ftp.jcu.edu.au

home *** CD-ROM | disk | FTP | other *** search

/ ftp.jcu.edu.au / 2014.06.ftp.jcu.edu.au.tar / ftp.jcu.edu.au / v6.3.2b / SWBD63 / fabos-6.3.2b-10.ppc.rpm / fabos-6.3.2b.10.cpio.gz / fabos-6.3.2b.10.cpio / fabos / libexec / createipf < prev next >

Wrap

Text File | 2010-11-10 | 12KB | 446 lines

#!/bin/sh # # Usage: createipf.sh # # Rule are defined as follows. # ---------- ------- # | INPUT |-------->| TCP |------> Other protocol rules # ---------- ------- # | # | ------- # -------------->| UDP |------> Other protocol rules # ------- # # splitting rule processing in two levels makes it faster # to execute. export PATH=/fabos/sbin:/fabos/bin:/bin:/usr/bin:/sbin # update version whenever script is changed # IPTABLES variable is not defined, hence will be null # this variable is kept if script is changed to use a # path for iptables, this variable can be set to proper # location export debug_on=0 if [ $# != 2 ]; then echo "ERROR: $0, Incorrect number of parameters." #Not required. #iptab_clear_rules; exit 1 fi export POLICYTYPE=$1 export CPSTATE=$2 version=v1.1 #NEED TO CREATE IP6TABLES ALSO. iptab_clear_rules() { if [ "$POLICYTYPE" = "v4" ]; then iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X elif [ "$POLICYTYPE" = "v6" ]; then ip6tables -P INPUT ACCEPT ip6tables -P OUTPUT ACCEPT ip6tables -P FORWARD ACCEPT ip6tables -F ip6tables -X else iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X ip6tables -P INPUT ACCEPT ip6tables -P OUTPUT ACCEPT ip6tables -P FORWARD ACCEPT ip6tables -F ip6tables -X fi } function valid_ip() { local ip=$1 local stat=1 IP_ADDR_VAL=$(echo "$ip" | grep -Ec '^(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])') if ! [ $IP_ADDR_VAL -eq 0 ]; then stat=0 fi return $stat } #USER DEFINED PARAMETERS export ERRFILE="/dev/null" export INTERNAL_IFACE=eth1 export INTERNAL_IFACE_BP=eth2 export INTERNAL_IFACE_1250=inbd+ export DCE_IFACE="veth+" export DCE_VLAN_IFACE="vlan+" export FC="fc" export SCRDIR="/fabos/libexec" export PRIV_NET=10.0.0.0/28 export PRIV_NET_BP=127.1.0.0/16 export INTERNAL_IP1=10.0.0.5 export INTERNAL_IP2=10.0.0.6 export RULE_FILE=/tmp/netfilter.rules export PROTO_TCP=tcp export PROTO_UDP=udp export PROTO_ICMP=icmp export R_TCP=tcp0 export R_UDP=udp0 export R_ICMP=icmp0 export R_TELNET=telnet0 export R_SSH=ssh0 export R_HTTP=http0 export R_APIRPCUDP=apirpcudp0 export R_APIRPCTCP=apirpctcp0 export R_APIPMAP=apipmap0 export R_TCPCOMMON=tcpcommon0 export R_UDPCOMMON=udpcommon0 export R_PRIV_NET=priv_net_rule rule_chains="tcp0 udp0 telnet0 ssh0 http0 apirpctcp0 apirpcudp0 apipmap0 tcpcommon0 udpcommon0" CREATECHAINS="createipfchains" # Determine the system platform identifier. SWBD=`/sbin/sin | sed -n -e 's/^.\+$SWBD$$[[:digit:]]\{1,\}$.\+$/\2/gp' 2> /dev/null` # Determine the state-sync transport based on the platform identifier. if [ $SWBD = 62 -o $SWBD = 77 ]; then export INET_IFACE="bond0" else export INET_IFACE="eth0" fi echo_debug() { echo $* 1>&2 } iptab_create_header() { # Start generating rules file echo "# Generated by createiptab $version" > $RULE_FILE echo "*filter" >> $RULE_FILE echo ":INPUT DROP [0:0]" >> $RULE_FILE echo ":FORWARD ACCEPT [0:0]" >> $RULE_FILE echo ":OUTPUT ACCEPT [0:0]" >> $RULE_FILE } iptab_create_rule_chains() { for rule_item in $rule_chains do echo ":$rule_item - [0:0]" >> $RULE_FILE done } iptab_priv_net_create_rule_chain() { echo ":$R_PRIV_NET - [0:0]" >> $RULE_FILE } # get switch type, term/Ulysses and cp type for Ulysses iptab_get_cp_association() { # Change the names to CPRUL and change it to ACTIVE, STANDBY and PIZZABO if [ "$ischassis" = "Yes" ] && [ "$CPSTATE" = "Standby" ]; then ACTIVECP=0 # Dual chassis stanby CP elif [ "$ischassis" = "Yes" ]; then ACTIVECP=1 # Dual chassis active CP else ACTIVECP=2 # Single Chassis box fi export ACTIVECP } iptab_priv_net_put_chain_rules() { # DO check for Active and pizza box if [ "$ACTIVECP" = "0" ]; then echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE -j $R_PRIV_NET" echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET" echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET -d $PRIV_NET -j ACCEPT" echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT" echo "$IPTABLES -A $R_PRIV_NET -j REJECT" fi if [ "$ACTIVECP" = "2" ]; then # # setup BP interface only on systems where it is available # /sbin/ifconfig $INTERNAL_IFACE_BP 1>$ERRFILE 2>$ERRFILE if [ $? -eq 0 ]; then echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET" echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT" echo "$IPTABLES -A $R_PRIV_NET -j REJECT" fi fi } iptab_create_common_rules() { declare -a ipfcarr ipfcarr=( `/fabos/cliexec/ipaddripfcshow`) # Loads contents element_count=${#ipfcarr[*]} # default policy or all, eth1 should always be allowed because # two CPs talk on this. Terminator does not need eth1 rule. # These two rules should not be removed at all, as this rule redirects # all incoming packets to tcp and udp chains. echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_TCP -j $R_TCP" echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_UDP -j $R_UDP" if [ "$POLICYTYPE" = "v4" ]; then if [ "$CPSTATE" = "Active" ]; then # detaching FC IP address FC interface, and no specific interface is specified. # defect # 25011 - because of ARP cache corruption, this association can not be # enforced,. ARP cache is corrupted because of Linux behaviour where it does # not support two physical interfaces on same subnet. for (( i=0; i<${element_count}; i++ )); do IP=`echo ${ipfcarr[$i]} | cut -d / -f 1` NETMASK=`echo ${ipfcarr[$i]} | cut -d / -f 2` if ! [ -z $(echo $NETMASK | sed -e 's/[0-9]//g') ] || [ "$NETMASK" = "" ]; then ipfcarr[$i]=$IP fi if valid_ip ${ipfcarr[$i]}; then echo "$IPTABLES -A INPUT -p $PROTO_TCP -d ${ipfcarr[$i]} -j ACCEPT" echo "$IPTABLES -A INPUT -p $PROTO_UDP -d ${ipfcarr[$i]} -j ACCEPT" fi done fi echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP1 --icmp-type 8 -j DROP" echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP2 --icmp-type 8 -j DROP" if [ "$ACTIVECP" == "2" ]; then echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP1 --icmp-type 8 -j DROP" echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP2 --icmp-type 8 -j DROP" fi # Explain about the ping request and responses which ping and try to find out echo "$IPTABLES -A INPUT -p $PROTO_ICMP -m $PROTO_ICMP --icmp-type 0 -j ACCEPT" echo "$IPTABLES -A INPUT -p $PROTO_ICMP -m $PROTO_ICMP --icmp-type 8 -j ACCEPT" # Defect 221041, allow fragmentation-needed ICMP packets so we can tunnel management traffic echo "$IPTABLES -A INPUT -p $PROTO_ICMP --icmp-type fragmentation-needed -j ACCEPT" elif [ "$POLICYTYPE" = "v6" ]; then # echo "$IPTABLES -A INPUT -p icmpv6 -j LOG" # Future work: find about exact icmp types echo "$IPTABLES -A INPUT -p icmpv6 -j ACCEPT" fi # # setup BP interface only on systems where it is available # if [ "$POLICYTYPE" = "v4" ]; then if /sbin/ifconfig $INTERNAL_IFACE_BP 1>$ERRFILE 2>$ERRFILE; then echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_BP -j ACCEPT" echo "$IPTABLES -A FORWARD -o $INTERNAL_IFACE_BP -j REJECT" echo "$IPTABLES -A FORWARD -i $INTERNAL_IFACE_BP -j REJECT" fi fi # # setup to always receive anything on DCE interfaces # echo "$IPTABLES -A INPUT -i $DCE_IFACE -j ACCEPT" >> $RULE_FILE echo "$IPTABLES -A INPUT -i $DCE_VLAN_IFACE -j ACCEPT" >> $RULE_FILE if [ "$ACTIVECP" != "2" ]; then # set up forwarding rules, no forwarding from/to eth1 echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE -j ACCEPT" echo "$IPTABLES -A FORWARD -o $INTERNAL_IFACE -j REJECT" echo "$IPTABLES -A FORWARD -i $INTERNAL_IFACE -j REJECT" # echo "$IPTABLES -A INPUT -s $PRIV_NET -j REJECT" # echo "$IPTABLES -A INPUT -d $PRIV_NET -j REJECT" fi echo "$IPTABLES -A INPUT -i lo -j ACCEPT" if [ "$ACTIVECP" == "2" ]; then # should not be chassis # # set up inbd rule for INPUT, inbd0 or inbd1 interface will not be up yet # echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_TCP -j $R_TCP" echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_UDP -j $R_UDP" fi # # allow AH, ESP and IKE packets # echo "$IPTABLES -A INPUT -p udp --dport 500 --j ACCEPT" echo "$IPTABLES -A INPUT -p esp -j ACCEPT" echo "$IPTABLES -A INPUT -p ah -j ACCEPT" echo "$IPTABLES -A OUTPUT -p udp --dport 500 --j ACCEPT" echo "$IPTABLES -A OUTPUT -p esp -j ACCEPT" echo "$IPTABLES -A OUTPUT -p ah -j ACCEPT" # this is necessary so clients do not hang waiting for response. # this was discovered with firmwaredownload echo "$IPTABLES -A INPUT -j REJECT" # This is a policy to drop all incoming packets which will not hit. echo "$IPTABLES -P INPUT DROP" } # iptab_create_common_rules iptab_nat_create_v4_rules() { # Creating rules for nat table HOSTNAME=`hostname` HOSTFILE=/etc/hosts IP_ETH0=`sed -n -e 's/ .*'$HOSTNAME'.*//gp' $HOSTFILE` IP_TABLES=/sbin/iptables if [ "$ACTIVECP" = "2" ]; then $IP_TABLES -t nat -vL 1>$ERRFILE 2>$ERRFILE if [ $? -eq 0 ]; then $IP_TABLES -t nat -A POSTROUTING -o $INTERNAL_IFACE_1250 -j SNAT --to $IP_ETH0 fi fi } # iptab_nat_create_v4_rules #/////////////////////////////// ################################ # start of this script ################################ #/////////////////////////////// POLICYFILE="/etc/fabos/ipfpolicy."$POLICYTYPE"."$CPSTATE".txt" POLICYFILE_OLD="/tmp/old_ipfpolicy."$POLICYTYPE"."$CPSTATE".txt" NEW_IPFCFILE="/etc/fabos/ipfc.txt" OLD_IPFCFILE="/tmp/oldipfc.txt" OLD_4RULESFILE="/tmp/oldip4rule.txt" OLD_6RULESFILE="/tmp/oldip6rule.txt" # check if text policy file exists. If not, exit. if [ ! -f $POLICYFILE ]; then exit 1 fi /fabos/cliexec/ipaddripfcshow >>$NEW_IPFCFILE if [ -f $POLICYFILE_OLD ]; then HASH_NEW=`/usr/bin/md5sum $POLICYFILE` HASH_NEW=${HASH_NEW%% *} HASH_OLD=`/usr/bin/md5sum $POLICYFILE_OLD` HASH_OLD=${HASH_OLD%% *} if [ "$HASH_NEW" = "$HASH_OLD" ]; then if [ ! -f $OLD_IPFCFILE ]; then exit 0 fi IPFCHASH_NEW=`/usr/bin/md5sum $NEW_IPFCFILE` IPFCHASH_NEW=${IPFCHASH_NEW%% *} IPFCHASH_OLD=`/usr/bin/md5sum $OLD_IPFCFILE` IPFCHASH_OLD=${IPFCHASH_OLD%% *} if [ "$IPFCHASH_NEW" = "$IPFCHASH_OLD" ]; then exit 0 fi fi fi chassis_info=`getchassisconfig` export ischassis=`echo $chassis_info | sed -n -e 's/.*Chassis based system: //p' | \ sed -n -e 's/ .*//p'` iptab_create_header; # get switch type, term/Ulysses and cp type for Ulysses iptab_get_cp_association; # create rule chain names iptab_create_rule_chains ; #SAGAR:Required only for ipv4 Stack if [ "$POLICYTYPE" = "v4" ]; then iptab_priv_net_create_rule_chain; fi $SCRDIR/$CREATECHAINS $POLICYTYPE $CPSTATE; if [ "$?" != "0" ]; then iptab_clear_rules; exit 1 fi if [ "$POLICYTYPE" = "v4" ]; then iptab_priv_net_put_chain_rules >> $RULE_FILE fi iptab_create_common_rules >> $RULE_FILE echo "COMMIT" >> $RULE_FILE echo "# Completed" >> $RULE_FILE if [ "$POLICYTYPE" = "v4" ]; then /sbin/iptables-restore < $RULE_FILE 1> /dev/null 2>&1 else /sbin/ip6tables-restore < $RULE_FILE 1> /dev/null 2>&1 fi if [ $? != 0 ]; then iptab_clear_rules; echo "ERROR: Failed to enforce new iptables rules" if [ -f $RULE_FILE ]; then ERRFILE="/tmp/oldrules.`/bin/date +\"%s\"`.txt" if [ "$POLICYTYPE" = "v4" ]; then /sbin/iptables-restore < $RULE_FILE >> $ERRFILE /bin/mv $RULE_FILE $OLD_4RULESFILE else /sbin/ip6tables-restore < $RULE_FILE >> $ERRFILE /bin/mv $RULE_FILE $OLD_6RULESFILE fi fi exit 1 fi /bin/mv $POLICYFILE $POLICYFILE_OLD /bin/mv $NEW_IPFCFILE $OLD_IPFCFILE # add NAT table rule(s) for inbd interface if [ "$POLICYTYPE" = "v4" ]; then iptab_nat_create_v4_rules; fi # add forwarding rule, let it be commented, can be uncommented when needed # if uncommented, FORWARD rule also must be changed to ACCEPT # echo "1" > /proc/sys/net/ipv4/ip_forward