Jon's questions

我正在将各种服务器的备份自动化到一个中心点，然后将这些配置更改推送到一个 git repo 中，这样我就可以随着时间的推移跟踪任何更改。其余脚本运行良好，我可以通过网络将文件复制/同步到中心点。最后一个脚本是获取要放入/更新存储库的配置文件。脚本如下：

#!/bin/bash
clear

SERVERNAME="betty"
SCRIPTDIR="/home/jon"
GITROOT="/tmp/git"
TEMPROOT="/tmp/backups"
BACKUPROOTDIR="/mnt/backups"

echo "  - running as user: $UID"

echo "backingup git config on $SERVERNAME"
echo ""

# check to see if root backup folder exists, otherwise create it.
if [ -d $GITROOT ]; then
    rm -rf $GITROOT
fi
mkdir $GITROOT

cd $GITROOT

echo "  - testing if home is where I think it should be!"
echo $HOME
echo "  - testing if it can see netrc"
tail $HOME/.netrc


git clone http://192.168.10.97:8000/repositories/HOH-config-backups.git
cd HOH-config-backups

echo "  - copy Configuration Folders across"
cp -r $BACKUPROOTDIR/Configuration/* $GITROOT/HOH-config-backups/
cp -r $BACKUPROOTDIR/scripts $GITROOT/HOH-config-backups/

git add .
git commit -a -m "committing any new configuration changes!"
git push origin master

echo ""
echo "Git repo updated"

echo ""
echo "  - backing up this script"
FIREWIGSCRIPTLOC="$BACKUPROOTDIR/scripts/$SERVERNAME"

if [ ! -d $FIREWIGSCRIPTLOC ]; then
    mkdir $FIREWIGSCRIPTLOC
fi

cp /home/jon/gitConfig.sh  $FIREWIGSCRIPTLOC

git repo 位于使用 Apache 和 HTTP-backend.exe（智能 HTTP 协议）的网络中的另一台机器上。如果我以“jon”身份运行这个脚本，它就可以工作。如果我在 crontab 中运行它，它会失败。git 使用 /home/jon/.netrc 文件进行身份验证：

machine 192.168.10.97
login gitconfig
password 1234579

来自 crontab 的日志是：

TERM environment variable not set.
  - running as user: 1000
backingup git config on betty

  - testing if home is where I think it should be!
/home/jon
  - testing if it can see netrc
machine 192.168.10.97
login gitconfig
password 1234579
got 08de5bc2b27b4940d9412256e76d5e3c3d9dbcdd
walk 08de5bc2b27b4940d9412256e76d5e3c3d9dbcdd
got be880f2d306778a538d592e7a02eb19f416612f7
got bd387e8def9f77aafa798bf53e80d949aba443e8
got 1bc1a59e12775841d4c59d77c63b8a73823138c2
walk bd387e8def9f77aafa798bf53e80d949aba443e8
Getting alternates list for http://192.168.10.97:8000/repositories/HOH-config-backups.git
got 030512237bca72faf211e0e8ec2906164eac34f6
got 9bc2f575240bc1f61ff7d69777ce1a165d06b184
got b8400f7f01429104a9d4786a6bb1a16d293e37c1
got 2403b5bf611010e0b401f776f0e23b09ce744838
got 1a27944c48269ef3608a8f2466e43402d06faac0
got b686f45b7d57af4fa8ca0d528bb85216d6247e19
Getting pack list for http://192.168.10.97:8000/repositories/HOH-config-backups.git
Getting index for pack ae881957c0f0e8c22eb6cc889a22ef78eb4ce6ff
Getting pack ae881957c0f0e8c22eb6cc889a22ef78eb4ce6ff
 which contains ff84d6d48e9326066438d167a10251218d612b3d
walk b686f45b7d57af4fa8ca0d528bb85216d6247e19
got 364e30daec17814073e668f490bb84af891fe1f7
got 23f6497e7f9b80e0d90adad73bd0407a0e5ac6ce
got 9e77c47574b5e23ea669afe0c23ab235e4917ee1
got 6654e0d328a216b3783e98c47206cb2d01b3353d
got 28821ffd437d2689ffb82c6e4b9c3f5372c95c4b
got 8c384a24f645389e4d4b08013c79e9e73a658342
got d203be0123736ee025ce20c081f1489098648dfc
got 1852603bf7709e71417d8ccec02390279d533642
got fb753a26b20b04694419fce8ecdaa8dbec105cf1
got 736028997cd84dd1c135f57e9d246674b9cd0b9d
got 7af836249e20096d0476a548d5be702a071cdd4b
got 240dc39d9db50df63073fc7927b2d002dfa0f54c
got 93abd36e3935a01011eb753b635a1a0e984bf31e
got c6269e28fecf4d8d0d98b9358aecb3acff02df44
got b0aa29432f73e64032682a351d436c24b14078ab
walk 240dc39d9db50df63073fc7927b2d002dfa0f54c
got 58fb66d9f35f8a5e32ff4683309c5f0c2a3a03c5
got 0da2def4de0565483cdbe6b87418ee2beb122e58
got 0f6a86c6f87ed52ad2ed01e5c6edd661d364930c
got 437a93d27b5bb89c739a0564a34a616e832c3ebe
got fe0385abe5c0acd8462268dac330bae00e934f1b
got 24259f8f5c5c9ee974a75fe3d1e07c02e3e20fe9
got d29f624bf1a5eceedaa86c10fee35f62747c7d04
got 0154e4c987132585ea7a92b77d02dba285512d6b

got eda8bf526567c25ee70addb2ad3c3c6aa57eac77
got 9f3d9d7262d66f9fa4f6a13b7c86199953f4bc4e
got 8e20881e19667aa22245d0598646991067455a4d
got abb1123145689b35eb19519952c71253ee45fa98
got dfeff593c79b4156ce2ce1adf043d0e80356488c
got e20c5b48b1d360e0bcf34189e3f3d2bbf23e92cc
got b13eb81cc274780322ecf786372320343926bec9
walk 8de83868b3fac748b0a55eba16c8f668ec852abb
got b5961421bbc42afe7a07cc1c8b615aba26ba74d7
got 2650ba819019df4193b482733e29ca79b29f3f2c
got b3111e1be8103e91803a97a817ed81f28025aca1
got b060be934d709684f5eb5dad3c03932a3589e864
got cf70d2043f081d7a4438e9d5a290a9f986c84060
got 80bf0f1cc836feab86d6935bb7968d8555a8d531
got da318d167920e34bc6573e4fc236249ccbbee316
got d82ac853d387b760149599e6e1ab96403f6ec672
got 0005f691d1f46550fdb4e56025f52e30a5b18cc2
Initialized empty Git repository in /tmp/git/HOH-config-backups/.git/
  - copy Configuration Folders across
Created commit 424df2f: committing any new configuration changes!
 3 files changed, 55 insertions(+), 1 deletions(-)
 create mode 100755 scripts/betty/gitConfig.sh
error: Cannot access URL http://192.168.10.97:8000/repositories/HOH-config-backups.git/, return code 22
error: failed to push some refs to 'http://192.168.10.97:8000/repositories/HOH-config-backups.git'

    Git repo updated

      - backing up this script
    cp: cannot create regular file `/mnt/backups/scripts/betty/gitConfig.sh': Permission denied

我的 crontab 是：

# m h  dom mon dow   command
04 * * * * /home/jon/gitConfig.sh > /tmp/gitconfig.log 2>&1

我通过以下方式打开它：

$crontab -e

即不是根。

了解用户标识：

jon@betty:~$ id
uid=1000(jon) gid=1000(jon)  groups=4(adm),20(dialout),24(cdrom),46(plugdev),109(sambashare),114(lpadmin),115(admin),1000(jon)

这是我的 $HOME/.gitconfig 文件：

[user]
    name = Jon Hawkins
    email = [email protected]

我有一台运行我的防火墙、dhcp 和 dns 的 Ubuntu (10.04) 机器。我刚刚从软件包中安装了 squid 并将其设置为在端口 8888 上运行。在对我的防火墙进行任何更改之前，网页将正常工作，如果我在 firefox 上手动将代理设置为 192.168.10.1:8888 它可以工作。当我尝试将 squid 变成透明代理时，就会出现问题。

我的防火墙如下：

#!/bin/sh

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"

EXTIF="eth1"
INTIF="eth2"

load () {

    $depmod -a

    $modprobe ip_tables
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ip_conntrack_irc
    $modprobe iptable_nat
    $modprobe ip_nat_ftp
    $modprobe ip_conntrack_pptp
    $modprobe ip_nat_pptp

echo "enable forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#  start firewall

    #default policies
    $iptables -P INPUT DROP
    $iptables -F INPUT
    $iptables -P OUTPUT DROP
    $iptables -F OUTPUT
    $iptables -P FORWARD DROP
    $iptables -F FORWARD
    $iptables -t nat -F


echo "  opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo "  allow GRE 47 for VPN"
$iptables -A INPUT -p 47 -j ACCEPT

echo "  allow all connections OUT and ONLY existing related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

echo "  enabling SNAT (MASQUERADE) functionality on $EXTIF - allow LAN internet access"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT

echo "  Allowing packets with ICMP data (pings)"
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT

$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

echo "  port 137 for netBios"
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

#echo "  port 139 for netBios-ssn smb"
#$iptables -A INPUT -i $INTIF -p tcp --dport 139 -j ACCEPT
#$iptables -A OUTPUT -o $INTIF -p tcp --dport 139 -j ACCEPT

echo "  opening port 53 for DNS queries"
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

echo "  opening port 22 for internal ssh"
$iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT

echo "  opening port 80 for webserver"
$iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW -j ACCEPT

echo "  opening port 21 for FTP Server"
$iptables  -A INPUT -p tcp -i $EXTIF --dport 21 -m state --state NEW -j ACCEPT

echo "  opening ssh for web on port 2609 for firewig"
$iptables -A INPUT -p tcp --dport 2609 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 2609 -j ACCEPT

echo "  opening ssh for web on port 22  for WS2008-CI"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 22 -j DNAT  --to 192.168.10.97
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 -j ACCEPT

echo "  opening ssh for web on port 2302  for firewig 2302"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 2302 -j DNAT  --to 192.168.10.96:2302
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT

echo "  opening Apache webserver for HoH"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT

#echo "  opening Hudson"
#$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 81 -j DNAT --to 192.168.10.97:81
#$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 --dport 81 -j ACCEPT

echo "  opening Target Process"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 90 -j DNAT --to 192.168.10.98:90
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.98 --dport 90 -j ACCEPT


#echo "  This is designed to stop brute force attacks"
$iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 6/minute --limit-burst 5 -j ACCEPT

#echo "  setting up squid proxy server"
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888


#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888

#echo "  Diverting port 80 traffic through Squid."
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 8888


#  NOTE THE THREE LINES BELOW ALLOW ACCESS FOR THE VPN CONNECTION...Ry.

$iptables -A INPUT -i $EXTIF -p TCP --dport 1723 -j ACCEPT

$iptables -A INPUT -i ppp+ -j ACCEPT
$iptables -A FORWARD -i ppp+ -o $INTIF -j ACCEPT
$iptables -A FORWARD -i $INTIF -o ppp+ -j ACCEPT
$iptables -A OUTPUT -o ppp+ -j ACCEPT

# ICMP for vpn
$iptables -A INPUT -i ppp+ -p icmp -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p icmp -j ACCEPT


# DNS for vpn
$iptables -A INPUT -i ppp+ -p tcp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p tcp --sport 0:65535 --dport 53 -j ACCEPT
$iptables -A INPUT -i ppp+  -p udp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p udp --sport 0:65535 --dport 53 -j ACCEPT

# forward vpn--->internet
$iptables -A FORWARD -i ppp+ -o $EXTIF -p ALL -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o ppp+ -p ALL -j ACCEPT


#$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "


}
flush() {
    echo "flushing rules...."
    $iptables -P FORWARD ACCEPT
    $iptables -F INPUT
    $iptables -P INPUT ACCEPT
}

case "$1" in

    start|restart)
    flush
    load
    ;;
    stop)
    flush
    ;;
*)
    echo "usage: start|stop|restart."
;;

esac

如果我取消注释 squid 预路由线路，互联网将停止工作。

我不确定我错过了什么。你认为这可能是 Squid 配置的东西吗？