Revision 984 - (show annotations) (download)
Sun May 30 11:32:42 2010 UTC (13 years, 11 months ago) by niro
File size: 6064 byte(s)
-updated to busybox-1.16.1 and enabled blkid/uuid support in default config
1 #!/bin/bash
2 # (using bashism: arrays)
3
# The service is named after the directory this run script lives in; its
# runtime state goes under /var/run/service/<name> (also symlinked as ./rundir)
service=${PWD##*/}
rundir=/var/run/service/${service}

user=root
# Interface that gets the iext input filter and outbound MASQUERADE below
extif=if
# TCP ports reachable from $extif; space-separated
ext_open_tcp='21 22 80'

# Make ourself one-shot
sv o .
# Debug
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
15
16 ### filter This is the default table (if no -t option is passed). It contains
17 ### the built-in chains INPUT (for packets coming into the box itself),
18 ### FORWARD (for packets being routed through the box), and OUTPUT (for
19 ### locally-generated packets).
20 ###
21 ### nat This table is consulted when a packet that creates a new connection
22 ### is encountered. It consists of three built-ins: PREROUTING (for
23 ### altering packets as soon as they come in), OUTPUT (for altering
24 ### locally-generated packets before routing), and POSTROUTING (for
25 ### altering packets as they are about to go out).
26 ###
27 ### mangle It had two built-in chains: PREROUTING (for altering incoming
28 ### packets before routing) and OUTPUT (for altering locally-generated
29 ### packets before routing). Recently three other built-in
30 ### chains are added: INPUT (for packets coming into the box
31 ### itself), FORWARD (for altering packets being routed through the
32 ### box), and POSTROUTING (for altering packets as they are about to go
33 ### out).
34 ###
35 ### ...iface... ...iface...
36 ### | ^
37 ### v |
38 ### -mangle,NAT- -mangle,filter- -mangle,NAT--
39 ### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING|
40 ### ------------ | ^ --------------- -------------
41 ### | | ^
42 ### | +--if NATed------------+ |
43 ### v | |
44 ### -mangle,filter- -mangle,NAT,filter-
45 ### |INPUT | +->[Routing]->|OUTPUT |
46 ### --------------- | -------------------
47 ### | |
48 ### v |
49 ### ... Local Process...
50
#######################################
# Log a command line (prefixed with "# ") and then execute it.
# Arguments: the command and its arguments
# Outputs:   the command line on stdout, followed by whatever the command prints
# Returns:   the command's exit status
#######################################
doit() {
  printf '# %s\n' "$*"
  "$@"
}
55
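# Tighten the umask before the first file is created: "$0.out" below ends
# up holding the complete rule set (see the dump at the end), and opening it
# before umask would create it with whatever mask the supervisor passed on.
umask 077

#exec >/dev/null
# Everything we print (stdout and stderr) goes to a log next to this script;
# stdin is closed off so nothing below can block on it.
exec >"$0.out" 2>&1 </dev/null

# Make sure rundir/ exists, is owned by $user and readable by everyone
# (the "up" stamp written there later is what other services look for).
# mkdir's stderr is discarded as in the original; a missing directory still
# shows up through chown/chmod.
mkdir -p "$rundir" 2>/dev/null
chown -R "$user:" "$rundir"
chmod -R a=rX "$rundir"
# Refresh the ./rundir convenience symlink inside the service directory
rm -rf rundir 2>/dev/null
ln -s "$rundir" rundir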
69
# Timestamping
date '+%Y-%m-%d %H:%M:%S'


echo; echo "* Reading IP config"
cfg=-1
# static cfg dhcp,zeroconf etc
# Every *.ipconf found is sourced into this shell, i.e. it runs with this
# script's privileges, so only root-writable locations belong in the list.
# NOTE(review): nothing else in this file sets if[]/ipmask[]/net[]/gw[], so
# presumably these files populate them -- confirm against conf/.
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
  # Skip unmatched glob patterns and anything that is not a regular file
  [[ -f "$ipconf" ]] || continue
  echo "+ $ipconf"
  . "$ipconf"
done
83
echo; echo "* Configuring hardware"
#doit ethtool -s if autoneg off speed 100 duplex full
#doit ethtool -K if rx off tx off sg off tso off

echo; echo "* Resetting address and routing info"
# Drop all addresses and routes on lo and on every configured interface.
# if[] is walked by index up to the first empty slot, so it must be gap-free.
doit ip a f dev lo
i=0
while [[ -n "${if[$i]}" ]]; do
  doit ip a f dev "${if[$i]}"
  doit ip r f dev "${if[$i]}" root 0/0
  i=$((i + 1))
done
94
echo; echo "* Configuring addresses"
# lo always gets its loopback addresses; any other interface is addressed
# and brought up only when an ipmask[] entry exists at the same index.
doit ip a a dev lo 127.0.0.1/8 scope host
doit ip a a dev lo ::1/128 scope host
i=0
while [[ -n "${if[$i]}" ]]; do
  if [[ -n "${ipmask[$i]}" ]]; then
    doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
    doit ip l set dev "${if[$i]}" up
  fi
  i=$((i + 1))
done
104
echo; echo "* Configuring routes"
# One static route per index at which both net[] and gw[] are set
i=0
while [[ -n "${if[$i]}" ]]; do
  if [[ -n "${net[$i]}" && -n "${gw[$i]}" ]]; then
    doit ip r a "${net[$i]}" via "${gw[$i]}"
  fi
  i=$((i + 1))
done
111
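echo; echo "* Recreating /etc/* files reflecting new network configuration:"
# Each file under etc/ is a shell template: it is sourced in a subshell (so
# it cannot clobber our variables) and its stdout becomes /etc/<name>, mode
# 644. Templates execute with this script's privileges, so etc/ has to be
# trusted exactly like the script itself.
for i in etc/*; do
  # Without nullglob an empty etc/ leaves the literal "etc/*" in $i, which
  # would source nothing and create a bogus "/etc/*"; directories are
  # skipped for the same reason.
  [[ -f "$i" ]] || continue
  n=${i##*/}
  echo "+ $n"
  (. "$i") >"/etc/$n"
  chmod 644 "/etc/$n"
done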
119
120
121 # Usage: new_chain <chain> [<table>]
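#######################################
# Create an empty chain and point $ipt at it.
# Arguments: $1 - chain name
#            $2 - table (optional; iptables' default table when omitted)
# Globals:   ipt (written) - "iptables [-t <table>] -A <chain>" prefix that
#            the following 'doit $ipt ...' lines append rules through
# Returns:   0 (the status of the final assignment); iptables' own status is
#            only visible in the log
#######################################
new_chain() {
  local -a tbl=()
  if [[ -n "$2" ]]; then
    tbl=(-t "$2")
  fi
  doit iptables "${tbl[@]}" -N "$1"
  # Callers expand $ipt unquoted on purpose, so it stays a plain string.
  ipt="iptables ${tbl[*]} -A $1"
}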
128
echo; echo "* Reset iptables"
# Wipe rules, user-defined chains and counters in each table touched below.
# The empty entry stands for the default (filter) table, so the logged
# command lines stay identical to the explicit per-table form.
for tbl in "" nat mangle; do
  sel=()
  [[ -n "$tbl" ]] && sel=(-t "$tbl")
  doit iptables "${sel[@]}" --flush
  doit iptables "${sel[@]}" --delete-chain
  doit iptables "${sel[@]}" --zero
done

echo; echo "* Configure iptables"
# FTP/TFTP conntrack and NAT helpers, so their data connections count as
# RELATED for the rule further down
for mod in nf_nat_ftp nf_nat_tftp nf_conntrack_ftp nf_conntrack_tftp; do
  doit modprobe "$mod"
done
145
# *** nat ***
# INCOMING TRAFFIC
ipt="iptables -t nat -A PREROUTING"
# nothing here

# LOCALLY ORIGINATED TRAFFIC
ipt="iptables -t nat -A OUTPUT"
# nothing here

# OUTGOING TRAFFIC
ipt="iptables -t nat -A POSTROUTING"
# Masquerade boxes on my private net
lan_net=192.168.0.0/24
doit $ipt -s "$lan_net" -o "$extif" -j MASQUERADE

# *** mangle ***
### DEBUG
### ipt="iptables -t mangle -A PREROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A FORWARD"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A POSTROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
# nothing here
169
# *** filter ***
#
# iext vets everything that arrives on $extif; INPUT jumps into it at the
# end of this section. A RETURN hands the packet back to INPUT.
new_chain iext filter
#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
if [[ -n "$ext_open_tcp" ]]; then
  # "21 22 80" -> "21,22,80" for multiport
  portlist=${ext_open_tcp// /,}
  doit $ipt -p tcp -m multiport --dports "$portlist" -j RETURN
fi
doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
# (it probes proxy ports, DROP will incur timeout delays)
# NOTE(review): only TCP is rejected here; UDP, ICMP and other protocols fall
# through to INPUT and its policy, which this script never sets -- confirm
# that is intended.
ipt="iptables -t filter -A INPUT"
doit $ipt -i "$extif" -j iext
184
185
echo; echo "* Enabling forwarding"
echo 1 >/proc/sys/net/ipv4/ip_forward
# Log what the kernel actually ended up with
printf '/proc/sys/net/ipv4/ip_forward: %s\n' "$(cat /proc/sys/net/ipv4/ip_forward)"


# Signal everybody that firewall is up
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
193
# Ok, spew out gobs of info and disable ourself
echo; echo "* IP:"
ip a l
echo; echo "* Routing:"
ip r l
echo; echo "* Firewall:"
# Print all three tables with counters; blank lines and the per-chain
# column-header lines are filtered out of the log.
dump_tables() {
  echo '---FILTER--'
  iptables -v -L -x -n
  echo '---NAT-----'
  iptables -t nat -v -L -x -n
  echo '---MANGLE--'
  iptables -t mangle -v -L -x -n
}
dump_tables | grep -v '^$' | grep -Fv 'bytes target'
echo

echo "* End of firewall configuration"
