30 Mar 2008 uruk-rc 20080330
| 1. | ||
| 2. | ||
| 3. | ||
| 4. | ||
| 5. | ||
| 6. | ||
| 7. | ||
| 8. | ||
| 9. | ||
| 10. | ||
| 11. | ||
| 12. | ||
| 13. |
uruk-rc - uruk resource file, defining access policy
rc lists IP addresses, allowed to use services.
interfaces=eth0 ip_eth0=192.168.26.27 net_eth0=192.168.0.0/16 services_eth0_tcp=local ports_eth0_tcp_local="0:65535" sources_eth0_tcp_local="0.0.0.0/0" services_eth0_udp=local ports_eth0_udp_local="0:65535" sources_eth0_udp_local="0.0.0.0/0"This rc file allows all UDP and TCP traffic from publicly routable IPs to eth0's IP. For a more reasonable rc file, look at the well-commented example rc file in /usr/share/doc/uruk/examples/rc.
allowing broadcasts
In rc, there is:
rc_b=$etcdir/bootpwhile the file bootp reads
iptables -A INPUT -m state --state NEW -i eth0 \ --protocol udp --destination-port bootps -j ACCEPT. This enables one to add rules for packets with broadcast addresses in their destination. (Uruk has no support for this in it's regular rc.)
allowing non-matching returntraffic
In rc there is:
rc_d=$etcdir/dnswhile the file dns reads
for source in 10.5.0.27 10.56.0.40
do
$iptables -A INPUT -i eth0 --protocol udp \
--source "$source" --source-port domain \
--destination "$ip_eth0" \
--destination-port 30000: -j ACCEPT
done
This allows one to allow (return)traffic, disregarding the state. (Uruk has no
support for this in it's regular rc.)
allowing NAT
In rc there is:
rc_a=${etcdir}/nat
while the file nat reads
$iptables -t nat -A POSTROUTING \
--out-interface eth0 -j SNAT \
--to-source $ip_eth0
This allows Network Address Translation. However, beware! Like all extensive
use of hooks, this will break the uruk-save script. If you make sure your
active iptables rules are wiped, and invoke uruk manually to load new rules,
you're safe. Using the init-script with it's default settings is safe too.
allowing any traffic on an interface
In rc there is:
interfaces_unprotect="lo eth2"This allows any traffic on eth2 (and on lo, the default), including any ICMP packets and packets from any source address.
using multiple hooks at one entry point in the main uruk process
In case rc_a, rc_b, ... , or rc_i does not have a file as its value, but a
directory, all files matching "$rc_x"/*.rc will get sourced. This helps
configuration management in complex situations involving lots of uruk
configuration files for lots of hosts.
See the section "THE GORY DETAILS: uruk INTERNALS" in uruk(8) (or the uruk source) to find out which hook (there are hooks rc_a, rc_b, ... , rc_i) to use.
If ips_nic is set, e.g. like
ips_eth0="ip0 ip1 ip2"we assume multiple (three in this example) IPs are assigned to eth0. If this variable is not set only one IP is supported on eth0.
In multiple-IP mode, IP addresses are listed as e.g.
ip_eth0_ip0="137.56.247.16"(If you're used to the Linux ifconfig(8) output, you could use the name ip1 for eth0:1, and ip0 for eth0.) The ports, services and sources variables look like e.g.
services_eth0_ip2_tcp=local ports_eth0_ip2_tcp_local=smtp sources_eth0_ip2_tcp_local=$localnetand, similarly,
net_eth0_ip1=192.168.0.0/16Furthermore, for dropping broadcast packets, specify e.g.
bcasts_eth0="ip0 ip2" # yes, possibly a subset of ips_eth0 bcast_eth0_ip0="10.0.0.255" bcast_eth0_ip2="10.0.255.255"The interfaces_nocast variable holds things like eth0 and eth1, like in single-IP-per-nic mode.
Logging
By default, uruk logs denied packets. This is adjustable using the
loglevel variable. The settings are:
| • | "zero": be silent; do not log any packet. rc file features loglevel=10.
| |
| • | "low": log denied packets, which are targetted at one of our IPs.
rc file features loglevel=30.
| |
| • | "medium": log denied non-broadcast packets. This is the default:
loglevel is unset or rc file features loglevel=50.
| |
| • | "fascist": log all packets. rc file features loglevel=90.
|
Debugging
To debug the uruk script, invoke uruk as
sh -x /usr/sbin/urukthis shows what is done, along with executing it. (Like an uruk '-v' option.) (Alternatively, add "set -x" to your rc file.)
If you'd rather prefer not to execute, but just watch what would've been done, invoke uruk as
URUK_IPTABLES='echo iptables' uruk(Like an uruk '-n' option.) If you have this statement set, you can run uruk under a non-priviliged user account. Alternatively, add a
iptables='echo iptables'to your rc file.
If you'd like to test a new rc file before installing it, run something like:
URUK_CONFIG=/path/to/new/uruk/rc/file uruk
Of course, all these tweaks can be combined.
| • | "version" Uruk version compatibility of this rc file
| |
| • | "loglevel"
| |
| • | "iptables" Full pathname of iptables executable.
| |
| • | "ip6tables" Full pathname of ip6tables executable.
| |
| • | "interfaces" List of network interfaces.
|
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.