author | Silvino Silva <silvino@bk.ru> | 2018-07-17 00:07:56 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2018-07-17 00:07:56 +0100 |
commit | 8e26cc1ca02691e621a82c274e9cfcd90181ccbe (patch) | |
tree | da34dbb85daf65ed993f5b6d56847d7d37cb0cd3 /core/scripts | |
parent | f5955b57400b065d77fc115c821c18864f3dae02 (diff) | |
parent | fa4a1dbc55e566b6f891636ed0301bf6a188b312 (diff) | |
download | doc-8e26cc1ca02691e621a82c274e9cfcd90181ccbe.tar.gz |
release 0.3.5
Diffstat (limited to 'core/scripts')
-rw-r--r-- | core/scripts/backup-system.sh | 157 | ||||
-rw-r--r-- | core/scripts/iptables-br.sh | 395 | ||||
-rw-r--r-- | core/scripts/iptables-conf.sh | 21 | ||||
-rw-r--r-- | core/scripts/iptables.sh | 823 | ||||
-rw-r--r-- | core/scripts/setup-iso.sh | 103 | ||||
-rwxr-xr-x | core/scripts/setup-target.sh | 2 |
6 files changed, 635 insertions, 866 deletions
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index 49b9873..ba6a961 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -1,4 +1,12 @@ -#!/bin/sh +#!/bin/bash + +ROOT_DIR= +DEST_DIR=/root/backup +PORT_PKG="${DEST_DIR}/crux" +PORT_PRT="${DEST_DIR}/ports" +DATA_CNF="${DEST_DIR}/conf" +DATA_USR="${DEST_DIR}/user" +DATA_SRV="${DEST_DIR}/srv" ConfirmOrExit () { @@ -50,9 +58,9 @@ mkbk_coll_ports() { --directory=$ROOT_DIR/usr/ports/${col} \ --exclude=.git/ \ . - } + mkbk_metadata() { # archive pkgutils data @@ -158,8 +166,8 @@ mkbk_user_metadata() { # encript data #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ - # --encrypt --recipient user@host \ - # "${DATA_USR}/meta-${user}.tar.gz" + # --encrypt --recipient user@host \ + # "${DATA_USR}/meta-${user}.tar.gz" tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ $dir/gitolite-admin 
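Review bot: The first hunk fixes the default destination to `/root/backup` while the gpg step in the third hunk (`#gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg"`) remains commented out, so the user-metadata archives (`gitolite-${user}.tar.gz` in the same hunk) are written in clear with whatever mode the caller's umask allows. Now that the script is explicitly bash, tighten this where the defaults are declared: `umask 077` directly after `#!/bin/bash`, so the directories created later by `mkdir -p` and the tar outputs are owner-only. The second and third hunks are otherwise whitespace-only changes; `ConfirmOrExit` and `mkbk_user_metadata` continue outside these hunks.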
@@ -167,34 +175,56 @@ mkbk_user_metadata() { done } -echo -n "root directory you want backup (/mnt/):\n " -#read ROOT_DIR -ROOT_DIR=$1 - -echo -n "where you want to save (/home/user):\n " -DEST_DIR=$2 - -# Temporary directory -PORT_PKG="${DEST_DIR}/crux" -PORT_PRT="${DEST_DIR}/ports" -DATA_CNF="${DEST_DIR}/conf" -DATA_USR="${DEST_DIR}/user" -DATA_SRV="${DEST_DIR}/srv" +print_data () { + echo "ROOT_DIR=${ROOT_DIR}" + echo "DEST_DIR=${DEST_DIR}" + echo "PORT_PKG=${PORT_PKG}" + echo "PORT_PRT=${PORT_PRT}" + echo "DATA_CNF=${DATA_CNF}" + echo "DATA_USR=${DATA_USR}" + echo "DATA_SRV=${DATA_SRV}" +} -echo "ROOT_DIR=${ROOT_DIR}" -echo "DEST_DIR=${DEST_DIR}" -echo "PORT_PKG=${PORT_PKG}" -echo "PORT_PRT=${PORT_PRT}" -echo "DATA_CNF=${DATA_CNF}" -echo "DATA_USR=${DATA_USR}" -echo "DATA_SRV=${DATA_SRV}" +print_help() { + echo "usage: backup-system [options]" + echo "options:" + echo " -r, --root root directory to backup, default /" + echo " -d, --destination save backup, default /root/backup" + echo " -h, --help print help and exit" +} +while [ "$1" ]; do + case $1 in + -r|--root) + ROOT_DIR=$2 + if [ ${ROOT_DIR} == "/" ]; then + ROOT_DIR="" + fi + shift ;; + -d|--destination) + DEST_DIR=$2 + + # Destination directory + PORT_PKG="${DEST_DIR}/crux" + PORT_PRT="${DEST_DIR}/ports" + DATA_CNF="${DEST_DIR}/conf" + DATA_USR="${DEST_DIR}/user" + DATA_SRV="${DEST_DIR}/srv" + shift ;; + -h|--help) + print_help + exit 0 ;; + *) + echo "backup-system: invalid option $1" + print_help + exit 1 ;; + esac + shift +done + +print_data ConfirmOrExit -if [ ${ROOT_DIR} == "/" ]; then - ROOT_DIR="" -fi - mkdir -p ${PORT_PKG} mkdir -p ${PORT_PRT} mkdir -p ${DATA_CNF} 
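Review bot: In the `-r|--root` and `-d|--destination` arms the value `$2` is taken without checking that it exists, and `ROOT_DIR` is tested unquoted: `-d` as the last argument leaves `DEST_DIR` empty, so `PORT_PKG` becomes `/crux`, `DATA_USR` becomes `/user`, and the `mkdir -p ${PORT_PKG}` lines after `ConfirmOrExit` create those directories at the filesystem root; `-r` as the last argument makes `[ ${ROOT_DIR} == "/" ]` print a unary-operator error and the script continues with `ROOT_DIR` empty, i.e. it backs up the whole root. Guard the value before each assignment and quote the test: `[ -n "$2" ] || { echo "backup-system: option $1 requires an argument" >&2; print_help; exit 1; }` and `if [ "${ROOT_DIR}" = "/" ]; then`. The five derived directory assignments are now duplicated between the file header and the `-d` arm; computing them once after the option loop's `done` would remove the copy.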
@@ -204,20 +234,59 @@ mkdir -p ${DATA_SRV} # Light backup data mkbk_metadata mkbk_etc_conf -mkbk_user_metadata -mkbk_srv_www -mkbk_srv_pgsql -mkbk_srv_gitolite - -# Port system -mkbk_coll_ports "core" -mkbk_coll_pkg "core" -mkbk_coll_ports "opt" -mkbk_coll_pkg "opt" -mkbk_coll_ports "contrib" -mkbk_coll_pkg "contrib" -mkbk_coll_ports "xorg" -mkbk_coll_pkg "xorg" - -mkbk_coll_pkg "other" +while true +do + echo -n "Backup user metadata ? Please confirm (y or n) :" + read CONFIRM + case $CONFIRM in + n|N|no|NO|No) break ;; + y|Y|YES|yes|Yes) + echo "Accept - you entered $CONFIRM" + mkbk_user_metadata + break + ;; + *) echo "Please enter only y or n" + esac +done + +while true +do + echo -n "Backup server data ? Please confirm (y or n) :" + read CONFIRM + case $CONFIRM in + n|N|no|NO|No) break ;; + y|Y|YES|yes|Yes) + echo "Accept - you entered $CONFIRM" + mkbk_srv_www + mkbk_srv_pgsql + mkbk_srv_gitolite + break + ;; + *) echo "Please enter only y or n" + esac +done + + +while true +do + echo -n "Backup port system ? Please confirm (y or n) :" + read CONFIRM + case $CONFIRM in + n|N|no|NO|No) break ;; + y|Y|YES|yes|Yes) + echo "Accept - you entered $CONFIRM" + mkbk_coll_ports "core" + mkbk_coll_pkg "core" + mkbk_coll_ports "opt" + mkbk_coll_pkg "opt" + mkbk_coll_ports "contrib" + mkbk_coll_pkg "contrib" + mkbk_coll_ports "xorg" + mkbk_coll_pkg "xorg" + mkbk_coll_pkg "other" + break + ;; + *) echo "Please enter only y or n" + esac +done diff --git a/core/scripts/iptables-br.sh b/core/scripts/iptables-br.sh deleted file mode 100644 index be1280c..0000000 --- a/core/scripts/iptables-br.sh +++ /dev/null 
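Review bot: The three `while true` prompt loops are the same code with a different question and body, and each `read CONFIRM` lacks `-r`, so a backslash in the answer is altered before the `case` sees it. A `confirm` helper returning 0 for yes and 1 for no, using `read -r`, reduces this block to three `if confirm "..."; then ... fi` groups while keeping every prompt and message string identical (the question is passed as `$1` into `"$1 ? Please confirm (y or n) :"`). `ConfirmOrExit`, defined earlier in the file, may already serve this purpose; if so, extending it is preferable to adding a second helper.
```shell
confirm() {
  local answer
  while true; do
    echo -n "$1 ? Please confirm (y or n) :"
    read -r answer
    case $answer in
      n|N|no|NO|No) return 1 ;;
      y|Y|YES|yes|Yes)
        echo "Accept - you entered $answer"
        return 0
        ;;
      *) echo "Please enter only y or n" ;;
    esac
  done
}

if confirm "Backup user metadata"; then
  mkbk_user_metadata
fi

if confirm "Backup server data"; then
  mkbk_srv_www
  mkbk_srv_pgsql
  mkbk_srv_gitolite
fi

# … unchanged: "Backup port system" group, same pattern with the mkbk_coll_* calls …
```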
@@ -1,395 +0,0 @@ -#!/bin/sh - -# -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# + -# | -# v -# +-------------+ +------------------+ -# |table: filter| <---+ | table: nat | -# |chain: INPUT | | | chain: PREROUTING| -# +-----+-------+ | +--------+---------+ -# | | | -# v | v -# [local process] | **************** +--------------+ -# | +---------+ Routing decision +------> |table: filter | -# v **************** |chain: FORWARD| -# **************** +------+-------+ -# Routing decision | -# **************** | -# | | -# v **************** | -# +-------------+ +------> Routing decision <---------------+ -# |table: nat | | **************** -# |chain: OUTPUT| | + -# +-----+-------+ | | -# | | v -# v | +-------------------+ -# +--------------+ | | table: nat | -# |table: filter | +----+ | chain: POSTROUTING| -# |chain: OUTPUT | +--------+----------+ -# +--------------+ | -# v -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] -I chain [rulenum] rule-specification -# -# iptables [-t table] -R chain rulenum rule-specification -# -# iptables [-t table] -D chain rulenum -# -# iptables [-t table] -S [chain [rulenum]] -# -# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] -# -# iptables [-t table] -N chain -# -# iptables [-t table] -X [chain] -# -# iptables [-t table] -P chain target -# -# iptables [-t table] -E old-chain-name new-chain-name -# -# rule-specification = [matches...] [target] -# -# match = -m matchname [per-match-options] -# -# -# Targets -# -# can be a user defined chain -# -# ACCEPT - accepts the packet -# DROP - drop the packet on the floor -# QUEUE - packet will be stent to queue -# RETURN - stop traversing this chain and -# resume ate the next rule in the -# previeus (calling) chain. 
-# -# if packet reach the end of the chain or -# a target RETURN, default policy for that -# chain is applayed. -# -# Target Extensions -# -# AUDIT -# CHECKSUM -# CLASSIFY -# DNAT -# DSCP -# LOG -# Torn on kernel logging, will print some -# some information on all matching packets. -# Log data can be read with dmesg or syslogd. -# This is a non-terminating target and a rule -# should be created with matching criteria. -# -# --log-level level -# Level of logging (numeric or see sys- -# log.conf(5) -# -# --log-prefix prefix -# Prefix log messages with specified prefix -# up to 29 chars log -# -# --log-uid -# Log the userid of the process with gener- -# ated the packet -# NFLOG -# This target pass the packet to loaded logging -# backend to log the packet. One or more userspace -# processes may subscribe to the group to receive -# the packets. -# -# ULOG -# This target provides userspace logging of maching -# packets. One or more userspace processes may then -# then subscribe to various multicast groups and -# then receive the packets. -# -# -# Commands -# -# -A, --append chain rule-specification -# -C, --check chain rule-specification -# -D, --delete chain rule-specification -# -D, --delete chain rulenum -# -I, --insert chain [rulenum] rule-specification -# -R, --replace chain rulenum rule-specification -# -L, --list [chain] -# -P, --policy chain target -# -# Parameters -# -# -p, --protocol protocol -# tcp, udp, udplite, icmp, esp, ah, sctp, all -# -s, --source address[/mask][,...] -# -d, --destination address[/mask][,...] -# -j, --jump target -# -g, --goto chain -# -i, --in-interface name -# -o, --out-interface name -# -f, --fragment -# -m, --match options module-name -# iptables can use extended packet matching -# modules. 
-# -c, --set-counters packets bytes - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet -#PUB_IF="wlp7s0" -PUB_IF="enp8s0" -BR_IF="br0" -PUB_IP="10.0.0.254" -NET_ADDR="10.0.0.0/8" -GW="10.0.0.1" -# private interface for virtual/internal -PRIV_IF="wlp7s0" -PRIV_IP="192.168.1.33" - -echo "Stopping ipv4 firewall and deny everyone..." - -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X -iptables -N blocker - -iptables -N netconf_in -iptables -N netconf_out -iptables -N server_in -iptables -N server_out -iptables -N client_in -iptables -N client_out - -# Set Default Rules -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -echo "Starting ipv4 firewall tables..." -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - -#modprobe ip_conntrack -#modprobe ip_conntrack_ftp -#echo 1 > /proc/sys/net/ipv4/ip_forward - -####### blocker Chain ###### -## Block google dns -$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " -$IPT -A blocker -s 8.8.0.0/24 -j DROP -## Block sync -$IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " -$IPT -A blocker -p tcp ! 
--syn -m state --state NEW -j DROP -## Block Fragments -$IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " -$IPT -A blocker -f -j DROP - -$IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - -$IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " -$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - -$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -## Return to caller -$IPT -A blocker -j RETURN - -####### server input Chain ###### -#echo "server_in chain: Allow to VNC Server" -#$IPT -A server_in -p tcp --dport 5900 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow to DataBase Server" -#$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow to SSH server" -#$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow input to HTTPS Server" -#$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow input to HTTP Server" -#$IPT 
-A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to DNS Server" -$IPT -A server_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A server_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow input to GIT server" -#$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_in -j RETURN - -####### server output Chain ###### -echo "server_out chain: Allow output from DNS server" -$IPT -A server_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A server_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from GIT server" -#$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from https server" -#$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from http server" -#$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from SSH server" -#$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from Data Base server" -#$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from VNC server" -#$IPT -A server_out -p tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_out -j RETURN - -####### client input Chain ###### -echo "client_in chain: Allow input from IRC server" -$IPT -A client_in -p tcp --sport 6667 
--dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from FTP server" -$IPT -A client_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GIT server" -$IPT -A client_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from POP3S server" -$IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SMTPS server" -$IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTP Server" -$IPT -A client_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTPS server" -$IPT -A client_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from DNS Server" -$IPT -A client_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SSH Server" -$IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GPG key Server" -$IPT -A client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A client_in -j RETURN - -####### client output Chain ###### -echo "client_out chain: Allow output to IRC server" -$IPT -A client_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to FTP server" -$IPT -A client_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j 
ACCEPT -echo "client_out chain: Allow output to GIT server" -$IPT -A client_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to POP3S server" -$IPT -A client_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SMTPS server" -$IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to HTTPS server" -$IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "Allow to HTTP server" -$IPT -A client_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to DNS server" -$IPT -A client_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SSH server" -$IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GPG key Server" -$IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A client_out -j RETURN - -####### netconf input Chain ###### -echo "netconf_in chain: Allow DHCP protocol" -$IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT -echo "netconf_in chain: Allow RIP protocol for ${NET_ADDR}" -$IPT -A netconf_in -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -#echo "netconf chain: Allow ICMP from ${NET_ADDR}" -#$IPT -A netconf_in -p icmp -s ${NET_ADDR} -j ACCEPT -echo "netconf_in chain: Allow ICMP from all" -$IPT -A netconf_in -p icmp -j LOG --log-level 7 --log-prefix 
"iptables: netconf_in ICMP: " -$IPT -A netconf_in -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_in -j RETURN - - -####### netconf output Chain ###### -echo "netconf_out chain: Allow output from DHCP server" -$IPT -A netconf_out -p udp --sport 67 --dport 68 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -echo "netconf_out chain: Allow RIP protocol for ${NET_ADDR}" -$IPT -A netconf_out -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -#echo "netconf chain: Allow ICMP output to ${NET_ADDR}" -#$IPT -A netconf_out -p icmp -d ${NET_ADDR} -j ACCEPT -echo "netconf chain: Allow ICMP output to all" -$IPT -A netconf_out -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_out ICMP: " -$IPT -A netconf_out -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_out -j RETURN - -####### AP rules ###### -#$IPT -t nat -A PREROUTING -i ${BR_IF} -p tcp --dport 80 -j DNAT --to 10.0.0.4:80 - -$IPT -A FORWARD -j blocker -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_out -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j client_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j client_out -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j server_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j server_out - -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j ACCEPT - -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j ACCEPT - -#$IPT -A FORWARD -j server_in - -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j SNAT --to ${PUB_IP} - -####### Input Chain ###### -$IPT -A INPUT -j blocker - -$IPT -A INPUT -i ${BR_IF} -s ${NET_ADDR} -d ${PUB_IP} -j server_in -$IPT -A INPUT -i ${BR_IF} -d ${NET_ADDR} -j client_in -$IPT -A INPUT -i ${BR_IF} -j netconf_in - -#$IPT -A INPUT -i ${PUB_IF} 
-d ${NET_ADDR} -j client_in - -####### Output Chain ###### -$IPT -A OUTPUT -j blocker - -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${NET_ADDR} -j server_out -$IPT -A OUTPUT -o ${BR_IF} -s ${NET_ADDR} -j client_out -$IPT -A OUTPUT -o ${BR_IF} -j netconf_out - - -#$IPT -A OUTPUT -o ${PUB_IF} -s ${NET_ADDR} -j client_out - -## log everything else and drop -$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " -$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - -iptables-save > /etc/iptables/br-lan.v4 -exit 0 diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh new file mode 100644 index 0000000..478ce08 --- /dev/null +++ b/core/scripts/iptables-conf.sh @@ -0,0 +1,21 @@ +#!/bin/bash +TYPE=bridge +#TYPE=server + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" + +# public interface to network/internet +BR_IF="br0" +BR_NET="10.0.0.0/8" +GW="10.0.0.1" +#DNS="10.0.0.254" +DNS="212.55.154.174" + +PUB_IP="10.0.0.254" +PUB_IF="enp8s0" + +# private interface for virtual/internal +#PRIV_IF="wlp7s0" +#PRIV_NET="192.168.1.0/24" diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh index b887204..db1078d 100644 --- a/core/scripts/iptables.sh +++ b/core/scripts/iptables.sh 
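Review bot: The new `iptables-conf.sh` carries a `#!/bin/bash` shebang but is added with mode 100644 and contains only assignments, which suggests it is sourced by `iptables.sh` rather than executed; a header comment should say so, e.g. `# Variables shared by iptables.sh; source this file, do not run it.` The `TYPE` switch is documented only by the commented-out `#TYPE=server`; a comment naming the accepted values, `# TYPE: bridge | server - selects the rule set built by iptables.sh`, would help the next editor. The comment `# public interface to network/internet` sits above the bridge settings (`BR_IF`, `BR_NET`, `GW`) while the public interface is `PUB_IF` further down; move it above `PUB_IP`/`PUB_IF` or reword it to `# bridge interface and network`. Whether `SPAMLIST`, `SPAMDROPMSG` and `GW` are read anywhere cannot be told from this diff.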
@@ -1,408 +1,415 @@ -#!/bin/sh - -# -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# + -# | -# v -# +-------------+ +------------------+ -# |table: filter| <---+ | table: nat | -# |chain: INPUT | | | chain: PREROUTING| -# +-----+-------+ | +--------+---------+ -# | | | -# v | v -# [local process] | **************** +--------------+ -# | +---------+ Routing decision +------> |table: filter | -# v **************** |chain: FORWARD| -# **************** +------+-------+ -# Routing decision | -# **************** | -# | | -# v **************** | -# +-------------+ +------> Routing decision <---------------+ -# |table: nat | | **************** -# |chain: OUTPUT| | + -# +-----+-------+ | | -# | | v -# v | +-------------------+ -# +--------------+ | | table: nat | -# |table: filter | +----+ | chain: POSTROUTING| -# |chain: OUTPUT | +--------+----------+ -# +--------------+ | -# v -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] -I chain [rulenum] rule-specification -# -# iptables [-t table] -R chain rulenum rule-specification -# -# iptables [-t table] -D chain rulenum -# -# iptables [-t table] -S [chain [rulenum]] -# -# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] -# -# iptables [-t table] -N chain -# -# iptables [-t table] -X [chain] -# -# iptables [-t table] -P chain target -# -# iptables [-t table] -E old-chain-name new-chain-name -# -# rule-specification = [matches...] [target] -# -# match = -m matchname [per-match-options] -# -# -# Targets -# -# can be a user defined chain -# -# ACCEPT - accepts the packet -# DROP - drop the packet on the floor -# QUEUE - packet will be stent to queue -# RETURN - stop traversing this chain and -# resume ate the next rule in the -# previeus (calling) chain. 
-# -# if packet reach the end of the chain or -# a target RETURN, default policy for that -# chain is applayed. -# -# Target Extensions -# -# AUDIT -# CHECKSUM -# CLASSIFY -# DNAT -# DSCP -# LOG -# Torn on kernel logging, will print some -# some information on all matching packets. -# Log data can be read with dmesg or syslogd. -# This is a non-terminating target and a rule -# should be created with matching criteria. -# -# --log-level level -# Level of logging (numeric or see sys- -# log.conf(5) -# -# --log-prefix prefix -# Prefix log messages with specified prefix -# up to 29 chars log -# -# --log-uid -# Log the userid of the process with gener- -# ated the packet -# NFLOG -# This target pass the packet to loaded logging -# backend to log the packet. One or more userspace -# processes may subscribe to the group to receive -# the packets. -# -# ULOG -# This target provides userspace logging of maching -# packets. One or more userspace processes may then -# then subscribe to various multicast groups and -# then receive the packets. -# -# -# Commands -# -# -A, --append chain rule-specification -# -C, --check chain rule-specification -# -D, --delete chain rule-specification -# -D, --delete chain rulenum -# -I, --insert chain [rulenum] rule-specification -# -R, --replace chain rulenum rule-specification -# -L, --list [chain] -# -P, --policy chain target -# -# Parameters -# -# -p, --protocol protocol -# tcp, udp, udplite, icmp, esp, ah, sctp, all -# -s, --source address[/mask][,...] -# -d, --destination address[/mask][,...] -# -j, --jump target -# -g, --goto chain -# -i, --in-interface name -# -o, --out-interface name -# -f, --fragment -# -m, --match options module-name -# iptables can use extended packet matching -# modules. 
-# -c, --set-counters packets bytes - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet -BR_IF="br0" -BR_IP="10.0.0.254" -BR_NET="10.0.0.0/8" -GW="10.0.0.1" - -# private interface for virtual/internal -WIFI_IF="wlp7s0" -WIFI_NET="192.168.1.0/24" -#PRI_IP="192.168.1.33" - -echo "Stopping ipv4 firewall and deny everyone..." - -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X -iptables -N blocker - -iptables -N netconf_in -iptables -N netconf_out -iptables -N server_in -iptables -N server_out -iptables -N client_in -iptables -N client_out - -iptables -N srv_dns_in -iptables -N srv_dns_out -iptables -N cli_dns_in -iptables -N cli_dns_out -iptables -N cli_http_in -iptables -N cli_http_out - -# Set Default Rules -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -####### blocker Chain ###### -## Block google dns -$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " -$IPT -A blocker -s 8.8.0.0/24 -j DROP -## Block sync -$IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " -$IPT -A blocker -p tcp ! 
--syn -m state --state NEW -j DROP -## Block Fragments -$IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " -$IPT -A blocker -f -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " -$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans -$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -## Return to caller -$IPT -A blocker -j RETURN - -######## DNS Server -#echo "server_in chain: Allow input to DNS Server" -$IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_in -j RETURN -#echo "srv_dns_out chain: Allow output from DNS server" -$IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_out -j RETURN - -######## DNS Client -echo "cli_dns_out chain: Allow output to DNS server" -$IPT -A cli_dns_out -p udp 
--dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A cli_dns_out -j RETURN -echo "cli_dns_in chain: Allow input from DNS Server" -$IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A cli_dns_in -j RETURN - -######## HTTP Client -$IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A cli_http_in -j RETURN -#echo "Allow to HTTP server" -$IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A cli_http_out -j RETURN - -####### server input Chain ###### -#echo "server_in chain: Allow to VNC Server" -#$IPT -A server_in -p tcp --dport 5900:5910 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to DataBase Server" -$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to SSH server" -$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTPS Server" -$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTP Server" -$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow output from GIT server" -$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_in -j RETURN - -####### server output Chain ###### -echo "server_out chain: Allow output from GIT server" -$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from https server" -$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output 
from http server" -$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from SSH server" -$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from Data Base server" -$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from VNC server" -#$IPT -A server_out -p tcp --sport 5900:5910 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_out -j RETURN - -####### client input Chain ###### -echo "client_in chain: Allow input from IRC server" -$IPT -A client_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from FTP server" -$IPT -A client_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GIT server" -$IPT -A client_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from POP3S server" -$IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SMTPS server" -$IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTPS server" -$IPT -A client_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SSH Server" -$IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GPG key Server" -$IPT -A 
client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -j RETURN - -####### client output Chain ###### -echo "client_out chain: Allow output to IRC server" -$IPT -A client_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to FTP server" -$IPT -A client_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GIT server" -$IPT -A client_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to POP3S server" -$IPT -A client_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SMTPS server" -$IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to HTTPS server" -$IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SSH server" -$IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GPG key Server" -$IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -j RETURN - -####### netconf input Chain ###### -echo "netconf_in chain: Allow DHCP protocol" -$IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT -echo "netconf_in chain: Allow RIP protocol for ${BR_NET}" -$IPT -A netconf_in -p udp --sport 520 --dport 520 -j ACCEPT -#echo "netconf chain: Allow ICMP from ${BR_NET}" -#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT 
-echo "netconf_in chain: Allow ICMP from all" -$IPT -A netconf_in -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_in -j RETURN - - -####### netconf output Chain ###### -echo "netconf_out chain: Allow output from DHCP server" -$IPT -A netconf_out -p udp --sport 67 --dport 68 -j ACCEPT -echo "netconf_out chain: Allow RIP protocol for ${BR_NET}" -$IPT -A netconf_out -p udp --sport 520 --dport 520 -j ACCEPT -#echo "netconf chain: Allow ICMP output to ${BR_NET}" -#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT -echo "netconf chain: Allow ICMP output to all" -$IPT -A netconf_out -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_out -j RETURN - -############################################################ -# -# Start adding rules tables -# - -echo "Starting ipv4 firewall tables..." - -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT - -#modprobe ip_conntrack -#modprobe ip_conntrack_ftp -echo 1 > /proc/sys/net/ipv4/ip_forward - -####### Forward Chain ###### -$IPT -A FORWARD -j blocker -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT -$IPT -A FORWARD -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j ACCEPT -#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j ACCEPT -#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j ACCEPT - -####### Input Chain ###### -$IPT -A INPUT -j blocker -$IPT -A INPUT -i ${BR_IF} -j netconf_in -$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j srv_dns_in -$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d ${BR_IP} -j server_in -#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j client_in -#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j cli_dns_in -#$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j client_in -# -##$IPT -A INPUT -i ${WIFI_IF} -j server_in -#$IPT -A INPUT -i ${WIFI_IF} -j netconf_in - -####### Output Chain ###### -$IPT -A OUTPUT -j 
blocker -$IPT -A OUTPUT -o ${BR_IF} -j netconf_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j srv_dns_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j server_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j client_out -#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j client_out -#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j cli_dns_out - -#$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -j client_out - -#$IPT -A OUTPUT -o ${WIFI_IF} -j server_out -#$IPT -A OUTPUT -o ${WIFI_IF} -j netconf_out - -####### PostRouting Chain ###### -$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j MASQUERADE - -## log everything else and drop -$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " -$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " -$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " - - -iptables-save > /etc/iptables/net.rules -exit 0 +#!/bin/bash + +source /etc/iptables/iptables-conf.sh + +iptables_clear () { + echo "clear all iptables tables" + + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + iptables -N blocker + + iptables -N srv_dhcp + iptables -N srv_rip + iptables -N srv_icmp + iptables -N srv_dns_in + iptables -N srv_dns_out + iptables -N srv_http_in + iptables -N srv_http_out + iptables -N srv_https_in + iptables -N srv_https_out + iptables -N srv_ssh_in + iptables -N srv_ssh_out + iptables -N srv_git_in + iptables -N srv_git_out + iptables -N srv_db_in + iptables -N srv_db_out + + + iptables -N cli_dns_in + iptables -N cli_dns_out + iptables -N cli_http_in + iptables -N cli_http_out + iptables -N 
cli_https_in + iptables -N cli_https_out + iptables -N cli_ssh_in + iptables -N cli_ssh_out + iptables -N cli_pops_in + iptables -N cli_pops_out + iptables -N cli_smtps_in + iptables -N cli_smtps_out + iptables -N cli_irc_in + iptables -N cli_irc_out + iptables -N cli_ftp_in + iptables -N cli_ftp_out + iptables -N cli_git_in + iptables -N cli_git_out + iptables -N cli_gpg_in + iptables -N cli_gpg_out + + # Set Default Rules + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP +} + +iptables_log () { + ## log everything else and drop + $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " +} + + +iptables_tables () { + echo "start adding tables..." + + ####### blocker Chain ###### + ## Block google dns + $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " + $IPT -A blocker -s 8.8.0.0/24 -j DROP + ## Block sync + $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " + $IPT -A blocker -p tcp ! 
--syn -m state --state NEW -j DROP + ## Block Fragments + $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " + $IPT -A blocker -f -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " + $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + ## Return to caller + $IPT -A blocker -j RETURN + + ######## DNS Server + 
#echo "server_in chain: Allow input to DNS Server" + $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -j RETURN + #echo "srv_dns_out chain: Allow output from DNS server" + $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -j RETURN + + ####### Database Server + $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_db_in -j RETURN + $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_db_out -j RETURN + + ####### SSH Server + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ + --hitcount 4 --rttl --name SSH -j DROP + + $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + + $IPT -A srv_ssh_in -j RETURN + $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -j RETURN + + ####### HTTP Server + $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_http_in -j RETURN + $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_http_out -j RETURN + + ####### HTTPS Server + $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_https_in -j RETURN 
+ $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_https_out -j RETURN + + ###### GIT server + $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_git_in -j RETURN + $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_git_out -j RETURN + + ######## DNS Client + $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_dns_out -j RETURN + $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_dns_in -j RETURN + + ######## HTTP Client + #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP + + $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -j RETURN + $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -j RETURN + + ######## IRC client + $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_irc_in -j RETURN + $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_irc_out -j RETURN + + ######## FTP client + + $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_in -j RETURN + $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_out -j RETURN + ######## GIT client + $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED 
-j ACCEPT + $IPT -A cli_git_in -j RETURN + $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_git_out -j RETURN + + ######## POP3S client + $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_pops_in -j RETURN + $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_pops_out -j RETURN + + ######## SMTPS client + $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_in -j RETURN + $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_out -j RETURN + + ######## HTTPS client + $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -j RETURN + $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -j RETURN + + ######## SSH client + $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -j RETURN + $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -j RETURN + + ######## GPG key client + $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_in -j RETURN + $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state 
NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_out -j RETURN + + ######## DHCP Server + $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -j RETURN + + ####### RIP Server + $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT + $IPT -A srv_rip -j RETURN + + ####### ICMP Server + $IPT -A srv_icmp -p icmp -j ACCEPT + $IPT -A srv_icmp -j RETURN +} + +case $TYPE in + bridge) + iptables_clear + iptables_tables + + echo "setting bridge network..." + echo 1 > /proc/sys/net/ipv4/ip_forward + + # Unlimited on loopback + $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + + ####### NAT Prerouting Chain ###### + + ####### Forward Chain ###### + $IPT -A FORWARD -j blocker + $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + + # Tap1 can access external http + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in 
${PUB_IF} --physdev-out tap1 -j cli_http_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out + + ####### Forward TAP2 ssh, http and https ###### + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out + # + # #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip + # + # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp + # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + + # Tap1 and Tap2 can access external https + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in + + #Less noise + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP + + ####### Input Chain ###### + $IPT -A INPUT -j blocker + #Less noise + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP + + 
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in + + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp + + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp + + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in + + ####### Output Chain ###### + $IPT -A OUTPUT -j blocker + + #Less noise + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP + + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out + + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out + + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out + #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out + #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out + + ####### PostRouting Chain ###### + #Less noise + #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + #$IPT -t nat -A POSTROUTING -o ${BR_IF} 
-s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT + + #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE + + ## log everything else and drop + iptables_log + + #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " + # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + + iptables-save > /etc/iptables/net.v4 + exit 0 + ;; + + server) + iptables_clear + iptables_tables + + echo "setting server network..." + + # Unlimited on loopback + $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + + ####### Input Chain ###### + $IPT -A INPUT -j blocker + + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in + #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in + + + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in + + ####### Output Chain ###### + $IPT -A OUTPUT -j blocker + + $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out + #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out + + $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out + $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out + + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j 
srv_ssh_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out + + ## log everything else and drop + iptables_log + + iptables-save > /etc/iptables/net.v4 + exit 0 + + ;; + *) + + echo "usage: $0 [start|stop|restart]" + ;; +esac + diff --git a/core/scripts/setup-iso.sh b/core/scripts/setup-iso.sh index 11a38bc..ddad787 100644 --- a/core/scripts/setup-iso.sh +++ b/core/scripts/setup-iso.sh @@ -1,19 +1,18 @@ #!/bin/sh -ISO_DIR=$1 -CHROOT="/mnt" - -ISO_URL="https://serverop.de/crux/crux-3.3/iso/crux-3.3.iso" -MD5_URL="https://serverop.de/crux/crux-3.3/iso/crux-3.3.md5" - -ISO_FILE="${ISO_DIR}/crux-3.3.iso" -MD5_FILE="${ISO_DIR}/crux-3.3.md5" +# location of iso and md5 file +ISO_DIR="/usr/ports/iso" +ISO_FILE="${ISO_DIR}/crux-3.4.iso" +MD5_FILE="${ISO_DIR}/crux-3.4.md5" +# iso and md5 remote location +#ISO_URL="https://serverop.de/crux/crux-3.4/iso/crux-3.4.iso" +ISO_URL="https://ftp.spline.inf.fu-berlin.de/pub/crux/crux-3.4/iso/crux-3.4.iso" +MD5_URL="https://serverop.de/crux/crux-3.4/iso/crux-3.4.md5" # First we define the function -ConfirmOrExit () -{ +ConfirmOrExit () { while true do echo -n "Please confirm (y or n) :" @@ -30,7 +29,7 @@ ConfirmOrExit () echo "You entered $CONFIRM. Continuing ..." } -prepare_iso() { +download_iso() { mkdir -p ${ISO_DIR} 
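Review bot: The image and its checksum now come from different hosts — ISO_URL was switched to ftp.spline.inf.fu-berlin.de while MD5_URL stays on serverop.de — so the md5sum comparison that check_iso later runs only shows that the two hosts agree, not that either file is the one the project published; keep both on one origin, or record why they differ with a comment above MD5_URL such as `# ISO and MD5 must come from the same release/mirror; a checksum fetched elsewhere only proves the two mirrors agree`. The crux-3.4 version is also repeated in ISO_FILE, MD5_FILE and both URLs here, and again in the -r handler of the next hunk; a single `CRUX_VER=3.4` expanded in each would keep them from drifting on the next bump. ConfirmOrExit's body continues outside the hunk.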
@@ -50,22 +49,90 @@ prepare_iso() { cd ${ISO_DIR} && { curl -k -O ${MD5_URL} ; cd -; } fi +} + +check_iso() { if cd ${ISO_DIR} && md5sum -c ${MD5_FILE} ; then echo "Valid iso md5sum" else echo "Invalid iso md5sum" fi +} + +mount_iso() { + + if [ ! -f $ISO_FILE ]; + then + echo "File $ISO_FILE does not exist." + exit 0 + fi modprobe isofs modprobe loop - mount -o loop $ISO_FILE $CHROOT/media + mount -o loop $ISO_FILE /media +} + +print_data() { + echo "1.1.1 Paths to iso and md5 files:" + echo "iso dir: ${ISO_DIR}" + echo "iso file: ${ISO_FILE}" + echo "md5 file: ${MD5_FILE}" + echo "iso url: ${ISO_URL}" + echo "md5 url: ${MD5_URL}" } -echo "1.1.1 Paths to iso and md5 files:" -echo "dir: ${ISO_DIR}" -echo "iso url: ${ISO_URL}" -echo "md5 url: ${MD5_URL}" +print_help() { + echo "usage: setup-iso [options]" + echo "options:" + echo " -r, --root default dir is /usr/ports/iso" + echo " -d, --download download iso" + echo " -c, --check check iso md5sum" + echo " -m, --mount mount iso on /media " + echo " -h, --help print help and exit" +} + +while [ "$1" ]; do + case $1 in + -r|--root) + ISO_DIR=$2 + + ISO_FILE="${ISO_DIR}/crux-3.4.iso" + MD5_FILE="${ISO_DIR}/crux-3.4.md5" + + shift ;; + -d|--download) + echo "Download iso:" + echo "_____________________" + print_data + ConfirmOrExit + download_iso + exit 0 ;; + -c|--check) + echo "Check iso md5sum:" + echo "_____________________" + print_data + ConfirmOrExit + check_iso + exit 0 ;; + -m|--mount) + echo "Check iso md5sum:" + echo "_____________________" + print_data + ConfirmOrExit + mount_iso + exit 0 ;; + -h|--help) + print_help + exit 0 ;; + *) + echo "setup-iso: invalid option $1" + print_help + exit 1 ;; + esac + shift +done -ConfirmOrExit -prepare_iso +echo "setup-iso: no option provided" +print_help +exit 1 diff --git a/core/scripts/setup-target.sh b/core/scripts/setup-target.sh index b0828e5..ecbe018 100755 --- a/core/scripts/setup-target.sh +++ b/core/scripts/setup-target.sh 
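Review bot: check_iso reports a bad checksum only with an echo and falls through, and the `-c` arm then runs `exit 0`, so a corrupted or substituted image is indistinguishable from a valid one to any caller; the else branch should end with `exit 1` (or `return 1`, with the arm propagating it). mount_iso has the same shape — a missing ISO_FILE prints a message and then `exit 0` — and it mounts without calling check_iso first, so `-m` never verifies what it mounts; `-m` also prints the `Check iso md5sum:` banner copied from `-c` and should read `echo "Mount iso:"`. Note too that the unchanged download line in this hunk fetches the md5 file with `curl -k`, which disables certificate verification, so the checksum itself arrives unauthenticated; dropping `-k` (or documenting why it is required) is what makes `md5sum -c` meaningful against an on-path substitution rather than only against transfer corruption.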
@@ -13,7 +13,7 @@ SCRIPTPATH=$(dirname "$SCRIPT") DIR=$(dirname "$SCRIPTPATH"); DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; -ISO_FILE="${DIR_LOCAL}/crux-3.3.iso" +ISO_FILE="${DIR_LOCAL}/crux-3.4.iso" ##read BLK_EFI BLK_EFI="${DEV}2" |