initial working router

This commit is contained in:
deflax 2018-01-23 15:49:41 +02:00
parent 14f47abc67
commit ce2a1ecb0f
3 changed files with 303 additions and 47 deletions

View file

@ -1,18 +1,284 @@
# frankenrouter.py by afx (c) 2018 deflax.net [42/9073] # frankenrouter.py by afx (c) 2018 deflax.net
import subprocess import subprocess
import requests import requests
import json import json
import datetime import datetime
import os
dburl = 'https://www.datapoint.bg/vmanager/slavetables/1' dburl = 'https://www.datapoint.bg/vmanager/slavetables/1'
clientiface = 'ens19' clientiface = 'ens19'
workscriptpath = '/root/fr-workscripts/'
### ###
def writefile(filename, data):
wr = open(filename, 'w')
wr.write(data)
wr.close()
def bashexec(workfile, data):
today = int(datetime.datetime.now().strftime("%s")) * 1000
script = """
#!/bin/bash
#
# {0} generated at {1}
#
IPT="/sbin/iptables"
SYSCTL="/sbin/sysctl -w"
# Internet Interface
INET_IFACE="ens18"
INET_ORB="87.120.110.11"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
{2}""".format(workfile, today, data)
filename = os.path.join(workscriptpath, workfile + '.sh')
prevfile = os.path.join(workscriptpath, workfile + '-{}'.format(today) + '.bak')
subprocess.call('mv {0} {1}'.format(filename, prevfile), shell=True)
writefile(filename, script)
subprocess.call('chmod +x {}'.format(filename), shell=True)
subprocess.call('{}'.format(filename), shell=True)
def initfw():
data = """
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
# /sbin/modprobe iptable_filter
# /sbin/modprobe iptable_mangle
# /sbin/modprobe iptable_nat
# /sbin/modprobe ipt_LOG
# /sbin/modprobe ipt_limit
# /sbin/modprobe ipt_MASQUERADE
# /sbin/modprobe ipt_owner
# /sbin/modprobe ipt_REJECT
# /sbin/modprobe ipt_mark
# /sbin/modprobe ipt_tcpmss
# /sbin/modprobe multiport
# /sbin/modprobe ipt_state
# /sbin/modprobe ipt_unclean
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
#if [ "$SYSCTL" = "" ]
#then
# echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#else
# $SYSCTL net.ipv4.conf.all.log_martians="1"
#fi
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
#DEFAULT
#$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG --log-prefix "fp=bad_packets:2 a=DROP "
#$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
#$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
#$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
#$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
### ICMP
#$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
#$IPT -A icmp_packets --fragment -p ICMP -j DROP
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#$IPT -A icmp_packets -p ICMP -j RETURN
$IPT -A icmp_packets -p ICMP -j ACCEPT
#LOCAL
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 60022 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
###############################################################################
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
#INPUT index: 3
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
echo "Process FORWARD chain ..."
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -i $INET_IFACE -j ACCEPT
#FORWARD index: 3
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
echo "Process OUTPUT chain ..."
#$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
#OUTPUT index: 3
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
###############################################################################
#$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
"""
return data
def setvlans(clientiface, vlanmin=120, vlanmax=130):
#vlans
data = ''
for vlanid in range(vlanmin, vlanmax, 1):
dhcpconf_template = """
#dhcpd.conf autogenerated by frankenrouter
authoritative;
default-lease-time 3600;
max-lease-time 7200;
ddns-update-style none;
option subnet-mask 255.255.255.0;
option domain-name-servers 87.120.110.2, 8.8.8.8;
#vlan {0}
host vlan{0}-vm {{
hardware ethernet 8A:32:CD:E4:EE:11;
fixed-address 10.0.{0}.10;
}}
subnet 10.0.{0}.0 netmask 255.255.255.0 {{
option routers 10.0.{0}.1;
range 10.0.{0}.11 10.0.{0}.99;
}}
""".format(vlanid)
writefile('/root/fr-vlanconf/v{0}.dhconf'.format(vlanid), dhcpconf_template)
data += """
### VLAN {0}
echo "setting up vlan: {0}"
kill -9 `cat /root/fr-vlanconf/v{0}.dhpid`
rm /root/fr-vlanconf/v{0}.dhpid
ip link del {1}.{0}
ip link add link {1} name {1}.{0} type vlan id {0}
ip link set dev {1}.{0} up
ip addr add 10.0.{0}.1/24 dev {1}.{0}
$IPT -I INPUT 3 -p ALL -i {1}.{0} -d 10.0.{0}.255 -j ACCEPT
$IPT -I INPUT 3 -p ALL -i {1}.{0} -s 10.0.{0}.0/24 -j ACCEPT
#$IPT -I FORWARD 3 -p ALL -i {1}.{0} -j ACCEPT
#$IPT -I FORWARD 3 -p ALL -i $INET_IFACE -o {1}.{0} -d 10.0.{0}.10 -m state --state NEW -j ACCEPT
$IPT -I FORWARD 3 -p ALL -i {1}.{0} -o $INET_IFACE -s 10.0.{0}.10 -j ACCEPT
$IPT -I OUTPUT 3 -p ALL -o {1}.{0} -j ACCEPT
touch /root/fr-vlanconf/v{0}.dhpid
touch /root/fr-vlanconf/v{0}.dhlease
dhcpd -4 -cf /root/fr-vlanconf/v{0}.dhconf -lf /root/fr-vlanconf/v{0}.dhlease -pf /root/fr-vlanconf/v{0}.dhpid {1}.{0}
""".format(vlanid, clientiface)
return data
def setpubips(): def setpubips():
db_result = requests.get(dburl, headers={"content-type": "application/json"}, ti db_result = requests.get(dburl, headers={"content-type": "application/json"}, timeout=30 )
meout=30 )
proxjson = db_result.json() proxjson = db_result.json()
for key, value in proxjson['addresses'].items(): for key, value in proxjson['addresses'].items():
pass pass
@ -21,47 +287,32 @@ meout=30 )
#data += 'iptables -P FORWARD -j ACCEPT -i ' #data += 'iptables -P FORWARD -j ACCEPT -i '
data = """ data = """
ip addr add 87.120.110.43/24 dev $PUBIF label $PUBIF:0 ip link add vtap122 link $INET_IFACE type macvlan
ip addr add 87.120.110.44/24 dev $PUBIF label $PUBIF:1 ip addr add 87.120.110.41/24 dev vtap122
ip addr add 87.120.110.45/24 dev $PUBIF label $PUBIF:2 ip link set dev vtap122 up
""" $IPT -t nat -A PREROUTING -d 87.120.110.41 -j DNAT --to-destination 10.0.122.10
$IPT -t nat -A POSTROUTING -s 10.0.122.10 -j SNAT --to-source 87.120.110.41
ip link add vtap120 link $INET_IFACE type macvlan
ip addr add 87.120.110.43/24 dev vtap120
ip link set dev vtap120 up
$IPT -t nat -A PREROUTING -d 87.120.110.43 -j DNAT --to-destination 10.0.120.10
$IPT -t nat -A POSTROUTING -s 10.0.120.10 -j SNAT --to-source 87.120.110.43
ip link add vtap121 link $INET_IFACE type macvlan
ip addr add 87.120.110.44/24 dev vtap121
ip link set dev vtap121 up
$IPT -t nat -A PREROUTING -d 87.120.110.44 -j DNAT --to-destination 10.0.121.10
$IPT -t nat -A POSTROUTING -s 10.0.121.10 -j SNAT --to-source 87.120.110.44
"""
return data return data
def setvlans(vlanmin=101, vlanmax=200, clientiface)
#vlans
data = ''
for vlanid in range(vlanmin, vlanmax, 1):
data += """
kill -9 `cat /root/vlanconf/v{0}.dhpid`
rm /root/vlanconf/v{0}.dhpid
ip link del {1}.{0}
ip link add link {1} name {1}.{0} type vlan id {0}
ip link set dev {1}.{0} up
ip addr add 10.0.{0}.1/24 dev {1}.{0}
touch /root/vlanconf/v{0}.dhlease
dhcpd -4 -cf /root/vlanconf/v{0}.dhconf -lf /root/vlanconf/v{0}.dhlease -pf /root/vl
anconf/v{0}.dhpid {1}.{0}
""".format(vlanid, clientiface)
return data
def bashexec(workfile, data)
script = """
#!/bin/bash
#
# {0} generated at {1}
#
{2}""".format(workfile, datetime.datetime.now(), data)
wr = open(workfile, 'w')
wr.write(data)
wr.close()
subprocess.call('chmod +x {}'.format(workfile), shell=True)
subprocess.call('./{}'.format(workfile), shell=True)
def routerinit(): def routerinit():
bashexec('globalfwconfig.sh', setglobalfw()) bashexec('fwfconfig', initfw())
bashexec('vlanconfig.sh', setvlans()) bashexec('vlfconfig', setvlans(clientiface))
bashexec('pubipconfig.sh', setpubips()) bashexec('ipfconfig', setpubips())
if __name__ == "__main__": if __name__ == "__main__":
routerinit() routerinit()

View file

@ -2,8 +2,10 @@
Description=Slave FW Autostarter Description=Slave FW Autostarter
[Service] [Service]
Type=oneshot WorkingDirectory=/root/
ExecStart=/root/slavefw.sh Type=forking
ExecStart=/bin/bash /root/frankenrouter/slavefw.sh
KillMode=process
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

9
slavefw.sh Normal file → Executable file
View file

@ -1,11 +1,14 @@
#!/bin/bash #!/bin/bash
PUBIF=ens18 PUBIF=ens18
TRANSPORT_IP="1.2.3.252/24" TRANSPORT_IP="87.120.110.252/24"
TRANSPORT_GW="1.2.3.1" TRANSPORT_GW="87.120.110.1"
mkdir -p /root/fr-vlanconf
mkdir -p /root/fr-workscripts
ip addr add $TRANSPORT_IP dev $PUBIF ip addr add $TRANSPORT_IP dev $PUBIF
sleep 5 sleep 5
ip route add default via $TRANSPORT_GW ip route add default via $TRANSPORT_GW
python3 /root/frankenrouter.py python3 /root/frankenrouter.py