blob: c2fff125acf03627ed80e5cddbe3ac17a92c5d3b (
plain) (
tree)
|
|
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2. Network</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2. Network</h1>
<p>Examples describe a network that will be configured with
two interfaces Ethernet and Wireless. Ethernet interface will
be configured as default route, wireless interface covered here
is simple alternative to Ethernet connection.</p>
<dl>
<dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt>
<dd>Configure Ethernet interface and static or dynamic (dhcp)
connection to the router and add as default gateway.</dd>
<dt><a href="conf/rc.d/wlan">/etc/rc.d/wlan</a></dt>
<dd>Configure Wireless interface, wpa_supplicant and dynamic (dhcp)
connection to router and add as default gateway.</dd>
</dl>
<p>If is first boot after install configure iptables and
one of above described scripts then proceed to upgrade your
system.</p>
<h2 id="iptables">2.1.1. Iptables</h2>
<p>For more information about iptables read
<a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
You can use
<a href="scripts/iptables.sh">iptables script</a>
at boot time and iptables-save and iptables-restore tools to
configure nat and filtering;</p>
<pre>
# mkdir /etc/iptables
# cp c9-doc/core/scripts/iptables.sh /etc/iptables/
</pre>
<p>Adjust iptables to your needs, then;</p>
<pre>
# cd /etc/iptables
# sh iptables.sh
# iptables-save > rules.v4
</pre>
<p>Copy init script, edit if you dont like to
let drop when you call stop.</p>
<pre>
# cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
# vim /etc/rc.d/iptables
# chmod +x /etc/rc.d/iptables
</pre>
<p>Re-configure your rc.conf and add iptables before (w)lan is up;</p>
<pre>
SERVICES=(lo iptables net crond)
</pre>
<p>
<h2 id="resolv">2.1.2. Resolver</h2>
<p>Configure your resolver with a server that don't censorship there for
respect your freedom and privacy. Read
<a href="https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers#PublicDNSServers">Tor Dns Resolver</a>
for more information. This example will use
<a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
server, edit /etc/resolv.conf and make it immutable;</p>
<pre>
# /etc/resolv.conf.head can replace this line
nameserver 213.73.91.35
# /etc/resolv.conf.tail can replace this line
</pre>
<pre>
# chattr +i /etc/resolv.conf
</pre>
<h2 id="static">2.1.3. Static IP</h2>
<pre>
# ip link
# ip addr flush dev ${DEV}
# ip route flush dev ${DEV}
</pre>
<pre>
# ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
# ip link set ${DEV} up
# ip route add default via ${GW}
</pre>
<h2 id="wpa">2.1.4. Wpa and dhcpd</h2>
<p>There is more information on
<a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
see <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>. Manual or first time configuration;</p>
<pre>
# ip link
</pre>
<pre>
# iwlist wlp2s0 scan
</pre>
<pre>
# iwconfig wlp2s0 essid NAME key s:ABCDE12345
</pre>
<h3>2.1.4.1. Wpa Supplicant</h3>
<p>Configure wpa supplicant edit;</p>
<pre>
# vim /etc/wpa_supplicant.conf
</pre>
<pre>
ctrl_interface=/var/run/wpa_supplicant
update_config=1
fast_reauth=1
ap_scan=1
</pre>
<pre>
# wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf
</pre>
<p>Now start wpa_supplicant with:</p>
<pre>
# wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
</pre>
<p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>
init script to auto load wpa configuration and dhcp
client.</p>
<h3>2.1.4.2. Wpa Cli</h3>
<pre>
# wpa_cli
> status
</pre>
<pre>
> add_network
3
</pre>
<pre>
> set_network 3 ssid "Crux-Network"
OK
</pre>
<pre>
> set_network 3 psk "uber-secret-pass"
OK
</pre>
<pre>
> enable_network 3
OK
</pre>
<pre>
> list_networks
</pre>
<pre>
> select_network 3
</pre>
<pre>
> save_config
</pre>
<h2 id="sysctl">2.1.5. Sysctl</h2>
<p>Sysctl references
<a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
<a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
<a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
edit /etc/sysctl.conf;</p>
<pre>
#
# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
#
kernel.printk = 1 4 1 7
# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Tuen IPv6
# net.ipv6.conf.default.router_solicitations = 0
# net.ipv6.conf.default.accept_ra_rtr_pref = 0
# net.ipv6.conf.default.accept_ra_pinfo = 0
# net.ipv6.conf.default.accept_ra_defrtr = 0
# net.ipv6.conf.default.autoconf = 0
# net.ipv6.conf.default.dad_transmits = 0
# net.ipv6.conf.default.max_addresses = 0
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
## sets the kernels reverse path filtering mechanism to value 1(on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv6.conf.default.rp_filter = 1
net.ipv6.conf.all.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
kernel.shmmax = 500000000
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
# End of file
</pre>
<p>Change to act as a router (default of conf/sysctl.conf);</p>
<pre>
# Act as a router, necessary for Access Point
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
</pre>
<p>Load new settings;</p>
<pre>
# sysctl -p
</pre>
<a href="index.html">Core OS Index</a>
<p>
This is part of the c9-doc Manual.
Copyright (C) 2016
Silvino Silva.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>
|