mirror of
https://github.com/unman/shaker.git
synced 2025-01-23 05:01:01 -05:00
8dba49428f
Move to nftables.
271 lines
7.4 KiB
Bash
Executable File
271 lines
7.4 KiB
Bash
Executable File
#!/usr/bin/bash
|
|
|
|
get_help(){
|
|
cat <<HERE
|
|
Allow remote access to a named qube.
|
|
|
|
Syntax: in.sh [-h | [ a|p ]] {add|delete} target {tcp|udp} {port number|service} [external port]
|
|
options:
|
|
h Print this help
|
|
a Auto mode
|
|
p Permanent rules
|
|
|
|
Specify target qube, action, tcp or udp, and target port, separated by spaces.
|
|
The target port can be given by port number or by name (e.g ssh).
|
|
The action should be "add" or "delete".
|
|
For example:
|
|
in add target_qube tcp 80
|
|
in add target_qube tcp ssh
|
|
in delete target_qube tcp https
|
|
|
|
By default, the script will open a port on the final netvm which is the same as the target port.
|
|
It is possible to specify an alternative port:
|
|
in add target_qube tcp ssh 80
|
|
|
|
In auto mode a port will be opened on the FIRST external interface.
|
|
In permanent mode changes to the firewall will be written in each qube to take effect on qube start up.
|
|
|
|
DO NOT use this script for qubes behind a Tor or VPN proxy.
|
|
At a minimum you risk breaking the security of those proxies.
|
|
|
|
HERE
|
|
exit
|
|
}
|
|
|
|
|
|
# Check input port
|
|
check_port(){
|
|
if ! [ "$2" -eq "$2" >& /dev/null ];then
|
|
status=1
|
|
else
|
|
if [ $2 -lt 65536 ]; then
|
|
status=0
|
|
portnum=$2
|
|
else
|
|
status=1
|
|
fi
|
|
fi
|
|
if [ $status -ne 0 ]; then
|
|
if ! grep -q -w ^$2\ /etc/services ; then
|
|
echo "Specify usable port number or service name"
|
|
exit
|
|
else
|
|
portnum=$( getent services $2 |awk '{split($2,a,"/");print a[1]}')
|
|
if [ $? -ne 0 ]; then
|
|
echo "Specify usable port number or service name"
|
|
exit
|
|
fi
|
|
fi
|
|
fi
|
|
echo $portnum
|
|
}
|
|
|
|
|
|
get_handle(){
|
|
local my_handle=$( qvm-run -q -u root -p $1 " nft -a list table $2|awk 'BEGIN{c=0} /$3/{c++; if (c==$4) print \$NF}' " )
|
|
echo $my_handle
|
|
}
|
|
|
|
|
|
#Tunnel through netvms
|
|
tunnel(){
|
|
declare -a my_netvms=("${!1}")
|
|
declare -a my_ips=("${!2}")
|
|
declare -i numhops
|
|
numhops=${#my_ips[@]}
|
|
lasthop=$((numhops-1))
|
|
local i=1
|
|
iface="eth0"
|
|
qvm-run -q -u root ${my_netvms[$lasthop]} " nft list table nat|grep ' $proto dport $portnum dnat to ${my_ips[$numhops-1]}'"
|
|
if [ $? -eq 0 ]; then
|
|
echo "Are rules already set?"
|
|
exit
|
|
fi
|
|
while [ $i -ne $numhops ]
|
|
do
|
|
if [ $i -eq 1 ]; then
|
|
portnum_used=$external_portnum
|
|
portnum_target=$portnum
|
|
else
|
|
portnum_used=$external_portnum
|
|
portnum_target=$external_portnum
|
|
fi
|
|
echo "${my_netvms[$i]} $portnum_used"
|
|
if [ $i -eq $lasthop ]; then
|
|
iface=$external_iface
|
|
fi
|
|
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
|
|
qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
|
|
if [ $permanent -eq 1 ]; then
|
|
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
|
|
qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
|
|
fi
|
|
((i++))
|
|
done
|
|
}
|
|
|
|
|
|
#Teardown - from top netvm down
|
|
teardown(){
|
|
declare -a my_netvms=("${!1}")
|
|
declare -a my_ips=("${!2}")
|
|
declare -i numhops
|
|
numhops=${#my_ips[@]}
|
|
numhops=$((numhops-1))
|
|
local i=$numhops
|
|
iface="eth0"
|
|
echo "Removing firewall rules"
|
|
while [ $i -gt 0 ]
|
|
do
|
|
if [ $i -eq 1 ]; then
|
|
portnum_used=$external_portnum
|
|
portnum_target=$portnum
|
|
else
|
|
portnum_used=$external_portnum
|
|
portnum_target=$external_portnum
|
|
fi
|
|
local handle=$( get_handle ${my_netvms[$i]} nat "dport $external_portnum " 1 )
|
|
qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule nat PR-QBS-SERVICES handle $handle"
|
|
local handle=$( get_handle ${my_netvms[$i]} filter "dport $external_portnum " 1 )
|
|
qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule filter QBS-FORWARD handle $handle"
|
|
if [ $permanent -eq 1 ]; then
|
|
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local"
|
|
qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d' /rw/config/rc.local"
|
|
fi
|
|
((i--))
|
|
done
|
|
local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null )
|
|
handle=$( get_handle ${my_netvms[$i]} filter "dport $portnum " 1 )
|
|
qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule filter INPUT handle $handle
|
|
exit
|
|
}
|
|
|
|
|
|
list(){
|
|
return
|
|
}
|
|
|
|
|
|
## Defaults
|
|
auto=0
|
|
permanent=0
|
|
|
|
## Get options
|
|
optstring=":hap"
|
|
while getopts ${optstring} option ; do
|
|
case $option in
|
|
h)
|
|
get_help
|
|
exit ;;
|
|
a)
|
|
auto=1 ;;
|
|
p)
|
|
permanent=1 ;;
|
|
?)
|
|
get_help ;;
|
|
esac
|
|
done
|
|
shift $((OPTIND -1))
|
|
|
|
## Check inputs
|
|
if [ $# -lt 4 ]; then
|
|
get_help
|
|
fi
|
|
qvm-check -q $2 2>/dev/null
|
|
if [ "$?" -ne 0 ];then
|
|
echo "$2 is not the name of any qube"
|
|
exit
|
|
else
|
|
qube_name=$2
|
|
fi
|
|
if [ "$3" != "tcp" -a "$3" != "udp" ]; then
|
|
echo "Specify tcp or udp"
|
|
exit
|
|
else
|
|
proto=$3
|
|
fi
|
|
portnum=$(check_port $3 $4)
|
|
|
|
if [ $# -eq 5 ]; then
|
|
external_portnum=$(check_port $3 $5)
|
|
else
|
|
external_portnum=$portnum
|
|
fi
|
|
|
|
# Get all netvms
|
|
declare -a netvms
|
|
declare -a ips
|
|
declare -a external_ips
|
|
hop=0
|
|
netvms[$hop]=$qube_name
|
|
IFS='|' read -r netvms[$hop+1] ips[$hop] <<< $(qvm-ls $qube_name --raw-data -O netvm,IP)
|
|
while [ ${netvms[hop+1]} != "-" ]
|
|
do
|
|
((hop++))
|
|
IFS='|' read -r netvms[$hop+1] ips[$hop] <<< $(qvm-ls ${netvms[$hop]} --raw-data -O netvm,IP)
|
|
done
|
|
if [ $1 == "delete" ]; then
|
|
teardown netvms[@] ips[@]
|
|
elif [ $1 == "add" ]; then
|
|
if [ $hop -eq 0 ]; then
|
|
echo "$qube_name is not network connected"
|
|
echo "Cannot set up a tunnel"
|
|
exit
|
|
fi
|
|
|
|
# Check last hop has external IP address
|
|
readarray -t external_ips < <( qvm-run -p ${netvms[$hop]} "ip -4 -o a|grep -wv 'lo\|vif[0-9]*.*'"|awk '{print $2,$4}')
|
|
#readarray -t external_ips < <( qvm-run -p ${netvms[$hop]} "ip -4 -o a|grep -wv 'vif[0-9]'"|awk '{print $2,$4}')
|
|
num_ifs=${#external_ips[@]}
|
|
if [ $num_ifs -eq 1 ]; then
|
|
interface=0
|
|
elif [ $auto -eq 1 ]; then
|
|
interface=0
|
|
elif [ $num_ifs -gt 1 ]; then
|
|
echo "${netvms[$hop]} has more than 1 external interface"
|
|
echo "Which one do you want to use?"
|
|
for i in $(seq $num_ifs)
|
|
do
|
|
echo "$i. ${external_ips[$i-1]}"
|
|
done
|
|
read interface
|
|
if ! [ "$interface" -eq "$interface" ] 2> /dev/null; then
|
|
echo "No such interface"
|
|
exit
|
|
elif [ $interface -gt $num_ifs ] || [ $interface -lt 1 ]; then
|
|
echo "No such interface"
|
|
exit
|
|
fi
|
|
((interface--))
|
|
else
|
|
echo "${netvms[$hop]} does not have an external interface"
|
|
echo "Cannot set up a tunnel"
|
|
exit
|
|
fi
|
|
external_ip=${external_ips[$interface]}
|
|
external_iface="${external_ip%[[:space:]]*}"
|
|
ip="${external_ip#*[0-9]}"
|
|
ip="${ip%%/*}"
|
|
ips[$hop]=$ip
|
|
|
|
# Create tunnel
|
|
found=$( qvm-run -p -q -u root $qube_name -- nft list table nat 2>/dev/null )
|
|
qvm-run -q -u root $qube_name "nft list table filter|grep '$proto dport $portnum accept' "
|
|
if [ $? -eq 0 ]; then
|
|
echo "Input rule in $qube_name already exists"
|
|
echo "Please check configuration - exiting now."
|
|
exit
|
|
else
|
|
handle=$( get_handle $qube_name filter related,established 1)
|
|
qvm-run -q -u root $qube_name -- nft add rule filter INPUT position $handle iifname eth0 $proto dport $portnum accept
|
|
fi
|
|
fi
|
|
tunnel netvms[@] ips[@]
|
|
if [ $? -ne 0 ]; then
|
|
teardown netvms[@] ips[@]
|
|
fi
|
|
else
|
|
get_help
|
|
fi
|
|
|