On Mon, Aug 10, 2009 at 08:55:55PM +0200, Martin Langhoff wrote:
> On Fri, Aug 7, 2009 at 2:15 PM, Joshua N Pritikin<jpriti...@pobox.com> wrote:
> > Here is the script I promised Martin.
>
> Right - thanks for that! I assume it works well and it's been tested for normal and ppp0 connectivity over there. How do you trigger it?
/etc/init.d/iptables sets IPTABLES_CONFIG to /etc/sysconfig/iptables-config and runs it. I'm not sure what /etc/sysconfig/iptables-config.in is for. It seems to be ignored.

> Can you load the ruleset even if ppp0 is down?

Yes.

> I am wondering -- do we want local admin teams to be able to add rules relatively easily, in normal iptables syntax (meaning they can copy rules from books and howtos)? If so, a template to run through 'sed' might work better?
>
> What do you think?

See my attempt, attached.
>From 339584865b35531cb03f1b52feedb35a2dd1b4a3 Mon Sep 17 00:00:00 2001 From: root <r...@schoolserver.nashik.xs.laptop.org> Date: Fri, 7 Aug 2009 10:26:23 +0530 Subject: [PATCH] Automate iptable rules generation --- sysconfig/iptables-config | 7 +---- sysconfig/olpc-scripts/gen-iptables | 37 +++++++++++++++++++++++++++++++++ sysconfig/olpc-scripts/iptables-xs.in | 12 ++++++++++ sysconfig/xs_wan_device | 1 + 4 files changed, 52 insertions(+), 5 deletions(-) create mode 100755 sysconfig/olpc-scripts/gen-iptables create mode 100644 sysconfig/olpc-scripts/iptables-xs.in create mode 100644 sysconfig/xs_wan_device diff --git a/sysconfig/iptables-config b/sysconfig/iptables-config index 819d809..f22076e 100755 --- a/sysconfig/iptables-config +++ b/sysconfig/iptables-config @@ -7,11 +7,8 @@ ## config settings SERVER_NUM=`cat /etc/sysconfig/xs_server_number` if [ $SERVER_NUM=1 ];then - if [ -e /etc/sysconfig/xs_httpcache_on ]; then - IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal.cache - else - IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal - fi + IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables-xs + /etc/sysconfig/olpc-scripts/gen-iptables > $IPTABLES_DATA fi # Load additional iptables modules (nat helpers) diff --git a/sysconfig/olpc-scripts/gen-iptables b/sysconfig/olpc-scripts/gen-iptables new file mode 100755 index 0000000..a049b31 --- /dev/null +++ b/sysconfig/olpc-scripts/gen-iptables 
@@ -0,0 +1,37 @@ +#!/usr/bin/python + +import re; +import os; +import logging; + +#sysconfig = './' # for testing +sysconfig = '/etc/sysconfig/' + +wan = 'eth0' +try: + conf = sysconfig + 'xs_wan_device' + file = open(conf) + wan = file.readline() + wan = re.sub(r'\s$', '', wan) +except IOError: + logging.warning(conf + " not found, assuming "+wan) + +try: + conf = sysconfig + 'xs_httpcache_on' + os.stat(conf) + squid = 1 +except OSError: + squid = 0 + +#print("wan="+wan+" squid=%i" % squid) + +template = open(sysconfig + 'olpc-scripts/iptables-xs.in') +for line in template: + if re.match('@@MASQ@@', line): + print '-A POSTROUTING -o %s -j MASQUERADE' % wan + elif (re.match('@@SQUID@@', line)): + if squid: + for inf in ('lanbond0', 'mshbond0', 'mshbond1', 'mshbond2'): + print '-A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 3128' % inf + else: + print(line.rstrip()) diff --git a/sysconfig/olpc-scripts/iptables-xs.in b/sysconfig/olpc-scripts/iptables-xs.in new file mode 100644 index 0000000..11dfb9f --- /dev/null +++ b/sysconfig/olpc-scripts/iptables-xs.in @@ -0,0 +1,12 @@ +*nat +:PREROUTING ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +@@SQUID@@ +@@MASQ@@ +COMMIT +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT diff --git a/sysconfig/xs_wan_device b/sysconfig/xs_wan_device new file mode 100644 index 0000000..d4398d5 --- /dev/null +++ b/sysconfig/xs_wan_device @@ -0,0 +1 @@ +ppp0 -- 1.6.0.6
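Review bot: in the sysconfig/iptables-config hunk, the ruleset is produced with a bare redirection, `/etc/sysconfig/olpc-scripts/gen-iptables > $IPTABLES_DATA`, so if gen-iptables exits early (missing template, Python traceback) the shell has already truncated the file and /etc/init.d/iptables goes on to load an empty or partial ruleset without complaint. Write to a temporary file and only move it over `$IPTABLES_DATA` on a zero exit status, or at least check `$?` and leave the previous file in place on failure. While this block is being touched, the unchanged context line `if [ $SERVER_NUM=1 ];then` never compares anything: `$SERVER_NUM=1` is one non-empty word, so the test is always true; it should read `if [ "$SERVER_NUM" = 1 ]; then`.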
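Review bot: in the gen-iptables hunk, the interface name read from xs_wan_device goes straight into the MASQUERADE rule, and `re.sub(r'\s$', '', wan)` strips only a single trailing whitespace character, so a file with trailing spaces, a CRLF ending or extra words produces a malformed rule or stray arguments in the file handed to iptables-restore. Use `wan = file.readline().strip()` and reject anything that does not look like an interface name (for example `re.match(r'^[A-Za-z0-9_.:-]+$', wan)`), exiting non-zero rather than emitting a bad rule. Minor points in the same hunk: `file` shadows the builtin and is never closed; `re.match('@@MASQ@@', line)` is a plain prefix comparison and reads more clearly as `line.strip() == '@@MASQ@@'`; the script mixes the Python 2 print statement (`print '-A POSTROUTING ...'`) with the `print(...)` form, and the trailing semicolons on the imports can go.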
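Review bot: in the iptables-xs.in hunk, the `*filter` table carries only the three default ACCEPT chains and no rules, while the iptables-config hunk stops referencing iptables.principal and iptables.principal.cache without showing what they contained. If those files held any INPUT or FORWARD rules beyond the MASQUERADE and REDIRECT lines now generated, this change silently drops them; please confirm, and either delete the now-unreferenced files or say why they stay. A short comment at the top of the template naming the placeholders and noting that the output is regenerated by gen-iptables on every start would also serve the "local admins copying rules from howtos" case raised in the thread.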
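Review bot: in the sysconfig/xs_wan_device hunk, the shipped default is `ppp0`, but gen-iptables falls back to `eth0` when this file is absent or unreadable, so losing the file quietly moves masquerading to a different interface instead of failing. Pick one default and use it in both places, or make the missing-file case an error rather than a warning.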
_______________________________________________ Server-devel mailing list Server-devel@lists.laptop.org http://lists.laptop.org/listinfo/server-devel