#!/bin/bash
# (using bashism: arrays)
#
# Network + firewall bring-up for a service directory: the service name
# is taken from the directory this script is started in, and its runtime
# state lives under /var/run/service/<service> (the *.ipconf fragments
# sourced later and the "up" marker).

service=${PWD##*/}
rundir=/var/run/service/$service

# Owner of $rundir.
user=root
# External (untrusted) interface. NOTE(review): "if" reads like a
# placeholder to be replaced with the real interface name — confirm.
extif=if
# TCP ports reachable from $extif. Space-separated; converted to an
# iptables multiport list where it is used.
ext_open_tcp='21 22 80'

# Make ourself one-shot
sv o .
# Debug
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"

### filter  This is the default table (if no -t option is passed). It contains
###         the built-in chains INPUT (for packets coming into the box itself),
###         FORWARD (for packets being routed through the box), and OUTPUT (for
###         locally-generated packets).
###
### nat     This table is consulted when a packet that creates a new connection
###         is encountered. It consists of three built-ins: PREROUTING (for
###         altering packets as soon as they come in), OUTPUT (for altering
###         locally-generated packets before routing), and POSTROUTING (for
###         altering packets as they are about to go out).
###
### mangle  It had two built-in chains: PREROUTING (for altering incoming
###         packets before routing) and OUTPUT (for altering locally-generated
###         packets before routing). Recently three other built-in
###         chains are added: INPUT (for packets coming into the box
###         itself), FORWARD (for altering packets being routed through the
###         box), and POSTROUTING (for altering packets as they are about to go
###         out).
###
###  ...iface...                                  ...iface...
###       |                                            ^
###       v                                            |
### -mangle,NAT-     -mangle,filter-  -mangle,NAT--
### |PREROUTING|-->[Routing]-->|FORWARD      |-->|POSTROUTING|
### ------------        |      ---------------   -------------
###                     |            |              ^
###                     |  +--if NATed------------+ |
###                     v  |                        |
###            -mangle,filter-          -mangle,NAT,filter-
###            |INPUT        |      +->[Routing]->|OUTPUT       |
###            ---------------      |             -------------------
###                     |           |
###                     v           |
###               ... Local Process...
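# Usage: doit <cmd> [<args>...]
# Log the command (prefixed with "# ") and then run it.
# A failing command is not fatal: this script intentionally runs without
# set -e so that one bad rule does not leave the box half-configured.
doit() {
  echo "# $*"
  "$@"
}

# Everything we print (and every error) goes to a log next to this script;
# stdin is closed so that nothing sourced below can wait on a terminal.
#exec >/dev/null
exec >"$0.out"
exec 2>&1
exec </dev/null

# New files (the log, the "up" marker) are created owner-only.
umask 077

# Make sure rundir/ exists.
# mkdir errors are silenced on purpose: the directory usually exists already.
mkdir -p "$rundir" 2>/dev/null
chown -R "$user:" "$rundir"
chmod -R a=rX "$rundir"
rm -rf rundir 2>/dev/null
ln -s "$rundir" rundir

# Timestamping
date '+%Y-%m-%d %H:%M:%S'


echo; echo "* Reading IP config"
cfg=-1
# static cfg dhcp,zeroconf etc
# The fragments are *executed* (sourced), not parsed, so conf/ and $rundir
# must only be writable by whoever is trusted to configure this firewall.
# They are expected to fill the parallel arrays if[], ipmask[], net[], gw[].
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
  if test -f "$ipconf"; then
    echo "+ $ipconf"
    . "$ipconf"
  fi
done

echo; echo "* Configuring hardware"
#doit ethtool -s if autoneg off speed 100 duplex full
#doit ethtool -K if rx off tx off sg off tso off

echo; echo "* Resetting address and routing info"
doit ip a f dev lo
i=0
while test "${if[$i]}"; do
  doit ip a f dev "${if[$i]}"
  doit ip r f dev "${if[$i]}" root 0/0
  i=$((i + 1))
done

echo; echo "* Configuring addresses"
doit ip a a dev lo 127.0.0.1/8 scope host
doit ip a a dev lo ::1/128 scope host
i=0
while test "${if[$i]}"; do
  if test "${ipmask[$i]}"; then
    doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
    doit ip l set dev "${if[$i]}" up
  fi
  i=$((i + 1))
done

echo; echo "* Configuring routes"
i=0
while test "${if[$i]}"; do
  if test "${net[$i]}" && test "${gw[$i]}"; then
    doit ip r a "${net[$i]}" via "${gw[$i]}"
  fi
  i=$((i + 1))
done

echo; echo "* Recreating /etc/* files reflecting new network configuration:"
for etcfile in etc/*; do
  # With an empty etc/ the glob stays literal and would create a file
  # named "/etc/*"; also skip directories and anything else that isn't
  # a regular file, since sourcing it would just produce an empty /etc/<n>.
  test -f "$etcfile" || continue
  n=${etcfile##*/}
  echo "+ $n"
  # Each template is a shell fragment whose stdout becomes /etc/<n>.
  (. "$etcfile") >"/etc/$n"
  chmod 644 "/etc/$n"
done


# Usage: new_chain <chain> [<table>]
# Creates an empty chain and sets the global $ipt to the "append to this
# chain" command prefix used by the rules that follow.
new_chain() {
  local t=""
  if test -n "$2"; then
    t="-t $2"
  fi
  # $t is intentionally unquoted: it must expand to two words
  # ("-t <table>") or to nothing at all.
  doit iptables $t -N $1
  ipt="iptables $t -A $1"
}

echo; echo "* Reset iptables"
# Note: --flush only removes rules; the built-in chains keep whatever
# policy they already have, and nothing below sets a policy explicitly.
doit iptables --flush
doit iptables --delete-chain
doit iptables --zero
doit iptables -t nat --flush
doit iptables -t nat --delete-chain
doit iptables -t nat --zero
doit iptables -t mangle --flush
doit iptables -t mangle --delete-chain
doit iptables -t mangle --zero

echo; echo "* Configure iptables"
# Connection-tracking helpers so FTP/TFTP data connections count as RELATED.
doit modprobe nf_nat_ftp
doit modprobe nf_nat_tftp
doit modprobe nf_conntrack_ftp
doit modprobe nf_conntrack_tftp

# *** nat ***
# INCOMING TRAFFIC
ipt="iptables -t nat -A PREROUTING"
# nothing here

# LOCALLY ORIGINATED TRAFFIC
ipt="iptables -t nat -A OUTPUT"
# nothing here

# OUTGOING TRAFFIC
ipt="iptables -t nat -A POSTROUTING"
# Masquerade boxes on my private net
doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE

# *** mangle ***
### DEBUG
### ipt="iptables -t mangle -A PREROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A FORWARD"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A POSTROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
# nothing here

# *** filter ***
#
# Everything arriving on $extif is sent through the "iext" chain (hooked
# into INPUT below): replies to our own connections return, TCP to the
# listed ports returns, any other TCP is rejected.
# NOTE(review): only TCP is rejected here. UDP, ICMP and other protocols
# fall out of iext and are handled by INPUT's policy, and no FORWARD rules
# are installed at all, so forwarded traffic is governed solely by the
# FORWARD chain's existing policy.
new_chain iext filter
#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
if test "$ext_open_tcp"; then
  # "21 22 80" -> "21,22,80" for multiport
  portlist="${ext_open_tcp// /,}"
  doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
fi
doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
                           # (it probes proxy ports, DROP will incur timeout delays)
ipt="iptables -t filter -A INPUT"
doit $ipt -i $extif -j iext


echo; echo "* Enabling forwarding"
# Forwarding is switched on only after the rules above are in place.
# If a previous run already enabled it, it stays on during the reset
# above, when no rules are loaded.
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "/proc/sys/net/ipv4/ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"


# Signal everybody that firewall is up
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"

# Ok, spew out gobs of info and disable ourself
echo; echo "* IP:"
ip a l
echo; echo "* Routing:"
ip r l
echo; echo "* Firewall:"
{
  echo '---FILTER--'
  iptables -v -L -x -n
  echo '---NAT-----'
  iptables -t nat -v -L -x -n
  echo '---MANGLE--'
  iptables -t mangle -v -L -x -n
} \
  | grep -v '^$' | grep -Fv 'bytes target'
echo

echo "* End of firewall configuration"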