wirespot
10-12-2007, 20:37
I thought it would be a good idea to have a thread where we post our /usr/local/sbin stuff: post-boot, post-mount, post-firewall, and pre-shutdown. Learning by example is a really good thing.
For those who don't know yet, these files under the Oleg firmware are the router's startup/shutdown system. Use them to make the router do special things when it starts and when it stops.
-----------------------------------
Remember! These files need to be executable (chmod +x filename), and start with #!/bin/sh on the 1st line, in order to work. After you modify them use this command to save them to flash, otherwise all modifications will be lost upon reboot:
flashfs save && flashfs commit
-----------------------------------
OK so here goes. I'm using a HDD connected via USB and that's all as far as USB stuff is concerned. Here's my post-boot:
#!/bin/sh
# very important! this gives you SSH access to the
# router! you most likely don't want to leave it out!
dropbear -p 24 -j -k
# Make sure the kernel modules needed for the
# USB harddrive to work are loaded
[ ! -d /dev/discs ] && \
insmod scsi_mod && \
insmod sd_mod && \
insmod usb-storage && \
sleep 5
# Wait for /opt to mount. For 30 seconds I will try
# each second to mount the hdd partition that
# holds the main system. Be warned that mine is
# on the 2nd partition, yours is probably on 1st!
# Once it's mounted it will stop trying (common sense).
i=0; while [ $i -le 30 ]; do
mount /dev/discs/disc0/part2 /opt -t ext3
[ -d /opt/etc ] && break
sleep 1
i=$(expr $i + 1)
done
# Unload kernel modules I'm not using:
rmmod printer
# If we couldn't mount the HDD just bail out on the
# rest of post-boot. All the stuff from this point on
# depends on it being mounted. If you have stuff
# that will work regardless, put it before this section.
[ $i -gt 30 ] && return
# Activate swap. Again, be careful. My swap is on
# the 1st partition, yours is probably on 2nd.
swapon /dev/discs/disc0/part1
# Umount redundant mountpoint
umount /tmp/harddisk
# If you want syslog to log to a file on the HDD
# instead of /tmp/syslog.log (which is in RAM),
# here's how you do it:
#killall syslogd && \
#/sbin/syslogd -m 0 -O /opt/var/log/messages -S -l 7
# Start a ftp server. If vsftpd is available use that,
# otherwise use stupid-ftpd (which is called that for a reason).
[ -x /opt/sbin/vsftpd ] && \
/opt/sbin/vsftpd /opt/etc/vsftpd.conf || \
/usr/sbin/stupid-ftpd -f /opt/etc/stupid-ftpd.conf -p /tmp/var/run/stupid-ftpd.pid
# Start transmission. I use rtorrent nowadays so
# for me it's disabled.
#/opt/sbin/transmission_watchdog
# Run all active services - active means starts with S
/opt/etc/init.d/rc.unslung
# Anonymization proxy: Tor and Privoxy
/opt/sbin/privoxy --pidfile /opt/var/run/privoxy.pid /opt/etc/privoxy/config
/opt/bin/tor &
# Start DynDNS automatic updater:
/opt/sbin/ddclient &
# Start rtorrent:
(cd /opt/files/rtorrent && \
/opt/bin/screen -d -m -fn \
/opt/bin/rtorrent -o \
import=/usr/local/root/.rtorrent.rc) &
Now post-firewall. Careful with this one! Don't mess with the firewall if you don't know what you're doing!
#!/bin/sh
## FIREWALL SECTION
# set default policy (for extra paranoia)
iptables -P INPUT DROP
# Drop access to certain external ports. Again,
# paranoia. My FTP and Asus web interface don't
# even use these ports, but just in case I ever
# forget, I block them here. (-I inserts the rule;
# -D would try to delete it. -i "$1" restricts the
# rule to the WAN interface, so LAN access is untouched.)
iptables -I INPUT 1 -i "$1" -p tcp --dport 21 -j DROP
iptables -I INPUT 1 -i "$1" -p tcp --dport 80 -d "$4" -j DROP
# Allow access to various router services from WAN.
# Below you can see me activating the rtorrent
# external port range, a webserver and 27 is SSH:
for P in 10000:11000 8000 27; do
iptables -I INPUT 1 -p tcp -i "$1" --syn --dport $P -j ACCEPT
done
# Manual port forwarding. Normally it's done from
# the router's web config interface. But if you ever
# don't want to do it there for some reason, or need
# to do it from the command line without rebooting
# the router, here's how. Basically you add a rule
# to the VSERVER chain in the nat table. Note the
# protocol (-p udp), the interface (-i vlan1), the
# destination port (--dport and again at the end of
# --to) and the LAN IP that should receive it:
iptables -t nat -A VSERVER -p udp -i vlan1 --dport 5904 -j DNAT --to 192.168.123.1:5904
## WONDERSHAPER SECTION
# The wshaper script is an easy to use wrapper
# over the tc tool. It will cap your upper download
# and upload speed in order to take full advantage
# of it and prioritize certain types of LAN traffic
# over others (including traffic done by the router
# itself). For example, no matter how hard transmission
# will download or upload, you'll be able to browse
# the web properly from your LAN computer.
# the download and upload cap:
SPEEDS="10240 1024"
# LAN ports to prioritize:
PORTS="20 21 22 25 110 143 80 443 587 995 5050 1863 5222 6667"
# I try my modified wshaper (see my post in its
# thread!) which accepts ports too. The original
# wshaper only accepted IPs for prioritizing. Except
# I don't want bittorrent to eat bandwidth even
# when I run it from my LAN station, so I prefer ports.
# If my wshaper is not installed I use the original.
[ -x /opt/app/local/bin/wshaper ] && \
/opt/app/local/bin/wshaper start $1 $SPEEDS "" "" "" "" "$PORTS" || \
/sbin/wshaper start $1 $SPEEDS
# priority ports
#20/21:FTP, 22:SSH, 25:SMTP, 110:POP3, 143:IMAP, 80:HTTP, 443:HTTPS
#587+995:secure SMTP/POP3, 5050/1863/5222:YM/MSN/Jabber, 6667:IRC
# Log the parameters ($1 to $4) to a file.
# It's useful when I edit these files and forget
# which stands for what.
echo "$@" > /usr/local/root/param.log
Finally, pre-shutdown:
#!/bin/sh
# This one is simple. I send signal INT to rtorrent
# to tell it to do a graceful shutdown that will make
# it save its hashes and full status. (You need to
# enable sessions with session=dir in rtorrent.rc
# for this to work!) The pidof check avoids calling
# kill with no PID when rtorrent isn't running:
pid=$(/bin/pidof rtorrent) && /bin/kill -INT $pid
# Then I wait for 10 seconds to be sure it died
# gracefully. The rtorrent docs say it dies in 5,
# I just wanna make extra sure.
/bin/sleep 10