Some Linux + Bash + a nice init script = nice forwarding

BlueVD
Well, I'm a lazy admin in general and I like things to be done automatically.
Due to an upgrade on my server (and to my lack of attention) I've lost my old scripts for automation regarding forwarding/masquerading/NATing. So, I found myself in a "world of pain" every time I had to reboot my server or every time the power would be out for more than 15 minutes (the lifespan of my UPS)...
So I got my lazy admin *** movin' and wrote a script. The main difference between my old script and this new one is that the latter is LSB compatible and works just as nicely as all the other init scripts, providing the basic functionality... So, without further ado, here's the source code:

Save it as /etc/init.d/firewall or /etc/rc.d/init.d/firewall, depending on your distro:
Code:
#!/bin/sh
#
# Startup script to initialize network masquerading/forwarding
#
# chkconfig: 2345 89 11
#
# description: Automatic base configuration for iptables to allow forwarding/masquerading IPV4 only
#
# Script Author:   Iscu Andrei <bluevd[at]gmail[dot]com>
# config: /etc/sysconfig/firewall
#
### BEGIN INIT INFO
# Provides: masquerading
# Default-Start: 2 3 4 5
# Short-Description: iptables basic forwarding
# Description: Automates basic rule creation for forwarding internal
#              networks using a simple config file located in
#              /etc/sysconfig/firewall
### END INIT INFO

# Get basic functions (gprintf, success and failure are expected from here) =]
. /etc/init.d/functions

CONFIG_FILE=/etc/sysconfig/firewall

sanity_check() {
    # check for various needed things: the iptables binary, the config file,
    # and exactly two IF_* lines (IF_IN and IF_OUT) in that config
    if [ ! -x /sbin/iptables ] || [ ! -f "$CONFIG_FILE" ] || \
       [ "$(grep -c '^IF' "$CONFIG_FILE")" -ne 2 ]; then
        SANITY_CHECK=1
    else
        SANITY_CHECK=0
        # the config is sourced as shell, so it must contain nothing but
        # the IF_IN= and IF_OUT= lines (anything else would be executed as root)
        . "$CONFIG_FILE"
    fi

    return $SANITY_CHECK
}

start() {
    # enable forwarding through sysctl rather than writing to /proc directly
    if [ "$(/sbin/sysctl -n net.ipv4.ip_forward)" != 1 ]; then
        /sbin/sysctl -w net.ipv4.ip_forward=1
    fi
    gprintf "Starting simple forwarding:"
    # Note: the FORWARD chain policy is left untouched. The ACCEPT rules below
    # only restrict traffic if that policy is DROP; with the default ACCEPT
    # policy everything is forwarded regardless of these rules.
    sanity_check && \
    /sbin/iptables -F && \
    /sbin/iptables -t nat -F && \
    /sbin/iptables -t nat -A POSTROUTING -o "$IF_OUT" -j MASQUERADE && \
    /sbin/iptables -A FORWARD -i "$IF_IN" -o "$IF_OUT" -j ACCEPT && \
    /sbin/iptables -A FORWARD -i "$IF_OUT" -o "$IF_IN" -m state --state RELATED,ESTABLISHED -j ACCEPT && \
    success "Starting simple forwarding" || \
    failure "Starting simple forwarding"
    echo
}

stop() {
    gprintf "Stopping simple forwarding:"
    # A simple iptables flush should bring up defaults, or you could use
    # the iptables init file with the restart param to have your defaults
    # loaded. Feel free to use any of them:
    #   init way (uncomment it and comment out both iptables -F lines below):
    #   /etc/init.d/iptables restart
    # sysctl -p reloads /etc/sysctl.conf, restoring the configured ip_forward value
    /sbin/sysctl -p
    sanity_check && \
    /sbin/iptables -t nat -F && \
    /sbin/iptables -F && \
    success "Stopping simple forwarding" || \
    failure "Stopping simple forwarding"
    echo
}

restart() {
    stop
    start
}

status() {
    # look for at least one MASQUERADE rule in the nat table leaving via $IF_OUT
    if sanity_check && \
       [ "$(/sbin/iptables -t nat -vL POSTROUTING | grep -c "MASQUERADE.*$IF_OUT")" -ge 1 ]; then
        echo "Forwarding is working from $IF_IN to $IF_OUT"
    else
        echo "Forwarding is not working."
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    status)
        status
        ;;
    *)
        gprintf "Usage: %s {start|stop|restart|reload|status}\n" "$0"
        exit 1
        ;;
esac

exit 0

And here's the config file (you need to save it as /etc/sysconfig/firewall):
Code:
# Basic firewall forwarding setup for the firewall init script...
# No white spaces before the param values please =]
###################
# INTERFACES CONFIG
###################
# IF_IN represents the internal NIC
# ex: IF_IN=eth1
IF_IN=eth1

# IF_OUT represents the uplink NIC
# ex: IF_OUT=eth0
IF_OUT=eth2

###################
# PORT CONFIGS
###################
# Drop ports:
# not done yet...
# Reject ports:
# not done yet...
# Log ports:
# not done yet...
# Accept ports:
# not done yet...


A few nice things about the script itself: it checks if everything is OK (iptables exists, the config file exists and has the proper lines), and if IP forwarding is disabled (net.ipv4.ip_forward=0) it sets it to 1 via sysconfig and not the "brute force" way (echo 1 > /proc/sys/net/[...]).
It works out of the box and is compatible with chkconfig... A future version will include some port configs and a few other misc things...
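Two details of the script above are worth tightening from a defender's point of view: the config file is sourced as shell (`. /etc/sysconfig/firewall`), so anyone who can write that file gets code run as root at the next boot, and the only validation is a count of lines starting with `IF`. The following is an added example, not BlueVD's script or part of the original post. It reads the same `IF_IN=`/`IF_OUT=` config format without executing it, validates the interface names, and prints the rule set with an explicit `FORWARD` DROP policy, flushing only the chains it owns instead of the whole filter table. The function names `validate_ifname`, `parse_fw_config`, `build_forward_rules`, the `FW_APPLY` variable and the file name `fw_example.sh` are this example's own choices; `-m conntrack --ctstate` stands in for the original `-m state --state`.

```shell
#!/bin/sh
# Added example (not part of the original post): read the IF_IN=/IF_OUT= config
# without sourcing it, validate the values, and emit the iptables rule set.
# Function names, FW_APPLY and the fw_example.sh file name are this example's own.

# Interface names: reject anything outside a conservative character set and
# the 15-character kernel limit (IFNAMSIZ - 1), so a value can never carry
# shell metacharacters or extra iptables arguments.
validate_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# parse_fw_config FILE: sets FW_IF_IN / FW_IF_OUT from the file's IF_IN= and
# IF_OUT= lines. Blank lines and comments are skipped; any other line, a
# duplicate key, an invalid name or IF_IN == IF_OUT makes it return 1.
# Nothing in the file is ever executed.
parse_fw_config() {
    cfg=$1
    FW_IF_IN='' FW_IF_OUT=''
    [ -f "$cfg" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)  continue ;;
            IF_IN=*)  [ -z "$FW_IF_IN" ]  || return 1; FW_IF_IN=${line#IF_IN=} ;;
            IF_OUT=*) [ -z "$FW_IF_OUT" ] || return 1; FW_IF_OUT=${line#IF_OUT=} ;;
            *)        return 1 ;;
        esac
    done < "$cfg"
    validate_ifname "$FW_IF_IN" && validate_ifname "$FW_IF_OUT" && [ "$FW_IF_IN" != "$FW_IF_OUT" ]
}

# build_forward_rules IF_IN IF_OUT: print the iptables commands, one per line.
# Unlike a bare "iptables -F", only the chains this script owns are flushed,
# and the FORWARD policy is set to DROP so the ACCEPT rules actually restrict.
build_forward_rules() {
    in_if=$1 out_if=$2
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -F FORWARD" \
        "iptables -t nat -F POSTROUTING" \
        "iptables -t nat -A POSTROUTING -o $out_if -j MASQUERADE" \
        "iptables -A FORWARD -i $in_if -o $out_if -j ACCEPT" \
        "iptables -A FORWARD -i $out_if -o $in_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# main [CONFIG]: dry run by default (prints the rules); FW_APPLY=1 executes them.
main() {
    if ! parse_fw_config "${1:-/etc/sysconfig/firewall}"; then
        echo "invalid firewall config: ${1:-/etc/sysconfig/firewall}" >&2
        return 1
    fi
    if [ "${FW_APPLY:-0}" = 1 ]; then
        build_forward_rules "$FW_IF_IN" "$FW_IF_OUT" | while IFS= read -r cmd; do
            $cmd || exit 1     # word splitting is safe here: both names were validated
        done
    else
        build_forward_rules "$FW_IF_IN" "$FW_IF_OUT"
    fi
}

# Run main only when executed directly as fw_example.sh, so the functions can
# also be sourced from an init script.
if [ "${0##*/}" = "fw_example.sh" ]; then
    main "$@"
fi
```

Running `sh fw_example.sh /etc/sysconfig/firewall` prints the six commands it would run; with `FW_APPLY=1` it executes them, and a config containing anything other than the two expected keys (a stray command, a second `IF_IN=`, a name with `;` or spaces) is rejected before any rule is touched.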
albuferque
It seems correct to me, you guys from Bacau are good at Linux.

Best regards
© 2005-2011 Frihost, forums powered by phpBB.