diff --git a/README.rst b/README.rst index efc0fcf..1b3c405 100644 --- a/README.rst +++ b/README.rst @@ -86,7 +86,10 @@ Currently all web traffic (ie, ports 80 and 443) is routed over virtual network links to an "exit" peer (although other ports may be added/dropped in future releases). In adhoc mode, the default network rules allow all traffic, however, only the ports above are automatically routed over FPN -network links. **Do** use ``https`` for everything (*especially* anything +network links. In peer mode *no* other TCP/UDP traffic is allowed between +peers *except* the routed ports above. + +The general advice is: **do** use ``https`` for everything (*especially* anything sensitive/private) and **don't** use ``http`` for anything. At all. Period. * adhoc mode - *you* own the network link and the peers diff --git a/bin/fpn0-down.sh b/bin/fpn0-down.sh index c2cb0b5..5596a0f 100755 --- a/bin/fpn0-down.sh +++ b/bin/fpn0-down.sh @@ -19,8 +19,15 @@ exec 2> >(tee -ia /tmp/fpn0-down-${DATE}_error.log) #VERBOSE="anything" -# set allowed ports -ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u" +# set allowed ports (still TBD)) +ports_to_fwd="http https domain submission imaps ircs ircs-u" + +[[ -n $VERBOSE ]] && echo "Checking iptables binary..." +IPTABLES=$(which iptables) +HAS_LEGACY=$(which iptables-legacy) +if [[ -n $HAS_LEGACY ]]; then + IPTABLES="${HAS_LEGACY}" +fi [[ -n $VERBOSE ]] && echo "Checking kernel rp_filter setting..." RP_NEED="1" 
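Review bot: The new `IPTABLES=$(which iptables)` lookup is never checked, so on a host where neither binary resolves `$IPTABLES` expands to nothing and each later rule line runs `-D POSTROUTING ...` as the command name, failing with a confusing error rather than a clear one. A fail-fast lookup covers both backends in one line: `IPTABLES=$(command -v iptables-legacy || command -v iptables) || { echo "iptables not found" >&2; exit 1; }` (or log and skip the rule section if a down script is meant to stay best-effort). `command -v` is also the POSIX spelling; `which` is an external tool that is absent on some minimal images. The comment `# set allowed ports (still TBD))` has an unbalanced parenthesis.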
@@ -103,11 +110,11 @@ if [[ -n $VERBOSE ]]; then fi [[ -n $VERBOSE ]] && echo "Deleting nat and mangle rules..." -iptables -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS} -iptables -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS} +$IPTABLES -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS} +$IPTABLES -D POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS} -iptables -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1 -iptables -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1 +$IPTABLES -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1 +$IPTABLES -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1 [[ -n $VERBOSE ]] && echo "" if ((failures < 1)); then diff --git a/bin/fpn0-setup.sh b/bin/fpn0-setup.sh index e99b269..bd40f1d 100755 --- a/bin/fpn0-setup.sh +++ b/bin/fpn0-setup.sh @@ -25,15 +25,15 @@ exec 2> >(tee -ia /tmp/fpn0-setup-${DATE}_error.log) #VERBOSE="anything" -# set allowed ports -ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u" - -#ZT_UP=$(/etc/init.d/zerotier status | grep -o started) -#if [[ $ZT_UP != "started" ]]; then - #echo "FPN zerotier service is not running!!" - #echo "Please start the zerotier service and re-run this script." - #exit 1 -#fi +# set allowed ports (still TBD)) +ports_to_fwd="http https domain submission imaps ircs ircs-u" + +[[ -n $VERBOSE ]] && echo "Checking iptables binary..." +IPTABLES=$(which iptables) +HAS_LEGACY=$(which iptables-legacy) +if [[ -n $HAS_LEGACY ]]; then + IPTABLES="${HAS_LEGACY}" +fi [[ -n $VERBOSE ]] && echo "Checking kernel rp_filter setting..." RP_NEED="2" 
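Review bot: The four `$IPTABLES -D` lines discard their exit status, so a delete that does not match (for example because `${INET_ADDRESS}` or `${ZT_ADDRESS}` now differ from the values used at setup) leaves the MARK or SNAT rule installed while the script still reports success via `if ((failures < 1))`, unless `failures` is incremented elsewhere. Appending `|| ((failures++))` to each line, e.g. `$IPTABLES -D OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1 || ((failures++))`, ties the teardown to the result check that already exists. The variables are unquoted here, unlike in the fpn1 scripts of this same commit; if one is empty the preceding option swallows the next token and the rule silently mismatches, so `"${INET_ADDRESS}"` is the safer form.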
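Review bot: In the setup script an unresolved `$IPTABLES` is worse than in the down script: by the time the first `$IPTABLES -A OUTPUT -t mangle` line runs, `ip rule add fwmark 0x1 table "${TABLE_NAME}"` has already been executed, so the host is left with a policy-routing rule and no marking, a half-applied state that `fpn0-down.sh` may not fully undo. Validate the binary at this point, `[[ -x $IPTABLES ]] || { echo "no usable iptables binary" >&2; exit 1; }`, before any routing state is touched. Preferring `iptables-legacy` when present is reasonable, but it places these rules in the legacy backend while a distro firewall may be managing the same tables through `iptables-nft`; a one-line comment recording that choice would help the next maintainer.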
@@ -122,12 +122,12 @@ ip rule add fwmark 0x1 table "${TABLE_NAME}" sleep 2 # Mark these packets so that ip can route web traffic through fpn0 -iptables -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1 -iptables -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1 +$IPTABLES -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1 +$IPTABLES -A OUTPUT -t mangle -o ${IPV4_INTERFACE} -p tcp --dport 80 -j MARK --set-mark 1 # now rewrite the src-addr using snat -iptables -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS} -iptables -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS} +$IPTABLES -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 443 -j SNAT --to ${ZT_ADDRESS} +$IPTABLES -A POSTROUTING -t nat -s ${INET_ADDRESS} -o ${ZT_INTERFACE} -p tcp --dport 80 -j SNAT --to ${ZT_ADDRESS} [[ -n $VERBOSE ]] && echo "" if ((failures < 1)); then diff --git a/bin/fpn1-down.sh b/bin/fpn1-down.sh index 4bba457..53f7475 100755 --- a/bin/fpn1-down.sh +++ b/bin/fpn1-down.sh 
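Review bot: The mangle and nat rules are added with `-A` and no existence check, so running `fpn0-setup.sh` twice stacks duplicate MARK/SNAT rules and a single `fpn0-down.sh` run (one `-D` per rule) removes only one copy, leaving port 80/443 traffic still marked and SNAT'd after the link is supposedly down. Guard each append with a check, e.g. `$IPTABLES -t mangle -C OUTPUT -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1 2>/dev/null || $IPTABLES -t mangle -A OUTPUT -o ${IPV4_INTERFACE} -p tcp --dport 443 -j MARK --set-mark 1`, or give the FPN rules a dedicated chain that setup flushes and refills. Separately, these rules match IPv4 TCP only; if the host has global IPv6 connectivity, TCP 80/443 over v6 is never marked and leaves via the clear interface, so either an `ip6tables` counterpart or an explicit README statement that routing is IPv4-only is warranted.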
@@ -21,19 +21,15 @@ exec 2> >(tee -ia /tmp/fpn1-setup-${DATE}_error.log) # uncomment for more output #VERBOSE="anything" -# set allowed ports -ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u" - -# uncomment AND set if you have a weird interface name that depends -# on eth0 UP but null, eg, this is needed on espressobin -#ETH0_NULL="lan1" - -#ZT_UP=$(/etc/init.d/zerotier status | grep -o started) -#if [[ $ZT_UP != "started" ]]; then - #echo "FPN zerotier service is not running!!" - #echo "Please start the zerotier service and then re-run this script." - #exit 1 -#fi +# set allowed ports (still TBD)) +ports_to_fwd="http https domain submission imaps ircs ircs-u" + +[[ -n $VERBOSE ]] && echo "Checking iptables binary..." +IPTABLES=$(which iptables) +HAS_LEGACY=$(which iptables-legacy) +if [[ -n $HAS_LEGACY ]]; then + IPTABLES="${HAS_LEGACY}" +fi zt_route_tgts=( $(ip route show | grep zt | cut -d" " -f3) ) num_zt_tgts=${#zt_route_tgts[@]} 
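Review bot: This iptables-binary lookup is now pasted verbatim into four scripts (`fpn0-down.sh`, `fpn0-setup.sh`, `fpn1-down.sh`, `fpn1-setup.sh`), none of which checks that a binary was found, and every `$IPTABLES -D` below runs with an empty command name when neither resolves. Moving the block and the `ports_to_fwd` list into a small sourced helper, e.g. `source "$(dirname "$0")/fpn-common.sh"` providing `find_iptables`, keeps the backend choice in one place; failing that, use `command -v` and exit when `$IPTABLES` is empty. The hunk header also shows this down script redirecting stderr to `/tmp/fpn1-setup-${DATE}_error.log`, which looks like a copy-paste from the setup script. Writing root-owned logs under predictable `/tmp` names is worth revisiting at the same time (a fixed directory such as `/var/log/fpnd/`, or `mktemp`), since `tee -a` will follow a pre-planted path where the kernel's symlink protections are not enabled.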
@@ -105,11 +101,11 @@ fi # setup nat/masq to forward outbound/return traffic [[ -n $VERBOSE ]] && echo "Deleting nat and forwarding rules..." -iptables -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT -iptables -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT -iptables -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT -iptables -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT -iptables -t nat -D POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}" +$IPTABLES -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT +$IPTABLES -D FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT +$IPTABLES -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT +$IPTABLES -D FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT +$IPTABLES -t nat -D POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}" #echo "Leaving FPN1 network..." #zerotier-cli leave "${ZT_SRC_NETID}" diff --git a/bin/fpn1-setup.sh b/bin/fpn1-setup.sh index c07d4e0..9dc3cfe 100755 --- a/bin/fpn1-setup.sh +++ b/bin/fpn1-setup.sh 
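Review bot: `-D` only succeeds when the rule text matches exactly, so if `${INET_ADDRESS}` has changed since setup (DHCP renewal, interface re-up) the `SNAT --to-source "${INET_ADDRESS}"` delete fails silently and the exit node keeps NAT'ing the ZeroTier subnet to the internet under the old rule while the FORWARD rules above it are gone; none of the five lines records a failure. Deleting by current state rather than remembered arguments is more robust, e.g. `$IPTABLES -t nat -S POSTROUTING | grep -- "-s ${ZT_SRC_NET} .* -j SNAT" | sed 's/^-A/-D/' | xargs -r -L1 $IPTABLES -t nat`, or simpler, give the FPN rules their own chains (`FPN_FWD`, `FPN_NAT`) that this script can `-F` and `-X` unconditionally. At minimum append `|| ((failures++))` so a stale rule is reported rather than assumed gone.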
@@ -24,25 +24,15 @@ exec 2> >(tee -ia /tmp/fpn1-setup-${DATE}_error.log) # uncomment for more output #VERBOSE="anything" -# set allowed ports -ports_to_fwd="http https domain ntp ssh submission imaps ircs ircs-u" - -# uncomment AND set if you have a weird interface name that depends -# on eth0 UP but null, eg, this is needed on espressobin -#ETH0_NULL="lan1" - -#DISTRO=$(cat /etc/os-release | grep ^ID= | cut -f2 -d=) -#if [[ $DISTRO == ubuntu || $DISTRO == debian ]]; then - #ZT_UP=$(service zerotier-one status | grep -o active) -#else - #ZT_UP=$(/etc/init.d/zerotier status | grep -o started) -#fi - -#if [[ $ZT_UP != "started" ]]; then - #[[ -n $VERBOSE ]] && echo "FPN zerotier service is not running!!" - #[[ -n $VERBOSE ]] && echo "Please start the zerotier service and then re-run this script." - #exit 1 -#fi +# set allowed ports (still TBD)) +ports_to_fwd="http https domain submission imaps ircs ircs-u" + +[[ -n $VERBOSE ]] && echo "Checking iptables binary..." +IPTABLES=$(which iptables) +HAS_LEGACY=$(which iptables-legacy) +if [[ -n $HAS_LEGACY ]]; then + IPTABLES="${HAS_LEGACY}" +fi zt_route_tgts=( $(ip route show | grep zt | cut -d" " -f3) ) num_zt_tgts=${#zt_route_tgts[@]} 
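Review bot: `which iptables` and `which iptables-legacy` resolve through whatever PATH the invoking root shell carries, and the result is then executed as root to rewrite the FORWARD and nat tables, so the script's behaviour depends on environment it never pins. Set a fixed search path near the top (`PATH=/usr/sbin:/usr/bin:/sbin:/bin`) or check `[[ -x $IPTABLES ]]` before use, and prefer `command -v` over the external `which`. The deleted block also removed the only (already disabled) guard that zerotier was running; with it gone, `zt_route_tgts=( $(ip route show | grep zt | cut -d" " -f3) )` on the next line is the first thing that notices a stopped service, and a bare `grep zt` could also match any other route containing that substring — `grep -w` or an exact interface-name match would be tighter.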
@@ -114,11 +104,11 @@ else fi # setup nat/masq to forward outbound/return traffic -iptables -t nat -A POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}" -iptables -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT -iptables -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT -iptables -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT -iptables -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT +$IPTABLES -t nat -A POSTROUTING -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -j SNAT --to-source "${INET_ADDRESS}" +$IPTABLES -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 80 -j ACCEPT +$IPTABLES -A FORWARD -i "${ZT_INTERFACE}" -o "${IPV4_INTERFACE}" -s "${ZT_SRC_NET}" -p tcp --dport 443 -j ACCEPT +$IPTABLES -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80 -j ACCEPT +$IPTABLES -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 443 -j ACCEPT [[ -n $VERBOSE ]] && echo "" if ((failures < 1)); then diff --git a/etc/fpnd.service b/etc/fpnd.service index 6d1ef25..6f6305d 100644 --- a/etc/fpnd.service +++ b/etc/fpnd.service @@ -5,11 +5,12 @@ After=zerotier-one.service [Service] ExecStart=/usr/lib/fpnd/fpnd.py start -ExecStop=/usr/lib/fpnd/fpnd.py stop +ExecStop=/bin/kill -TERM $MAINPID +KillMode=none PIDFile=/run/fpnd.pid -Type=simple -Restart=on-failure -RestartSec=5 +Type=forking +TimeoutStartSec=5 +TimeoutStopSec=7 [Install] WantedBy=multi-user.target diff --git a/node_tools/node_funcs.py b/node_tools/node_funcs.py index 278089c..4e5be86 100644 --- a/node_tools/node_funcs.py +++ b/node_tools/node_funcs.py 
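Review bot: The two return-path rules `-A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -p tcp --sport 80|443 -j ACCEPT` are stateless: any packet arriving on the internet-facing interface with source port 80 or 443 and a destination inside the ZeroTier subnet is forwarded into the peer network whether or not a peer initiated that connection. Attackers set the source port to 80/443 for exactly this reason, so replace the two sport rules with one conntrack rule, `$IPTABLES -A FORWARD -i "${IPV4_INTERFACE}" -o "${ZT_INTERFACE}" -d "${ZT_SRC_NET}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which also admits ICMP errors for those flows. Whether this is reachable depends on the upstream having a route to `${ZT_SRC_NET}`, which is not visible here, but the rule should not rely on that. These ACCEPTs only restrict anything if the FORWARD policy is DROP; nothing in this hunk sets it, so the intent that only 80/443 is forwarded depends on policy set elsewhere — an explicit `$IPTABLES -P FORWARD DROP` or a comment naming where it is set would make that auditable.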
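Review bot: `KillMode=none` is deprecated by systemd and means that on stop only `ExecStop`'s `kill -TERM $MAINPID` is delivered; any children the daemon has running — presumably including the `fpn*-down.sh` scripts it spawns during cleanup — are left in the cgroup untracked, and if the main process mishandles SIGTERM nothing ever kills it. `KillMode=mixed` keeps the SIGTERM-to-main-process behaviour while still reaping leftovers with SIGKILL after the timeout. `TimeoutStopSec=7` is tight for a stop path that runs iptables teardown and a `zerotier-cli leave`; a SIGKILL mid-teardown leaves routing/NAT rules half removed, so something like `TimeoutStopSec=30` is safer. Dropping `Restart=on-failure` also means a crashed daemon stays down while the rules it installed remain active, a fail-open outcome — if that removal is intentional it deserves a comment in the unit.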
@@ -123,7 +123,8 @@ def do_cleanup(path=None, addr=None): logger.info('CLEANUP: shutting down {}'.format(iface)) cmd = get_net_cmds(path, iface) res = do_net_cmd(cmd) - logger.info('CLEANUP: leaving network ID: {}'.format(state[net])) + logger.info('CLEANUP: {} shutdown returned {}'.format(iface, res)) + # logger.info('CLEANUP: leaving network ID: {}'.format(state[net])) res = run_ztcli_cmd(action='leave', extra=state[net]) logger.debug('CLEANUP: action leave returned: {}'.format(res))
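Review bot: `res` from `do_net_cmd(cmd)` is now logged but still not acted on, so when the interface teardown fails the cleanup proceeds straight to `run_ztcli_cmd(action='leave', ...)` and leaves the ZeroTier network while the routing/NAT rules for that interface may still be installed. If `do_net_cmd` signals failure through its return value (its contract is not visible here), log that at warning level, e.g. `if not res: logger.warning('CLEANUP: %s shutdown failed: %s', iface, res)`, rather than burying it in an `info` line. The commented-out `# logger.info('CLEANUP: leaving network ID: ...')` should be deleted rather than left as dead code, and these calls would conventionally pass lazy `%s` arguments instead of `.format`. `do_cleanup` begins before this hunk, so how `res` was meant to be consumed is not visible from here.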