Annotation of /trunk/mkinitrd-magellan/busybox/examples/var_service/fw/run
Parent Directory | Revision Log
Revision 984 -
(hide annotations)
(download)
Sun May 30 11:32:42 2010 UTC (14 years ago) by niro
File size: 6064 byte(s)
Sun May 30 11:32:42 2010 UTC (14 years ago) by niro
File size: 6064 byte(s)
-updated to busybox-1.16.1 and enabled blkid/uuid support in default config
1 | niro | 984 | #!/bin/bash |
2 | # (using bashism: arrays) | ||
3 | |||
4 | service="${PWD##*/}" | ||
5 | rundir="/var/run/service/$service" | ||
6 | |||
7 | user=root | ||
8 | extif=if | ||
9 | ext_open_tcp="21 22 80" # space-separated | ||
10 | |||
11 | # Make ourself one-shot | ||
12 | sv o . | ||
13 | # Debug | ||
14 | #date '+%Y-%m-%d %H:%M:%S' >>"$0.log" | ||
15 | |||
16 | ### filter This is the default table (if no -t option is passed). It contains | ||
17 | ### the built-in chains INPUT (for packets coming into the box itself), | ||
18 | ### FORWARD (for packets being routed through the box), and OUTPUT (for | ||
19 | ### locally-generated packets). | ||
20 | ### | ||
21 | ### nat This table is consulted when a packet that creates a new connection | ||
22 | ### is encountered. It consists of three built-ins: PREROUTING (for | ||
23 | ### altering packets as soon as they come in), OUTPUT (for altering | ||
24 | ### locally-generated packets before routing), and POSTROUTING (for | ||
25 | ### altering packets as they are about to go out). | ||
26 | ### | ||
27 | ### mangle It had two built-in chains: PREROUTING (for altering incoming | ||
28 | ### packets before routing) and OUTPUT (for altering locally-generated | ||
29 | ### packets before routing). Recently three other built-in | ||
30 | ### chains are added: INPUT (for packets coming into the box | ||
31 | ### itself), FORWARD (for altering packets being routed through the | ||
32 | ### box), and POSTROUTING (for altering packets as they are about to go | ||
33 | ### out). | ||
34 | ### | ||
35 | ### ...iface... ...iface... | ||
36 | ### | ^ | ||
37 | ### v | | ||
38 | ### -mangle,NAT- -mangle,filter- -mangle,NAT-- | ||
39 | ### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING| | ||
40 | ### ------------ | ^ --------------- ------------- | ||
41 | ### | | ^ | ||
42 | ### | +--if NATed------------+ | | ||
43 | ### v | | | ||
44 | ### -mangle,filter- -mangle,NAT,filter- | ||
45 | ### |INPUT | +->[Routing]->|OUTPUT | | ||
46 | ### --------------- | ------------------- | ||
47 | ### | | | ||
48 | ### v | | ||
49 | ### ... Local Process... | ||
50 | |||
51 | doit() { | ||
52 | echo "# $*" | ||
53 | "$@" | ||
54 | } | ||
55 | |||
56 | #exec >/dev/null | ||
57 | exec >"$0.out" | ||
58 | exec 2>&1 | ||
59 | exec </dev/null | ||
60 | |||
61 | umask 077 | ||
62 | |||
63 | # Make sure rundir/ exists | ||
64 | mkdir -p "$rundir" 2>/dev/null | ||
65 | chown -R "$user:" "$rundir" | ||
66 | chmod -R a=rX "$rundir" | ||
67 | rm -rf rundir 2>/dev/null | ||
68 | ln -s "$rundir" rundir | ||
69 | |||
70 | # Timestamping | ||
71 | date '+%Y-%m-%d %H:%M:%S' | ||
72 | |||
73 | |||
74 | echo; echo "* Reading IP config" | ||
75 | cfg=-1 | ||
76 | # static cfg dhcp,zeroconf etc | ||
77 | for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do | ||
78 | if test -f "$ipconf"; then | ||
79 | echo "+ $ipconf" | ||
80 | . "$ipconf" | ||
81 | fi | ||
82 | done | ||
83 | |||
84 | echo; echo "* Configuring hardware" | ||
85 | #doit ethtool -s if autoneg off speed 100 duplex full | ||
86 | #doit ethtool -K if rx off tx off sg off tso off | ||
87 | |||
88 | echo; echo "* Resetting address and routing info" | ||
89 | doit ip a f dev lo | ||
90 | i=0; while test "${if[$i]}"; do | ||
91 | doit ip a f dev "${if[$i]}" | ||
92 | doit ip r f dev "${if[$i]}" root 0/0 | ||
93 | let i++; done | ||
94 | |||
95 | echo; echo "* Configuring addresses" | ||
96 | doit ip a a dev lo 127.0.0.1/8 scope host | ||
97 | doit ip a a dev lo ::1/128 scope host | ||
98 | i=0; while test "${if[$i]}"; do | ||
99 | if test "${ipmask[$i]}"; then | ||
100 | doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd + | ||
101 | doit ip l set dev "${if[$i]}" up | ||
102 | fi | ||
103 | let i++; done | ||
104 | |||
105 | echo; echo "* Configuring routes" | ||
106 | i=0; while test "${if[$i]}"; do | ||
107 | if test "${net[$i]}" && test "${gw[$i]}"; then | ||
108 | doit ip r a "${net[$i]}" via "${gw[$i]}" | ||
109 | fi | ||
110 | let i++; done | ||
111 | |||
112 | echo; echo "* Recreating /etc/* files reflecting new network configuration:" | ||
113 | for i in etc/*; do | ||
114 | n=`basename "$i"` | ||
115 | echo "+ $n" | ||
116 | (. "$i") >"/etc/$n" | ||
117 | chmod 644 "/etc/$n" | ||
118 | done | ||
119 | |||
120 | |||
121 | # Usage: new_chain <chain> [<table>] | ||
122 | new_chain() { | ||
123 | local t="" | ||
124 | test x"$2" != x"" && t="-t $2" | ||
125 | doit iptables $t -N $1 | ||
126 | ipt="iptables $t -A $1" | ||
127 | } | ||
128 | |||
129 | echo; echo "* Reset iptables" | ||
130 | doit iptables --flush | ||
131 | doit iptables --delete-chain | ||
132 | doit iptables --zero | ||
133 | doit iptables -t nat --flush | ||
134 | doit iptables -t nat --delete-chain | ||
135 | doit iptables -t nat --zero | ||
136 | doit iptables -t mangle --flush | ||
137 | doit iptables -t mangle --delete-chain | ||
138 | doit iptables -t mangle --zero | ||
139 | |||
140 | echo; echo "* Configure iptables" | ||
141 | doit modprobe nf_nat_ftp | ||
142 | doit modprobe nf_nat_tftp | ||
143 | doit modprobe nf_conntrack_ftp | ||
144 | doit modprobe nf_conntrack_tftp | ||
145 | |||
146 | # *** nat *** | ||
147 | # INCOMING TRAFFIC | ||
148 | ipt="iptables -t nat -A PREROUTING" | ||
149 | # nothing here | ||
150 | |||
151 | # LOCALLY ORIGINATED TRAFFIC | ||
152 | ipt="iptables -t nat -A OUTPUT" | ||
153 | # nothing here | ||
154 | |||
155 | # OUTGOING TRAFFIC | ||
156 | ipt="iptables -t nat -A POSTROUTING" | ||
157 | # Masquerade boxes on my private net | ||
158 | doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE | ||
159 | |||
160 | # *** mangle *** | ||
161 | ### DEBUG | ||
162 | ### ipt="iptables -t mangle -A PREROUTING" | ||
163 | ### doit $ipt -s 192.168.0.0/24 -j RETURN | ||
164 | ### ipt="iptables -t mangle -A FORWARD" | ||
165 | ### doit $ipt -s 192.168.0.0/24 -j RETURN | ||
166 | ### ipt="iptables -t mangle -A POSTROUTING" | ||
167 | ### doit $ipt -s 192.168.0.0/24 -j RETURN | ||
168 | # nothing here | ||
169 | |||
170 | # *** filter *** | ||
171 | # | ||
172 | new_chain iext filter | ||
173 | #doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh | ||
174 | #doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh | ||
175 | doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok | ||
176 | if test "$ext_open_tcp"; then | ||
177 | portlist="${ext_open_tcp// /,}" | ||
178 | doit $ipt -p tcp -m multiport --dports $portlist -j RETURN | ||
179 | fi | ||
180 | doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster | ||
181 | # (it probes proxy ports, DROP will incur timeout delays) | ||
182 | ipt="iptables -t filter -A INPUT" | ||
183 | doit $ipt -i $extif -j iext | ||
184 | |||
185 | |||
186 | echo; echo "* Enabling forwarding" | ||
187 | echo 1 >/proc/sys/net/ipv4/ip_forward | ||
188 | echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`" | ||
189 | |||
190 | |||
191 | # Signal everybody that firewall is up | ||
192 | date '+%Y-%m-%d %H:%M:%S' >"$rundir/up" | ||
193 | |||
194 | # Ok, spew out gobs of info and disable ourself | ||
195 | echo; echo "* IP:" | ||
196 | ip a l | ||
197 | echo; echo "* Routing:" | ||
198 | ip r l | ||
199 | echo; echo "* Firewall:" | ||
200 | { | ||
201 | echo '---FILTER--'; | ||
202 | iptables -v -L -x -n; | ||
203 | echo '---NAT-----'; | ||
204 | iptables -t nat -v -L -x -n; | ||
205 | echo '---MANGLE--'; | ||
206 | iptables -t mangle -v -L -x -n; | ||
207 | } \ | ||
208 | | grep -v '^$' | grep -Fv 'bytes target' | ||
209 | echo | ||
210 | |||
211 | echo "* End of firewall configuration" |
Properties
Name | Value |
---|---|
svn:executable | * |