From 5d19acb9207898def9326e1a006766e908cfc7f1 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Tue, 10 Jan 2017 08:18:15 -0800
Subject: [PATCH] finish wip
---
 .bashrc | 117 +++++--------------------------------------------------
 1 file changed, 9 insertions(+), 108 deletions(-)
diff --git a/.bashrc b/.bashrc
index 428cc6d..00198c0 100644
--- a/.bashrc
+++ b/.bashrc
@@ -1254,11 +1254,13 @@ tx() { # toggle set -x, and the prompt so it doesn't spam
 fi
 }
-psvpn() {
- # show all processes in the vpn network namespace.
- # blank entries appear to be subprocesses/threads of transmission daemon
+psnetns() {
+ # show all processes in the network namespace $1.
+ # blank entries appear to be subprocesses/threads
+ local x netns
+ netns=$1
 ps -w | head -n 1
- s find -L /proc/[1-9]*/task/*/ns/net -samefile /run/netns/vpn | cut -d/ -f5 | \
+ s find -L /proc/[1-9]*/task/*/ns/net -samefile /run/netns/$netns | cut -d/ -f5 | \
 while read l; do x=$(ps -w --no-headers -p $l); if [[ $x ]]; then echo "$x"; else echo $l; fi; 
@@ -1269,110 +1271,9 @@ m() { printf "%s\n" "$*"; "$@"; }
 vpnbash() {
 m s nsenter -t $(pgrep openvpn) -n -m bash
-}
-
-netnsvpn() {
- # todo, make a function to kill all processes in the network namespace.
-
- # manually run vpn so it stays within a network namespace,
- # until I get it all wired up with systemd.
- if ! s ip netns list | awk '{print $1}' | grep -Fx vpn &>/dev/null; then
- newns vpn start || return 1
- fi
-
- s iptables-restore <<'EOF'
-# some traffic leaked, so I recreated the rules here being
-# a little more specific. We could also do the reverse rules
-# for input, but meh.
-# todo: try out rules for process owner. reject all
-# packes by transmission-daemon, which are not from brvpn
-*filter
-:INPUT ACCEPT
-:FORWARD ACCEPT
-:OUTPUT ACCEPT
-# -i = interface
-# -d = destination
-# -p = protocol
-# -m = (match, aka extended match module), enabling the next rule
--A FORWARD -i brvpn -d 192.168.1.1 -p udp -m udp --dport 53 -j ACCEPT
--A FORWARD -i brvpn -d 192.168.1.1 -p tcp -m tcp --dport 53 -j ACCEPT
--A FORWARD -i brvpn -d 192.168.1.0/24 -p tcp -m tcp --dport 9091 -j ACCEPT
--A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
--A FORWARD -i brvpn -j REJECT
-# prevent transmission daemon from doing anything outside it's
-# network namespace.
--A OUTPUT -m owner --uid-owner debian-transmission -j REJECT
-COMMIT
-EOF
- local pid
- pid=$(< /run/openvpn/client.pid)
- local vpn_on=false
- if [[ $pid ]]; then
- if [[ -e /proc/$pid ]]; then
- vpn_on=true
- else
- vpn_on=false
- s rm -f /run/openvpn/client.pid
- fi
- fi
- # for testing of disabled firewall rules, run this:
- #s ip netns exec vpn iptables -P OUTPUT ACCEPT
- s ip netns exec vpn iptables-restore <<'EOF'
-# format from iptables-save. [0:0] are comments of packet-count/byte-count
-# which I removed
-*filter
-:INPUT DROP
-:FORWARD ACCEPT
-:OUTPUT DROP
-# from ip route, we can deduce that traffic goes to the
-# local 10.8.0.x tun0, then to the normal interface. 
-# For the normal interface, we allow only some ports:
-# dns, vpn, transmission-remote.
-# dns is only used to resolve the vpn server ip on initial
-# connection.
-# rules are mirror on input and output, just for extra safety,
-# although just having output should do fine.
-
-# We could also firewall from outside the nat, for example like this,
-# but I'm thinking this is simpler.
-#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
-#-A FORWARD -i brvpn -j REJECT
-
-# help prevent dns leaks, openvpn runs as root
--A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
--A INPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
-
--A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
--A INPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
-
--A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-
-# 1195 is used for the secondary vpn server
--A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
--A INPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
-
--A OUTPUT -o tun0 -j ACCEPT
--A INPUT -i tun0 -j ACCEPT
-COMMIT
-EOF
- $vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid
-}
-
-
-
-vc() {
- [[ $1 ]] || { e "$0: error, expected cmd to run"; return 1; }
- gksudo -- ip netns exec vpn gksudo -u ${SUDO_USER:-$USER} "$@"
-}
-
-transmission-stop() {
- local pid=$(cat /var/lib/transmission-daemon/transmission-daemon.pid)
- if [[ $pid ]]; then
- sudo kill $pid
- else
- psg transmission-daemon
- fi
+ # note, if we wanted to run a graphical program,
+ # instead of bash, we could use
+ # gksudo -u ${SUDO_USER:-$USER} "$@"
 }
-- 
2.30.2
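Review bot: `m s nsenter -t $(pgrep openvpn) -n -m bash` in vpnbash, now the only way left in this file to enter the vpn namespace, neither quotes nor checks the pgrep result: with no openvpn running nsenter is handed an empty `-t` value, and with more than one match (pgrep's default pattern also hits any process whose name merely contains `openvpn`) the extra PIDs become positional words on the nsenter command line. I would resolve the PID first and fail explicitly: `local pid; pid=$(pgrep -o -x openvpn) || { printf 'openvpn is not running\n' >&2; return 1; }` followed by `m s nsenter -t "$pid" -n -m bash`. The deleted netnsvpn was also what loaded the leak-guard iptables rules (the owner-match REJECT for debian-transmission and the DROP default policies inside the namespace), and nothing on the new side says where that responsibility went; if it moved to systemd units, as the old "wired up with systemd" comment suggests, a one-line comment in vpnbash naming the unit would save the next reader a search. The new comment's `gksudo -u ${SUDO_USER:-$USER} "$@"` is the right idea for dropping privilege, but it is worth saying explicitly that the plain `nsenter … bash` path leaves you in a root shell inside the namespace.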