mirror of
https://github.com/unman/shaker.git
synced 2024-10-01 01:25:41 -04:00
Fix errors in tunnelling script
This commit is contained in:
unman
parent
3eded5fd48
commit
56ec5d6781
@ -7,8 +7,6 @@ Allow remote access to a named qube.
|
|||||||
Syntax: in.sh [-h | [ a|p ]] {add|delete} target {tcp|udp} {port number|service} [external port]
|
Syntax: in.sh [-h | [ a|p ]] {add|delete} target {tcp|udp} {port number|service} [external port]
|
||||||
options:
|
options:
|
||||||
h Print this help
|
h Print this help
|
||||||
a Auto mode
|
|
||||||
p Permanent rules
|
|
||||||
|
|
||||||
Specify target qube, action, tcp or udp, and target port, separated by spaces.
|
Specify target qube, action, tcp or udp, and target port, separated by spaces.
|
||||||
The target port can be given by port number or by name (e.g ssh).
|
The target port can be given by port number or by name (e.g ssh).
|
||||||
@ -35,32 +33,29 @@ exit
|
|||||||
|
|
||||||
# Check input port
|
# Check input port
|
||||||
check_port(){
|
check_port(){
|
||||||
if ! [ "$2" -eq "$2" >& /dev/null ];then
|
|
||||||
status=1
|
status=0
|
||||||
else
|
|
||||||
if [ $2 -lt 65536 ]; then
|
if [[ $2 =~ ^[0-9]+$ ]] ;then
|
||||||
status=0
|
if [ "$2" -lt 65536 ]; then
|
||||||
portnum=$2
|
portnum=$2
|
||||||
else
|
else
|
||||||
status=1
|
status=1
|
||||||
fi
|
fi
|
||||||
fi
|
else
|
||||||
if [ $status -ne 0 ]; then
|
if ! grep -q -w ^"$2"\ /etc/services ; then
|
||||||
if ! grep -q -w ^$2\ /etc/services ; then
|
status=1
|
||||||
echo "Specify usable port number or service name"
|
|
||||||
exit
|
|
||||||
else
|
else
|
||||||
portnum=$( getent services $2 |awk '{split($2,a,"/");print a[1]}')
|
portnum=$( getent services "$2" |awk 'match($0, /[0-9]+/){print substr($0, RSTART, RLENGTH)}') || status=1
|
||||||
if [ $? -ne 0 ]; then
|
|
||||||
echo "Specify usable port number or service name"
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
echo $portnum
|
if [ $status -eq 1 ]; then
|
||||||
|
echo "Specify usable port number or service name" && exit
|
||||||
|
else
|
||||||
|
echo "$portnum"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
get_handle(){
|
get_handle(){
|
||||||
local my_handle=$( qvm-run -q -u root -p $1 " nft -a list table $2|awk 'BEGIN{c=0} /$3/{c++; if (c==$4) print \$NF}' " )
|
local my_handle=$( qvm-run -q -u root -p $1 " nft -a list table $2|awk 'BEGIN{c=0} /$3/{c++; if (c==$4) print \$NF}' " )
|
||||||
echo $my_handle
|
echo $my_handle
|
||||||
@ -76,7 +71,7 @@ numhops=${#my_ips[@]}
|
|||||||
lasthop=$((numhops-1))
|
lasthop=$((numhops-1))
|
||||||
local i=1
|
local i=1
|
||||||
iface="eth0"
|
iface="eth0"
|
||||||
qvm-run -q -u root ${my_netvms[$lasthop]} " nft list table nat|grep ' $proto dport $portnum dnat to ${my_ips[$numhops-1]}'"
|
qvm-run -q -u root ${my_netvms[$lasthop]} " nft list table qubes|grep ' $proto dport $portnum dnat to ${my_ips[$numhops-1]}'"
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
echo "Are rules already set?"
|
echo "Are rules already set?"
|
||||||
exit
|
exit
|
||||||
@ -94,11 +89,11 @@ do
|
|||||||
if [ $i -eq $lasthop ]; then
|
if [ $i -eq $lasthop ]; then
|
||||||
iface=$external_iface
|
iface=$external_iface
|
||||||
fi
|
fi
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
|
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule qubes dnat-dns meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
|
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule qubes custom-forward meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
|
||||||
if [ $permanent -eq 1 ]; then
|
if [ $permanent -eq 1 ]; then
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
|
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule qubes dnat-dns PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
|
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule qubes dnat-dns meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
|
||||||
fi
|
fi
|
||||||
((i++))
|
((i++))
|
||||||
done
|
done
|
||||||
@ -117,6 +112,7 @@ iface="eth0"
|
|||||||
echo "Removing firewall rules"
|
echo "Removing firewall rules"
|
||||||
while [ $i -gt 0 ]
|
while [ $i -gt 0 ]
|
||||||
do
|
do
|
||||||
|
echo "${my_netvms[$i]}"
|
||||||
if [ $i -eq 1 ]; then
|
if [ $i -eq 1 ]; then
|
||||||
portnum_used=$external_portnum
|
portnum_used=$external_portnum
|
||||||
portnum_target=$portnum
|
portnum_target=$portnum
|
||||||
@ -124,19 +120,19 @@ do
|
|||||||
portnum_used=$external_portnum
|
portnum_used=$external_portnum
|
||||||
portnum_target=$external_portnum
|
portnum_target=$external_portnum
|
||||||
fi
|
fi
|
||||||
local handle=$( get_handle ${my_netvms[$i]} nat "dport $external_portnum " 1 )
|
local handle=$( get_handle ${my_netvms[$i]} qubes "dport $external_portnum " 1 )
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule nat PR-QBS-SERVICES handle $handle"
|
qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule qubes custom-forward handle $handle"
|
||||||
local handle=$( get_handle ${my_netvms[$i]} filter "dport $external_portnum " 1 )
|
local handle=$( get_handle ${my_netvms[$i]} qubes "dport $external_portnum " 1 )
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule filter QBS-FORWARD handle $handle"
|
qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule qubes dnat-dns handle $handle"
|
||||||
if [ $permanent -eq 1 ]; then
|
if [ $permanent -eq 1 ]; then
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local"
|
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule qubes dnat-dns meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local"
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d' /rw/config/rc.local"
|
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule qubes QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d' /rw/config/rc.local"
|
||||||
fi
|
fi
|
||||||
((i--))
|
((i--))
|
||||||
done
|
done
|
||||||
local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null )
|
local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table qubes 2>/dev/null )
|
||||||
handle=$( get_handle ${my_netvms[$i]} filter "dport $portnum " 1 )
|
handle=$( get_handle ${my_netvms[$i]} qubes "dport $portnum " 1 )
|
||||||
qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule filter INPUT handle $handle
|
qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule qubes custom-input handle $handle
|
||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -160,6 +156,7 @@ while getopts ${optstring} option ; do
|
|||||||
a)
|
a)
|
||||||
auto=1 ;;
|
auto=1 ;;
|
||||||
p)
|
p)
|
||||||
|
exit
|
||||||
permanent=1 ;;
|
permanent=1 ;;
|
||||||
?)
|
?)
|
||||||
get_help ;;
|
get_help ;;
|
||||||
@ -249,17 +246,16 @@ elif [ $1 == "add" ]; then
|
|||||||
ips[$hop]=$ip
|
ips[$hop]=$ip
|
||||||
|
|
||||||
# Create tunnel
|
# Create tunnel
|
||||||
found=$( qvm-run -p -q -u root $qube_name -- nft list table nat 2>/dev/null )
|
found=$( qvm-run -p -q -u root $qube_name -- nft list table qubes 2>/dev/null )
|
||||||
qvm-run -q -u root $qube_name "nft list table filter|grep '$proto dport $portnum accept' "
|
qvm-run -q -u root $qube_name "nft list table qubes|grep '$proto dport $portnum accept' "
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
echo "Input rule in $qube_name already exists"
|
echo "Input rule in $qube_name already exists"
|
||||||
echo "Please check configuration - exiting now."
|
echo "Please check configuration - exiting now."
|
||||||
exit
|
exit
|
||||||
else
|
else
|
||||||
handle=$( get_handle $qube_name filter related,established 1)
|
#handle=$( get_handle $qube_name qubes related,established 1)
|
||||||
qvm-run -q -u root $qube_name -- nft add rule filter INPUT position $handle iifname eth0 $proto dport $portnum accept
|
qvm-run -q -u root $qube_name -- nft add rule qubes custom-input iifname eth0 $proto dport $portnum accept
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
tunnel netvms[@] ips[@]
|
tunnel netvms[@] ips[@]
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
teardown netvms[@] ips[@]
|
teardown netvms[@] ips[@]
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user