about summary refs log blame commit diff stats
path: root/core/network.html
blob: 39fc9c24d1365c66a23756d0774952778960c519 (plain) (tree)
1
2
3
4
5
6
7
8
9






                                 
                                              
 
                           






                                                                       
                                                              

                                                                         
                                                                







                                                                               




















                                                                                                                                        













                                                                                       
             



                       






                                                            




                                                         


                                        



















                                                                                       

                                              
 


                                                                              





                                                                    
                                                           













                                                     
                                                      



                                     





                                                                              
           

                                              

                                       
                                                                                      
                                                                                                












                                                     
                                        
























                                                                                        
                                                          


                                                           
                                 











                        
                                              

























                                                 
                                          














                                                                                                                                


                                              


















                                                            











                                                                                    




                                                                      

                                                                                          




                                                     


                                                                                                    


                                           
                                       






                                                       
                               


































                                                                                          
                                                                       







                                                     





                                 
                                              
           
                                          
                          
                


                                                                                            

           
<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2. Network</title>
    </head>
    <body>
        <a href="index.html">Core OS Index</a>

        <h1>2. Network</h1>

        <p>Examples describe a network that will be configured with
        two interfaces Ethernet and Wireless. Ethernet interface will
        be configured as default route, wireless interface covered here
        is simple alternative to Ethernet connection.</p>

        <dl>
            <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt>
            <dd>Configure Ethernet interface and static or dynamic (dhcp)
            connection to the router and add as default gateway.</dd>
            <dt><a href="conf/rc.d/wlan">/etc/rc.d/wlan</a></dt>
            <dd>Configure Wireless interface, wpa_supplicant and dynamic (dhcp)
            connection to router and add as default gateway.</dd>
        </dl>

	<p>If is first boot after install configure iptables and
	one of above described scripts then proceed to upgrade your
	system.</p>

        <h2 id="resolv">2.1.1. Resolver</h2>

        <p>Configure your resolver with a server that don't censorship there for
        respect your freedom and privacy. Read
        <a href="https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers#PublicDNSServers">Tor Dns Resolver</a>
        for more information. This example will use
        <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
        server, edit /etc/resolv.conf and make it immutable;</p>

        <pre>
        # /etc/resolv.conf.head can replace this line
        nameserver 213.73.91.35
        # /etc/resolv.conf.tail can replace this line
        </pre>

        <pre>
        # chattr +i /etc/resolv.conf
        </pre>

        <h2 id="static">2.1.2. Static IP</h2>

        <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p>

        <pre>
        Address:   10.0.0.1              00001010.00000000.00000000 .00000001
        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
        =>
        Network:   10.0.0.0/24           00001010.00000000.00000000 .00000000 (Class A)
        Broadcast: 10.0.0.255            00001010.00000000.00000000 .11111111
        HostMin:   10.0.0.1              00001010.00000000.00000000 .00000001
        HostMax:   10.0.0.254            00001010.00000000.00000000 .11111110
        Hosts/Net: 254                   (Private Internet)
        </pre>

        <pre>
        # DEV=enp8s0
        # ADDR=10.0.0.1
        # MASK=24
        # GW=10.0.0.1
        # ip addr flush dev ${DEV}
        # ip route flush dev ${DEV}
        </pre>

        <pre>
        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
        # ip link set ${DEV} up
        </pre>

        <p>Script don't add above network as gateway;</p>

        <pre>
        # ip route add default via ${GW}
        </pre>

        <p>Other IP class used in home setups;</p>

        <pre>
        Address:   192.168.0.1           11000000.10101000.00000000 .00000001
        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
        =>
        Network:   192.168.0.0/24        11000000.10101000.00000000 .00000000 (Class C)
        Broadcast: 192.168.0.255         11000000.10101000.00000000 .11111111
        HostMin:   192.168.0.1           11000000.10101000.00000000 .00000001
        HostMax:   192.168.0.254         11000000.10101000.00000000 .11111110
        Hosts/Net: 254                   (Private Internet)
        </pre>

        <pre>
        # DEV=enp8s0
        # ADDR=192.168.1.1
        # MASK=24
        # GW=192.168.1.254
        </pre>

	<h2 id="iptables">2.1.3. Iptables</h2>

        <p>For more information about iptables read
        <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
        You can use
        <a href="scripts/iptables.sh">iptables script</a>
        at boot time and iptables-save and iptables-restore tools to
        configure nat and filtering;</p>

        <pre>
        # mkdir /etc/iptables
        # cp c9-doc/core/scripts/iptables.sh /etc/iptables/
        </pre>

        <p>Adjust iptables to your needs, then;</p>

        <pre>
        # cd /etc/iptables
        # sh iptables.sh
        # iptables-save > rules.v4
        </pre>

        <p>Copy init script, edit if you dont like to
        let drop when you call stop.</p>

        <pre>
        # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
        # vim /etc/rc.d/iptables
        # chmod +x /etc/rc.d/iptables
        </pre>

        <p>Re-configure your rc.conf and add iptables before (w)lan is up;</p>

        <pre>
        SERVICES=(lo iptables net crond)
        </pre>

        <p>

        <h2 id="wpa">2.1.4. Wpa and dhcpd</h2>

        <p>There is more information on
        <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
        see <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>. Manual or first time configuration;</p>

        <pre>
        # ip link
        </pre>

        <pre>
        # iwlist wlp2s0 scan
        </pre>

        <pre>
        # iwconfig wlp2s0 essid NAME key s:ABCDE12345
        </pre>

        <h3>2.1.4.1. Wpa Supplicant</h3>

        <p>Configure wpa supplicant edit;</p>

        <pre>
        # vim /etc/wpa_supplicant.conf
        </pre>

        <pre>
        ctrl_interface=/var/run/wpa_supplicant
        update_config=1
        fast_reauth=1
        ap_scan=1
        </pre>

        <pre>
        # wpa_passphrase &lt;ssid&gt; &lt;password&gt; &gt;&gt; /etc/wpa_supplicant.conf
        </pre>

        <p>Now start wpa_supplicant with:</p>

        <pre>
        # wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf
        Successfully initialized wpa_supplicant
        </pre>

        <p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>
	init script to auto load wpa configuration and dhcp
        client.</p>

	<h3>2.1.4.2. Wpa Cli</h3>

        <pre>
        # wpa_cli
        &gt; status
        </pre>

        <pre>
        &gt; add_network
        3
        </pre>

        <pre>
        &gt; set_network 3 ssid "Crux-Network"
        OK
        </pre>

        <pre>
        &gt; set_network 3 psk "uber-secret-pass"
        OK
        </pre>

        <pre>
        &gt; enable_network 3
        OK
        </pre>

        <pre>
        &gt; list_networks
        </pre>

        <pre>
        &gt; select_network 3
        </pre>

        <pre>
        &gt; save_config
        </pre>


        <h2 id="sysctl">2.1.5. Sysctl</h2>

        <p>Sysctl references
        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
        edit /etc/sysctl.conf;</p>

        <pre>
        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 1 4 1 7

        # Disable ipv6
        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1
        net.ipv6.conf.lo.disable_ipv6 = 1

        # Tuen IPv6
        # net.ipv6.conf.default.router_solicitations = 0
        # net.ipv6.conf.default.accept_ra_rtr_pref = 0
        # net.ipv6.conf.default.accept_ra_pinfo = 0
        # net.ipv6.conf.default.accept_ra_defrtr = 0
        # net.ipv6.conf.default.autoconf = 0
        # net.ipv6.conf.default.dad_transmits = 0
        # net.ipv6.conf.default.max_addresses = 0

        # Avoid a smurf attack
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # Turn on protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1

        # Turn on syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1

        ## protect against tcp time-wait assassination hazards
        ## drop RST packets for sockets in the time-wait state
        ## (not widely supported outside of linux, but conforms to RFC)
        net.ipv4.tcp_rfc1337 = 1

        ## tcp timestamps
        ## + protect against wrapping sequence numbers (at gigabit speeds)
        ## + round trip time calculation implemented in TCP
        ## - causes extra overhead and allows uptime detection by scanners like nmap
        ## enable @ gigabit speeds
        net.ipv4.tcp_timestamps = 0
        #net.ipv4.tcp_timestamps = 1

        # Turn on and log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1

        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # No source routed packets here
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0

        ## sets the kernels reverse path filtering mechanism to value 1(on)
        ## will do source validation of the packet's recieved from all the interfaces on the machine
        ## protects from attackers that are using ip spoofing methods to do harm
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
        net.ipv6.conf.default.rp_filter = 1
        net.ipv6.conf.all.rp_filter = 1

        # Make sure no one can alter the routing tables
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0

        # Don't act as a router
        net.ipv4.ip_forward = 0
        net.ipv4.conf.all.send_redirects = 0
        net.ipv4.conf.default.send_redirects = 0

        kernel.shmmax = 500000000
        # Turn on execshild
        kernel.exec-shield = 1
        kernel.randomize_va_space = 1

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        # Increase system IP port limits
        net.ipv4.ip_local_port_range = 2000 65000

        # Increase TCP max buffer size setable using setsockopt()
        net.ipv4.tcp_rmem = 4096 87380 8388608
        net.ipv4.tcp_wmem = 4096 87380 8388608

        # Increase Linux auto tuning TCP buffer limits
        # min, default, and max number of bytes to use
        # set max to at least 4MB, or higher if you use very high BDP paths
        # Tcp Windows etc
        net.core.rmem_max = 8388608
        net.core.wmem_max = 8388608
        net.core.netdev_max_backlog = 5000
        net.ipv4.tcp_window_scaling = 1

        # End of file
        </pre>

        <p>Change to act as a router (default of conf/sysctl.conf);</p>

        <pre>
    	# Act as a router, necessary for Access Point
        net.ipv4.ip_forward = 1
        net.ipv4.conf.all.send_redirects = 1
        net.ipv4.conf.default.send_redirects = 1
        </pre>

        <p>Load new settings;</p>

        <pre>
        # sysctl -p
        </pre>

        <a href="index.html">Core OS Index</a>
        <p>
        This is part of the c9-doc Manual.
        Copyright (C) 2016
        c9 team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>