third commit

ivr · ivr · commit 5c7e3b77831a · 2013-07-13T00:37:18.000+04:00
diff --git a/firewall b/firewall
@@ -0,0 +1,212 @@
+#!/bin/sh 
+#
+# 1.1 Internet Configuration.
+#
+
+INET_IP="188.127.232.218"
+INET_IFACE="eth1"
+INET_BROADCAST="188.127.232.255"
+
+#
+# 1.2 Local Area Network configuration.
+#
+
+LAN_IP="10.4.2.4"
+LAN_IP_RANGE="10.0.0.0/8"
+LAN_IFACE="eth0"
+
+
+LO_IFACE="lo"
+LO_IP="127.0.0.1"
+
+VPN_IFACE='tun0'
+VPN_IP='10.197.0.1'
+VPN_IP_RANGE='10.197.0.0/16'
+VPN_REMOTE_RENGE='172.16.0.0/12'
+#
+# 1.5 IPTables Configuration.
+#
+
+IPTABLES="/sbin/iptables"
+
+######
+# 4.1 Filter table
+#
+
+#
+# 4.1.1 Set policies
+#
+
+$IPTABLES -P INPUT DROP
+$IPTABLES -P OUTPUT DROP
+$IPTABLES -P FORWARD DROP
+
+#
+# Create chain for bad tcp packets
+#
+
+$IPTABLES -N bad_tcp_packets
+
+#
+# Create separate chains for ICMP, TCP and UDP to traverse
+#
+
+$IPTABLES -N allowed
+$IPTABLES -N tcp_packets
+$IPTABLES -N udp_packets
+$IPTABLES -N icmp_packets
+
+#
+# bad_tcp_packets chain
+#
+
+$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
+-m state --state NEW -j REJECT --reject-with tcp-reset 
+$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
+--log-prefix "New not syn:"
+$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
+
+#
+# allowed chain
+#
+
+$IPTABLES -A allowed -p TCP --syn -j ACCEPT
+$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A allowed -p TCP -j DROP
+
+#
+# TCP rules allowed TCP incoming connections
+#
+
+$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 12456 -j allowed
+
+#
+# UDP ports
+#
+$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 12457 -j ACCEPT
+$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 1194 -j ACCEPT
+
+#
+# ICMP rules
+#
+
+$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
+$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
+
+#
+# 4.1.4 INPUT chain
+#
+
+#
+# Bad TCP packets we don't want.
+#
+
+$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
+
+#
+# Rules for special networks not part of the Internet
+#
+
+$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
+$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
+$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
+$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
+$IPTABLES -A INPUT -p ALL -i $VPN_IFACE -s $VPN_IP_RANGE -j ACCEPT
+$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $VPN_IP_RANGE -j ACCEPT
+$IPTABLES -A INPUT -p ALL -i $VPN_IFACE -s $VPN_REMOTE_RENGE -j ACCEPT
+#
+# Rules for incoming packets from the internet.
+#
+
+$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
+$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
+$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
+
+
+#
+# Log weird packets that don't match the above.
+#
+
+#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+#--log-level DEBUG --log-prefix "IPT INPUT packet died: "
+
+#
+# 4.1.5 FORWARD chain
+#
+
+#
+# Bad TCP packets we don't want
+#
+
+$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
+
+#
+# Accept the packets we actually want to forward
+#
+$IPTABLES -A FORWARD -i $VPN_IFACE -j ACCEPT
+$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
+$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#
+# Log weird packets that don't match the above.
+#
+
+#$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
+#--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
+
+#
+# 4.1.6 OUTPUT chain
+#
+
+#
+# Bad TCP packets we don't want.
+#
+
+$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
+
+#
+# Special OUTPUT rules to decide which IP's to allow.
+#
+
+$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
+$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
+$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
+$IPTABLES -A OUTPUT -p ALL -s $VPN_IP -j ACCEPT
+
+#
+# Log weird packets that don't match the above.
+#
+
+#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+#--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
+
+######
+# 4.2 nat table
+#
+
+
+#
+# Enable simple IP Forwarding and Network Address Translation
+#
+
+$IPTABLES -t nat -A POSTROUTING -o $LAN_IFACE -j SNAT --to-source $LAN_IP
+#
+# 4.2.6 OUTPUT chain
+#
+
+######
+# 4.3 mangle table
+#
+
+###########################################################################
+#
+# 3. /proc set up.
+#
+
+#
+# 3.1 Required proc configuration
+#
+
+#echo "1" > /proc/sys/net/ipv4/ip_forward
+
diff --git a/image-updater.sh b/image-updater.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+chck_alive ()
+{
+	if ping -c 1 -W 3 $1 &>/dev/null ; then
+		return 0
+	else
+		return 1
+	fi
+}
+
+declare -r image_name=$1
+declare -r OIFS=$IFS
+declare -r script_name="$0"
+declare -r script_dir="$( cd -P "$( dirname "$script_name" )" && pwd )"
+
+[[ -f "/srv/http/img/${image_name}" ]] || echo "file not found /srv/http/img/${image_name}" 
+
+sed -n '/#START_CLIENT_SUBNETS#/,/#END_CLIENT_SUBNETS#/p' /etc/openvpn/server.conf | \
+grep -v "CLIENT_SUBNETS" | \
+while read -r line ; do
+	net_ip=$(echo $line | awk '{print $2}')
+	IFS='.' ; ip_arr=($net_ip) ; IFS=$OIFS
+	((  ++ip_arr[3] ))
+	rout_ip=172.${ip_arr[1]}.${ip_arr[2]}.${ip_arr[3]}
+	if chck_alive $rout_ip ; then
+		echo -e "router $rout_ip is alive \n\n"
+		#scp "/srv/http/img/${image_name}" "root@${rout_ip}:/mnt/rootfs.squashfs"
+	else
+		echo -e "router $rout_ip is down \n\n"
+	fi
+done
+exit
diff --git a/ntp-time.sh b/ntp-time.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+export lim=5
+
+server1='0.ru.pool.ntp.org'
+server2='1.ru.pool.ntp.org'
+server3='2.ru.pool.ntp.org'
+server4='3.ru.pool.ntp.org'
+
+until ntpdate $server1 || ntpdate $server2 || ntpdate $server3 || ntpdate $server4
+do
+	(( lim = $lim - 1 ))
+	if (( $lim == 0 ))
+	then
+		break
+	fi
+	sleep 5
+done
+
+exit 0
+
diff --git a/speed-test.sh b/speed-test.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+#program takes an address of the network and checks the speed on the first 20 network addresses.
+
+###########
+#functions#
+
+function valid_ip () {
+        IFS='.' ; ip=($1) ; IFS=$OIFS
+        if (( ip[0] == 172 && ip[1] >= 16 && ip[1] <= 31 && ip[2] >= 0 && ip[2] <= 255 && ( ip[3] == 0 || ip[3] == 128 )  )) ; then
+                return 0
+        else
+                return 1
+        fi
+}
+
+OIFS=$IFS
+NET_IP=$1
+US_MES="usage: speed-test 172.16.5.0
+valid ip address is 172.16 - 31.0 - 255.0|128"
+
+#validation ip address
+if ! valid_ip $NET_IP ; then
+	echo "bad ip address $NET_IP"
+	echo "$US_MES"
+	exit 1;
+fi
+
+IFS='.' ; ip=($NET_IP) ; IFS=$OIFS
+(( ip[3] += 3 ))
+(( host_max = ip[3] + 124 ))
+fping -g "${ip[0]}.${ip[1]}.${ip[2]}.${ip[3]}" "${ip[0]}.${ip[1]}.${ip[2]}.$host_max" 2>&1 | grep alive | sed 's/ is alive//g' > /tmp/$$.tmp
+
+for i in $(cat /tmp/$$.tmp | head -n 3) ; do
+	echo "testing speed: $i"
+	iperf -c $i -p 12458 
+	echo ; echo ; echo "############################"
+done
+exit 0
