author | Silvino <silvino@bk.ru> | 2019-06-08 01:49:10 +0100
---|---|---
committer | Silvino <silvino@bk.ru> | 2019-06-08 23:07:46 +0100
commit | f905c797c8f2ec87a8aa641a44c49fc1d0a23ebe (patch) |
tree | a878feb974ad47f33625a9d4b84d0b1258c0e3ec /core/network.html |
parent | 923321515685eed09a269d5643135b7c3a4e865d (diff) |
download | doc-f905c797c8f2ec87a8aa641a44c49fc1d0a23ebe.tar.gz |
core network better iptables documentation
Diffstat (limited to 'core/network.html')
-rw-r--r-- | core/network.html | 191 |
1 files changed, 44 insertions, 147 deletions
diff --git a/core/network.html b/core/network.html index 18dd220..c87acf9 100644 --- a/core/network.html +++ b/core/network.html @@ -9,7 +9,8 @@ <h1>2.3. Network</h1> - <p>Operation of the network can be handle with init scripts;</p> + <p>Operation of the network can be handle with init scripts or with + <a href="#nm">network manager</a>;</p> <dl> <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> @@ -24,11 +25,13 @@ <dd>Configure Wireless interface, launch wpa_supplicant to handle wireless authenticationand dynamic (dhcp) connection to router and add as default gateway.</dd> + <dt><a href="conf/rc.d/wlan">/etc/rc.d/networkmanager</a></dt> + <dd>Use network manager to handle connections.</dd> </dl> - <p>Choose wireless or net as connection to outside world and configure - <a href="conf/rc.conf">/etc/rc.conf</a> to run at startup, example - connecting using wireless interface;</p> + <p>Choose wireless (wlan), cable network (net) or network manager in + <a href="conf/rc.conf">/etc/rc.conf</a> to handle configuration of the + network at startup, example using network manager;</p> <pre> # @@ -40,7 +43,7 @@ TIMEZONE="Europe/Lisbon" HOSTNAME=machine SYSLOG=sysklogd - SERVICES=(lo iptables wlan crond) + SERVICES=(lo iptables networkmanager crond) # End of file </pre> 
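Review bot: in the @@ -24,11 +25,13 @@ hunk the new network manager entry links to the wrong init script: `<dt><a href="conf/rc.d/wlan">/etc/rc.d/networkmanager</a></dt>` points at conf/rc.d/wlan while the visible text and the new `SERVICES=(lo iptables networkmanager crond)` line both name a networkmanager service. The href should be conf/rc.d/networkmanager (and that file should be part of the repo), otherwise a reader following the link installs the wireless script under the wrong name and the service listed in rc.conf never starts. While editing this list, the unchanged context line "wireless authenticationand dynamic (dhcp)" is missing a space.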
@@ -116,33 +119,7 @@ <p>For more information about firewall systems read arch wiki <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a> - an <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> - - <p>To setup iptables rules a set of scripts is used, init script - <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> - loads set of rules from file /etc/iptables/net.v4 at boot time. - Start option "open" option allows everything to outside - and blocks everything from outside, "stop" will block and log - everything. Setup init script and rules ;</p> - - <pre> - # mkdir /etc/iptables - # cp core/conf/iptables/net.v4 /etc/iptables/ - # cp core/conf/rc.d/iptables /etc/rc.d/ - # chmod +x /etc/rc.d/iptables - </pre> - - <p>Change /etc/rc.conf and add iptables;</p> - - <pre> - SERVICES=(iptables lo net crond) - </pre> - - <p>See current rules and packets counts;</p> - - <pre> - # iptables -L -n -v | less - </pre> + and <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> <p>Diagram of a package route throw iptables;</p> 
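Review bot: with the setup block moved out of this hunk, the surviving context line `<p>Diagram of a package route throw iptables;</p>` now directly follows the wiki links and its wording ("package route throw") should read "packet route through iptables" so the section introduction stays clear; the "an" to "and" correction in the link sentence is fine.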
@@ -286,135 +263,42 @@ -c, --set-counters packets bytes </pre> - - <h3 id="ipt_scripts">2.3.3.1. Iptable scripts</h3> - - <p><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> sources - host configuration and create tables with rules that later are - used to match packages.</p> + <p>See current rules and packets counts;</p> <pre> - source /etc/iptables/ipt-conf.sh - source /etc/iptables/ipt-firewall.sh - - case $1 in - start) - ipt_clear - ipt_tables - case $TYPE in - bridge) - - ## load bridge configuration - source /etc/iptables/ipt-bridge.sh - - ## log everything else and drop - ipt_log - - iptables-save > /etc/iptables/bridge.v4 - ;; - server) - - - ## load server configuration - source /etc/iptables/iptables-conf.sh - - ## log everything else and drop - ipt_log - - iptables-save > /etc/iptables/server.v4 - ;; - esac - ;; - stop) - - ipt_clear - ;; - restart) - $0 stop - $0 start - ;; - *) - echo "Usage: $0 [start|stop|restart]" - ;; - esac + # iptables -L -n -v | less </pre> - <h3 id="ipt_server">2.3.3.2. Server iptables</h3> + <h3 id="ipt_scripts">2.3.3.1. Iptable scripts</h3> - <p>Adjust <a href="conf/ipt-conf.sh">/etc/iptables/ipt-conf.sh</a> - with your network configuration, edit <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a> matching rules with interfaces.</p> + <p>Scripts help to setup iptables rules so they can be saved using iptables-save + and later restored using iptables-restore utilities. Init script + <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> + loads set of rules from /etc/iptables folder at boot time. + Start option "open" option allows everything to outside + and blocks new connections from outside, "stop" will block and log + everything.</p> - <p>Default configuration;</p> + <p>Setup init script and rules;</p> <pre> - echo "setting server network..." 
- - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in - #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in - - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out - #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out - - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out - - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out + # mkdir /etc/iptables + # cp core/conf/iptables/net.v4 /etc/iptables/ + # cp core/conf/rc.d/iptables /etc/rc.d/ + # chmod +x /etc/rc.d/iptables </pre> + <p>Change /etc/rc.conf and add iptables;</p> <pre> - # bash core/scripts/iptables.sh + SERVICES=(iptables lo net crond) </pre> - <h3 id="ipt_client">2.3.3.3. Client iptables </h3> - - <p></p> - <h3 id="ipt_client">2.3.3.4. 
Bridge iptables</h3> - - <pre> - $IPT -A FORWARD -j blocker - $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out + <p>Change <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> and define type; server, bridge or open.</p> - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - </pre> + <p>Adjust <a href="conf/ipt-conf.sh">/etc/iptables/ipt-conf.sh</a> + with your network configuration, and adjust + <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a>, <a href="conf/ipt-bridge.sh">/etc/iptables/ipt-bridge.sh</a>, <a href="conf/ipt-open.sh">/etc/iptables/ipt-open.sh</a> according with host necessities.</p> <h2 id="wpa">2.3.4. Wpa and dhcpd</h2> 
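Review bot: the re-added setup block in the @@ -286,135 +263,42 @@ hunk only installs the rule dump and the init script (`# cp core/conf/iptables/net.v4 /etc/iptables/` and `# cp core/conf/rc.d/iptables /etc/rc.d/`), but the two paragraphs that follow tell the reader to edit /etc/iptables/ipt-conf.sh, ipt-server.sh, ipt-bridge.sh and ipt-open.sh, and the init script removed in this same hunk sources /etc/iptables/ipt-conf.sh and /etc/iptables/ipt-firewall.sh; the copy steps for those scripts are missing, and their hrefs ("conf/ipt-conf.sh") do not match the conf/iptables/ path used by the cp commands, so the links and the instructions should be reconciled. Two documentation points on the same text: the sentence "Start option "open" option allows everything to outside" repeats "option", and the claim that "stop" will "block and log everything" should be checked against the current script, because the version being deleted here implemented stop as `stop) ipt_clear ;;`, which flushes the rules rather than closing the host; a stop that fails open is worth a sentence stating which default policy is left in place. Finally, "Change /etc/rc.d/iptables and define type" asks users to edit the init script to set the mode, while the removed script already reads `case $TYPE in` after sourcing ipt-conf.sh; defining TYPE in ipt-conf.sh keeps local configuration out of the init script and survives re-copying it.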
@@ -503,11 +387,24 @@ > save_config </pre> + <h2 id="nm">2.3.5. Network Manager</h2> + + <p>List wifi networks;</p> + + <pre> + nmcli device wifi list + </pre> + + <p>Connect to a wifi network;</p> + + <pre> + nmcli device wifi connect "network name" password "network password" + </pre> <a href="index.html">Core OS Index</a> <p> This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> |
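Review bot: the new connect example in the @@ -503,11 +387,24 @@ hunk, `nmcli device wifi connect "network name" password "network password"`, places the Wi-Fi passphrase on the command line, where it is written to the shell history and visible to other local users in the process list while the command runs; documenting the prompting form instead, `nmcli --ask device wifi connect "network name"`, avoids both, and the section could mention that NetworkManager persists the resulting profile so the password is only entered once. The new `<h2 id="nm">` anchor matches the `#nm` link added in the first hunk, and the copyright year update is consistent with the commit date.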