29 Nov 2005 uruk-rc 20051129
| 1. | ||
| 2. | ||
| 3. | ||
| 4. | ||
| 5. | ||
| 6. | ||
| 7. | ||
| 8. | ||
| 9. | ||
| 10. | ||
| 11. | ||
| 12. |
uruk-rc - uruk resource file, defining access policy
rc lists IP addresses, allowed to use services.
The simplest valid rc file is
interfaces=This rc file blocks all tcp and udp traffic: this is the default behaviour. The simplest rc file which does allow traffic looks like e.g.:
interfaces=eth0 ip_eth0=192.168.26.27 net_eth0=192.168.0.0/16 services_eth0_tcp=local ports_eth0_tcp_local="0:65535" sources_eth0_tcp_local="0.0.0.0/0" services_eth0_udp=local ports_eth0_udp_local="0:65535" sources_eth0_udp_local="0.0.0.0/0"This rc file allows all traffic. For a more reasonable rc file, look at the well-commented example rc file in /usr/share/doc/uruk/examples/rc.
In rc, there is:
rc_b=$etcdir/bootpwhile the file bootp reads
iptables -A INPUT -m state --state NEW -i eth0 \ --protocol udp --destination-port bootps -j ACCEPT. This enables one to add rules for packets with broadcast addresses in their destination. (Uruk has no support for this in it's regular rc.)
In rc there is:
rc_d=$etcdir/dnswhile the file dns reads
for source in 10.5.0.27 10.56.0.40
do
$iptables -A INPUT -i eth0 --protocol udp \
--source "$source" --source-port domain \
--destination "$ip_eth0" \
--destination-port 30000: -j ACCEPT
done
This allows one to allow (return)traffic, disregarding the state. (Uruk has no
support for this in it's regular rc.)
In rc there is:
rc_a=${etcdir}/nat
while the file nat reads
$iptables -t nat -A POSTROUTING \
--out-interface eth0 -j SNAT \
--to-source $ip_eth0
This allows Network Address Translation. However, beware! Like all extensive
use of hooks, this will break the uruk-save script. If you make sure your
active iptables rules are wiped, and invoke uruk manually to load new rules,
you're save.
For now, you'll have to study the uruk source to find out which hook (there are hooks rc_a, rc_b, ... , rc_i) to use.
If ips_nic is set, e.g. like
ips_eth0="ip0 ip1 ip2"we assume multiple (three in this example) IPs are assigned to eth0. If this variable is not set, behaviour is compatible with Uruk version < 20040213, and only one IP is supported on eth0.
In multiple-IP mode, IP addresses are listed as e.g.
ip_eth0_ip0="137.56.247.16"(If you're used to the Linux ifconfig(8) output, you could use the name ip1 for eth0:1, and ip0 for eth0.) The old-style ports, services and sources variables look like e.g.
services_eth0_ip2_tcp=local ports_eth0_ip2_tcp_local=smtp sources_eth0_ip2_tcp_local=$localnetand, similarly,
net_eth0_ip1=192.168.0.0/16Furthermore, for dropping broadcast packets, specify e.g.
bcasts_eth0="ip0 ip2" # yes, possibly a subset of ips_eth0 bcast_eth0_ip0="10.0.0.255" bcast_eth0_ip2=""10.0.255.255"The interfaces_nocast variable still holds things like eth0 and eth1. Old-style rc files are still valid and behave fully backwards compatible.
Logging
By default, uruk logs denied packets. This is adjustable using the
loglevel variable. The settings are:
| * | "zero": be silent; do not log any packet. rc file features loglevel=10.
| |
| * | "low": log denied packets, which are targetted at one of our IPs.
rc file features loglevel=30.
| |
| * | "medium": log denied non-broadcast packets. This is the default:
loglevel is unset or rc file features loglevel=50.
| |
| * | "fascist": log all packets. rc file features loglevel=90.
|
Debugging
To debug the uruk script, invoke uruk as
sh -x /usr/sbin/urukthis shows what is done, along with executing it. (Like an uruk '-v' option.) (Alternatively, add "set -x" to your rc file.)
If you'd rather prefer not to execute, but just watch what would've been done, invoke uruk as
URUK_IPTABLES='echo iptables' uruk(Like an uruk '-n' option.) If you have this statement set, you can run uruk under a non-priviliged user account. Alternatively, add a
iptables='echo iptables'to your rc file.
If you'd like to test a new rc file before installing it, run something like:
URUK_CONFIG=/path/to/new/uruk/rc/file uruk
Of course, all these tweaks can be combined. See also the notes on loglevel.
| * | "version" Uruk version compatibility of this rc file
| |
| * | "loglevel"
| |
| * | "iptables" Full pathname of iptables executable.
| |
| * | "ip6tables" Full pathname of ip6tables executable.
| |
| * | "interfaces" List of network interfaces.
|
| * | "URUK_CONFIG" Full pathname of rc file
| |
| * | "URUK_IPTABLES" Full pathname of iptables executable. Overrides iptables.
| |
| * | "URUK_IP6TABLES" Full pathname of ip6tables executable. Overrides ip6tables.
|
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html or write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.