#!/bin/bash
# (using bashism: arrays)
#
# One-shot network/firewall service: resets interfaces, assigns addresses
# and routes from the *.ipconf files it finds, regenerates a few /etc files
# and (re)loads the iptables rule set.  It is meant to be started from its
# service directory, whose name doubles as the service name.

# Service name: last path component of the directory we were started in.
service=${PWD##*/}
# Per-service run-time directory; *.ipconf files are also picked up from here
# (static cfg lives in conf/, dhcp/zeroconf etc. can drop theirs in $rundir).
rundir=/var/run/service/$service

# Owner given to $rundir.
user=root
# External (internet-facing) interface.  "if" is presumably a placeholder
# name -- set it to the real device name.
extif=if
# TCP ports that stay reachable from the outside on $extif.
ext_open_tcp="21 22 80" # space-separated

# Make ourself one-shot
sv o .
# Debug
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"

### filter  This is the default table (if no -t option is passed). It contains
###         the built-in chains INPUT (for packets coming into the box itself),
###         FORWARD (for packets being routed through the box), and OUTPUT (for
###         locally-generated packets).
###
### nat     This table is consulted when a packet that creates a new connection
###         is encountered. It consists of three built-ins: PREROUTING (for
###         altering packets as soon as they come in), OUTPUT (for altering
###         locally-generated packets before routing), and POSTROUTING (for
###         altering packets as they are about to go out).
###
### mangle  It had two built-in chains: PREROUTING (for altering incoming
###         packets before routing) and OUTPUT (for altering locally-generated
###         packets before routing). Recently three other built-in
###         chains are added: INPUT (for packets coming into the box
###         itself), FORWARD (for altering packets being routed through the
###         box), and POSTROUTING (for altering packets as they are about to go
###         out).
###
### ...iface...                                  ...iface...
###     |                                             ^
###     v                                             |
### -mangle,NAT-     -mangle,filter-     -mangle,NAT--
### |PREROUTING|-->[Routing]-->|FORWARD    |-->|POSTROUTING|
### ------------       |   ^   ---------------   -------------
###                    |   |                          ^
###                    |   +--if NATed------------+   |
###                    v                          |   |
###              -mangle,filter-     -mangle,NAT,filter-
###              |INPUT        |   +->[Routing]->|OUTPUT            |
###              ---------------   |             -------------------
###                    |           |
###                    v           |
###              ... Local Process...

#######################################
# Log a command line (prefixed with "# ") to stdout, then execute it.
# Arguments: the command and all of its arguments
# Outputs:   the command line, followed by whatever the command prints
# Returns:   the command's own exit status
#######################################
doit() {
  printf '# %s\n' "$*"
  "$@"
}

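# From here on, stdout and stderr go to a log file named after this script
# and stdin is closed.
#exec >/dev/null
exec >"$0.out"
exec 2>&1
exec </dev/null

# Files created from here on (e.g. "$rundir/up") are private (mode 600).
umask 077

# Make sure rundir/ exists, is owned by $user and is readable by everyone
# (a=rX also clears every write bit, including the owner's; root is not
# constrained by that), then point the "rundir" symlink in the service
# directory at it.
mkdir -p "$rundir" 2>/dev/null
chown -R "$user:" "$rundir"
chmod -R a=rX "$rundir"
rm -rf rundir 2>/dev/null
ln -s "$rundir" rundir

# Timestamping
date '+%Y-%m-%d %H:%M:%S'


echo; echo "* Reading IP config"
cfg=-1 # not read in this script; presumably (re)set by the sourced *.ipconf files
# static cfg dhcp,zeroconf etc
# NOTE: the *.ipconf files are *sourced*, i.e. executed with this script's
# privileges (it needs root to touch /etc and /proc/sys).  Anything that can
# write conf/*.ipconf or "$rundir"/*.ipconf therefore controls this shell.
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
  if [ -f "$ipconf" ]; then
    echo "+ $ipconf"
    . "$ipconf"
  fi
done

echo; echo "* Configuring hardware"
#doit ethtool -s if autoneg off speed 100 duplex full
#doit ethtool -K if rx off tx off sg off tso off

# The sourced files are expected to fill parallel arrays indexed by interface
# number: if[] (device name), ipmask[] (address/prefix), net[] and gw[]
# (route destination and gateway).  Every loop below stops at the first
# empty if[] slot.  -- inferred from the usage here; confirm against conf/.
echo; echo "* Resetting address and routing info"
doit ip a f dev lo
i=0
while [ -n "${if[$i]}" ]; do
  doit ip a f dev "${if[$i]}"
  doit ip r f dev "${if[$i]}" root 0/0
  i=$((i + 1))
done

echo; echo "* Configuring addresses"
doit ip a a dev lo 127.0.0.1/8 scope host
doit ip a a dev lo ::1/128 scope host
i=0
while [ -n "${if[$i]}" ]; do
  if [ -n "${ipmask[$i]}" ]; then
    doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
    doit ip l set dev "${if[$i]}" up
  fi
  i=$((i + 1))
done

echo; echo "* Configuring routes"
i=0
while [ -n "${if[$i]}" ]; do
  if [ -n "${net[$i]}" ] && [ -n "${gw[$i]}" ]; then
    doit ip r a "${net[$i]}" via "${gw[$i]}"
  fi
  i=$((i + 1))
done

echo; echo "* Recreating /etc/* files reflecting new network configuration:"
# Each etc/<name> is a shell template: it is sourced in a subshell (so it
# cannot clobber our variables) and its stdout becomes /etc/<name>.
# The loop variable stays "i" because the templates may refer to it.
for i in etc/*; do
  # Skip directories and the unexpanded "etc/*" when there are no templates;
  # the original would otherwise have created an empty "/etc/*".
  [ -f "$i" ] || continue
  n=${i##*/}
  echo "+ $n"
  (. "$i") >"/etc/$n"
  chmod 644 "/etc/$n"
done

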
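#######################################
# Create an empty iptables chain and point $ipt at it.
# Usage: new_chain <chain> [<table>]
# Globals:   ipt (written) - set to "iptables [-t <table>] -A <chain>";
#            callers use it unquoted as a command prefix: doit $ipt <rule>
# Arguments: $1 - chain name (required)
#            $2 - table name (optional; iptables' default table when empty)
# Returns:   always 0 (a failing "iptables -N" is not propagated)
#######################################
new_chain() {
  local t=""
  if [ -n "$2" ]; then
    t="-t $2"
  fi
  # $t is intentionally unquoted: it expands to nothing or to "-t <table>".
  # shellcheck disable=SC2086
  doit iptables $t -N "$1"
  ipt="iptables $t -A $1"
}
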
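echo; echo "* Reset iptables"
# Flush all rules, delete user-defined chains and zero the counters in every
# table.  Built-in chain policies are NOT changed by this.
for table in filter nat mangle; do
  doit iptables -t "$table" --flush
  doit iptables -t "$table" --delete-chain
  doit iptables -t "$table" --zero
done

echo; echo "* Configure iptables"
# Connection-tracking/NAT helpers so FTP and TFTP data connections are
# classified RELATED by the state match below.
doit modprobe nf_nat_ftp
doit modprobe nf_nat_tftp
doit modprobe nf_conntrack_ftp
doit modprobe nf_conntrack_tftp

# $ipt is a command prefix and is used unquoted on purpose so that it
# word-splits into "iptables -t <table> -A <chain>".

# *** nat ***
# INCOMING TRAFFIC
ipt="iptables -t nat -A PREROUTING"
# nothing here

# LOCALLY ORIGINATED TRAFFIC
ipt="iptables -t nat -A OUTPUT"
# nothing here

# OUTGOING TRAFFIC
ipt="iptables -t nat -A POSTROUTING"
# Masquerade boxes on my private net
# shellcheck disable=SC2086
doit $ipt -s 192.168.0.0/24 -o "$extif" -j MASQUERADE

# *** mangle ***
### DEBUG
### ipt="iptables -t mangle -A PREROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A FORWARD"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A POSTROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
# nothing here

# *** filter ***
#
# Chain "iext" handles everything that arrives on the external interface;
# a RETURN hands the packet back to INPUT, whose policy then decides.
new_chain iext filter
#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
# shellcheck disable=SC2086
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
if [ -n "$ext_open_tcp" ]; then
  # "21 22 80" -> "21,22,80" for --dports
  portlist=${ext_open_tcp// /,}
  # shellcheck disable=SC2086
  doit $ipt -p tcp -m multiport --dports "$portlist" -j RETURN
fi
# shellcheck disable=SC2086
doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
# (it probes proxy ports, DROP will incur timeout delays)
# NOTE: only TCP is rejected.  New UDP and ICMP from $extif fall through to
# INPUT's built-in policy, which this script never sets.
ipt="iptables -t filter -A INPUT"
# shellcheck disable=SC2086
doit $ipt -i "$extif" -j iext


echo; echo "* Enabling forwarding"
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "/proc/sys/net/ipv4/ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"


# Signal everybody that firewall is up
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"

# Ok, spew out gobs of info and disable ourself
echo; echo "* IP:"
ip a l
echo; echo "* Routing:"
ip r l
echo; echo "* Firewall:"
{
  echo '---FILTER--'
  iptables -v -L -x -n
  echo '---NAT-----'
  iptables -t nat -v -L -x -n
  echo '---MANGLE--'
  iptables -t mangle -v -L -x -n
} \
  | grep -v '^$' | grep -Fv 'bytes target'
echo

echo "* End of firewall configuration"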