author | Silvino Silva <silvino@bk.ru> | 2016-10-16 23:43:13 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2016-10-16 23:43:13 +0100 |
commit | 4228927f72757b63f2121e041a734c86f69f7fd1 (patch) | |
tree | 565bf56712cf31e86c6672001df7029d0892f008 /core | |
parent | 4006c1d2a5c82f9136f82b035e4083b487b01b5b (diff) | |
parent | 64f6ca67031660f60ae6251b617f0afcce16b525 (diff) | |
download | doc-4228927f72757b63f2121e041a734c86f69f7fd1.tar.gz |
release 0.2.6
Diffstat (limited to 'core')
-rw-r--r-- | core/conf/hosts | 4 | ||||
-rw-r--r-- | core/conf/iptables/rules.v4 | 140 | ||||
-rwxr-xr-x | core/conf/rc.d/net | 8 | ||||
-rwxr-xr-x | core/conf/rc.d/wlan | 2 | ||||
-rw-r--r-- | core/configure.html | 4 | ||||
-rw-r--r-- | core/network.html | 79 | ||||
-rw-r--r-- | core/scripts/iptables.sh | 334 | ||||
-rw-r--r-- | core/scripts/setup-install.sh | 1 |
8 files changed, 183 insertions, 389 deletions
diff --git a/core/conf/hosts b/core/conf/hosts index a0e80ae..ee776e2 100644 --- a/core/conf/hosts +++ b/core/conf/hosts @@ -4,10 +4,10 @@ # IPv4 127.0.0.1 localhost.localdomain localhost -127.0.0.1 c9.core c9 +127.0.0.1 c9.localdomain c9 #<ip-address> <hostname.domain.org> <aliases> -10.0.0.1 core.privat-network.net core +192.168.1.9 core.privat-network.net c9.core # IPv6 #::1 ip6-localhost ip6-loopback diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4 new file mode 100644 index 0000000..848603c --- /dev/null +++ b/core/conf/iptables/rules.v4 
@@ -0,0 +1,140 @@
+# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+*security
+:INPUT ACCEPT [6:2056]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [6:2056]
+COMMIT
+# Completed on Sat Oct 15 17:20:41 2016
+# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+*raw
+:PREROUTING ACCEPT [7:2092]
+:OUTPUT ACCEPT [6:2056]
+COMMIT
+# Completed on Sat Oct 15 17:20:41 2016
+# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+*mangle
+:PREROUTING ACCEPT [7:2092]
+:INPUT ACCEPT [6:2056]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [6:2056]
+:POSTROUTING ACCEPT [6:2056]
+COMMIT
+# Completed on Sat Oct 15 17:20:41 2016
+# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i br0 -j ACCEPT
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A INPUT -f -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+#################################################################################
+# INPUT
+# Established connections and passive
+#
+
+# Allow established from dns server
+#-A INPUT -i wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# INPUT accept passive
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
+# Allow established from http server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow established from https server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -i wlp7s0 -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow established from rsync server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow established from pop3s server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow established from smtps server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow established from ntp server
+-A INPUT -i wlp7s0 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow established from whois server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow established from ftp server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+##################################################################################
+# INPUT
+# New and established connections to local servers
+#
+
+# INPUT accept from wlp7s0 to dns server
+-A INPUT -i wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+# INPUT accept from wlp7s0 to https server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+# INPUT accept from wlp7s0 to ssh server
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
+
+
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+
+##################################################################################
+# Output
+# Connections to remote servers
+#
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -o br0 -j ACCEPT
+
+# Allow dns
+#-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+# Allow to rsync server
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to pop3s server
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to smtps server
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ntp server
+-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ftp server
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to https server
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to http server
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+##################################################################################
+# Output
+# Connections from local servers
+#
+
+# Allow from ssh server
+-A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow from dns server
+-A OUTPUT -o wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+-A OUTPUT -j LOG --log-prefix 
"iptables: OUTPUT: " --log-level 7 +COMMIT +# Completed on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +*nat +:PREROUTING ACCEPT [1:36] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Sat Oct 15 17:20:41 2016 diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net index d46583b..53224af 100755 --- a/core/conf/rc.d/net +++ b/core/conf/rc.d/net @@ -9,9 +9,9 @@ TYPE="static" # For "static" connections, specify your settings here: # To see your available devices run "ip link". DEV=enp8s0 -ADDR=10.0.0.1 +ADDR=192.168.1.9 MASK=24 -GW=10.0.0.1 +GW=192.168.1.254 # Optional settings: DHCPOPTS="-h $(/bin/hostname) -C resolv.conf $DEV" @@ -23,7 +23,7 @@ case $1 in else /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + /sbin/ip link set ${DEV} up - #/sbin/ip route add default via ${GW} + /sbin/ip route add default via ${GW} fi ;; stop) @@ -31,6 +31,8 @@ case $1 in /usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid else + /sbin/ip route del default dev ${DEV} + /sbin/ip route flush dev ${DEV} /sbin/ip link set ${DEV} down /sbin/ip addr flush dev ${DEV} fi diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan index 263cf42..894a69c 100755 --- a/core/conf/rc.d/wlan +++ b/core/conf/rc.d/wlan @@ -33,6 +33,8 @@ case $1 in ( $SSD --stop --retry 10 --pidfile $PID_DHCP $SSD --stop --retry 10 --pidfile $PID_WIFI ) RETVAL=$? + /sbin/ip route del default dev ${DEV} + /sbin/ip route flush dev ${DEV} /sbin/ip link set ${DEV} down /sbin/ip addr flush dev ${DEV} ;; diff --git a/core/configure.html b/core/configure.html index 7653af9..d7bbc25 100644 --- a/core/configure.html +++ b/core/configure.html @@ -61,10 +61,10 @@ <pre> # IPv4 127.0.0.1 localhost.localdomain localhost - 127.0.0.1 c9.core c9 + 127.0.0.1 c9.localdomain c9 #<ip-address> <hostname.domain.org> <aliases> - 10.0.0.1 core.privat-network.net core + 192.168.1.9 core.privat-network.net c9.core # IPv6 #::1 ip6-localhost ip6-loopback 
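Review bot: `-A INPUT -i br0 -j ACCEPT` and `-A OUTPUT -o br0 -j ACCEPT` in the new rules.v4 accept every packet on the bridge unconditionally, yet nothing in the file says what br0 bridges; if the uplink facing the router ever becomes a bridge member, the whole filter table is bypassed for that traffic. A comment above the rule such as `# br0: trusted LAN-side bridge, passed unfiltered — never add the uplink (wlp7s0) to it` would make the assumption explicit for anyone using the file as the template network.html now recommends. The outbound DNS rule under `# Allow dns` is commented out while the OUTPUT policy is DROP, so queries to an upstream resolver over wlp7s0 are logged and dropped; presumably a local resolver on lo/br0 answers instead, which is worth stating in the same comment, otherwise the rule should be re-enabled. Since this is meant as a template rather than a snapshot, the saved counters (`[6:2056]`, `[7:2092]`, `[1:36]`) and the `# Generated by` timestamp lines are noise; resetting counters to `[0:0]` keeps the file diff-stable across re-saves.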
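Review bot: In the stop branch of core/conf/rc.d/net the added `/sbin/ip route del default dev ${DEV}` is redundant with the `/sbin/ip route flush dev ${DEV}` on the next added line, and it prints an error whenever no default route exists on the device (for example after a start that never reached `ip route add`); keeping only the flush line gives the same end state without the spurious message. The same two lines are added to the stop branch of core/conf/rc.d/wlan, where the same applies. In the start branch the now-uncommented `/sbin/ip route add default via ${GW}` is unguarded, so an empty `GW` produces a usage error from ip and the script appears to carry on as if the interface were fully up; `[ -n "${GW}" ] && /sbin/ip route add default via ${GW}` would make the dependency on GW explicit. The enclosing `case $1 in` block starts and ends outside these hunks.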
diff --git a/core/network.html b/core/network.html index b8b7617..e1b590d 100644 --- a/core/network.html +++ b/core/network.html @@ -29,10 +29,7 @@ <h2 id="resolv">2.1.1. Resolver</h2> - <p>Configure your resolver with a server that don't censorship there for - respect your freedom and privacy. Read - <a href="https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers#PublicDNSServers">Tor Dns Resolver</a> - for more information. This example will use + <p>This example will use <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a> server, edit /etc/resolv.conf and make it immutable;</p> @@ -51,6 +48,20 @@ <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p> <pre> + Address: 192.168.0.1 11000000.10101000.00000000 .00000001 + Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 + Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 + => + Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C) + Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111 + HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001 + HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110 + Hosts/Net: 254 (Private Internet) + </pre> + + <p>Other IP class that can used for private network;</p> + + <pre> Address: 10.0.0.1 00001010.00000000.00000000 .00000001 Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 
@@ -62,78 +73,50 @@ Hosts/Net: 254 (Private Internet) </pre> + <p>Manual configuring like net script;</p> + <pre> # DEV=enp8s0 - # ADDR=10.0.0.1 + # ADDR=192.168.1.9 # MASK=24 - # GW=10.0.0.1 - # ip addr flush dev ${DEV} - # ip route flush dev ${DEV} + # GW=192.168.1.254 </pre> <pre> + # ip addr flush dev ${DEV} + # ip route flush dev ${DEV} # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + # ip link set ${DEV} up - </pre> - - <p>Script don't add above network as gateway;</p> - - <pre> # ip route add default via ${GW} </pre> - <p>Other IP class used in home setups;</p> - - <pre> - Address: 192.168.0.1 11000000.10101000.00000000 .00000001 - Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 - Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 - => - Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C) - Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111 - HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001 - HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110 - Hosts/Net: 254 (Private Internet) - </pre> - - <pre> - # DEV=enp8s0 - # ADDR=192.168.1.1 - # MASK=24 - # GW=192.168.1.254 - </pre> - <h2 id="iptables">2.1.3. Iptables</h2> <p>For more information about iptables read <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. You can use - <a href="scripts/iptables.sh">iptables script</a> - at boot time and iptables-save and iptables-restore tools to - configure nat and filtering;</p> + <a href="conf/iptables/rules.v4">/etc/iptables/rules.v4</a> + as template, replace interface by the one facing the router/gateway. 
+ This configuration file is used at boot time by iptables-restore command, + if you use a script or change the rules of running system you can + use iptables-save command to save configuration to a file.</p> <pre> # mkdir /etc/iptables - # cp c9-doc/core/scripts/iptables.sh /etc/iptables/ + # cp c9-doc/core/conf/iptables/rules.v4 /etc/iptables/ + # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/ + # chmod +x /etc/rc.d/iptables </pre> - <p>Adjust iptables to your needs, then;</p> + <p>Adjust rules.v4 to your needs, then;</p> <pre> - # cd /etc/iptables - # sh iptables.sh - # iptables-save > rules.v4 + # sh /etc/rc.d/iptables start </pre> <p>Copy init script, edit if you dont like to let drop when you call stop.</p> - <pre> - # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/ - # vim /etc/rc.d/iptables - # chmod +x /etc/rc.d/iptables - </pre> - <p>Re-configure your rc.conf and add iptables before (w)lan is up;</p> <pre> diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh deleted file mode 100644 index 714a18a..0000000 --- a/core/scripts/iptables.sh +++ /dev/null 
@@ -1,334 +0,0 @@ -#!/bin/sh - -# -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# + -# | -# v -# +-------------+ +------------------+ -# |table: filter| <---+ | table: nat | -# |chain: INPUT | | | chain: PREROUTING| -# +-----+-------+ | +--------+---------+ -# | | | -# v | v -# [local process] | **************** +--------------+ -# | +---------+ Routing decision +------> |table: filter | -# v **************** |chain: FORWARD| -# **************** +------+-------+ -# Routing decision | -# **************** | -# | | -# v **************** | -# +-------------+ +------> Routing decision <---------------+ -# |table: nat | | **************** -# |chain: OUTPUT| | + -# +-----+-------+ | | -# | | v -# v | +-------------------+ -# +--------------+ | | table: nat | -# |table: filter | +----+ | chain: POSTROUTING| -# |chain: OUTPUT | +--------+----------+ -# +--------------+ | -# v -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] -I chain [rulenum] rule-specification -# -# iptables [-t table] -R chain rulenum rule-specification -# -# iptables [-t table] -D chain rulenum -# -# iptables [-t table] -S [chain [rulenum]] -# -# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] -# -# iptables [-t table] -N chain -# -# iptables [-t table] -X [chain] -# -# iptables [-t table] -P chain target -# -# iptables [-t table] -E old-chain-name new-chain-name -# -# rule-specification = [matches...] [target] -# -# match = -m matchname [per-match-options] -# -# -# Targets -# -# can be a user defined chain -# -# ACCEPT - accepts the packet -# DROP - drop the packet on the floor -# QUEUE - packet will be stent to queue -# RETURN - stop traversing this chain and -# resume ate the next rule in the -# previeus (calling) chain. 
-# -# if packet reach the end of the chain or -# a target RETURN, default policy for that -# chain is applayed. -# -# Target Extensions -# -# AUDIT -# CHECKSUM -# CLASSIFY -# DNAT -# DSCP -# LOG -# Torn on kernel logging, will print some -# some information on all matching packets. -# Log data can be read with dmesg or syslogd. -# This is a non-terminating target and a rule -# should be created with matching criteria. -# -# --log-level level -# Level of logging (numeric or see sys- -# log.conf(5) -# -# --log-prefix prefix -# Prefix log messages with specified prefix -# up to 29 chars log -# -# --log-uid -# Log the userid of the process with gener- -# ated the packet -# NFLOG -# This target pass the packet to loaded logging -# backend to log the packet. One or more userspace -# processes may subscribe to the group to receive -# the packets. -# -# ULOG -# This target provides userspace logging of maching -# packets. One or more userspace processes may then -# then subscribe to various multicast groups and -# then receive the packets. -# -# -# Commands -# -# -A, --append chain rule-specification -# -C, --check chain rule-specification -# -D, --delete chain rule-specification -# -D, --delete chain rulenum -# -I, --insert chain [rulenum] rule-specification -# -R, --replace chain rulenum rule-specification -# -L, --list [chain] -# -P, --policy chain target -# -# Parameters -# -# -p, --protocol protocol -# tcp, udp, udplite, icmp, esp, ah, sctp, all -# -s, --source address[/mask][,...] -# -d, --destination address[/mask][,...] -# -j, --jump target -# -g, --goto chain -# -i, --in-interface name -# -o, --out-interface name -# -f, --fragment -# -m, --match options module-name -# iptables can use extended packet matching -# modules. 
-# -c, --set-counters packets bytes - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" -PUB_IF="wlp7s0" -DHCP_SERV="192.168.1.1" -#PUB_IP="192.168.1.65" -#PRIV_IF="wlp3s0" - -modprobe ip_conntrack -modprobe ip_conntrack_ftp - -echo "Stopping ipv4 firewall and deny everyone..." - -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X - - -echo "Starting ipv4 firewall filter table..." - -# Set Default Rules -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -# Unlimited on local -$IPT -A INPUT -i lo -j ACCEPT -$IPT -A OUTPUT -o lo -j ACCEPT - -# Block sync -$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " -$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP - -# Block Fragments -$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " -$IPT -A INPUT -f -j DROP - -# Block bad stuff -$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP - -$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " -$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - -$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " -$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - -$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " -$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - -$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 
--log-prefix "iptables: drop fin scan: " -$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - -$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - -##### Add your AP rules below ###### - -#echo 1 > /proc/sys/net/ipv4/ip_forward -#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} -#$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT -#$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT - -#$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT -#$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT - -##### Server rules below ###### - -#echo "Allow ICMP" -#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT - -#echo "Allow DNS Server" -#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT - -#echo "Allow HTTP and HTTPS server" -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT - -#echo "Allow ssh server" -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT - -##### Add your rules below 
###### - -echo "Allow DNS Client" - -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow Whois Client" - -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow HTTP Client" - -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow Rsync Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT - -echo "Allow POP3S Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT - -echo "Allow SMTPS Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT - -echo "Allow NTP Client" -$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT - -$IPT -A INPUT -i ${PUB_IF} 
-p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow IRC Client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT - -echo "Allow Active FTP Client" -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT - -echo "Allow Git" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT - -echo "Allow ssh client" -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT - -#echo "Allow Passive Connections" -$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT -$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT - - -# echo "Allow FairCoin" -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT -# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT -# -# echo "Allow Dashcoin" -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT -# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT -# -# echo "Allow warzone2100" -# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT -# -# echo "Allow wesnoth" -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT -# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT - -##### END your rules 
############ -# Less log of known traffic - -# RIP protocol -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP - -# DHCP -$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT - -# log everything else and drop -$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " -$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - -exit 0 diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh index 7625519..4ca01ff 100644 --- a/core/scripts/setup-install.sh +++ b/core/scripts/setup-install.sh @@ -209,6 +209,7 @@ setup_crux() { vim $CHROOT/etc/fstab echo "1.2.6. Initialization Scripts;" + cp $DIR_CONF/rc.d/* $CHROOT/etc/rc.d/ cp $DIR_CONF/rc.conf $CHROOT/etc/ vim $CHROOT/etc/rc.conf |
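Review bot: The added `cp $DIR_CONF/rc.d/* $CHROOT/etc/rc.d/` leaves both expansions unquoted and unchecked; a whitespace-containing path splits into several arguments, and an empty `CHROOT` turns the destination into the host's own `/etc/rc.d/`, silently overwriting the running system's init scripts with the repository copies. `cp "$DIR_CONF"/rc.d/* "$CHROOT/etc/rc.d/"` keeps the intent, and a `: "${DIR_CONF:?}" "${CHROOT:?}"` assertion near the top of setup_crux() would protect the neighbouring `cp` and `vim` lines as well. setup_crux() starts and ends outside the hunk.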