forked from 0k/0k-charms
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
73 lines
1.6 KiB
73 lines
1.6 KiB
#!/bin/bash
|
|
|
|
##
|
|
## shorewall
|
|
##
|
|
|
|
apt-get install -y shorewall
|
|
|
|
cat <<EOF > /etc/shorewall/zones
|
|
fw firewall
|
|
net ipv4
|
|
lan ipv4
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/interfaces
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0
|
|
## Uncomment to enable vpn setup
|
|
#vpn tun0 detect
|
|
lan lxcbr0 - routeback
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/policy
|
|
#SOURCE DEST RULE LOG
|
|
|
|
fw all ACCEPT
|
|
lan all ACCEPT
|
|
net all DROP info
|
|
all all DROP info
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/rules
|
|
SSH/ACCEPT net fw
|
|
Ping/ACCEPT net fw
|
|
|
|
|
|
BEGIN SHELL
|
|
|
|
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
|
|
|
|
for name in \$(lxc-ls-running); do
|
|
ip=\$(dig +short A "\$name")
|
|
[ -e "/var/lib/lxc/\$name/shorewall" ] &&
|
|
cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
|
|
| sed -r "s/%%IP%%/\$ip/g"
|
|
|
|
done
|
|
|
|
true
|
|
|
|
END SHELL
|
|
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/masq
|
|
eth0 lxcbr0
|
|
EOF
|
|
|
|
cat <<EOF > /etc/shorewall/start
|
|
## correct a bug that prevent DHCP packet to be correctly sent between
|
|
## LXC, preventing them to receive an IP.
|
|
|
|
. /etc/default/lxc
|
|
|
|
if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then
|
|
source_file=/etc/init/lxc-net.conf
|
|
code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
|
|
echo "Adding LXC rules:"
|
|
echo "\$code"
|
|
eval "\$code"
|
|
fi
|
|
|
|
EOF
|