author | Silvino Silva <silvino@bk.ru> | 2018-04-11 18:05:41 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2018-04-11 18:05:41 +0100 |
commit | f5955b57400b065d77fc115c821c18864f3dae02 (patch) | |
tree | 211e76707a3e978afd8fc6ac55e68285ba7c2c62 /tools | |
parent | 8ee63f12e337f97013cfa3cb3d3b27f15f88dfcd (diff) | |
parent | f3ec364b8579a2aa7a31e6b385424403e9fd131e (diff) | |
download | doc-f5955b57400b065d77fc115c821c18864f3dae02.tar.gz |
Doc version 0.0.4
Diffstat (limited to 'tools')
-rw-r--r-- | tools/conf/etc/iptables/iptables-br.sh | 382 | ||||
-rw-r--r-- | tools/conf/etc/iptables/vlan.v4 | 136 | ||||
-rwxr-xr-x | tools/conf/etc/rc.d/iptables | 81 | ||||
-rw-r--r-- | tools/conf/etc/syslog-ng.conf | 11 | ||||
-rwxr-xr-x | tools/conf/srv/gitolite/deploy.sh | 2 | ||||
-rw-r--r-- | tools/gitolite.html | 316 | ||||
-rw-r--r-- | tools/index.html | 4 | ||||
-rw-r--r-- | tools/network.html | 13 | ||||
-rw-r--r-- | tools/openssh.html | 2 | ||||
-rw-r--r-- | tools/syslog-ng.html | 132 |
10 files changed, 282 insertions, 797 deletions
diff --git a/tools/conf/etc/iptables/iptables-br.sh b/tools/conf/etc/iptables/iptables-br.sh
deleted file mode 100644
index 96475f4..0000000
--- a/tools/conf/etc/iptables/iptables-br.sh
+++ /dev/null
@@ -1,382 +0,0 @@ -#!/bin/sh - -# -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# + -# | -# v -# +-------------+ +------------------+ -# |table: filter| <---+ | table: nat | -# |chain: INPUT | | | chain: PREROUTING| -# +-----+-------+ | +--------+---------+ -# | | | -# v | v -# [local process] | **************** +--------------+ -# | +---------+ Routing decision +------> |table: filter | -# v **************** |chain: FORWARD| -# **************** +------+-------+ -# Routing decision | -# **************** | -# | | -# v **************** | -# +-------------+ +------> Routing decision <---------------+ -# |table: nat | | **************** -# |chain: OUTPUT| | + -# +-----+-------+ | | -# | | v -# v | +-------------------+ -# +--------------+ | | table: nat | -# |table: filter | +----+ | chain: POSTROUTING| -# |chain: OUTPUT | +--------+----------+ -# +--------------+ | -# v -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] -I chain [rulenum] rule-specification -# -# iptables [-t table] -R chain rulenum rule-specification -# -# iptables [-t table] -D chain rulenum -# -# iptables [-t table] -S [chain [rulenum]] -# -# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] -# -# iptables [-t table] -N chain -# -# iptables [-t table] -X [chain] -# -# iptables [-t table] -P chain target -# -# iptables [-t table] -E old-chain-name new-chain-name -# -# rule-specification = [matches...] [target] -# -# match = -m matchname [per-match-options] -# -# -# Targets -# -# can be a user defined chain -# -# ACCEPT - accepts the packet -# DROP - drop the packet on the floor -# QUEUE - packet will be stent to queue -# RETURN - stop traversing this chain and -# resume ate the next rule in the -# previeus (calling) chain. 
-# -# if packet reach the end of the chain or -# a target RETURN, default policy for that -# chain is applayed. -# -# Target Extensions -# -# AUDIT -# CHECKSUM -# CLASSIFY -# DNAT -# DSCP -# LOG -# Torn on kernel logging, will print some -# some information on all matching packets. -# Log data can be read with dmesg or syslogd. -# This is a non-terminating target and a rule -# should be created with matching criteria. -# -# --log-level level -# Level of logging (numeric or see sys- -# log.conf(5) -# -# --log-prefix prefix -# Prefix log messages with specified prefix -# up to 29 chars log -# -# --log-uid -# Log the userid of the process with gener- -# ated the packet -# NFLOG -# This target pass the packet to loaded logging -# backend to log the packet. One or more userspace -# processes may subscribe to the group to receive -# the packets. -# -# ULOG -# This target provides userspace logging of maching -# packets. One or more userspace processes may then -# then subscribe to various multicast groups and -# then receive the packets. -# -# -# Commands -# -# -A, --append chain rule-specification -# -C, --check chain rule-specification -# -D, --delete chain rule-specification -# -D, --delete chain rulenum -# -I, --insert chain [rulenum] rule-specification -# -R, --replace chain rulenum rule-specification -# -L, --list [chain] -# -P, --policy chain target -# -# Parameters -# -# -p, --protocol protocol -# tcp, udp, udplite, icmp, esp, ah, sctp, all -# -s, --source address[/mask][,...] -# -d, --destination address[/mask][,...] -# -j, --jump target -# -g, --goto chain -# -i, --in-interface name -# -o, --out-interface name -# -f, --fragment -# -m, --match options module-name -# iptables can use extended packet matching -# modules. 
-# -c, --set-counters packets bytes - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet -#PUB_IF="wlp7s0" -PUB_IF="enp8s0" -BR_IF="br0" -PUB_IP="10.0.0.254" -NET_ADDR="10.0.0.0/8" -GW="10.0.0.1" -# private interface for virtual/internal -PRIV_IF="wlp7s0" -PRIV_IP="192.168.1.33" - -echo "Stopping ipv4 firewall and deny everyone..." - -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X -iptables -N blocker - -iptables -N netconf_in -iptables -N netconf_out -iptables -N server_in -iptables -N server_out -iptables -N client_in -iptables -N client_out - -# Set Default Rules -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -echo "Starting ipv4 firewall tables..." -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - -#modprobe ip_conntrack -#modprobe ip_conntrack_ftp -#echo 1 > /proc/sys/net/ipv4/ip_forward - -####### blocker Chain ###### -## Block google dns -$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " -$IPT -A blocker -s 8.8.0.0/24 -j DROP -## Block sync -$IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " -$IPT -A blocker -p tcp ! 
--syn -m state --state NEW -j DROP -## Block Fragments -$IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " -$IPT -A blocker -f -j DROP - -$IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - -$IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " -$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - -$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -## Return to caller -$IPT -A blocker -j RETURN - -####### server input Chain ###### -echo "server_in chain: Allow to VNC Server" -$IPT -A server_in -p tcp --dport 5900 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to DataBase Server" -$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to SSH server" -$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTPS Server" -$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTP Server" -$IPT -A 
server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to DNS Server" -$IPT -A server_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A server_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow output from GIT server" -$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_in -j RETURN - -####### server output Chain ###### -echo "server_out chain: Allow output from DNS server" -$IPT -A server_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A server_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from GIT server" -$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from https server" -$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from http server" -$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from SSH server" -$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from Data Base server" -$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "FORWARD chain: Allow output from VNC server" -$IPT -A server_out -p tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_out -j RETURN - -####### client input Chain ###### -echo "client_in chain: Allow input from IRC server" -$IPT -A client_in -p tcp --sport 6667 --dport 
1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from FTP server" -$IPT -A client_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GIT server" -$IPT -A client_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from POP3S server" -$IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SMTPS server" -$IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTP Server" -$IPT -A client_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTPS server" -$IPT -A client_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from DNS Server" -$IPT -A client_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SSH Server" -$IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GPG key Server" -$IPT -A client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A client_in -j RETURN - -####### client output Chain ###### -echo "client_out chain: Allow output to IRC server" -$IPT -A client_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to FTP server" -$IPT -A client_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo 
"client_out chain: Allow output to GIT server" -$IPT -A client_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to POP3S server" -$IPT -A client_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SMTPS server" -$IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to HTTPS server" -$IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "Allow to HTTP server" -$IPT -A client_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to DNS server" -$IPT -A client_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SSH server" -$IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GPG key Server" -$IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - - -## Return to caller -$IPT -A client_out -j RETURN - - -####### netconf input Chain ###### -echo "netconf_in chain: Allow DHCP protocol" -$IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT -echo "netconf_in chain: Allow RIP protocol for ${NET_ADDR}" -$IPT -A netconf_in -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -#echo "netconf chain: Allow ICMP from ${NET_ADDR}" -#$IPT -A netconf_in -p icmp -s ${NET_ADDR} -j ACCEPT -echo "netconf_in chain: Allow ICMP from all" -$IPT -A netconf_in -p icmp -j LOG --log-level 7 --log-prefix "iptables: 
netconf_in ICMP: " -$IPT -A netconf_in -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_in -j RETURN - - -####### netconf output Chain ###### -echo "netconf_out chain: Allow output from DHCP server" -$IPT -A netconf_out -p udp --sport 67 --dport 68 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -echo "netconf_out chain: Allow RIP protocol for ${NET_ADDR}" -$IPT -A netconf_out -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -#echo "netconf chain: Allow ICMP output to ${NET_ADDR}" -#$IPT -A netconf_out -p icmp -d ${NET_ADDR} -j ACCEPT -echo "netconf chain: Allow ICMP output to all" -$IPT -A netconf_out -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_out ICMP: " -$IPT -A netconf_out -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_out -j RETURN - -####### AP rules ###### -$IPT -A FORWARD -j blocker -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j netconf_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j netconf_out -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j client_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j client_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j server_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j server_out - -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j SNAT --to ${PUB_IP} - -####### Input Chain ###### -$IPT -A INPUT -j blocker -$IPT -A INPUT -i ${BR_IF} -s ${NET_ADDR} -d ${PUB_IP} -j server_in -$IPT -A INPUT -i ${BR_IF} -d ${NET_ADDR} -j client_in -$IPT -A INPUT -i ${BR_IF} -j netconf_in - -####### Output Chain ###### -$IPT -A OUTPUT -j blocker -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${NET_ADDR} -j server_out -$IPT -A OUTPUT -o ${BR_IF} -s ${NET_ADDR} -j client_out -$IPT -A OUTPUT -o ${BR_IF} -j netconf_out - - -## log everything else and drop -$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -$IPT -A OUTPUT -j LOG 
--log-level 7 --log-prefix "iptables: OUTPUT: "
-$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
-exit 0
diff --git a/tools/conf/etc/iptables/vlan.v4 b/tools/conf/etc/iptables/vlan.v4
deleted file mode 100644
index 61da499..0000000
--- a/tools/conf/etc/iptables/vlan.v4
+++ /dev/null
@@ -1,136 +0,0 @@ -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:blocker - [0:0] -:client_in - [0:0] -:client_out - [0:0] -:netconf_in - [0:0] -:netconf_out - [0:0] -:server_in - [0:0] -:server_out - [0:0] --A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT --A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT --A INPUT -j blocker --A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in --A INPUT -d 10.0.0.0/8 -i br0 -j client_in --A INPUT -i br0 -j netconf_in --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j blocker --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 --A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT --A OUTPUT -j blocker --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j 
server_out --A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out --A OUTPUT -o br0 -j netconf_out --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 --A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7 --A blocker -s 8.8.0.0/24 -j DROP --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A blocker -f -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP --A blocker -j RETURN --A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp 
-m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -j RETURN --A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state 
NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -j RETURN --A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT --A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7 --A netconf_in -p icmp -j ACCEPT --A netconf_in -j RETURN --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7 --A netconf_out -p icmp -j ACCEPT --A netconf_out -j RETURN --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -j RETURN --A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 443 --dport 
1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -j RETURN -COMMIT -# Completed on Tue Apr 3 02:25:27 2018
diff --git a/tools/conf/etc/rc.d/iptables b/tools/conf/etc/rc.d/iptables
deleted file mode 100755
index 23f5485..0000000
--- a/tools/conf/etc/rc.d/iptables
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/sh
-#
-# /etc/rc.d/iptables: load/unload iptable rules
-#
-
-#rules=rules.v4
-rules=vlan.v4
-
-iptables_clear () {
- echo "clear all iptables tables"
- iptables -F
- iptables -X
- iptables -t nat -F
- iptables -t nat -X
- iptables -t mangle -F
- iptables -t mangle -X
- iptables -t raw -F
- iptables -t raw -X
- iptables -t security -F
- iptables -t security -X
-}
-
-case $1 in
- start)
- iptables_clear
- echo "starting IPv4 firewall filter table..."
- /usr/sbin/iptables-restore < /etc/iptables/${rules}
- ;;
- stop)
- iptables_clear
- echo "stopping firewall and deny everyone..."
- /usr/sbin/iptables -P INPUT DROP
- /usr/sbin/iptables -P FORWARD DROP
- /usr/sbin/iptables -P OUTPUT DROP
-
- # Unlimited on local
- /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
- /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
- # log everything else and drop
- /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
- ;;
- open)
- iptables_clear
- echo "outgoing Open firewall and deny everyone..."
-
- /usr/sbin/iptables -P INPUT DROP
- /usr/sbin/iptables -P FORWARD DROP
- /usr/sbin/iptables -P OUTPUT ACCEPT
-
- /usr/sbin/iptables -A OUTPUT -j ACCEPT
-
- # Unlimited on local
- /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
- /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
- # Accept passive
- /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
- /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-
- # log everything else and drop
- /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
- *)
-
- echo "usage: $0 [start|stop|restart]"
- ;;
-esac
-
-# End of file
diff --git a/tools/conf/etc/syslog-ng.conf b/tools/conf/etc/syslog-ng.conf
index 5b5fc75..cfb1c08 100644
--- a/tools/conf/etc/syslog-ng.conf
+++ b/tools/conf/etc/syslog-ng.conf
@@ -64,6 +64,7 @@ destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
 destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };
 destination d_dnsmasq { file("/var/log/dnsmasq"); };
 destination d_postgres { file("/var/log/pgsql"); };
+destination d_iptables { file("/var/log/iptables"); };
 destination d_sshd { file("/var/log/sshd"); };
 destination d_gitolite { file("/var/log/gitolite"); };
 destination d_nginx_access { file("/var/log/nginx/access.log" owner(root) group(www) perm(0644)); };
@@ -124,14 +125,19 @@ filter f_dnsmasq { program("dnsmasq"); }; filter f_postgres { facility(local0); }; filter f_sshd { facility(local1); }; +filter f_iptables { + facility(kern) + and match("iptables" value("MESSAGE")) +}; + filter f_shorewall_warn { level (warn) - and match ("iptables" value("MESSAGE")); + and match ("Shorewall" value("MESSAGE")); }; filter f_shorewall_info { level (info) - and match ("iptables" value("MESSAGE")); + and match ("Shorewall" value("MESSAGE")); }; filter f_gitolite { program("gitolite"); }; @@ -145,6 +151,7 @@ filter f_nginx_error { }; +log { source (s_kernel); filter (f_iptables); destination (d_iptables); flags(final);}; log { source (s_kernel); filter (f_shorewall_warn); destination (d_shorewall_warn); flags(final);}; log { source (s_kernel); filter (f_shorewall_info); destination (d_shorewall_info); flags(final);}; log { source(s_log); filter(f_dnsmasq); destination(d_dnsmasq); flags(final); }; diff --git a/tools/conf/srv/gitolite/deploy.sh b/tools/conf/srv/gitolite/deploy.sh index df11f4a..1091ea9 100755 --- a/tools/conf/srv/gitolite/deploy.sh +++ b/tools/conf/srv/gitolite/deploy.sh @@ -3,7 +3,7 @@ # origin package directory packages_dir="/srv/gitolite/deploy/packages" # temporary work directory -deploy_dir="/srv/gitolite/deploy/deploy_dir" +deploy_dir="/srv/deploy_dir" # scripts to deploy packages deploy_scripts="/srv/gitolite/deploy/scripts" diff --git a/tools/gitolite.html b/tools/gitolite.html index 1fa8e5a..e7b7067 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html 
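Review bot: `match("iptables" value("MESSAGE"))` in the new `f_iptables` filter is an unanchored substring match, so every kernel-facility message that contains the word "iptables" anywhere in its text is routed to /var/log/iptables and, because the new log statement in the last hunk carries `flags(final)`, is withheld from the remaining kernel log paths. The rule sets in this commit log with a uniform `--log-prefix "iptables: ..."`, so the filter can be anchored to that prefix, `and match("^iptables: " value("MESSAGE"));`, once a live entry confirms the kernel source does not prepend a timestamp to MESSAGE. The existing filters in this file close their expression with `;` before the `}` (`... value("MESSAGE")); };`) while the new block omits it; add it for consistency and check the file with `syslog-ng -s` before deploying. Finally, `d_iptables` sets no owner/group/perm where `d_nginx_access` does; a firewall log records peer addresses and probe patterns, so either rely on a documented global `perm()` default or state one explicitly, e.g. `file("/var/log/iptables" perm(0640));`.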
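Review bot: The new value `deploy_dir="/srv/deploy_dir"` turns what the comment above it still calls a "temporary work directory" into a fixed top-level path outside /srv/gitolite/deploy, and nothing in the hunk says who creates it or with what ownership. The listing of this same script in tools/gitolite.html in this commit removes package paths under it with `rm -r ${pkg_path}`, so the directory must be owned by the deploy user and must not be world-writable, otherwise another local account could place or replace entries that a later deploy extracts or deletes. Replace the comment with `# fixed scratch directory shared by all deploys; must exist, be owned by the deploy user and not be world-writable`, and if the directory is really meant to be per-run, create it with mktemp -d instead of a fixed name.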
@@ -163,28 +163,26 @@ repo gitolite-admin RW+ = gitolite - repo c9-doc c9-ports c9-pmwiki - config gitweb.owner = "c9 team" - config gitweb.category = "c9" + repo doc ports pmwiki assistant + config gitweb.owner = "Team" + config gitweb.category = "Projects" - repo c9-doc - config gitweb.description = "c9 documentation" + repo doc + config gitweb.description = "Documentation" option hook.post-receive = deploy-web-doc - repo c9-ports - config gitweb.description = "c9 ports" + repo ports + config gitweb.description = "System Ports" - repo c9-pmwiki - config gitweb.description = "c9 wiki" + repo pmwiki + config gitweb.description = "Wiki" option hook.post-receive = deploy-web-doc - repo c9-assistant - config gitweb.owner = "c9 team" - config gitweb.category = "c9" - config gitweb.description = "c9 open assistant" + repo assistant + config gitweb.description = "Open Assistant" @secret = gitolite-admin - @project = c9-doc c9-ports c9-pmwiki c9-assistant + @project = doc ports pmwiki assistant </pre> <p>Commit and push;</p> @@ -200,13 +198,13 @@ <pre> # cd /srv/gitolite/repositories/ - # mv void.git c9-doc.git + # mv void.git doc.git </pre> <p>On workstation edit conf/gitolite.conf;</p> <pre> - repo c9-doc + repo doc RW+ = bob </pre> @@ -221,7 +219,7 @@ <pre> # cd /srv/gitolite/repositories/ - # rm -rf c9-doc.git + # rm -rf doc.git </pre> <p>On workstation edit conf/gitolite.conf and remove c9-doc.</p> 
@@ -371,33 +369,6 @@ fi </pre> - <p>Activate this hook, the idea is to start with this one as a template working - and then implement the final one. Edit gitolite admin configuration file and - activate:</p> - - <pre> - repo c9-doc - config gitweb.description = "c9 documentation" - option hook.post-receive = deploy-web-doc - </pre> - - <p>Add, commit, and push the admin repo;</p> - - <pre> - $ git add local/hooks/repo-specific/hook-deployweb - $ git add -u && git commit -m "added deploy c9 hook" - </pre> - - <p>Now we can test if our script is functioning by creating a branch on c9-doc - making a random change and push;<p> - - <pre> - $ cd c9-doc - $ git checkout -b deploy_branch - </pre> - - <h4>4.3.2. Deploy Script</h4> - <p>Create <a href="conf/srv/gitolite/deploy-web.sh">/srv/gitolite/deploy/scripts/deploy-web.sh</a>;</p> 
@@ -479,28 +450,219 @@ rm -r ${pkg_path} </pre> - <h4>4.3.3. Debuging hooks</h4> + <p>Activate this hook, the idea is to start with this one as a template working + and then implement the final one. Edit gitolite admin configuration file and + activate:</p> - <p>Comment gitolite admin repo script "if" and uncomment debug sections, this allow to - source the file with environment of hook.</p> + <pre> + repo doc + config gitweb.description = "Documentation" + option hook.post-receive = deploy-web-doc + </pre> - <p>Later you can delete this branch locally and remote and start fresh. To test - if hook is called each time you push run;</p> + <p>Add, commit, and push the admin repo;</p> + <pre> + $ git add local/hooks/repo-specific/hook-deployweb + $ git add -u && git commit -m "added deploy c9 hook" + </pre> + + <p>Now we can test if our script is functioning by creating a branch on c9-doc + making a random change and push;<p> <pre> - $ echo $(( ( RANDOM % 10 ) +1 )) >> index.html && git add -u && git commit -m "test deploy" && git push git + $ cd c9-doc + $ git checkout -b deploy_branch </pre> - <p>See if a file was created in /srv/gitolite/deploy with name of project and - with environmental variables of gitolite script.</p> + <h4>4.3.2. 
Deploy Script</h4> - <p>From now on you can test changes directly on - /srv/gitolite/.gitolite/local/hooks/repo-specific/hook-deployweb - and repeat above command to see the results or create a separate script with - all variables generated by above script set so you don't have to push at all.</p> + <p>Create <a href="conf/srv/gitolite/deploy.sh">/srv/gitolite/deploy/scripts/deploy.sh</a>;</p> + + <pre> + #!/bin/bash + + # origin package directory + packages_dir="/srv/gitolite/deploy/packages" + # temporary work directory + deploy_dir="/srv/deploy_dir" + # scripts to deploy packages + deploy_scripts="/srv/gitolite/deploy/scripts" + + function get_script(){ + # receives package path return script to call + local pkg_path=$1 + echo $(head -2 ${pkg_path}/project | tail -1) + } + + function get_new(){ + # receives package path return commit hash (new) + local pkg_path=$1 + echo $(head -3 ${pkg_path}/project | tail -1) + } + + function get_dep(){ + # receives package path return previews commit hash (old) + local pkg_path=$1 + + new=$(head -3 ${pkg_path}/project | tail -1) + old=$(head -4 ${pkg_path}/project | tail -1) + + if [[ ! ${new} = ${old} ]]; then + echo ${old} | cut -c1-7 + fi + } + + function project_extract(){ + + # project directory containing extracted packages + local prj_dir=$1 + + # final extracted package + local prj_pkg="${prj_dir}/package" + + # temporary vars for swapping/iterating pkg_news + local pkg_new="" + local pkg_old="" + local pkg_dir="" + local pkg_temp="" + local pkg_next=1 + local pkg_del="" + local x=0 + local y=0 + + # array with all the news hashes + local pkg_news=($(ls ${prj_dir})) + + # total new packages + local total=${#pkg_news[@]} + + echo "Deploy: $(basename ${prj_dir}) extracting packages ${pkg_news[*]}" + + # find first package + for pkg_new in ${pkg_news[@]} + do + # get package dependency + pkg_dir="${prj_dir}/${pkg_new}" + pkg_old=$(get_dep ${pkg_dir}) + if [[ ! 
" ${pkg_news[@]} " =~ " ${pkg_old} " ]]; then + # pkg_news don't contain package + # we found initial package + pkg_temp=${pkg_news[0]} + pkg_news[0]=${pkg_new} + pkg_news[${x}]=${pkg_temp} + break + fi + x=$((${x}+1)) + done + + # Order packages by dependency start with first package + for (( y=0; y<${total}; y++ )) + do + pkg_next=$(($y+1)) + if [[ ${pkg_next} = ${total} ]]; then + ## we are in the last one + break + fi + + pkg_new=${pkg_news[$y]} + for (( x=pkg_next; x<${total}; x++ )) + do + pkg_dir="${prj_dir}/${pkg_news[${x}]}" + pkg_old=$(get_dep ${pkg_dir}) + # is dependent on current + if [[ ${pkg_old} = ${pkg_new} ]]; then + pkg_temp=${pkg_news[${pkg_next}]} + pkg_news[${pkg_next}]=${pkg_news[${x}]} + pkg_news[${x}]=${pkg_temp} + # we can break and pass next one + break + fi + done + done + + # create project final package directory + mkdir -p ${prj_pkg}/files + + # copy project information of last commit + cp ${prj_dir}/${pkg_news[$((${total}-1))]}/project ${prj_pkg} + + # now that packages are ordered we can start creating files + for pkg_new in ${pkg_news[@]} + do + pkg_dir=${prj_dir}/${pkg_new} + tar xf ${pkg_dir}/files.tar.xz \ + --directory ${prj_pkg}/files + + # if deleted files exists + if [ -f "${pkg_dir}/deleted" ]; then + # first collect all files/directories don't exist + while read pkg_del; do + # if file don't exist add entry to project deleted file + pkg_temp="${prj_pkg}/files/${pkg_del}" + if [ ! -f ${pkg_temp} ]; then + if [ ! 
-d ${pkg_temp} ]; then + # is not a file or directory from previous packages + echo ${pkg_del} >> ${prj_pkg}/deleted + fi + fi + done <${prj_dir}/${pkg_new}/deleted + + # delete directories and files + while read pkg_del; do + pkg_temp="${prj_pkg}/files/${pkg_del}" + if [ -d ${pkg_temp} ]; then + rm -r ${pkg_temp} + elif [ -f ${pkg_temp} ]; then + rm ${pkg_temp} + fi + done <${prj_dir}/${pkg_new}/deleted + fi + + #remove temporary directory + rm -r ${prj_dir}/${pkg_new} + done + + # call project deploy script + call_script=${deploy_scripts}/$(get_script $prj_pkg) + echo "Deploy: calling deploy script: ${call_script}" + /bin/bash ${call_script} ${prj_pkg} + + } + + if [[ ! $(ls ${deploy_dir}) = "" ]]; then + rm -r ${deploy_dir}/* + fi + + # first extract all packages from origin directory + for pkg_path in `find ${packages_dir} -type f -name "*.tar.gz"` + do + if [ -f ${pkg_path} ]; then + pkg_name=$(basename ${pkg_path}) + pkg_proj=$(echo ${pkg_name} | cut -d "_" -f 1) + pkg_new7=$(echo ${pkg_name} | tail -c -15 | cut -c -7) + pkg_temp=${deploy_dir}/${pkg_proj}/${pkg_new7} + mkdir -p ${pkg_temp} + tar xf ${pkg_path} --directory ${pkg_temp} + rm ${pkg_path} + fi + done + + # loop for all projects and deploy them + for prj_dir in `find ${deploy_dir} -maxdepth 1 -mindepth 1 -type d` + do + # order index of hashes based on old commit + echo "prj_dir $prj_dir" + project_extract ${prj_dir} + done + </pre> + + <p>Give permissions to access files;</p> - <h4 id="gtl-deploy">4.4. Deploy with Cron</h4> + <pre> + # mkdir /srv/deploy_dir + # chown www:www /srv/deploy_dir + </pre> <p>Add cron job to call deploy script every minute;</p> 
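Review bot: The `deleted` entries and the script name taken from the `project` file come straight out of the extracted package and are used unchecked in `rm -r ${pkg_temp}` and `/bin/bash ${call_script} ${prj_pkg}`, so a name containing `..` or a leading `/` would act outside `${prj_pkg}/files` or `${deploy_scripts}`; how much that matters depends on who can write to `/srv/gitolite/deploy/packages`, which the page does not state. Rejecting anything but a plain relative name before each use, e.g. `case "$pkg_del" in ''|/*|..|../*|*/..|*/../*) continue ;; esac`, and applying the same test to the `get_script` result, keeps the cleanup and the dispatch inside their own directories. The loops also call `read` without `-r` and leave `${pkg_temp}`, `${pkg_path}` and `${prj_dir}` unquoted, which breaks on paths containing spaces, and `get_dep` assigns the globals `new` and `old` where its sibling functions use `local`. Separately, the moved test steps still read `$ cd c9-doc` and "creating a branch on c9-doc" although the configuration earlier in this hunk now declares `repo doc`.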
@@ -526,6 +688,28 @@ # End of file </pre> + <h4>4.3.3. Debuging hooks</h4> + + + <p>Comment gitolite admin repo script "if" and uncomment debug sections, this allow to + source the file with environment of hook. Later you can delete this branch locally and remote and start fresh. To test + if hook is called each time you push run;</p> + + <pre> + $ echo $(( ( RANDOM % 10 ) +1 )) >> index.html && git add -u && git commit -m "test deploy" && git push git + </pre> + + <p>See if a file was created in /srv/gitolite/deploy with name of project and + with environmental variables of gitolite script.</p> + + <p>From now on you can test changes directly on + /srv/gitolite/.gitolite/local/hooks/repo-specific/hook-deployweb + and repeat above command to see the results or create a separate script with + all variables generated by above script set so you don't have to push at all.</p> + + <p>Change cron to debug check root email or call deploy script directly + from command line after hook and deploy_web are working.</p> + <h2 id="gitweb">5. Gitweb</h2> <pre>
@@ -626,20 +810,20 @@ <p>Edit gitolite-admin/conf/gitolite.conf;</p> <pre> - repo c9-doc - config gitweb.owner = c9 team - config gitweb.description = c9 documentation - config gitweb.category = c9 + repo doc + config gitweb.owner = team + config gitweb.description = Documentation + config gitweb.category = Projects - repo c9-ports - config gitweb.owner = c9 team - config gitweb.description = c9 ports - config gitweb.category = c9 + repo ports + config gitweb.owner = team + config gitweb.description = System ports + config gitweb.category = Projects </pre> <a href="index.html">Tools Index</a> <p>This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2018 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p>
diff --git a/tools/index.html b/tools/index.html
index 1c4eb00..2b6a4d4 100644
--- a/tools/index.html
+++ b/tools/index.html
@@ -94,10 +94,8 @@ </li> <li><a href="syslog-ng.html">Syslog-ng</a> <ul> - <li><a href="syslog-ng.html#eventlog">Install event log</a></li> <li><a href="syslog-ng.html#install">Install syslog-ng</a></li> - <li><a href="syslog-ng.html#syslogrc">Syslog-ng RC</a></li> - <li><a href="syslog-ng.html#syslog-conf">Syslog-ng configuration</a></li> + <li><a href="syslog-ng.html#configure">Configure syslog-ng</a></li> <li><a href="logrotate.html">Logrotate</a></li> <li><a href="logwatch.html">Logwatch</a> <ul>
diff --git a/tools/network.html b/tools/network.html
index c4e99f6..31ca60b 100644
--- a/tools/network.html
+++ b/tools/network.html
@@ -53,10 +53,17 @@ # End of file </pre> - <p>Change iptables script rules from core to - <a href="conf/etc/rc.d/iptables">/etc/rc.d/iptables</a> + <p>Change iptables init script + <a href="../core/conf/rc.d/iptables">/etc/rc.d/iptables</a> to load new rules from - <a href="conf/etc/iptables/vlan.v4">/etc/iptables/vlan.v4</a></p> + <a href="../core/conf/iptables/br-lan.v4">/etc/iptables/br-lan.v4</a>. + Now change <a href="../core/scripts/iptables-br.sh">iptables-br.sh</a> + with your network configuration and run; + </p> + + <pre> + # bash core/scripts/iptables-br.sh + </pre> <a href="index.html">Tools Index</a> <p>This is part of the c9 Manual.
diff --git a/tools/openssh.html b/tools/openssh.html
index 96e1653..c70a5f5 100644
--- a/tools/openssh.html
+++ b/tools/openssh.html
@@ -128,7 +128,7 @@ <h3 id="iptables">1.2. Configure iptables</h3> <p>Iptables;</p> - <p>Example of <a href="scripts/system-iptables.sh">system-iptables.sh</a></p> + <p>Example of <a href="../core/scripts/iptables.sh">iptables.sh</a></p> <pre> $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
diff --git a/tools/syslog-ng.html b/tools/syslog-ng.html
index e97b50d..f1ed95b 100644
--- a/tools/syslog-ng.html
+++ b/tools/syslog-ng.html
@@ -23,92 +23,17 @@ $ sudo tail -f messages kernel cron auth </pre> - <h2 id="eventlog">1.1. Install event log</h2> + <h2 id="install">1.1. Install syslog-ng</h2> <pre> - $ mkdir eventlog - $ vim Pkgfile + $ prt-get depinst syslog-ng </pre> - <pre> - # Description: replacement of the simple syslog() API - # URL: http://www.balabit.com/network-security/syslog-ng/opensource-logging-system - # Maintainer: Thomas Penteker, tek at serverop dot de - # - # Depends on: - - name=eventlog - version=0.2.12 - release=1 - source=(http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/${name}_${version}.tar.gz) - - build() { - cd $name-$version - - ./configure \ - --prefix=/usr \ - --disable-nls \ - --mandir=/usr/man - - make && make DESTDIR=$PKG install - rm -rf $PKG/usr/doc - } - </pre> - - <pre> - $ fakeroot pkgmk -d - $ sudo pkgadd /usr/ports/packages/eventlog#0.2.12-1.pkg.tar.gz - </pre> - - <h2 id="install">1.2. Install syslog-ng</h2> + <h2 id="configure">1.4. Syslog-ng configuration</h2> - <pre> - $ cd .. 
- $ mkdir syslog-ng - $ vim Pkgfile - </pre> - - <pre> - # Description: alternate syslogging daemon - # URL: http://www.balabit.com/network-security/syslog-ng/opensource-logging-system - # Packager: c9 team, silvino at bk dot ru - # Depends on: eventlog, glib, libwrap - - name=syslog-ng - version=3.5.6 - release=1 - source=(http://balabit.com/downloads/files/syslog-ng/sources/$version/source/${name}_${version}.tar.gz - syslog-ng.rc syslog-ng.conf) - - build() { - cd $name-$version - - ./configure \ - --prefix=/usr \ - --sysconfdir=/etc \ - --libexecdir=/var/libexec \ - --localstatedir=/var \ - --mandir=/usr/man \ - --enable-dynamic-linking \ - --sbindir=/sbin \ - --enable-tcp-wraper - - - make && make DESTDIR=$PKG install - rm -rf $PKG/usr/doc - rm -rf $PKG/usr/share/include/scl/syslogconf/README - install -D -m 644 ../syslog-ng.conf $PKG/etc/syslog-ng.conf - install -D -m 755 ../syslog-ng.rc $PKG/etc/rc.d/syslog-ng - } - </pre> - - <pre> - $ sudo prt-get depinst glib - $ pkgmk -um - $ pkgmk -uf - $ fakeroot pkgmk -d - $ sudo pkgadd /usr/ports/packages/syslog-ng#3.5.6-1.pkg.tar.gz - </pre> + <p>Example of <a href="conf/etc/syslog-ng.conf">/etc/syslog-ng.conf</a> + that configures syslog-ng matching tools already installed in the system + and some that are part of <a href="../tools/index.html">tools</a>.</p> <p>Change /etc/rc.conf, replace sysklog with syslog-ng;</p> 
@@ -122,48 +47,16 @@ TIMEZONE="Europe/Lisbon" HOSTNAME=box SYSLOG=syslog-ng - SERVICES=(syslog-ng lo net crond) + SERVICES=(lo net crond) # End of file </pre> - <h2 id="syslogrc">1.3. Syslog-ng RC</h2> - - <pre> - $ vim syslog-ng.rc - </pre> - <pre> - #!/bin/sh - # - # /etc/rc.d/syslog-ng: start/stop syslog-ng logging daemon - # - - case $1 in - start) - /sbin/syslog-ng -f /etc/syslog-ng.conf -p /var/run/syslog-ng.pid - ;; - stop) - killall -q /sbin/syslog-ng - rm -f /var/run/syslog-ng.pid - ;; - restart) - $0 stop - sleep 2 - $0 start - ;; - *) - echo "usage: $0 [start|stop|restart]" - ;; - esac + $ sudo sh /etc/rc.d/syslog-ng start + $ sudo sh /etc/rc.d/sysklogd stop </pre> - <h3 id="syslog-conf">1.4. Syslog-ng configuration</h3> - - <p>Example of <a href="conf/etc/syslog-ng.conf">/etc/syslog-ng.conf</a> - that configures syslog-ng matching tools already installed in the system - and some that are part of <a href="../tools/index.html">tools</a>.</p> - <p>Description off global options used;</p> <dl> @@ -249,15 +142,10 @@ latency.</dd> </dl> - <pre> - $ sudo sh /etc/rc.d/syslog-ng start - $ sudo sh /etc/rc.d/sysklogd stop - </pre> - <a href="index.html">Tools Index</a> <p>This is part of the c9-doc Manual. -Copyright (C) 2016 +Copyright (C) 2018 c9 team. See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> |
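Review bot: The two added commands `$ sudo sh /etc/rc.d/syslog-ng start` and `$ sudo sh /etc/rc.d/sysklogd stop` appear to end up outside any `<pre>`: both opening `<pre>` tags of the removed RC section are deleted, while the `</pre>` that closed the old `esac` block survives as context, so the rendered page would show the commands as running text followed by a stray closing tag. Re-adding `<pre>` (and a short lead-in such as `<p>Switch to the new logger;</p>`) before the two lines restores the block. The same hunk drops `syslog-ng` from `SERVICES=(lo net crond)` while `SYSLOG=syslog-ng` is kept, presumably because the SYSLOG variable already starts the daemon; a one-line remark saying so would keep readers from adding it back to SERVICES.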