I am keeping this page for archival purposes in the hope that the material will be useful to others, but my teaching pages are not actively maintained and external links may break. I do not teach at the Villetaneuse IUT or at Université Sorbonne Paris Nord any longer; please see the home page for my current situation.

[2022: I am going to keep this page in its current state, since some of the scripts used elsewhere on my site may still be useful.
At the time I was teaching, this page was at a different URL. I should have fixed every reference.]

Luca Saiu — temporary or extemporary notes, second page

This is a page for random unorganized notes that I may need to share with others occasionally.

Another similar page is ../teaching-scratch/.

Anything here can change or be removed at any time. If you are interested in some piece of information shared in this page please save a copy for yourself.

Some of the notes below may involve Python, as used for teaching beginner classes.
I do not personally endorse Python except as a first language for absolute beginners, and even in that case not as my preferred first choice.


M1101: iptables

Here is my complete script, which of course does many things that are useless for you. It is rather crude, and not necessarily compatible with Mageia; I myself use a Debian which is not officially stable and is heavily customised.

#!/bin/bash

# Comments and debugging stuff.
###################################################################

# FIXME: this script should be renamed and moved.

# Be verbose and unforgiving of errors.
set -ex


# Definitions.
###################################################################

# Times are in seconds.

# How long to wait before killing services (I want to be reasonably
# sure that they have started).
export before_kill_sleep_time=5

# How long to wait before making network interfaces (I want to be reasonably
# sure that the services have been stopped).
export after_kill_sleep_time=5

# How long to wait after spawning OpenVPN servers in background before I can
# be reasonably sure that their interfaces exist.
export after_openvpn_sleep_time=5

# How long to wait before restarting services (I want to be reasonably
# sure that the interfaces exist; this is probably only a concern for the
# OpenVPN interfaces, which are the only ones set up by background processes).
export before_restart_sleep_time=3


# Wait before killing services.
###################################################################

# Give the debian scripts time to start up services.
sleep "${before_kill_sleep_time}"


# Kill services.
###################################################################

# Kill some servers automatically started by the debian scripts,
# which cannot work correctly before their network interfaces exist.


# Define the service names in a variable, to be used here to stop
# services and later to restart them.
# Do not include OpenVPN here: we start it in a special way, not using
# the debian scripts at all.
export services="tor bitlbee mumble-server rpcbind nfs-common nfs-kernel-server apache2 proftpd postfix dovecot "

# The SSH server is more delicate.  Make it easy to disable until everything
# is well tested.
#  services="$services ssh"

# Stop all the services plus OpenVPN.
for service in ${services} openvpn; do
    service "${service}" stop || true
done
killall openvpn &> /dev/null || true
sleep 1
killall -KILL openvpn &> /dev/null || true


# Wait before making network interfaces.
###################################################################

# Give the debian scripts time to kill services before setting up
# my custom network interfaces.
sleep "${after_kill_sleep_time}"


# Reset iptables.
###################################################################

# Reset iptables.  I want to be able to run this script multiple
# times in an idempotent way.  Note that -F (flush rules), -X (delete
# user-defined chains) and -Z (zero counters) do not touch the default
# policies of the built-in chains: those stay whatever they were before.
iptables -Z
iptables -F
iptables -X
for table in filter nat mangle; do
    iptables -t "${table}" -F
    iptables -t "${table}" -X
    iptables -t "${table}" -Z
done

# Route thru this host.  Is this still needed?  It does no harm anyway.
echo 1 > /proc/sys/net/ipv4/ip_forward


# OpenVPN.
###################################################################

# Setup the master tun interface.
tunctl -3 -t tun-multivpn
ifconfig tun-multivpn 10.109.80.1 up

# Set up masquerading.
iptables -t nat -A POSTROUTING -s 10.109.0.0/16 -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun-multivpn -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun-multivpn -o eth0 -j ACCEPT

# Fire up all the servers.
cd /openvpn
for openvpn_configuration in server-on-*.conf; do
    nohup openvpn "${openvpn_configuration}" &
done

# Give the servers some time to start.
sleep "${after_openvpn_sleep_time}"


# Tor.
###################################################################

# This is very delicate because of the bandwidth limitation.

# Delete and remake the master network interfaces for Tor.
tunctl -d tun-tor || true
route del -net 10.20.20.0 netmask 255.255.255.0 || true
tunctl -t tun-tor
ifconfig tun-tor 10.20.20.1 netmask 255.255.255.0 up

# FIXME: is this redundant?
# route add -net 10.20.20.0 netmask 255.255.255.0 gw 82.221.139.190 tun-tor

iptables -t nat -A PREROUTING --destination 82.221.139.190 \
         -j DNAT --to-destination 10.20.20.1
iptables -t nat -A POSTROUTING --source 10.20.20.1 \
         -j SNAT --to-source 82.221.139.190

# The HTTP service showing the small web page describing my GNUnet and Tor
# nodes is not subject to bandwidth limitation.  I always serve requests to
# HTTP ports immediately.  Do the same for Tor directory requests.
iptables -t filter -A OUTPUT -m multiport --protocol tcp \
         --source 10.20.20.1 --sport 80,443,9030 \
         -j ACCEPT -v

# # Limit bandwidth on every other port.
# bandwidth=12

# FIXME: this is safe and tested, but probably too conservative. [Possibly it isn't]
# bandwidth=13

#bandwidth=14
bandwidth=15


# FIXME: likely still too high.
# bandwidth=16
# bandwidth=20

# FIXME: almost certainly too high.
# bandwidth=26

unit='kb/s'
iptables -t filter -A OUTPUT -m hashlimit \
         --hashlimit-above "${bandwidth}${unit}" \
         --hashlimit-burst="$((${bandwidth} * 10))${unit}" \
         --hashlimit-mode srcip \
         --source 10.20.20.1 \
         --hashlimit-name tor \
         --hashlimit-htable-expire 1000 \
         --hashlimit-htable-gcinterval 1000 \
         -j DROP -v


# Wait before restarting services.
###################################################################

# Wait until I can be reasonably sure that the interfaces are up.
sleep "${before_restart_sleep_time}"


# Use IPTables to ignore packets on certain ports.
###################################################################

# This is the VPN network: 10.109.80.0/24
# Portmap and NFS.
for p in 111 2049; do
  # Drop every TCP connection not within the VPN.
  iptables -A INPUT -p tcp \
    ! --destination 10.109.80.0/24 --dport "${p}" -j DROP
  # Do the same for UDP traffic.
  iptables -A INPUT -p udp \
    ! --destination 10.109.80.0/24 --dport "${p}" -j DROP
done



# Restart killed services.
###################################################################

# Start all the services we killed before, except for OpenVPN which we
# have started already.  Use "restart" instead of "start", just in case
# I didn't kill something correctly before because of timing issues.
for service in ${services}; do
    service "${service}" restart || true
done


# Done.
###################################################################

echo "Still alive at the end of $0 ."
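An added checker (not part of the script above, and a hypothetical helper of my own) for the "VPN only" part: it confirms that the DROP rules for portmap (111) and NFS (2049) actually reached the INPUT chain, for TCP and UDP alike, by looking for them in iptables-save output. The sample dumps are constructed so that it runs offline; on the real host you would pass it "$(iptables-save -t filter)".

```shell
#!/bin/sh
# Verify that every VPN-only DROP rule from the script is present.
# Argument: the text of "iptables-save -t filter".  Returns 0 when all
# four rules are there, 1 (listing the missing ones on stderr) otherwise.
check_vpn_only_rules() {
    rules=$1
    missing=""
    for proto in tcp udp; do
        for port in 111 2049; do
            # This is how iptables-save renders the rule appended by
            #   iptables -A INPUT -p $proto ! --destination 10.109.80.0/24 --dport $port -j DROP
            # (addresses first, then the protocol and its match module).
            want="-A INPUT ! -d 10.109.80.0/24 -p ${proto} -m ${proto} --dport ${port} -j DROP"
            if ! printf '%s\n' "$rules" | grep -qxF -e "$want"; then
                missing="${missing} ${proto}/${port}"
            fi
        done
    done
    if [ -n "$missing" ]; then
        echo "missing VPN-only DROP rules for:${missing}" >&2
        return 1
    fi
    echo "all VPN-only DROP rules present"
    return 0
}

# Constructed sample dump (not captured from a real host) as the script
# would leave the filter table, with the default policies still ACCEPT.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -d 10.109.80.0/24 -p tcp -m tcp --dport 111 -j DROP
-A INPUT ! -d 10.109.80.0/24 -p udp -m udp --dport 111 -j DROP
-A INPUT ! -d 10.109.80.0/24 -p tcp -m tcp --dport 2049 -j DROP
-A INPUT ! -d 10.109.80.0/24 -p udp -m udp --dport 2049 -j DROP
COMMIT'
# The same dump with the UDP NFS rule missing, as after a partial rerun.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | grep -v 'udp --dport 2049')

check_vpn_only_rules "$SAMPLE_OK"
check_vpn_only_rules "$SAMPLE_BAD" || echo "the incomplete dump is rejected, as intended"
```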



Luca Saiu
Last modified: 2022-11-26


Copyright © 2018, 2022 Luca Saiu
Verbatim copying and redistribution of this entire page are permitted provided this notice is preserved.