author | Silvino Silva <silvino@bk.ru> | 2016-09-12 23:50:54 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2016-09-12 23:50:54 +0100 |
commit | e4551d6b59317bb27df5d2bd9c3f1ea6469e089b (patch) | |
tree | 923a2a68664432c51d34b702c9568dfda9a7301d /core | |
parent | c6cf9e79a4df38638ab270fcf92605c1bc30484d (diff) | |
download | doc-e4551d6b59317bb27df5d2bd9c3f1ea6469e089b.tar.gz |
network revision
Diffstat (limited to 'core')
-rw-r--r-- | core/conf/rc.d/iptables | 19 | ||||
-rw-r--r-- | core/index.html | 10 | ||||
-rw-r--r-- | core/network.html | 56 | ||||
-rw-r--r-- | core/scripts/iptables.sh | 19 |
4 files changed, 58 insertions, 46 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index d3bbc9b..2d77722 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -10,12 +10,19 @@ start) ;; stop) echo "Stopping firewall and deny everyone..."
- /usr/sbin/iptables -F
- /usr/sbin/iptables -X
- /usr/sbin/iptables -t nat -F
- /usr/sbin/iptables -t nat -X
- /usr/sbin/iptables -t mangle -F
- /usr/sbin/iptables -t mangle -X
+ iptables -F
+ iptables -X
+ iptables -t nat -F
+ iptables -t nat -X
+ iptables -t mangle -F
+ iptables -t mangle -X
+ iptables -t raw -F
+ iptables -t raw -X
+ iptables -t security -F
+ iptables -t security -X
+
+
+ /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP ;;
diff --git a/core/index.html b/core/index.html
index a3013f5..fb43ac6 100644
--- a/core/index.html
+++ b/core/index.html
@@ -20,7 +20,7 @@ folder the install process is automated and <a href="ports/">ports</a> for extra ports used during the installation.</p>
- <h2>Install Crux 3.2 Gnu/Linux</h2>
+ <h2>1. Install Crux 3.2 Gnu/Linux</h2> <ul> <li><a href="install.html">1.1. Install Crux 3.2</a>
@@ -67,15 +67,15 @@ </li> </ul>
- <h2>System Administration</h2>
+ <h2>2. System Administration</h2> <ul> <li><a href="network.html">2.1. Network</a> <ul> <li><a href="network.html#iptables">2.1.1. Iptables</a></li> <li><a href="network.html#resolv">2.1.2. Resolver</a></li>
- <li><a href="network.html#wpa">2.1.3. Wpa and dhcpd</a></li>
- <li><a href="network.html#static">2.1.4. Static ip</a></li>
+ <li><a href="network.html#static">2.1.3. Static ip</a></li>
+ <li><a href="network.html#wpa">2.1.4. Wpa and dhcpd</a></li> <li><a href="network.html#sysctl">2.1.5. Sysctl</a></li> </ul> </li>
@@ -108,7 +108,7 @@ </li> </ul>
- <h2>System Tools</h2>
+ <h2>3. System Tools</h2> <ul> <li><a href="tar.html">3.1. Tar</a>
diff --git a/core/network.html b/core/network.html
index e463ac5..8ca5aef 100644
--- a/core/network.html
+++ b/core/network.html
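Review bot: In the `stop)` branch the tables are flushed before the default policies are set to DROP, so if the script runs from a state where a chain policy is still ACCEPT (for example `stop` without a preceding `start`) there is a short interval with no rules and an accepting policy; moving `/usr/sbin/iptables -P INPUT DROP`, `/usr/sbin/iptables -P FORWARD DROP` and `/usr/sbin/iptables -P OUTPUT DROP` ahead of the first `iptables -F` closes that interval. The same ordering applies to the `@@ -161,6 +161,11 @@` hunk of core/scripts/iptables.sh, where the flush lines precede the `iptables -P ... DROP` lines shown in the following hunk. The new flush lines also switch from `/usr/sbin/iptables` to a bare `iptables` while the policy lines keep the absolute path; an rc script runs with whatever PATH init provides, so one form should be used throughout, e.g. `IPT=/usr/sbin/iptables` near the top and `$IPT` on every line. The two added blank lines before the policy lines are noise and can be dropped. The enclosing `case` statement starts and ends outside the hunk.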
@@ -29,7 +29,9 @@ <h2 id="iptables">2.1.1. Iptables</h2>
- <p>You can use
+ <p>For more information about iptables read
+ <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
+ You can use <a href="scripts/iptables.sh">iptables script</a> at boot time and iptables-save and iptables-restore tools to configure nat and filtering;</p>
@@ -62,6 +64,7 @@ SERVICES=(lo iptables net crond) </pre>
+ <p> <h2 id="resolv">2.1.2. Resolver</h2> <p>Configure your resolver with a server that don't censorship there for
@@ -81,7 +84,22 @@ # chattr +i /etc/resolv.conf </pre>
- <h2 id="wpa">4.3. Wpa and dhcpd</h2>
+ <h2 id="static">2.1.3. Static IP</h2>
+
+ <pre>
+ # ip link
+ # ip addr flush dev ${DEV}
+ # ip route flush dev ${DEV}
+ </pre>
+
+ <pre>
+ # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+ # ip link set ${DEV} up
+ # ip route add default via ${GW}
+ </pre>
+
+
+ <h2 id="wpa">2.1.4. Wpa and dhcpd</h2> <p>There is more information on <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
@@ -99,11 +117,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 </pre>
- <pre>
- # ip addr add 192.168.1.65 dev wlp2s0
- </pre>
-
- <h3>4.3.1. Wpa Supplicant</h3>
+ <h3>2.1.4.1. Wpa Supplicant</h3> <p>Configure wpa supplicant edit;</p>
@@ -133,7 +147,7 @@ init script to auto load wpa configuration and dhcp client.</p>
- <h3>4.3.2. Wpa Cli</h3>
+ <h3>2.1.4.2. Wpa Cli</h3> <pre> # wpa_cli
@@ -146,7 +160,7 @@ </pre> <pre>
- > set_network 3 ssid "Valcovo-Network"
+ > set_network 3 ssid "Crux-Network" OK </pre>
@@ -173,21 +187,7 @@ </pre>
- <h2 id="static">4.4. Static IP</h2>
-
- <pre>
- # ip link
- # ip addr flush dev ${DEV}
- # ip route flush dev ${DEV}
- </pre>
-
- <pre>
- # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
- # ip link set ${DEV} up
- # ip route add default via ${GW}
- </pre>
-
- <h2 id="sysctl">4.5. Sysctl</h2>
+ <h2 id="sysctl">2.1.5. Sysctl</h2> <p>Sysctl references <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
@@ -203,9 +203,9 @@ kernel.printk = 1 4 1 7 # Disable ipv6
- net.ipv6.conf.all.disable_ipv6 = 1
- net.ipv6.conf.default.disable_ipv6 = 1
- net.ipv6.conf.lo.disable_ipv6 = 1
+ net.ipv6.conf.all.disable_ipv6 = 1
+ net.ipv6.conf.default.disable_ipv6 = 1
+ net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 # net.ipv6.conf.default.router_solicitations = 0
@@ -263,7 +263,7 @@ net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0
- # Act as a router, necessary for Access Point
+ # Don't act as a router net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
index b450bb3..9fb2872 100644
--- a/core/scripts/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -1,9 +1,9 @@ #!/bin/sh #
-# XXXXXXXXXXXXXXXXXX
-# XXX Network XXX
-# XXXXXXXXXXXXXXXXXX
+# XXXXXXXXXXXXXXXXX
+# XXXX Network XXXX
+# XXXXXXXXXXXXXXXXX # + # | # v
@@ -32,9 +32,9 @@ # |chain: OUTPUT | +--------+----------+ # +--------------+ | # v
-# XXXXXXXXXXXXXXXXXX
-# XXX Network XXX
-# XXXXXXXXXXXXXXXXXX
+# XXXXXXXXXXXXXXXXX
+# XXXX Network XXXX
+# XXXXXXXXXXXXXXXXX # # iptables [-t table] {-A|-C|-D} chain rule-specification #
@@ -161,6 +161,11 @@ iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
 echo "Starting ipv4 firewall filter table..."
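Review bot: The four new flush lines in the `@@ -161,6 +161,11 @@` hunk of core/scripts/iptables.sh call bare `iptables`, while the rules in the following hunk go through `$IPT` (`$IPT -A INPUT -i lo -j ACCEPT`); for consistency they should read `$IPT -t raw -F`, `$IPT -t raw -X`, `$IPT -t security -F`, `$IPT -t security -X` so one variable decides which binary runs (the definition of IPT is outside the hunk). Flushing the `raw` and `security` tables also assumes those tables are available on the running kernel; where they are not, iptables reports an error on these lines, and whether the `#!/bin/sh` script then continues or aborts depends on a `set -e` the hunk does not show. A one-line comment above them, `# raw/security tables: only present when the matching iptables table modules are loaded`, would record the assumption for whoever runs this on a different kernel.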
@@ -169,7 +174,7 @@ iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
-#unlimited
+# Unlimited on local $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT |