ftp.jcu.edu.au

home *** CD-ROM | disk | FTP | other *** search

/ ftp.jcu.edu.au / 2014.06.ftp.jcu.edu.au.tar / ftp.jcu.edu.au / v6.3.2b / SWBD63 / fabos-6.3.2b-10.ppc.rpm / fabos-6.3.2b.10.cpio.gz / fabos-6.3.2b.10.cpio / fabos / libexec / createiptab < prev next >

Wrap

Text File | 2010-11-10 | 10KB | 371 lines

#!/bin/sh # # Usage: createiptab.sh # # Rule are defined as follows. # ---------- ------- # | INPUT |-------->| TCP |------> Other protocol rules # ---------- ------- # | # | ------- # -------------->| UDP |------> Other protocol rules # ------- # # splitting rule processing in two levels makes it faster # to execute. export PATH=/fabos/sbin:/fabos/bin:/bin:/usr/bin:/sbin # update version whenever script is changed # IPTABLES variable is not defined, hence will be null # this variable is kept if script is changed to use a # path for iptables, this variable can be set to proper # location export debug_on=0 iptab_clear_rules() { iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X } if [ $# != 3 ]; then echo "ERROR: $0, Incorrect number of parameters." iptab_clear_rules; exit 1 fi # third parameter is CP IP, script will differentiate based on CPSTATE export ACTCP_IP=$1 export CPNAME=$2 export CPSTATE=$3 version=v1.0 iptables_restore=/sbin/iptables-restore export ERRFILE="/dev/null" export INTERNAL_IFACE=eth1 export INTERNAL_IFACE_BP=eth2 export INET_IFACE="eth0" export DCE_IFACE="veth+" export DCE_VLAN_IFACE="vlan+" export FC="fc" export SCRDIR="/fabos/libexec" export PRIV_NET=10.0.0.0/28 export PRIV_NET_BP=127.1.0.0/16 export INTERNAL_IP1=10.0.0.5 export INTERNAL_IP2=10.0.0.6 export rule_file=/tmp/netfilter.rules export proto_tcp=tcp export proto_udp=udp export proto_icmp=icmp PROTO_TELNET=telnet PROTO_SSH=ssh PROTO_HTTP=http PROTO_APIRPC=apirpc PROTO_APIPMAP=apipmap PROTO_TCPCOMM=tcpcommon PROTO_UDPCOMM=udpcommon PRIV_NET_RULE=priv_net_rule rule_chains="tcp udp telnet ssh http apirpc apipmap tcpcommon udpcommon" CREATECHAINS="createchains" echo_debug() { echo $* 1>&2 } iptab_clean_up () { rm -f $rule_file } iptab_create_header() { # Start generating rules file echo "# Generated by createiptab $version" > $rule_file echo "*filter" >> $rule_file echo ":INPUT DROP [0:0]" >> $rule_file echo ":FORWARD ACCEPT [0:0]" >> $rule_file echo ":OUTPUT ACCEPT [0:0]" >> $rule_file } iptab_sw_create_rule_chains() { swinst=$1; for rule_item in $rule_chains do # need this for both tcp and udp if [ "apirpc" = "$rule_item" ]; then echo ":$rule_item$swinst$proto_tcp - [0:0]" >> $rule_file echo ":$rule_item$swinst$proto_udp - [0:0]" >> $rule_file continue; fi echo ":$rule_item$swinst - [0:0]" >> $rule_file done } iptab_priv_net_create_rule_chain() { echo ":$PRIV_NET_RULE - [0:0]" >> $rule_file } iptab_cp_create_rule_chains() { cp_code=$1; echo ":$proto_tcp$cp_code - [0:0]" >> $rule_file echo ":$proto_udp$cp_code - [0:0]" >> $rule_file } iptab_get_cp_association() { if [ "$ischassis" = "Yes" ] && [ "$CPSTATE" = "Standby" ]; then ACTIVECP=0 # Dual chassis stanby CP elif [ "$ischassis" = "Yes" ]; then ACTIVECP=1 # Dual chassis active CP else ACTIVECP=2 # Single Chassis box fi export ACTIVECP } iptab_priv_net_put_chain_rules() { echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE -j $R_PRIV_NET" >> $rule_file echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET" >> $rule_file echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET -d $PRIV_NET -j ACCEPT" >> $rule_file echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT" >> $rule_file echo "$IPTABLES -A $R_PRIV_NET -j REJECT" >> $rule_file } iptab_BP_priv_net_put_chain_rules() { echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET" >> $rule_file echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT" >> $rule_file echo "$IPTABLES -A $R_PRIV_NET -j REJECT" >> $rule_file } iptab_create_common_rules() { if [ "$ACTIVECP" = "1" ]; then secmode0=`/fabos/libexec/secModeGet 0` secmode1=`/fabos/libexec/secModeGet 1` if [ "$secmode0" != "0" -o "$secmode1" != "0" ]; then secmode=1 else secmode=0 fi # echo_debug "debug: secmode=$secmode" # 600 is arbitrarily chosen to allow mounts from switch # it was observed that mount used port above 800 in most cases echo "$IPTABLES -A $R_ACTTCP -p $proto_tcp -m $proto_tcp --dport 897 -j REJECT" >> $rule_file if [ "$secmode" = "0" ]; then echo "$IPTABLES -A $R_ACTTCP -p $proto_tcp -m $proto_tcp --dport 23 -j ACCEPT" >> $rule_file echo "$IPTABLES -A $R_ACTTCP -p $proto_tcp -m $proto_tcp --dport 22 -j ACCEPT" >> $rule_file fi echo "$IPTABLES -A $R_ACTTCP -p $proto_tcp -m $proto_tcp --dport 600: -j ACCEPT" >> $rule_file echo "$IPTABLES -A $R_ACTUDP -p $proto_udp -m $proto_udp --dport 8000 -j REJECT" >> $rule_file echo "$IPTABLES -A $R_ACTUDP -p $proto_udp -m $proto_udp --dport 9090 -j REJECT" >> $rule_file echo "$IPTABLES -A $R_ACTUDP -p $proto_udp -m $proto_udp --dport 123 -j ACCEPT" >> $rule_file echo "$IPTABLES -A $R_ACTUDP -p $proto_udp -m $proto_udp --dport 600: -j ACCEPT" >> $rule_file echo "$IPTABLES -A INPUT -p $proto_tcp -i $INET_IFACE -d $ACTCP_IP -j $R_ACTTCP" >> $rule_file echo "$IPTABLES -A INPUT -p $proto_udp -i $INET_IFACE -d $ACTCP_IP -j $R_ACTUDP" >> $rule_file fi # end for active CP rules # default policy for all, eth1 should always be allowed because # two CPs talk on this. Terminator does not need eth1 rule. echo "$IPTABLES -A INPUT -i $INET_IFACE -p $proto_icmp -m $proto_icmp -d $INTERNAL_IP1 --icmp-type 8 -j DROP" >> $rule_file echo "$IPTABLES -A INPUT -i $INET_IFACE -p $proto_icmp -m $proto_icmp -d $INTERNAL_IP2 --icmp-type 8 -j DROP" >> $rule_file echo "$IPTABLES -A INPUT -p $proto_icmp -m $proto_icmp --icmp-type 0 -j ACCEPT" >> $rule_file echo "$IPTABLES -A INPUT -p $proto_icmp -m $proto_icmp --icmp-type 8 -j ACCEPT" >> $rule_file # # setup BP interface only on systems where it is available # /sbin/ifconfig $INTERNAL_IFACE_BP 1>$ERRFILE 2>$ERRFILE if [ $? -eq 0 ]; then echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_BP -j ACCEPT" >> $rule_file echo "$IPTABLES -A FORWARD -o $INTERNAL_IFACE_BP -j REJECT" >> $rule_file echo "$IPTABLES -A FORWARD -i $INTERNAL_IFACE_BP -j REJECT" >> $rule_file fi # # setup to always receive anything on DCE interfaces # echo "$IPTABLES -A INPUT -i $DCE_IFACE -j ACCEPT" >> $rule_file echo "$IPTABLES -A INPUT -i $DCE_VLAN_IFACE -j ACCEPT" >> $rule_file if [ "$ACTIVECP" != "2" ]; then # set up forwarding rules, no forwarding from/to eth1 echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE -j ACCEPT" >> $rule_file echo "$IPTABLES -A FORWARD -o $INTERNAL_IFACE -j REJECT" >> $rule_file echo "$IPTABLES -A FORWARD -i $INTERNAL_IFACE -j REJECT" >> $rule_file # echo "$IPTABLES -A INPUT -s $PRIV_NET -j REJECT" >> $rule_file # echo "$IPTABLES -A INPUT -d $PRIV_NET -j REJECT" >> $rule_file fi echo "$IPTABLES -A INPUT -i lo -j ACCEPT" >> $rule_file # this is necessary so clients do not hang waiting for response. # this was discovered with firmwaredownload echo "$IPTABLES -A INPUT -j REJECT" >> $rule_file echo "$IPTABLES -P INPUT DROP" >> $rule_file } # iptab_create_common_rules iptab_export_rule_names() { MYSWITCH=$1 export R_TCP=$proto_tcp$MYSWITCH export R_UDP=$proto_udp$MYSWITCH export R_TELNET=$PROTO_TELNET$MYSWITCH export R_SSH=$PROTO_SSH$MYSWITCH export R_HTTP=$PROTO_HTTP$MYSWITCH export R_APIRPCUDP=$PROTO_APIRPC$MYSWITCH"udp" export R_APIRPCTCP=$PROTO_APIRPC$MYSWITCH"tcp" export R_APIPMAP=$PROTO_APIPMAP$MYSWITCH export R_TCPCOMMON=$PROTO_TCPCOMM$MYSWITCH export R_UDPCOMMON=$PROTO_UDPCOMM$MYSWITCH export R_PRIV_NET=$PRIV_NET_RULE if [ "$ACTIVECP" = "1" ]; then export R_ACTTCP="tcp"A export R_ACTUDP="udp"A fi } #/////////////////////////////// ################################ # start of this script ################################ #/////////////////////////////// chassis_info=`getchassisconfig` export ischassis=`echo $chassis_info | sed -n -e 's/.*Chassis based system: //gp' | \ sed -n -e 's/ .*//gp'` export num_switches=`echo $chassis_info | sed -n -e 's/Number of switches: //gp' | \ sed -n -e 's/ .*//gp'` iptab_create_header; # get switch type, term/Ulysses and cp type for Ulysses iptab_get_cp_association; # create rule chain names # standby CP on Ulysses if [ $ACTIVECP = 0 ]; then iptab_sw_create_rule_chains S; iptab_priv_net_create_rule_chain; iptab_export_rule_names S; $SCRDIR/$CREATECHAINS 0; if [ "$?" != "0" ]; then iptab_clear_rules; exit 1 fi iptab_priv_net_put_chain_rules; fi # Dual chassis active CP if [ $ACTIVECP = 1 ]; then number=0 while [ $number -lt $num_switches ]; do iptab_sw_create_rule_chains $number; number=$((number + 1)) done iptab_cp_create_rule_chains A; iptab_priv_net_create_rule_chain; number=0 while [ $number -lt $num_switches ]; do iptab_export_rule_names $number; $SCRDIR/$CREATECHAINS $number; if [ "$?" != "0" ]; then iptab_clear_rules; exit 1 fi number=$((number + 1)) done iptab_priv_net_put_chain_rules; fi # Single chassis box if [ $ACTIVECP = 2 ]; then iptab_sw_create_rule_chains 0; iptab_priv_net_create_rule_chain; iptab_export_rule_names 0; $SCRDIR/$CREATECHAINS 0; if [ "$?" != "0" ]; then iptab_clear_rules; exit 1 fi # # setup BP interface only on systems where it is available # /sbin/ifconfig $INTERNAL_IFACE_BP 1>$ERRFILE 2>$ERRFILE if [ $? -eq 0 ]; then iptab_BP_priv_net_put_chain_rules; fi fi iptab_create_common_rules; echo "COMMIT" >> $rule_file echo "# Completed" >> $rule_file $iptables_restore < $rule_file 1> /dev/null 2>&1 if [ $? != 0 ]; then iptab_clear_rules; echo "ERROR: Failed to enforce new iptables rules" exit 1 fi # add forwarding rule, let it be commented, can be uncommented when needed # if uncommented, FORWARD rule also must be changed to ACCEPT # echo "1" > /proc/sys/net/ipv4/ip_forward # cleanup previous state #iptab_clean_up;