|
@ -8,6 +8,8 @@ |
|
|
## Install |
|
|
## Install |
|
|
## |
|
|
## |
|
|
|
|
|
|
|
|
|
|
|
HOST_EXTERNAL_DEVICE=${HOST_EXTERNAL_DEVICE:-eth0} |
|
|
|
|
|
|
|
|
version_gt() { test "$(echo "$@" | tr " " "\n" | sort -V | head -n 1)" != "$1"; } |
|
|
version_gt() { test "$(echo "$@" | tr " " "\n" | sort -V | head -n 1)" != "$1"; } |
|
|
|
|
|
|
|
|
shorewall_candidate_version=$(echo $(apt-cache policy shorewall | grep "Candidate:" | cut -f 2 -d :)) |
|
|
shorewall_candidate_version=$(echo $(apt-cache policy shorewall | grep "Candidate:" | cut -f 2 -d :)) |
|
@ -29,23 +31,179 @@ else |
|
|
} |
|
|
} |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
case $(lsb_release -is) in |
|
|
|
|
|
Debian) |
|
|
|
|
|
case $(lsb_release -rs) in |
|
|
|
|
|
10) |
|
|
|
|
|
## we had trouble with ``nft`` shorewall |
|
|
|
|
|
update-alternatives --set iptables /usr/sbin/iptables-legacy |
|
|
|
|
|
;; |
|
|
|
|
|
esac |
|
|
|
|
|
;; |
|
|
|
|
|
esac |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
apt-get install -y dnsutils </dev/null |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## |
|
|
## |
|
|
## Configuration |
|
|
## Configuration |
|
|
## |
|
|
## |
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF > /etc/shorewall/README |
|
|
|
|
|
Important notes gathered through time: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Shorewall duties on our host |
|
|
|
|
|
|
|
|
|
|
|
- block any access from outside to local ports if not mentionned |
|
|
|
|
|
explicitely in shorewall. |
|
|
|
|
|
|
|
|
|
|
|
- connect external ports to LXC (dockers has its own means) |
|
|
|
|
|
- This uses ``/var/lib/lxc/*/shorewall`` files |
|
|
|
|
|
|
|
|
|
|
|
- let mosh connect correctly |
|
|
|
|
|
|
|
|
|
|
|
- ensure a correct access from Host/LXC/Docker to server's services. |
|
|
|
|
|
For instance, an Host/LXC/Docker should be able to as if it was |
|
|
|
|
|
external: ``curl https://myhostwebsite``. This is called routeback |
|
|
|
|
|
and requires some special rules. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Shorewall restarting and cache |
|
|
|
|
|
|
|
|
|
|
|
Some process in shorewall seems to be using cache in some ways in |
|
|
|
|
|
recent version that implies that it won't take actions if files are |
|
|
|
|
|
not changed. A simple 'touch FILE' seems to be enough. Notice the |
|
|
|
|
|
'Compiling' lines appearing in ``shorewall restart``. |
|
|
|
|
|
|
|
|
|
|
|
It's always good to double-check in ``iptables -nL`` that some rules |
|
|
|
|
|
actually seem to match your intention. |
|
|
|
|
|
|
|
|
|
|
|
Don't forget that ``iptables-save`` is probably the best way to get |
|
|
|
|
|
the full rules printed on stdout. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Debian, ovh kernels and iptables-nft |
|
|
|
|
|
|
|
|
|
|
|
Starting from Debian10, iptables by default uses iptables-nft... which |
|
|
|
|
|
works well with default debian kernel. OVH kernels DO NOT provide |
|
|
|
|
|
necessary kernel and we must: |
|
|
|
|
|
|
|
|
|
|
|
update-alternatives --set iptables /usr/sbin/iptables-legacy |
|
|
|
|
|
|
|
|
|
|
|
Note that transition is a little tricky because BOTH ways can have |
|
|
|
|
|
their tables simultaneously. Use ``iptables-nft -nL`` and |
|
|
|
|
|
``iptables-legacy -nL`` to check. |
|
|
|
|
|
|
|
|
|
|
|
For now, we had little success to properly have the ``nft`` version |
|
|
|
|
|
working properly on debian kernel. So even on debian kernel, we switch |
|
|
|
|
|
here to iptables-legacy if on debian system. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Interaction with docker's iptables rules |
|
|
|
|
|
|
|
|
|
|
|
This is configured in ``shorewall.conf``, thanks to a simple:: |
|
|
|
|
|
|
|
|
|
|
|
DOCKER=Yes |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Route back |
|
|
|
|
|
|
|
|
|
|
|
Be sure to check in /var/lib/lxc/*/shorewall definitions, they |
|
|
|
|
|
must include special stances (see in next section). |
|
|
|
|
|
|
|
|
|
|
|
On the side of shorewall, all network interface should be declared in |
|
|
|
|
|
``/etc/shorewall/interfaces``. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# lxc ``shorewall`` files |
|
|
|
|
|
|
|
|
|
|
|
Prefer the usage of ``ports`` files. If you insist on having a better |
|
|
|
|
|
control of rules per LXC, you can use ``shorewall`` files. |
|
|
|
|
|
|
|
|
|
|
|
They should be located in /var/lib/lxc/*/shorewall. This is a standard |
|
|
|
|
|
redirection from external host port 10022 to lxc's port 22, on port |
|
|
|
|
|
tcp:: |
|
|
|
|
|
|
|
|
|
|
|
DNAT net lan:%%IP%%:22 tcp 10022 |
|
|
|
|
|
#DNAT net lan:%%IP%%:22 udp 10022 |
|
|
|
|
|
|
|
|
|
|
|
Routeback (access of the same service from Host/LXC/Docker on the external |
|
|
|
|
|
address) is given by these additional rules:: |
|
|
|
|
|
|
|
|
|
|
|
DNAT lan lan:www:80 tcp 80 - %%HOST_INTERNET_IP%% |
|
|
|
|
|
DNAT lan lan:www:443 tcp 443 - %%HOST_INTERNET_IP%% |
|
|
|
|
|
|
|
|
|
|
|
DNAT fw lan:www:80 tcp 80 - %%HOST_INTERNET_IP%% |
|
|
|
|
|
DNAT fw lan:www:443 tcp 443 - %%HOST_INTERNET_IP%% |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# lxc ``ports`` files |
|
|
|
|
|
|
|
|
|
|
|
They should be located in /var/lib/lxc/*/ports. This is a standard |
|
|
|
|
|
redirection from external host port 10022 to lxc's port 22, on both |
|
|
|
|
|
tcp and udp:: |
|
|
|
|
|
|
|
|
|
|
|
10022:22 ## Normal port |
|
|
|
|
|
# 10023:23 ## This is commented ! |
|
|
|
|
|
|
|
|
|
|
|
Note that comments are supported also. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF > /etc/shorewall/zones |
|
|
cat <<EOF > /etc/shorewall/zones |
|
|
fw firewall |
|
|
fw firewall |
|
|
net ipv4 |
|
|
net ipv4 |
|
|
lan ipv4 |
|
|
lan ipv4 |
|
|
EOF |
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF > /etc/shorewall/macro.Mosh |
|
|
|
|
|
####################################################################################################### |
|
|
|
|
|
# DO NOT REMOVE THE FOLLOWING LINE |
|
|
|
|
|
############################################################################################################################################################## |
|
|
|
|
|
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMITTIME HEADERS SWITCH HELPER |
|
|
|
|
|
# |
|
|
|
|
|
|
|
|
|
|
|
PARAM - - udp 60000:61000 |
|
|
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF > /etc/shorewall/interfaces |
|
|
cat <<EOF > /etc/shorewall/interfaces |
|
|
#ZONE INTERFACE BROADCAST OPTIONS |
|
|
#ZONE INTERFACE BROADCAST OPTIONS |
|
|
net eth0 |
|
|
|
|
|
|
|
|
net $HOST_EXTERNAL_DEVICE |
|
|
## Uncomment to enable vpn setup |
|
|
## Uncomment to enable vpn setup |
|
|
#vpn tun0 detect |
|
|
#vpn tun0 detect |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## All interfaces that require route back should be listed |
|
|
|
|
|
## here: |
|
|
lan lxcbr0 - routeback |
|
|
lan lxcbr0 - routeback |
|
|
|
|
|
|
|
|
|
|
|
BEGIN SHELL |
|
|
|
|
|
|
|
|
|
|
|
ifconfig=\$(ifconfig) |
|
|
|
|
|
|
|
|
|
|
|
echo "BEGIN DOCKER adding networks rules:" >&2 |
|
|
|
|
|
for docker_net in \$(docker network list -f driver=bridge -q); do |
|
|
|
|
|
gws=\$(docker network inspect "\$docker_net" --format "{{range .IPAM.Config}}{{.Gateway}}{{\"\n\"}}{{end}}") || continue |
|
|
|
|
|
for gw in \$gws; do |
|
|
|
|
|
if=\$(printf "%s" "\$ifconfig" | egrep "\$gw" -B 1 | head -n 1 | cut -f 1 -d " ") |
|
|
|
|
|
echo " lan \$if - routeback" >&2 |
|
|
|
|
|
echo "lan \$if - routeback" |
|
|
|
|
|
done |
|
|
|
|
|
done |
|
|
|
|
|
echo "END DOCKER" >&2 |
|
|
|
|
|
|
|
|
|
|
|
true |
|
|
|
|
|
|
|
|
|
|
|
END SHELL |
|
|
|
|
|
|
|
|
EOF |
|
|
EOF |
|
|
|
|
|
|
|
|
cat <<EOF > /etc/shorewall/policy |
|
|
cat <<EOF > /etc/shorewall/policy |
|
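Review bot: The README heredoc opened by `cat <<EOF > /etc/shorewall/README` is unquoted, so each adjacent pair of backticks in its body (around `/var/lib/lxc/*/shorewall`, `shorewall restart`, `iptables -nL` and the others) is an empty command substitution and the markup is stripped from the installed file; nothing in that body needs shell expansion, so `cat <<'EOF' > /etc/shorewall/README` writes it verbatim. In the interfaces BEGIN SHELL block, `egrep "\$gw" -B 1` uses the gateway address as a regular expression, so the unescaped dots and missing anchors let `172.17.0.1` also match an address such as `172.17.0.10` on some other interface, and the name is then cut from whatever ifconfig printed one line earlier, which on current net-tools output appears to be `docker0:` with a trailing colon rather than `docker0`. Asking the kernel directly avoids both problems: `if=\$(ip -o -4 addr show to "\$gw" | awk '{print \$2}')`.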
@ -61,16 +219,31 @@ cat <<EOF > /etc/shorewall/rules |
|
|
SSH/ACCEPT net fw |
|
|
SSH/ACCEPT net fw |
|
|
Ping/ACCEPT net fw |
|
|
Ping/ACCEPT net fw |
|
|
|
|
|
|
|
|
|
|
|
Mosh(ACCEPT) net fw |
|
|
|
|
|
|
|
|
BEGIN SHELL |
|
|
BEGIN SHELL |
|
|
|
|
|
|
|
|
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")" |
|
|
|
|
|
|
|
|
host_ip="\$(/sbin/ifconfig $HOST_EXTERNAL_DEVICE 2> /dev/null | sed "s/^.*inet //g" | grep ^[0-9] | sed "s/ .*$//g")" |
|
|
|
|
|
|
|
|
for name in \$(lxc-ls-running); do |
|
|
for name in \$(lxc-ls-running); do |
|
|
ip=\$(dig +short A "\$name") |
|
|
ip=\$(dig +short A "\$name") |
|
|
[ -e "/var/lib/lxc/\$name/shorewall" ] && |
|
|
[ -e "/var/lib/lxc/\$name/shorewall" ] && |
|
|
cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \ |
|
|
|
|
|
| sed -r "s/%%IP%%/\$ip/g" |
|
|
|
|
|
|
|
|
cat /var/lib/lxc/\$name/shorewall | |
|
|
|
|
|
sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" | |
|
|
|
|
|
sed -r "s/%%IP%%/\$ip/g" |
|
|
|
|
|
|
|
|
|
|
|
if [ -e "/var/lib/lxc/\$name/ports" ]; then |
|
|
|
|
|
for ports in \$(cat /var/lib/lxc/\$name/ports | sed -r 's/#.*\$//g'); do |
|
|
|
|
|
lxc_port=\${ports#*:} |
|
|
|
|
|
ext_port=\${ports%:*} |
|
|
|
|
|
echo "LXC \$name: redirection from \$host_ip:\$ext_port -> \$ip:\$lxc_port" >&2 |
|
|
|
|
|
for proto in tcp udp; do |
|
|
|
|
|
for zone in net lan fw; do |
|
|
|
|
|
echo "DNAT \$zone lan:\$ip:\$lxc_port \$proto \$ext_port - \$host_ip" |
|
|
|
|
|
done |
|
|
|
|
|
done |
|
|
|
|
|
done |
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
done |
|
|
done |
|
|
|
|
|
|
|
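Review bot: The per-container loop in the rules BEGIN SHELL block emits DNAT lines without checking that `ip=\$(dig +short A "\$name")` returned a single address or that each `ports` entry has the `ext:lxc` shape, so an unresolvable container name yields `lan::\$lxc_port` rules and an entry without a colon sets both ports to the same value. As far as I can tell shorewall rejects such a rule at compile time, and since this block is re-run on every restart one bad container file can keep the whole ruleset from loading. I would validate both values and skip the entry with a message on stderr (which already goes to the lxc-shorewall-repair log) instead of emitting it.
```shell
for name in \$(lxc-ls-running); do
    ip=\$(dig +short A "\$name")
    # exactly one dotted-quad: anything else (empty, several lines, a CNAME) is skipped
    if [ -z "\$ip" ] || [ "\$ip" != "\${ip%%[!0-9.]*}" ]; then
        echo "LXC \$name: expected one A record, got '\$ip'; skipping" >&2
        continue
    fi
    # … unchanged: /var/lib/lxc/\$name/shorewall substitution …
    if [ -e "/var/lib/lxc/\$name/ports" ]; then
        for ports in \$(cat /var/lib/lxc/\$name/ports | sed -r 's/#.*\$//g'); do
            if ! printf "%s" "\$ports" | grep -Eq '^[0-9]+:[0-9]+\$'; then
                echo "LXC \$name: ignoring malformed ports entry '\$ports'" >&2
                continue
            fi
            lxc_port=\${ports#*:}
            ext_port=\${ports%:*}
            # … unchanged: DNAT generation for tcp/udp x net/lan/fw …
        done
    fi
done
```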
@ -81,7 +254,7 @@ END SHELL |
|
|
EOF |
|
|
EOF |
|
|
|
|
|
|
|
|
cat <<EOF > /etc/shorewall/masq |
|
|
cat <<EOF > /etc/shorewall/masq |
|
|
eth0 lxcbr0 |
|
|
|
|
|
|
|
|
$HOST_EXTERNAL_DEVICE lxcbr0 |
|
|
EOF |
|
|
EOF |
|
|
|
|
|
|
|
|
cat <<EOF > /etc/shorewall/start |
|
|
cat <<EOF > /etc/shorewall/start |
|
@ -90,12 +263,19 @@ cat <<EOF > /etc/shorewall/start |
|
|
|
|
|
|
|
|
. /etc/default/lxc |
|
|
. /etc/default/lxc |
|
|
|
|
|
|
|
|
if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then |
|
|
|
|
|
source_file=/etc/init/lxc-net.conf |
|
|
|
|
|
code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g') |
|
|
|
|
|
echo "Adding LXC rules:" |
|
|
|
|
|
echo "\$code" |
|
|
|
|
|
eval "\$code" |
|
|
|
|
|
|
|
|
if [ -d "/sys/class/net/\$LXC_BRIDGE" ] && [ "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" = "up" ]; then |
|
|
|
|
|
source_file= |
|
|
|
|
|
if [ -e /etc/init/lxc-net.conf ]; then |
|
|
|
|
|
source_file=/etc/init/lxc-net.conf |
|
|
|
|
|
elif [ -e /usr/lib/x86_64-linux-gnu/lxc/lxc-net ]; then |
|
|
|
|
|
source_file=/usr/lib/x86_64-linux-gnu/lxc/lxc-net |
|
|
|
|
|
fi |
|
|
|
|
|
if [ "\$source_file" ]; then |
|
|
|
|
|
code=\$(egrep '^\s+iptables.*\s+-j\s+' \$source_file | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g') |
|
|
|
|
|
echo "Adding LXC rules:" |
|
|
|
|
|
echo "\$code" |
|
|
|
|
|
eval "\$code" |
|
|
|
|
|
fi |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
EOF |
|
|
EOF |
|
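Review bot: The fallback `elif [ -e /usr/lib/x86_64-linux-gnu/lxc/lxc-net ]` hard-codes the amd64 multiarch directory, so on any other architecture neither candidate matches, `source_file` stays empty and the `if [ "\$source_file" ]` guard silently installs none of the iptables rules the lxc-net script would have contributed, with nothing in the start log to show it. A glob over the multiarch directory and an `else` branch that reports the miss make the condition both portable and visible. The extracted lines are still passed to `eval "\$code"` as before, so `\$source_file` should at least be double-quoted in the egrep call.
```shell
    source_file=
    # first existing candidate wins; the glob covers non-amd64 multiarch dirs
    for candidate in /etc/init/lxc-net.conf /usr/lib/*/lxc/lxc-net; do
        if [ -e "\$candidate" ]; then
            source_file=\$candidate
            break
        fi
    done
    if [ "\$source_file" ]; then
        code=\$(egrep '^\s+iptables.*\s+-j\s+' "\$source_file" | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
        # … unchanged: echo and eval of \$code …
    else
        echo "WARNING: no lxc-net script found, LXC iptables rules not added" >&2
    fi
```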
@ -112,9 +292,26 @@ EOF |
|
|
apt-get install -y moreutils ## needed because ``ts`` is used in this script |
|
|
apt-get install -y moreutils ## needed because ``ts`` is used in this script |
|
|
ln -sf /opt/apps/lxc-scripts/etc/cron.d/lxc-shorewall-repair /etc/cron.d/lxc-shorewall-repair |
|
|
ln -sf /opt/apps/lxc-scripts/etc/cron.d/lxc-shorewall-repair /etc/cron.d/lxc-shorewall-repair |
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF > /etc/logrotate.d/lxc-shorewall-repair |
|
|
|
|
|
/var/log/lxc-shorewall-repair.log { |
|
|
|
|
|
weekly |
|
|
|
|
|
missingok |
|
|
|
|
|
dateext |
|
|
|
|
|
dateyesterday |
|
|
|
|
|
dateformat _%Y-%m-%d |
|
|
|
|
|
extension .log |
|
|
|
|
|
rotate 52 |
|
|
|
|
|
compress |
|
|
|
|
|
delaycompress |
|
|
|
|
|
notifempty |
|
|
|
|
|
create 640 root root |
|
|
|
|
|
sharedscripts |
|
|
|
|
|
} |
|
|
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## |
|
|
## |
|
|
## Logs |
|
|
|
|
|
|
|
|
## LOGS |
|
|
## |
|
|
## |
|
|
|
|
|
|
|
|
mkdir -p /var/log/shorewall |
|
|
mkdir -p /var/log/shorewall |
|
@ -124,25 +321,32 @@ chmod g+w /var/log/shorewall |
|
|
cat <<EOF > /etc/rsyslog.d/shorewall.conf |
|
|
cat <<EOF > /etc/rsyslog.d/shorewall.conf |
|
|
:msg, contains, "Shorewall:" /var/log/shorewall/main.log |
|
|
:msg, contains, "Shorewall:" /var/log/shorewall/main.log |
|
|
& ~ |
|
|
& ~ |
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF > /etc/logrotate.d/shorewall |
|
|
|
|
|
/var/log/shorewall/init.log { |
|
|
|
|
|
weekly |
|
|
|
|
|
rotate 4 |
|
|
|
|
|
compress |
|
|
|
|
|
missingok |
|
|
|
|
|
create 0640 root adm |
|
|
|
|
|
|
|
|
if \$msg contains 'net-fw DROP IN=' then { |
|
|
|
|
|
action(type="omfile" file="/var/log/shorewall/net-fw.log") |
|
|
|
|
|
stop |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF > /etc/logrotate.d/shorewall |
|
|
|
|
|
/var/log/shorewall/init.log |
|
|
|
|
|
/var/log/shorewall/net-fw.log |
|
|
/var/log/shorewall/main.log |
|
|
/var/log/shorewall/main.log |
|
|
{ |
|
|
{ |
|
|
rotate 7 |
|
|
|
|
|
weekly |
|
|
weekly |
|
|
missingok |
|
|
missingok |
|
|
notifempty |
|
|
|
|
|
|
|
|
dateext |
|
|
|
|
|
dateyesterday |
|
|
|
|
|
dateformat _%Y-%m-%d |
|
|
|
|
|
extension .log |
|
|
|
|
|
rotate 52 |
|
|
compress |
|
|
compress |
|
|
delaycompress |
|
|
delaycompress |
|
|
|
|
|
notifempty |
|
|
|
|
|
create 640 root root |
|
|
|
|
|
sharedscripts |
|
|
postrotate |
|
|
postrotate |
|
|
reload rsyslog >/dev/null 2>&1 || true |
|
|
reload rsyslog >/dev/null 2>&1 || true |
|
|
endscript |
|
|
endscript |
|
@ -157,9 +361,12 @@ service rsyslog restart |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## |
|
|
## |
|
|
## |
|
|
|
|
|
|
|
|
## Final settings |
|
|
## |
|
|
## |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Activate support for docker |
|
|
## Activate support for docker |
|
|
sed -ri 's/^DOCKER=No$/DOCKER=Yes/g' /etc/shorewall/shorewall.conf |
|
|
sed -ri 's/^DOCKER=No$/DOCKER=Yes/g' /etc/shorewall/shorewall.conf |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sed -ri 's/^IP_FORWARDING=Keep$/IP_FORWARDING=On/g' /etc/shorewall/shorewall.conf |