#!/bin/bash
# (using bashism: arrays)
#
# One-shot network + firewall bring-up for this service directory:
# sources conf/*.ipconf and "$rundir"/*.ipconf, (re)configures addresses
# and routes with "ip", then rebuilds the iptables rule set from scratch.

# The service is named after the directory we were started in.
service=${PWD##*/}
rundir="/var/run/service/${service}"

# Owner of "$rundir".
user=root
# External interface and the TCP ports the outside may reach on this box
# (everything else arriving on extif over TCP is rejected by the iext chain).
extif=if                  # NOTE(review): looks like a placeholder name - confirm
ext_open_tcp="21 22 80"   # space-separated

# Make ourself one-shot
sv o .
# Debug
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"

### filter  This is the default table (if no -t option is passed). It contains
###         the built-in chains INPUT (for packets coming into the box itself),
###         FORWARD (for packets being routed through the box), and OUTPUT (for
###         locally-generated packets).
###
### nat     This table is consulted when a packet that creates a new connection
###         is encountered. It consists of three built-ins: PREROUTING (for
###         altering packets as soon as they come in), OUTPUT (for altering
###         locally-generated packets before routing), and POSTROUTING (for
###         altering packets as they are about to go out).
###
### mangle  It had two built-in chains: PREROUTING (for altering incoming
###         packets before routing) and OUTPUT (for altering locally-generated
###         packets before routing). Recently three other built-in
###         chains are added: INPUT (for packets coming into the box
###         itself), FORWARD (for altering packets being routed through the
###         box), and POSTROUTING (for altering packets as they are about to go
###         out).
###
###        ...iface...                              ...iface...
###            |                                        ^
###            v                                        |
###      -mangle,NAT-               -mangle,filter-    -mangle,NAT--
###      |PREROUTING|-->[Routing]-->|FORWARD       |-->|POSTROUTING|
###      ------------     |   ^     ---------------    -------------
###                       |   |                             ^
###                       |   +--if NATed------------+      |
###                       v                          |      |
###                 -mangle,filter-           -mangle,NAT,filter-
###                 |INPUT        |    +->[Routing]->|OUTPUT           |
###                 ---------------    |             -------------------
###                       |            |
###                       v            |
###                  ... Local Process...

#######################################
# Run a command, logging it first so "$0.out" shows what was executed.
# Arguments: the command line to run
# Outputs:   "# <command line>" on stdout, followed by the command's output
# Returns:   the command's exit status
#######################################
doit() {
  printf '# %s\n' "$*"
  "$@"
}

# Everything this run prints (stderr included) goes to "$0.out"; no stdin.
#exec >/dev/null
exec >"$0.out" 2>&1 </dev/null

# Files created from here on are private unless chmod'ed explicitly
# (e.g. "$rundir/up" ends up 0600; /etc/* are chmod 644 below).
umask 077

# Make sure rundir/ exists, is owned by $user and is readable - but not
# writable - by everyone; then expose it as ./rundir.
mkdir -p "$rundir" 2>/dev/null
chown -R "$user:" "$rundir"
chmod -R a=rX "$rundir"
rm -rf rundir 2>/dev/null
ln -s "$rundir" rundir

# Timestamping
date '+%Y-%m-%d %H:%M:%S'


echo; echo "* Reading IP config"
cfg=-1
# static cfg dhcp,zeroconf etc
# Each *.ipconf is sourced into this shell, so it executes with this
# script's privileges: keep these files owned by $user and not writable
# by anyone else.
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
  [ -f "$ipconf" ] || continue
  echo "+ $ipconf"
  . "$ipconf"
done

echo; echo "* Configuring hardware"
#doit ethtool -s if autoneg off speed 100 duplex full
#doit ethtool -K if rx off tx off sg off tso off

# if[], ipmask[], net[] and gw[] are parallel arrays, presumably filled in
# by the sourced *.ipconf files; every loop below stops at the first
# empty if[] entry.
echo; echo "* Resetting address and routing info"
doit ip a f dev lo
i=0
while [ -n "${if[$i]}" ]; do
  doit ip a f dev "${if[$i]}"
  doit ip r f dev "${if[$i]}" root 0/0
  i=$((i + 1))
done

echo; echo "* Configuring addresses"
doit ip a a dev lo 127.0.0.1/8 scope host
doit ip a a dev lo ::1/128 scope host
i=0
while [ -n "${if[$i]}" ]; do
  # An interface without an address/mask is left down.
  if [ -n "${ipmask[$i]}" ]; then
    doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
    doit ip l set dev "${if[$i]}" up
  fi
  i=$((i + 1))
done

echo; echo "* Configuring routes"
i=0
while [ -n "${if[$i]}" ]; do
  # A route needs both a destination net and a gateway.
  if [ -n "${net[$i]}" ] && [ -n "${gw[$i]}" ]; then
    doit ip r a "${net[$i]}" via "${gw[$i]}"
  fi
  i=$((i + 1))
done

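# Regenerate /etc/* from the templates in etc/: each template is sourced in
# a subshell and whatever it prints becomes the same-named file under /etc.
echo; echo "* Recreating /etc/* files reflecting new network configuration:"
for i in etc/*; do
  # With no match the glob stays literal; skip it rather than writing "/etc/*".
  [ -f "$i" ] || continue
  n=${i##*/}
  echo "+ $n"
  # Templates execute with this script's privileges (same caveat as *.ipconf).
  (. "$i") >"/etc/$n"
  chmod 644 "/etc/$n"
done

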
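#######################################
# Create an empty user-defined chain and point $ipt at it, so that the
# following "doit $ipt ..." lines append rules to that chain.
# Usage:     new_chain <chain> [<table>]
# Globals:   ipt (written) - "iptables [-t <table>] -A <chain>"; callers
#            expand it unquoted on purpose, so it stays a plain string
# Arguments: $1 - chain name
#            $2 - table (optional; iptables' default table when omitted)
# Returns:   0 (the iptables status is only visible in the log)
#######################################
new_chain() {
  local -a t=()
  [ -n "$2" ] && t=(-t "$2")
  doit iptables "${t[@]}" -N "$1"
  ipt="iptables ${t[*]} -A $1"
}
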
echo; echo "* Reset iptables"
# Drop every rule and user chain and zero the counters in all three tables.
# This does not touch the built-in chains' policies: whatever policy was in
# place before (ACCEPT on a fresh kernel) is still in effect afterwards.
doit iptables --flush
doit iptables --delete-chain
doit iptables --zero
doit iptables -t nat --flush
doit iptables -t nat --delete-chain
doit iptables -t nat --zero
doit iptables -t mangle --flush
doit iptables -t mangle --delete-chain
doit iptables -t mangle --zero

echo; echo "* Configure iptables"
# Connection-tracking / NAT helpers so FTP and TFTP data connections count
# as RELATED for the state rule in the iext chain.
doit modprobe nf_nat_ftp
doit modprobe nf_nat_tftp
doit modprobe nf_conntrack_ftp
doit modprobe nf_conntrack_tftp

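# *** nat ***
# $ipt is a command prefix ("iptables -t <table> -A <chain>") and is
# expanded unquoted on purpose so it word-splits into arguments.
# INCOMING TRAFFIC
ipt="iptables -t nat -A PREROUTING"
# nothing here

# LOCALLY ORIGINATED TRAFFIC
ipt="iptables -t nat -A OUTPUT"
# nothing here

# OUTGOING TRAFFIC
ipt="iptables -t nat -A POSTROUTING"
# Masquerade boxes on my private net
doit $ipt -s 192.168.0.0/24 -o "$extif" -j MASQUERADE

# *** mangle ***
### DEBUG
### ipt="iptables -t mangle -A PREROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A FORWARD"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A POSTROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
# nothing here

# *** filter ***
#
# iext: what packets arriving on $extif may do to this box itself.
# RETURN hands the packet back to INPUT, whose policy then decides.
new_chain iext filter
#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
if [ -n "$ext_open_tcp" ]; then
  portlist="${ext_open_tcp// /,}"
  doit $ipt -p tcp -m multiport --dports "$portlist" -j RETURN
fi
# Only TCP is rejected here; UDP/ICMP/other protocols from $extif are not
# matched by any rule in this chain and fall through to INPUT's policy.
doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
                           # (it probes proxy ports, DROP will incur timeout delays)
ipt="iptables -t filter -A INPUT"
doit $ipt -i "$extif" -j iext
# Nothing is appended to FORWARD, so routed traffic (forwarding is switched
# on below) is governed solely by FORWARD's pre-existing policy.

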
echo; echo "* Enabling forwarding"
# From here on packets are routed between interfaces, subject only to the
# FORWARD chain (which this script leaves at its existing policy).
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "/proc/sys/net/ipv4/ip_forward: $(</proc/sys/net/ipv4/ip_forward)"


# Signal everybody that firewall is up
# (created 0600 under the umask above: others can see it exists, not read it)
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"

# Ok, spew out gobs of info and disable ourself
echo; echo "* IP:"
ip a l
echo; echo "* Routing:"
ip r l
echo; echo "* Firewall:"
# Blank lines and the per-chain column headers are dropped from the dump.
{
  echo '---FILTER--'
  iptables -v -L -x -n
  echo '---NAT-----'
  iptables -t nat -v -L -x -n
  echo '---MANGLE--'
  iptables -t mangle -v -L -x -n
} | grep -v '^$' | grep -Fv 'bytes target'
echo

echo "* End of firewall configuration"