#!/bin/sh
#
# Usage: createipf <POLICYTYPE: v4|v6> <CPSTATE: Active|Standby>
#
# Rules are processed as follows.
# ---------- -------
# | INPUT |-------->| TCP |------> Other protocol rules
# ---------- -------
# |
# | -------
# -------------->| UDP |------> Other protocol rules
# -------
#
# splitting rule processing in two levels makes it faster
# to execute.
# Pin PATH so that iptables, sed, grep, md5sum, hostname etc. below cannot be
# redirected through a caller-supplied PATH; /fabos/* takes precedence.
# NOTE: the script runs under #!/bin/sh but uses bash features (the
# "function" keyword, arrays, "for (( ))", "==" inside [ ]), so /bin/sh
# must be bash on this platform.
export PATH=/fabos/sbin:/fabos/bin:/bin:/usr/bin:/sbin
# update version whenever script is changed
# IPTABLES variable is not defined, hence will be null
# this variable is kept if script is changed to use a
# path for iptables, this variable can be set to proper
# location
# debug_on is not read anywhere in this file.
export debug_on=0
# Exactly two positional arguments are required (POLICYTYPE and CPSTATE,
# assigned below); anything else is a usage error.
if [ $# != 2 ]; then
echo "ERROR: $0, Incorrect number of parameters."
#Not required.
#iptab_clear_rules;
exit 1
fi
# $1 -- which netfilter stack to program; compared against "v4" and "v6"
# below.  Any other value makes iptab_clear_rules reset BOTH stacks.
export POLICYTYPE=$1
# $2 -- role of this control processor; compared against "Active" and
# "Standby" below.
export CPSTATE=$2
# Written into the header comment of the generated rules file only.
version=v1.1
#NEED TO CREATE IP6TABLES ALSO.
# iptab_clear_rules
#   Resets the netfilter stack(s) selected by $POLICYTYPE to a fully open
#   state: default policy of INPUT/OUTPUT/FORWARD back to ACCEPT, every
#   rule flushed, every user chain deleted.  "v4" touches iptables only,
#   "v6" ip6tables only, anything else both.
#   This is called on every error path of the script, so a failure to build
#   or load a policy leaves the CP with no packet filtering at all
#   (fail-open) rather than keeping the previous rule set.
iptab_clear_rules()
{
	local tools tool chain
	case "$POLICYTYPE" in
		v4) tools="iptables" ;;
		v6) tools="ip6tables" ;;
		*)  tools="iptables ip6tables" ;;
	esac
	for tool in $tools; do
		for chain in INPUT OUTPUT FORWARD; do
			$tool -P $chain ACCEPT
		done
		$tool -F
		$tool -X
	done
}
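# valid_ip ADDR
#   Returns 0 when ADDR is a dotted-quad IPv4 address (first octet 1-255,
#   others 0-255, no leading zeros), optionally followed by "/PREFIX" with
#   PREFIX in 0..32; returns 1 for anything else, including an empty string.
#   The result decides whether a token from ipaddripfcshow is spliced into an
#   iptables "-d" rule, so the pattern is anchored at BOTH ends: the previous
#   expression had no trailing "$", so "1.2.3.4junk" or "1.2.3.4/99" passed
#   and then made iptables-restore reject the whole rules file (which the
#   caller answers by clearing all rules).  Leading-zero octets ("010") are
#   rejected because some parsers read them as octal.
valid_ip()
{
	local ip=$1
	local first='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])'
	local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])'
	local prefix='([0-9]|[12][0-9]|3[0-2])'
	if printf '%s\n' "$ip" | grep -Eq "^${first}(\.${octet}){3}(/${prefix})?$"; then
		return 0
	fi
	return 1
}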
#USER DEFINED PARAMETERS
# Destination for the stdout/stderr of the probe commands (ifconfig,
# iptables -t nat -vL) run while generating rules.
ERRFILE="/dev/null"
# Interfaces.  eth1 carries CP-to-CP traffic on a chassis, eth2 is the "BP"
# link (presumably backplane -- only present on some systems, probed with
# ifconfig), inbd+ (inbd0/inbd1) is only used on a single-CP system, and
# veth+/vlan+ are the DCE interfaces that are always accepted.
INTERNAL_IFACE=eth1
INTERNAL_IFACE_BP=eth2
INTERNAL_IFACE_1250=inbd+
DCE_IFACE="veth+"
DCE_VLAN_IFACE="vlan+"
FC="fc"
# Directory holding the companion $CREATECHAINS script.
SCRDIR="/fabos/libexec"
# Private CP-to-CP subnets, and the two internal CP addresses that must not
# answer echo requests arriving from the management network.
PRIV_NET=10.0.0.0/28
PRIV_NET_BP=127.1.0.0/16
INTERNAL_IP1=10.0.0.5
INTERNAL_IP2=10.0.0.6
# NOTE(review): the rules are staged at a fixed, predictable path under /tmp
# and then fed to iptables-restore.  If /tmp on this platform is writable by
# anyone other than root, a pre-created file or symlink at this name could
# inject or divert rules; mktemp would be the usual remedy -- confirm the
# directory's mode before relying on this.
RULE_FILE=/tmp/netfilter.rules
PROTO_TCP=tcp
PROTO_UDP=udp
PROTO_ICMP=icmp
# Names of the user chains in the generated rules file.  The R_* names and
# $rule_chains must stay in sync; $R_PRIV_NET is created separately and only
# for the v4 policy.
R_TCP=tcp0
R_UDP=udp0
R_ICMP=icmp0
R_TELNET=telnet0
R_SSH=ssh0
R_HTTP=http0
R_APIRPCUDP=apirpcudp0
R_APIRPCTCP=apirpctcp0
R_APIPMAP=apipmap0
R_TCPCOMMON=tcpcommon0
R_UDPCOMMON=udpcommon0
R_PRIV_NET=priv_net_rule
# Everything above is exported because $CREATECHAINS is run as a child
# process and is expected to use the same names.
export ERRFILE INTERNAL_IFACE INTERNAL_IFACE_BP INTERNAL_IFACE_1250
export DCE_IFACE DCE_VLAN_IFACE FC SCRDIR
export PRIV_NET PRIV_NET_BP INTERNAL_IP1 INTERNAL_IP2 RULE_FILE
export PROTO_TCP PROTO_UDP PROTO_ICMP
export R_TCP R_UDP R_ICMP R_TELNET R_SSH R_HTTP
export R_APIRPCUDP R_APIRPCTCP R_APIPMAP R_TCPCOMMON R_UDPCOMMON R_PRIV_NET
# Not exported: read only by this script.
rule_chains="tcp0 udp0 telnet0 ssh0 http0 apirpctcp0 apirpcudp0 apipmap0 tcpcommon0 udpcommon0"
CREATECHAINS="createipfchains"
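# Determine the system platform identifier: the digits following "SWBD" in
# the board string printed by /sbin/sin.  Empty when sin is missing, fails,
# or prints no SWBD token; both commands' stderr is silenced because the
# value is only used to pick an interface name below.
SWBD=$(/sbin/sin 2>/dev/null | sed -n -e 's/^.\+\(SWBD\)\([[:digit:]]\{1,\}\).\+$/\2/gp' 2>/dev/null)
# Pick the management interface from the platform identifier: platforms 62
# and 77 use the bonded interface, every other platform -- and an unknown or
# empty SWBD -- uses eth0.  A "case" on the quoted value is used so that an
# empty SWBD no longer turns the comparison into a malformed "[ = 62 -o = 77 ]"
# test that only reached the eth0 branch by erroring out.
case "$SWBD" in
	62|77) export INET_IFACE="bond0" ;;
	*)     export INET_IFACE="eth0" ;;
esac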
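# echo_debug ARGS...
#   Writes its arguments, joined by single spaces, as one line on stderr so
#   that debug output never lands in the rules file the callers redirect
#   stdout into.  "$*" is quoted so the arguments are neither glob-expanded
#   nor re-split (the unquoted "echo $*" turned "*" into a directory listing
#   and collapsed runs of spaces), and printf is used because echo would
#   treat a leading "-n"/"-e" argument as an option.
echo_debug()
{
	printf '%s\n' "$*" >&2
}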
# iptab_create_header
#   Truncates $RULE_FILE and writes the iptables-save style preamble for the
#   filter table: a version comment, "*filter", and the built-in chains with
#   their default policies (INPUT DROP, FORWARD/OUTPUT ACCEPT).  Everything
#   else in this script appends to the same file.
iptab_create_header()
{
	printf '%s\n' \
		"# Generated by createiptab $version" \
		'*filter' \
		':INPUT DROP [0:0]' \
		':FORWARD ACCEPT [0:0]' \
		':OUTPUT ACCEPT [0:0]' > "$RULE_FILE"
}
# iptab_create_rule_chains
#   Appends one ":NAME - [0:0]" declaration to $RULE_FILE for each
#   whitespace-separated chain name in $rule_chains, so the user chains
#   exist before $CREATECHAINS fills them.
iptab_create_rule_chains()
{
	local chain
	for chain in $rule_chains; do
		printf ':%s - [0:0]\n' "$chain" >> "$RULE_FILE"
	done
}
# iptab_priv_net_create_rule_chain
#   Appends the declaration of the $R_PRIV_NET user chain to $RULE_FILE.
#   Only called for the v4 policy; the chain's rules are emitted later by
#   iptab_priv_net_put_chain_rules.
iptab_priv_net_create_rule_chain()
{
	printf ':%s - [0:0]\n' "$R_PRIV_NET" >> "$RULE_FILE"
}
# iptab_get_cp_association
#   Classifies this control processor from $ischassis and $CPSTATE and
#   exports the result as ACTIVECP:
#     0 -- standby CP of a chassis
#     1 -- active CP of a chassis (any CPSTATE other than "Standby")
#     2 -- single-CP system ("pizza box"), whatever CPSTATE says
iptab_get_cp_association()
{
	if [ "$ischassis" != "Yes" ]; then
		ACTIVECP=2
	elif [ "$CPSTATE" = "Standby" ]; then
		ACTIVECP=0
	else
		ACTIVECP=1
	fi
	export ACTIVECP
}
# iptab_priv_net_put_chain_rules
#   Prints (on stdout; the caller appends it to $RULE_FILE) the OUTPUT rules
#   that confine traffic leaving on the internal CP links to the private
#   CP-to-CP subnets: everything sent out of those interfaces is steered into
#   $R_PRIV_NET, which ACCEPTs only $PRIV_NET->$PRIV_NET and
#   $PRIV_NET_BP->$PRIV_NET_BP and REJECTs the rest.
#   ACTIVECP=0 (standby CP of a chassis) guards both eth1 and the BP link;
#   ACTIVECP=2 (single-CP box) guards the BP link only, and only when
#   ifconfig shows it exists; ACTIVECP=1 (active CP) emits nothing.
#   $IPTABLES is unset in this file, so each line starts with " -A".
iptab_priv_net_put_chain_rules()
{
	case "$ACTIVECP" in
	0)
		echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE -j $R_PRIV_NET"
		echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET"
		echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET -d $PRIV_NET -j ACCEPT"
		echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT"
		echo "$IPTABLES -A $R_PRIV_NET -j REJECT"
		;;
	2)
		# Only systems that actually have the BP interface get these rules.
		if /sbin/ifconfig $INTERNAL_IFACE_BP 1>$ERRFILE 2>$ERRFILE; then
			echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET"
			echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT"
			echo "$IPTABLES -A $R_PRIV_NET -j REJECT"
		fi
		;;
	esac
}
# iptab_create_common_rules
#   Emits (on stdout; the caller appends stdout to $RULE_FILE) the INPUT,
#   FORWARD and OUTPUT rules shared by every policy, after $CREATECHAINS has
#   generated the per-service chains.  netfilter takes the first matching
#   rule, so ORDER MATTERS: the dispatch into the tcp0/udp0 policy chains
#   comes first and the catch-all REJECT last.
#   Reads: POLICYTYPE, CPSTATE, ACTIVECP, INET_IFACE, INTERNAL_IFACE*,
#   DCE_IFACE, DCE_VLAN_IFACE, INTERNAL_IP1/2, R_TCP, R_UDP, PROTO_*,
#   RULE_FILE, ERRFILE.  $IPTABLES is never set in this file, so every line
#   emitted starts with a space followed by "-A ..." (see the note at the
#   top of the file).
iptab_create_common_rules()
{
declare -a ipfcarr
# Whitespace-split output of ipaddripfcshow; the loop below expects one
# "ADDR" or "ADDR/MASK" token per FC IP address -- TODO confirm the format.
ipfcarr=( `/fabos/cliexec/ipaddripfcshow`) # Loads contents
element_count=${#ipfcarr[*]}
# default policy or all, eth1 should always be allowed because
# two CPs talk on this. Terminator does not need eth1 rule.
# These two rules should not be removed at all, as this rule redirects
# all incoming packets to tcp and udp chains.
# Only traffic arriving on the management interface is subject to the
# tcp0/udp0 policy chains; other interfaces are handled further down.
echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_TCP -j $R_TCP"
echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_UDP -j $R_UDP"
if [ "$POLICYTYPE" = "v4" ]; then
if [ "$CPSTATE" = "Active" ]; then
# detaching FC IP address FC interface, and no specific interface is specified.
# defect # 25011 - because of ARP cache corruption, this association can not be
# enforced,. ARP cache is corrupted because of Linux behaviour where it does
# not support two physical interfaces on same subnet.
# SECURITY NOTE: each rule emitted in this loop accepts ALL TCP and UDP
# addressed to an FC IP address, on any interface and without passing
# through the per-service chains -- the ipfilter policy does not apply to
# traffic sent to those addresses.  valid_ip is the only check between the
# ipaddripfcshow output and the rules file.
for (( i=0; i<${element_count}; i++ ));
do
IP=`echo ${ipfcarr[$i]} | cut -d / -f 1`
NETMASK=`echo ${ipfcarr[$i]} | cut -d / -f 2`
# Keep "ADDR/MASK" only when MASK is purely numeric (a prefix length).
# A dotted mask, or no "/" at all (cut then returns the whole token as
# field 2), reduces the entry to the bare address.  With the $(...) unquoted,
# a numeric mask yields "[ -z ]" with no operand, which test treats as true;
# the logic therefore works, but only by that accident.
if ! [ -z $(echo $NETMASK | sed -e 's/[0-9]//g') ] || [ "$NETMASK" = "" ]; then
ipfcarr[$i]=$IP
fi
if valid_ip ${ipfcarr[$i]}; then
echo "$IPTABLES -A INPUT -p $PROTO_TCP -d ${ipfcarr[$i]} -j ACCEPT"
echo "$IPTABLES -A INPUT -p $PROTO_UDP -d ${ipfcarr[$i]} -j ACCEPT"
fi
done
fi
# Never answer echo requests for the two internal CP addresses that arrive
# from the management interface (and, on a single-CP box, from the inbd
# links); these DROPs must precede the generic echo ACCEPT below.
echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP1 --icmp-type 8 -j DROP"
echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP2 --icmp-type 8 -j DROP"
if [ "$ACTIVECP" == "2" ]; then
echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP1 --icmp-type 8 -j DROP"
echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP2 --icmp-type 8 -j DROP"
fi
# Echo reply (0) and echo request (8) are accepted from any source on any
# interface, so the switch is pingable and can ping out.
echo "$IPTABLES -A INPUT -p $PROTO_ICMP -m $PROTO_ICMP --icmp-type 0 -j ACCEPT"
echo "$IPTABLES -A INPUT -p $PROTO_ICMP -m $PROTO_ICMP --icmp-type 8 -j ACCEPT"
# Defect 221041, allow fragmentation-needed ICMP packets so we can tunnel management traffic
# (path-MTU discovery; without it tunnelled sessions stall).
echo "$IPTABLES -A INPUT -p $PROTO_ICMP --icmp-type fragmentation-needed -j ACCEPT"
elif [ "$POLICYTYPE" = "v6" ]; then
# echo "$IPTABLES -A INPUT -p icmpv6 -j LOG"
# Future work: find about exact icmp types
# SECURITY NOTE: this accepts EVERY ICMPv6 type from any source on any
# interface, not only the types IPv6 needs (neighbour discovery, packet too
# big).  Router advertisements and redirects from the management network are
# therefore not filtered by netfilter at all; narrowing this to specific
# --icmpv6-type values is the "future work" noted above.
echo "$IPTABLES -A INPUT -p icmpv6 -j ACCEPT"
fi
#
# setup BP interface only on systems where it is available
#
# Everything arriving on the BP link is accepted; the link is never
# forwarded in either direction.
if [ "$POLICYTYPE" = "v4" ]; then
if /sbin/ifconfig $INTERNAL_IFACE_BP 1>$ERRFILE 2>$ERRFILE; then
echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_BP -j ACCEPT"
echo "$IPTABLES -A FORWARD -o $INTERNAL_IFACE_BP -j REJECT"
echo "$IPTABLES -A FORWARD -i $INTERNAL_IFACE_BP -j REJECT"
fi
fi
#
# setup to always receive anything on DCE interfaces
#
# NOTE(review): these two lines append straight to $RULE_FILE instead of
# going to stdout like every other rule here.  That only preserves ordering
# because the caller also appends stdout to the same file; a caller that
# captured stdout would silently lose them.
echo "$IPTABLES -A INPUT -i $DCE_IFACE -j ACCEPT" >> $RULE_FILE
echo "$IPTABLES -A INPUT -i $DCE_VLAN_IFACE -j ACCEPT" >> $RULE_FILE
if [ "$ACTIVECP" != "2" ]; then
# set up forwarding rules, no forwarding from/to eth1
# On a chassis everything from the peer CP on eth1 is accepted unfiltered.
echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE -j ACCEPT"
echo "$IPTABLES -A FORWARD -o $INTERNAL_IFACE -j REJECT"
echo "$IPTABLES -A FORWARD -i $INTERNAL_IFACE -j REJECT"
# echo "$IPTABLES -A INPUT -s $PRIV_NET -j REJECT"
# echo "$IPTABLES -A INPUT -d $PRIV_NET -j REJECT"
fi
echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
if [ "$ACTIVECP" == "2" ]; then # should not be chassis
#
# set up inbd rule for INPUT, inbd0 or inbd1 interface will not be up yet
#
# Traffic from the inbd links goes through the same tcp0/udp0 policy chains
# as the management interface.
echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_TCP -j $R_TCP"
echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_1250 -p $PROTO_UDP -j $R_UDP"
fi
#
# allow AH, ESP and IKE packets
#
# IKE (UDP/500), ESP and AH are accepted in both directions from/to any
# address on any interface.  "--j" (sic) presumably only works because
# iptables' long-option matching accepts it as an abbreviation of --jump;
# "-j" is the documented spelling.
echo "$IPTABLES -A INPUT -p udp --dport 500 --j ACCEPT"
echo "$IPTABLES -A INPUT -p esp -j ACCEPT"
echo "$IPTABLES -A INPUT -p ah -j ACCEPT"
echo "$IPTABLES -A OUTPUT -p udp --dport 500 --j ACCEPT"
echo "$IPTABLES -A OUTPUT -p esp -j ACCEPT"
echo "$IPTABLES -A OUTPUT -p ah -j ACCEPT"
# this is necessary so clients do not hang waiting for response.
# this was discovered with firmwaredownload
# Catch-all: anything not accepted above is REJECTed (an ICMP error goes
# back to the sender) rather than silently dropped by the INPUT policy, so
# closed ports are distinguishable from a dead host; this is a deliberate
# trade of stealth for fast client failure.
echo "$IPTABLES -A INPUT -j REJECT"
# This is a policy to drop all incoming packets which will not hit.
# Redundant with the ":INPUT DROP" line written by iptab_create_header and
# unreachable behind the REJECT above; kept as belt-and-braces.
echo "$IPTABLES -P INPUT DROP"
} # iptab_create_common_rules
# iptab_nat_create_v4_rules
#   On a single-CP system (ACTIVECP=2) adds, directly with iptables rather
#   than through $RULE_FILE, a POSTROUTING SNAT rule that rewrites traffic
#   leaving on the inbd links to the address /etc/hosts lists for this
#   host name.  The rule is only added if the nat table can be listed.
#   Nothing is done on a chassis.
#   NOTE(review): the host name is spliced unescaped into a sed expression,
#   and the sed prints every matching line, so a host name containing regex
#   metacharacters or appearing on several /etc/hosts lines yields an empty
#   or multi-word "--to" argument; iptables' exit status is not checked.
iptab_nat_create_v4_rules()
{
	local host hosts_file mgmt_ip ipt
	host=$(hostname)
	hosts_file=/etc/hosts
	# Strip everything from the first space on a line mentioning the host,
	# leaving the leading address field.
	mgmt_ip=$(sed -n -e 's/ .*'"$host"'.*//gp' "$hosts_file")
	ipt=/sbin/iptables
	[ "$ACTIVECP" = "2" ] || return 0
	if "$ipt" -t nat -vL 1>$ERRFILE 2>$ERRFILE; then
		"$ipt" -t nat -A POSTROUTING -o $INTERNAL_IFACE_1250 -j SNAT --to $mgmt_ip
	fi
} # iptab_nat_create_v4_rules
#///////////////////////////////
################################
# start of this script
################################
#///////////////////////////////
# Policy input for this stack/role, and the previous copies used to detect
# whether anything changed since the last successful run.  The "old" copies
# and the failed-rules dumps live under predictable names in /tmp; if /tmp
# is writable by non-root users on this platform, planting matching copies
# there would make the change check below skip applying a new policy --
# confirm the directory's mode.
POLICYFILE="/etc/fabos/ipfpolicy."$POLICYTYPE"."$CPSTATE".txt"
POLICYFILE_OLD="/tmp/old_ipfpolicy."$POLICYTYPE"."$CPSTATE".txt"
NEW_IPFCFILE="/etc/fabos/ipfc.txt"
OLD_IPFCFILE="/tmp/oldipfc.txt"
OLD_4RULESFILE="/tmp/oldip4rule.txt"
OLD_6RULESFILE="/tmp/oldip6rule.txt"
# check if text policy file exists. If not, exit.
if [ ! -f $POLICYFILE ]; then
exit 1
fi
# Snapshot the current FC IP addresses so a change in them also triggers a
# rebuild.  NOTE(review): this APPENDS; after an "unchanged" early exit
# below the file is not rotated, so the next run appends a second copy and
# the hash can never match again until a full run moves it aside.
# Presumably ">" was intended -- verify.
/fabos/cliexec/ipaddripfcshow >>$NEW_IPFCFILE
# Skip the rebuild when neither the policy text nor the FC address list has
# changed since the last successful run (md5 used as a change detector only).
if [ -f $POLICYFILE_OLD ]; then
HASH_NEW=`/usr/bin/md5sum $POLICYFILE`
HASH_NEW=${HASH_NEW%% *}
HASH_OLD=`/usr/bin/md5sum $POLICYFILE_OLD`
HASH_OLD=${HASH_OLD%% *}
if [ "$HASH_NEW" = "$HASH_OLD" ]; then
if [ ! -f $OLD_IPFCFILE ]; then
exit 0
fi
IPFCHASH_NEW=`/usr/bin/md5sum $NEW_IPFCFILE`
IPFCHASH_NEW=${IPFCHASH_NEW%% *}
IPFCHASH_OLD=`/usr/bin/md5sum $OLD_IPFCFILE`
IPFCHASH_OLD=${IPFCHASH_OLD%% *}
if [ "$IPFCHASH_NEW" = "$IPFCHASH_OLD" ]; then
exit 0
fi
fi
fi
# "Yes"/"No" token following "Chassis based system: " in the
# getchassisconfig output; anything else (including an empty result) is
# treated as "not a chassis" by iptab_get_cp_association.
chassis_info=`getchassisconfig`
export ischassis=`echo $chassis_info | sed -n -e 's/.*Chassis based system: //p' | \
sed -n -e 's/ .*//p'`
# Build the rules file: header, chain declarations, per-service chains
# (from the companion script), then the common rules and COMMIT.
iptab_create_header;
# get switch type, term/Ulysses and cp type for Ulysses
iptab_get_cp_association;
# create rule chain names
iptab_create_rule_chains ;
#SAGAR:Required only for ipv4 Stack
if [ "$POLICYTYPE" = "v4" ]; then
iptab_priv_net_create_rule_chain;
fi
# The companion script fills the per-service chains (it is expected to
# append to the exported $RULE_FILE).
$SCRDIR/$CREATECHAINS $POLICYTYPE $CPSTATE;
# NOTE(review): FAIL-OPEN.  Both this error path and the restore failure
# below call iptab_clear_rules, which sets every policy to ACCEPT and
# flushes all rules, i.e. the CP is left completely unfiltered until the
# next successful run.  Saving the live rules (iptables-save) before the
# restore and reloading them on failure would fail closed instead.
if [ "$?" != "0" ]; then
iptab_clear_rules;
exit 1
fi
if [ "$POLICYTYPE" = "v4" ]; then
iptab_priv_net_put_chain_rules >> $RULE_FILE
fi
iptab_create_common_rules >> $RULE_FILE
echo "COMMIT" >> $RULE_FILE
echo "# Completed" >> $RULE_FILE
# Load the whole file atomically; output is discarded here and only
# recovered by the re-run in the failure branch below.
if [ "$POLICYTYPE" = "v4" ]; then
/sbin/iptables-restore < $RULE_FILE 1> /dev/null 2>&1
else
/sbin/ip6tables-restore < $RULE_FILE 1> /dev/null 2>&1
fi
if [ $? != 0 ]; then
iptab_clear_rules;
echo "ERROR: Failed to enforce new iptables rules"
if [ -f $RULE_FILE ]; then
# Re-run the restore to capture its diagnostics, then park the bad file.
# NOTE(review): only stdout is redirected; iptables-restore reports the
# failing line on stderr, so the dump file will usually be empty -- "2>&1"
# was presumably intended.  The dump name is predictable and opened with
# ">>", the classic /tmp symlink hazard if /tmp is shared.
ERRFILE="/tmp/oldrules.`/bin/date +\"%s\"`.txt"
if [ "$POLICYTYPE" = "v4" ]; then
/sbin/iptables-restore < $RULE_FILE >> $ERRFILE
/bin/mv $RULE_FILE $OLD_4RULESFILE
else
/sbin/ip6tables-restore < $RULE_FILE >> $ERRFILE
/bin/mv $RULE_FILE $OLD_6RULESFILE
fi
fi
exit 1
fi
# Success: the policy and FC-address snapshot become the "old" copies for
# the next change check.  The policy file is MOVED out of /etc/fabos, so a
# subsequent run finds no $POLICYFILE and exits 1 unless something
# regenerates it first -- TODO confirm the producer of this file.
/bin/mv $POLICYFILE $POLICYFILE_OLD
/bin/mv $NEW_IPFCFILE $OLD_IPFCFILE
# add NAT table rule(s) for inbd interface
# NOTE(review): this appends to the nat table on every successful run and
# nothing in this file flushes the nat table (iptab_clear_rules' -F acts on
# the filter table), so duplicate SNAT rules presumably accumulate over time.
if [ "$POLICYTYPE" = "v4" ]; then
iptab_nat_create_v4_rules;
fi
# add forwarding rule, let it be commented, can be uncommented when needed
# if uncommented, FORWARD rule also must be changed to ACCEPT
# echo "1" > /proc/sys/net/ipv4/ip_forward