source /a/bin/log-quiet/logq-function
path_add /a/exe
path_add --ifexists --end /a/opt/adt-bundle*/tools /a/opt/adt-bundle*/platform-tools
-# todo, these need to be renamed to be less generic.
-# sync overrode something else useful
-#path_add $HOME/bin/bash-programs-by-ian/utils
-
+# based on readme.debian. dunno if this will break on other distros.
+_x=/usr/share/wcd/wcd-include.sh
+if [[ -e $_x ]]; then source $_x; fi
###############
#####################
+..() { c ..; }
+...() { c ../..; }
+....() { c ../../..; }
+.....() { c ../../../..; }
+......() { c ../../../../..; }
# file cut copy and paste, like the text buffers :)
/a/opt/android-studio/bin/studio.sh "$@" &r;
}
+b() {
+ # backwards
+ c -
+}
+
bashrcpush () {
local startdir="$PWD"
cd ~
cd "$startdir"
}
+bkrun() {
+ # use -p from interactive shell
+ btrbk-run -p "$@"
+}
+
bfg() { java -jar /a/opt/bfg-1.12.14.jar "$@"; }
btc() {
bitcoin-cli -$(s grep rpcuser= $f) -$(s grep rpcpassword= $f) "$@"
}
+if [[ $RLC_INSIDE_EMACS ]]; then
+ c() { wcd -z 50 -o "$@"; }
+else
+ # lets see what the fancy terminal does from time to time
+ c() { wcd -z 50 "$@"; }
+fi
+
caa() { git commit --amend --no-edit -a; }
calc() { echo "scale=3; $*" | bc -l; }
git commit -m "$*"
}
+cl() {
+ # choose recent directory. cl = cd list
+ c =
+}
+
d() { builtin bg; }
complete -A stopped -P '"%' -S '"' d
done < "$file"
}
+f() {
+ # cd forward
+ c +
+}
fa() {
# find array. make an array of file names found by find into $x
}
feh() {
+ # F = fullscren, z = random, Z = auto zoom
command feh -FzZ "$@"
}
}
jtail() {
- journalctl -n 10000 -f "$@" | grep -Evi "^(\S+\s+){4}(sudo|ovpn|sshd|cron)"
+ journalctl -n 10000 -f "$@" | grep -Evi "^(\S+\s+){4}(sudo|sshd|cron)"
}
return $ret
}
+testmail() {
+ declare -gi _seq; _seq+=1
+ echo "test body" | m mail -s "test mail from $HOSTNAME, $_seq" "${1:-root@localhost}"
+}
+
tm() {
# timer in minutes
(sleep $(calc "$@ * 60") && mpv --volume 50 /a/bin/data/alarm.mp3 --loop=no) > /dev/null 2>&1 &
fi
}
-psnsvpn() {
+psvpn() {
# show all processes in the vpn network namespace.
# blank entries appear to be subprocesses/threads of transmission daemon
ps -w | head -n 1
done
}
+m() { printf "%s\n" "$*"; "$@"; }
+
+vpnbash() {
+ m s nsenter -t $(pgrep openvpn) -n -m bash
+}
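Review bot: `nsenter -t $(pgrep openvpn)` in vpnbash misbehaves whenever pgrep returns zero or more than one PID: with no openvpn running the command becomes `nsenter -t -n -m bash`, and with two matches (a stale daemon next to a fresh one, or any process whose name merely contains `openvpn`) the second PID is passed to nsenter as a stray argument and you may end up in the wrong namespace. Since you are entering a namespace as root to get a shell, failing loudly is the safer default: `local pid; pid=$(pgrep -o -x openvpn) || { echo "vpnbash: no running openvpn" >&2; return 1; }` followed by `m s nsenter -t "$pid" -n -m bash`. netnsvpn below also writes the daemon's PID to `/run/openvpn/client.pid`, which would be an even more precise source than a name match.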
+
netnsvpn() {
+ # todo, make a function to kill all processes in the network namespace.
+
# manually run vpn so it stays within a network namespace,
# until I get it all wired up with systemd.
- newns vpn start
+ if ! s ip netns list | awk '{print $1}' | grep -Fx vpn &>/dev/null; then
+ newns vpn start || return 1
+ fi
+
+ s iptables-restore <<'EOF'
+# some traffic leaked, so I recreated the rules here being
+# a little more specific. We could also do the reverse rules
+# for input, but meh.
+# todo: try out rules for process owner. reject all
+# packes by transmission-daemon, which are not from brvpn
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+# -i = interface
+# -d = destination
+# -p = protocol
+# -m = (match, aka extended match module), enabling the next rule
+-A FORWARD -i brvpn -d 192.168.1.1 -p udp -m udp --dport 53 -j ACCEPT
+-A FORWARD -i brvpn -d 192.168.1.1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A FORWARD -i brvpn -d 192.168.1.0/24 -p tcp -m tcp --dport 9091 -j ACCEPT
+-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
+-A FORWARD -i brvpn -j REJECT
+# prevent transmission daemon from doing anything outside it's
+# network namespace.
+-A OUTPUT -m owner --uid-owner debian-transmission -j REJECT
+COMMIT
+EOF
+ local pid
pid=$(< /run/openvpn/client.pid)
- vpn_on=false
+ local vpn_on=false
if [[ $pid ]]; then
if [[ -e /proc/$pid ]]; then
vpn_on=true
s rm -f /run/openvpn/client.pid
fi
fi
- $vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --config /etc/openvpn/client.conf --cd /etc/openvpn --writepid /run/openvpn/client.pid
+ # for testing of disabled firewall rules, run this:
+ #s ip netns exec vpn iptables -P OUTPUT ACCEPT
+ s ip netns exec vpn iptables-restore <<'EOF'
+# format from iptables-save. [0:0] are comments of packet-count/byte-count
+# which I removed
+*filter
+:INPUT DROP
+:FORWARD ACCEPT
+:OUTPUT DROP
+# from ip route, we can deduce that traffic goes to the
+# local 10.8.0.x tun0, then to the normal interface.
+# For the normal interface, we allow only some ports:
+# dns, vpn, transmission-remote.
+# dns is only used to resolve the vpn server ip on initial
+# connection.
+# rules are mirror on input and output, just for extra safety,
+# although just having output should do fine.
+
+# We could also firewall from outside the nat, for example like this,
+# but I'm thinking this is simpler.
+#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
+#-A FORWARD -i brvpn -j REJECT
+
+# help prevent dns leaks, openvpn runs as root
+-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
+
+# 1195 is used for the secondary vpn server
+-A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
+-A INPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
+
+-A OUTPUT -o tun0 -j ACCEPT
+-A INPUT -i tun0 -j ACCEPT
+COMMIT
+EOF
+ $vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid
}
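Review bot: The namespace ruleset loaded by the inner `s ip netns exec vpn iptables-restore` has no status check and, as far as I can tell, cannot load at all: the owner match (`-m owner`) is only valid in the OUTPUT and POSTROUTING chains, so the two `-A INPUT ... --dport 53 -m owner --uid-owner root` lines make the kernel reject the whole table, after which `$vpn_on || s ip netns exec vpn /usr/sbin/openvpn ...` starts the tunnel in a namespace whose policies are still the default ACCEPT — the opposite of a kill switch (please verify on the target kernel; the host-side restore's status is equally unchecked). Even if they loaded, those INPUT rules match the wrong direction (DNS replies arrive with source port 53, not destination 53), so the INPUT side is better expressed as loopback plus one conntrack rule, as sketched below, which also lets the unowned `-A INPUT -p udp --dport 1194:1195` line go; the outbound `--dport 1194:1195` rule should get `-m owner --uid-owner root` like the DNS rules, because as written any process in the namespace (transmission included) can send UDP to any host on those ports outside the tunnel. Separately, `--status /run/openvpn/%i.status 10` looks copied from a systemd unit — openvpn does not expand `%i` and will write a file literally named `%i.status`, so use `client.status` to match `client.pid`. The host-side `s iptables-restore` (no `--noflush`) also replaces the entire host `filter` table, wiping any unrelated host rules; either pass `-n`/`--noflush` or add a comment stating that a full replace is intended.
```shell
    # abort if the kill-switch rules do not load; otherwise openvpn would be
    # started into a namespace whose policies are still ACCEPT
    s ip netns exec vpn iptables-restore <<'EOF' || { echo "netnsvpn: namespace iptables-restore failed" >&2; return 1; }
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to permitted outbound traffic; xt_owner only exists for
# OUTPUT/POSTROUTING, so the INPUT side cannot be keyed on uid
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... unchanged: OUTPUT dns rules (root only), 9091 rules ...
# only openvpn (root) may reach the tunnel ports directly
-A OUTPUT -p udp -m udp --dport 1194:1195 -m owner --uid-owner root -j ACCEPT
# ... unchanged: tun0 rules, COMMIT, EOF ...
    $vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid
```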
+
vc() {
[[ $1 ]] || { e "$0: error, expected cmd to run"; return 1; }
gksudo -- ip netns exec vpn gksudo -u ${SUDO_USER:-$USER} "$@"
}
+trg() { transmission-remote-gtk&r; }
-transmission() {
- netnsvpn
- vc transmission-gtk&
- i=0
- while true; do
- if ((i > 10)); then
- echo "$0: error: vpn tun0 didn't show up"
- return 1
- fi
- tun_ip=$(s ip netns exec vpn ip a show dev tun0 | sed -rn 's/^ *inet (10\.8\.\S+).*/\1/p')
- [[ ! $tun_ip ]] || break
- sleep 1
- i=$((i + 1))
- done
- echo "$0: tun_ip=$tun_ip"
- [[ $tun_ip ]] || { e "$0: error: no tun0 addr found"; return 1; }
- ssh dopub bash <<EOF
-set -e
-rule="-A PREROUTING -i eth0 -p tcp -m tcp --dport 63324 -j DNAT --to-destination $tun_ip:63324"
-found=false
-while read -r line; do
- if [[ \$line == \$rule ]] && ! \$found; then
- found=true
- else
- iptables -t nat -D \${line#-A}
- fi
-done < <(iptables -t nat -S | grep -E -- '--dport\s+63324')
-\$found || iptables -t nat \$rule
-EOF
-}
+# transmission() {
+# local pid=$(cat /var/lib/transmission-daemon/transmission-daemon.pid)
+# if [[ $pid && -e /proc/$pid ]]; then
+# echo "noop. already running."
+# return
+# fi
+
+# local NAME=transmission-daemon
+# local DAEMON=/usr/bin/$NAME
+# local duser=debian-transmission
+
+# [ -e /etc/default/$NAME ] && . /etc/default/$NAME
+# s ip netns exec vpn sudo -u $duser ionice -c 3 nice -n 19 $DAEMON $OPTIONS
+# }
virshrm() {
for x in "$@"; do virsh destroy "$x"; virsh undefine "$x"; done
if [[ $- == *i* ]]; then
# commands to run when bash exits normally
- trap "hl; _smh" EXIT
+ trap "hl" EXIT
fi