2 # (using bashism: arrays)
6 preferred_default_route_iface="if"
8 ext_open_tcp="22 80 88" # space-separated
10 # Make ourself one-shot
13 #date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
15 service=`basename $PWD`
16 rundir="/var/run/service/$service"
18 ### filter This is the default table (if no -t option is passed). It contains
19 ### the built-in chains INPUT (for packets coming into the box itself),
20 ### FORWARD (for packets being routed through the box), and OUTPUT (for
21 ### locally-generated packets).
23 ### nat This table is consulted when a packet that creates a new connection
24 ### is encountered. It consists of three built-ins: PREROUTING (for
25 ### altering packets as soon as they come in), OUTPUT (for altering
26 ### locally-generated packets before routing), and POSTROUTING (for
27 ### altering packets as they are about to go out).
29 ### mangle It had two built-in chains: PREROUTING (for altering incoming
30 ### packets before routing) and OUTPUT (for altering locally-generated
31 ### packets before routing). Recently three other built-in
32 ### chains are added: INPUT (for packets coming into the box
33 ### itself), FORWARD (for altering packets being routed through the
34 ### box), and POSTROUTING (for altering packets as they are about to go
37 ### ...iface... ...iface...
40 ### -mangle,NAT- -mangle,filter- -mangle,NAT--
41 ### |PREROUTING|-->[Routing]-->|FORWARD |-->|POSTROUTING|
42 ### ------------ | ^ --------------- -------------
44 ### | +--if NATed------------+ |
46 ### -mangle,filter- -mangle,NAT,filter-
47 ### |INPUT | +->[Routing]->|OUTPUT |
48 ### --------------- | -------------------
51 ### ... Local Process...
65 # Make sure rundir/ exists
66 mkdir -p "$rundir" 2>/dev/null
67 chown -R "$user": "$rundir"
68 chmod -R a=rX "$rundir"
69 rm -rf rundir 2>/dev/null
70 ln -s "$rundir" rundir
73 date '+%Y-%m-%d %H:%M:%S'
75 echo; echo "* Reading IP config"
77 # static cfg dhcp,zeroconf etc
78 for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
79 if test -f "$ipconf"; then
85 echo; echo "* Configuring hardware"
86 #doit ethtool -s if autoneg off speed 100 duplex full
87 #doit ethtool -K if rx off tx off sg off tso off
89 echo; echo "* Resetting address and routing info"
90 if $reset_all_netdevs; then
91 devs=`sed -n 's/ //g;s/:.*$//p' </proc/net/dev`
92 for iface in $devs; do
93 doit ip a f dev "$iface"
94 doit ip r f dev "$iface" root 0/0
98 i=0; while test "${if[$i]}"; do
99 doit ip a f dev "${if[$i]}"
100 doit ip r f dev "${if[$i]}" root 0/0
104 echo; echo "* Configuring addresses"
105 doit ip a a dev lo 127.0.0.1/8 scope host
106 doit ip a a dev lo ::1/128 scope host
107 i=0; while test "${if[$i]}"; do
108 if test "${ipmask[$i]}"; then
109 doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
110 doit ip l set dev "${if[$i]}" up
114 echo; echo "* Configuring routes"
115 # If several ifaces are configured via DHCP, they often both have 0/0 route.
116 # They have no way of knowing that this route is offered on more than one iface.
117 # Often, it's desirable to prefer one iface: say, wired eth over wireless.
118 # if preferred_default_route_iface is not set, 0/0 route will be assigned randomly.
119 if test "$preferred_default_route_iface"; then
120 i=0; while test "${if[$i]}"; do
121 if test "${if[$i]}" = "$preferred_default_route_iface" \
122 && test "${net[$i]}" = "0/0" \
123 && test "${gw[$i]}"; then
124 echo "+ default route through ${if[$i]}, ${gw[$i]}:"
125 doit ip r a "${net[$i]}" via "${gw[$i]}"
129 i=0; while test "${if[$i]}"; do
131 if test "${net[$i]}" && test "${gw[$i]}"; then
132 doit ip r a "${net[$i]}" via "${gw[$i]}"
136 echo; echo "* Recreating /etc/* files reflecting new network configuration:"
145 # Usage: new_chain <chain> [<table>]
148 test x"$2" != x"" && t="-t $2"
149 doit iptables $t -N $1
150 ipt="iptables $t -A $1"
153 echo; echo "* Reset iptables"
154 doit iptables --flush
155 doit iptables --delete-chain
157 doit iptables -t nat --flush
158 doit iptables -t nat --delete-chain
159 doit iptables -t nat --zero
160 doit iptables -t mangle --flush
161 doit iptables -t mangle --delete-chain
162 doit iptables -t mangle --zero
164 echo; echo "* Configure iptables"
165 doit modprobe nf_nat_ftp
166 doit modprobe nf_nat_tftp
167 doit modprobe nf_conntrack_ftp
168 doit modprobe nf_conntrack_tftp
172 ipt="iptables -t nat -A PREROUTING"
175 # LOCALLY ORIGINATED TRAFFIC
176 ipt="iptables -t nat -A OUTPUT"
180 ipt="iptables -t nat -A POSTROUTING"
181 # Masquerade boxes on my private net
182 doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
186 ### ipt="iptables -t mangle -A PREROUTING"
187 ### doit $ipt -s 192.168.0.0/24 -j RETURN
188 ### ipt="iptables -t mangle -A FORWARD"
189 ### doit $ipt -s 192.168.0.0/24 -j RETURN
190 ### ipt="iptables -t mangle -A POSTROUTING"
191 ### doit $ipt -s 192.168.0.0/24 -j RETURN
196 new_chain iext filter
197 #doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
198 #doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
199 doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
200 if test "$ext_open_tcp"; then
201 portlist="${ext_open_tcp// /,}"
202 doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
204 doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
205 # (it probes proxy ports, DROP will incur timeout delays)
206 ipt="iptables -t filter -A INPUT"
207 doit $ipt -i $extif -j iext
210 echo; echo "* Enabling forwarding"
211 echo 1 >/proc/sys/net/ipv4/ip_forward
212 echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
215 # Signal everybody that firewall is up
216 date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
218 # Ok, spew out gobs of info and disable ourself
221 echo; echo "* Routing:"
223 echo; echo "* Firewall:"
226 iptables -v -L -x -n;
228 iptables -t nat -v -L -x -n;
230 iptables -t mangle -v -L -x -n;
232 | grep -v '^$' | grep -Fv 'bytes target'
235 echo "* End of firewall configuration"