overall revision

author: Silvino Silva <silvino@bk.ru> 2017-03-01 21:27:03 +0000
committer: Silvino Silva <silvino@bk.ru> 2017-05-13 16:40:44 +0100
commit: 079066bc153f3a6fe84b5da0b8fa8e584641b46d (patch)
tree: 5ed282dccdd6b8004a86f9c765843f0f5852f9c9 /core
parent: 40fc398cab05e1ae769554a50fb423ca38c3bfb6 (diff)
download: doc-079066bc153f3a6fe84b5da0b8fa8e584641b46d.tar.gz
5 files changed, 323 insertions, 284 deletions
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh
index 58d92c3..491bc3b 100644
--- a/core/conf/iptables/iptables-lan.sh
+++ b/core/conf/iptables/iptables-lan.sh
@@ -1,322 +1,336 @@
 #!/bin/sh
 
-#------------------------------------------------------------------------------
 #
-# File: iptables_mint17.sh
+#                                XXXXXXXXXXXXXXXXX
+#                                XXXX Network XXXX
+#                                XXXXXXXXXXXXXXXXX
+#                                        +
+#                                        |
+#                                        v
+#  +-------------+              +------------------+
+#  |table: filter| <---+        | table: nat       |
+#  |chain: INPUT |     |        | chain: PREROUTING|
+#  +-----+-------+     |        +--------+---------+
+#        |             |                 |
+#        v             |                 v
+#  [local process]     |           ****************          +--------------+
+#        |             +---------+ Routing decision +------> |table: filter |
+#        v                         ****************          |chain: FORWARD|
+# ****************                                           +------+-------+
+# Routing decision                                                  |
+# ****************                                                  |
+#        |                                                          |
+#        v                        ****************                  |
+# +-------------+       +------>  Routing decision  <---------------+
+# |table: nat   |       |         ****************
+# |chain: OUTPUT|       |               +
+# +-----+-------+       |               |
+#       |               |               v
+#       v               |      +-------------------+
+# +--------------+      |      | table: nat        |
+# |table: filter | +----+      | chain: POSTROUTING|
+# |chain: OUTPUT |             +--------+----------+
+# +--------------+                      |
+#                                       v
+#                               XXXXXXXXXXXXXXXXX
+#                               XXXX Network XXXX
+#                               XXXXXXXXXXXXXXXXX
 #
-# http://www.hardenedlinux.org
+# iptables [-t table] {-A|-C|-D} chain rule-specification
 #
-# Reference: Ruslan Abuzant <ruslan@abuzant.com>,  http://www.hackersgarage.com/
-# Changed by: Silvino Silva <silvino@bk.ru>
+# iptables [-t table] {-A|-C|-D} chain  rule-specification
 #
-# License: GNU GPL (version 2, or any later version).
+# iptables  [-t table] -I chain [rulenum] rule-specification
 #
-# Configuration.
-#------------------------------------------------------------------------------
-
-# For debugging use iptables -v.
-IPTABLES="/usr/sbin/iptables"
-IP6TABLES="/usr/sbin/ip6tables"
-MODPROBE="/sbin/modprobe"
-RMMOD="/sbin/rmmod"
-ARP="/usr/sbin/arp"
-
-# NIC interfaces
-NIC_NAME="enp8s0 wlp7s0"
-
-# Logging options.
-#------------------------------------------------------------------------------
-LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options"
-
-
-# Defaults for rate limiting
-#------------------------------------------------------------------------------
-RLIMIT="-m limit --limit 3/s --limit-burst 8"
-
-
-# Unprivileged ports.
-#------------------------------------------------------------------------------
-PHIGH="1024:65535"
-PSSH="1000:1023"
-
-
-# Load required kernel modules
-#------------------------------------------------------------------------------
-$MODPROBE ip_conntrack_ftp
-$MODPROBE ip_conntrack_irc
-
-
-# Mitigate ARP spoofing/poisoning and similar attacks.
-#------------------------------------------------------------------------------
-# Hardcode static ARP cache entries here
-# $ARP -s IP-ADDRESS MAC-ADDRESS
-
-
-# Default policies.
-#------------------------------------------------------------------------------
-
-# Drop everything by default.
-$IPTABLES -P INPUT DROP
-$IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT DROP
-
-# Set the nat/mangle/raw tables' chains to DROP
-
-$IPTABLES -t mangle -P PREROUTING ACCEPT
-$IPTABLES -t mangle -P INPUT ACCEPT
-$IPTABLES -t mangle -P FORWARD ACCEPT
-$IPTABLES -t mangle -P OUTPUT ACCEPT
-$IPTABLES -t mangle -P POSTROUTING ACCEPT
-
-# Cleanup.
-#------------------------------------------------------------------------------
-
-# Delete all
-$IPTABLES -F
-$IPTABLES -t mangle -F
-
-# Delete all
-$IPTABLES -X
-$IPTABLES -t mangle -X
-
-# Zero all packets and counters.
-$IPTABLES -Z
-$IPTABLES -t mangle -Z
-
-# Completely disable IPv6.
-#------------------------------------------------------------------------------
-
-# Block all IPv6 traffic
-# If the ip6tables command is available, try to block all IPv6 traffic.
-#if test -x $IP6TABLES; then
-# Set the default policies
-# drop everything
-#$IP6TABLES -P INPUT DROP
-#$IP6TABLES -P FORWARD DROP
-#$IP6TABLES -P OUTPUT DROP
+# iptables [-t table] -R chain rulenum  rule-specification
+#
+# iptables [-t table] -D chain rulenum
 #
-## The mangle table can pass everything
-#$IP6TABLES -t mangle -P PREROUTING ACCEPT
-#$IP6TABLES -t mangle -P INPUT ACCEPT
-#$IP6TABLES -t mangle -P FORWARD ACCEPT
-#$IP6TABLES -t mangle -P OUTPUT ACCEPT
-#$IP6TABLES -t mangle -P POSTROUTING ACCEPT
-
-# Delete all rules.
-#$IP6TABLES -F 2>/dev/null
-#$IP6TABLES -t mangle -F 2>/dev/null
+# iptables [-t table] -S [chain [rulenum]]
 #
-## Delete all chains.
-#$IP6TABLES -X 2>/dev/null
-#$IP6TABLES -t mangle -X 2>/dev/null
+# iptables  [-t  table]  {-F|-L|-Z} [chain [rulenum]] [options...]
 #
-## Zero all packets and counters.
-#$IP6TABLES -Z 2>/dev/null
-#$IP6TABLES -t mangle -Z 2>/dev/null
-#fi
-
-# Custom user-defined chains.
-#------------------------------------------------------------------------------
-
-# LOG packets, then ACCEPT.
-$IPTABLES -N ACCEPTLOG
-$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT "
-$IPTABLES -A ACCEPTLOG -j ACCEPT
-
-# LOG packets, then DROP.
-$IPTABLES -N DROPLOG
-$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP "
-$IPTABLES -A DROPLOG -j DROP
-
-# LOG packets, then REJECT.
-# TCP packets are rejected with a TCP reset.
-$IPTABLES -N REJECTLOG
-$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT "
-$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
-$IPTABLES -A REJECTLOG -j REJECT
-
-# Allow loopback interface to do anything.
-$IPTABLES -A INPUT -i lo -j ACCEPT
-$IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-
-# Only allows RELATED ICMP types
-# (destination-unreachable, time-exceeded, and parameter-problem).
-# TODO: Rate-limit this traffic?
-# TODO: Allow fragmentation-needed?
-# TODO: Test.
-$IPTABLES -N RELATED_ICMP
-$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
-$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
-$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
-$IPTABLES -A RELATED_ICMP -j DROPLOG
-
-# Make It Even Harder To Multi-PING
-$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
-$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
-$IPTABLES  -A INPUT -p icmp -j DROP
-$IPTABLES  -A OUTPUT -p icmp -j ACCEPT
+# iptables [-t table] -N chain
+#
+# iptables [-t table] -X [chain]
+#
+# iptables [-t table] -P chain target
+#
+# iptables [-t table]  -E  old-chain-name  new-chain-name
+#
+# rule-specification = [matches...] [target]
+#
+# match = -m matchname [per-match-options]
+#
+#
+# Targets
+#
+# can be a user defined chain
+#
+# ACCEPT - accepts the packet
+# DROP   - drop the packet on the floor
+# QUEUE  - packet will be stent to queue
+# RETURN - stop traversing this chain and
+#          resume ate the next rule in the
+#          previeus (calling) chain.
+#
+# if packet reach the end of the chain or
+# a target RETURN, default policy for that
+# chain is applayed.
+#
+# Target Extensions
+#
+# AUDIT
+# CHECKSUM
+# CLASSIFY
+# DNAT
+# DSCP
+# LOG
+#     Torn on kernel logging, will print some
+#     some information on all matching packets.
+#     Log data can be read with dmesg or syslogd.
+#     This is a non-terminating target and a rule
+#     should be created with matching criteria.
+#
+#     --log-level level
+#           Level of logging (numeric or see sys-
+#           log.conf(5)
+#
+#     --log-prefix prefix
+#           Prefix log messages with specified prefix
+#           up to 29 chars log
+#
+#     --log-uid
+#           Log the userid of the process with gener-
+#           ated the packet
+# NFLOG
+#     This target pass the packet to loaded logging
+#     backend to log the packet. One or more userspace
+#     processes may subscribe to the group to receive
+#     the packets.
+#
+# ULOG
+#     This target provides userspace logging of maching
+#     packets. One or more userspace processes may then
+#     then subscribe to various multicast groups and
+#     then receive the packets.
+#
+#
+# Commands
+#
+# -A, --append chain rule-specification
+# -C, --check chain rule-specification
+# -D, --delete chain rule-specification
+# -D, --delete chain rulenum
+# -I, --insert chain [rulenum] rule-specification
+# -R, --replace chain rulenum rule-specification
+# -L, --list [chain]
+# -P, --policy chain target
+#
+# Parameters
+#
+# -p, --protocol protocol
+#       tcp, udp, udplite, icmp, esp, ah, sctp, all
+# -s, --source address[/mask][,...]
+# -d, --destination address[/mask][,...]
+# -j, --jump target
+# -g, --goto chain
+# -i, --in-interface name
+# -o, --out-interface name
+# -f, --fragment
+# -m, --match options module-name
+#       iptables can use extended packet matching
+#       modules.
+# -c, --set-counters packets bytes
+
+IPT="/usr/sbin/iptables"
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+PUB_IF="wlp7s0"
+DHCP_SERV="192.168.1.1"
+PUB_IP="192.168.1.33"
+PRIV_IF="br0"
+
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+
+echo "Stopping ipv4 firewall and deny everyone..."
+
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
+
+echo "Starting ipv4 firewall filter table..."
+
+# Set Default Rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Unlimited on local
+$IPT -A INPUT -i lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
+
+# Block sync
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Block Fragments
+$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+$IPT -A INPUT -f -j DROP
+
+# Block bad stuff
+$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+
+$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+##### Add your AP rules below ######
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
+$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
+
+$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
+$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
+#
+##### Server rules below ######
 
-# Only allow the minimally required/recommended parts of ICMP. Block the rest.
-#------------------------------------------------------------------------------
+#echo "Allow ICMP"
+$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT
 
-# TODO: This section needs a lot of testing!
+#echo "Allow DNS Server"
+#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53  -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT
 
-# First, drop all fragmented ICMP packets (almost always malicious).
-$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
-$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
-$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
+echo "Allow HTTP and HTTPS server"
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
-# Allow all ESTABLISHED ICMP traffic.
-$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
-$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+#echo "Allow ssh server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
 
-# Allow some parts of the RELATED ICMP traffic, block the rest.
-$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
-$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+##### Add your rules below ######
 
-# Allow incoming ICMP echo requests (ping), but only rate-limited.
-$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+echo "Allow DNS Client"
 
-# Allow outgoing ICMP echo requests (ping), but only rate-limited.
-$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 
-# Drop any other ICMP traffic.
-$IPTABLES -A INPUT -p icmp -j DROPLOG
-$IPTABLES -A OUTPUT -p icmp -j DROPLOG
-$IPTABLES -A FORWARD -p icmp -j DROPLOG
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# Selectively allow certain special types of traffic.
-#------------------------------------------------------------------------------
+echo "Allow Whois Client"
 
-# Allow incoming connections related to existing allowed connections.
-$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# Allow outgoing connections EXCEPT invalid
-$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+echo "Allow HTTP Client"
 
-# Miscellaneous.
-#------------------------------------------------------------------------------
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# We don't care about Milkosoft, Drop SMB/CIFS/etc..
-#                     ^ greedyevilsoft
-$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
-$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+echo "Allow Rsync Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
 
-# Explicitly drop invalid incoming traffic
-$IPTABLES -A INPUT -m state --state INVALID -j DROP
+echo "Allow POP3S Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
 
-# Drop invalid outgoing traffic, too.
-$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+echo "Allow SMTPS Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
 
-# If we would use NAT, INVALID packets would pass - BLOCK them anyways
-$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+echo "Allow NTP Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
 
-# PORT Scanners (stealth also)
-$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
-$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# TODO: Some more anti-spoofing rules? For example:
-$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
+echo "Allow IRC Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT
 
-$IPTABLES -N SYN_FLOOD
-$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
-$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
+echo "Allow Active FTP Client"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-$IPTABLES -A SYN_FLOOD -j DROP
+echo "Allow Git"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT
 
-#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7
-#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
+echo "Allow ssh client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT  -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
-#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
-#$IPTABLES -A INPUT -f -j DROP
-$IPTABLES -A INPUT -f -j DROPLOG
+#echo "Allow Passive Connections"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
 
-# Selectively allow certain inbound connections, block the rest.
-#------------------------------------------------------------------------------
+# echo "Allow FairCoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT
+# 
+# echo "Allow Dashcoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT
+# 
+# echo "Allow warzone2100"
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT
+# 
+# echo "Allow wesnoth"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT
 
-# Allow incoming SSH requests.
-#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+##### END your rules ############
+# Less log of known traffic
 
-# Allow incoming https server
-#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT
+# RIP protocol
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP
 
+# DHCP
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT
 
-# Selectively allow certain outbound connections, block the rest.
-#------------------------------------------------------------------------------
-#
+# log everything else and drop
+$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
 
-# Allow ping
-$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-# Allow to ssh clients
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
-# Allow to dns
-$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow irc
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to xmmp
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-# Allow to rsync server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to pop3s server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to smtps server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to ntp server
-$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to ftp server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to https server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to http server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-# Selectively allow certain outbound server connections, block the rest.
-#------------------------------------------------------------------------------
-
-# Allow from https server
-#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
-
-# Allow from dns server
-#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
-
-# Explicitly log and reject everything else.
-#------------------------------------------------------------------------------
-# Use REJECT instead of REJECTLOG if you don't need/want logging.
-$IPTABLES -A INPUT -j DROPLOG
-$IPTABLES -A OUTPUT -j DROPLOG
-$IPTABLES -A FORWARD -j REJECTLOG
-
-# Counter hits
-
-#for i in $NIC_NAME
-#do
-#	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
-#	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
-#done
-
-#------------------------------------------------------------------------------
-# Testing the firewall.
-#------------------------------------------------------------------------------
-
-# You should check/test that the firewall really works, using
-# iptables -vnL, nmap, ping, telnet, ...
-
-# Exit gracefully.
-#------------------------------------------------------------------------------
 exit 0
diff --git a/core/configure.html b/core/configure.html
index 6349b65..b3ca259 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -253,6 +253,7 @@
         pkgmk                                      /usr/ports/work tmpfs        size=30G,gid=101,uid=100,defaults       0       0
         UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	        defaults,nodev,errors=remount-ro	0	0
         UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4            defaults,nodev,nosuid,errors=remount-ro	0	0
+        #UUID=04f07488ce7b36205acc6d404dcf924643660ac5
 
         # End of file
         </pre>
diff --git a/core/grsecurity.html b/core/grsecurity.html
index 30ee28c..48ac2b2 100644
--- a/core/grsecurity.html
+++ b/core/grsecurity.html
@@ -15,7 +15,7 @@
         <a href="../core/reboot.html#linux">port kernel</a>, for manual
         configuration check <a href="linux.html">linux kernel</a>. Configuration
         is not enable by default, groups with special permissions and other
-        protections are set with <a href="sysctl.html">sysctl.html</a>;</p>
+        protections are set with <a href="sysctl.html">sysctl</a>;</p>
 
         <dl>
 
@@ -56,6 +56,11 @@
         <dd>Deny server sockets to this group.</dd>
 
         </dl>
+        <p>At run time you can change some configurations;</p>
+
+        <pre>
+        # cat /proc/sys/kernel/grsecurity/what_ever_setting
+        </pre>
 
         <p>Kernel configuration related to grsecurity;</p>
 
diff --git a/core/reboot.html b/core/reboot.html
index c60265a..aa45a0f 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -99,7 +99,7 @@
         # grub-probe --target=hints_string /
         </pre>
 
-        <h3>Rescue iso</h3>
+        <h3>1.4.3.1. Rescue iso</h3>
 
         <p>Simple way to have "resque" system is to mount boot as read only,
         this assures that even as root nothing can be changed without remount.
diff --git a/core/toolchain.html b/core/toolchain.html
index b5d4bb1..04b58e3 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -74,6 +74,25 @@
         export LDFLAGS=""
         </pre>
 
+        <h4>Openssl</h4>
+
+        <p>Replace openssl by libressl, view if
+        <a href="https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/libressl/Pkgfile">libressl port</a> from 6c37-dropin is updated with
+        latest <a href="https://raw.githubusercontent.com/libressl-portable/portable/master/ChangeLog">libressl upstream</a>. First install libressl
+        to ensure it gets all the sources;
+
+        <pre>
+        $ sudo prt-get depinst libressl
+        </pre>
+
+        <p>After complaining about openssl files remove openssl;
+
+        <pre>
+        $ sudo prt-get remove openssl
+        $ sudo prt-get depinst libressl
+        </pre>
+
+
         <h4>libcap</h4>
 
         <ul>
author	Silvino Silva <silvino@bk.ru>	2017-03-01 21:27:03 +0000
committer	Silvino Silva <silvino@bk.ru>	2017-05-13 16:40:44 +0100
commit	079066bc153f3a6fe84b5da0b8fa8e584641b46d (patch)
tree	5ed282dccdd6b8004a86f9c765843f0f5852f9c9 /core
parent	40fc398cab05e1ae769554a50fb423ca38c3bfb6 (diff)
download	doc-079066bc153f3a6fe84b5da0b8fa8e584641b46d.tar.gz