diff options
author | Simon Rettberg | 2014-01-17 19:39:39 +0100 |
---|---|---|
committer | Simon Rettberg | 2014-01-17 19:39:39 +0100 |
commit | bb0282a103944c6e81d43bc09151b8510e6482ce (patch) | |
tree | c2e4343f4c32f952e0d08893919f6d182692fe28 | |
parent | Merge branch 'master' of simonslx:openslx-ng/tm-scripts (diff) | |
download | tm-scripts-bb0282a103944c6e81d43bc09151b8510e6482ce.tar.gz tm-scripts-bb0282a103944c6e81d43bc09151b8510e6482ce.tar.xz tm-scripts-bb0282a103944c6e81d43bc09151b8510e6482ce.zip |
Make some modules use iptables-helper
6 files changed, 31 insertions, 10 deletions
diff --git a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx index fe2fa252..00d22ba5 100755 --- a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx +++ b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx @@ -163,10 +163,10 @@ case "$1" in # Mark network target as reached systemctl start network.target & - # Port redirection for printing - iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP - iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP - iptables -t nat -A PREROUTING -p tcp --dport 515 -j REDIRECT --to-port 5515 + # Port redirection for printing happens in printergui modules (iptables-helper rule) + ####iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP + ####iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP + ####iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515 fi ;; diff --git a/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw new file mode 100755 index 00000000..c0b724a2 --- /dev/null +++ b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw @@ -0,0 +1,8 @@ +#!/bin/ash + +# Close from outside +iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP +iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP +# Redirect from VM to lpd +iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515 + diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service index ab10aa55..a1c2b089 100644 --- a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service +++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service @@ -7,5 +7,6 @@ Type=forking User=redsocks PIDFile=/run/redsocks/redsocks.pid ExecStart=/sbin/redsocks -c /etc/redsocks.conf -p /run/redsocks/redsocks.pid -ExecStopPost=/bin/rm /run/redsocks/redsocks.pid +ExecStopPost=/bin/rm -f /run/redsocks/redsocks.pid +ExecStopPost=/bin/rm -f /opt/openslx/iptables/rules.d/10-redoscks-proxy Restart=on-abort diff --git a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy index 4f802f53..94cb7688 100755 --- a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy +++ b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy @@ -29,8 +29,12 @@ mkdir -p /run/redsocks chown redsocks:redsocks /run/redsocks systemctl start redsocks +cat > "/opt/openslx/iptables/rules.d/10-redoscks-proxy" <<HEREDOCBROWN +#!/bin/ash +. /opt/openslx/config + iptables -t nat -N REDSOCKS -iptables -t nat -A REDSOCKS -d "$SLX_PROXY_IP" -j RETURN +iptables -t nat -A REDSOCKS -d "\$SLX_PROXY_IP" -j RETURN iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN @@ -39,9 +43,9 @@ iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN -if [ -n "$SLX_PROXY_BLACKLIST" ]; then - for ADDR in $SLX_PROXY_BLACKLIST; do - iptables -t nat -A REDSOCKS -d "$ADDR" -j RETURN +if [ -n "\$SLX_PROXY_BLACKLIST" ]; then + for ADDR in \$SLX_PROXY_BLACKLIST; do + iptables -t nat -A REDSOCKS -d "\$ADDR" -j RETURN done fi iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port 12345 @@ -49,4 +53,6 @@ iptables -t nat -A PREROUTING -p tcp -j REDSOCKS iptables -t nat -A OUTPUT -p tcp -j REDSOCKS iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE iptables -A INPUT -i br0 -p tcp --dport 12345 -j DROP +HEREDOCBROWN +chmod +x "/opt/openslx/iptables/rules.d/10-redoscks-proxy" diff --git a/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading b/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading new file mode 100755 index 00000000..b0909760 --- /dev/null +++ b/remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading @@ -0,0 +1,3 @@ +#!/bin/ash + +iptables -t nat -A POSTROUTING -o br0 -s 192.168.101.0/24 -j MASQUERADE diff --git a/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env b/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env index 3358a85f..04ea4b0d 100755 --- a/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env +++ b/remote/modules/vmchooser/data/opt/openslx/scripts/systemd-vmchooser_env @@ -150,12 +150,15 @@ done # kvmnet2* for Qemu/KVM # creating and configuring nat0 +# 192.168.101.0/24 is vm nat. If you ever change this there are a couple of other files +# where you'd need to make changes, so think twice before doing so. ;) brctl addbr nat1 ip link set dev nat1 up ip addr add 192.168.101.1/24 dev nat1 echo "1" >/proc/sys/net/ipv4/conf/nat1/forwarding echo "1" >/proc/sys/net/ipv4/conf/br0/forwarding 2>/dev/null -iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE +# iptables masquerade rule is now inserted by /opt/openslx/iptables/rules.d/50-virt-nat1-masquerading +### iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE for wait in 1 1 2 2 3 end; do grep '^SLX_DNS' "/opt/openslx/config" > /dev/null && break |