From 0aab852e51b9511a1abe6a8970a2e26620bc079b Mon Sep 17 00:00:00 2001
From: Sapan Bhatia
Date: Tue, 24 Feb 2009 11:32:00 +0000
Subject: [PATCH] More PL-specific stuff

---
iptables-config | 37 +++++
iptables.init | 373 +++++++++++++++++++++++++++++++++++++++++++++++
planetlab-config | 22 +++
3 files changed, 432 insertions(+)
create mode 100644 iptables-config
create mode 100755 iptables.init
create mode 100644 planetlab-config

diff --git a/iptables-config b/iptables-config
new file mode 100644
index 0000000..c7d81cf
--- /dev/null
+++ b/iptables-config
@@ -0,0 +1,37 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modules.conf.
+IPTABLES_MODULES="ip_conntrack vnet_tun"
+
+# Unload modules on restart and stop
+# Value: yes|no, default: yes
+# This option has to be 'yes' to get to a sane state for a firewall
+# restart or stop. Only set to 'no' if there are problems unloading netfilter
+# modules.
+#IPTABLES_MODULES_UNLOAD="yes"
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+#IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+#IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+#IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: no
+# Print IP addresses and port numbers in numeric format in the status output.
+#IPTABLES_STATUS_NUMERIC="no"
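Review bot: The `# Default: -none-` line above `IPTABLES_MODULES` no longer matches the value this file sets (`ip_conntrack vnet_tun`), so the header contradicts the line it documents. Since the init script sources this file and hands each word to `modprobe` after the rules are applied, I would replace the stale line with `# PlanetLab default: ip_conntrack vnet_tun (each word is passed to modprobe after the rules are applied)`. The other options stay commented out, so the init script's own defaults apply for them.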
diff --git a/iptables.init b/iptables.init
new file mode 100755
index 0000000..ec50ee0
--- /dev/null
+++ b/iptables.init
@@ -0,0 +1,373 @@
+#!/bin/sh
+#
+# iptables Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+
+# Source function library.
+. /etc/init.d/functions
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+if [ ! -x /sbin/$IPTABLES ]; then
+ echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
+ exit 0
+fi
+
+if lsmod 2>/dev/null | grep -q ipchains ; then
+ echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
+ exit 0
+fi
+
+# Old or new modutils
+/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+ && NEW_MODUTILS=1 \
+ || NEW_MODUTILS=0
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_MODULES_UNLOAD="yes"
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="no"
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+rmmod_r() {
+ # Unload module with all referring modules.
+ # At first all referring modules will be unloaded, then the module itself.
+ local mod=$1
+ local ret=0
+ local ref=
+
+ # Get referring modules.
+ # New modutils have another output format.
+ [ $NEW_MODUTILS = 1 ] \
+ && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
+ || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
+
+ # recursive call for all referring modules
+ for i in $ref; do
+ rmmod_r $i
+ let ret+=$?;
+ done
+
+ # Unload module.
+ # The extra test is for 2.6: The module might have autocleaned,
+ # after all referring modules are unloaded.
+ if grep -q "^${mod}" /proc/modules ; then
+ modprobe -r $mod > /dev/null 2>&1
+ let ret+=$?;
+ fi
+
+ return $ret
+}
+
+flush_n_delete() {
+ # Flush firewall rules and delete chains.
+ [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Flushing firewall rules: "
+ ret=0
+ # For all tables
+ for i in $tables; do
+ # Flush firewall rules.
+ $IPTABLES -t $i -F;
+ let ret+=$?;
+
+ # Delete firewall chains.
+ $IPTABLES -t $i -X;
+ let ret+=$?;
+
+ # Set counter to zero.
+ $IPTABLES -t $i -Z;
+ let ret+=$?;
+ done
+
+ [ $ret -eq 0 ] && success || failure
+ echo
+ return $ret
+}
+
+set_policy() {
+ # Set policy for configured tables.
+ policy=$1
+
+ # Check if iptable module is loaded
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Setting chains to policy $policy: "
+ ret=0
+ for i in $tables; do
+ echo -n "$i "
+ case "$i" in
+ filter)
+ $IPTABLES -t filter -P INPUT $policy \
+ && $IPTABLES -t filter -P OUTPUT $policy \
+ && $IPTABLES -t filter -P FORWARD $policy \
+ || let ret+=1
+ ;;
+ nat)
+ $IPTABLES -t nat -P PREROUTING $policy \
+ && $IPTABLES -t nat -P POSTROUTING $policy \
+ && $IPTABLES -t nat -P OUTPUT $policy \
+ || let ret+=1
+ ;;
+ mangle)
+ $IPTABLES -t mangle -P PREROUTING $policy \
+ && $IPTABLES -t mangle -P POSTROUTING $policy \
+ && $IPTABLES -t mangle -P INPUT $policy \
+ && $IPTABLES -t mangle -P OUTPUT $policy \
+ && $IPTABLES -t mangle -P FORWARD $policy \
+ || let ret+=1
+ ;;
+ *)
+ let ret+=1
+ ;;
+ esac
+ done
+
+ [ $ret -eq 0 ] && success || failure
+ echo
+ return $ret
+}
+
+start() {
+ # Do not start if there is no config file.
+ [ -f "$IPTABLES_DATA" ] || return 1
+
+ echo -n $"Applying $IPTABLES firewall rules: "
+
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ $IPTABLES-restore $OPT $IPTABLES_DATA
+ if [ $? -eq 0 ]; then
+ success; echo
+ else
+ failure; echo; return 1
+ fi
+
+ # Tuntap initialization
+
+ if [ -z "$taps" -a -r /etc/planetlab/node_id ] ; then
+ # If this node is not "virtually multi-homed", just bring up
+ # the tap interface with a PLB private address. The PLB
+ # convention is to assign a unique 10.x.y.0/24 network to each
+ # node where x.y is the PlanetLab node ID of the machine in
+ # host order:
+ #
+ # x = (node_id / 256) % 256
+ # y = node_id % 256
+ #
+ node_id=$(cat /etc/planetlab/node_id)
+ taps="tap0"
+ tap0=$(printf 10.%d.%d.1 $((($node_id / 256) % 256)) $(($node_id % 256)))
+ tapmask=255.0.0.0
+ fi
+
+ # Load additional modules (helpers)
+ if [ -n "$IPTABLES_MODULES" ]; then
+ echo -n $"Loading additional $IPTABLES modules: "
+ ret=0
+ for mod in $IPTABLES_MODULES; do
+ echo -n "$mod "
+ modprobe $mod > /dev/null 2>&1
+ let ret+=$?;
+ done
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
+
+ for tap in $taps ; do
+ # Configuration for this tap (address/proxy)
+ eval cfg=\$$tap
+ addr=${cfg%/*}
+ proxy=${cfg#*/}
+
+ # Set MAC address to something predictable
+ mac=$(printf 00:FF:%X:%X:%X:%X $(echo $addr | sed -e 's/\./ /g'))
+
+ # Bring up this interface. Optimize the MTU for the PlanetLab
+ # Backbone (1500/Ethernet - 4/GRE - 8/UDP - 20/IP = 1468).
+ ifconfig $tap down && \
+ ifconfig $tap hw ether $mac mtu 1468 && \
+ ifconfig $tap $addr ${proxy:+pointopoint $proxy} netmask ${tapmask:=255.255.255.255} up
+
+ # Stuffing the proxy for this address in the pointopoint field
+ # creates a static route to the proxy that we do not want
+ # present.
+ if [ -n "$proxy" -a "$proxy" != "$addr" ] ; then
+ ip route del $proxy
+ fi
+
+ # Enable route through this interface
+ ip route add default dev $tap tab 1 && \
+ ip rule add from $addr tab 1
+ done
+
+
+ touch $VAR_SUBSYS_IPTABLES
+ return $ret
+}
+
+stop() {
+
+ # Do not stop if iptables module is not loaded.
+ [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+
+ flush_n_delete
+ set_policy ACCEPT
+
+ if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
+ echo -n $"Unloading $IPTABLES modules: "
+ ret=0
+ rmmod_r ${IPV}_tables
+ let ret+=$?;
+ rmmod_r ${IPV}_conntrack
+ let ret+=$?;
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
+
+ # Take down vnet interfaces
+ for dev in $taps tap0 ; do
+ action $"Shutting down interface $dev: " \
+ ifconfig $dev 0.0.0.0 down
+ done
+
+ rm -f $VAR_SUBSYS_IPTABLES
+ return $ret
+}
+
+save() {
+ # Check if iptable module is loaded
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ ret=0
+ TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
+ && chmod 600 "$TMP_FILE" \
+ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+ && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
+ || ret=1
+ if [ $ret -eq 0 ]; then
+ if [ -e $IPTABLES_DATA ]; then
+ cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+ && chmod 600 $IPTABLES_DATA.save \
+ || ret=1
+ fi
+ if [ $ret -eq 0 ]; then
+ cp -f $TMP_FILE $IPTABLES_DATA \
+ && chmod 600 $IPTABLES_DATA \
+ || ret=1
+ fi
+ fi
+ [ $ret -eq 0 ] && success || failure
+ echo
+ rm -f $TMP_FILE
+ return $ret
+}
+
+status() {
+ # Do not print status if lockfile is missing and iptables modules are not
+ # loaded.
+ # Check if iptable module is loaded
+ if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
+ echo $"Firewall is stopped."
+ return 1
+ fi
+
+ # Check if firewall is configured (has tables)
+ if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ echo $"Firewall is not configured. "
+ return 1
+ fi
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ if [ -z "$tables" ]; then
+ echo $"Firewall is not configured. "
+ return 1
+ fi
+
+ NUM=
+ [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+
+ for table in $tables; do
+ echo $"Table: $table"
+ $IPTABLES -t $table --list $NUM && echo
+ done
+
+ return 0
+}
+
+restart() {
+ [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ stop
+ start
+ RETVAL=$?
+ ;;
+ stop)
+ [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+ stop
+ RETVAL=$?
+ ;;
+ restart)
+ restart
+ RETVAL=$?
+ ;;
+ condrestart)
+ [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
+ ;;
+ status)
+ status
+ RETVAL=$?
+ ;;
+ panic)
+ flush_n_delete
+ set_policy DROP
+ RETVAL=$?
+ ;;
+ save)
+ save
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/planetlab-config b/planetlab-config
new file mode 100644
index 0000000..b5954cf
--- /dev/null
+++ b/planetlab-config
@@ -0,0 +1,22 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:BLACKLIST -
+:LOGDROP -
+-A OUTPUT -j BLACKLIST
+-A LOGDROP -j LOG
+-A LOGDROP -j DROP
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+-A INPUT -j MARK --copy-xid 0x0
+-A POSTROUTING -j MARK --copy-xid 0x0
+-A POSTROUTING -j CLASSIFY --set-class 0001:1000 --add-mark
+-A POSTROUTING -o eth0 -j ULOG --ulog-cprange 54 --ulog-qthreshold 16
+COMMIT
--
2.43.0
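Review bot: In `start()`, the tap loop runs `eval cfg=\$$tap` over `$taps`, but `taps` and `tapmask` are never given a default in the `# Default firewall configuration:` block, so when `/etc/planetlab/node_id` is absent (or `taps` is already non-empty) the loop variable and the name fed to `eval` appear to come from whatever environment the script was invoked with rather than from this script or its sourced config. I would add `taps=` and `tapmask=` to that defaults block, before the config file is sourced, so only the config can set them, and guard the `eval` with a check that `$tap` contains only `[A-Za-z0-9_]` characters. Separately, `stop()` brings the tap devices down but never removes the `ip rule add from $addr tab 1` entries that `start()` creates, so repeated `restart` seems to accumulate duplicate policy rules; a matching `ip rule del from $addr tab 1` in `stop()` would keep them paired. Finally, `start()` ends with `return $ret` even though `ret` is only assigned inside the `IPTABLES_MODULES` branch, so the return value otherwise carries a stale value from an earlier function or is empty; initialising `ret=0` at the top of `start()` fixes that.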
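Review bot: The `-A LOGDROP -j LOG` rule in the filter table logs unconditionally, so once traffic is steered into `LOGDROP` every matching packet produces a kernel log line and a burst can fill the log; adding a rate limit, `-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "LOGDROP: "`, keeps the log usable and makes the entries searchable. Nothing in this file jumps to `LOGDROP`, and `BLACKLIST` is created empty, so both chains are presumably populated at runtime by other PlanetLab tooling; a `#` comment line above `:BLACKLIST -` naming where they are filled in would help the next reader, since iptables-restore accepts comment lines. The `ULOG` rule is pinned to `-o eth0`, which silently stops accounting on nodes whose uplink has another name.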