pbot-vm: consolidate network enable/disable into one script
This commit is contained in:
parent
cc1445be90
commit
111f3bd2e7
@ -1,9 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# disables all incoming, outgoing and forwarded traffic except incoming/established SSH
|
|
||||||
iptables -F
|
|
||||||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
iptables -P INPUT DROP
|
|
||||||
iptables -P FORWARD DROP
|
|
||||||
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
iptables -P OUTPUT DROP
|
|
@ -1,8 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# disables all incoming, outgoing and forwarded traffic except incoming/established SSH
|
|
||||||
nft add table ip filter
|
|
||||||
nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }'
|
|
||||||
nft add chain ip filter OUTPUT '{ type filter hook output priority 0; policy drop; }'
|
|
||||||
nft 'add rule ip filter INPUT ct state related,established counter accept'
|
|
||||||
nft 'add rule ip filter INPUT tcp dport 22 counter accept'
|
|
||||||
nft 'add rule ip filter OUTPUT ct state related,established counter accept'
|
|
@ -1,3 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# removes all iptables rules to re-enable networking
|
|
||||||
iptables -F
|
|
@ -1,3 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# deletes filter table to re-enable networking
|
|
||||||
nft delete table ip filter
|
|
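--- /dev/null
+++ b/applets/pbot-vm/guest/bin/network
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+Usage="$0 <on|off> [iptables|ipt|nftables|nft]"
+
+DefaultMode="iptables"
+
+EnableNetwork() {
+case $1 in
+iptables)
+iptables -F ;;
+nftables)
+nft delete table ip filter ;;
+esac
+}
+
+DisableNetwork() {
+case $1 in
+iptables)
+iptables -F
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -P OUTPUT DROP
+;;
+nftables)
+nft add table ip filter
+nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }'
+nft add chain ip filter OUTPUT '{ type filter hook output priority 0; policy drop; }'
+nft add rule ip filter INPUT ct state related,established counter accept
+nft add rule ip filter INPUT tcp dport 22 counter accept
+nft add rule ip filter OUTPUT ct state related,established counter accept
+;;
+esac
+}
+
+Main() {
+case $1 in
+on|off) ;;
+*)
+echo "Invalid command \`$1\`; usage: $Usage"
+exit 1 ;;
+esac
+
+Toggle="$1"
+
+case $2 in
+iptables|ipt)
+Mode="iptables" ;;
+nftables|nft)
+Mode="nftables" ;;
+"")
+Mode=$DefaultMode ;;
+*)
+echo "Invalid mode \`$2\`; usage: $Usage"
+exit 1 ;;
+esac
+
+case $Toggle in
+"on")
+echo "Enabling networking with $Mode"
+EnableNetwork "$Mode" ;;
+"off")
+echo "Disabling networking with $Mode"
+DisableNetwork "$Mode" ;;
+esac
+}
+
+Main "$@"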
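Review bot: The `iptables)` arm of `EnableNetwork` (`iptables -F ;;`) does not undo what `DisableNetwork` sets up: `-F` flushes the rules but leaves the `-P INPUT DROP`, `-P FORWARD DROP` and `-P OUTPUT DROP` policies in place, so after `network off iptables` followed by `network on iptables` every chain still drops by default and the port-22 ACCEPT rule is gone too, which cuts the SSH session the `off` path is careful to keep. The nftables arm is fine because `nft delete table ip filter` removes the policies together with the table; the iptables arm should reset the three policies to ACCEPT before flushing so the established SSH connection is never dropped in between. Separately, both modes only cover IPv4 (plain `iptables` with no `ip6tables` counterpart, and the nft `ip` family rather than `inet`), so the "off" state still allows IPv6 traffic from the guest; either add the v6 equivalents or document the limitation next to `Usage`. The `iptables`/`nft` exit statuses are also ignored, so a partially failed `off` still prints "Disabling networking with ..." as if it succeeded; `set -e` after the shebang would surface that.
```bash
EnableNetwork() {
    case $1 in
    iptables)
        # restore ACCEPT policies first so the flush never leaves the SSH session unreachable
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -F ;;
    # … unchanged: nftables arm, esac, closing brace …
```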
@ -25,8 +25,8 @@ apt install -y --no-install-recommends default-jre default-jdk
|
|||||||
apt install -y --no-install-recommends libipc-run-perl libjson-xs-perl
|
apt install -y --no-install-recommends libipc-run-perl libjson-xs-perl
|
||||||
|
|
||||||
# disable networking
|
# disable networking
|
||||||
./guest/bin/disable-network-iptables
|
./guest/bin/network off iptables
|
||||||
|
|
||||||
echo 'Networking disabled.'
|
echo 'Networking disabled.'
|
||||||
echo 'To re-enable, run ./guest/bin/enable-networking-iptables'
|
echo 'To re-enable, run ./guest/bin/network on iptables'
|
||||||
echo 'To disable again, run ./guest/bin/disable-network-iptables'
|
echo 'To disable again, run ./guest/bin/network off iptables'
|
||||||
|
@ -22,8 +22,8 @@ zypper -n in --no-recommends clisp gcc-go java java-devel
|
|||||||
zypper -n in perl-IPC-Run perl-JSON-XS
|
zypper -n in perl-IPC-Run perl-JSON-XS
|
||||||
|
|
||||||
# disable networking
|
# disable networking
|
||||||
./guest/bin/disable-network-nftables
|
./guest/bin/network off nftables
|
||||||
|
|
||||||
echo 'Networking disabled.'
|
echo 'Networking disabled.'
|
||||||
echo 'To re-enable, run ./guest/bin/enable-networking-nftables'
|
echo 'To re-enable, run ./guest/bin/network on nftables'
|
||||||
echo 'To disable again, run ./guest/bin/disable-network-nftables'
|
echo 'To disable again, run ./guest/bin/network off nftables'
|
||||||
|
@ -299,8 +299,7 @@ sub main() {
|
|||||||
exit 2;
|
exit 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
print $health "\n";
|
print $health "\n"; # request health
|
||||||
|
|
||||||
|
|
||||||
eval {
|
eval {
|
||||||
alarm 2;
|
alarm 2;
|
||||||
|
@ -25,8 +25,8 @@ use PBot::Imports;
|
|||||||
# These are set by the /misc/update_version script
|
# These are set by the /misc/update_version script
|
||||||
use constant {
|
use constant {
|
||||||
BUILD_NAME => "PBot",
|
BUILD_NAME => "PBot",
|
||||||
BUILD_REVISION => 4747,
|
BUILD_REVISION => 4748,
|
||||||
BUILD_DATE => "2024-04-10",
|
BUILD_DATE => "2024-04-12",
|
||||||
};
|
};
|
||||||
|
|
||||||
sub initialize {}
|
sub initialize {}
|
||||||
|