mirror of
https://github.com/sheumann/hush.git
synced 2025-01-04 22:34:37 +00:00
6b5abc9596
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
236 lines
6.8 KiB
Bash
Executable File
236 lines
6.8 KiB
Bash
Executable File
#!/bin/bash
|
|
# (using bashism: arrays)
|
|
|
|
user="root"
|
|
reset_all_netdevs=true
|
|
preferred_default_route_iface="if"
|
|
extif="if"
|
|
ext_open_tcp="22 80 88" # space-separated
|
|
|
|
# Make ourself one-shot
|
|
sv o .
|
|
# Debug
|
|
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
|
|
|
|
service=`basename $PWD`
|
|
rundir="/var/run/service/$service"
|
|
|
|
### filter This is the default table (if no -t option is passed). It contains
|
|
### the built-in chains INPUT (for packets coming into the box itself),
|
|
### FORWARD (for packets being routed through the box), and OUTPUT (for
|
|
### locally-generated packets).
|
|
###
|
|
### nat This table is consulted when a packet that creates a new connection
|
|
### is encountered. It consists of three built-ins: PREROUTING (for
|
|
### altering packets as soon as they come in), OUTPUT (for altering
|
|
### locally-generated packets before routing), and POSTROUTING (for
|
|
### altering packets as they are about to go out).
|
|
###
|
|
### mangle It had two built-in chains: PREROUTING (for altering incoming
|
|
### packets before routing) and OUTPUT (for altering locally-generated
|
|
### packets before routing). Recently three other built-in
|
|
### chains are added: INPUT (for packets coming into the box
|
|
### itself), FORWARD (for altering packets being routed through the
|
|
### box), and POSTROUTING (for altering packets as they are about to go
|
|
### out).
|
|
###
|
|
### ...iface... ...iface...
|
|
### | ^
|
|
### v |
|
|
### -mangle,NAT- -mangle,filter- -mangle,NAT--
|
|
### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING|
|
|
### ------------ | ^ --------------- -------------
|
|
### | | ^
|
|
### | +--if NATed------------+ |
|
|
### v | |
|
|
### -mangle,filter- -mangle,NAT,filter-
|
|
### |INPUT | +->[Routing]->|OUTPUT |
|
|
### --------------- | -------------------
|
|
### | |
|
|
### v |
|
|
### ... Local Process...
|
|
|
|
doit() {
|
|
echo "# $*"
|
|
"$@"
|
|
}
|
|
|
|
#exec >/dev/null
|
|
exec >"$0.out"
|
|
exec 2>&1
|
|
exec </dev/null
|
|
|
|
umask 077
|
|
|
|
# Make sure rundir/ exists
|
|
mkdir -p "$rundir" 2>/dev/null
|
|
chown -R "$user": "$rundir"
|
|
chmod -R a=rX "$rundir"
|
|
rm -rf rundir 2>/dev/null
|
|
ln -s "$rundir" rundir
|
|
|
|
# Timestamping
|
|
date '+%Y-%m-%d %H:%M:%S'
|
|
|
|
echo; echo "* Reading IP config"
|
|
cfg=-1
|
|
# static cfg dhcp,zeroconf etc
|
|
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
|
|
if test -f "$ipconf"; then
|
|
echo "+ $ipconf"
|
|
. "$ipconf"
|
|
fi
|
|
done
|
|
|
|
echo; echo "* Configuring hardware"
|
|
#doit ethtool -s if autoneg off speed 100 duplex full
|
|
#doit ethtool -K if rx off tx off sg off tso off
|
|
|
|
echo; echo "* Resetting address and routing info"
|
|
if $reset_all_netdevs; then
|
|
devs=`sed -n 's/ //g;s/:.*$//p' </proc/net/dev`
|
|
for iface in $devs; do
|
|
doit ip a f dev "$iface"
|
|
doit ip r f dev "$iface" root 0/0
|
|
done
|
|
else
|
|
doit ip a f dev lo
|
|
i=0; while test "${if[$i]}"; do
|
|
doit ip a f dev "${if[$i]}"
|
|
doit ip r f dev "${if[$i]}" root 0/0
|
|
let i++; done
|
|
fi
|
|
|
|
echo; echo "* Configuring addresses"
|
|
doit ip a a dev lo 127.0.0.1/8 scope host
|
|
doit ip a a dev lo ::1/128 scope host
|
|
i=0; while test "${if[$i]}"; do
|
|
if test "${ipmask[$i]}"; then
|
|
doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
|
|
doit ip l set dev "${if[$i]}" up
|
|
fi
|
|
let i++; done
|
|
|
|
echo; echo "* Configuring routes"
|
|
# If several ifaces are configured via DHCP, they often both have 0/0 route.
|
|
# They have no way of knowing that this route is offered on more than one iface.
|
|
# Often, it's desirable to prefer one iface: say, wired eth over wireless.
|
|
# if preferred_default_route_iface is not set, 0/0 route will be assigned randomly.
|
|
if test "$preferred_default_route_iface"; then
|
|
i=0; while test "${if[$i]}"; do
|
|
if test "${if[$i]}" = "$preferred_default_route_iface" \
|
|
&& test "${net[$i]}" = "0/0" \
|
|
&& test "${gw[$i]}"; then
|
|
echo "+ default route through ${if[$i]}, ${gw[$i]}:"
|
|
doit ip r a "${net[$i]}" via "${gw[$i]}"
|
|
fi
|
|
let i++; done
|
|
fi
|
|
i=0; while test "${if[$i]}"; do
|
|
#echo $i:"${if[$i]}"
|
|
if test "${net[$i]}" && test "${gw[$i]}"; then
|
|
doit ip r a "${net[$i]}" via "${gw[$i]}"
|
|
fi
|
|
let i++; done
|
|
|
|
echo; echo "* Recreating /etc/* files reflecting new network configuration:"
|
|
for i in etc/*; do
|
|
n=`basename "$i"`
|
|
echo "+ $n"
|
|
(. "$i") >"/etc/$n"
|
|
chmod 644 "/etc/$n"
|
|
done
|
|
|
|
|
|
# Usage: new_chain <chain> [<table>]
|
|
new_chain() {
|
|
local t=""
|
|
test x"$2" != x"" && t="-t $2"
|
|
doit iptables $t -N $1
|
|
ipt="iptables $t -A $1"
|
|
}
|
|
|
|
echo; echo "* Reset iptables"
|
|
doit iptables --flush
|
|
doit iptables --delete-chain
|
|
doit iptables --zero
|
|
doit iptables -t nat --flush
|
|
doit iptables -t nat --delete-chain
|
|
doit iptables -t nat --zero
|
|
doit iptables -t mangle --flush
|
|
doit iptables -t mangle --delete-chain
|
|
doit iptables -t mangle --zero
|
|
|
|
echo; echo "* Configure iptables"
|
|
doit modprobe nf_nat_ftp
|
|
doit modprobe nf_nat_tftp
|
|
doit modprobe nf_conntrack_ftp
|
|
doit modprobe nf_conntrack_tftp
|
|
|
|
# *** nat ***
|
|
# INCOMING TRAFFIC
|
|
ipt="iptables -t nat -A PREROUTING"
|
|
# nothing here
|
|
|
|
# LOCALLY ORIGINATED TRAFFIC
|
|
ipt="iptables -t nat -A OUTPUT"
|
|
# nothing here
|
|
|
|
# OUTGOING TRAFFIC
|
|
ipt="iptables -t nat -A POSTROUTING"
|
|
# Masquerade boxes on my private net
|
|
doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
|
|
|
|
# *** mangle ***
|
|
### DEBUG
|
|
### ipt="iptables -t mangle -A PREROUTING"
|
|
### doit $ipt -s 192.168.0.0/24 -j RETURN
|
|
### ipt="iptables -t mangle -A FORWARD"
|
|
### doit $ipt -s 192.168.0.0/24 -j RETURN
|
|
### ipt="iptables -t mangle -A POSTROUTING"
|
|
### doit $ipt -s 192.168.0.0/24 -j RETURN
|
|
# nothing here
|
|
|
|
# *** filter ***
|
|
#
|
|
new_chain iext filter
|
|
#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
|
|
#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
|
|
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
|
|
if test "$ext_open_tcp"; then
|
|
portlist="${ext_open_tcp// /,}"
|
|
doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
|
|
fi
|
|
doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
|
|
# (it probes proxy ports, DROP will incur timeout delays)
|
|
ipt="iptables -t filter -A INPUT"
|
|
doit $ipt -i $extif -j iext
|
|
|
|
|
|
echo; echo "* Enabling forwarding"
|
|
echo 1 >/proc/sys/net/ipv4/ip_forward
|
|
echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
|
|
|
|
|
|
# Signal everybody that firewall is up
|
|
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
|
|
|
|
# Ok, spew out gobs of info and disable ourself
|
|
echo; echo "* IP:"
|
|
ip a l
|
|
echo; echo "* Routing:"
|
|
ip r l
|
|
echo; echo "* Firewall:"
|
|
{
|
|
echo '---FILTER--';
|
|
iptables -v -L -x -n;
|
|
echo '---NAT-----';
|
|
iptables -t nat -v -L -x -n;
|
|
echo '---MANGLE--';
|
|
iptables -t mangle -v -L -x -n;
|
|
} \
|
|
| grep -v '^$' | grep -Fv 'bytes target'
|
|
echo
|
|
|
|
echo "* End of firewall configuration"
|