adding example runit-style service directory

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2009-11-06 04:04:19 +0100
committer: Denys Vlasenko <vda.linux@googlemail.com> 2009-11-06 04:04:19 +0100
commit: 6cf7f01256c39677a0a5561ebca60e8def9d6d7e (patch)
tree: 9751616a6653806d6703da369616d74e38f8b785 /examples/var_service/fw
parent: 85bb843f47342b19c4f0814331c1f4c78b0011ad (diff)
download: busybox-w32-6cf7f01256c39677a0a5561ebca60e8def9d6d7e.tar.gz
busybox-w32-6cf7f01256c39677a0a5561ebca60e8def9d6d7e.tar.bz2
busybox-w32-6cf7f01256c39677a0a5561ebca60e8def9d6d7e.zip
7 files changed, 306 insertions, 0 deletions
diff --git a/examples/var_service/fw/conf/11.22.33.44.ipconf-- b/examples/var_service/fw/conf/11.22.33.44.ipconf--
new file mode 100644
index 000000000..9b44e9048
--- /dev/null
+++ b/examples/var_service/fw/conf/11.22.33.44.ipconf--
@@ -0,0 +1,10 @@
+#!/bin/sh
+# If we have simple static address...
+#
+let cfg=cfg+1
+if[$cfg]=if
+ip[$cfg]=11.22.33.44
+ipmask[$cfg]=11.22.33.44/24
+gw[$cfg]=11.22.33.1
+net[$cfg]=0/0
+dns[$cfg]='11.22.33.2 11.22.33.3'
diff --git a/examples/var_service/fw/conf/192.168.0.1.ipconf b/examples/var_service/fw/conf/192.168.0.1.ipconf
new file mode 100644
index 000000000..5cf55dbc7
--- /dev/null
+++ b/examples/var_service/fw/conf/192.168.0.1.ipconf
@@ -0,0 +1,11 @@
+#!/bin/sh
+# A small network with no routers
+# (maybe *we* are their router)
+#
+let cfg=cfg+1
+if[$cfg]=if
+ip[$cfg]=192.168.0.1
+ipmask[$cfg]=192.168.0.1/24
+### gw[$cfg]=
+### net[$cfg]=0/0
+### dns[$cfg]=''
diff --git a/examples/var_service/fw/conf/lo.ipconf b/examples/var_service/fw/conf/lo.ipconf
new file mode 100644
index 000000000..e6be5f063
--- /dev/null
+++ b/examples/var_service/fw/conf/lo.ipconf
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Mostly redundant except when you need dns[]=your_static_dns_srv
+#
+let cfg=cfg+1
+if[$cfg]=lo
+ip[$cfg]=127.0.0.1
+ipmask[$cfg]=127.0.0.1/8
+gw[$cfg]=''
+net[$cfg]=''
+#dns[$cfg]=127.0.0.1
diff --git a/examples/var_service/fw/etc/hosts b/examples/var_service/fw/etc/hosts
new file mode 100644
index 000000000..f7ee533d2
--- /dev/null
+++ b/examples/var_service/fw/etc/hosts
@@ -0,0 +1,21 @@
+#!/bin/sh
+echo "\
+# This file is automagically regenerated
+# Note! /etc/nsswitch.conf may override this!
+# For loopbacking
+127.0.0.1 localhost
+# Our local IPs"
+hostname=`hostname`
+test "$hostname" || hostname=localhost
+domain=`(. /boot.conf; echo "$DNSDOMAINNAME")`
+test "$domain" && hostname="$hostname $hostname.$domain"
+ip -o a l \
+| grep -F 'inet ' \
+| sed -e 's/^.*inet //' -e 's:[ /].*$: '"$hostname"':'
+echo
+echo "# End of /etc/hosts"
diff --git a/examples/var_service/fw/etc/resolv.conf b/examples/var_service/fw/etc/resolv.conf
new file mode 100644
index 000000000..3f37b86f5
--- /dev/null
+++ b/examples/var_service/fw/etc/resolv.conf
@@ -0,0 +1,31 @@
+#!/bin/bash
+domain=`(. /boot.conf; echo "$DNSDOMAINNAME") 2>/dev/null`
+echo "# This file is automagically regenerated with each boot"
+echo
+test "$domain" && echo "domain $domain"
+test "$domain" && echo "search $domain"
+echo
+echo "# Note that nslookup can choke on DNS server which itself"
+echo "# does NOT have domain name. Other things can work fine."
+echo
+# # If we run DNS cache:
+# echo "nameserver 127.0.0.1"
+# exit
+prio=0
+i=0; while test "${if[$i]}"; do
+    test x"${dns_prio[$i]}" != x"" \
+    && test "${dns_prio[$i]}" -gt "$prio" \
+    && prio="${dns_prio[$i]}"
+let i++; done
+i=0; while test "${if[$i]}"; do
+    for d in ${dns[$i]}; do
+        p="${dns_prio[$i]}"
+        test x"$p" == x"" && p=0
+        test x"$p" == x"$prio" || continue
+        echo "nameserver $d"
+    done
+let i++; done
diff --git a/examples/var_service/fw/run b/examples/var_service/fw/run
new file mode 100755
index 000000000..f02f53dc1
--- /dev/null
+++ b/examples/var_service/fw/run
@@ -0,0 +1,211 @@
+#!/bin/bash
+# (using bashisms: "function", arrays)
+user=root
+extif=if
+ext_open_tcp="21 22 80" # space-separated
+# Make ourself one-shot
+sv o .
+# Debug
+#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
+service=`basename "$PWD"`
+rundir="/var/run/service/$service"
+### filter This is the default table (if no -t option is passed).  It contains
+###        the  built-in chains INPUT (for packets coming into the box itself),
+###        FORWARD (for packets being routed through the box), and OUTPUT (for
+###        locally-generated packets).
+###
+### nat    This table is consulted when a packet that creates a new connection
+###        is encountered.  It consists of three built-ins: PREROUTING (for
+###        altering packets as soon as they come in), OUTPUT (for altering
+###        locally-generated packets before routing), and POSTROUTING (for
+###        altering packets as they are about to go out).
+###
+### mangle It had two built-in chains: PREROUTING (for altering incoming
+###        packets before routing) and OUTPUT (for altering locally-generated
+###        packets before routing).  Recently three other built-in
+###        chains are added: INPUT (for packets coming into the box
+###        itself), FORWARD (for altering packets being routed through the
+###        box), and POSTROUTING (for altering packets as they are about to go
+###        out).
+###
+###       ...iface...                              ...iface...
+###          |                                        ^
+###          v                                        |
+### -mangle,NAT-               -mangle,filter-   -mangle,NAT--
+### |PREROUTING|-->[Routing]-->|FORWARD      |-->|POSTROUTING|
+### ------------    |    ^     ---------------   -------------
+###                 |    |                           ^
+###                 |    +--if NATed------------+    |
+###                 v                           |    |
+###      -mangle,filter-                -mangle,NAT,filter-
+###      |INPUT        |  +->[Routing]->|OUTPUT           |
+###      ---------------  |             -------------------
+###                 |     |
+###                 v     |
+###         ... Local Process...
+doit() {
+    echo "# $*"
+    "$@"
+}
+#exec >/dev/null
+exec >"$0.out"
+exec 2>&1
+exec </dev/null
+umask 077
+# Make sure rundir/ exists
+mkdir -p "$rundir" 2>/dev/null
+chown -R "$user:" "$rundir"
+chmod -R a=rX "$rundir"
+rm -rf rundir 2>/dev/null
+ln -s "$rundir" rundir
+# Timestamping
+date '+%Y-%m-%d %H:%M:%S'
+echo; echo "* Reading IP config"
+cfg=-1
+#             static cfg    dhcp,zeroconf etc
+for ipconf in conf/*.ipconf "$rundir"/*.ipconf; do
+        if test -f "$ipconf"; then
+                echo "+ $ipconf"
+                . "$ipconf"
+        fi
+done
+echo; echo "* Configuring hardware"
+#doit ethtool -s if autoneg off speed 100 duplex full
+#doit ethtool -K if rx off tx off sg off tso off
+echo; echo "* Resetting address and routing info"
+doit ip a f dev lo
+i=0; while test "${if[$i]}"; do
+    doit ip a f dev "${if[$i]}"
+    doit ip r f dev "${if[$i]}" root 0/0
+let i++; done
+echo; echo "* Configuring addresses"
+doit ip a a dev lo 127.0.0.1/8 scope host
+doit ip a a dev lo ::1/128 scope host
+i=0; while test "${if[$i]}"; do
+    if test "${ipmask[$i]}"; then
+        doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
+        doit ip l set dev "${if[$i]}" up
+    fi
+let i++; done
+echo; echo "* Configuring routes"
+i=0; while test "${if[$i]}"; do
+    if test "${net[$i]}" && test "${gw[$i]}"; then
+        doit ip r a "${net[$i]}" via "${gw[$i]}"
+    fi
+let i++; done
+echo; echo "* Recreating /etc/* files reflecting new network configuration:"
+for i in etc/*; do
+        n=`basename "$i"`
+        echo "+ $n"
+        (. "$i") >"/etc/$n"
+        chmod 644 "/etc/$n"
+done
+# Usage: new_chain <chain> [<table>]
+new_chain() {
+        local t=""
+        test x"$2" != x"" && t="-t $2"
+        doit iptables $t -N $1
+        ipt="iptables $t -A $1"
+}
+echo; echo "* Reset iptables"
+doit iptables           --flush
+doit iptables           --delete-chain
+doit iptables           --zero
+doit iptables -t nat    --flush
+doit iptables -t nat    --delete-chain
+doit iptables -t nat    --zero
+doit iptables -t mangle --flush
+doit iptables -t mangle --delete-chain
+doit iptables -t mangle --zero
+echo; echo "* Configure iptables"
+doit modprobe nf_nat_ftp
+doit modprobe nf_nat_tftp
+doit modprobe nf_conntrack_ftp
+doit modprobe nf_conntrack_tftp
+#       *** nat ***
+#       INCOMING TRAFFIC
+ipt="iptables -t nat -A PREROUTING"
+# nothing here
+#       LOCALLY ORIGINATED TRAFFIC
+ipt="iptables -t nat -A OUTPUT"
+# nothing here
+#       OUTGOING TRAFFIC
+ipt="iptables -t nat -A POSTROUTING"
+# Masquerade boxes on my private net
+doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
+#       *** mangle ***
+### DEBUG
+### ipt="iptables -t mangle -A PREROUTING"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+### ipt="iptables -t mangle -A FORWARD"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+### ipt="iptables -t mangle -A POSTROUTING"
+### doit $ipt -s 192.168.0.0/24 -j RETURN
+# nothing here
+#       *** filter ***
+#
+new_chain iext filter
+#doit $ipt -s 203.177.104.72 -j DROP    # Some idiot probes my ssh
+#doit $ipt -d 203.177.104.72 -j DROP    # Some idiot probes my ssh
+doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN  # FTP data etc is ok
+if test "$ext_open_tcp"; then
+        portlist="${ext_open_tcp// /,}"
+        doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
+fi
+doit $ipt -p tcp -j REJECT      # Anything else isn't ok. REJECT = irc opens faster
+                                # (it probes proxy ports, DROP will incur timeout delays)
+ipt="iptables -t filter -A INPUT"
+doit $ipt -i $extif -j iext
+echo; echo "* Enabling forwarding"
+echo 1 >/proc/sys/net/ipv4/ip_forward
+echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
+# Signal everybody that firewall is up
+date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
+# Ok, spew out gobs of info and disable ourself
+echo; echo "* IP:"
+ip a l
+echo; echo "* Routing:"
+ip r l
+echo; echo "* Firewall:"
+{
+echo '---FILTER--';
+iptables -v -L -x -n;
+echo '---NAT-----';
+iptables -t nat -v -L -x -n;
+echo '---MANGLE--';
+iptables -t mangle -v -L -x -n;
+} \
+| grep -v '^$' | grep -Fv 'bytes target'
+echo
+echo "* End of firewall configuration"
diff --git a/examples/var_service/fw/stat b/examples/var_service/fw/stat
new file mode 100755
index 000000000..08736ada8
--- /dev/null
+++ b/examples/var_service/fw/stat
@@ -0,0 +1,12 @@
+#!/bin/sh
+echo; echo "* Firewall:"
+{
+echo '---FILTER--';
+iptables -v -L -x -n;
+echo '---NAT-----';
+iptables -t nat -v -L -x -n;
+echo '---MANGLE--';
+iptables -t mangle -v -L -x -n;
+} \
+| grep -v '^$' | grep -Fv 'bytes target' | $PAGER
author	Denys Vlasenko <vda.linux@googlemail.com>	2009-11-06 04:04:19 +0100
committer	Denys Vlasenko <vda.linux@googlemail.com>	2009-11-06 04:04:19 +0100
commit	6cf7f01256c39677a0a5561ebca60e8def9d6d7e (patch)
tree	9751616a6653806d6703da369616d74e38f8b785 /examples/var_service/fw
parent	85bb843f47342b19c4f0814331c1f4c78b0011ad (diff)
download	busybox-w32-6cf7f01256c39677a0a5561ebca60e8def9d6d7e.tar.gz busybox-w32-6cf7f01256c39677a0a5561ebca60e8def9d6d7e.tar.bz2 busybox-w32-6cf7f01256c39677a0a5561ebca60e8def9d6d7e.zip

diff --git a/examples/var_service/fw/conf/11.22.33.44.ipconf-- b/examples/var_service/fw/conf/11.22.33.44.ipconf-- new file mode 100644 index 000000000..9b44e9048 --- /dev/null +++ b/examples/var_service/fw/conf/11.22.33.44.ipconf--
@@ -0,0 +1,10 @@
	1	#!/bin/sh
	2	# If we have simple static address...
	3	#
	4	let cfg=cfg+1
	5	if[$cfg]=if
	6	ip[$cfg]=11.22.33.44
	7	ipmask[$cfg]=11.22.33.44/24
	8	gw[$cfg]=11.22.33.1
	9	net[$cfg]=0/0
	10	dns[$cfg]='11.22.33.2 11.22.33.3'


diff --git a/examples/var_service/fw/conf/192.168.0.1.ipconf b/examples/var_service/fw/conf/192.168.0.1.ipconf new file mode 100644 index 000000000..5cf55dbc7 --- /dev/null +++ b/examples/var_service/fw/conf/192.168.0.1.ipconf
@@ -0,0 +1,11 @@
	1	#!/bin/sh
	2	# A small network with no routers
	3	# (maybe we are their router)
	4	#
	5	let cfg=cfg+1
	6	if[$cfg]=if
	7	ip[$cfg]=192.168.0.1
	8	ipmask[$cfg]=192.168.0.1/24
	9	### gw[$cfg]=
	10	### net[$cfg]=0/0
	11	### dns[$cfg]=''


diff --git a/examples/var_service/fw/conf/lo.ipconf b/examples/var_service/fw/conf/lo.ipconf new file mode 100644 index 000000000..e6be5f063 --- /dev/null +++ b/examples/var_service/fw/conf/lo.ipconf
@@ -0,0 +1,10 @@
	1	#!/bin/bash
	2	# Mostly redundant except when you need dns[]=your_static_dns_srv
	3	#
	4	let cfg=cfg+1
	5	if[$cfg]=lo
	6	ip[$cfg]=127.0.0.1
	7	ipmask[$cfg]=127.0.0.1/8
	8	gw[$cfg]=''
	9	net[$cfg]=''
	10	#dns[$cfg]=127.0.0.1


diff --git a/examples/var_service/fw/etc/hosts b/examples/var_service/fw/etc/hosts new file mode 100644 index 000000000..f7ee533d2 --- /dev/null +++ b/examples/var_service/fw/etc/hosts
@@ -0,0 +1,21 @@
	1	#!/bin/sh
	2	echo "\
	3	# This file is automagically regenerated
	4	# Note! /etc/nsswitch.conf may override this!
	5
	6	# For loopbacking
	7	127.0.0.1 localhost
	8
	9	# Our local IPs"
	10
	11	hostname=`hostname`
	12	test "$hostname" \|\| hostname=localhost
	13	domain=`(. /boot.conf; echo "$DNSDOMAINNAME")`
	14	test "$domain" && hostname="$hostname $hostname.$domain"
	15
	16	ip -o a l \
	17	\| grep -F 'inet ' \
	18	\| sed -e 's/^.inet //' -e 's:[ /].$: '"$hostname"':'
	19
	20	echo
	21	echo "# End of /etc/hosts"


diff --git a/examples/var_service/fw/etc/resolv.conf b/examples/var_service/fw/etc/resolv.conf new file mode 100644 index 000000000..3f37b86f5 --- /dev/null +++ b/examples/var_service/fw/etc/resolv.conf
@@ -0,0 +1,31 @@
	1	#!/bin/bash
	2
	3	domain=`(. /boot.conf; echo "$DNSDOMAINNAME") 2>/dev/null`
	4
	5	echo "# This file is automagically regenerated with each boot"
	6	echo
	7	test "$domain" && echo "domain $domain"
	8	test "$domain" && echo "search $domain"
	9	echo
	10	echo "# Note that nslookup can choke on DNS server which itself"
	11	echo "# does NOT have domain name. Other things can work fine."
	12	echo
	13	# # If we run DNS cache:
	14	# echo "nameserver 127.0.0.1"
	15	# exit
	16
	17	prio=0
	18	i=0; while test "${if[$i]}"; do
	19	test x"${dns_prio[$i]}" != x"" \
	20	&& test "${dns_prio[$i]}" -gt "$prio" \
	21	&& prio="${dns_prio[$i]}"
	22	let i++; done
	23
	24	i=0; while test "${if[$i]}"; do
	25	for d in ${dns[$i]}; do
	26	p="${dns_prio[$i]}"
	27	test x"$p" == x"" && p=0
	28	test x"$p" == x"$prio" \|\| continue
	29	echo "nameserver $d"
	30	done
	31	let i++; done


diff --git a/examples/var_service/fw/run b/examples/var_service/fw/run new file mode 100755 index 000000000..f02f53dc1 --- /dev/null +++ b/examples/var_service/fw/run
@@ -0,0 +1,211 @@
	1	#!/bin/bash
	2	# (using bashisms: "function", arrays)
	3
	4	user=root
	5	extif=if
	6	ext_open_tcp="21 22 80" # space-separated
	7
	8	# Make ourself one-shot
	9	sv o .
	10	# Debug
	11	#date '+%Y-%m-%d %H:%M:%S' >>"$0.log"
	12
	13	service=`basename "$PWD"`
	14	rundir="/var/run/service/$service"
	15
	16	### filter This is the default table (if no -t option is passed). It contains
	17	### the built-in chains INPUT (for packets coming into the box itself),
	18	### FORWARD (for packets being routed through the box), and OUTPUT (for
	19	### locally-generated packets).
	20	###
	21	### nat This table is consulted when a packet that creates a new connection
	22	### is encountered. It consists of three built-ins: PREROUTING (for
	23	### altering packets as soon as they come in), OUTPUT (for altering
	24	### locally-generated packets before routing), and POSTROUTING (for
	25	### altering packets as they are about to go out).
	26	###
	27	### mangle It had two built-in chains: PREROUTING (for altering incoming
	28	### packets before routing) and OUTPUT (for altering locally-generated
	29	### packets before routing). Recently three other built-in
	30	### chains are added: INPUT (for packets coming into the box
	31	### itself), FORWARD (for altering packets being routed through the
	32	### box), and POSTROUTING (for altering packets as they are about to go
	33	### out).
	34	###
	35	### ...iface... ...iface...
	36	### \| ^
	37	### v \|
	38	### -mangle,NAT- -mangle,filter- -mangle,NAT--
	39	### \|PREROUTING\|-->[Routing]-->\|FORWARD \|-->\|POSTROUTING\|
	40	### ------------ \| ^ --------------- -------------
	41	### \| \| ^
	42	### \| +--if NATed------------+ \|
	43	### v \| \|
	44	### -mangle,filter- -mangle,NAT,filter-
	45	### \|INPUT \| +->[Routing]->\|OUTPUT \|
	46	### --------------- \| -------------------
	47	### \| \|
	48	### v \|
	49	### ... Local Process...
	50
	51	doit() {
	52	echo "# $*"
	53	"$@"
	54	}
	55
	56	#exec >/dev/null
	57	exec >"$0.out"
	58	exec 2>&1
	59	exec </dev/null
	60
	61	umask 077
	62
	63	# Make sure rundir/ exists
	64	mkdir -p "$rundir" 2>/dev/null
	65	chown -R "$user:" "$rundir"
	66	chmod -R a=rX "$rundir"
	67	rm -rf rundir 2>/dev/null
	68	ln -s "$rundir" rundir
	69
	70	# Timestamping
	71	date '+%Y-%m-%d %H:%M:%S'
	72
	73
	74	echo; echo "* Reading IP config"
	75	cfg=-1
	76	# static cfg dhcp,zeroconf etc
	77	for ipconf in conf/.ipconf "$rundir"/.ipconf; do
	78	if test -f "$ipconf"; then
	79	echo "+ $ipconf"
	80	. "$ipconf"
	81	fi
	82	done
	83
	84	echo; echo "* Configuring hardware"
	85	#doit ethtool -s if autoneg off speed 100 duplex full
	86	#doit ethtool -K if rx off tx off sg off tso off
	87
	88	echo; echo "* Resetting address and routing info"
	89	doit ip a f dev lo
	90	i=0; while test "${if[$i]}"; do
	91	doit ip a f dev "${if[$i]}"
	92	doit ip r f dev "${if[$i]}" root 0/0
	93	let i++; done
	94
	95	echo; echo "* Configuring addresses"
	96	doit ip a a dev lo 127.0.0.1/8 scope host
	97	doit ip a a dev lo ::1/128 scope host
	98	i=0; while test "${if[$i]}"; do
	99	if test "${ipmask[$i]}"; then
	100	doit ip a a dev "${if[$i]}" "${ipmask[$i]}" brd +
	101	doit ip l set dev "${if[$i]}" up
	102	fi
	103	let i++; done
	104
	105	echo; echo "* Configuring routes"
	106	i=0; while test "${if[$i]}"; do
	107	if test "${net[$i]}" && test "${gw[$i]}"; then
	108	doit ip r a "${net[$i]}" via "${gw[$i]}"
	109	fi
	110	let i++; done
	111
	112	echo; echo "* Recreating /etc/* files reflecting new network configuration:"
	113	for i in etc/*; do
	114	n=`basename "$i"`
	115	echo "+ $n"
	116	(. "$i") >"/etc/$n"
	117	chmod 644 "/etc/$n"
	118	done
	119
	120
	121	# Usage: new_chain <chain> [<table>]
	122	new_chain() {
	123	local t=""
	124	test x"$2" != x"" && t="-t $2"
	125	doit iptables $t -N $1
	126	ipt="iptables $t -A $1"
	127	}
	128
	129	echo; echo "* Reset iptables"
	130	doit iptables --flush
	131	doit iptables --delete-chain
	132	doit iptables --zero
	133	doit iptables -t nat --flush
	134	doit iptables -t nat --delete-chain
	135	doit iptables -t nat --zero
	136	doit iptables -t mangle --flush
	137	doit iptables -t mangle --delete-chain
	138	doit iptables -t mangle --zero
	139
	140	echo; echo "* Configure iptables"
	141	doit modprobe nf_nat_ftp
	142	doit modprobe nf_nat_tftp
	143	doit modprobe nf_conntrack_ftp
	144	doit modprobe nf_conntrack_tftp
	145
	146	# * nat *
	147	# INCOMING TRAFFIC
	148	ipt="iptables -t nat -A PREROUTING"
	149	# nothing here
	150
	151	# LOCALLY ORIGINATED TRAFFIC
	152	ipt="iptables -t nat -A OUTPUT"
	153	# nothing here
	154
	155	# OUTGOING TRAFFIC
	156	ipt="iptables -t nat -A POSTROUTING"
	157	# Masquerade boxes on my private net
	158	doit $ipt -s 192.168.0.0/24 -o $extif -j MASQUERADE
	159
	160	# * mangle *
	161	### DEBUG
	162	### ipt="iptables -t mangle -A PREROUTING"
	163	### doit $ipt -s 192.168.0.0/24 -j RETURN
	164	### ipt="iptables -t mangle -A FORWARD"
	165	### doit $ipt -s 192.168.0.0/24 -j RETURN
	166	### ipt="iptables -t mangle -A POSTROUTING"
	167	### doit $ipt -s 192.168.0.0/24 -j RETURN
	168	# nothing here
	169
	170	# * filter *
	171	#
	172	new_chain iext filter
	173	#doit $ipt -s 203.177.104.72 -j DROP # Some idiot probes my ssh
	174	#doit $ipt -d 203.177.104.72 -j DROP # Some idiot probes my ssh
	175	doit $ipt -m state --state ESTABLISHED,RELATED -j RETURN # FTP data etc is ok
	176	if test "$ext_open_tcp"; then
	177	portlist="${ext_open_tcp// /,}"
	178	doit $ipt -p tcp -m multiport --dports $portlist -j RETURN
	179	fi
	180	doit $ipt -p tcp -j REJECT # Anything else isn't ok. REJECT = irc opens faster
	181	# (it probes proxy ports, DROP will incur timeout delays)
	182	ipt="iptables -t filter -A INPUT"
	183	doit $ipt -i $extif -j iext
	184
	185
	186	echo; echo "* Enabling forwarding"
	187	echo 1 >/proc/sys/net/ipv4/ip_forward
	188	echo "/proc/sys/net/ipv4/ip_forward: `cat /proc/sys/net/ipv4/ip_forward`"
	189
	190
	191	# Signal everybody that firewall is up
	192	date '+%Y-%m-%d %H:%M:%S' >"$rundir/up"
	193
	194	# Ok, spew out gobs of info and disable ourself
	195	echo; echo "* IP:"
	196	ip a l
	197	echo; echo "* Routing:"
	198	ip r l
	199	echo; echo "* Firewall:"
	200	{
	201	echo '---FILTER--';
	202	iptables -v -L -x -n;
	203	echo '---NAT-----';
	204	iptables -t nat -v -L -x -n;
	205	echo '---MANGLE--';
	206	iptables -t mangle -v -L -x -n;
	207	} \
	208	\| grep -v '^$' \| grep -Fv 'bytes target'
	209	echo
	210
	211	echo "* End of firewall configuration"


diff --git a/examples/var_service/fw/stat b/examples/var_service/fw/stat new file mode 100755 index 000000000..08736ada8 --- /dev/null +++ b/examples/var_service/fw/stat
@@ -0,0 +1,12 @@
	1	#!/bin/sh
	2
	3	echo; echo "* Firewall:"
	4	{
	5	echo '---FILTER--';
	6	iptables -v -L -x -n;
	7	echo '---NAT-----';
	8	iptables -t nat -v -L -x -n;
	9	echo '---MANGLE--';
	10	iptables -t mangle -v -L -x -n;
	11	} \
	12	\| grep -v '^$' \| grep -Fv 'bytes target' \| $PAGER