author | Silvino Silva <silvino@bk.ru> | 2017-02-08 21:36:43 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2017-02-08 21:36:43 +0000 |
commit | fe8a27dbed462a55c7f5cdfd993664abb07ce997 (patch) | |
tree | 46816b5bad7afd4092f7510dace0ef2104f6d275 /core/conf | |
parent | 4d7fb876df126a17b4e3e80644d54460b6eac3b2 (diff) | |
download | doc-fe8a27dbed462a55c7f5cdfd993664abb07ce997.tar.gz |
core network revision
Diffstat (limited to 'core/conf')
-rw-r--r-- | core/conf/hosts | 18 | ||||
-rw-r--r-- | core/conf/iptables/rules.v4 | 88 | ||||
-rw-r--r-- | core/conf/rc.conf | 2 | ||||
-rwxr-xr-x | core/conf/rc.d/net | 7 | ||||
-rwxr-xr-x | core/conf/rc.d/wlan | 67 |
5 files changed, 93 insertions, 89 deletions
diff --git a/core/conf/hosts b/core/conf/hosts
index 449949b..4069af5 100644
--- a/core/conf/hosts
+++ b/core/conf/hosts
@@ -3,25 +3,11 @@
 #
 # IPv4 LocalHosts
 127.0.0.1 localhost.localdomain localhost
-127.0.0.1 c9.core c9
-
-127.0.0.1 wiki.localhost
-127.0.0.1 git.localhost
-127.0.0.1 doc.localhost
-127.0.0.1 ports.localhost
-
-# IPv4 Intranet
-#<ip-address> <hostname.domain.org> <aliases>
-
-10.0.0.254 c9.core
-10.0.0.254 wiki.c9.core
-10.0.0.254 git.c9.core
-10.0.0.254 doc.c9.core
-10.0.0.254 ports.c9.core
+127.0.0.1 c9.core c9
 # IPv4 Internet
 #<ip-address> <hostname.domain.org> <aliases>
-10.0.0.254 core.privat-network.net
+10.0.0.1 c9.core.cx
 # IPv6
 #::1 ip6-localhost ip6-loopback
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4
index 848603c..419962f 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/rules.v4
@@ -48,43 +48,49 @@ COMMIT
 #
 # Allow established from dns server
-#-A INPUT -i wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
+#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # INPUT accept passive
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
-# Allow established from http server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
+
+
+# Allow irc
+-A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow xmmp
+-A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Allow established from https server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow established from http server
+-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from rsync server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from pop3s server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from smtps server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from ntp server
--A INPUT -i wlp7s0 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from whois server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from ftp server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 ##################################################################################
 # INPUT
 # New and established connections to local servers
 #
 # INPUT accept from wlp7s0 to dns server
--A INPUT -i wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+#-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 # INPUT accept from wlp7s0 to https server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 # INPUT accept from wlp7s0 to ssh server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
 -A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
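Review bot: The three `# INPUT accept from wlp7s0 to … server` headings near the end of the hunk are now wrong, because every rule under them drops the `-i wlp7s0` match, so a reader is told the opposite of what the rule does; they should read e.g. `# INPUT accept to https server (any interface)`. Removing the interface match also means these accept rules, including the rate-limited `--dport 2222` pair, now apply to packets arriving on every interface (br0 included, judging by the `-o br0` rule in the OUTPUT chain), which may be intended but is not stated in the commit message and deserves a one-line comment at the top of the section. The new `# Allow irc` and `# Allow xmmp` reply rules (`--sport 6667`, `--sport 5222`) are already covered by the two `# INPUT accept passive` rules above them (any source port 1024:65535, ESTABLISHED or RELATED), so they add nothing; the per-service `--sport N … ESTABLISHED` rules below 1024 would likewise all collapse into a single `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` placed once near the top, which removes the risk of forgetting a port the next time a service is added. The misspelling `xmmp` should be `xmpp` in both comments.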
@@ -97,35 +103,47 @@ COMMIT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -o br0 -j ACCEPT
-# Allow dns
-#-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ssh clients
+-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow to dns
+#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow from dns server
+#-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow irc
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow xmmp
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
 # Allow to rsync server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to pop3s server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to smtps server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to ntp server
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to ftp server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to https server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to http server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 ##################################################################################
 # Output
 # Connections from local servers
 #
-# Allow from ssh server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow from dns server
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
+
 -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
 COMMIT
diff --git a/core/conf/rc.conf b/core/conf/rc.conf
index a9fffb8..661500c 100644
--- a/core/conf/rc.conf
+++ b/core/conf/rc.conf
@@ -7,6 +7,6 @@ KEYMAP=dvorak
 TIMEZONE="Europe/Lisbon"
 HOSTNAME=c9
 SYSLOG=sysklogd
-SERVICES=(lo net crond)
+SERVICES=(lo iptables wlan crond)
 # End of file
diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net
index 53224af..e512dc7 100755
--- a/core/conf/rc.d/net
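Review bot: The new catch-all `-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT` near the end of the hunk accepts a NEW outbound TCP connection to any destination port above 1023 on any host, which makes the per-service egress list above it (rsync, pop3s, smtps, irc, xmpp, https, http, ftp) mostly decorative: only the handful of ports below 1024 are still gated, and the `# Allow irc` / `# Allow xmmp` rules (6667, 5222) are fully subsumed by it. If the chain is meant to be an egress allow-list, that rule should be dropped or narrowed with `-d` to the peers that actually need high-port access; if egress is meant to be open, the section comment should say so plainly so the `# Allow to …` list is not mistaken for an enforced policy. The two `--sport 1024:65535 --dport 1024:65535` ESTABLISHED/RELATED rules next to it are reply-traffic rules and are fine, but a single `-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` at the top of the chain would cover them and every `ESTABLISHED` reply case above. The `# Output / Connections from local servers` heading now introduces only that catch-all block, since its ssh rule moved up under `# Allow to ssh clients` and the dns rule is commented out, so the heading text should be updated to match.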
+++ b/core/conf/rc.d/net
@@ -4,7 +4,8 @@
 #
 # Connection type: "DHCP" or "static"
-TYPE="static"
+#TYPE="static"
+TYPE="DHCP"
 # For "static" connections, specify your settings here:
 # To see your available devices run "ip link".
@@ -33,8 +34,8 @@ case $1 in
 else
 /sbin/ip route del default dev ${DEV}
 /sbin/ip route flush dev ${DEV}
- /sbin/ip link set ${DEV} down
- /sbin/ip addr flush dev ${DEV}
+ /sbin/ip link set ${DEV} down
+ /sbin/ip addr flush dev ${DEV}
 fi
 ;;
 restart)
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 894a69c..d009c1c 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -2,53 +2,52 @@
 #
 # /etc/rc.d/wlan: start/stop wireless interface
 #
+
 DEV=wlp7s0
+
 SSD=/sbin/start-stop-daemon
 PROG_DHCP=/sbin/dhcpcd
 PROG_WIFI=/usr/sbin/wpa_supplicant
-PID_DHCP=/var/run/dhcpcd-${DEV}.pid
+PID_DHCP=/var/run/dhcpcd.pid
 PID_WIFI=/var/run/wpa_supplicant.pid
-OPTS_DHCP="-h $(/bin/hostname) -C resolv.conf $DEV"
+OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
+
 print_status() {
- $SSD --status --pidfile $2
- case $? in
- 0) echo "$1 is running with pid $(cat $2)" ;;
- 1) echo "$1 is not running but the pid file $2 exists" ;;
- 3) echo "$1 is not running" ;;
- 4) echo "Unable to determine the program status" ;;
- esac
+ $SSD --status --pidfile $2
+ case $? in
+ 0) echo "$1 is running with pid $(cat $2)" ;;
+ 1) echo "$1 is not running but the pid file $2 exists" ;;
+ 3) echo "$1 is not running" ;;
+ 4) echo "Unable to determine the program status" ;;
+ esac
 }
 case $1 in
- start)
- $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
- $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
- RETVAL=$?
- ;;
- stop)
- ( $SSD --stop --retry 10 --pidfile $PID_DHCP
- $SSD --stop --retry 10 --pidfile $PID_WIFI )
- RETVAL=$?
- /sbin/ip route del default dev ${DEV}
- /sbin/ip route flush dev ${DEV}
- /sbin/ip link set ${DEV} down
- /sbin/ip addr flush dev ${DEV}
- ;;
- restart)
- $0 stop
- $0 start
- ;;
- status)
- print_status $PROG_WIFI $PID_WIFI
- print_status $PROG_DHCP $PID_DHCP
- ;;
- *)
- echo "Usage: $0 [start|stop|restart|status]"
- ;;
+ start)
+ $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
+ $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
+ RETVAL=$?
+ ;;
+ stop)
+ ( $SSD --stop --retry 10 --pidfile $PID_DHCP
+ $SSD --stop --retry 10 --pidfile $PID_WIFI )
+ RETVAL=$?
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ status)
+ print_status $PROG_WIFI $PID_WIFI
+ print_status $PROG_DHCP $PID_DHCP
+ ;;
+ *)
+ echo "Usage: $0 [start|stop|restart|status]"
+ ;;
 esac
 exit $RETVAL
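Review bot: The new `stop)` arm drops the four `/sbin/ip route del default`, `route flush`, `link set … down` and `addr flush dev ${DEV}` lines, so after `wlan stop` the interface keeps whatever address and default route were installed unless dhcpcd itself deconfigures it when stopped; if that is the reliance, a comment such as `# dhcpcd removes the address and routes on SIGTERM; no manual teardown` belongs above the two `$SSD --stop` calls, otherwise the teardown should stay (the sibling `rc.d/net` script in this commit still performs it). Most of the hunk is a re-indent of `print_status` and the `case` block, which hides the three functional changes (`PID_DHCP`, `OPTS_DHCP`, the dropped teardown) behind line-for-line noise; a whitespace-only commit first would keep them reviewable. `PID_DHCP=/var/run/dhcpcd.pid` paired with the switch from a positional interface to `-z $DEV` presumes this dhcpcd version writes a single master pid file at that path — worth confirming against the installed dhcpcd, since `--stop --pidfile` silently does nothing if the file is not there. `print_status` still expands `$2` unquoted in `--pidfile $2` and `$(cat $2)`; the pid paths here contain no spaces, but `"$2"` costs nothing and keeps ShellCheck quiet.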