lxc iptables
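#!/bin/sh
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# Sets up the br0 bridge for the LXC containers and the iptables rules that
# confine container traffic to the local proxies, DNS on the host and the
# dataproxy.  Shell options belong in 'set', not the shebang: running it as
# "sh rc.local" would otherwise silently drop the -e.
set -e
# Where our dataproxy is (rendered from the template).  Abort with a clear
# message if it rendered empty; iptables would otherwise fail later on with a
# much less obvious "Bad IP address" error.
DATAPROXY_IP="<%= datastore_host_ip %>"
: "${DATAPROXY_IP:?datastore_host_ip was not rendered into DATAPROXY_IP}"
# What the IP of the host on the LXCs internal network is - this will serve all
# the http/https/ftpproxy and DNS, and acts as route for the networking from
# inside the LXCs
HOST_IP_ON_BRIDGE=10.0.0.1
# Only create the bridge when it does not exist yet; 'brctl addbr' fails on an
# existing bridge, which under 'set -e' would abort a re-run before any
# firewall rule is installed.
[ -d /sys/class/net/br0 ] || brctl addbr br0
brctl setfd br0 0
ifconfig br0 "$HOST_IP_ON_BRIDGE" up
# Clear all existing firewall rules
iptables -t nat -F
iptables -F
# NAT general HTTP/HTTPS/FTP traffic to the (local) httpproxy/httpsproxy/ftpproxy
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to "$HOST_IP_ON_BRIDGE:9005" # HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j DNAT --to "$HOST_IP_ON_BRIDGE:9005" # HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 7777:7877 -j DNAT --to "$HOST_IP_ON_BRIDGE:9005" # Oracle HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 5000 -j DNAT --to "$HOST_IP_ON_BRIDGE:9005" # Webstore HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to "$HOST_IP_ON_BRIDGE:9006" # HTTPS
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 21 -j DNAT --to "$HOST_IP_ON_BRIDGE:9004" # FTP
# Traffic for dataproxy (port 9003) routes to another box on port 9003
# XXX we need this ip_forward, while using MASQUERADE (set once, here, before
# the rule that depends on it)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -p tcp --dport 9003 --destination "$DATAPROXY_IP" -j MASQUERADE
# Block any new TCP/IP connections going anywhere else.
# The DNAT targets above are local addresses, so that traffic arrives in INPUT.
iptables -A INPUT -i br0 -p tcp --syn -d "$HOST_IP_ON_BRIDGE" --dport 9004 -j ACCEPT # FTP proxy
iptables -A INPUT -i br0 -p tcp --syn -d "$HOST_IP_ON_BRIDGE" --dport 9005 -j ACCEPT # HTTP proxy
iptables -A INPUT -i br0 -p tcp --syn -d "$HOST_IP_ON_BRIDGE" --dport 9006 -j ACCEPT # HTTPS proxy
iptables -A INPUT -i br0 -p tcp --syn -j DROP
# Connections routed on to the dataproxy never reach INPUT: with ip_forward
# enabled they traverse FORWARD, which the rules above leave completely open
# from br0.  Permit only that one destination there and drop everything else
# the containers try to have the host forward.
iptables -A FORWARD -i br0 -p tcp --syn -d "$DATAPROXY_IP" --dport 9003 -j ACCEPT # Dataproxy
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i br0 -j DROP
# Allow UDP packets for DNS only to $HOST_IP_ON_BRIDGE and back, and no other UDP packets
# See http://www.cyberciti.biz/tips/linux-iptables-12-how-to-block-or-open-dnsbind-service-port-53.html
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d "$HOST_IP_ON_BRIDGE" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s "$HOST_IP_ON_BRIDGE" --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d "$HOST_IP_ON_BRIDGE" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s "$HOST_IP_ON_BRIDGE" --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i br0 -p udp -j DROP
# Debugging - show all (-n skips reverse DNS lookups, which can stall the boot
# when name resolution is not up yet):
iptables -t nat -L -v -n; iptables -L -v -n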