INDY-1087: re-organise indy iptables scripts for ease of use. (hyperl…

…edger#523) * INDY-1087: re-organise indy iptables scripts for ease of use. Signed-off-by: Sergey Shilov <[email protected]> * Add setup iptables instruction to start-nodes.md Signed-off-by: Sergey Shilov <[email protected]>
lucianoacsilva · Jan 15, 2018 · b86c430 · b86c430
1 parent e92c731
commit b86c430
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 20 deletions.
diff --git a/build-scripts/ubuntu-1604/postinst_node b/build-scripts/ubuntu-1604/postinst_node
@@ -65,15 +65,13 @@ fi
 echo "NODE_NAME=\$1" > $GENERAL_CONFIG_DIR/indy.env
 echo "NODE_PORT=\$2" >> $GENERAL_CONFIG_DIR/indy.env
 echo "NODE_CLIENT_PORT=\$3" >> $GENERAL_CONFIG_DIR/indy.env
+echo "CLIENT_CONNECTIONS_LIMIT=$CLIENT_CONNECTIONS_LIMIT" >> $GENERAL_CONFIG_DIR/indy.env
 
 if [ -z \$4 ]; then
     init_indy_keys --name \$1
 else
     init_indy_keys --name \$1 --seed \$4
 fi
-
-/usr/local/bin/setup_indy_node_iptables \$3 $CLIENT_CONNECTIONS_LIMIT
-
 EOF
 
 chmod +x /usr/local/bin/init_indy_node

diff --git a/docs/start-nodes.md b/docs/start-nodes.md
@@ -32,20 +32,30 @@ In order to run your own Network, you need to do the following for each Node:
             - The file must be named as `domain_transactions_genesis`
             - The file contains initial NYM transactions (for example, Trustees, Stewards, etc.)
             - File must be located in ```/var/lib/indy/{network_name}``` folder
+    - configure iptables to limit the number of simultaneous clients connections (recommended)
 
 ## Scripts for Initialization
 
 There are a number of scripts which can help in generation of keys and running a test network.
 
 #### Generating keys
 
+###### For deb installation
+The following script should be used to generate both ed25519 and BLS keys for a node named `Alpha` with node port `9701` and client port `9702`
+```
+init_indy_node Alpha 9701 9702 [--seed 111111111111111111111111111Alpha]
+```
+Also this script generates indy-node environment file needed for systemd service config and indy-node iptables setup script.
+
+###### For pip installation
 The following script can generate both ed25519 and BLS keys for a node named `Alpha`
 ```
 init_indy_keys --name Alpha [--seed 111111111111111111111111111Alpha] [--force]
 ```
+
 Note: Seed can be any randomly chosen 32 byte value. It does not have to be in the format 11..<name of the node>
 
-Please not that this script must be called *after* CURRENT_NETWORK is set in config (see above).
+Please note that these scripts must be called *after* CURRENT_NETWORK is set in config (see above).
 
 
 #### Generating keys and test genesis transaction files for a test network
@@ -63,6 +73,27 @@ There is a script that can generate keys and corresponding test genesis files to
  
 We can run the script multiple times for different networks. 
 
+#### Setup iptables (recommended)
+
+###### For deb installation
+To setup the limit of the number of simultaneous clients connections it is enough to run the following script without parameters
+```
+setup_indy_node_iptables
+```
+This script gets client port and recommended connections limit from the indy-node environment file.
+
+NOTE: this script should be called *after* `init_indy_node` script.
+
+###### For pip installation
+The `setup_indy_node_iptables` script can not be used in case of pip installation as indy-node environment file does not exist,
+use the `setup_iptables` script instead (9702 is a client port, 15360 is recommended limit for now)
+```
+setup_iptables 9702 15360
+```
+In fact, the `setup_indy_node_iptables` script is just a wrapper for the `setup_iptables` script.
+
+NOTE: you should be a root to operate with iptables.
+
 #### Running Node
 
 The following script will start a Node process which can communicate with other Nodes and Clients

diff --git a/scripts/setup_indy_node_iptables b/scripts/setup_indy_node_iptables
@@ -1,21 +1,14 @@
 #!/bin/bash
 
-if [ $# -lt 2 ]; then
-    echo ""
-    echo "Usage: $0 client_port connlimit";
-    echo "  client_port - node client port";
-    echo "  connlimit   - clients connections limit";
-    echo ""
-    exit 1;
-fi
+GENERAL_CONFIG_DIR="/etc/indy"
+
+ENVFILE=$GENERAL_CONFIG_DIR/indy.env
 
-# Check whether iptables installed and works
-dpkg -s iptables 2>/dev/null 1>&2 && iptables -L 2>/dev/null 1>&2
-if [ $? -eq 0 ]; then
-    # Add iptables rule to limit the number of simultaneous clients connections
-    iptables -I INPUT -p tcp --syn --dport $1 \\
-        -m connlimit --connlimit-above $2 --connlimit-mask 0 \\
-        -j REJECT --reject-with tcp-reset
+if [ -f $ENVFILE ]; then
+    source $ENVFILE
 else
-    echo "Warning: iptables is not installed or permission denied, clients connections limit is not set."
+    echo "Indy-node environment file does not exist ($ENVFILE), run init_indy_node first."
+    exit 1
 fi
+
+/usr/local/bin/setup_iptables $NODE_CLIENT_PORT $CLIENT_CONNECTIONS_LIMIT
diff --git a/scripts/setup_iptables b/scripts/setup_iptables
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ $# -lt 2 ]; then
+    echo ""
+    echo "Usage: $0 client_port connlimit";
+    echo "  client_port - node client port";
+    echo "  connlimit   - clients connections limit";
+    echo ""
+    exit 1;
+fi
+
+# Check whether iptables installed and works
+dpkg -s iptables 2>/dev/null 1>&2 && iptables -L 2>/dev/null 1>&2
+if [ $? -eq 0 ]; then
+    # Add iptables rule to limit the number of simultaneous clients connections
+    iptables -I INPUT -p tcp --syn --dport $1 \\
+        -m connlimit --connlimit-above $2 --connlimit-mask 0 \\
+        -j REJECT --reject-with tcp-reset
+else
+    echo "Warning: iptables is not installed or permission denied, clients connections limit is not set."
+fi
diff --git a/setup.py b/setup.py
@@ -95,5 +95,6 @@
              'scripts/enable_bls',
              'scripts/create_dirs.sh',
              'scripts/indy_old_cli_export_dids',
+             'scripts/setup_iptables',
              'scripts/setup_indy_node_iptables']
 )