diff options
author | Silvino Silva <silvino@bk.ru> | 2017-03-01 21:27:03 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2017-05-13 16:40:44 +0100 |
commit | 079066bc153f3a6fe84b5da0b8fa8e584641b46d (patch) | |
tree | 5ed282dccdd6b8004a86f9c765843f0f5852f9c9 /core | |
parent | 40fc398cab05e1ae769554a50fb423ca38c3bfb6 (diff) | |
download | doc-079066bc153f3a6fe84b5da0b8fa8e584641b46d.tar.gz |
overall revision
Diffstat (limited to 'core')
-rw-r--r-- | core/conf/iptables/iptables-lan.sh | 578 | ||||
-rw-r--r-- | core/configure.html | 1 | ||||
-rw-r--r-- | core/grsecurity.html | 7 | ||||
-rw-r--r-- | core/reboot.html | 2 | ||||
-rw-r--r-- | core/toolchain.html | 19 |
5 files changed, 323 insertions, 284 deletions
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index 58d92c3..491bc3b 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh @@ -1,322 +1,336 @@ #!/bin/sh -#------------------------------------------------------------------------------ # -# File: iptables_mint17.sh +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX # -# http://www.hardenedlinux.org +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# Reference: Ruslan Abuzant <ruslan@abuzant.com>, http://www.hackersgarage.com/ -# Changed by: Silvino Silva <silvino@bk.ru> +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# License: GNU GPL (version 2, or any later version). +# iptables [-t table] -I chain [rulenum] rule-specification # -# Configuration. -#------------------------------------------------------------------------------ - -# For debugging use iptables -v. -IPTABLES="/usr/sbin/iptables" -IP6TABLES="/usr/sbin/ip6tables" -MODPROBE="/sbin/modprobe" -RMMOD="/sbin/rmmod" -ARP="/usr/sbin/arp" - -# NIC interfaces -NIC_NAME="enp8s0 wlp7s0" - -# Logging options. -#------------------------------------------------------------------------------ -LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" - - -# Defaults for rate limiting -#------------------------------------------------------------------------------ -RLIMIT="-m limit --limit 3/s --limit-burst 8" - - -# Unprivileged ports. -#------------------------------------------------------------------------------ -PHIGH="1024:65535" -PSSH="1000:1023" - - -# Load required kernel modules -#------------------------------------------------------------------------------ -$MODPROBE ip_conntrack_ftp -$MODPROBE ip_conntrack_irc - - -# Mitigate ARP spoofing/poisoning and similar attacks. -#------------------------------------------------------------------------------ -# Hardcode static ARP cache entries here -# $ARP -s IP-ADDRESS MAC-ADDRESS - - -# Default policies. -#------------------------------------------------------------------------------ - -# Drop everything by default. -$IPTABLES -P INPUT DROP -$IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT DROP - -# Set the nat/mangle/raw tables' chains to DROP - -$IPTABLES -t mangle -P PREROUTING ACCEPT -$IPTABLES -t mangle -P INPUT ACCEPT -$IPTABLES -t mangle -P FORWARD ACCEPT -$IPTABLES -t mangle -P OUTPUT ACCEPT -$IPTABLES -t mangle -P POSTROUTING ACCEPT - -# Cleanup. -#------------------------------------------------------------------------------ - -# Delete all -$IPTABLES -F -$IPTABLES -t mangle -F - -# Delete all -$IPTABLES -X -$IPTABLES -t mangle -X - -# Zero all packets and counters. -$IPTABLES -Z -$IPTABLES -t mangle -Z - -# Completely disable IPv6. -#------------------------------------------------------------------------------ - -# Block all IPv6 traffic -# If the ip6tables command is available, try to block all IPv6 traffic. -#if test -x $IP6TABLES; then -# Set the default policies -# drop everything -#$IP6TABLES -P INPUT DROP -#$IP6TABLES -P FORWARD DROP -#$IP6TABLES -P OUTPUT DROP +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum # -## The mangle table can pass everything -#$IP6TABLES -t mangle -P PREROUTING ACCEPT -#$IP6TABLES -t mangle -P INPUT ACCEPT -#$IP6TABLES -t mangle -P FORWARD ACCEPT -#$IP6TABLES -t mangle -P OUTPUT ACCEPT -#$IP6TABLES -t mangle -P POSTROUTING ACCEPT - -# Delete all rules. -#$IP6TABLES -F 2>/dev/null -#$IP6TABLES -t mangle -F 2>/dev/null +# iptables [-t table] -S [chain [rulenum]] # -## Delete all chains. -#$IP6TABLES -X 2>/dev/null -#$IP6TABLES -t mangle -X 2>/dev/null +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] # -## Zero all packets and counters. -#$IP6TABLES -Z 2>/dev/null -#$IP6TABLES -t mangle -Z 2>/dev/null -#fi - -# Custom user-defined chains. -#------------------------------------------------------------------------------ - -# LOG packets, then ACCEPT. -$IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " -$IPTABLES -A ACCEPTLOG -j ACCEPT - -# LOG packets, then DROP. -$IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " -$IPTABLES -A DROPLOG -j DROP - -# LOG packets, then REJECT. -# TCP packets are rejected with a TCP reset. -$IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " -$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset -$IPTABLES -A REJECTLOG -j REJECT - -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - - -# Only allows RELATED ICMP types -# (destination-unreachable, time-exceeded, and parameter-problem). -# TODO: Rate-limit this traffic? -# TODO: Allow fragmentation-needed? -# TODO: Test. -$IPTABLES -N RELATED_ICMP -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT -$IPTABLES -A RELATED_ICMP -j DROPLOG - -# Make It Even Harder To Multi-PING -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP: -$IPTABLES -A INPUT -p icmp -j DROP -$IPTABLES -A OUTPUT -p icmp -j ACCEPT +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. +# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. +# -c, --set-counters packets bytes + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" +PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" +PUB_IP="192.168.1.33" +PRIV_IF="br0" + +modprobe ip_conntrack +modprobe ip_conntrack_ftp + +echo "Stopping ipv4 firewall and deny everyone..." + +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -t raw -F +iptables -t raw -X +iptables -t security -F +iptables -t security -X + + +echo "Starting ipv4 firewall filter table..." + +# Set Default Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# Unlimited on local +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT + +# Block sync +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP + +# Block Fragments +$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " +$IPT -A INPUT -f -j DROP + +# Block bad stuff +$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + +$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + +##### Add your AP rules below ###### + +echo 1 > /proc/sys/net/ipv4/ip_forward + +$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT +$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT + +$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} +$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT +$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT +# +##### Server rules below ###### -# Only allow the minimally required/recommended parts of ICMP. Block the rest. -#------------------------------------------------------------------------------ +#echo "Allow ICMP" +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT -# TODO: This section needs a lot of testing! +#echo "Allow DNS Server" +#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT -# First, drop all fragmented ICMP packets (almost always malicious). -$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG +echo "Allow HTTP and HTTPS server" +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow all ESTABLISHED ICMP traffic. -$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT +#echo "Allow ssh server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT -# Allow some parts of the RELATED ICMP traffic, block the rest. -$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT +##### Add your rules below ###### -# Allow incoming ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +echo "Allow DNS Client" -# Allow outgoing ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Drop any other ICMP traffic. -$IPTABLES -A INPUT -p icmp -j DROPLOG -$IPTABLES -A OUTPUT -p icmp -j DROPLOG -$IPTABLES -A FORWARD -p icmp -j DROPLOG +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Selectively allow certain special types of traffic. -#------------------------------------------------------------------------------ +echo "Allow Whois Client" -# Allow incoming connections related to existing allowed connections. -$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow outgoing connections EXCEPT invalid -$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +echo "Allow HTTP Client" -# Miscellaneous. -#------------------------------------------------------------------------------ +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ greedyevilsoft -$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP -$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +echo "Allow Rsync Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT -# Explicitly drop invalid incoming traffic -$IPTABLES -A INPUT -m state --state INVALID -j DROP +echo "Allow POP3S Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT -# Drop invalid outgoing traffic, too. -$IPTABLES -A OUTPUT -m state --state INVALID -j DROP +echo "Allow SMTPS Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT -# If we would use NAT, INVALID packets would pass - BLOCK them anyways -$IPTABLES -A FORWARD -m state --state INVALID -j DROP +echo "Allow NTP Client" +$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT -# PORT Scanners (stealth also) -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -# TODO: Some more anti-spoofing rules? For example: -$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +echo "Allow IRC Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT -$IPTABLES -N SYN_FLOOD -$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD -$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN +echo "Allow Active FTP Client" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A SYN_FLOOD -j DROP +echo "Allow Git" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +echo "Allow ssh client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -#$IPTABLES -A INPUT -f -j DROP -$IPTABLES -A INPUT -f -j DROPLOG +#echo "Allow Passive Connections" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT -# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... -# Selectively allow certain inbound connections, block the rest. -#------------------------------------------------------------------------------ +# echo "Allow FairCoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow Dashcoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow warzone2100" +# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT +# +# echo "Allow wesnoth" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT -# Allow incoming SSH requests. -#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT +##### END your rules ############ +# Less log of known traffic -# Allow incoming https server -#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT +# RIP protocol +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP +# DHCP +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT -# Selectively allow certain outbound connections, block the rest. -#------------------------------------------------------------------------------ -# +# log everything else and drop +$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " +$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -# Allow ping -$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients -$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow irc -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to xmmp -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to rsync server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -# Selectively allow certain outbound server connections, block the rest. -#------------------------------------------------------------------------------ - -# Allow from https server -#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT - -# Allow from dns server -#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT - -# Explicitly log and reject everything else. -#------------------------------------------------------------------------------ -# Use REJECT instead of REJECTLOG if you don't need/want logging. -$IPTABLES -A INPUT -j DROPLOG -$IPTABLES -A OUTPUT -j DROPLOG -$IPTABLES -A FORWARD -j REJECTLOG - -# Counter hits - -#for i in $NIC_NAME -#do -# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set -# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP -#done - -#------------------------------------------------------------------------------ -# Testing the firewall. -#------------------------------------------------------------------------------ - -# You should check/test that the firewall really works, using -# iptables -vnL, nmap, ping, telnet, ... - -# Exit gracefully. -#------------------------------------------------------------------------------ exit 0 diff --git a/core/configure.html b/core/configure.html index 6349b65..b3ca259 100644 --- a/core/configure.html +++ b/core/configure.html @@ -253,6 +253,7 @@ pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0 UUID=36e9e1d5-8356-451e-a301-81098b9a15ea /srv ext4 defaults,nodev,errors=remount-ro 0 0 UUID=cd15196a-69f1-4fb4-9730-a384c62add91 /home ext4 defaults,nodev,nosuid,errors=remount-ro 0 0 + #UUID=04f07488ce7b36205acc6d404dcf924643660ac5 # End of file </pre> diff --git a/core/grsecurity.html b/core/grsecurity.html index 30ee28c..48ac2b2 100644 --- a/core/grsecurity.html +++ b/core/grsecurity.html @@ -15,7 +15,7 @@ <a href="../core/reboot.html#linux">port kernel</a>, for manual configuration check <a href="linux.html">linux kernel</a>. Configuration is not enable by default, groups with special permissions and other - protections are set with <a href="sysctl.html">sysctl.html</a>;</p> + protections are set with <a href="sysctl.html">sysctl</a>;</p> <dl> @@ -56,6 +56,11 @@ <dd>Deny server sockets to this group.</dd> </dl> + <p>At run time you can change some configurations;</p> + + <pre> + # cat /proc/sys/kernel/grsecurity/what_ever_setting + </pre> <p>Kernel configuration related to grsecurity;</p> diff --git a/core/reboot.html b/core/reboot.html index c60265a..aa45a0f 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -99,7 +99,7 @@ # grub-probe --target=hints_string / </pre> - <h3>Rescue iso</h3> + <h3>1.4.3.1. Rescue iso</h3> <p>Simple way to have "resque" system is to mount boot as read only, this assures that even as root nothing can be changed without remount. diff --git a/core/toolchain.html b/core/toolchain.html index b5d4bb1..04b58e3 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -74,6 +74,25 @@ export LDFLAGS="" </pre> + <h4>Openssl</h4> + + <p>Replace openssl by libressl, view if + <a href="https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/libressl/Pkgfile">libressl port</a> from 6c37-dropin is updated with + latest <a href="https://raw.githubusercontent.com/libressl-portable/portable/master/ChangeLog">libressl upstream</a>. First install libressl + to ensure it gets all the sources; + + <pre> + $ sudo prt-get depinst libressl + </pre> + + <p>After complaining about openssl files remove openssl; + + <pre> + $ sudo prt-get remove openssl + $ sudo prt-get depinst libressl + </pre> + + <h4>libcap</h4> <ul> |