You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

150 lines
3.2 KiB

#!/bin/bash
##
## Install
##
version_gt() { test "$(echo "$@" | tr " " "\n" | sort -V | head -n 1)" != "$1"; }
shorewall_candidate_version=$(echo $(apt-cache policy shorewall | grep "Candidate:" | cut -f 2 -d :))
## Support for docker introduced in 5.0.6
if version_gt "$shorewall_candidate_version" 5.0.5; then
apt-get install -y shorewall
else
(
VERSION="5.0.7.2-1"
cd /tmp &&
wget http://ftp.fr.debian.org/debian/pool/main/s/shorewall-core/shorewall-core_${VERSION}_all.deb &&
wget http://ftp.fr.debian.org/debian/pool/main/s/shorewall/shorewall_${VERSION}_all.deb &&
dpkg -i shorewall-core_${VERSION}_all.deb shorewall_${VERSION}_all.deb &&
rm shorewall-core_${VERSION}_all.deb shorewall_${VERSION}_all.deb
) || {
echo "Failed to install shorewall."
exit 1
}
fi
##
## Configuration
##
cat <<EOF > /etc/shorewall/zones
fw firewall
net ipv4
lan ipv4
EOF
cat <<EOF > /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0
## Uncomment to enable vpn setup
#vpn tun0 detect
lan lxcbr0 - routeback
EOF
cat <<EOF > /etc/shorewall/policy
#SOURCE DEST RULE LOG
fw all ACCEPT
lan all ACCEPT
net all DROP info
all all DROP info
EOF
cat <<EOF > /etc/shorewall/rules
SSH/ACCEPT net fw
Ping/ACCEPT net fw
BEGIN SHELL
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
for name in \$(lxc-ls-running); do
ip=\$(dig +short A "\$name")
[ -e "/var/lib/lxc/\$name/shorewall" ] &&
cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
| sed -r "s/%%IP%%/\$ip/g"
done
true
END SHELL
EOF
cat <<EOF > /etc/shorewall/masq
eth0 lxcbr0
EOF
cat <<EOF > /etc/shorewall/start
## correct a bug that prevent DHCP packet to be correctly sent between
## LXC, preventing them to receive an IP.
. /etc/default/lxc
if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then
source_file=/etc/init/lxc-net.conf
code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
echo "Adding LXC rules:"
echo "\$code"
eval "\$code"
fi
EOF
##
## Logs
##
mkdir -p /var/log/shorewall
chgrp syslog /var/log/shorewall
chmod g+w /var/log/shorewall
cat <<EOF > /etc/rsyslog.d/shorewall.conf
:msg, contains, "Shorewall:" /var/log/shorewall/main.log
& ~
EOF
cat <<EOF > /etc/logrotate.d/shorewall
/var/log/shorewall/init.log {
weekly
rotate 4
compress
missingok
create 0640 root adm
}
/var/log/shorewall/main.log
{
rotate 7
weekly
missingok
notifempty
compress
delaycompress
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
EOF
## Init logs
sed -ri 's%^(STARTUP_LOG=).*$%\1/var/log/shorewall/init.log%g' /etc/shorewall/shorewall.conf
service rsyslog restart
##
##
##
## Activate support for docker
sed -ri 's/^DOCKER=No$/DOCKER=Yes/g' /etc/shorewall/shorewall.conf