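#!/bin/sh
#------------------------------------------------------------------------------
# /etc/rc.d/rc900.stunnel - start stunnel proxies
#
# Last Update: $Id$
#------------------------------------------------------------------------------

# Append one [section] for a tunnel to /etc/stunnel.conf.
#
# Arguments:
#   $1 - section name (STUNNEL_x_NAME)
#   $2 - local address to accept on (IPv4 address or bare IPv6 address)
#   $3 - first remote address to connect to; a leading '@' (DNS-name marker)
#        is stripped before it is written
#   $4 - optional second remote address (the other address family of $3);
#        written only when present and different from $3
# Globals read: client incoming_port outgoing_addr delay_dns cert_file
#               cert_ca_file cert_verify outgoing_remote_port
#
# NOTE: the call sites pass the remote addresses UNQUOTED on purpose: an empty
# IPv4 or IPv6 address then collapses and the remaining one shifts into $3.
# Quoting them would produce a bogus "connect=:port" line.
stunnel_write_conf_entry()
{
    cat <<EOF >>/etc/stunnel.conf
[$1]
client=$client
accept=$2:$incoming_port
${outgoing_addr:+local=$outgoing_addr}
delay=${delay_dns:-no}
$cert_file
$cert_ca_file
$cert_verify
EOF
    shift 2
    echo "connect=${1#@}:$outgoing_remote_port" >>/etc/stunnel.conf
    if [ -n "$2" ] && [ "$1" != "$2" ]
    then
        echo "connect=${2#@}:$outgoing_remote_port" >>/etc/stunnel.conf
    fi
}

case $OPT_STUNNEL in
yes)
    begin_script STUNNEL "starting stunnel daemon..."

    # PID directory. stunnel drops to nobody/nogroup (see the global section
    # below) and must be able to remove its pid file on exit, hence the chown.
    # NOTE(review): a pid file in a directory writable by an unprivileged
    # account can be rewritten by anything running as 'nobody'; a stop/restart
    # path that signals "$(cat pid)" as root must not trust that pid blindly.
    mkdir -p /var/run/stunnel
    chown nobody /var/run/stunnel

    # stunnel log level: 7 = debug, 4 = warning, anything else is passed through
    case ${STUNNEL_DEBUG:-no} in
    yes) debug="debug=7";;
    no)  debug="debug=4";;
    *)   debug="debug=$STUNNEL_DEBUG";;
    esac

    # global section; one [section] per tunnel is appended by
    # stunnel_write_conf_entry below
    cat <<EOF >/etc/stunnel.conf
$debug
setgid=nogroup
setuid=nobody
foreground=no
pid=/var/run/stunnel/stunnel.pid
socket = a:IPV6_V6ONLY=yes
EOF

    n=0
    for idx in $(seq 1 ${STUNNEL_N:-0})
    do
        # indirect access to STUNNEL_<idx>_*; $idx comes from seq and is
        # therefore numeric, so nothing attacker-controlled reaches eval
        eval name='$STUNNEL_'$idx'_NAME'
        eval client='$STUNNEL_'$idx'_CLIENT'
        eval accept_ipv4='$STUNNEL_'$idx'_ACCEPT_IPV4'
        eval accept_ipv6='$STUNNEL_'$idx'_ACCEPT_IPV6'
        eval accept='$STUNNEL_'$idx'_ACCEPT'
        eval connect='$STUNNEL_'$idx'_CONNECT'
        eval outgoing_ip='$STUNNEL_'$idx'_OUTGOING_IP'
        eval delay_dns='$STUNNEL_'$idx'_DELAY_DNS'
        eval cert_file='$STUNNEL_'$idx'_CERT_FILE'
        eval cert_ca_file='$STUNNEL_'$idx'_CERT_CA_FILE'
        eval cert_verify='$STUNNEL_'$idx'_CERT_VERIFY'

        : ${accept_ipv4:=yes}
        : ${accept_ipv6:=${OPT_IPV6:-no}}

        # local address for incoming connections: strip IPv6 brackets, the
        # port is everything after the last ':'
        incoming_ip=${accept%:*}
        incoming_ip=${incoming_ip#\[}
        incoming_ip=${incoming_ip%\]}
        incoming_port=${accept##*:}

        incoming_ip4=
        incoming_ip6=
        case "$incoming_ip" in
        any)
            # 'any' listens on the wildcard address of each enabled family
            [ "$accept_ipv6" = "yes" ] && incoming_ip6="::"
            [ "$accept_ipv4" = "yes" ] && incoming_ip4="0.0.0.0"
            ;;
        *)
            if [ "$accept_ipv4" = "yes" ] && can_translate_ip_net "$incoming_ip"
            then
                translate_ip_net "$incoming_ip" "STUNNEL_${idx}_ACCEPT" incoming_ip4 || continue
                incoming_ip4=${incoming_ip4%/*}
            elif [ "$accept_ipv6" = "yes" ] && can_translate_ip6_net "$incoming_ip"
            then
                translate_ip6_net "$incoming_ip" "STUNNEL_${idx}_ACCEPT" incoming_ip6 || continue
                incoming_ip6=${incoming_ip6%/*}
            fi
            ;;
        esac

        # without a usable local address no section would be written; do not
        # count the tunnel silently
        if [ -z "$incoming_ip4" ] && [ -z "$incoming_ip6" ]
        then
            log_error "Local address $incoming_ip of tunnel $name could not be translated"
            continue
        fi

        # remote address for outgoing connections: "[v6]:port", "v4:port",
        # "@host:port", or a bare address that reuses the incoming port
        case $connect in
        \[*\]:*)
            outgoing_remote_ip=${connect%:*}
            outgoing_remote_ip=${outgoing_remote_ip#\[}
            outgoing_remote_ip=${outgoing_remote_ip%\]}
            outgoing_remote_port=${connect##*:}
            ;;
        *.*.*.*:*|@*:*)
            outgoing_remote_ip=${connect%:*}
            outgoing_remote_port=${connect##*:}
            ;;
        *)
            outgoing_remote_ip=$connect
            outgoing_remote_port=$incoming_port
            ;;
        esac

        outgoing_remote_ip4=
        outgoing_remote_ip6=
        if can_translate_ip_net "$outgoing_remote_ip"
        then
            translate_ip_net "$outgoing_remote_ip" "STUNNEL_${idx}_CONNECT" outgoing_remote_ip4 || continue
        fi
        if [ "$OPT_IPV6" = "yes" ] && can_translate_ip6_net "$outgoing_remote_ip"
        then
            translate_ip6_net "$outgoing_remote_ip" "STUNNEL_${idx}_CONNECT" outgoing_remote_ip6 || continue
        fi
        # '@host' is a DNS name, usable for both address families
        if [ -z "$outgoing_remote_ip4" ] && [ -z "$outgoing_remote_ip6" ] \
            && [ "${outgoing_remote_ip#@}" != "$outgoing_remote_ip" ]
        then
            outgoing_remote_ip4=$outgoing_remote_ip
            outgoing_remote_ip6=$outgoing_remote_ip
        fi

        # local source address for outgoing connections; binding to one
        # address family rules out the remote address of the other family
        outgoing_addr=
        if [ -n "$outgoing_ip" ]
        then
            if can_translate_ip_net "$outgoing_ip"
            then
                translate_ip_net "$outgoing_ip" "STUNNEL_${idx}_OUTGOING_IP" outgoing_addr || continue
                outgoing_remote_ip6=
            elif [ "$OPT_IPV6" = "yes" ] && can_translate_ip6_net "$outgoing_ip"
            then
                translate_ip6_net "$outgoing_ip" "STUNNEL_${idx}_OUTGOING_IP" outgoing_addr || continue
                outgoing_remote_ip4=
            else
                log_error "Outgoing address $outgoing_ip could not be translated"
                continue
            fi
        fi

        if [ -z "$outgoing_remote_ip4" ] && [ -z "$outgoing_remote_ip6" ]
        then
            log_error "Remote address $outgoing_remote_ip could not be translated or it does not match the outgoing address $outgoing_ip"
            continue
        fi

        # certificate options
        case $cert_file in
        '') cert_file="";;
        *)  cert_file="cert=/etc/ssl/stunnel/$cert_file";;
        esac
        # without an explicit CA file, verification (if enabled at all) trusts
        # every CA in the system store
        case $cert_ca_file in
        '') cert_ca_file="CApath=/etc/ssl/certs";;
        *)  cert_ca_file="CAfile=/etc/ssl/stunnel/$cert_ca_file";;
        esac
        # SECURITY: the default 'none' (verify=0) performs no peer certificate
        # verification, so a client-mode tunnel is open to impersonation of
        # the remote end. 'optional' (verify=1) still accepts peers that
        # present no certificate. Use onlyca/onlycert/both for real
        # authentication. Unknown values used to be written verbatim into the
        # config; reject them instead.
        case ${cert_verify:-none} in
        none)     cert_verify="verify=0";;
        optional) cert_verify="verify=1";;
        onlyca)   cert_verify="verify=2";;
        onlycert) cert_verify="verify=4";;
        both)     cert_verify="verify=3";;
        *)
            log_error "STUNNEL_${idx}_CERT_VERIFY='$cert_verify' is not one of none/optional/onlyca/onlycert/both"
            continue
            ;;
        esac

        # write configuration entries (remote addresses intentionally unquoted,
        # see stunnel_write_conf_entry)
        if [ -n "$incoming_ip4" ]
        then
            stunnel_write_conf_entry "$name" $incoming_ip4 $outgoing_remote_ip4 $outgoing_remote_ip6
        fi
        if [ -n "$incoming_ip6" ]
        then
            stunnel_write_conf_entry "$name" $incoming_ip6 $outgoing_remote_ip4 $outgoing_remote_ip6
        fi

        # firewall: open exactly the accept port inbound and the remote
        # address/port outbound for this tunnel
        if [ -n "$incoming_ip4" ]
        then
            add_rule filter in-stunnel-ports "prot:tcp $incoming_ip4:$incoming_port ACCEPT"
        fi
        if [ -n "$incoming_ip6" ]
        then
            add_rule6 filter in-stunnel-ports "prot:tcp [$incoming_ip6]:$incoming_port ACCEPT"
        fi
        if [ -n "$outgoing_remote_ip4" ]
        then
            add_rule filter out-stunnel-ports "prot:tcp $outgoing_remote_ip4:$outgoing_remote_port ACCEPT"
        fi
        if [ -n "$outgoing_remote_ip6" ]
        then
            add_rule6 filter out-stunnel-ports "prot:tcp [$outgoing_remote_ip6]:$outgoing_remote_port ACCEPT"
        fi

        n=$((n+1))
    done

    if [ $n -gt 0 ]
    then
        # a config error (e.g. missing certificate) would otherwise go unnoticed
        stunnel /etc/stunnel.conf || log_error "stunnel failed to start"
    else
        log_error "No tunnels created, stunnel not started"
    fi

    end_script
    ;;
esac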