
  1. #!/bin/bash
  2. ##
  3. ## Install
  4. ##
#######################################
# Compare Debian-style version strings.
# Arguments: $1 - version under test, $2.. - versions to compare against
# Returns:   0 when $1 is strictly greater than every other argument
#            (i.e. $1 is not the smallest after a `sort -V`), 1 otherwise
#######################################
version_gt() {
  local lowest
  lowest=$(echo "$@" | tr " " "\n" | sort -V | head -n 1)
  [ "$lowest" != "$1" ]
}
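## Candidate version apt would install (empty or "(none)" when unknown).
shorewall_candidate_version=$(apt-cache policy shorewall 2>/dev/null \
  | sed -n 's/^[[:space:]]*Candidate:[[:space:]]*//p')
## Support for docker introduced in 5.0.6
if version_gt "$shorewall_candidate_version" 5.0.5; then
  apt-get install -y shorewall
else
  ## The distribution is too old: fetch a newer build from the Debian pool.
  ## NOTE(review): the packages are downloaded over plain HTTP and installed
  ## as root with no signature or checksum verification, so anyone on the
  ## network path can substitute them. When SHOREWALL_DEB_SHA256SUMS points
  ## to an absolute path of a sha256sum(1) list covering the two .deb files,
  ## it is enforced before dpkg runs; otherwise the download is trusted as-is.
  ## Private scratch directory instead of predictable names in /tmp.
  workdir=$(mktemp -d) || {
    echo "Failed to create a temporary directory." >&2
    exit 1
  }
  (
    VERSION="5.0.7.2-1"
    cd "$workdir" &&
    wget "http://ftp.fr.debian.org/debian/pool/main/s/shorewall-core/shorewall-core_${VERSION}_all.deb" &&
    wget "http://ftp.fr.debian.org/debian/pool/main/s/shorewall/shorewall_${VERSION}_all.deb" &&
    { [ -z "${SHOREWALL_DEB_SHA256SUMS:-}" ] || sha256sum -c -- "$SHOREWALL_DEB_SHA256SUMS"; } &&
    dpkg -i "shorewall-core_${VERSION}_all.deb" "shorewall_${VERSION}_all.deb"
  ) || {
    rm -rf -- "${workdir:?}"
    echo "Failed to install shorewall." >&2
    exit 1
  }
  rm -rf -- "${workdir:?}"
fi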
  23. ##
  24. ## Configuration
  25. ##
  26. cat <<EOF > /etc/shorewall/zones
  27. fw firewall
  28. net ipv4
  29. lan ipv4
  30. EOF
  31. cat <<EOF > /etc/shorewall/interfaces
  32. #ZONE INTERFACE BROADCAST OPTIONS
  33. net eth0
  34. ## Uncomment to enable vpn setup
  35. #vpn tun0 detect
  36. lan lxcbr0 - routeback
  37. EOF
  38. cat <<EOF > /etc/shorewall/policy
  39. #SOURCE DEST RULE LOG
  40. fw all ACCEPT
  41. lan all ACCEPT
  42. net all DROP info
  43. all all DROP info
  44. EOF
  45. cat <<EOF > /etc/shorewall/rules
  46. SSH/ACCEPT net fw
  47. Ping/ACCEPT net fw
  48. BEGIN SHELL
  49. host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
  50. for name in \$(lxc-ls-running); do
  51. ip=\$(dig +short A "\$name")
  52. [ -e "/var/lib/lxc/\$name/shorewall" ] &&
  53. cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
  54. | sed -r "s/%%IP%%/\$ip/g"
  55. done
  56. true
  57. END SHELL
  58. EOF
  59. cat <<EOF > /etc/shorewall/masq
  60. eth0 lxcbr0
  61. EOF
  62. cat <<EOF > /etc/shorewall/start
  63. ## correct a bug that prevent DHCP packet to be correctly sent between
  64. ## LXC, preventing them to receive an IP.
  65. . /etc/default/lxc
  66. if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then
  67. source_file=/etc/init/lxc-net.conf
  68. code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
  69. echo "Adding LXC rules:"
  70. echo "\$code"
  71. eval "\$code"
  72. fi
  73. EOF
  74. ##
  75. ## Logs
  76. ##
  77. mkdir -p /var/log/shorewall
  78. chgrp syslog /var/log/shorewall
  79. chmod g+w /var/log/shorewall
  80. cat <<EOF > /etc/rsyslog.d/shorewall.conf
  81. :msg, contains, "Shorewall:" /var/log/shorewall/main.log
  82. & ~
  83. EOF
  84. cat <<EOF > /etc/logrotate.d/shorewall
  85. /var/log/shorewall/init.log {
  86. weekly
  87. rotate 4
  88. compress
  89. missingok
  90. create 0640 root adm
  91. }
  92. /var/log/shorewall/main.log
  93. {
  94. rotate 7
  95. weekly
  96. missingok
  97. notifempty
  98. compress
  99. delaycompress
  100. postrotate
  101. reload rsyslog >/dev/null 2>&1 || true
  102. endscript
  103. }
  104. EOF
  105. ## Init logs
  106. sed -ri 's%^(STARTUP_LOG=).*$%\1/var/log/shorewall/init.log%g' /etc/shorewall/shorewall.conf
  107. service rsyslog restart
  108. ##
  109. ##
  110. ##
  111. ## Activate support for docker
  112. sed -ri 's/^DOCKER=No$/DOCKER=Yes/g' /etc/shorewall/shorewall.conf