<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2. Network</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2. Network</h1>
<p>Operation of the network can be handle with init scripts;</p>
<dl>
<dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt>
<dd>Configure iptables, start option loads set of rules from
file /etc/iptables/rules_file_name, open option allows everything
to outside and blocks everything from outside, stop will block
and log everything.</dd>
<dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt>
<dd>Configure Ethernet interface with static or dynamic (dhcp)
IP, set default route and add default gateway.</dd>
<dt><a href="conf/rc.d/wlan">/etc/rc.d/wlan</a></dt>
<dd>Configure Wireless interface, launch wpa_supplicant to handle
wireless authenticationand dynamic (dhcp)
connection to router and add as default gateway.</dd>
</dl>
<p>Choose wireless or net as connection to outside world and configure
<a href="conf/rc.conf">/etc/rc.conf</a> to run at startup, example
connecting using wireless interface;</p>
<pre>
#
# /etc/rc.conf: system configuration
#
FONT=default
KEYMAP=dvorak
TIMEZONE="Europe/Lisbon"
HOSTNAME=c9
SYSLOG=sysklogd
SERVICES=(lo iptables wlan crond)
# End of file
</pre>
<p>If is first boot after install configure iptables and one of above
described scripts then proceed to
<a href="package.html#sysup">update system.</a></p>
<h2 id="resolv">2.1.1. Resolver</h2>
<p>This example will use
<a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
server, edit /etc/resolv.conf and make it immutable;</p>
<pre>
# /etc/resolv.conf.head can replace this line
nameserver 213.73.91.35
# /etc/resolv.conf.tail can replace this line
</pre>
<pre>
# chattr +i /etc/resolv.conf
</pre>
<h2 id="static">2.1.2. Static IP</h2>
<p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p>
<pre>
Address: 192.168.0.1 11000000.10101000.00000000 .00000001
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111
=>
Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C)
Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111
HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001
HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110
Hosts/Net: 254 (Private Internet)
</pre>
<p>Other IP class that can used for private network;</p>
<pre>
Address: 10.0.0.1 00001010.00000000.00000000 .00000001
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111
=>
Network: 10.0.0.0/24 00001010.00000000.00000000 .00000000 (Class A)
Broadcast: 10.0.0.255 00001010.00000000.00000000 .11111111
HostMin: 10.0.0.1 00001010.00000000.00000000 .00000001
HostMax: 10.0.0.254 00001010.00000000.00000000 .11111110
Hosts/Net: 254 (Private Internet)
</pre>
<p>Manual configuring like net script;</p>
<pre>
# DEV=enp8s0
# ADDR=192.168.1.9
# MASK=24
# GW=192.168.1.254
</pre>
<pre>
# ip addr flush dev ${DEV}
# ip route flush dev ${DEV}
# ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
# ip link set ${DEV} up
# ip route add default via ${GW}
</pre>
<h2 id="iptables">2.1.3. Iptables</h2>
<p>For more information about iptables read
<a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
You can use
<a href="conf/iptables/rules.v4">/etc/iptables/rules.v4</a>
as template, replace interface by the one facing the router/gateway.
This configuration file is used at boot time by iptables-restore command,
if you use a script or change the rules of running system you can
use iptables-save command to save configuration to a file.</p>
<pre>
# mkdir /etc/iptables
# cp c9-doc/core/conf/iptables/rules.v4 /etc/iptables/
# cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
# chmod +x /etc/rc.d/iptables
</pre>
<p>Adjust rules.v4 to your needs, then;</p>
<pre>
# sh /etc/rc.d/iptables start
</pre>
<p>Copy init script, edit if you dont like to
let drop when you call stop.</p>
<p>Re-configure your rc.conf and add iptables before (w)lan is up;</p>
<pre>
SERVICES=(lo iptables net crond)
</pre>
<p>
<h2 id="wpa">2.1.4. Wpa and dhcpd</h2>
<p>There is more information on
<a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
see <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>. Manual or first time configuration;</p>
<pre>
# ip link
</pre>
<pre>
# iwlist wlp2s0 scan
</pre>
<pre>
# iwconfig wlp2s0 essid NAME key s:ABCDE12345
</pre>
<h3>2.1.4.1. Wpa Supplicant</h3>
<p>Configure wpa supplicant edit;</p>
<pre>
# vim /etc/wpa_supplicant.conf
</pre>
<pre>
ctrl_interface=/var/run/wpa_supplicant
update_config=1
fast_reauth=1
ap_scan=1
</pre>
<pre>
# wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf
</pre>
<p>Now start wpa_supplicant with:</p>
<pre>
# wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
</pre>
<p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>
init script to auto load wpa configuration and dhcp
client.</p>
<h3>2.1.4.2. Wpa Cli</h3>
<pre>
# wpa_cli
> status
</pre>
<pre>
> add_network
3
</pre>
<pre>
> set_network 3 ssid "Crux-Network"
OK
</pre>
<pre>
> set_network 3 psk "uber-secret-pass"
OK
</pre>
<pre>
> enable_network 3
OK
</pre>
<pre>
> list_networks
</pre>
<pre>
> select_network 3
</pre>
<pre>
> save_config
</pre>
<h2 id="sysctl">2.1.5. Sysctl</h2>
<p>Sysctl references
<a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
<a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
<a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
edit /etc/sysctl.conf;</p>
<pre>
#
# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
#
kernel.printk = 1 4 1 7
# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Tuen IPv6
# net.ipv6.conf.default.router_solicitations = 0
# net.ipv6.conf.default.accept_ra_rtr_pref = 0
# net.ipv6.conf.default.accept_ra_pinfo = 0
# net.ipv6.conf.default.accept_ra_defrtr = 0
# net.ipv6.conf.default.autoconf = 0
# net.ipv6.conf.default.dad_transmits = 0
# net.ipv6.conf.default.max_addresses = 0
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
## sets the kernels reverse path filtering mechanism to value 1(on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv6.conf.default.rp_filter = 1
net.ipv6.conf.all.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
kernel.shmmax = 500000000
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
# End of file
</pre>
<p>Change to act as a router (default of conf/sysctl.conf);</p>
<pre>
# Act as a router, necessary for Access Point
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
</pre>
<p>Load new settings;</p>
<pre>
# sysctl -p
</pre>
<a href="index.html">Core OS Index</a>
<p>
This is part of the c9-doc Manual.
Copyright (C) 2016
c9 team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>