
Initial Configuration

Some information about the initial configuration.

srv / firewall

The servers srv1 and srv2 have a minimal firewall that performs SNAT (masquerading, in fact) towards "the net".

The configuration on both machines is similar: one network interface for the NET (eth0), and one network interface for the LAN (eth1).

Here is the complete firewall script present on both machines in /etc/init.d/firewall.

#! /bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:      
# Short-Description: Load firewall at boot
# Description:       Load the firewall rules at boot (or later manually)
### END INIT INFO

set -e

iptables()
{
	die "Hey, you should not use iptables, but \$iptables"
}

iptables=/sbin/iptables
ip6tables=/sbin/ip6tables
iptablessave=/sbin/iptables-save
ip6tablessave=/sbin/ip6tables-save

usage()
{
  cat <<EOF
Usage:
  $0 {start|reload}

Loads the firewall rules.

EOF
  exit 0
}
die()
{
  # just to avoid any echo option to work
  cat <<EOF >&2
$@
EOF
  exit 1
}

checkbin()
{
  for bin ; do
    file=$(eval "echo \"\$$bin\"")
    [ -x "${file}" ] || die "$file missing"
  done
}
checkbin iptables iptablessave
checkbin ip6tables ip6tablessave

case "$1" in
  start) echo "Loading firewall" ;; # only real reason to be here
  stop) die "A firewall doesn't just stop" ;;
  reload) echo "Ok, we will pretend to reload ourselves..." ;;
  *) usage ;;
esac


# if we want to run the same command in both, ip4 and ip6
both()
{
  case "$1" in
    iptables)
      shift
      $iptables "$@"
      $ip6tables "$@"
      ;;
    *)
      "$@"
      ( iptables="${ip6tables}" iptablessave="${ip6tablessave}" "$@" )
      ;;
  esac
}
# set policies to ACCEPT, but filters to DROP
policies()
{
  table=
  chain=
  $iptablessave | grep '^[:*]' | while read a b c ; do
    case "$a" in
      # table change
      "*"*) table="${a#\*}" ;;
      # chain policy
      ":"*)
        [ "$b" = - ] && continue ; # user-chain
        [ "$table" = filter ] && continue ; # filter is always set to drop
        # make sure built-in non-filter chains have an accept policy
        chain="${a#:}"
        $iptables -t "$table" -P "$chain" ACCEPT ; 
        ;;
      # rules, nothing to do
      *) : ;;
    esac
  done
  for chain in INPUT OUTPUT FORWARD ; do
    $iptables -t filter -P "$chain" DROP
  done
}
flush()
{
  $iptablessave | grep '^\*' | while read table unused ; do
    table="${table#\*}"
    $iptables -t "$table" -F
    $iptables -t "$table" -X
  done
}
both policies
both flush

load()
{
# let us talk to ourself via loopback
both iptables -t filter -A OUTPUT -o lo -j ACCEPT
both iptables -t filter -A INPUT -i lo -j ACCEPT

# let established/related be
for chain in INPUT OUTPUT FORWARD ; do
  both iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
load_local
echo "Firewall loaded"
}

load_local()
{
:
########################################################################
# local rules

# eth0 = net, we should masquerade what gets out
$iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# very low level security - we don't care yet
# accept everything
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT

}

load
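As an added check (not code from the original page), the following shell snippet parses iptables-save output the way the script's policies() function does, to confirm what the script actually leaves in place on srv1/srv2: every filter chain policy still ACCEPT, and masquerading only on eth0. The sample ruleset is constructed; on a real host, pipe live iptables-save output into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit what the firewall script
# above leaves loaded, parsing iptables-save output as its policies() does.
# Constructed sample of iptables-save output after "firewall start" on srv1
sample_ruleset()
{
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}
# chain_policy TABLE CHAIN: print the chain's policy ("-" for user chains)
chain_policy()
{
  awk -v t="$1" -v c="$2" '
    /^\*/ { table = substr($0, 2) }
    /^:/ && table == t && substr($1, 2) == c { print $2 }'
}
# masquerades_on IFACE: succeed if nat/POSTROUTING masquerades traffic leaving IFACE
masquerades_on()
{
  awk -v iface="$1" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
      out = ""; jt = ""
      for (n = 3; n < NF; n++) { if ($n == "-o") out = $(n + 1); if ($n == "-j") jt = $(n + 1) }
      if (out == iface && jt == "MASQUERADE") found = 1
    }
    END { exit (found ? 0 : 1) }'
}
# filter_open_chains: name the filter chains still wide open (policy ACCEPT)
filter_open_chains()
{
  ruleset=$(cat) ; open=
  for chain in INPUT OUTPUT FORWARD ; do
    if [ "$(printf '%s\n' "$ruleset" | chain_policy filter "$chain")" = ACCEPT ] ; then
      open="${open:+$open }$chain"
    fi
  done
  printf '%s\n' "$open"
}
```

On a live machine, `iptables-save | filter_open_chains` printing all three chains confirms the "we don't care yet" state the script sets in load_local.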

Using the dependency mode for init scripts, I only had to run the following command for it to create the appropriate link:

update-rc.d firewall start 42

It adds the runlevel and automatically readjusts the start number.

system/tunnelling/initial.txt · Last modified: 2011/08/21 19:48 by ze