examples/var_service/fw/run

#!/bin/bash
# (using bashism: arrays)

user="root"
reset_all_netdevs=true
preferred_default_route_iface="if"
extif="if"
ext_open_tcp="22 80 88" # space-separated

# Make ourself one-shot
sv o .
# Debug
#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"

service=`basename $PWD`
rundir="/var/run/service/$service"

### filter This is the default table (if no -t option is passed).  It contains
###        the  built-in chains INPUT (for packets coming into the box itself),
###        FORWARD (for packets being routed through the box), and OUTPUT (for
###        locally-generated packets).
###
### nat    This table is consulted when a packet that creates a new connection
###        is encountered.  It consists of three built-ins: PREROUTING (for
###        altering packets as soon as they come in), OUTPUT (for altering
###        locally-generated packets before routing), and POSTROUTING (for
###        altering packets as they are about to go out).
###
### mangle It had two built-in chains: PREROUTING (for altering incoming
###        packets before routing) and OUTPUT (for altering locally-generated
###        packets before routing).  Recently three other built-in
###        chains are added: INPUT (for packets coming into the box
###        itself), FORWARD (for altering packets being routed through the
###        box), and POSTROUTING (for altering packets as they are about to go
###        out).
###
###       ...iface...                              ...iface...
###          |                                        ^
###          v                                        |
### -mangle,NAT-               -mangle,filter-   -mangle,NAT--
### |PREROUTING|-->[Routing]-->|FORWARD      |-->|POSTROUTING|
### ------------    |    ^     ---------------   -------------
###                 |    |                           ^
###                 |    +--if NATed------------+    |
###                 v                           |    |
###      -mangle,filter-                -mangle,NAT,filter-
###      |INPUT        |  +->[Routing]->|OUTPUT           |
###      ---------------  |             -------------------
###                 |     |
###                 v     |
###         ... Local Process...

doit() {
	echo "# $*"
	"$@"
}

#exec >/dev/null
exec >"$0.out"
exec 2>&1
exec </dev/null

umask 077

# Make sure rundir/ exists
mkdir -p "$rundir" 2>/dev/null
chown -R "$user": "$rundir"
chmod -R a=rX "$rundir"
rm -rf rundir 2>/dev/null
ln -s "$rundir" rundir

# Timestamping
date '+%Y-%m-%d %H:%M:%S'

echo; echo "* Reading IP config"
cfg=-1
#             static cfg    dhcp,zeroconf etc
for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
	if test -f "$ipconf"; then
		echo "+ $ipconf"
		. "$ipconf"
	fi
done

echo; echo "* Configuring hardware"
#doit ethtool -s if autoneg off speed 100 duplex full
#doit ethtool -K if rx off tx off sg off tso off

echo; echo "* Resetting address and routing info"
if $reset_all_netdevs; then
	devs=`sed -n 's/ //g;s/:.*$//p' </proc/net/dev`
	for if in $devs; do
		doit ip a f dev "$if"
		doit ip r f dev "$if" root 0/0
	done
else
	doit ip a f dev lo
	i=0; while test "${if[$i]}"; do
		doit ip a f dev "${if[$i]}"
		doit ip r f dev "${if[$i]}" root 0/0
	let i++; done
fi

echo; echo "* Configuring addresses"
doit ip a a dev lo 127.0.0.1/8 scope host
doit ip a a dev lo ::1/128 scope host
i=0; while test "${if[$i]}"; do
	if test "${ipmask[$i]}"; then
		doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
		doit ip l set dev "${if[$i]}" up
	fi
let i++; done

echo; echo "* Configuring routes"
# If several ifaces are configured via DHCP, they often both have 0/0 route.
# They have no way of knowing that this route is offered on more than one iface.
# Often, it's desirable to prefer one iface: say, wired eth over wireless.
# if preferred_default_route_iface is not set, 0/0 route will be assigned randomly.
if test "$preferred_default_route_iface"; then
	i=0; while test "${if[$i]}"; do
		if test "${if[$i]}" = "$preferred_default_route_iface" \
		&& test "${net[$i]}" = "0/0" \
		&& test "${gw[$i]}"; then
			echo "+ default route through ${if[$i]}, ${gw[$i]}:"
			doit ip r a "${net[$i]}" via "${gw[$i]}"
		fi
	let i++; done
fi
i=0; while test "${if[$i]}"; do
	#echo $i:"${if[$i]}"
	if test "${net[$i]}" && test "${gw[$i]}"; then
		doit ip r a "${net[$i]}" via "${gw[$i]}"
	fi
let i++; done

echo; echo "* Recreating /etc/* files reflecting new network configuration:"
for i in etc/*; do
	n=`basename "$i"`
	echo "+ $n"
	(. "$i") >"/etc/$n"
	chmod 644 "/etc/$n"
done


# Usage: new_chain <chain> [<table>]
new_chain() {
	local t=""
	test x"$2" != x"" && t="-t $2"
	doit iptables $t -N $1
	ipt="iptables $t -A $1"
}

echo; echo "* Reset iptables"
doit iptables           --flush
doit iptables           --delete-chain
doit iptables           --zero
doit iptables -t nat    --flush
doit iptables -t nat    --delete-chain
doit iptables -t nat    --zero
doit iptables -t mangle --flush
doit iptables -t mangle --delete-chain
doit iptables -t mangle --zero

echo; echo "* Configure iptables"
doit modprobe nf_nat_ftp
doit modprobe nf_nat_tftp
doit modprobe nf_conntrack_ftp
doit modprobe nf_conntrack_tftp

#       *** nat ***
#       INCOMING TRAFFIC
ipt="iptables -t nat -A PREROUTING"
# nothing here

#       LOCALLY ORIGINATED TRAFFIC
ipt="iptables -t nat -A OUTPUT"
# nothing here

#       OUTGOING TRAFFIC
ipt="iptables -t nat -A POSTROUTING"
# Masquerade boxes on my private net
doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE

#       *** mangle ***
### DEBUG
### ipt="iptables -t mangle -A PREROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A FORWARD"
### doit $ipt -s 192.168.0.0/24 -j RETURN
### ipt="iptables -t mangle -A POSTROUTING"
### doit $ipt -s 192.168.0.0/24 -j RETURN
# nothing here

#       *** filter ***
#
new_chain iext filter
#doit $ipt -s 203.177.104.72 -j DROP	# Some idiot probes my ssh
#doit $ipt -d 203.177.104.72 -j DROP	# Some idiot probes my ssh
doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN  # FTP data etc is ok
if test "$ext_open_tcp"; then
	portlist="${ext_open_tcp// /,}"
	doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
fi
doit $ipt -p tcp -j REJECT	# Anything else isn't ok. REJECT = irc opens faster
				# (it probes proxy ports, DROP will incur timeout delays)
ipt="iptables -t filter -A INPUT"
doit $ipt -i $extif -j iext


echo; echo "* Enabling forwarding"
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"


# Signal everybody that firewall is up
date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"

# Ok, spew out gobs of info and disable ourself
echo; echo "* IP:"
ip a l
echo; echo "* Routing:"
ip r l
echo; echo "* Firewall:"
{
echo '---FILTER--';
iptables -v -L -x -n;
echo '---NAT-----';
iptables -t nat -v -L -x -n;
echo '---MANGLE--';
iptables -t mangle -v -L -x -n;
} \
| grep -v '^$' | grep -Fv 'bytes target'
echo

echo "* End of firewall configuration"