Shorewall restart on PPP link change

I’ve found great joy running a Shorewall firewall on a Linux box, but I came across the problem that when the PPP interface for an ADSL, WiMAX or VPN link goes up or down, Shorewall needs to be restarted to take the new IP address assignments into account. To solve this problem I’ve written a few scripts to make it all work nicely for South African users.

Firstly put the following two scripts in the /usr/bin directory (or any directory of your choice):

/usr/bin/shorewall-flag-restart.sh (chmod u+x):

#!/bin/bash
set -e
set -u
RESTART_NEEDED=/var/lib/shorewall/shorewall-restartneeded
# With noclobber the redirection fails (and set -e exits) if the flag
# already exists, so concurrent ip-up/ip-down runs cannot clobber it.
set -o noclobber
if [ ! -r $RESTART_NEEDED ]; then
    date > $RESTART_NEEDED 2>&1
fi

/usr/bin/shorewall-check-restart.sh (chmod u+x):

#!/bin/bash

set -e
set -u

RESTART_NEEDED=/var/lib/shorewall/shorewall-restartneeded
RESTARTING=/var/lib/shorewall/shorewall-restarting
RESTARTED=/var/lib/shorewall/shorewall-restarted

# The restart needed flag is put in place by the ip up/down scripts.  If
# it doesn’t exist or is older than the shorewall restart flag file, we
# don’t need to do anything.
if [ ! -r $RESTART_NEEDED ]; then
    exit 0
fi
if [ -r $RESTARTING ]; then
    exit 0
fi
if [ $RESTARTED -nt $RESTART_NEEDED ]; then
    rm -f $RESTART_NEEDED
    exit 0
fi

# Make a mutex - should exit the script if this file already exists,
# due to the combination of the set -e and noclobber options.
set -o noclobber
echo "$$: `date`" >$RESTARTING

## We only remove the $RESTART_NEEDED if the restart succeeds.
#if /sbin/shorewall restart >/dev/null 2>&1; then
#    rm -f $RESTARTING
#    rm -f $RESTART_NEEDED
#else
#    rm -f $RESTARTING
#fi

# Remove the $RESTART_NEEDED and replace if failure.
rm -f $RESTART_NEEDED
if /sbin/shorewall restart >/dev/null 2>&1; then
    rm -f $RESTARTING
else
    rm -f $RESTARTING
    # Re-flag so the next cron run retries, unless an ip-up/ip-down event
    # already recreated the flag while we were restarting (with noclobber
    # in effect, writing to an existing flag would abort the script).
    if [ ! -r $RESTART_NEEDED ]; then
        echo "$$: `date`" >$RESTART_NEEDED
    fi
fi

Then symlink the shorewall-flag-restart.sh script into the /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ directories so that the firewall gets restarted when a PPP interface goes up or down:

ln -s /usr/bin/shorewall-flag-restart.sh /etc/ppp/ip-up.d/shorewall-flag-restart
ln -s /usr/bin/shorewall-flag-restart.sh /etc/ppp/ip-down.d/shorewall-flag-restart

Then schedule cron to check for the restart flag every minute:

/etc/cron.d/shorewall-restart:

MAILTO=root
*/1 * * * * root  [ -x /usr/bin/shorewall-check-restart.sh ] && /usr/bin/shorewall-check-restart.sh >/dev/null
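The flag-and-mutex protocol of the two scripts above, as an added example that is not part of the original post: the check-and-restart logic is wrapped in a function that takes the state directory and the restart command as parameters so it can be exercised with a harmless command instead of /sbin/shorewall. Two things here are additions over the original: the lock file records $$ as the original does, and that PID is used to discard a lock left behind by a run that died mid-restart, and the shorewall-restarted timestamp is written on success, since the original compares against it but never creates it.

```shell
#!/bin/bash
# Added example: sw_check_restart DIR CMD [ARGS...] mirrors
# shorewall-check-restart.sh with the state directory and the restart
# command as parameters. Flag file names are those from the original scripts.
set -u

sw_check_restart() {
    local dir=$1; shift                 # state directory, e.g. /var/lib/shorewall
    local needed=$dir/shorewall-restartneeded
    local restarting=$dir/shorewall-restarting
    local restarted=$dir/shorewall-restarted

    [ -r "$needed" ] || return 0        # no link event flagged a restart
    if [ -r "$restarting" ]; then
        # The lock holds "<pid>: <date>"; a live holder means another run is
        # busy, a dead one means a stale lock that would block restarts forever.
        local pid
        pid=$(sed -n 's/^\([0-9]*\):.*/\1/p' "$restarting")
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            return 0
        fi
        rm -f "$restarting"
    fi
    if [ -r "$restarted" ] && [ "$restarted" -nt "$needed" ]; then
        rm -f "$needed"; return 0       # a restart already happened since the flag
    fi

    # Mutex via noclobber: the redirection fails if another run won the race.
    ( set -o noclobber; echo "$$: $(date)" > "$restarting" ) 2>/dev/null || return 0

    rm -f "$needed"
    if "$@" >/dev/null 2>&1; then
        date > "$restarted"             # record the successful restart time
        rm -f "$restarting"
        return 0
    fi
    rm -f "$restarting"
    # Restart failed: re-flag so the next cron run retries, unless a link event
    # already re-created the flag while we were running.
    [ -r "$needed" ] || echo "$$: $(date)" > "$needed"
    return 1
}
```

Run it from cron as `sw_check_restart /var/lib/shorewall /sbin/shorewall restart` after sourcing the file; the function returns 1 when the restart command failed so the cron mail shows it.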

These scripts were developed and tested on a Debian system. If anyone has any improvements or recommendations I’d appreciate hearing from you.

Linux running under Virtual Server 2005

Recently we decided to put up a virtual Linux server in one of our hosting environments. The host machine is a Windows Server 2003 x64 edition running Virtual Server 2005 R2 x64 SP1. We chose to install CentOS 5.1, which is a community Linux distribution based on Red Hat Enterprise Linux (RHEL).

The installation went perfectly fine, but I noticed that the system time was going way too fast. So the first thing I did was configure ntpd to synchronise the system time with an NTP time source. Unfortunately, after about 12 hours the time was still about 40 minutes out; obviously traditional time synchronisation was not going to cut it. After a bit of searching I found this knowledge base article on the Linux kernel 2.6 clock source. I set the kernel option clock=pit, which configures the Linux kernel to use the programmable interrupt timer, only to find that now the clock was too slow. Could it get any worse!

Then I recalled that Microsoft had been working on virtual machine additions for Linux and that one of the features was time synchronisation. Unfortunately they only officially support Red Hat and SuSE Linux so I took a long-shot and installed them anyway. I had to manually force install the RHEL RPM but it worked and now the time is perfectly synchronised with the host server – which of course is already NTP synchronised to the hosting environment’s NTP server.
