the box itself),
  14. ### FORWARD (for packets being routed through the box), and OUTPUT (for
  15. ### locally-generated packets).
  16. ###
  17. ### nat This table is consulted when a packet that creates a new connection
  18. ### is encountered. It consists of three built-ins: PREROUTING (for
  19. ### altering packets as soon as they come in), OUTPUT (for altering
  20. ### locally-generated packets before routing), and POSTROUTING (for
  21. ### altering packets as they are about to go out).
  22. ###
  23. ### mangle It had two built-in chains: PREROUTING (for altering incoming
  24. ### packets before routing) and OUTPUT (for altering locally-generated
  25. ### packets before routing). Recently three other built-in
  26. ### chains are added: INPUT (for packets coming into the box
  27. ### itself), FORWARD (for altering packets being routed through the
  28. ### box), and POSTROUTING (for altering packets as they are about to go
  29. ### out).
  30. ###
  31. ### ...iface... ...iface...
  32. ### | ^
  33. ### v |
  34. ### -mangle,NAT- -mangle,filter- -mangle,NAT--
  35. ### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING|
  36. ### ------------ | ^ --------------- -------------
  37. ### | | ^
  38. ### | +--if NATed------------+ |
  39. ### v | |
  40. ### -mangle,filter- -mangle,NAT,filter-
  41. ### |INPUT | +->[Routing]->|OUTPUT |
  42. ### --------------- | -------------------
  43. ### | |
  44. ### v |
  45. ### ... Local Process...
  # Log a command (prefixed with "# ") and then execute it.
  # Arguments: the command and its arguments
  # Outputs:   the command line on stdout, then whatever the command prints
  # Returns:   the exit status of the command
  doit() {
    printf '# %s\n' "$*"
    "$@"
  }
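  #exec >/dev/null
  # Everything we print (stdout and stderr) goes to <script>.out.  That log
  # ends with a full dump of addresses, routes and the ruleset, so restrict
  # the umask *before* the log file is created: otherwise the first run
  # creates it with the inherited (typically world-readable) umask.
  umask 077
  exec >"$0.out"
  exec 2>&1
  exec </dev/null
  # Make sure rundir/ exists, is owned by $user and is readable by everyone
  # (presumably so other services can read "$rundir/up"), and reach it
  # through a local "rundir" symlink.
  mkdir -p "$rundir" 2>/dev/null
  chown -R "$user:" "$rundir"
  chmod -R a=rX "$rundir"
  rm -rf rundir 2>/dev/null
  ln -s "$rundir" rundir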
  # Timestamp this run in the log.
  date '+%Y-%m-%d %H:%M:%S'
  echo; echo "* Reading IP config"
  # Not read anywhere on this page; presumably consumed by the sourced
  # snippets below.
  cfg=-1
  # Pull in the per-interface configuration (static, dhcp, zeroconf, ...):
  # first the static snippets under conf/, then the ones dropped into
  # $rundir.  They are sourced, i.e. executed as shell code with our
  # privileges.  A non-matching glob is left as the literal pattern, which
  # the -f test skips.
  for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
    [ -f "$ipconf" ] || continue
    printf '+ %s\n' "$ipconf"
    . "$ipconf"
  done
  echo; echo "* Configuring hardware"
  #doit ethtool -s if autoneg off speed 100 duplex full
  #doit ethtool -K if rx off tx off sg off tso off
  # The loops below walk the parallel arrays if[] / ipmask[] / net[] / gw[]
  # (one slot per interface) until the first empty if[] slot.  Nothing on
  # this page fills them; presumably the sourced *.ipconf snippets do.
  echo; echo "* Resetting address and routing info"
  doit ip a f dev lo
  i=0
  while [ -n "${if[$i]}" ]; do
    doit ip a f dev "${if[$i]}"
    doit ip r f dev "${if[$i]}" root 0/0
    i=$((i + 1))
  done
  echo; echo "* Configuring addresses"
  doit ip a a dev lo 127.0.0.1/8 scope host
  doit ip a a dev lo ::1/128 scope host
  i=0
  while [ -n "${if[$i]}" ]; do
    # An interface without an address is left down.
    if [ -n "${ipmask[$i]}" ]; then
      doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
      doit ip l set dev "${if[$i]}" up
    fi
    i=$((i + 1))
  done
  echo; echo "* Configuring routes"
  i=0
  while [ -n "${if[$i]}" ]; do
    # A route is only added when both a destination net and a gateway exist.
    if [ -n "${net[$i]}" ] && [ -n "${gw[$i]}" ]; then
      doit ip r a "${net[$i]}" via "${gw[$i]}"
    fi
    i=$((i + 1))
  done
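  echo; echo "* Recreating /etc/* files reflecting new network configuration:"
  # Each etc/<name> is a shell snippet; whatever it prints becomes /etc/<name>.
  # It runs in a subshell so it cannot change our variables.  The loop
  # variable names $i and $n are kept, since a snippet may refer to them.
  for i in etc/*; do
    # Skip the literal "etc/*" left by an empty or missing directory, and
    # anything that is not a regular file, rather than creating "/etc/*".
    [ -f "$i" ] || continue
    n=${i##*/}
    echo "+ $n"
    (. "$i") >"/etc/$n"
    # umask is 077 at this point, so the file was created 0600; the
    # generated /etc files are meant to be world-readable.
    chmod 644 "/etc/$n"
  done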
  # Usage: new_chain <chain> [<table>]
  # Create <chain> (in <table>; in the default table when <table> is
  # omitted) and point the global $ipt at "iptables [-t <table>] -A <chain>"
  # so that the following "doit $ipt ..." lines append rules to it.
  # $t is unquoted on purpose: it must split into "-t <table>" or vanish.
  new_chain() {
    local t=""
    if [ -n "$2" ]; then
      t="-t $2"
    fi
    doit iptables $t -N $1
    ipt="iptables $t -A $1"
  }
  echo; echo "* Reset iptables"
  # Flush all rules, drop user-defined chains and zero the counters in the
  # filter (default), nat and mangle tables.  Note that this does not touch
  # the built-in chains' policies, and nothing in this script sets one
  # with -P, so INPUT/FORWARD keep whatever policy they already had.
  for tbl in "" nat mangle; do
    # ${tbl:+-t $tbl} is deliberately unquoted: it expands to the two
    # words "-t <table>", or to nothing for the default table.
    doit iptables ${tbl:+-t $tbl} --flush
    doit iptables ${tbl:+-t $tbl} --delete-chain
    doit iptables ${tbl:+-t $tbl} --zero
  done
  echo; echo "* Configure iptables"
  # Connection-tracking and NAT helpers for FTP and TFTP.
  doit modprobe nf_nat_ftp
  doit modprobe nf_nat_tftp
  doit modprobe nf_conntrack_ftp
  doit modprobe nf_conntrack_tftp
  # *** nat ***
  # $ipt is a plain string and is expanded unquoted in "doit $ipt ..." so
  # that it word-splits into the iptables invocation.
  # INCOMING TRAFFIC (nat/PREROUTING): nothing here
  ipt="iptables -t nat -A PREROUTING"
  # LOCALLY ORIGINATED TRAFFIC (nat/OUTPUT): nothing here
  ipt="iptables -t nat -A OUTPUT"
  # OUTGOING TRAFFIC (nat/POSTROUTING)
  ipt="iptables -t nat -A POSTROUTING"
  # Masquerade boxes on my private net behind the external interface
  doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
  # *** mangle ***
  ### DEBUG
  ### ipt="iptables -t mangle -A PREROUTING"
  ### doit $ipt -s 192.168.0.0/24 -j RETURN
  ### ipt="iptables -t mangle -A FORWARD"
  ### doit $ipt -s 192.168.0.0/24 -j RETURN
  ### ipt="iptables -t mangle -A POSTROUTING"
  ### doit $ipt -s 192.168.0.0/24 -j RETURN
  # nothing here
  # *** filter ***
  #
  # Chain "iext" sees everything that arrives on the external interface
  # (it is hooked into INPUT at the end of this section).
  new_chain iext filter
  #doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
  #doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
  # Replies to connections we opened (FTP data etc.) are ok
  doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN
  # TCP services we expose: "21 22 80" becomes the multiport list "21,22,80"
  if [ -n "$ext_open_tcp" ]; then
    portlist=${ext_open_tcp// /,}
    doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
  fi
  # Anything else over TCP isn't ok.  REJECT rather than DROP: irc opens
  # faster (it probes proxy ports, DROP would incur timeout delays).
  # NOTE(review): only TCP is rejected here.  UDP, ICMP etc. reach the end
  # of iext, return to INPUT and are then subject to INPUT's existing
  # policy, which this script never sets — confirm that is intended.
  doit $ipt -p tcp -j REJECT
  ipt="iptables -t filter -A INPUT"
  doit $ipt -i $extif -j iext
  echo; echo "* Enabling forwarding"
  echo 1 >/proc/sys/net/ipv4/ip_forward
  # Read it back so the log shows the effective value
  printf '/proc/sys/net/ipv4/ip_forward: %s\n' "$(cat /proc/sys/net/ipv4/ip_forward)"
  # Signal everybody that firewall is up
  date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
  # Ok, spew out gobs of info and disable ourself
  echo
  echo "* IP:"
  ip a l
  echo
  echo "* Routing:"
  ip r l
  echo
  echo "* Firewall:"
  # Dump all three tables, dropping blank lines and the per-chain
  # "pkts bytes target ..." header rows.
  {
    echo '---FILTER--'
    iptables -v -L -x -n
    echo '---NAT-----'
    iptables -t nat -v -L -x -n
    echo '---MANGLE--'
    iptables -t mangle -v -L -x -n
  } | grep -v '^$' | grep -Fv 'bytes target'
  echo
  echo "* End of firewall configuration"