dcrd jail setup on FreeBSD
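#!/usr/local/bin/bash
#
# dcrd jail setup on FreeBSD.
#
# On the host: installs ezjail, enables ipfw with in-kernel NAT, writes the
# ruleset to /etc/ipfw.rules, brings up the lo1 clone interface, creates an
# ezjail named $JAIL_NAME, then downloads a dcrd release archive, verifies its
# SHA-256 and unpacks it into the jail's /root/bin.
#
# Required env:
#   DCRD_SHA256  - published SHA-256 (hex) of $DCRD_DIST_FILE, taken from the
#                  release's checksum manifest. Placeholder: no default is
#                  provided on purpose; the download is refused without it.
# Runs privileged steps via sudo; intended for a fresh host (re-running will
# append duplicate lines to rc.conf / loader.conf / ezjail.conf).
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

export DCRD_VERSION=v0.8.2
export DCRD_DIST_FILE="decred-freebsd-amd64-${DCRD_VERSION}.tar.gz"
export DCRD_RELEASE_BINARY_URL="https://github.com/decred/decred-binaries/releases/download/${DCRD_VERSION}/${DCRD_DIST_FILE}"
# Expected digest of the archive; deliberately not defaulted so an unverified
# binary never lands in the jail.
: "${DCRD_SHA256:?set DCRD_SHA256 to the published SHA-256 of ${DCRD_DIST_FILE}}"
export HOST_NETIF=vtnet0
export MANAGEMENT_IP=35.157.28.250
export JAIL_NAME=dcrd
export JAIL_IP=192.168.0.10
export JAIL_ROOT="/usr/jails/${JAIL_NAME}"

# Host address is the second word of the ifconfig_<netif>= line in rc.conf
# (assumes the form ifconfig_vtnet0="inet A.B.C.D netmask ..." - confirm on
# the target host). Only the first match is used; abort rather than write an
# empty NAT address into the ruleset.
HOST_IP=$(grep -F -- "${HOST_NETIF}=" /etc/rc.conf | awk 'NR==1 {print $2}') || true
[[ -n "$HOST_IP" ]] || die "could not determine the ${HOST_NETIF} address from /etc/rc.conf"
export HOST_IP

# setup required packages (wget is not in the FreeBSD base system)
sudo pkg install -qy ezjail bash wget

# Quoted delimiter: nothing in this block is meant to expand.
sudo tee -a /etc/rc.conf <<'RC_CONF'

# ^^ empty line needed on DigitalOcean instances
cloned_interfaces="lo1"
ezjail_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"
gateway_enable="YES"
RC_CONF

# /boot/defaults/loader.conf is replaced on upgrade and documents itself as
# not-to-be-edited; local settings belong in /boot/loader.conf.
sudo tee -a /boot/loader.conf <<'LOADER_CONF'
ipfw_nat_load=yes
LOADER_CONF

# Unquoted delimiter on purpose: $HOST_IP, $JAIL_IP, $HOST_NETIF and
# $MANAGEMENT_IP are baked into the ruleset at setup time.
# NOTE(review): rule 600 admits tcp/22 from any source, so rule 60000 (SSH
# only from $MANAGEMENT_IP) is never reached; drop 22 from rule 600 if the
# intent is to restrict SSH to the management address.
# NOTE(review): rules 101/102 match 192.168.0.0/24 via lo1, but the jail
# below is created with $JAIL_IP on $HOST_NETIF and 127.0.1.1 on lo1 -
# confirm which interface the jail address is meant to live on.
sudo tee /etc/ipfw.rules <<IPFW_RULES
ipfw -f flush
ipfw nat 123 config ip $HOST_IP
ipfw nat 1 config ip $HOST_IP unreg_only same_ports redirect_port tcp $JAIL_IP:9108 9108
ipfw add 100 allow ip from any to any via lo0
ipfw add 101 allow ip from 192.168.0.0/24 to me via lo1
ipfw add 102 allow ip from 192.168.0.0/24 to 192.168.0.0/24 via lo1
ipfw add 103 nat 1 ip from any to any via $HOST_NETIF
ipfw add 300 check-state
# Permit out traffic
ipfw add 400 allow tcp from any to any out setup keep-state
ipfw add 401 allow ip from any to any out keep-state
ipfw add 600 allow tcp from any to any dst-port 9108,22 in setup keep-state
ipfw add 601 allow icmp from any to any icmptypes 8 in keep-state
ipfw add 60000 allow tcp from $MANAGEMENT_IP to any 22
IPFW_RULES
sudo chmod +x /etc/ipfw.rules

# bring up clone interface and restart firewall/routing
sudo service netif cloneup
sudo service ipfw restart

sudo tee -a /usr/local/etc/ezjail.conf <<'JAIL_CONF'
ezjail_ftphost=http://ftp.FreeBSD.org
JAIL_CONF

sudo service ezjail start
sudo ezjail-admin install
sudo ezjail-admin create "$JAIL_NAME" "lo1|127.0.1.1,${HOST_NETIF}|${JAIL_IP}"

# configure dcrd jail instances
sudo tee -a "${JAIL_ROOT}/etc/resolv.conf" <<'RESOLV_CONF'
nameserver 8.8.8.8
nameserver 8.8.4.4
RESOLV_CONF

# install dcrd: fetch into a private temp dir, verify the digest, then unpack
# into the jail. The archive is removed on every exit path.
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT
archive="${workdir}/${DCRD_DIST_FILE}"
wget -q -O "$archive" -- "$DCRD_RELEASE_BINARY_URL" || die "download of ${DCRD_RELEASE_BINARY_URL} failed"
actual_sha256=$(sha256 -q "$archive")
[[ "$actual_sha256" == "$DCRD_SHA256" ]] \
  || die "SHA-256 mismatch for ${DCRD_DIST_FILE}: expected ${DCRD_SHA256}, got ${actual_sha256}"
sudo mkdir -p -- "${JAIL_ROOT}/root/bin"
sudo tar xzv -C "${JAIL_ROOT}/root/bin" --strip-components=1 -f "$archive"

sudo ezjail-admin start "$JAIL_NAME"
sudo ezjail-admin console "$JAIL_NAME"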