# dans l'idée de ne pas s'embêter avec
# une migration squeeze -> wheezy dans deux mois ;
# et parce qu'on juge wheezy « suffisamment stable ».
+
+readonly local_iodine_ns="i.wiklou.org"
+readonly local_iodine_gateway="10.0.42.1"
; ENREGISTREMENTS « NS » (Name Server)
@ NS ns
@ NS ns6.gandi.net.
+i NS ns
+++ /dev/null
-rouf.grenode.net,91.216.110.98 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWolyL7ErNN/uHTAoQFIylOOC9sixbd4i0CNxAcGN0Ht7Z7HpquzwAmRj4JHNgRRTkUFnW0GBOB/E3Py5ckU1CZ8SBZyqt3zrBwO0xybZ6ZWNlzebdgiMU3Ke2p9WfZsAd0HKG9oJjeNJFDVATI/ez0IT8pKFR0AT5wO1u5HHDX3szPl19F5Blk8S3XYc//ZypVTokpH7EDgq+tj8FPERAuwIYl3qAJesR0omwn5Gro87pUhTgqK+9mkXcWacUYsLA6m0uR+1DhdTIHwcsHFoVI+DjwOGmfeI5ZallbgRdmoeTUi1lf1RVu5myoBl6eRob9dLWCtp+7zjp0fmPEDaJ root@rouf
-init.ateliers.heureux-cyclage.org ssh-rsa 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 root@ateliers
-ateliers.heureux-cyclage.org ssh-rsa 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
-91.216.110.42 ssh-rsa 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
. "$tool"/etc/local.sh
+
+readonly remote_tsocks_port=2242
+readonly remote_iodine_tsocks_port=5342
--- /dev/null
+use Shorewall::Chains;
+
+insert_rule $nat_table->{PREROUTING}, 1, "-p udp --dport 53 -m string --algo kmp --from 40 --hex-string |01|i|06|wiklou|03|org|00| -j DNAT --to-destination :5353";
+ # NOTE: redirige les requêtes DNS concernant i.wiklou.org et ses sous-domaines vers iodined.
+ # NOTE: --from 40 == 20(IP) + 8(UDP) + 12(entête DNS jusqu'aux requêtes).
+ # XXX: --algo bm effectue une recherche de la fin vers le début du paquet IP
+ # XXX: et par conséquent, bien que plus performant, manque des occurences
+ # XXX: dès qu'il y a de la fragmentation au niveau IP ; --algo kmp n'a pas ce souci.
+ # XXX: VOIR: http://autogeree.net/~julm/txt/iptables-xt_string-bm-fails-on-fragmented-ip.sh
+
+1;
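Review bot: The `-m string --hex-string |01|i|06|wiklou|03|org|00|` match in the new PREROUTING rule compares bytes exactly, while DNS labels are case-insensitive, so a query for `i.WIKLOU.org` (or the 0x20 case-randomised form some resolvers emit) is not redirected and reaches the port-53 server instead of iodined. xt_string has an `--icase` flag for this; adding it, `--algo kmp --icase --from 40 --hex-string ...`, closes the gap, assuming the wheezy iptables build supports it (worth a quick test). The `--from 40` offset also assumes a 20-byte IP header, so a packet carrying IP options shifts the payload past the match window; the existing NOTE should say so, e.g. `# NOTE: --from 40 assumes no IP options; the match is byte-exact, hence --icase`.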
FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
+dns dns0 arp_filter,logmartians,nosmurfs,routefilter,sourceroute=0,tcpflags
net eth0 arp_filter,logmartians,nosmurfs,routefilter,sourceroute=0,tcpflags
--- /dev/null
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 5353
# DOC: shorewall-policy(5)
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-$FW net DROP
+dns all DROP
+$FW all DROP
net all DROP info
# XXX: the following policy must be last
all all REJECT info
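Review bot: The new `$FW all DROP` and `dns all DROP` policies carry no log level, unlike the `net all DROP info` line right below them, so traffic from the firewall toward the tunnel zone, or from tunnel clients toward anything but the explicitly allowed `$FW` services, disappears silently. That makes a misconfigured rule on the iodine path hard to diagnose and hides tunnel clients probing the box; `dns all DROP info` and `$FW all DROP info` would keep the same effect with an audit trail. If the silence is deliberate for the firewall's own outbound traffic, a short comment saying so would stop the next reader from "fixing" it.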
#SECTION RELATED
SECTION NEW
+Ping(ACCEPT) dns $FW
+Mosh(ACCEPT) dns $FW
+SSH(ACCEPT) dns $FW
+
+Ping(ACCEPT) $FW dns
+
+ACCEPT $FW net icmp
+DNS(ACCEPT) $FW net
+Git(ACCEPT) $FW net
+HTTP(ACCEPT) $FW net
+HTTPS(ACCEPT) $FW net
+NTP(ACCEPT) $FW net
+SMTP(ACCEPT) $FW net
+SMTPS(ACCEPT) $FW net
+SSH(ACCEPT) $FW net
+
DNS(ACCEPT) net $FW
Git(ACCEPT) net $FW
HTTP(ACCEPT) net $FW
HTTPS(ACCEPT) net $FW
+Iodine(ACCEPT) net $FW
Limit(IMAPS,5,60):info net $FW tcp imaps
IMAPS(ACCEPT) net $FW
Fanout(ACCEPT) net $FW
Limit(SSH,10,60):info net $FW tcp ssh
Submission(ACCEPT) net $FW
Limit(Submission,10,60):info net $FW tcp submission
-
-ACCEPT $FW net icmp
-DNS(ACCEPT) $FW net
-Git(ACCEPT) $FW net
-HTTP(ACCEPT) $FW net
-HTTPS(ACCEPT) $FW net
-NTP(ACCEPT) $FW net
-SMTP(ACCEPT) $FW net
-SMTPS(ACCEPT) $FW net
-SSH(ACCEPT) $FW net
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
+dns ipv4
fw firewall
net ipv4
--- /dev/null
+rouf.grenode.net,91.216.110.98 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWolyL7ErNN/uHTAoQFIylOOC9sixbd4i0CNxAcGN0Ht7Z7HpquzwAmRj4JHNgRRTkUFnW0GBOB/E3Py5ckU1CZ8SBZyqt3zrBwO0xybZ6ZWNlzebdgiMU3Ke2p9WfZsAd0HKG9oJjeNJFDVATI/ez0IT8pKFR0AT5wO1u5HHDX3szPl19F5Blk8S3XYc//ZypVTokpH7EDgq+tj8FPERAuwIYl3qAJesR0omwn5Gro87pUhTgqK+9mkXcWacUYsLA6m0uR+1DhdTIHwcsHFoVI+DjwOGmfeI5ZallbgRdmoeTUi1lf1RVu5myoBl6eRob9dLWCtp+7zjp0fmPEDaJ root@rouf
+init.ateliers.heureux-cyclage.org ssh-rsa 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 root@ateliers
+ateliers.heureux-cyclage.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCs2PjhfXSTUryiFfbzB3Qc5lF2bvMR56tzDTmrKGtBFXifzQuAltftPAgKTFeuFohOl1jXD3KzeZS6EAk8iZ7hUzBCbPGx5nrIizw9Kak8Jvy477uHzRNuCSbdgxzpwRr8nOKkohwARxFgkRQxM08rKBZyuSYU8N+Z9OSEwMQqv+uU+/NUHWZC0JVfWwfBunwc9mQBmxzt5Y+zhKk3qzEu2Iqu4ilr8FolAwGkWp60ruffrQrnJYFpIwFGsE+k/WAd4RgGyASclCPA5upVLKiSnwx5vnyXggYX0mXNrch3Uak99rrOVH/0YpGUy1dJY91UT+BESWyvMFDbK8fQWTR39kCnESS02F8/FnVTB9tP1XRPBWWUMtavOQIL0BxsgmvbM8rJEHImiRfLCwH/6oXP5JkPQnKQZlu++WPjWxuMraPNwvFsrqBdfPuYY97L4cXiI4loea5/eEBhEyz5RVBSHXoy3BUceSsXloGH1/2iC50k5IpZJIRthYi+OJ9ZjDBLk0YioVsf4TjADythqLu2zOT+ota63trJ/AMEV2tGX1mPGiFJgJ69cHN5CIsSDJH6VcbswPWxGa3n9r/b1Wnzadp4wiNFODoe5a20qbvLg3jrOJldxowKhNHExZpgPXuEKA/gSBKnyvhnZBerFwAGBKqaQOmfDMlknQtzg1fGyQ==
+91.216.110.42 ssh-rsa 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
+10.0.42.1 ssh-rsa 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
--- /dev/null
+Host 91.216.110.42
+ DynamicForward 127.0.0.1:2242
+Host 10.0.42.1
+ DynamicForward 127.0.0.1:5342
IgnoreUserKnownHosts no
KerberosAuthentication no
KeyRegenerationInterval 3600
-Port 22
-ListenAddress 127.0.0.1
-ListenAddress LOCAL_IPV4
+#ListenAddress 127.0.0.1:22
+#ListenAddress 10.0.42.1:22
+#ListenAddress LOCAL_IPV4:22
+ListenAddress 0.0.0.0:22
LogLevel INFO
LoginGraceTime 120
MaxAuthTries 3
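Review bot: `ListenAddress 0.0.0.0:22` replaces the explicit loopback and LOCAL_IPV4 bindings and so binds every present and future IPv4 address, not only the iodine gateway 10.0.42.1 that the commented-out lines show was the goal. Exposure is now bounded solely by the Shorewall rules rather than by sshd itself. If the wildcard is there because 10.0.42.1 does not exist on dns0 until iodined is running (plausible, sshd refuses to start on an unbound address), record that reason, e.g. `# 0.0.0.0: 10.0.42.1 (dns0) does not exist yet when sshd starts`, or keep the explicit list and reload sshd from the iodined run script once dns0 is up.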
--- /dev/null
+"$tool"/local/apt-get-install iodine
+"$tool"/local/insserv-remove iodined
--- /dev/null
+#!/bin/sh -eux
+sv=${PWD%/log}
+sv=${sv#/etc/sv/}
+
+exec chpst -u root:adm \
+ logger -p auth.1 -t "$sv"
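Review bot: `logger -p auth.1` tags every line of iodined's stdout/stderr with numeric level 1, which syslog defines as `alert`, so routine startup and connection messages would be logged as alerts; if that is not the intention, `-p auth.info` (or `auth.notice`) is the customary level for a daemon's log stream. `chpst -u root:adm` also gives logger more privilege than it needs: `/dev/log` is normally writable by everyone, so an unprivileged user in `adm` would do, although that depends on this host's syslog setup.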
--- /dev/null
+#!/bin/sh -eux
+exec 2>&1
+sv=${PWD#/etc/sv/}
+
+install -d -m 750 -o iodine -g nogroup \
+ /run/iodine
+
+exec /usr/sbin/iodined \
+ </root/.iodined_pass \
+ -c \
+ -f \
+ -l 91.216.110.42 \
+ -p 5353 \
+ -t /run/iodine \
+ -u iodine \
+ 10.0.42.1/27 \
+ i.wiklou.org
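Review bot: The chroot directory created by the `install -d -m 750 -o iodine -g nogroup /run/iodine` line is owned by the very user that `-u iodine` drops to, so the unprivileged daemon can create files inside its own chroot root, which defeats part of the point of the chroot. The usual hardening is a root-owned, non-writable directory, `install -d -m 755 -o root -g root /run/iodine`, unless iodined has to write there, which the visible lines do not show. Feeding the password via `</root/.iodined_pass` instead of `-P` keeps it off the command line, good; `-c` disables the client source-IP check and deserves a one-line comment on why it is needed here.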
"$tool"/local/apt-get-install openssh-server
"$tool"/local/insserv-remove ssh
-ssh-keygen -F "$local_fqdn" -f "$tool"/etc/openssh/known_hosts |
+ssh-keygen -F "$local_fqdn" -f "$tool"/etc/ssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
--- /dev/null
+local = 91.216.110.42/255.255.255.255
+server = 127.0.0.1
+server_port = 2242
+server_type = 5
--- /dev/null
+local = 10.0.42.0/255.255.255.224
+server = 127.0.0.1
+server_port = 5342
+server_type = 5
sudo sed -e '/^configure_networking /s/ &$//' \
-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
# NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
-ssh-keygen -F "init.$local_fqdn" -f "$tool"/etc/openssh/known_hosts |
+ssh-keygen -F "init.$local_fqdn" -f "$tool"/etc/ssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
IFS= read -r pass <<-EOF
$(gpg --decrypt "$tool"/var/sec/openpgp/backup+"$local_hostname"@"$local_domainname".pass.gpg)
EOF
-for fpr in $(remote/gpg --list-secret-keys --with-colons --with-fingerprint --with-fingerprint \
+for fpr in $("$tool"/remote/gpg --list-secret-keys --with-colons --with-fingerprint --with-fingerprint \
-- "backup+$local_hostname@$local_domainname" | grep '^fpr:' | cut -d : -f 10)
do gpg-preset-passphrase --preset -v $fpr <<-EOF
$pass
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+sudo install -d -m 750 -o iodine -g nogroup \
+ /var/run/iodine
+
+gpg --decrypt "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg |
+sudo iodine -f -t /var/run/iodine/ -u iodine "$@" "$local_iodine_ns"
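Review bot: As on the server side, the chroot directory is created owned by the `iodine` user that `-u iodine` drops to (`-o iodine`), so the process can write into its own chroot root; a root-owned directory is the safer default, `sudo install -d -m 755 -o root -g root /var/run/iodine`, unless iodine needs to write there. The path spelling also differs from the server script, which uses `/run/iodine`; on wheezy `/var/run` is typically a symlink to `/run`, so both work, but one spelling avoids confusion. The password is piped from `gpg --decrypt` on stdin, which keeps it out of the process list, good.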
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+mosh --ssh="$tool/remote/iodine-ssh ${ssh_options-}" -- $local_iodine_gateway "$@"
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+"$tool"/remote/ssh -v "$@" "$local_iodine_gateway"
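Review bot: `-v` is hard-coded on the ssh call, so every tunnel session runs verbose and writes the connection debug output (host key checks, authentication methods tried) to stderr, which also surfaces in the mosh wrapper that uses this script as `--ssh`. If it was added while bringing up the iodine path, drop it or make it opt-in, e.g. `"$tool"/remote/ssh ${IODINE_SSH_DEBUG:+-v} "$@" "$local_iodine_gateway"`.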
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+TSOCKS_CONF_FILE="$tool"/etc/tsocks/"$local_iodine_ns".conf \
+exec tsocks "$@"
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+install -d -m 700 \
+ "$tool"/var/sec \
+ "$tool"/var/sec/iodine
+if test ! -e "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg
+ then gpg --encrypt $gpg_options -o "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg <<-EOF
+ $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 32)
+ EOF
+ fi
+
+gpg --decrypt ${gpg_options-} "$tool"/var/sec/iodine/"$local_iodine_ns".pass.gpg |
+"$tool"/remote/ssh root@"$local_fqdn" '
+ set -eux
+ test ! -e /root/.iodined_pass
+ install -m 400 -o root -g root /dev/stdin \
+ /root/.iodined_pass
+ '
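Review bot: `"${random:-/dev/urandom}"` lets an ordinary environment variable named `random` silently replace the entropy source for the generated iodine password; a name that generic can be set by accident, and anything pointed to there (a short or constant file) yields a predictable password with no error, since `tr | head -c 32` happily consumes it. Either drop the override or give it an unmistakable name and sanity-check it, e.g. `random=${IODINE_RANDOM_SOURCE:-/dev/urandom}` followed by `test -c "$random"`. The remote side (guarding with `test ! -e /root/.iodined_pass`, receiving the secret on stdin, `install -m 400`) looks right.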
tool=$(readlink -e "${0%/*}/..")
. "$tool"/remote/lib.sh
+install -d -m 750 \
+ "$tool"/var/run \
+ "$tool"/var/run/ssh
ssh \
- -o StrictHostKeyChecking=yes \
- -o UserKnownHostsFile="$tool"/etc/openssh/known_hosts \
+ -F "$tool"/etc/ssh/remote.conf \
+ -o ControlMaster=autoask \
+ -o ControlPath="$tool"/var/run/ssh/"%h-%p-%r" \
+ -o ControlPersist=no \
-o HashKnownHosts=no \
- "$@"
+ -o StrictHostKeyChecking=yes \
+ -o UserKnownHostsFile="$tool"/etc/ssh/known_hosts \
+ "${@:-$local_ipv4}"
-#!/bin/sh -eux
+#!/bin/sh -eu
tool=$(readlink -e "${0%/*}/..")
. "$tool"/remote/lib.sh
-"$tool"/remote/ssh \
+ssh \
-o CheckHostIP=no \
- -o HashKnownHosts=no \
+ -o ControlMaster=no \
-o StrictHostKeyChecking=no \
- whoami
+ -o UserKnownHostsFile="$tool"/etc/ssh/known_hosts \
+ -o HashKnownHosts=no \
+ "$@" \
+ true
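Review bot: With `StrictHostKeyChecking=no` this command records whatever key the host presents, and when `"$tool"/etc/ssh/known_hosts` already holds a different key for that host OpenSSH still connects (with a warning) and `true` exits 0, so a changed or spoofed key neither fails the script nor updates the file. Since this step seeds the repository's known_hosts, the fingerprint of the new entry needs an out-of-band check before it is committed; printing it afterwards with `ssh-keygen -l -F HOST -f "$tool"/etc/ssh/known_hosts`, or failing when stderr contains `REMOTE HOST IDENTIFICATION HAS CHANGED`, would make that visible. `StrictHostKeyChecking=accept-new` would express the intent exactly but is not available in wheezy-era OpenSSH.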
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+TSOCKS_CONF_FILE="$tool"/etc/tsocks/"$local_fqdn".conf \
+exec tsocks "$@"