Last active
September 7, 2015 17:06
-
-
Save alexmerser/e1b29ea53d56e3d6149b to your computer and use it in GitHub Desktop.
Patch & Install OpenVZ Kernel & Setup IPTables Rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| el_version="6" | |
| kernel_major="2.6.32" | |
| kernel_minor="279.5.1" | |
| vz_major="042stab061" | |
| vz_minor=".2" | |
| echo "Fetching OpenVZ Repo..." | |
| cd /etc/yum.repos.d | |
| wget -nv http://download.openvz.org/openvz.repo | |
| echo "Installing OpenVZ Repo..." | |
| rpm --import --quiet http://download.openvz.org/RPM-GPG-Key-OpenVZ | |
| echo "Installing OpenVZ Kernel and Patch Tools..." | |
| yum -y install -q vzkernel-firmware vzkernel-headers vzkernel-devel vzkernel gcc gcc-c++ glibc-devel glibc-headers libtool systemtap patch | |
| echo "Fetching Kernel Source..." | |
| cd ~ | |
| wget -nv http://download.openvz.org/kernel/branches/rhel$el_version-$kernel_major/$vz_major$vz_minor/vzkernel-$kernel_major-$vz_major$vz_minor.src.rpm | |
| echo "Unpacking Source RPM..." | |
| rpm --install --quiet vzkernel-$kernel_major-$vz_major$vz_minor.src.rpm | |
| echo "Decompressing Kernel Source..." | |
| cd rpmbuild/SOURCES | |
| tar -xjf linux-$kernel_major-$kernel_minor.el$el_version.tar.bz2 | |
| echo "Applying OpenVZ Patch..." | |
| cp -r linux-$kernel_major-$kernel_minor.el$el_version $kernel_major-$vz_major$vz_minor | |
| cd $kernel_major-$vz_major$vz_minor | |
| patch --quiet -p 1 < ../patch-$vz_major | |
| echo "Patching Fuse Support..." | |
| alias cp=cp | |
| cp -r /usr/src/kernels/$kernel_major-$vz_major$vz_minor ~/rpmbuild/SOURCES/ | |
| cp -r /usr/src/kernels/$kernel_major-$vz_major$vz_minor/.config . | |
| make prepare | |
| sed --in-place --expression "s/fuse_abort_conn/\/\/fuse_abort_conn/g" fs/fuse/inode.c | |
| make M=fs/fuse modules | |
| make M=fs/fuse INSTALL_MOD_STRIP=1 modules_install | |
| cd /lib/modules/$kernel_major-$vz_major$vz_minor/kernel/fs/fuse | |
| cp -r ../../../extra/* . | |
| echo "Fixing grub.conf..." | |
| rm /boot/grub/menu.lst | |
| cp /boot/grub/grub.conf /boot/grub/menu.lst | |
| echo "Adjusting floppy.conf" | |
| cat >> /etc/modprobe.d/floppy.conf <<SCRIPT | |
| alias floppy off | |
| SCRIPT | |
| echo "Cleaning-Up..." | |
| rm -rf ~/rpmbuild | |
| rm -rf ~/vzkernel*.src.rpm | |
| echo "Seting IPTables Rules..." | |
| dev="eth" | |
| ip link show | grep bond | |
| if [ $? == 0 ]; then | |
| dev="bond" | |
| fi | |
| # flush rules | |
| iptables -F | |
| # flush nat (postrouting) rules | |
| iptables -t nat -F | |
| # here we create an internal network for containers to have unique local IP Addresses | |
| # we need to masquerade their outbound packets so that returning packets come back to | |
| # the host first. | |
| iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -o ${dev}0 -j MASQUERADE | |
| iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -o br0 -j MASQUERADE | |
| iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -o ${dev}1 -j MASQUERADE | |
| iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -o br1 -j MASQUERADE | |
| # set default input policy to accept for local and internal network | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A INPUT -i ${dev}0 -j ACCEPT | |
| iptables -A INPUT -i br0 -j ACCEPT | |
| # allow ssh from office | |
| iptables -A INPUT -s 24.116.177.208/29 -i ${dev}1 -p tcp -m tcp --dport 22 -j ACCEPT | |
| iptables -A INPUT -s 24.116.177.208/29 -i br1 -p tcp -m tcp --dport 22 -j ACCEPT | |
| # allow established connections to return | |
| iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # allow ping | |
| iptables -A INPUT -p icmp -j ACCEPT | |
| # allow established, forwarded connections to return | |
| iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # allow containers to forward on to email queue (temporary) | |
| iptables -A FORWARD -d 10.60.38.81/32 -o ${dev}0 -p tcp -m tcp --dport 11300 -j ACCEPT | |
| iptables -A FORWARD -d 10.60.38.81/32 -o br0 -p tcp -m tcp --dport 11300 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.11/32 -o ${dev}0 -p tcp -m tcp --dport 53 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.11/32 -o br0 -p tcp -m tcp --dport 53 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.11/32 -o ${dev}0 -p udp -m udp --dport 53 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.11/32 -o br0 -p udp -m udp --dport 53 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.12/32 -o ${dev}0 -p tcp -m tcp --dport 53 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.12/32 -o br0 -p tcp -m tcp --dport 53 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.12/32 -o ${dev}0 -p udp -m udp --dport 53 -j ACCEPT | |
| iptables -A FORWARD -d 10.0.80.12/32 -o br0 -p udp -m udp --dport 53 -j ACCEPT | |
| # allow containers to make outbound connections | |
| iptables -A FORWARD -o ${dev}1 -j ACCEPT | |
| iptables -A FORWARD -o br1 -j ACCEPT | |
| # set default drop input policy | |
| iptables -P INPUT DROP | |
| # set default drop forward policy | |
| iptables -P FORWARD DROP | |
| # set default accept outbound policy | |
| iptables -P OUTPUT ACCEPT | |
| # close up ip6 for now | |
| ip6tables -A INPUT -p icmp -j ACCEPT | |
| ip6tables -A INPUT -i lo -j ACCEPT | |
| ip6tables -A INPUT -i ${dev}0 -j ACCEPT | |
| ip6tables -A INPUT -i br0 -j ACCEPT | |
| ip6tables -P INPUT DROP | |
| ip6tables -P FORWARD DROP | |
| ip6tables -P OUTPUT ACCEPT | |
| service iptables save | |
| service ip6tables save |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment