J'essaye de créer un service systemd lançant un script bash. Cependant, à l'issue de l'installation, lors du lancement du service, le script ne semble pas avoir été exécuté. Pourriez-vous me donner un coup de main svp ?
Ci-dessous les étapes de la démarche
1 - Script à lancer au démarrage
J'ai repris et modifié un script existant, nommé firewall.sh, destiné à appliquer des règles iptables. Le script fonctionne correctement : lorsque le script est lancé avec le paramètre "start", il applique bien les règles voulues (visibles avec iptables -L). De même, si le script est lancé avec "stop", les règles par défaut sont appliquées.
#! /bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Example initscript
# Description: firewall set up
# placed in /etc/init.d.
### END INIT INFO
# Author: Foo Bar <mapomme@>
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Setting up the system firewall"
NAME=firewall.sh
#~ DAEMON=/usr/sbin/$NAME
#~ DAEMON_ARGS="--options args"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
#~ [ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
#~ [ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
#~ . /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
#~ . /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
start()
{
#~ # Return
#~ # 0 if daemon has been started
#~ # 1 if daemon was already running
#~ # 2 if daemon could not be started
#~ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
#~ || return 1
#~ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
#~ $DAEMON_ARGS \
#~ || return 2
#~ # Add code here, if necessary, that waits for the process to be ready
#~ # to handle requests from services started subsequently which depend
#~ # on this one. As a last resort, sleep for some time.
### Flush puis purge des anciennes règles ###
iptables -F
iptables -X
### Politique par défaut => Tout est refusé ###
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# DNS
iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# HTTP
iptables -A INPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# TOR (+ autorisations sur localhost, cf fin du fichier)
iptables -A INPUT -p tcp -m tcp --sport 9001 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 9001 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# FTP
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NTP
iptables -A OUTPUT -p tcp -m tcp --dport 3596 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 3596 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# DCH Client
iptables -A OUTPUT -p tcp -m tcp --dport 5209 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 5209 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#ICMP depuis le réseau local
iptables -A OUTPUT -d 192.168.0.0/24 -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
#Autoriser le traffic sur localhost notamment pour TOR
iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
}
#
# Function that stops the daemon/service
#
stop()
{
#~ # Return
#~ # 0 if daemon has been stopped
#~ # 1 if daemon was already stopped
#~ # 2 if daemon could not be stopped
#~ # other if a failure occurred
#~ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
#~ RETVAL="$?"
#~ [ "$RETVAL" = 2 ] && return 2
#~ # Wait for children to finish too if this is a daemon that forks
#~ # and if the daemon is only ever run from this initscript.
#~ # If the above conditions are not satisfied then add some other code
#~ # that waits for the process to drop all resources that could be
#~ # needed by services started subsequently. A last resort is to
#~ # sleep for some time.
#~ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
#~ [ "$?" = 2 ] && return 2
#~ # Many daemons don't delete their pidfiles when they exit.
#~ rm -f $PIDFILE
#~ return "$RETVAL"
### Flush puis purge des anciennes règles ###
iptables -F
iptables -X
### Politique par défaut => Tout est accepté ###
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}
#
# Function that sends a SIGHUP to the daemon/service
#
reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
reload|force-reload|restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
stop
case "$?" in
0|1)
start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
if test "$2" = "-v"; then
echo "Firewall activé"
echo "Appuyez sur une touche pour continuer"
read touche
fi
:
J'ai copié le script dans /usr/lib/systemd/
2 - Création du service
J'ai créé ensuite un service, nommé "firewall.sh", avec des options qui me paraissent adaptées à mon cas, notamment "Type=oneshot", comme préconisé dans la page du wiki consacrée à systemd (https://wiki.archlinux.org/index.php/Systemd)
[Unit]
Description=Firewall Rules
[Service]
Type=oneshot
ExecStart=/usr/lib/systemd/scripts/firewall.sh start
ExecStop=/usr/lib/systemd/scripts/firewall.sh stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
J'ajoute le service aux services lancés au démarrage avec
systemctl enable firewall
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Quelqu'un aurait une idée svp ?