diff options
| author | Silvino Silva <silvino@bk.ru> | 2017-02-13 21:44:14 +0000 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2017-02-13 21:44:14 +0000 |
| commit | d11608eafc201f6fc5e6fad86eb76908f489deda (patch) | |
| tree | b4db540ef22fd721a4cd3c28960cdb5d94976b07 /tools/conf/etc/rc.d | |
| parent | fe8a27dbed462a55c7f5cdfd993664abb07ce997 (diff) | |
| download | doc-d11608eafc201f6fc5e6fad86eb76908f489deda.tar.gz | |
tools network revision
Diffstat (limited to 'tools/conf/etc/rc.d')
| -rwxr-xr-x | tools/conf/etc/rc.d/blan | 14 | ||||
| -rwxr-xr-x | tools/conf/etc/rc.d/iptables | 81 |
2 files changed, 93 insertions, 2 deletions
diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan index f3ea322..56d1809 100755 --- a/tools/conf/etc/rc.d/blan +++ b/tools/conf/etc/rc.d/blan @@ -4,10 +4,10 @@ # DEV="br0" +PHY="enp8s0" -ADDR=10.0.0.254 +ADDR=10.0.0.1 NET=10.0.0.0 -GW=192.168.1.254 MASK=24 # one tap for each cpu core @@ -20,6 +20,16 @@ case $1 in /sbin/ip link set dev ${DEV} up /bin/sleep 0.2s + /sbin/ip link set dev ${PHY} down + /bin/sleep 0.1s + /sbin/ip route flush dev ${PHY} + /sbin/ip addr flush dev ${PHY} + /sbin/ip link set dev ${PHY} up + /bin/sleep 0.2s + + /sbin/ip link set dev ${PHY} master ${DEV} + #/sbin/ip route add default via ${GW} + for i in `/usr/bin/seq $NTAPS` do TAP="tap$i" diff --git a/tools/conf/etc/rc.d/iptables b/tools/conf/etc/rc.d/iptables new file mode 100755 index 0000000..23f5485 --- /dev/null +++ b/tools/conf/etc/rc.d/iptables @@ -0,0 +1,81 @@ +#!/bin/sh +# +# /etc/rc.d/iptables: load/unload iptable rules +# + +#rules=rules.v4 +rules=vlan.v4 + +iptables_clear () { + echo "clear all iptables tables" + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X +} + +case $1 in + start) + iptables_clear + echo "starting IPv4 firewall filter table..." + /usr/sbin/iptables-restore < /etc/iptables/${rules} + ;; + stop) + iptables_clear + echo "stopping firewall and deny everyone..." + /usr/sbin/iptables -P INPUT DROP + /usr/sbin/iptables -P FORWARD DROP + /usr/sbin/iptables -P OUTPUT DROP + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + + ;; + open) + iptables_clear + echo "outgoing Open firewall and deny everyone..." + + /usr/sbin/iptables -P INPUT DROP + /usr/sbin/iptables -P FORWARD DROP + /usr/sbin/iptables -P OUTPUT ACCEPT + + /usr/sbin/iptables -A OUTPUT -j ACCEPT + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + + ;; + + restart) + $0 stop + $0 start + ;; + *) + + echo "usage: $0 [start|stop|restart]" + ;; +esac + +# End of file |