emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
86350f8d5f5d5a1006cffe0bedccd625f012702f
busybox/examples/var_service/fw/run
Denys Vlasenko fae9f499b2 ntpd: make it work w/o -g too :( 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2009-12-01 02:32:01 +01:00

212 lines
5.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# (using bashism: arrays)
service="${PWD##*/}"
rundir="/var/run/service/$service"
user=root
extif=if
ext_open_tcp="21 22 80" # space-separated
# Make ourself one-shot
sv o .
# Debug
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
### filter This is the default table (if no -t option is passed). It contains
### the built-in chains INPUT (for packets coming into the box itself),
### FORWARD (for packets being routed through the box), and OUTPUT (for
### locally-generated packets).
###
### nat This table is consulted when a packet that creates a new connection
### is encountered. It consists of three built-ins: PREROUTING (for
### altering packets as soon as they come in), OUTPUT (for altering
### locally-generated packets before routing), and POSTROUTING (for
### altering packets as they are about to go out).
###
### mangle It had two built-in chains: PREROUTING (for altering incoming
### packets before routing) and OUTPUT (for altering locally-generated
### packets before routing). Recently three other built-in
### chains are added: INPUT (for packets coming into the box
### itself), FORWARD (for altering packets being routed through the
### box), and POSTROUTING (for altering packets as they are about to go
### out).
###
### ...iface... ...iface...
### | ^
### v |
### -mangle,NAT- -mangle,filter- -mangle,NAT--
### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING|
### ------------ | ^ --------------- -------------
### | | ^
### | +--if NATed------------+ |
### v | |
### -mangle,filter- -mangle,NAT,filter-
### |INPUT | +->[Routing]->|OUTPUT |
### --------------- | -------------------
### | |
### v |
### ... Local Process...
doit() {
echo "# $*"
"$@"
}
#exec >/dev/null
exec >"$0.out"
exec 2>&1
exec </dev/null
umask 077
# Make sure rundir/ exists
mkdir -p "$rundir" 2>/dev/null
chown -R "$user:" "$rundir"
chmod -R a=rX "$rundir"
rm -rf rundir 2>/dev/null
ln -s "$rundir" rundir
# Timestamping
date '+%Y-%m-%d %H:%M:%S'
echo; echo "* Reading IP config"
cfg=-1
# static cfg dhcp,zeroconf etc
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
if test -f "$ipconf"; then
echo "+ $ipconf"
. "$ipconf"
fi
done
echo; echo "* Configuring hardware"
#doit ethtool -s if autoneg off speed 100 duplex full
#doit ethtool -K if rx off tx off sg off tso off
echo; echo "* Resetting address and routing info"
doit ip a f dev lo
i=0; while test "${if[$i]}"; do
doit ip a f dev "${if[$i]}"
doit ip r f dev "${if[$i]}" root 0/0
let i++; done
echo; echo "* Configuring addresses"
doit ip a a dev lo 127.0.0.1/8 scope host
doit ip a a dev lo ::1/128 scope host
i=0; while test "${if[$i]}"; do
if test "${ipmask[$i]}"; then
doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
doit ip l set dev "${if[$i]}" up
fi
let i++; done
echo; echo "* Configuring routes"
i=0; while test "${if[$i]}"; do
if test "${net[$i]}" && test "${gw[$i]}"; then
doit ip r a "${net[$i]}" via "${gw[$i]}"
fi
let i++; done
echo; echo "* Recreating /etc/* files reflecting new network configuration:"
for i in etc/*; do
n=`basename "$i"`
echo "+ $n"
(. "$i") >"/etc/$n"
chmod 644 "/etc/$n"
done
# Usage: new_chain <chain> [<table>]
new_chain() {
local t=""
test x"$2" != x"" && t="-t $2"
doit iptables $t -N $1
ipt="iptables $t -A $1"
}
echo; echo "* Reset iptables"
doit iptables --flush
doit iptables --delete-chain
doit iptables --zero
doit iptables -t nat --flush
doit iptables -t nat --delete-chain
doit iptables -t nat --zero
doit iptables -t mangle --flush
doit iptables -t mangle --delete-chain
doit iptables -t mangle --zero
echo; echo "* Configure iptables"
doit modprobe nf_nat_ftp
doit modprobe nf_nat_tftp
doit modprobe nf_conntrack_ftp
doit modprobe nf_conntrack_tftp
# *** nat ***
# INCOMING TRAFFIC
ipt="iptables -t nat -A PREROUTING"
# nothing here
# LOCALLY ORIGINATED TRAFFIC
ipt="iptables -t nat -A OUTPUT"
# nothing here
# OUTGOING TRAFFIC
ipt="iptables -t nat -A POSTROUTING"
# Masquerade boxes on my private net
doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
# *** mangle ***
### DEBUG
### ipt="iptables -t mangle -A PREROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A FORWARD"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A POSTROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
# nothing here
# *** filter ***
#
new_chain iext filter
#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
if test "$ext_open_tcp"; then
portlist="${ext_open_tcp// /,}"
doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
fi
doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
# (it probes proxy ports, DROP will incur timeout delays)
ipt="iptables -t filter -A INPUT"
doit $ipt -i $extif -j iext
echo; echo "* Enabling forwarding"
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
# Signal everybody that firewall is up
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
# Ok, spew out gobs of info and disable ourself
echo; echo "* IP:"
ip a l
echo; echo "* Routing:"
ip r l
echo; echo "* Firewall:"
{
echo '---FILTER--';
iptables -v -L -x -n;
echo '---NAT-----';
iptables -t nat -v -L -x -n;
echo '---MANGLE--';
iptables -t mangle -v -L -x -n;
} \
| grep -v '^$' | grep -Fv 'bytes target'
echo
echo "* End of firewall configuration"
Reference in New Issue View Git Blame Copy Permalink