[Server-devel] iptables generation
Martin Langhoff
martin.langhoff at gmail.com
Mon Aug 24 07:04:38 EDT 2009
Hi Joshua,
Thanks for this! I'll be playing with it today a bit. I think it is
good, though I will make it default to eth0 as the WAN port :-)
cheers,
martin
On Mon, Aug 24, 2009 at 7:29 AM, Joshua N Pritikin<jpritikin at pobox.com> wrote:
> On Tue, Aug 11, 2009 at 10:15:39PM +0530, Joshua N Pritikin wrote:
>> On Tue, Aug 11, 2009 at 11:45:15AM +0530, Joshua N Pritikin wrote:
>> > + if re.match('@@MASQ@@', line):
>> > + print '-A POSTROUTING -o %s -j MASQUERADE' % wan
>>
>> This is dumb. I'll try to fix the patch tomorrow to substitute only
>> @@WAN@@. Or do you really want this written in sed? (I never even
>> learned sed.)
>
> ---
> sysconfig/iptables-config | 7 +----
> sysconfig/olpc-scripts/gen-iptables | 37 +++++++++++++++++++++++++++++++++
> sysconfig/olpc-scripts/iptables-xs.in | 12 ++++++++++
> sysconfig/xs_wan_device | 1 +
> 4 files changed, 52 insertions(+), 5 deletions(-)
> create mode 100755 sysconfig/olpc-scripts/gen-iptables
> create mode 100644 sysconfig/olpc-scripts/iptables-xs.in
> create mode 100644 sysconfig/xs_wan_device
>
> diff --git a/sysconfig/iptables-config b/sysconfig/iptables-config
> index 819d809..f22076e 100755
> --- a/sysconfig/iptables-config
> +++ b/sysconfig/iptables-config
> @@ -7,11 +7,8 @@
> ## config settings
> SERVER_NUM=`cat /etc/sysconfig/xs_server_number`
> if [ $SERVER_NUM=1 ];then
> - if [ -e /etc/sysconfig/xs_httpcache_on ]; then
> - IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal.cache
> - else
> - IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal
> - fi
> + IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables-xs
> + /etc/sysconfig/olpc-scripts/gen-iptables > $IPTABLES_DATA
> fi
>
> # Load additional iptables modules (nat helpers)
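Review bot: the added `/etc/sysconfig/olpc-scripts/gen-iptables > $IPTABLES_DATA` truncates the rules file before the generator runs, so any failure in gen-iptables (a Python traceback, a missing template) leaves an empty or partial `$IPTABLES_DATA` that iptables-restore then loads as the live ruleset, with the MASQUERADE rule gone. Write to a temporary file and move it into place only when the generator exits 0, otherwise keep the previous file. The surrounding `if [ $SERVER_NUM=1 ];then` is also a one-argument string test that is true for any non-empty value; if this block is meant to run only on server 1 it should read `if [ "$SERVER_NUM" = 1 ]; then`.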
> diff --git a/sysconfig/olpc-scripts/gen-iptables b/sysconfig/olpc-scripts/gen-iptables
> new file mode 100755
> index 0000000..91b3ade
> --- /dev/null
> +++ b/sysconfig/olpc-scripts/gen-iptables
> @@ -0,0 +1,37 @@
> +#!/usr/bin/python
> +
> +import re;
> +import os;
> +import logging;
> +
> +#sysconfig = './' # for testing
> +sysconfig = '/etc/sysconfig/'
> +
> +wan = 'eth0'
> +try:
> + conf = sysconfig + 'xs_wan_device'
> + file = open(conf)
> + wan = file.readline()
> + wan = re.sub(r'\s$', '', wan)
> +except IOError:
> + logging.warning(conf + " not found, assuming "+wan)
> +
> +try:
> + conf = sysconfig + 'xs_httpcache_on'
> + os.stat(conf)
> + squid = 1
> +except OSError:
> + squid = 0
> +
> +#print("wan="+wan+" squid=%i" % squid)
> +
> +template = open(sysconfig + 'olpc-scripts/iptables-xs.in')
> +for line in template:
> + if (re.match('@@SQUID@@', line)):
> + if squid:
> + for inf in ('lanbond0', 'mshbond0', 'mshbond1', 'mshbond2'):
> + print '-A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 3128' % inf
> + else:
> + line = line.rstrip()
> + line = re.sub(r'\@\@WAN\@\@', wan, line)
> + print(line)
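Review bot: `wan` is read from `xs_wan_device` and substituted straight into the `-o @@WAN@@ -j MASQUERADE` rule without validation, so an empty or malformed file yields `-o  -j MASQUERADE` and iptables-restore rejects the whole nat table; check that the value is non-empty and looks like an interface name (for example `re.match(r'^[A-Za-z0-9_.:-]+$', wan)`) and fall back to the default with a warning otherwise. `re.sub(r'\s$', '', wan)` strips only a single trailing whitespace character, so `ppp0\r\n` or a trailing space still breaks the rule; `wan.rstrip()` covers those. Smaller points: `file = open(conf)` shadows the `file` builtin and is never closed, `os.path.exists(conf)` replaces the `os.stat`/`OSError` pair, the `import re;` semicolons are unneeded, and the script mixes `print '...' % inf` with `print(line)`; since stdout is the rules file, anything else printed (such as the commented-out debug line) would corrupt it, so keeping diagnostics on `logging` (stderr) as done here is the right pattern.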
> diff --git a/sysconfig/olpc-scripts/iptables-xs.in b/sysconfig/olpc-scripts/iptables-xs.in
> new file mode 100644
> index 0000000..610fbe4
> --- /dev/null
> +++ b/sysconfig/olpc-scripts/iptables-xs.in
> @@ -0,0 +1,12 @@
> +*nat
> +:PREROUTING ACCEPT [0:0]
> +:POSTROUTING ACCEPT [0:0]
> +:OUTPUT ACCEPT [0:0]
> +@@SQUID@@
> +-A POSTROUTING -o @@WAN@@ -j MASQUERADE
> +COMMIT
> +*filter
> +:INPUT ACCEPT [0:0]
> +:FORWARD ACCEPT [0:0]
> +:OUTPUT ACCEPT [0:0]
> +COMMIT
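Review bot: the `*filter` section is empty with INPUT, FORWARD and OUTPUT all defaulting to ACCEPT, so once this template replaces `iptables.principal` and `iptables.principal.cache` (neither of which appears in this diff) the only rules in effect are the nat ones: everything is forwarded between LAN and WAN and everything is accepted on INPUT. Confirm that the replaced files carried no filter rules, or carry them over into this template. `@@SQUID@@` sits correctly in PREROUTING of the nat table, and `@@WAN@@` is now the only substitution, as promised in the earlier reply.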
> diff --git a/sysconfig/xs_wan_device b/sysconfig/xs_wan_device
> new file mode 100644
> index 0000000..d4398d5
> --- /dev/null
> +++ b/sysconfig/xs_wan_device
> @@ -0,0 +1 @@
> +ppp0
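Review bot: `xs_wan_device` ships with `ppp0` while gen-iptables falls back to `eth0` only when the file is missing, so on any install that includes this file the WAN interface is ppp0 regardless of the script's default. If eth0 is meant to be the default, either change this file's content or leave it out of the package so the fallback applies; either way, document in the file or the script that it must contain exactly one interface name.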
> --
> 1.6.0.6
>
>
--
martin.langhoff at gmail.com
martin at laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff