Annotation of /trunk/mkinitrd-magellan/busybox/examples/var_service/fw/run

#!/bin/bash
# (using bashism: arrays)

service="${PWD##*/}"
rundir="/var/run/service/$service"

user=root
extif=if
ext_open_tcp="21 22 80" # space-separated

# Make ourself one-shot
sv o .
# Debug
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"

### filter This is the default table (if no -t option is passed).  It contains
###        the  built-in chains INPUT (for packets coming into the box itself),
###        FORWARD (for packets being routed through the box), and OUTPUT (for
###        locally-generated packets).
###
### nat    This table is consulted when a packet that creates a new connection
###        is encountered.  It consists of three built-ins: PREROUTING (for
###        altering packets as soon as they come in), OUTPUT (for altering
###        locally-generated packets before routing), and POSTROUTING (for
###        altering packets as they are about to go out).
###
### mangle It had two built-in chains: PREROUTING (for altering incoming
###        packets before routing) and OUTPUT (for altering locally-generated
###        packets before routing).  Recently three other built-in
###        chains are added: INPUT (for packets coming into the box
###        itself), FORWARD (for altering packets being routed through the
###        box), and POSTROUTING (for altering packets as they are about to go
###        out).
###
###       ...iface...                              ...iface...
###          |                                        ^
###          v                                        |
### -mangle,NAT-               -mangle,filter-   -mangle,NAT--
### |PREROUTING|-->[Routing]-->|FORWARD      |-->|POSTROUTING|
### ------------    |    ^     ---------------   -------------
###                 |    |                           ^
###                 |    +--if NATed------------+    |
###                 v                           |    |
###      -mangle,filter-                -mangle,NAT,filter-
###      |INPUT        |  +->[Routing]->|OUTPUT           |
###      ---------------  |             -------------------
###                 |     |
###                 v     |
###         ... Local Process...

doit() {
	echo "# $*"
	"$@"
}

#exec >/dev/null
exec >"$0.out"
exec 2>&1
exec </dev/null

umask 077

# Make sure rundir/ exists
mkdir -p "$rundir" 2>/dev/null
chown -R "$user:" "$rundir"
chmod -R a=rX "$rundir"
rm -rf rundir 2>/dev/null
ln -s "$rundir" rundir

# Timestamping
date '+%Y-%m-%d %H:%M:%S'


echo; echo "* Reading IP config"
cfg=-1
#             static cfg    dhcp,zeroconf etc
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
	if test -f "$ipconf"; then
		echo "+ $ipconf"
		. "$ipconf"
	fi
done

echo; echo "* Configuring hardware"
#doit ethtool -s if autoneg off speed 100 duplex full
#doit ethtool -K if rx off tx off sg off tso off

echo; echo "* Resetting address and routing info"
doit ip a f dev lo
i=0; while test "${if[$i]}"; do
	doit ip a f dev "${if[$i]}"
	doit ip r f dev "${if[$i]}" root 0/0
let i++; done

echo; echo "* Configuring addresses"
doit ip a a dev lo 127.0.0.1/8 scope host
doit ip a a dev lo ::1/128 scope host
i=0; while test "${if[$i]}"; do
	if test "${ipmask[$i]}"; then
		doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
		doit ip l set dev "${if[$i]}" up
	fi
let i++; done

echo; echo "* Configuring routes"
i=0; while test "${if[$i]}"; do
	if test "${net[$i]}" && test "${gw[$i]}"; then
		doit ip r a "${net[$i]}" via "${gw[$i]}"
	fi
let i++; done

echo; echo "* Recreating /etc/* files reflecting new network configuration:"
for i in etc/*; do
	n=`basename "$i"`
	echo "+ $n"
	(. "$i") >"/etc/$n"
	chmod 644 "/etc/$n"
done


# Usage: new_chain <chain> [<table>]
new_chain() {
	local t=""
	test x"$2" != x"" && t="-t $2"
	doit iptables $t -N $1
	ipt="iptables $t -A $1"
}

echo; echo "* Reset iptables"
doit iptables           --flush
doit iptables           --delete-chain
doit iptables           --zero
doit iptables -t nat    --flush
doit iptables -t nat    --delete-chain
doit iptables -t nat    --zero
doit iptables -t mangle --flush
doit iptables -t mangle --delete-chain
doit iptables -t mangle --zero

echo; echo "* Configure iptables"
doit modprobe nf_nat_ftp
doit modprobe nf_nat_tftp
doit modprobe nf_conntrack_ftp
doit modprobe nf_conntrack_tftp

#       *** nat ***
#       INCOMING TRAFFIC
ipt="iptables -t nat -A PREROUTING"
# nothing here

#       LOCALLY ORIGINATED TRAFFIC
ipt="iptables -t nat -A OUTPUT"
# nothing here

#       OUTGOING TRAFFIC
ipt="iptables -t nat -A POSTROUTING"
# Masquerade boxes on my private net
doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE

#       *** mangle ***
### DEBUG
### ipt="iptables -t mangle -A PREROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A FORWARD"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A POSTROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
# nothing here

#       *** filter ***
#
new_chain iext filter
#doit $ipt -s 203.177.104.72 -j DROP	# Some idiot probes my ssh
#doit $ipt -d 203.177.104.72 -j DROP	# Some idiot probes my ssh
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN  # FTP data etc is ok
if test "$ext_open_tcp"; then
	portlist="${ext_open_tcp// /,}"
	doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
fi
doit $ipt -p tcp -j REJECT	# Anything else isn't ok. REJECT = irc opens faster
				# (it probes proxy ports, DROP will incur timeout delays)
ipt="iptables -t filter -A INPUT"
doit $ipt -i $extif -j iext


echo; echo "* Enabling forwarding"
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"


# Signal everybody that firewall is up
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"

# Ok, spew out gobs of info and disable ourself
echo; echo "* IP:"
ip a l
echo; echo "* Routing:"
ip r l
echo; echo "* Firewall:"
{
echo '---FILTER--';
iptables -v -L -x -n;
echo '---NAT-----';
iptables -t nat -v -L -x -n;
echo '---MANGLE--';
iptables -t mangle -v -L -x -n;
} \
| grep -v '^$' | grep -Fv 'bytes target'
echo

echo "* End of firewall configuration"
1	niro	984	#!/bin/bash
2			# (using bashism: arrays)
3
4			service="${PWD##*/}"
5			rundir="/var/run/service/$service"
6
7			user=root
8			extif=if
9			ext_open_tcp="21 22 80" # space-separated
10
11			# Make ourself one-shot
12			sv o .
13			# Debug
14			#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
15
16			### filter This is the default table (if no -t option is passed). It contains
17			### the built-in chains INPUT (for packets coming into the box itself),
18			### FORWARD (for packets being routed through the box), and OUTPUT (for
19			### locally-generated packets).
20			###
21			### nat This table is consulted when a packet that creates a new connection
22			### is encountered. It consists of three built-ins: PREROUTING (for
23			### altering packets as soon as they come in), OUTPUT (for altering
24			### locally-generated packets before routing), and POSTROUTING (for
25			### altering packets as they are about to go out).
26			###
27			### mangle It had two built-in chains: PREROUTING (for altering incoming
28			### packets before routing) and OUTPUT (for altering locally-generated
29			### packets before routing). Recently three other built-in
30			### chains are added: INPUT (for packets coming into the box
31			### itself), FORWARD (for altering packets being routed through the
32			### box), and POSTROUTING (for altering packets as they are about to go
33			### out).
34			###
35			### ...iface... ...iface...
36			### \| ^
37			### v \|
38			### -mangle,NAT- -mangle,filter- -mangle,NAT--
39			### \|PREROUTING\|-->[Routing]-->\|FORWARD \|-->\|POSTROUTING\|
40			### ------------ \| ^ --------------- -------------
41			### \| \| ^
42			### \| +--if NATed------------+ \|
43			### v \| \|
44			### -mangle,filter- -mangle,NAT,filter-
45			### \|INPUT \| +->[Routing]->\|OUTPUT \|
46			### --------------- \| -------------------
47			### \| \|
48			### v \|
49			### ... Local Process...
50
51			doit() {
52			echo "# $*"
53			"$@"
54			}
55
56			#exec >/dev/null
57			exec >"$0.out"
58			exec 2>&1
59			exec </dev/null
60
61			umask 077
62
63			# Make sure rundir/ exists
64			mkdir -p "$rundir" 2>/dev/null
65			chown -R "$user:" "$rundir"
66			chmod -R a=rX "$rundir"
67			rm -rf rundir 2>/dev/null
68			ln -s "$rundir" rundir
69
70			# Timestamping
71			date '+%Y-%m-%d %H:%M:%S'
72
73
74			echo; echo "* Reading IP config"
75			cfg=-1
76			# static cfg dhcp,zeroconf etc
77			for ipconf in conf/.ipconf "$rundir"/.ipconf; do
78			if test -f "$ipconf"; then
79			echo "+ $ipconf"
80			. "$ipconf"
81			fi
82			done
83
84			echo; echo "* Configuring hardware"
85			#doit ethtool -s if autoneg off speed 100 duplex full
86			#doit ethtool -K if rx off tx off sg off tso off
87
88			echo; echo "* Resetting address and routing info"
89			doit ip a f dev lo
90			i=0; while test "${if[$i]}"; do
91			doit ip a f dev "${if[$i]}"
92			doit ip r f dev "${if[$i]}" root 0/0
93			let i++; done
94
95			echo; echo "* Configuring addresses"
96			doit ip a a dev lo 127.0.0.1/8 scope host
97			doit ip a a dev lo ::1/128 scope host
98			i=0; while test "${if[$i]}"; do
99			if test "${ipmask[$i]}"; then
100			doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
101			doit ip l set dev "${if[$i]}" up
102			fi
103			let i++; done
104
105			echo; echo "* Configuring routes"
106			i=0; while test "${if[$i]}"; do
107			if test "${net[$i]}" && test "${gw[$i]}"; then
108			doit ip r a "${net[$i]}" via "${gw[$i]}"
109			fi
110			let i++; done
111
112			echo; echo "* Recreating /etc/* files reflecting new network configuration:"
113			for i in etc/*; do
114			n=`basename "$i"`
115			echo "+ $n"
116			(. "$i") >"/etc/$n"
117			chmod 644 "/etc/$n"
118			done
119
120
121			# Usage: new_chain <chain> [<table>]
122			new_chain() {
123			local t=""
124			test x"$2" != x"" && t="-t $2"
125			doit iptables $t -N $1
126			ipt="iptables $t -A $1"
127			}
128
129			echo; echo "* Reset iptables"
130			doit iptables --flush
131			doit iptables --delete-chain
132			doit iptables --zero
133			doit iptables -t nat --flush
134			doit iptables -t nat --delete-chain
135			doit iptables -t nat --zero
136			doit iptables -t mangle --flush
137			doit iptables -t mangle --delete-chain
138			doit iptables -t mangle --zero
139
140			echo; echo "* Configure iptables"
141			doit modprobe nf_nat_ftp
142			doit modprobe nf_nat_tftp
143			doit modprobe nf_conntrack_ftp
144			doit modprobe nf_conntrack_tftp
145
146			# * nat *
147			# INCOMING TRAFFIC
148			ipt="iptables -t nat -A PREROUTING"
149			# nothing here
150
151			# LOCALLY ORIGINATED TRAFFIC
152			ipt="iptables -t nat -A OUTPUT"
153			# nothing here
154
155			# OUTGOING TRAFFIC
156			ipt="iptables -t nat -A POSTROUTING"
157			# Masquerade boxes on my private net
158			doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
159
160			# * mangle *
161			### DEBUG
162			### ipt="iptables -t mangle -A PREROUTING"
163			### doit $ipt -s 192.168.0.0/24 -j RETURN
164			### ipt="iptables -t mangle -A FORWARD"
165			### doit $ipt -s 192.168.0.0/24 -j RETURN
166			### ipt="iptables -t mangle -A POSTROUTING"
167			### doit $ipt -s 192.168.0.0/24 -j RETURN
168			# nothing here
169
170			# * filter *
171			#
172			new_chain iext filter
173			#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
174			#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
175			doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
176			if test "$ext_open_tcp"; then
177			portlist="${ext_open_tcp// /,}"
178			doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
179			fi
180			doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
181			# (it probes proxy ports, DROP will incur timeout delays)
182			ipt="iptables -t filter -A INPUT"
183			doit $ipt -i $extif -j iext
184
185
186			echo; echo "* Enabling forwarding"
187			echo 1 >/proc/sys/net/ipv4/ip_forward
188			echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
189
190
191			# Signal everybody that firewall is up
192			date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
193
194			# Ok, spew out gobs of info and disable ourself
195			echo; echo "* IP:"
196			ip a l
197			echo; echo "* Routing:"
198			ip r l
199			echo; echo "* Firewall:"
200			{
201			echo '---FILTER--';
202			iptables -v -L -x -n;
203			echo '---NAT-----';
204			iptables -t nat -v -L -x -n;
205			echo '---MANGLE--';
206			iptables -t mangle -v -L -x -n;
207			} \
208			\| grep -v '^$' \| grep -Fv 'bytes target'
209			echo
210
211			echo "* End of firewall configuration"