0k-charms/precise/host/hooks/install.d/90-shorewall.sh

#!/bin/bash

##
## shorewall
##

apt-get install -y shorewall

cat <<EOF > /etc/shorewall/zones
fw                firewall
net               ipv4
lan               ipv4
EOF

cat <<EOF > /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0
## Uncomment to enable vpn setup
#vpn    tun0    detect
lan     lxcbr0  -                       routeback
EOF

cat <<EOF > /etc/shorewall/policy
#SOURCE DEST    RULE     LOG

fw      all     ACCEPT
lan     all     ACCEPT
net     all     DROP info
all     all     DROP info
EOF

cat <<EOF > /etc/shorewall/rules
SSH/ACCEPT      net             fw
Ping/ACCEPT     net             fw


BEGIN SHELL

host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"

for name in \$(lxc-ls-running); do
    ip=\$(dig +short A "\$name")
    [ -e "/var/lib/lxc/\$name/shorewall" ] &&
    cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
                                     | sed -r "s/%%IP%%/\$ip/g"

done

true

END SHELL

EOF

cat <<EOF > /etc/shorewall/masq
eth0    lxcbr0
EOF

cat <<EOF > /etc/shorewall/start
## correct a bug that prevent DHCP packet to be correctly sent between
## LXC, preventing them to receive an IP.

. /etc/default/lxc

if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then
    source_file=/etc/init/lxc-net.conf
    code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
    echo "Adding LXC rules:"
    echo "\$code"
    eval "\$code"
fi

EOF