1 Nov 2007 uruk-rc 20071101
uruk-rc - uruk resource file, defining access policy
The rc file lists which IP addresses are allowed to use which services. A minimal rc file looks like:

    interfaces=eth0
    ip_eth0=192.168.26.27
    net_eth0=192.168.0.0/16
    services_eth0_tcp=local
    ports_eth0_tcp_local="0:65535"
    sources_eth0_tcp_local="0.0.0.0/0"
    services_eth0_udp=local
    ports_eth0_udp_local="0:65535"
    sources_eth0_udp_local="0.0.0.0/0"

This rc file allows all UDP and TCP traffic from any source address (0.0.0.0/0, so publicly routable IPs included) to every port of eth0's IP; it protects nothing. For a more reasonable rc file, look at the well-commented example rc file in /usr/share/doc/uruk/examples/rc.
allowing broadcasts
In rc, there is:

    rc_b=$etcdir/bootp

while the file bootp reads

    $iptables -A INPUT -m state --state NEW -i eth0 \
        --protocol udp --destination-port bootps -j ACCEPT

This enables one to add rules for packets with broadcast addresses in their destination. (Uruk has no support for this in its regular rc.)
allowing non-matching return traffic
In rc there is:

    rc_d=$etcdir/dns

while the file dns reads

    for source in 10.5.0.27 10.56.0.40
    do
        $iptables -A INPUT -i eth0 --protocol udp \
            --source "$source" --source-port domain \
            --destination "$ip_eth0" \
            --destination-port 30000: -j ACCEPT
    done

This allows one to accept (return) traffic regardless of connection state: here, DNS replies from two resolvers to the high ports (30000 and up) a local resolver client uses. Because the rule is stateless, it also admits any packet that merely claims one of those source addresses and source port 53, so keep the source list short. (Uruk has no support for this in its regular rc.)
allowing NAT
In rc there is:

    rc_a=${etcdir}/nat

while the file nat reads

    $iptables -t nat -A POSTROUTING \
        --out-interface eth0 -j SNAT \
        --to-source $ip_eth0

This allows Network Address Translation. However, beware! Like all extensive use of hooks, this will break the uruk-save script. If you make sure your active iptables rules are wiped, and invoke uruk manually to load new rules, you're safe. Using the init script with its default settings is safe too.
allowing any traffic on an interface
In rc there is:

    interfaces_unprotect="lo eth2"

This allows any traffic on eth2 (and on lo, the default), including any ICMP packets and packets from any source address.
See the section "THE GORY DETAILS: uruk INTERNALS" in uruk(8) (or the uruk source) to find out which hook (there are hooks rc_a, rc_b, ... , rc_i) to use.
If ips_nic is set, e.g. like

    ips_eth0="ip0 ip1 ip2"

we assume multiple (three in this example) IPs are assigned to eth0. If this variable is not set, only one IP is supported on eth0.
In multiple-IP mode, IP addresses are listed as e.g.

    ip_eth0_ip0="137.56.247.16"

(If you're used to the Linux ifconfig(8) output, you could use the name ip1 for eth0:1, and ip0 for eth0.) The ports, services and sources variables look like e.g.

    services_eth0_ip2_tcp=local
    ports_eth0_ip2_tcp_local=smtp
    sources_eth0_ip2_tcp_local=$localnet

and, similarly,

    net_eth0_ip1=192.168.0.0/16

Furthermore, for dropping broadcast packets, specify e.g.

    bcasts_eth0="ip0 ip2"   # yes, possibly a subset of ips_eth0
    bcast_eth0_ip0="10.0.0.255"
    bcast_eth0_ip2="10.0.255.255"

The interfaces_nocast variable holds things like eth0 and eth1, like in single-IP-per-nic mode.
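As an added example (not part of uruk or its documentation), the following POSIX sh lint sources an rc file and reports every service reachable from any source address, covering both the single-IP layout of the minimal rc file at the top of this page (services_<nic>_<proto>) and the multiple-IP layout just described (services_<nic>_<ipname>_<proto>). The variable names follow this page; the "any source" spellings it recognises (0.0.0.0/0, 0/0, 0.0.0.0/0.0.0.0), the lint function itself and the sample rc it writes to a temporary file are my own assumptions, not uruk's.

```shell
#!/bin/sh
# Added example, not part of uruk: lint an uruk rc file for services that
# are reachable from any source address. Handles single-IP mode
# (services_<nic>_<proto>) and multiple-IP mode (ips_<nic> set, so the
# variables become services_<nic>_<ipname>_<proto>).
# Assumptions: the rc file is plain sh that only assigns variables (it is
# sourced in a subshell so nothing leaks into the caller), and an
# "any source" entry is spelled 0.0.0.0/0, 0/0 or 0.0.0.0/0.0.0.0.

# Print one line per service open to the world; exit 0 if none, 1 otherwise,
# 2 if the rc file cannot be sourced.
uruk_rc_lint() {
    (
        . "$1" || exit 2
        hits=0
        for nic in $interfaces; do
            # In multiple-IP mode every variable name carries the IP name too.
            eval "ipnames=\${ips_${nic}}"
            if [ -n "$ipnames" ]; then
                keys=""
                for ipname in $ipnames; do keys="$keys ${nic}_${ipname}"; done
            else
                keys=$nic
            fi
            for key in $keys; do
                for proto in tcp udp; do
                    eval "svcs=\${services_${key}_${proto}}"
                    for svc in $svcs; do
                        eval "ports=\${ports_${key}_${proto}_${svc}}"
                        eval "srcs=\${sources_${key}_${proto}_${svc}}"
                        for src in $srcs; do
                            case "$src" in
                            0.0.0.0/0|0/0|0.0.0.0/0.0.0.0)
                                hits=$((hits + 1))
                                if [ "$ports" = "0:65535" ]; then
                                    echo "WIDE OPEN: $key $proto $svc all ports from $src"
                                else
                                    echo "any-source: $key $proto $svc ports=$ports from $src"
                                fi
                                ;;
                            esac
                        done
                    done
                done
            done
        done
        [ "$hits" -eq 0 ]
    )
}

# Constructed sample rc: the wide-open eth0 from this page, plus eth1 in
# multiple-IP mode where only smtp on ip2 is exposed to the world.
demo_rc=$(mktemp) || exit 1
cat > "$demo_rc" <<'EOF'
interfaces="eth0 eth1"
ip_eth0=192.168.26.27
net_eth0=192.168.0.0/16
services_eth0_tcp=local
ports_eth0_tcp_local="0:65535"
sources_eth0_tcp_local="0.0.0.0/0"
services_eth0_udp=local
ports_eth0_udp_local="0:65535"
sources_eth0_udp_local="0.0.0.0/0"
ips_eth1="ip0 ip2"
ip_eth1_ip0="137.56.247.16"
ip_eth1_ip2="137.56.247.18"
localnet=137.56.0.0/16
services_eth1_ip2_tcp="local smtp"
ports_eth1_ip2_tcp_local=ssh
sources_eth1_ip2_tcp_local=$localnet
ports_eth1_ip2_tcp_smtp=smtp
sources_eth1_ip2_tcp_smtp="0.0.0.0/0"
EOF
uruk_rc_lint "$demo_rc" || echo "rc exposes services to the whole Internet"
rm -f "$demo_rc"
```

Run it against a candidate rc before pointing URUK_CONFIG at it; a non-zero exit means at least one service is reachable from 0.0.0.0/0, and the "WIDE OPEN" lines are the ones where the whole port range is exposed as well.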
Logging
By default, uruk logs denied packets. This is adjustable using the loglevel variable. The settings are:

  * "zero": be silent; do not log any packet. rc file features loglevel=10.
  * "low": log denied packets which are targeted at one of our IPs. rc file features loglevel=30.
  * "medium": log denied non-broadcast packets. This is the default: loglevel is unset or rc file features loglevel=50.
  * "fascist": log all packets. rc file features loglevel=90.
Debugging
To debug the uruk script, invoke uruk as

    sh -x /usr/sbin/uruk

This shows what is done, along with executing it. (Like an uruk '-v' option.) (Alternatively, add "set -x" to your rc file.)
If you'd rather not execute, but just watch what would have been done, invoke uruk as

    URUK_IPTABLES='echo iptables' uruk

(Like an uruk '-n' option.) With this set, you can run uruk under a non-privileged user account. Alternatively, add

    iptables='echo iptables'

to your rc file. Note that this dry run only covers rules issued through $iptables; a hook file that calls iptables directly will still load its rules for real.
If you'd like to test a new rc file before installing it, run something like:

    URUK_CONFIG=/path/to/new/uruk/rc/file uruk

Of course, all these tweaks can be combined.
  * "version": Uruk version compatibility of this rc file.
  * "loglevel": log level; see Logging above.
  * "iptables": Full pathname of iptables executable.
  * "ip6tables": Full pathname of ip6tables executable.
  * "interfaces": List of network interfaces.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.