authorSimon Rettberg2014-01-17 19:39:39 +0100
committerSimon Rettberg2014-01-17 19:39:39 +0100
commitbb0282a103944c6e81d43bc09151b8510e6482ce (patch)
treec2e4343f4c32f952e0d08893919f6d182692fe28
parentMerge branch 'master' of simonslx:openslx-ng/tm-scripts (diff)
Make some modules use iptables-helper
-rwxr-xr-xremote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx8
-rwxr-xr-xremote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw8
-rw-r--r--remote/modules/redsocks/data/etc/systemd/system/redsocks.service3
-rwxr-xr-xremote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy14
-rwxr-xr-xremote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading3
-rwxr-xr-xremote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env5
6 files changed, 31 insertions, 10 deletions
diff --git a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
index fe2fa252..00d22ba5 100755
--- a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
+++ b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
@@ -163,10 +163,10 @@ case "$1" in
# Mark network target as reached
systemctl start network.target &
- # Port redirection for printing
- iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
- iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
- iptables -t nat -A PREROUTING -p tcp --dport 515 -j REDIRECT --to-port 5515
+ # Port redirection for printing happens in printergui modules (iptables-helper rule)
+ ####iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
+ ####iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
+ ####iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515
fi
;;
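Review bot: The three `####` lines at the top of this hunk keep a stale copy of the removed rules rather than a reference, and the copy is not even the code that was deleted — it carries an added `-s 192.168.0.0/16` that the old udhcpc rule never had. Since the preceding comment already names where the rules now live, dropping the three commented-out lines and keeping only `# Port redirection for printing happens in printergui modules (iptables-helper rule)` stops this script from drifting out of sync with 50-lpd-redirect-and-fw. The same commented-out-code pattern appears in the systemd-vmchooser_env hunk (`### iptables -t nat -A POSTROUTING ...`). The enclosing `case "$1" in` branch starts outside the hunk.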
diff --git a/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
new file mode 100755
index 00000000..c0b724a2
--- /dev/null
+++ b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
@@ -0,0 +1,8 @@
+#!/bin/ash
+
+# Close from outside
+iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
+iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
+# Redirect from VM to lpd
+iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515
+
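Review bot: The redirect on the last rule line matches any packet sourced from 192.168.0.0/16 on any interface, while the VM NAT introduced in the same commit (50-virt-nat1-masquerading, and the comment added in systemd-vmchooser_env) is 192.168.101.0/24 on nat1; a 192.168.x host on the br0 side is also redirected to 5515 and only then caught by the br0 DROP above, so the two rules work together by coincidence rather than by design. Binding the redirect to the VM bridge makes the intent explicit: `iptables -t nat -A PREROUTING -i nat1 -s 192.168.101.0/24 -p tcp --dport 515 -j REDIRECT --to-port 5515`. Whether nat1 is the only bridge carrying VM traffic is not visible here (the vmchooser hunk mentions kvmnet2* as well), so confirm the interface name before narrowing.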
diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
index ab10aa55..a1c2b089 100644
--- a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
+++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
@@ -7,5 +7,6 @@ Type=forking
User=redsocks
PIDFile=/run/redsocks/redsocks.pid
ExecStart=/sbin/redsocks -c /etc/redsocks.conf -p /run/redsocks/redsocks.pid
-ExecStopPost=/bin/rm /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /opt/openslx/iptables/rules.d/10-redoscks-proxy
Restart=on-abort
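Review bot: The new ExecStopPost line above `Restart=on-abort` removes only the generated rule file; the REDSOCKS nat chain and the PREROUTING/OUTPUT jumps that systemd-setup_proxy loaded remain active in the kernel after the service stops, so outbound TCP keeps being redirected to port 12345 with nothing listening unless something not shown here flushes them — worth a comment in the unit or a matching teardown step. Separately, the path spells the service as `redoscks` (`10-redoscks-proxy`); it is spelled the same way in systemd-setup_proxy so the removal does match, but renaming it to `10-redsocks-proxy` in both places avoids a misleading filename in rules.d.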
diff --git a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
index 4f802f53..94cb7688 100755
--- a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
+++ b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
@@ -29,8 +29,12 @@ mkdir -p /run/redsocks
chown redsocks:redsocks /run/redsocks
systemctl start redsocks
+cat > "/opt/openslx/iptables/rules.d/10-redoscks-proxy" <<HEREDOCBROWN
+#!/bin/ash
+. /opt/openslx/config
+
iptables -t nat -N REDSOCKS
-iptables -t nat -A REDSOCKS -d "$SLX_PROXY_IP" -j RETURN
+iptables -t nat -A REDSOCKS -d "\$SLX_PROXY_IP" -j RETURN
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
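Review bot: The heredoc delimiter on the `cat > ... <<HEREDOCBROWN` line is unquoted, so every `$` in the generated script must be backslash-escaped by hand (`\$SLX_PROXY_IP` here, `\$SLX_PROXY_BLACKLIST` and `\$ADDR` in the next hunk); a missed escape would silently bake the setup-time value into the rule file instead of reading it from /opt/openslx/config when the file runs. Quoting the delimiter, `cat > "/opt/openslx/iptables/rules.d/10-redoscks-proxy" <<'HEREDOCBROWN'`, disables expansion for the whole body and lets the backslashes go, so the written file reads exactly like the script it becomes. Nothing in the visible body relies on setup-time expansion, but the lines between the hunks are not shown, so check them before switching.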
@@ -39,9 +43,9 @@ iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
-if [ -n "$SLX_PROXY_BLACKLIST" ]; then
- for ADDR in $SLX_PROXY_BLACKLIST; do
- iptables -t nat -A REDSOCKS -d "$ADDR" -j RETURN
+if [ -n "\$SLX_PROXY_BLACKLIST" ]; then
+ for ADDR in \$SLX_PROXY_BLACKLIST; do
+ iptables -t nat -A REDSOCKS -d "\$ADDR" -j RETURN
done
fi
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port 12345
@@ -49,4 +53,6 @@ iptables -t nat -A PREROUTING -p tcp -j REDSOCKS
iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -A INPUT -i br0 -p tcp --dport 12345 -j DROP
+HEREDOCBROWN
+chmod +x "/opt/openslx/iptables/rules.d/10-redoscks-proxy"
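Review bot: The generated rule file is not idempotent: its `iptables -t nat -N REDSOCKS` fails once the chain exists and every `-A` after it then appends a second copy, so if the iptables-helper ever replays rules.d (the commit message says modules are being moved onto it) the chain and the PREROUTING/OUTPUT jumps grow on each run. Making the chain creation tolerant, `iptables -t nat -N REDSOCKS 2>/dev/null || iptables -t nat -F REDSOCKS`, keeps a replay from duplicating the chain's own rules; how the helper invokes these files is not visible here, so confirm before relying on it. The `cat` that opens this heredoc is in the first hunk of this file.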
diff --git a/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading b/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading
new file mode 100755
index 00000000..b0909760
--- /dev/null
+++ b/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading
@@ -0,0 +1,3 @@
+#!/bin/ash
+
+iptables -t nat -A POSTROUTING -o br0 -s 192.168.101.0/24 -j MASQUERADE
diff --git a/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env b/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env
index 3358a85f..04ea4b0d 100755
--- a/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env
+++ b/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env
@@ -150,12 +150,15 @@ done
# kvmnet2* for Qemu/KVM
# creating and configuring nat0
+# 192.168.101.0/24 is vm nat. If you ever change this there are a couple of other files
+# where you'd need to make changes, so think twice before doing so. ;)
brctl addbr nat1
ip link set dev nat1 up
ip addr add 192.168.101.1/24 dev nat1
echo "1" >/proc/sys/net/ipv4/conf/nat1/forwarding
echo "1" >/proc/sys/net/ipv4/conf/br0/forwarding 2>/dev/null
-iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE
+# iptables masquerade rule is now inserted by /opt/openslx/iptables/rules.d/50-virt-nat1-masquerading
+### iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE
for wait in 1 1 2 2 3 end; do
grep '^SLX_DNS' "/opt/openslx/config" > /dev/null && break