-#!/bin/sh
+#!/bin/bash
# Filename: terminalserver
# Purpose: Program to do something
# Authors: grml-team (grml.org), (c) Michael Gebetsroither <gebi@grml.org>
SERVICES:
tftp Tftp daemon
dhcp Dhcp daemon
+ ipt Iptables setup (snat for clients)
nfs All necessary nfs daemons
<> ALL services
sleep 1
startDhcp
}
+# }}}
-# make sure tcp/113 is rejected
+# IPTABLES {{{
function runIptables
{
- if [ -x /sbin/iptables ] ; then
- # something keeps answering all tftp requests with auth requests (SYN
- # packets to the client tcp/113). Since the PXE client doesn't answer with
- # RST, the auth query has to wait until it times out. Forbidding the
- # terminalserver to send out packets to tcp/113 via iptables _greatly_
- # speeds up the process. But of course the real fix would be to have grml
- # stop sending out auth queries to tftp clients. according to netstat, it
- # is in.tftpd itself sending out the auth queries.
- # Thanks to Marc Haber and Wolfgang Karall for noticing and current fix.
- if iptables -L | grep -q '^REJECT.*tcp dpt:auth reject-with tcp-reset' ; then
- echo "Rule for tcp/113 already present, nothing to be done."
- else
- echo "Rejecting tcp/113 via iptables to speed up booting via PXE, running:"
- echo -n '* iptables -A OUTPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset ... '
- iptables -A OUTPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset && echo done || echo failed
- fi
- # deactivate Multicast-DNS
- if iptables -L | grep -q '^REJECT.*dpt:mdns reject-with icmp-port-unreachable' ; then
- echo "Rule for udp/5353 already present, nothing to be done."
- else
- echo "Rejecting udp/5353 via iptables for deactivating Multicast-DNS, running:"
- echo -n '* iptables -A OUTPUT -p udp -d 224.0.0.0/8 --dport 5353 -j REJECT ... '
- iptables -A OUTPUT -p udp -d 224.0.0.0/8 --dport 5353 -j REJECT && echo done || echo failed
- fi
- if [ "$NAT_INTERFACE_" != "none" ]; then
+ if [[ $IPTABLES_SNAT_ != "true" ]]; then
+ return
+ fi
+ startIptables
+}
+
+function startIptables
+{
+ if [ -x /sbin/iptables ] ; then
+ if [[ $NAT_INTERFACE_ != "" ]]; then
local nat_source_ip_=`netGetIp "$NAT_INTERFACE_" warn`
if iptables -t nat -vnL POSTROUTING | grep -q "SNAT.*${NAT_INTERFACE_}.*to:${nat_source_ip_}" ; then
echo 1 > /proc/sys/net/ipv4/ip_forward && echo done || echo failed
fi
fi
- else
+ else
warn "iptables executable not avilable"
- fi
+ fi
+}
+
+function stopIptables
+{
+ if [[ $IPTABLES_SNAT_ != "true" ]]; then
+ return
+ fi
+ if [ -x /sbin/iptables ] ; then
+ if [[ $NAT_INTERFACE_ != "" ]]; then
+ local nat_source_ip_=`netGetIp "$NAT_INTERFACE_" warn`
+
+ if iptables -t nat -vnL POSTROUTING | grep -q "SNAT.*${NAT_INTERFACE_}.*to:${nat_source_ip_}" ; then
+ iptables -t nat -F POSTROUTING &>/dev/null && \
+ iptables -t nat -D POSTROUTING -o "$NAT_INTERFACE_" -j SNAT --to-source "$nat_source_ip_"
+ fi
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ fi
+ fi
}
# }}}
/etc/init.d/nfs-common start
# FIXME /etc/init.d/nfs-kernel-server start
$USR_SHARE_/nfs-kernel-server start
+ echo
createNfsConfig
}
echo -n "Starting dhcpd: "
runDhcp && echo done || echo failed
- #runIptables
+ runIptables
echo "Finally starting nfs services..."
- startNfs && echo "Sucessfully finished startup of grml-terminalserver." || echo 'Startup of grml-terminalserver-config failed!'
+ startNfs && echo "Successfully finished startup of grml-terminalserver." || echo 'Startup of grml-terminalserver failed!'
}
function actionStop
{
stopTftp
stopDhcp
+ stopIptables
stopNfs
notice "Terminal-server stopped"
}
"") actionStart ;;
tftp) runTftp ;;
dhcp) runDhcp ;;
+ ipt) startIptables ;;
nfs) startNfs ;;
*) warn "Service $service_ not available" ;;
esac
"") actionStop ;;
tftp) stopTftp ;;
dhcp) stopDhcp ;;
+ ipt) stopIptables ;;
nfs) stopNfs ;;
*) warn "Service $service_ not available" ;;
esac
projects / grml-terminalserver.git / blobdiff