From 884435684ce4fdbb539156e44ca606d6ab2769ef Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Tue, 10 Jan 2017 08:08:21 -0800
Subject: [PATCH] wip
---
 .bashrc | 179 +++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 139 insertions(+), 40 deletions(-)
diff --git a/.bashrc b/.bashrc
index d63c6bd..428cc6d 100644
--- a/.bashrc
+++ b/.bashrc
@@ -223,10 +223,9 @@ source $(dirname $(readlink -f $BASH_SOURCE))/path_add-function
 source /a/bin/log-quiet/logq-function
 path_add /a/exe
 path_add --ifexists --end /a/opt/adt-bundle*/tools /a/opt/adt-bundle*/platform-tools
-# todo, these need to be renamed to be less generic.
-# sync overrode something else useful
-#path_add $HOME/bin/bash-programs-by-ian/utils
-
+# based on readme.debian. dunno if this will break on other distros.
+_x=/usr/share/wcd/wcd-include.sh
+if [[ -e $_x ]]; then source $_x; fi
 ###############
@@ -268,6 +267,11 @@ unalias ls ll grep &>/dev/null ||:
 #####################
+..() { c ..; }
+...() { c ../..; }
+....() { c ../../..; }
+.....() { c ../../../..; }
+......() { c ../../../../..; }
 # file cut copy and paste, like the text buffers :)
@@ -344,6 +348,11 @@ astudio() { /a/opt/android-studio/bin/studio.sh "$@" &r; }
+b() {
+ # backwards
+ c -
+}
+
 bashrcpush () {
 local startdir="$PWD"
 cd ~
@@ -359,6 +368,11 @@ bashrcpush () {
 cd "$startdir"
 }
+bkrun() {
+ # use -p from interactive shell
+ btrbk-run -p "$@"
+}
+
 bfg() { java -jar /a/opt/bfg-1.12.14.jar "$@"; }
 btc() {
@@ -366,6 +380,13 @@ btc() {
 bitcoin-cli -$(s grep rpcuser= $f) -$(s grep rpcpassword= $f) "$@"
 }
+if [[ $RLC_INSIDE_EMACS ]]; then
+ c() { wcd -z 50 -o "$@"; }
+else
+ # lets see what the fancy terminal does from time to time
+ c() { wcd -z 50 "$@"; }
+fi
+
 caa() { git commit --amend --no-edit -a; }
 calc() { echo "scale=3; $*" | bc -l; }
@@ -433,6 +454,11 @@ cim() {
 git commit -m "$*"
 }
+cl() {
+ # choose recent directory. cl = cd list
+ c =
+}
+
 d() { builtin bg; }
 complete -A stopped -P '"%' -S '"' d
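Review bot: `_x` is left defined in every interactive shell after the include has been sourced; add `unset _x` right after the `fi`. As I understand wcd, that include file is what provides the `wcd` shell function the new `c` helper later in this patch relies on, so the `[[ -e $_x ]]` miss is worth surfacing rather than silently skipping, e.g. an `else` branch printing `wcd-include.sh not found` to stderr. The comment `dunno if this will break on other distros` could state the actual dependency: `# wcd works through a shell function defined by its include script (Debian path below)`.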
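Review bot: Both `c` definitions call `wcd`, which can only change the caller's working directory when the `wcd` shell function from wcd-include.sh is loaded; if that file was absent at startup, the bare binary runs instead and, as far as I can tell, `c`, `b`, `f`, `cl` and the `..` helpers added elsewhere in this patch quietly stop acting as cd replacements. A one-line guard inside `c` makes that visible: `[[ $(type -t wcd) == function ]] || { echo "c: wcd shell function not loaded" >&2; return 1; }`. The comment `lets see what the fancy terminal does from time to time` does not say what the two branches differ in; it should name what `-o` changes for the emacs case, since that is the only difference between them.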
@@ -506,6 +532,10 @@ envload() { # load environment from a previous: export > file
 done < "$file"
 }
+f() {
+ # cd forward
+ c +
+}
 fa() {
 # find array. make an array of file names found by find into $x
@@ -601,6 +631,7 @@ rename-test() {
 }
 feh() {
+ # F = fullscren, z = random, Z = auto zoom
 command feh -FzZ "$@"
 }
@@ -792,7 +823,7 @@ istext() {
 }
 jtail() {
- journalctl -n 10000 -f "$@" | grep -Evi "^(\S+\s+){4}(sudo|ovpn|sshd|cron)"
+ journalctl -n 10000 -f "$@" | grep -Evi "^(\S+\s+){4}(sudo|sshd|cron)"
 }
@@ -1161,6 +1192,11 @@ te() {
 return $ret
 }
+testmail() {
+ declare -gi _seq; _seq+=1
+ echo "test body" | m mail -s "test mail from $HOSTNAME, $_seq" "${1:-root@localhost}"
+}
+
 tm() {
 # timer in minutes
 (sleep $(calc "$@ * 60") && mpv --volume 50 /a/bin/data/alarm.mp3 --loop=no) > /dev/null 2>&1 &
@@ -1218,7 +1254,7 @@ tx() { # toggle set -x, and the prompt so it doesn't spam
 fi
 }
-psnsvpn() {
+psvpn() {
 # show all processes in the vpn network namespace.
 # blank entries appear to be subprocesses/threads of transmission daemon
 ps -w | head -n 1
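Review bot: The new comment in `feh()` has a typo, `fullscren`; write `# F = fullscreen, z = random, Z = auto zoom`. The letters do match feh's -F/--fullscreen, -z/--randomize and -Z/--auto-zoom, so the mapping itself is correct.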
@@ -1229,12 +1265,48 @@ psnsvpn() {
 done
 }
+m() { printf "%s\n" "$*"; "$@"; }
+
+vpnbash() {
+ m s nsenter -t $(pgrep openvpn) -n -m bash
+}
+
 netnsvpn() {
+ # todo, make a function to kill all processes in the network namespace.
+
 # manually run vpn so it stays within a network namespace,
 # until I get it all wired up with systemd.
- newns vpn start
+ if ! s ip netns list | awk '{print $1}' | grep -Fx vpn &>/dev/null; then
+ newns vpn start || return 1
+ fi
+
+ s iptables-restore <<'EOF'
+# some traffic leaked, so I recreated the rules here being
+# a little more specific. We could also do the reverse rules
+# for input, but meh.
+# todo: try out rules for process owner. reject all
+# packes by transmission-daemon, which are not from brvpn
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+# -i = interface
+# -d = destination
+# -p = protocol
+# -m = (match, aka extended match module), enabling the next rule
+-A FORWARD -i brvpn -d 192.168.1.1 -p udp -m udp --dport 53 -j ACCEPT
+-A FORWARD -i brvpn -d 192.168.1.1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A FORWARD -i brvpn -d 192.168.1.0/24 -p tcp -m tcp --dport 9091 -j ACCEPT
+-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
+-A FORWARD -i brvpn -j REJECT
+# prevent transmission daemon from doing anything outside it's
+# network namespace.
+-A OUTPUT -m owner --uid-owner debian-transmission -j REJECT
+COMMIT
+EOF
+
 local pid
 pid=$(< /run/openvpn/client.pid)
-vpn_on=false
+ local vpn_on=false
 if [[ $pid ]]; then
 if [[ -e /proc/$pid ]]; then
 vpn_on=true
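Review bot: `s iptables-restore <<'EOF'` with a `*filter` section and no `--noflush` replaces the host's entire filter table on every `netnsvpn` call, discarding any rules another tool installed and resetting the INPUT/FORWARD/OUTPUT policies to ACCEPT; keeping these rules in dedicated user chains (`:vpn-fwd - [0:0]`, `:vpn-out - [0:0]`) restored with `iptables-restore --noflush`, which flushes and refills only the chains it names, and adding the `-j vpn-fwd`/`-j vpn-out` jumps from FORWARD and OUTPUT once, guarded by `iptables -C`, would confine the change to this function's own rules. The restore's exit status is also ignored, so a rejected ruleset still lets the function go on to start openvpn; `s iptables-restore <<'EOF' || return 1` stops that. In `vpnbash`, `-t $(pgrep openvpn)` breaks as soon as more than one openvpn process exists (the PIDs become separate arguments) or none does (an empty `-t`); since `netnsvpn` already reads the daemon's pid from `/run/openvpn/client.pid`, `-t "$(< /run/openvpn/client.pid)"` selects the right process deterministically. `netnsvpn` continues in the next hunk.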
@@ -1243,10 +1315,52 @@ netnsvpn() {
 s rm -f /run/openvpn/client.pid
 fi
 fi
-$vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --config /etc/openvpn/client.conf --cd /etc/openvpn --writepid /run/openvpn/client.pid
+ # for testing of disabled firewall rules, run this:
+ #s ip netns exec vpn iptables -P OUTPUT ACCEPT
+ s ip netns exec vpn iptables-restore <<'EOF'
+# format from iptables-save. [0:0] are comments of packet-count/byte-count
+# which I removed
+*filter
+:INPUT DROP
+:FORWARD ACCEPT
+:OUTPUT DROP
+# from ip route, we can deduce that traffic goes to the
+# local 10.8.0.x tun0, then to the normal interface.
+# For the normal interface, we allow only some ports:
+# dns, vpn, transmission-remote.
+# dns is only used to resolve the vpn server ip on initial
+# connection.
+# rules are mirror on input and output, just for extra safety,
+# although just having output should do fine.
+
+# We could also firewall from outside the nat, for example like this,
+# but I'm thinking this is simpler.
+#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
+#-A FORWARD -i brvpn -j REJECT
+
+# help prevent dns leaks, openvpn runs as root
+-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
+
+# 1195 is used for the secondary vpn server
+-A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
+-A INPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
+
+-A OUTPUT -o tun0 -j ACCEPT
+-A INPUT -i tun0 -j ACCEPT
+COMMIT
+EOF
+ $vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid
 }
+
 vc() {
 [[ $1 ]] || { e "$0: error, expected cmd to run"; return 1; }
 gksudo -- ip netns exec vpn gksudo -u ${SUDO_USER:-$USER} "$@"
@@ -1262,37 +1376,22 @@ transmission-stop() {
 }
+trg() { transmission-remote-gtk&r; }
-transmission() {
- netnsvpn
- vc transmission-gtk&
- i=0
- while true; do
- if ((i > 10)); then
- echo "$0: error: vpn tun0 didn't show up"
- return 1
- fi
- tun_ip=$(s ip netns exec vpn ip a show dev tun0 | sed -rn 's/^ *inet (10\.8\.\S+).*/\1/p')
- [[ ! $tun_ip ]] || break
- sleep 1
- i=$((i + 1))
- done
- echo "$0: tun_ip=$tun_ip"
- [[ $tun_ip ]] || { e "$0: error: no tun0 addr found"; return 1; }
- ssh dopub bash <
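Review bot: The two `-A INPUT ... -m owner --uid-owner root` lines look invalid — as far as I know the owner match is only accepted in the OUTPUT and POSTROUTING chains — so iptables-restore should reject the whole table, and because its exit status is never checked the function goes on to start openvpn in a namespace whose chains still carry their default ACCEPT policy, i.e. without the leak protection this ruleset is meant to give. Even with those two lines removed, the INPUT "mirror" rules use `--dport` for DNS and 1194:1195 while the replies arrive with those ports as source, so `:INPUT DROP` would cut off DNS answers and the VPN handshake; a single conntrack rule on INPUT covers replies to everything permitted on OUTPUT. Separately, `--status /run/openvpn/%i.status` keeps a literal `%i` here, since that specifier is only expanded inside systemd unit files; a fixed name such as `/run/openvpn/client.status` is what was probably intended. `netnsvpn` starts in the previous hunk; the rewritten restore and openvpn lines, with the restore now guarded, are:
```shell
  s ip netns exec vpn iptables-restore <<'EOF' || return 1
# … unchanged: explanatory comments …
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT DROP
# replies to flows permitted below come back as established traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# help prevent dns leaks, openvpn runs as root
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
# 9091: transmission-remote, served from inside the namespace
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
# 1195 is used for the secondary vpn server
-A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
COMMIT
EOF
  $vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid
```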