You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
#!/bin/bash
## ## Install ##
version_gt() { test "$(echo "$@" | tr " " "\n" | sort -V | head -n 1)" != "$1"; }
shorewall_candidate_version=$(echo $(apt-cache policy shorewall | grep "Candidate:" | cut -f 2 -d :))
## Support for docker introduced in 5.0.6 if version_gt "$shorewall_candidate_version" 5.0.5; then apt-get install -y shorewall else ( VERSION="5.0.7.2-1" cd /tmp && wget http://ftp.fr.debian.org/debian/pool/main/s/shorewall-core/shorewall-core_${VERSION}_all.deb && wget http://ftp.fr.debian.org/debian/pool/main/s/shorewall/shorewall_${VERSION}_all.deb && dpkg -i shorewall-core_${VERSION}_all.deb shorewall_${VERSION}_all.deb && rm shorewall-core_${VERSION}_all.deb shorewall_${VERSION}_all.deb ) || { echo "Failed to install shorewall." exit 1 } fi
## ## Configuration ##
cat <<EOF > /etc/shorewall/zones fw firewall net ipv4 lan ipv4 EOF
cat <<EOF > /etc/shorewall/interfaces #ZONE INTERFACE BROADCAST OPTIONS net eth0 ## Uncomment to enable vpn setup #vpn tun0 detect lan lxcbr0 - routeback EOF
cat <<EOF > /etc/shorewall/policy #SOURCE DEST RULE LOG
fw all ACCEPT lan all ACCEPT net all DROP info all all DROP info EOF
cat <<EOF > /etc/shorewall/rules SSH/ACCEPT net fw Ping/ACCEPT net fw
BEGIN SHELL
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
for name in \$(lxc-ls-running); do ip=\$(dig +short A "\$name") [ -e "/var/lib/lxc/\$name/shorewall" ] && cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
| sed -r "s/%%IP%%/\$ip/g"
done
true
END SHELL
EOF
cat <<EOF > /etc/shorewall/masq eth0 lxcbr0 EOF
cat <<EOF > /etc/shorewall/start ## correct a bug that prevent DHCP packet to be correctly sent between ## LXC, preventing them to receive an IP.
. /etc/default/lxc
if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then source_file=/etc/init/lxc-net.conf code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g') echo "Adding LXC rules:" echo "\$code" eval "\$code" fi
EOF
## ## Logs ##
mkdir -p /var/log/shorewall chgrp syslog /var/log/shorewall chmod g+w /var/log/shorewall
cat <<EOF > /etc/rsyslog.d/shorewall.conf :msg, contains, "Shorewall:" /var/log/shorewall/main.log & ~ EOF
cat <<EOF > /etc/logrotate.d/shorewall /var/log/shorewall/init.log { weekly rotate 4 compress missingok create 0640 root adm }
/var/log/shorewall/main.log { rotate 7 weekly missingok notifempty compress delaycompress postrotate reload rsyslog >/dev/null 2>&1 || true endscript }
EOF
## Init logs sed -ri 's%^(STARTUP_LOG=).*$%\1/var/log/shorewall/init.log%g' /etc/shorewall/shorewall.conf
service rsyslog restart
## ## ##
## Activate support for docker sed -ri 's/^DOCKER=No$/DOCKER=Yes/g' /etc/shorewall/shorewall.conf
|