reverseproxy_ssh_setup
1.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/bin/sh
set -e
set -x
port="$1"
reverseproxy_external="$2"
reverseproxy_ip="$3"
integration_ip="$4"
# switch SSH to port $port
sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config
# Install SELinux
yum install -y selinux-policy policycoreutils-python
# Tell SELinux to allow the new port
if grep -q '/$' /proc/1/cgroup; then
# not in a container
semanage port -a -t ssh_port_t -p tcp "$port"
else
# in container; will fail if host does not have SELinux enabled
if ! semanage port -a -t ssh_port_t -p tcp "$port"; then
echo "I: can't use SELinux, your host probably does not have it enabled"
fi
fi
# Restart SSH
systemctl restart sshd
# Clean iptables before adding our rules
systemctl stop iptables || echo "Iptables server not installed. Does not needed to stop service. Moving on..."
iptables -F
iptables -F -t nat
# Setup port redirect
iptables -t nat -A PREROUTING -d $reverseproxy_external/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination $integration_ip:22
iptables -t nat -A POSTROUTING -d $integration_ip/32 -p tcp -m tcp --dport 22 -j SNAT --to-source $reverseproxy_ip
if grep -q '/$' /proc/1/cgroup; then
# only on non-containers
sysctl -w net.ipv4.ip_forward=1
fi