author | Silvino Silva <silvino@bk.ru> | 2018-07-16 14:33:23 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2018-07-16 14:33:23 +0100 |
commit | bdea1c23d13c417a00b71654670aed309cfa302a (patch) | |
tree | 397f398b79141f234e18cd4619c96c71d4bf0862 /core | |
parent | 8c5096c08932dc5d636f5ddbc65392dacf3bc962 (diff) | |
download | doc-bdea1c23d13c417a00b71654670aed309cfa302a.tar.gz |
core linux, backup and iptables script fix
Diffstat (limited to 'core')
-rw-r--r-- | core/linux.html | 13 | ||||
-rw-r--r-- | core/scripts/backup-system.sh | 157 | ||||
-rw-r--r-- | core/scripts/iptables.sh | 36 |
3 files changed, 151 insertions, 55 deletions
diff --git a/core/linux.html b/core/linux.html index f04b193..1592fc4 100644 --- a/core/linux.html +++ b/core/linux.html @@ -559,6 +559,9 @@ <dd>HugeTLB file system support</dd> + <dt>CONFIG_FUSE_FS=y</dt> + <dd>FUSE (Filesystem in Userspace) support</dd> + </dl> <h3 id="hack">2.1.2.12 Kernel hacking</h3> @@ -682,6 +685,16 @@ </dl> <h3 id="crypt">2.1.2.14 Cryptographic API</h3> + + <pre> + RIPEMD-160 digest algorithm + SHA384 and SHA512 digest algorithms + Whirlpool digest algorithms + LRW support + Serpent cipher algorithm + Twofish cipher algorithm + </pre> + <h3 id="virt">2.1.2.15 Virtualization</h3> <dl> diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index 49b9873..ba6a961 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -1,4 +1,12 @@ -#!/bin/sh +#!/bin/bash + +ROOT_DIR= +DEST_DIR=/root/backup +PORT_PKG="${DEST_DIR}/crux" +PORT_PRT="${DEST_DIR}/ports" +DATA_CNF="${DEST_DIR}/conf" +DATA_USR="${DEST_DIR}/user" +DATA_SRV="${DEST_DIR}/srv" ConfirmOrExit () { @@ -50,9 +58,9 @@ mkbk_coll_ports() { --directory=$ROOT_DIR/usr/ports/${col} \ --exclude=.git/ \ . - } + mkbk_metadata() { # archive pkgutils data @@ -158,8 +166,8 @@ mkbk_user_metadata() { # encript data #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ - # --encrypt --recipient user@host \ - # "${DATA_USR}/meta-${user}.tar.gz" + # --encrypt --recipient user@host \ + # "${DATA_USR}/meta-${user}.tar.gz" tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ $dir/gitolite-admin 
@@ -167,34 +175,56 @@ mkbk_user_metadata() { done } -echo -n "root directory you want backup (/mnt/):\n " -#read ROOT_DIR -ROOT_DIR=$1 - -echo -n "where you want to save (/home/user):\n " -DEST_DIR=$2 - -# Temporary directory -PORT_PKG="${DEST_DIR}/crux" -PORT_PRT="${DEST_DIR}/ports" -DATA_CNF="${DEST_DIR}/conf" -DATA_USR="${DEST_DIR}/user" -DATA_SRV="${DEST_DIR}/srv" +print_data () { + echo "ROOT_DIR=${ROOT_DIR}" + echo "DEST_DIR=${DEST_DIR}" + echo "PORT_PKG=${PORT_PKG}" + echo "PORT_PRT=${PORT_PRT}" + echo "DATA_CNF=${DATA_CNF}" + echo "DATA_USR=${DATA_USR}" + echo "DATA_SRV=${DATA_SRV}" +} -echo "ROOT_DIR=${ROOT_DIR}" -echo "DEST_DIR=${DEST_DIR}" -echo "PORT_PKG=${PORT_PKG}" -echo "PORT_PRT=${PORT_PRT}" -echo "DATA_CNF=${DATA_CNF}" -echo "DATA_USR=${DATA_USR}" -echo "DATA_SRV=${DATA_SRV}" +print_help() { + echo "usage: backup-system [options]" + echo "options:" + echo " -r, --root root directory to backup, default /" + echo " -d, --destination save backup, default /root/backup" + echo " -h, --help print help and exit" +} +while [ "$1" ]; do + case $1 in + -r|--root) + ROOT_DIR=$2 + if [ ${ROOT_DIR} == "/" ]; then + ROOT_DIR="" + fi + shift ;; + -d|--destination) + DEST_DIR=$2 + + # Destination directory + PORT_PKG="${DEST_DIR}/crux" + PORT_PRT="${DEST_DIR}/ports" + DATA_CNF="${DEST_DIR}/conf" + DATA_USR="${DEST_DIR}/user" + DATA_SRV="${DEST_DIR}/srv" + shift ;; + -h|--help) + print_help + exit 0 ;; + *) + echo "backup-system: invalid option $1" + print_help + exit 1 ;; + esac + shift +done + +print_data ConfirmOrExit -if [ ${ROOT_DIR} == "/" ]; then - ROOT_DIR="" -fi - mkdir -p ${PORT_PKG} mkdir -p ${PORT_PRT} mkdir -p ${DATA_CNF} 
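Review bot: In the new option loop `ROOT_DIR=$2` and `DEST_DIR=$2` take the next word without checking that it exists, so `backup-system -r` with no value leaves ROOT_DIR empty and the unquoted `[ ${ROOT_DIR} == "/" ]` test then aborts with a unary-operator error; quote the expansions and reject a missing value, e.g. `[ -n "$2" ] || { echo "backup-system: option $1 requires an argument" >&2; print_help; exit 1; }` before each assignment and `if [ "${ROOT_DIR}" == "/" ]; then`. The same quoting applies to `case "$1" in` and to the context lines `mkdir -p "${PORT_PKG}"` etc., since a destination path containing a space is otherwise word-split. Because the archives written into DEST_DIR hold /etc configuration and per-user data (the mkbk_etc_conf and mkbk_user_metadata calls in the next hunk), a `umask 077` placed before the `mkdir -p` calls would keep the whole backup tree unreadable by other local users. The five PORT_*/DATA_* derivations under `-d|--destination` repeat the assignments added at the top of the file; a small `set_dest_dir` helper called from both places would stop them drifting apart.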
@@ -204,20 +234,59 @@ mkdir -p ${DATA_SRV} # Light backup data mkbk_metadata mkbk_etc_conf -mkbk_user_metadata -mkbk_srv_www -mkbk_srv_pgsql -mkbk_srv_gitolite - -# Port system -mkbk_coll_ports "core" -mkbk_coll_pkg "core" -mkbk_coll_ports "opt" -mkbk_coll_pkg "opt" -mkbk_coll_ports "contrib" -mkbk_coll_pkg "contrib" -mkbk_coll_ports "xorg" -mkbk_coll_pkg "xorg" - -mkbk_coll_pkg "other" +while true +do + echo -n "Backup user metadata ? Please confirm (y or n) :" + read CONFIRM + case $CONFIRM in + n|N|no|NO|No) break ;; + y|Y|YES|yes|Yes) + echo "Accept - you entered $CONFIRM" + mkbk_user_metadata + break + ;; + *) echo "Please enter only y or n" + esac +done + +while true +do + echo -n "Backup server data ? Please confirm (y or n) :" + read CONFIRM + case $CONFIRM in + n|N|no|NO|No) break ;; + y|Y|YES|yes|Yes) + echo "Accept - you entered $CONFIRM" + mkbk_srv_www + mkbk_srv_pgsql + mkbk_srv_gitolite + break + ;; + *) echo "Please enter only y or n" + esac +done + + +while true +do + echo -n "Backup port system ? Please confirm (y or n) :" + read CONFIRM + case $CONFIRM in + n|N|no|NO|No) break ;; + y|Y|YES|yes|Yes) + echo "Accept - you entered $CONFIRM" + mkbk_coll_ports "core" + mkbk_coll_pkg "core" + mkbk_coll_ports "opt" + mkbk_coll_pkg "opt" + mkbk_coll_ports "contrib" + mkbk_coll_pkg "contrib" + mkbk_coll_ports "xorg" + mkbk_coll_pkg "xorg" + mkbk_coll_pkg "other" + break + ;; + *) echo "Please enter only y or n" + esac +done diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh index 1304210..db1078d 100644 --- a/core/scripts/iptables.sh +++ b/core/scripts/iptables.sh 
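Review bot: Each of the three new prompt loops spins forever once stdin is closed or exhausted, because `read CONFIRM` then fails and leaves CONFIRM empty, which lands in the `*)` arm and returns to the prompt; run under cron or with input redirected the script never finishes. Add `-r` and treat end of input as a refusal, `read -r CONFIRM || break`, in all three loops. The loops differ only in the question and the commands they run, so a `confirm` helper returning 0 for yes and 1 for no (in the spirit of `ConfirmOrExit`, defined earlier in the file outside this hunk) collapses them into three `if` blocks, as sketched below.
```shell
# Ask a yes/no question; returns 0 for yes, 1 for no or end of input.
confirm() {
  local answer
  while true; do
    echo -n "$1 Please confirm (y or n) :"
    read -r answer || return 1
    case $answer in
      n|N|no|NO|No) return 1 ;;
      y|Y|YES|yes|Yes)
        echo "Accept - you entered $answer"
        return 0 ;;
      *) echo "Please enter only y or n" ;;
    esac
  done
}

# … unchanged: mkbk_metadata and mkbk_etc_conf calls …

if confirm "Backup user metadata ?"; then
  mkbk_user_metadata
fi

if confirm "Backup server data ?"; then
  mkbk_srv_www
  mkbk_srv_pgsql
  mkbk_srv_gitolite
fi

if confirm "Backup port system ?"; then
  # … unchanged: mkbk_coll_ports / mkbk_coll_pkg calls for core, opt, contrib, xorg and other …
fi
```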
@@ -265,14 +265,23 @@ case $TYPE in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + # Tap1 can access external http $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out - ####### Forward TAP2 ssh and https ###### + ####### Forward TAP2 ssh, http and https ###### $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out # 
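Review bot: The new tap1↔tap3 and tap2↔tap3 FORWARD rules accept every protocol and port between the guests (`-s ${BR_NET} -d ${BR_NET} -j ACCEPT`), so tap3 gets the same unrestricted lateral access to tap2 that tap1 already has, while tap2's exposure from ${PUB_IF} stays limited to the srv_ssh/srv_http/srv_https chains; nothing in the hunk says what tap3 is. A comment above the new pair stating its role and that full intra-bridge access is intended would make that reviewable, e.g. `# tap3: <ROLE-PLACEHOLDER> - unrestricted access to tap1/tap2 is intended`. If tap3 only needs particular services on tap2, steering it through the existing srv_* chains as the public side does would keep the policy consistent. The six pairwise rules share one template, so a loop over the tap pairs would avoid the drift that comes with each added tap.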
@@ -296,35 +305,40 @@ case $TYPE in #Less noise $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in ####### Output Chain ###### $IPT -A OUTPUT -j blocker + #Less noise $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4 -j srv_dns_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.3 -j srv_dns_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out + #$IPT -A OUTPUT -o 
${BR_IF} -s ${PUB_IP} -j cli_http_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d cli_ssh_out + #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out ####### PostRouting Chain ###### #Less noise @@ -337,8 +351,8 @@ case $TYPE in ## log everything else and drop iptables_log - #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " - # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " + # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " iptables-save > /etc/iptables/net.v4 exit 0 @@ -363,7 +377,7 @@ case $TYPE in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in + #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in @@ -375,7 +389,7 @@ case $TYPE in $IPT -A OUTPUT -j blocker $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out + #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out |
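Review bot: Replacing the two host-specific lines with `-d ${BR_NET} -j srv_dns_out` widens the server-side DNS reply rule from the addresses 10.0.0.4 and 10.0.0.3 to the whole bridge network; that lines up with the `-s ${BR_NET}` scope of the srv_dns_in rules above, but the rule no longer names its clients, so a comment such as `# resolver is offered to every host on ${BR_NET} (tap1-tap3)` records the intent. The rules turned into comments here (`#$IPT ... -j cli_http_out`, `#$IPT ... -j cli_ssh_out`) and in the later hunks of this file at -363 (`#$IPT ... -j cli_http_in`) and -375 (`#$IPT ... -j cli_http_out`) carry no reason; either delete them or prefix them with why they are disabled, since commented-out firewall rules tend to be re-enabled by the next edit without review. The old `-d cli_ssh_out` line looks like a `-d`/`-j` typo that iptables would presumably have rejected as an unresolvable address, so commenting it out most likely changes nothing at runtime, which is worth saying in that comment.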