On Mon, Aug 10, 2009 at 08:55:55PM +0200, Martin Langhoff wrote:
> On Fri, Aug 7, 2009 at 2:15 PM, Joshua N Pritikin<jpriti...@pobox.com> wrote:
> > Here is the script I promised Martin.
>
> Right - thanks for that! I assume it works well and it's been tested
> for normal and ppp0 connectivity over there. How do you trigger it?
/etc/init.d/iptables sets IPTABLES_CONFIG to
/etc/sysconfig/iptables-config and runs it.
I'm not sure what /etc/sysconfig/iptables-config.in is for. It seems to
be ignored.
> Can you load the ruleset even if ppp0 is down?
Yes.
> I am wondering -- do we want local admins teams to be able to add
> rules relatively easily, in normal iptables syntax (meaning they can
> copy rules from books and howtos)? If so, a template to run through
> 'sed' might work better?
>
> What do you think?
See my attempt, attached.
>From 339584865b35531cb03f1b52feedb35a2dd1b4a3 Mon Sep 17 00:00:00 2001
From: root <r...@schoolserver.nashik.xs.laptop.org>
Date: Fri, 7 Aug 2009 10:26:23 +0530
Subject: [PATCH] Automate iptable rules generation
---
sysconfig/iptables-config | 7 +----
sysconfig/olpc-scripts/gen-iptables | 37 +++++++++++++++++++++++++++++++++
sysconfig/olpc-scripts/iptables-xs.in | 12 ++++++++++
sysconfig/xs_wan_device | 1 +
4 files changed, 52 insertions(+), 5 deletions(-)
create mode 100755 sysconfig/olpc-scripts/gen-iptables
create mode 100644 sysconfig/olpc-scripts/iptables-xs.in
create mode 100644 sysconfig/xs_wan_device
diff --git a/sysconfig/iptables-config b/sysconfig/iptables-config
index 819d809..f22076e 100755
--- a/sysconfig/iptables-config
+++ b/sysconfig/iptables-config
@@ -7,11 +7,8 @@
## config settings
SERVER_NUM=`cat /etc/sysconfig/xs_server_number`
if [ $SERVER_NUM=1 ];then
- if [ -e /etc/sysconfig/xs_httpcache_on ]; then
- IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal.cache
- else
- IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal
- fi
+ IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables-xs
+ /etc/sysconfig/olpc-scripts/gen-iptables > $IPTABLES_DATA
fi
# Load additional iptables modules (nat helpers)
diff --git a/sysconfig/olpc-scripts/gen-iptables b/sysconfig/olpc-scripts/gen-iptables
new file mode 100755
index 0000000..a049b31
--- /dev/null
+++ b/sysconfig/olpc-scripts/gen-iptables
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+
+import re;
+import os;
+import logging;
+
+#sysconfig = './' # for testing
+sysconfig = '/etc/sysconfig/'
+
+wan = 'eth0'
+try:
+ conf = sysconfig + 'xs_wan_device'
+ file = open(conf)
+ wan = file.readline()
+ wan = re.sub(r'\s$', '', wan)
+except IOError:
+ logging.warning(conf + " not found, assuming "+wan)
+
+try:
+ conf = sysconfig + 'xs_httpcache_on'
+ os.stat(conf)
+ squid = 1
+except OSError:
+ squid = 0
+
+#print("wan="+wan+" squid=%i" % squid)
+
+template = open(sysconfig + 'olpc-scripts/iptables-xs.in')
+for line in template:
+ if re.match('@@MASQ@@', line):
+ print '-A POSTROUTING -o %s -j MASQUERADE' % wan
+ elif (re.match('@@SQUID@@', line)):
+ if squid:
+ for inf in ('lanbond0', 'mshbond0', 'mshbond1', 'mshbond2'):
+ print '-A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 3128' % inf
+ else:
+ print(line.rstrip())
diff --git a/sysconfig/olpc-scripts/iptables-xs.in b/sysconfig/olpc-scripts/iptables-xs.in
new file mode 100644
index 0000000..11dfb9f
--- /dev/null
+++ b/sysconfig/olpc-scripts/iptables-xs.in
@@ -0,0 +1,12 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+@@SQUID@@
+@@MASQ@@
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/sysconfig/xs_wan_device b/sysconfig/xs_wan_device
new file mode 100644
index 0000000..d4398d5
--- /dev/null
+++ b/sysconfig/xs_wan_device
@@ -0,0 +1 @@
+ppp0
--
1.6.0.6
_______________________________________________
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
