initial import (Boeing r1752, NRL r878)

daemon/examples/services/sampleFirewall

@@ -0,0 +1,30 @@
+# -------- CUSTOMIZATION REQUIRED --------
+#
+# Below are sample iptables firewall rules that you can uncomment and edit.
+# You can also use ip6tables rules for IPv6.
+#
+
+# start by flushing all firewall rules (so this script may be re-run)
+#iptables -F
+
+# allow traffic related to established connections
+#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# allow TCP packets from any source destined for 192.168.1.1
+#iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1  -p TCP -j ACCEPT
+
+# allow OpenVPN server traffic from eth0
+#iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+#iptables -A INPUT -i eth0 -j DROP
+#iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT
+#iptables -A OUTPUT -o eth0 -j DROP
+
+# allow ICMP ping traffic
+#iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+#iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT
+
+# allow SSH traffic
+#iptables -A -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+# drop all other traffic coming in eth0
+#iptables -A INPUT -i eth0 -j DROP

daemon/examples/services/sampleIPsec

@@ -0,0 +1,119 @@
+# -------- CUSTOMIZATION REQUIRED --------
+#
+# The IPsec service builds ESP tunnels between the specified peers using the
+# racoon IKEv2 keying daemon. You need to provide keys and the addresses of
+# peers, along with subnets to tunnel.
+
+# directory containing the certificate and key described below
+keydir=/etc/core/keys
+
+# the name used for the "$certname.pem" x509 certificate and 
+# "$certname.key" RSA private key, which can be generated using openssl
+certname=ipsec1
+
+# list the public-facing IP addresses, starting with the localhost and followed
+# by each tunnel peer, separated with a single space
+tunnelhosts="172.16.0.1AND172.16.0.2 172.16.0.1AND172.16.2.1"
+
+# Define T<i> where i is the index for each tunnel peer host from
+# the tunnel_hosts list above (0 is localhost).
+# T<i> is a list of IPsec tunnels with peer i, with a local subnet address
+# followed by the remote subnet address:
+#   T<i>="<local>AND<remote> <local>AND<remote>"
+# For example, 172.16.0.0/24 is a local network (behind this node) to be
+# tunneled and 172.16.2.0/24 is a remote network (behind peer 1)
+T1="172.16.3.0/24AND172.16.5.0/24"
+T2="172.16.4.0/24AND172.16.5.0/24 172.16.4.0/24AND172.16.6.0/24"
+
+# -------- END CUSTOMIZATION --------
+
+echo "building config $PWD/ipsec.conf..." 
+echo "building config $PWD/ipsec.conf..." > $PWD/ipsec.log
+
+checkip=0
+if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
+   echo "WARNING: ip validation disabled because package sipcalc not installed
+        " >> $PWD/ipsec.log
+   checkip=1
+fi
+
+echo "#!/usr/sbin/setkey -f
+    # Flush the SAD and SPD
+    flush;
+    spdflush;
+
+    # Security policies  \
+     " > $PWD/ipsec.conf
+i=0
+for hostpair in $tunnelhosts; do 
+    i=`expr $i + 1`
+    # parse tunnel host IP
+    thishost=${hostpair%%AND*}
+    peerhost=${hostpair##*AND} 
+    if [ $checkip = "0" ] &&
+       [ "$(sipcalc "$thishost" "$peerhost" | grep ERR)" != "" ]; then
+	  echo "ERROR: invalid host address $thishost or $peerhost \
+             " >> $PWD/ipsec.log
+    fi
+    # parse each tunnel addresses 
+    tunnel_list_var_name=T$i
+    eval tunnels="$"$tunnel_list_var_name""
+    for ttunnel in $tunnels; do
+        lclnet=${ttunnel%%AND*}
+        rmtnet=${ttunnel##*AND} 
+    	if [ $checkip = "0" ] && 
+           [ "$(sipcalc "$lclnet" "$rmtnet"| grep ERR)" != "" ]; then
+    	    echo "ERROR: invalid tunnel address $lclnet and $rmtnet \
+                 " >> $PWD/ipsec.log
+	fi
+    	# add tunnel policies
+	echo "
+    spdadd $lclnet $rmtnet any -P out ipsec
+	esp/tunnel/$thishost-$peerhost/require;
+    spdadd $rmtnet $lclnet any -P in ipsec
+	esp/tunnel/$peerhost-$thishost/require; \
+    	    " >> $PWD/ipsec.conf
+    done
+done
+
+echo "building config $PWD/racoon.conf..."
+if [ ! -e $keydir\/$certname.key ] || [ ! -e $keydir\/$certname.pem ]; then
+     echo "ERROR: missing certification files under $keydir \
+$certname.key or $certname.pem " >> $PWD/ipsec.log
+fi
+echo "
+	 path certificate \"$keydir\";
+	 listen {
+		 adminsock disabled;
+	 }
+	 remote anonymous
+	 {
+		 exchange_mode main;
+ 		 certificate_type x509 \"$certname.pem\" \"$certname.key\";
+		 ca_type x509 \"ca-cert.pem\";
+		 my_identifier asn1dn;
+		 peers_identifier asn1dn;
+
+		 proposal {
+			 encryption_algorithm 3des ;
+			 hash_algorithm sha1;
+			 authentication_method rsasig ;
+			 dh_group modp768;
+		 }
+	 }
+	 sainfo anonymous
+	 {
+		 pfs_group modp768;
+		 lifetime time 1 hour ;
+		 encryption_algorithm 3des, blowfish 448, rijndael ;
+		 authentication_algorithm hmac_sha1, hmac_md5 ;
+		 compression_algorithm deflate ;
+	 }
+	" > $PWD/racoon.conf
+
+# the setkey program is required from the ipsec-tools package
+echo "running setkey -f $PWD/ipsec.conf..."
+setkey -f $PWD/ipsec.conf
+
+echo "running racoon -d -f $PWD/racoon.conf..."
+racoon -d -f $PWD/racoon.conf -l racoon.log

daemon/examples/services/sampleVPNClient

@@ -0,0 +1,63 @@
+# -------- CUSTOMIZATION REQUIRED --------
+#
+# The VPNClient service builds a VPN tunnel to the specified VPN server using
+# OpenVPN software and a virtual TUN/TAP device.
+
+# directory containing the certificate and key described below
+keydir=/etc/core/keys
+
+# the name used for a "$keyname.crt" certificate and "$keyname.key" private key.
+keyname=client1
+
+# the public IP address of the VPN server this client should connect with
+vpnserver="10.0.2.10"
+
+# optional next hop for adding a static route to reach the VPN server
+nexthop="10.0.1.1"
+
+# --------- END CUSTOMIZATION --------
+
+# validate addresses
+if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
+    echo "WARNING: ip validation disabled because package sipcalc not installed 
+         " > $PWD/vpnclient.log
+else
+    if [ "$(sipcalc "$vpnserver" "$nexthop" | grep ERR)" != "" ]; then
+        echo "ERROR: invalide address $vpnserver or $nexthop \
+             " > $PWD/vpnclient.log
+    fi
+fi
+
+# validate key and certification files
+if [ ! -e $keydir\/$keyname.key ] || [ ! -e $keydir\/$keyname.crt ] \
+   || [ ! -e $keydir\/ca.crt ] || [ ! -e $keydir\/dh1024.pem ]; then
+     echo "ERROR: missing certification or key files under $keydir \
+$keyname.key or $keyname.crt or ca.crt or dh1024.pem" >> $PWD/vpnclient.log
+fi
+
+# if necessary, add a static route for reaching the VPN server IP via the IF
+vpnservernet=${vpnserver%.*}.0/24
+if [ "$nexthop" != "" ]; then
+    /sbin/ip route add $vpnservernet via $nexthop
+fi
+
+# create openvpn client.conf
+(
+cat << EOF
+client
+dev tun
+proto udp
+remote $vpnserver 1194
+nobind
+ca $keydir/ca.crt
+cert $keydir/$keyname.crt
+key $keydir/$keyname.key
+dh $keydir/dh1024.pem
+cipher AES-256-CBC
+log $PWD/openvpn-client.log
+verb 4
+daemon
+EOF
+) > client.conf
+    
+openvpn --config client.conf

daemon/examples/services/sampleVPNServer

@@ -0,0 +1,147 @@
+# -------- CUSTOMIZATION REQUIRED --------
+#
+# The VPNServer service sets up the OpenVPN server for building VPN tunnels
+# that allow access via TUN/TAP device to private networks.
+#
+# note that the IPForward and DefaultRoute services should be enabled
+
+# directory containing the certificate and key described below, in addition to
+# a CA certificate and DH key
+keydir=/etc/core/keys
+
+# the name used for a "$keyname.crt" certificate and "$keyname.key" private key.
+keyname=server2
+
+# the VPN subnet address from which the client VPN IP (for the TUN/TAP) 
+# will be allocated
+vpnsubnet=10.0.200.0
+
+# public IP address of this vpn server (same as VPNClient vpnserver= setting)
+vpnserver=10.0.2.10
+
+# optional list of private subnets reachable behind this VPN server
+# each subnet and next hop is separated by a space
+# "<subnet1>,<nexthop1> <subnet2>,<nexthop2> ..."
+privatenets="10.0.11.0,10.0.10.1 10.0.12.0,10.0.10.1"
+
+# optional list of VPN clients, for statically assigning IP addresses to
+# clients; also, an optional client subnet can be specified for adding static
+# routes via the client
+# Note: VPN addresses x.x.x.0-3 are reserved
+# "<keyname>,<vpnIP>,<subnetIP> <keyname>,<vpnIP>,<subnetIP> ..."
+vpnclients="client1KeyFilename,10.0.200.5,10.0.0.0 client2KeyFilename,,"
+
+# NOTE: you may need to enable the StaticRoutes service on nodes within the
+# private subnet, in order to have routes back to the client.
+# /sbin/ip ro add <vpnsubnet>/24 via <vpnServerRemoteInterface> 
+# /sbin/ip ro add <vpnClientSubnet>/24 via <vpnServerRemoteInterface>
+
+# -------- END CUSTOMIZATION --------
+
+echo > $PWD/vpnserver.log
+rm -f -r $PWD/ccd
+
+# validate key and certification files
+if [ ! -e $keydir\/$keyname.key ] || [ ! -e $keydir\/$keyname.crt ] \
+   || [ ! -e $keydir\/ca.crt ] || [ ! -e $keydir\/dh1024.pem ]; then
+     echo "ERROR: missing certification or key files under $keydir \
+$keyname.key or $keyname.crt or ca.crt or dh1024.pem" >> $PWD/vpnserver.log
+fi
+
+# validate configuration IP addresses
+checkip=0
+if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
+   echo "WARNING: ip validation disabled because package sipcalc not installed\
+        " >> $PWD/vpnserver.log
+   checkip=1
+else
+    if [ "$(sipcalc "$vpnsubnet" "$vpnserver" | grep ERR)" != "" ]; then
+     echo "ERROR: invalid vpn subnet or server address \
+$vpnsubnet or $vpnserver " >> $PWD/vpnserver.log
+    fi
+fi
+ 
+# create client vpn ip pool file
+(
+cat << EOF
+EOF
+)> $PWD/ippool.txt
+
+# create server.conf file
+(
+cat << EOF
+# openvpn server config
+local $vpnserver
+server $vpnsubnet 255.255.255.0
+push redirect-gateway def1
+EOF
+)> $PWD/server.conf
+
+# add routes to VPN server private subnets, and push these routes to clients
+for privatenet in $privatenets; do
+    if [ $privatenet != "" ]; then
+        net=${privatenet%%,*}
+        nexthop=${privatenet##*,}
+        if [ $checkip = "0" ] &&
+           [ "$(sipcalc "$net" "$nexthop" | grep ERR)" != "" ]; then
+            echo "ERROR: invalid vpn server private net address \
+$net or $nexthop " >> $PWD/vpnserver.log
+	fi
+        echo push route $net 255.255.255.0 >> $PWD/server.conf
+        /sbin/ip ro add $net/24 via $nexthop
+        /sbin/ip ro add $vpnsubnet/24 via $nexthop
+    fi
+done
+
+# allow subnet through this VPN, one route for each client subnet
+for client in $vpnclients; do
+    if [ $client != "" ]; then
+        cSubnetIP=${client##*,}
+        cVpnIP=${client#*,}
+        cVpnIP=${cVpnIP%%,*}
+        cKeyFilename=${client%%,*}
+        if [ "$cSubnetIP" != "" ]; then
+            if [ $checkip = "0" ] &&
+               [ "$(sipcalc "$cSubnetIP" "$cVpnIP" | grep ERR)" != "" ]; then
+                echo "ERROR: invalid vpn client and subnet address \
+$cSubnetIP or $cVpnIP " >> $PWD/vpnserver.log
+	    fi
+            echo route $cSubnetIP 255.255.255.0  >> $PWD/server.conf
+            if ! test -d $PWD/ccd; then
+                mkdir -p $PWD/ccd
+                echo  client-config-dir $PWD/ccd >> $PWD/server.conf
+            fi
+            if test -e $PWD/ccd/$cKeyFilename; then
+              echo iroute $cSubnetIP 255.255.255.0 >> $PWD/ccd/$cKeyFilename
+            else
+              echo iroute $cSubnetIP 255.255.255.0 > $PWD/ccd/$cKeyFilename
+            fi
+        fi
+        if [ "$cVpnIP" != "" ]; then
+            echo $cKeyFilename,$cVpnIP >> $PWD/ippool.txt
+        fi
+    fi
+done
+
+(
+cat << EOF
+keepalive 10 120
+ca $keydir/ca.crt
+cert $keydir/$keyname.crt
+key $keydir/$keyname.key
+dh $keydir/dh1024.pem
+cipher AES-256-CBC
+status /var/log/openvpn-status.log
+log /var/log/openvpn-server.log
+ifconfig-pool-linear
+ifconfig-pool-persist $PWD/ippool.txt
+port 1194
+proto udp
+dev tun
+verb 4
+daemon
+EOF
+)>> $PWD/server.conf
+
+# start vpn server
+openvpn --config server.conf