From bb0282a103944c6e81d43bc09151b8510e6482ce Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 17 Jan 2014 19:39:39 +0100
Subject: Make some modules use iptables-helper
---
 .../dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx | 8 ++++----
 .../opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw | 8 ++++++++
 .../redsocks/data/etc/systemd/system/redsocks.service | 3 ++-
 .../redsocks/data/opt/openslx/scripts/systemd-setup_proxy | 14 ++++++++++----
 .../opt/openslx/iptables/rules.d/50-virt-nat1-masquerading | 3 +++
 .../data/opt/openslx/scripts/systemd-vmchooser_env | 5 ++++-
 6 files changed, 31 insertions(+), 10 deletions(-)
 create mode 100755 remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
 create mode 100755 remote/modules/vmchooser/data/opt/openslx/iptables/rules.d/50-virt-nat1-masquerading
diff --git a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
index fe2fa252..00d22ba5 100755
--- a/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
+++ b/remote/modules/dhcpc-busybox/data/opt/openslx/scripts/udhcpc-openslx
@@ -163,10 +163,10 @@ case "$1" in
 # Mark network target as reached
 systemctl start network.target &
- # Port redirection for printing
- iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
- iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
- iptables -t nat -A PREROUTING -p tcp --dport 515 -j REDIRECT --to-port 5515
+ # Port redirection for printing happens in printergui modules (iptables-helper rule)
+ ####iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
+ ####iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
+ ####iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515
 fi
 ;;
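Review bot: The three `####`-commented iptables lines left in the handler are dead code, and the commented REDIRECT line is not even what was removed — it carries `-s 192.168.0.0/16`, which the old rule did not — so it misleads rather than documents history. Delete the three commented lines and make the remaining comment name the concrete rule file, `# lpd port redirection/firewalling (515/5515) now lives in /opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw (printergui module)`, in the same style as the vmchooser comment elsewhere in this commit. Note that after this change nothing in this script closes 515/5515 on br0 any more; a build without the printergui module gets no DROP rules from anywhere in this diff, which is acceptable only if the listener on 5515 also exists solely in that module — worth confirming and stating in the comment. The `if` closed by the `fi` in this hunk starts outside it.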
diff --git a/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
new file mode 100755
index 00000000..c0b724a2
--- /dev/null
+++ b/remote/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw
@@ -0,0 +1,8 @@
+#!/bin/ash
+
+# Close from outside
+iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP
+iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP
+# Redirect from VM to lpd
+iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515
+
diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
index ab10aa55..a1c2b089 100644
--- a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
+++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
@@ -7,5 +7,6 @@ Type=forking
 User=redsocks
 PIDFile=/run/redsocks/redsocks.pid
 ExecStart=/sbin/redsocks -c /etc/redsocks.conf -p /run/redsocks/redsocks.pid
-ExecStopPost=/bin/rm /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /run/redsocks/redsocks.pid
+ExecStopPost=/bin/rm -f /opt/openslx/iptables/rules.d/10-redoscks-proxy
 Restart=on-abort
diff --git a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
index 4f802f53..94cb7688 100755
--- a/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
+++ b/remote/modules/redsocks/data/opt/openslx/scripts/systemd-setup_proxy
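Review bot: All three rules are appended unconditionally with `-A`, so each time the iptables-helper runs this file (how often is not visible here, but the udhcpc hook it replaces fired on every DHCP bind) the same rules are added again, and because they are appended any earlier ACCEPT in INPUT still wins over the DROPs. Guard each insertion so the file is idempotent, e.g. `iptables -C INPUT -i br0 -p tcp --dport 515 -j DROP 2>/dev/null || iptables -I INPUT -i br0 -p tcp --dport 515 -j DROP`, likewise for the 5515 rule and the `-t nat` REDIRECT, using `-I` only if the DROPs must precede existing ACCEPT rules (whether any exist is not visible here). The file also only covers IPv4; if the lpd listener on 5515 binds to `::` as well, a matching `ip6tables` DROP on br0 is needed or "close from outside" is not achieved. A one-line statement of intent above the rules would help the next reader, e.g. `# 5515 appears to be the local lpd listener: blocked from the physical network (br0), reachable only through the 515->5515 REDIRECT applied to VM traffic from 192.168.0.0/16`.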
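Review bot: `ExecStopPost=` runs on every stop of the unit, including the stop systemd performs before a `Restart=on-abort` restart, so after an abort the restarted redsocks comes up with `/opt/openslx/iptables/rules.d/10-redoscks-proxy` already deleted and nothing in this unit recreates it — the file is written by systemd-setup_proxy, outside the unit. Deleting the file also does not remove whatever the helper already loaded into the kernel, so the redirect rules presumably keep steering traffic at a proxy that is gone until it is back; whether that fail-closed behaviour is intended should be said in a comment on the `ExecStopPost=` line. Consider letting the unit own the file, writing it from an `ExecStartPost=` script and removing it in `ExecStopPost=`, or simply keep the rule file across restarts. The name `10-redoscks-proxy` is a typo for `redsocks`; it matches the setup script today, but the two must be renamed together.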
@@ -29,8 +29,12 @@ mkdir -p /run/redsocks chown redsocks:redsocks /run/redsocks systemctl start redsocks +cat > "/opt/openslx/iptables/rules.d/10-redoscks-proxy" </proc/sys/net/ipv4/conf/nat1/forwarding echo "1" >/proc/sys/net/ipv4/conf/br0/forwarding 2>/dev/null -iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE +# iptables masquerade rule is now inserted by /opt/openslx/iptables/rules.d/50-virt-nat1-masquerading +### iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/16 -j MASQUERADE for wait in 1 1 2 2 3 end; do grep '^SLX_DNS' "/opt/openslx/config" > /dev/null && break -- cgit v1.2.3-55-g7522