A hacker sent me these 3 scripts, parts of
which were extracted from a web site I posted
to this groups some time ago.
The 3 scripts have to be executable and in the PATH.
The front end script is vboxbr, it invokes the
other two.
You may have to edit one of the scripts to name your
EXternal interface (such as eth0) an your INTernal
interface (such as tap0).
So before you start vbox, you
sudo vboxbr start
and after you shut down vbox, you do
vboxbr stop
It is a terrible hack job by all I see, and some firewall
people will hate it because it sets the system firewall
to promiscuous mode. If you can improve upon it and make
it work without compromising the firewall, then please be
sure to post it back to this list.
Cheers,
JD
Jonathan Larsen wrote:
Hello all. i created a script to start and stop a TAP device and add it
to a bridge. http://pastebin.ca/947116 . when i test running it, it
creates the bridge and tap device. and stopping it removes both of
them.
when i add the info to host interface and start the vbox, i get this
error. http://pastebin.ca/947119 .
How i add it is putting tap0 as interface name and
sudo /home/agentc0re/rc.vbox_host_if start ,
sudo /home/agentc0re/rc.vbox_host_if stop for setup/terminate
application fields. i am part of the no password sudoers.
If i start the script before i start the vbox, it will start. However
my bridge does not work. Any idea's?
_______________________________________________
vbox-users mailing list
[email protected]
http://vbox.innotek.de/mailman/listinfo/vbox-users
#!/bin/sh
#
# rc.firewall-iptables
FWVER=0.76
#
# Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.76 - Added comments on why the default policy is ACCEPT
# 0.75 - Added more kernel modules to the comments section
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF="eth0"
INTIF="tap0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
echo -e " Done loading modules.\n"
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
# Isn't ACCEPT insecure? To some degree, YES, but this is our testing
# phase. Once we know that IPMASQ is working well, I recommend you run
# the rc.firewall-*-stronger rulesets which set the defaults to DROP but
# also include the critical additional rulesets to still let you connect to
# the IPMASQ server, etc.
#
echo " Clearing any existing rules and setting default policy.."
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-iptables v$FWVER done.\n"
exit 0
#!/bin/sh
case "$PATH" in
*/usr/local/bin*)
;;
*) PATH=$PATH:/usr/local/bin
;;
esac
set -x
[ $# -lt 1 ] && echo "Usage: %0 <start|stop>" && exit 1
# What I suggest you do is ensure the `iptables' tweaks don't execute.
# Change the following line as follows:
#
# From
# ----
# if [ $CHAIN_COUNT -gt 0 ] ; then
#
# To
# --
# if [ 1 -eq 0 -a $CHAIN_COUNT -gt 0 ] ; then
# ^^^^^^^^^^
#
# Once you get script working, you can add security back in ... :)
#
# Change the `TAP_OWNER' to your user name. I'm using `eth0' on my
# machine so you may need to ^eth0^YOUR_IFACE_HERE^
#
# The script creates two taps:
#
# tap0 - is bridged (see brctl) with `br0'
# tap1 - is used for a VM which doesn't get Internet access - see
# comments below
#
# I'm using static IP's on this machine so I assign a static IP to `br0'
#
# Cheers,
# -pablo
#
# -------8-<--8-<--8-<--8-<--8-<--8-<--
TUN_OWNER=jd
TAPS="tap0"
#
# tap0 is used by 'rim4db-server' and doesn't get Internet access
#
# If we need Internet access, include 'tap0' in the above list
# and set the Server's NIC to DHCP or manually configure
# it:
#
# ifconfig eth0 192.168.25.78 netmask 255.255.255.0
# route add default gw 192.168.25.1
#
# Notes:
# - might need to tweak /etc/resolv.conf too
# - 192.168.25.78 is a completely arbitrary value
#
case $1 in
start)
tunctl -t tap0 -u $TUN_OWNER
ifconfig tap0 10.1.1.1 netmask 255.255.255.0
#
# Release any IP information by downing the device
#
ifdown eth0
ifconfig eth0 0.0.0.0 promisc
brctl addbr br0
brctl addif br0 eth0
for TAP in $TAPS ; do
tunctl -t $TAP -u $TUN_OWNER
brctl addif br0 $TAP
ifconfig $TAP up
done
# ifconfig br0 192.168.25.4 netmask 255.255.255.0
# route add default gw 192.168.25.1
dhclient br0
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
ifdown eth0
ifconfig eth0 0.0.0.0 promisc
vboxfw start
cp /etc/resolv.conf.sav /etc/resolv.conf
;;
stop)
pid=`ps -ef | grep dhclient | grep br0 | grep -v grep | awk '{ print $2
}'`
[ x$pid != x ] && kill -9 $pid
ifconfig br0 down
brctl delif br0 eth0
brctl delif br0 tap0
brctl delbr br0
tunctl -d tap0
vboxfw stop
service network restart
cp /etc/resolv.conf.sav /etc/resolv.conf
;;
restart)
$0 stop
$0 start
;;
esac
exit 0
#!/bin/sh
PATH=$HOME/bin:$PATH
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-iptables ruleset.
#
# processname: firewall-iptables
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-iptables
# probe: true
# ----------------------------------------------------------------------------
# v05/24/03
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# [EMAIL PROTECTED]
#
# Updates
# -------
# 05/24/03 - removed a old networking up check that had some
# improper SGML ampersand conversions.
# ----------------------------------------------------------------------------
# Source function library.
. /etc/rc.d/init.d/functions
# Check that networking is up.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
[ -x /sbin/ifconfig ] || exit 0
# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
# See how we were called.
case "$1" in
start)
$HOME/bin/vbox-firewall-iptables
;;
stop)
iptables -F INPUT
iptables -P INPUT ACCEPT
iptables -A INPUT -i any -j ACCEPT
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -F FORWARD
iptables -P FORWARD ACCEPT
iptables -A FORWARD -i any -o any -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG
iptables -F -t nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -L
;;
mlist)
cat /proc/net/ip_conntrack
;;
*)
echo "Usage: firewall-iptables {start|stop|status|mlist}"
exit 1
esac
exit 0
_______________________________________________
vbox-users mailing list
[email protected]
http://vbox.innotek.de/mailman/listinfo/vbox-users
