forked from 0k/0k-charms
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
150 lines
3.2 KiB
150 lines
3.2 KiB
#!/bin/bash
|
|
|
|
|
|
##
|
|
## Install
|
|
##
|
|
|
|
version_gt() { test "$(echo "$@" | tr " " "\n" | sort -V | head -n 1)" != "$1"; }
|
|
|
|
shorewall_candidate_version=$(echo $(apt-cache policy shorewall | grep "Candidate:" | cut -f 2 -d :))
|
|
|
|
## Support for docker introduced in 5.0.6
|
|
if version_gt "$shorewall_candidate_version" 5.0.5; then
|
|
apt-get install -y shorewall
|
|
else
|
|
(
|
|
VERSION="5.0.7.2-1"
|
|
cd /tmp &&
|
|
wget http://ftp.fr.debian.org/debian/pool/main/s/shorewall-core/shorewall-core_${VERSION}_all.deb &&
|
|
wget http://ftp.fr.debian.org/debian/pool/main/s/shorewall/shorewall_${VERSION}_all.deb &&
|
|
dpkg -i shorewall-core_${VERSION}_all.deb shorewall_${VERSION}_all.deb &&
|
|
rm shorewall-core_${VERSION}_all.deb shorewall_${VERSION}_all.deb
|
|
) || {
|
|
echo "Failed to install shorewall."
|
|
exit 1
|
|
}
|
|
fi
|
|
|
|
|
|
##
|
|
## Configuration
|
|
##
|
|
|
|
cat <<EOF > /etc/shorewall/zones
|
|
fw firewall
|
|
net ipv4
|
|
lan ipv4
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/interfaces
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0
|
|
## Uncomment to enable vpn setup
|
|
#vpn tun0 detect
|
|
lan lxcbr0 - routeback
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/policy
|
|
#SOURCE DEST RULE LOG
|
|
|
|
fw all ACCEPT
|
|
lan all ACCEPT
|
|
net all DROP info
|
|
all all DROP info
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/rules
|
|
SSH/ACCEPT net fw
|
|
Ping/ACCEPT net fw
|
|
|
|
|
|
BEGIN SHELL
|
|
|
|
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
|
|
|
|
for name in \$(lxc-ls-running); do
|
|
ip=\$(dig +short A "\$name")
|
|
[ -e "/var/lib/lxc/\$name/shorewall" ] &&
|
|
cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
|
|
| sed -r "s/%%IP%%/\$ip/g"
|
|
|
|
done
|
|
|
|
true
|
|
|
|
END SHELL
|
|
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/masq
|
|
eth0 lxcbr0
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/start
|
|
## correct a bug that prevent DHCP packet to be correctly sent between
|
|
## LXC, preventing them to receive an IP.
|
|
|
|
. /etc/default/lxc
|
|
|
|
if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then
|
|
source_file=/etc/init/lxc-net.conf
|
|
code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
|
|
echo "Adding LXC rules:"
|
|
echo "\$code"
|
|
eval "\$code"
|
|
fi
|
|
|
|
EOF
|
|
|
|
|
|
##
|
|
## Logs
|
|
##
|
|
|
|
mkdir -p /var/log/shorewall
|
|
chgrp syslog /var/log/shorewall
|
|
chmod g+w /var/log/shorewall
|
|
|
|
cat <<EOF > /etc/rsyslog.d/shorewall.conf
|
|
:msg, contains, "Shorewall:" /var/log/shorewall/main.log
|
|
& ~
|
|
EOF
|
|
|
|
cat <<EOF > /etc/logrotate.d/shorewall
|
|
/var/log/shorewall/init.log {
|
|
weekly
|
|
rotate 4
|
|
compress
|
|
missingok
|
|
create 0640 root adm
|
|
}
|
|
|
|
/var/log/shorewall/main.log
|
|
{
|
|
rotate 7
|
|
weekly
|
|
missingok
|
|
notifempty
|
|
compress
|
|
delaycompress
|
|
postrotate
|
|
reload rsyslog >/dev/null 2>&1 || true
|
|
endscript
|
|
}
|
|
|
|
EOF
|
|
|
|
## Init logs
|
|
sed -ri 's%^(STARTUP_LOG=).*$%\1/var/log/shorewall/init.log%g' /etc/shorewall/shorewall.conf
|
|
|
|
service rsyslog restart
|
|
|
|
|
|
##
|
|
##
|
|
##
|
|
|
|
|
|
## Activate support for docker
|
|
sed -ri 's/^DOCKER=No$/DOCKER=Yes/g' /etc/shorewall/shorewall.conf
|