author | Silvino Silva <silvino@bk.ru> | 2016-09-28 06:45:50 +0100 |
committer | Silvino Silva <silvino@bk.ru> | 2016-09-28 06:45:50 +0100 |
commit | ba6cbac7b30288ac5582f37a3e0e1ba323b83b75 (patch) | |
tree | 2f454fdd29b725cb0b1c7912e3be962afa2de6fc /core | |
parent | c0251af1c2c9a35fc395a8e911aa345519f6b878 (diff) | |
parent | 2f30196609c9ef1c7e0b03fc0f6a7a60c0c5526e (diff) | |
download | doc-ba6cbac7b30288ac5582f37a3e0e1ba323b83b75.tar.gz |
Merge branch 'f-net' into develop
Diffstat (limited to 'core')
-rw-r--r-- | core/conf/rc.d/iptables | 50 | ||||
-rwxr-xr-x | core/conf/rc.d/net | 2 | ||||
-rw-r--r-- | core/network.html | 33 |
3 files changed, 74 insertions, 11 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 2d77722..3f29928 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,12 +1,12 @@ #!/bin/sh # -# /etc/rc.d/iptables: load/unload iptable rules +# /etc/rc.d/iptables: load/unload iptable rules # case $1 in start) echo "Starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore < /etc/iptables/rules.v4 + /usr/sbin/iptables-restore < /etc/iptables/rules.v4 ;; stop) echo "Stopping firewall and deny everyone..."
@@ -21,16 +21,60 @@ stop) iptables -t security -F iptables -t security -X - /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + + ;; +open) + echo "Outgoing Open firewall and deny everyone..." + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + + /usr/sbin/iptables -P INPUT DROP + /usr/sbin/iptables -P FORWARD DROP + /usr/sbin/iptables -P OUTPUT ACCEPT + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ;; + restart) $0 stop $0 start ;; *) + echo "usage: $0 [start|stop|restart]" ;; esac
diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net
index 2b94af0..d46583b 100755
--- a/core/conf/rc.d/net
+++ b/core/conf/rc.d/net
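Review bot: The usage text added at the end of the hunk, `echo "usage: $0 [start|stop|restart]"`, omits the `open` target introduced in the same hunk; it should read `echo "usage: $0 [start|stop|open|restart]" >&2` and be followed by a non-zero `exit` so a typo in the argument is not reported as success (the enclosing `case` starts before the hunk). In the `open)` arm the return-traffic rules accept only tcp and udp with `--dport 1024:` in state ESTABLISHED,RELATED, so RELATED ICMP (fragmentation-needed or destination-unreachable replies to the host's own outgoing traffic) falls through to the LOG rule and the INPUT DROP policy; a protocol-agnostic `/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, or an explicit `-p icmp` RELATED rule, avoids that. The new arm also sets `-P INPUT DROP` and `-P FORWARD DROP` only after the `-F`/`-X` flush sequence, which leaves a brief window with the previous policy and no rules; issuing the `-P ... DROP` lines before the flush closes it. Finally the arm mixes bare `iptables` with `/usr/sbin/iptables`; since an rc script may run with a minimal PATH, one absolute path throughout is safer and easier to read.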
@@ -31,8 +31,6 @@ case $1 in /usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid else - # /sbin/ip route del default - /sbin/ip route flush dev ${DEV} /sbin/ip link set ${DEV} down /sbin/ip addr flush dev ${DEV} fi
diff --git a/core/network.html b/core/network.html
index 39fc9c2..ce4643b 100644
--- a/core/network.html
+++ b/core/network.html
@@ -23,9 +23,9 @@ connection to router and add as default gateway.</dd> </dl> - <p>If is first boot after install configure iptables and - one of above described scripts then proceed to upgrade your - system.</p> + <p>If is first boot after install configure iptables and + one of above described scripts then proceed to upgrade your + system.</p> <h2 id="resolv">2.1.1. Resolver</h2>
@@ -113,8 +113,16 @@ configure nat and filtering;</p> <pre> +<<<<<<< HEAD # mkdir /etc/iptables # cp c9-doc/core/scripts/iptables.sh /etc/iptables/ +======= + DEV=tap0 + ADDR=10.0.0.1 + NET=10.0.0.0 + MASK=24 + GW=10.0.0.1 +>>>>>>> core network revision </pre> <p>Adjust iptables to your needs, then;</p>
@@ -129,9 +137,22 @@ let drop when you call stop.</p> <pre> +<<<<<<< HEAD # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/ # vim /etc/rc.d/iptables # chmod +x /etc/rc.d/iptables +======= + # ip link add name ${DEV} type bridge + # ip link set dev ${DEV} up + + # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast 10.0.0.255 + # ip addr add 0.0.0.0/${MASK} dev ${DEV} broadcast + + + # ip tuntap add ${TAP} mode tap group kvm + # ip link set dev ${TAP} up + + # ip link set dev ${TAP} master ${DEV} +>>>>>>> core network revision </pre> <p>Re-configure your rc.conf and add iptables before (w)lan is up;</p>
@@ -187,10 +208,10 @@ </pre> <p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a> - init script to auto load wpa configuration and dhcp + init script to auto load wpa configuration and dhcp client.</p> - <h3>2.1.4.2. Wpa Cli</h3> + <h3>2.1.4.2. Wpa Cli</h3> <pre> # wpa_cli
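Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> core network revision`) are committed into core/network.html in the two `<pre>` hunks at old lines 113 and 129, so the rendered page shows the iptables install commands and the unrelated bridge/tap setup with the marker lines between them. The conflict needs to be resolved by keeping one side, or both as separate sections, and deleting the three marker lines in each block. The bridge/tap text also references `${TAP}` without defining it in the variable block that sets `DEV`, `ADDR`, `NET`, `MASK` and `GW`; if that side is kept, a `TAP=` line alongside them appears to be missing.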
@@ -345,7 +366,7 @@ <p>Change to act as a router (default of conf/sysctl.conf);</p> <pre> - # Act as a router, necessary for Access Point + # Act as a router, necessary for Access Point net.ipv4.ip_forward = 1 net.ipv4.conf.all.send_redirects = 1 net.ipv4.conf.default.send_redirects = 1 |