-rw-r--r-- | core/conf/skel/.bashrc | 19 | ||||
-rw-r--r-- | core/conf/skel/.profile | 4 | ||||
-rw-r--r-- | core/conf/skel/.tmux.conf | 2 | ||||
-rw-r--r-- | host.html | 103 | ||||
-rw-r--r-- | tools/conf/etc/skel/.mutt/muttrc | 34 | ||||
-rw-r--r-- | tools/conf/etc/skel/.vimrc | 207 | ||||
-rw-r--r-- | tools/gnupg.html | 5 | ||||
-rw-r--r-- | tools/index.html | 2 | ||||
-rw-r--r-- | tools/mutt.html | 74 | ||||
-rw-r--r-- | tools/scipts/iptables.sh | 337 | ||||
-rw-r--r-- | tools/vim.html | 15 |
11 files changed, 615 insertions, 187 deletions
diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc index 38f4b24..9a7498e 100644 --- a/core/conf/skel/.bashrc +++ b/core/conf/skel/.bashrc @@ -21,7 +21,6 @@ shopt -s histappend HISTSIZE=1000 HISTFILESIZE=2000 -alias tmux="tmux -2" alias rm='rm -i' #alias cp='cp -i' @@ -46,12 +45,14 @@ glog () { git log --graph --abbrev-commit --decorate --date=relative --all } -if [[ -z "$TMUX" ]] ;then - ID="`tmux ls | grep -vm1 attached | cut -d: -f1`" # get the id of a deattached session - if [[ -z "$ID" ]] ;then # if not available create a new one - tmux new-session - else - tmux attach-session -t "$ID" # if available attach to it - fi -fi +#alias tmux="tmux -2" +#if [[ -z "$TMUX" ]] ;then +# ID="`tmux ls | grep -vm1 attached | cut -d: -f1`" # get the id of a deattached session +# if [[ -z "$ID" ]] ;then # if not available create a new one +# tmux new-session +# else +# tmux attach-session -t "$ID" # if available attach to it +# fi +#fi +# diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile index 58f821e..71dd6f8 100644 --- a/core/conf/skel/.profile +++ b/core/conf/skel/.profile @@ -1,6 +1,6 @@ export GPG_AGENT_INFO # the env file does not contain the export statement export SSH_AUTH_SOCK # enable gpg-agent for ssh -export GPGKEY=EE29B7D3 +export GPGKEY=8BF422F7 -alias prodtmux="ssh prod -t tmux a" +#alias prodtmux="ssh srv-remote -t tmux a" diff --git a/core/conf/skel/.tmux.conf b/core/conf/skel/.tmux.conf index 795aff6..a68ccb2 100644 --- a/core/conf/skel/.tmux.conf +++ b/core/conf/skel/.tmux.conf @@ -23,3 +23,5 @@ set -g bell-action any bind-key j command-prompt -p "join pane from:" "join-pane -s '%%'" bind-key s command-prompt -p "send pane to:" "join-pane -t '%%'" +# Torn on mouse +set -g mouse on diff --git a/host.html b/host.html new file mode 100644 index 0000000..9a2ca1c --- /dev/null +++ b/host.html 
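Review bot: The tmux auto-attach block is kept as commented-out code (`#if [[ -z "$TMUX" ]] ;then` … `#fi`) rather than deleted; git history already preserves it, and disabled blocks like this tend to drift out of date while still reading as if they were current. The `.profile` hunk (`#alias prodtmux=…`) and both `.vimrc` hunks do the same with much larger stretches. If these are meant to stay as opt-in examples, a one-line comment stating why they are disabled, e.g. `# tmux auto-attach disabled on purpose: <reason>`, would make that explicit instead of leaving the reader to guess.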
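Review bot: `export GPGKEY=8BF422F7` keeps a short 8-hex key ID while the muttrc in the same commit switches to the full fingerprint `0x8BF422F79FC7C975BDF07828E88440BC35095A74`. Short key IDs are collision-prone, so any tool that reads GPGKEY to pick a key is better given the fingerprint, `export GPGKEY=8BF422F79FC7C975BDF07828E88440BC35095A74`, which also keeps the two files naming the same key in one form.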
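Review bot: The new comment `# Torn on mouse` misspells "Turn"; `# Turn on mouse`. The same typo appears in the LOG target description of tools/scipts/iptables.sh (`# Torn on kernel logging`).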
@@ -0,0 +1,103 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Host Description</title> + </head> + <body> + <a href="index.html">Documentation Index</a> + <h1>Host Description</h1> + + <h2>Core</h2> + <dl> + <dt>Base OS</dt> + <dd>Gnu/Linux Crux 3.2<dd> + <dd><a href="core/install.html#step1">Download</a></dd> + + <dt>Package Management</dt> + <dd><a href="core/ports.html">Ports</a></dd> + <dd><a href="core/package.html">Package Management</a></dd> + + <dt>Storage</dt> + <dd>Ext4, Btrfs</dd> + <dd><a href="core/install.html#step2">Partitions</a></dd> + <dd><a href="core/configure.html#fstab">Fstab</a></dd> + + <dt>Hostname</dt> + <dd>c9</dd> + <dd><a href="core/configure.html#hostname">Hostname</a></dd> + </dl> + + <h2>Network</h2> + + <dl> + <dt>Network</dt> + + <dd>Network is + <a href="core/network.html">configured</a> via init + scripts, <a href="core/conf/rc.d/net">/etc/rc.d/net</a> + script is targeted to configure ethernet interface while + <a href="core/conf/rc.d/wlan">/etc/rc.d/wlan</a> + for handling wireless interface. Wlan script always call + dhcpd to listen on wireless interface. + Both scripts setup default gateway route.</dd> + + <dt>Firewall</dt> + + <dd>Firewall is configured using + <a href="core/network.html#iptables">iptables</a> with help + of <a href="core/script/iptables.sh">iptables.sh</a> script.</dd> + + <dt>Access Point/Router</dt> + + <dd>Wireless interface <a href="tools/wireless.html">handle access point</a>. 
+ </dd> + <dd><a href="tools/hostapd.html">Access Point</a></dd> + + <dt>FQDN</dt> + + <dd>core.privat-server.net</dd> + <dd><a href="core/configure.html#hostname">Hostname</a></dd> + <dd><a href="core/exim.html#cert">Exim certificates</a></dd> + <dd><a href="tools/network.html#dnsmasq">Dnsmasq</a></dd> + <dd><a href="tools/gpg.html#genkey">Exim certificates</a></dd> + + <dt>DNS</dt> + <dd><a href="tools/network.html#dnscrypt">Dns encryption</a></dd> + <dd><a href="tools/network.html#dnsmasq">Dns cache</a></dd> + </dl> + + <h2>DevOps</h2> + <dl> + <dt>Dns</dt> + <dd><a href="tools/network.html#dnsmasq">Dns Server</a></dd> + + <dt>SSH</dt> + <dd><a href="tools/openssh.html">SSH Server</a></dd> + <dd><a href="tools/openssh.html#sshid">Local Identities</a></dd> + + <dt>Git</dt> + <dd><a href="tools/gitolite.html">Gitolite</a></dd> + + <dt>Database</dt> + <dd><a href="tools/postgresql.html">Postgresql</a></dd> + + <dt>Web Server</dt> + <dd><a href="tools/nginx.html">Nginx</a></dd> + + </dl> + + <h2>Services</h2> + <dl> + <dt>Main Web Portal</dt> + <dd><a href="dev/laravel-app.html">Web Application</a></dd> + </dl> + + <a href="index.html">Documentation Index</a> + <p>This is part of the c9 Manual. + Copyright (C) 2016 + c9 team. + See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + </body> +</html> diff --git a/tools/conf/etc/skel/.mutt/muttrc b/tools/conf/etc/skel/.mutt/muttrc index aa41d50..6ec1da4 100644 --- a/tools/conf/etc/skel/.mutt/muttrc +++ b/tools/conf/etc/skel/.mutt/muttrc 
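Review bot: `<dd>Gnu/Linux Crux 3.2<dd>` opens a second `<dd>` instead of closing the first; it should read `<dd>Gnu/Linux Crux 3.2</dd>`. The Firewall entry links to `core/script/iptables.sh`, but the script this commit adds is at `tools/scipts/iptables.sh` (the directory name itself looks like a typo for `scripts`), so the link is dead as committed. Under FQDN, the `tools/gpg.html#genkey` entry is labelled "Exim certificates" exactly like the `core/exim.html#cert` entry above it — presumably it was meant to read "GPG keys" or similar.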
@@ -13,32 +13,22 @@ set duplicate_threads=yes set crypt_use_gpgme=yes -set pgp_timeout=1800 +## automatically sign all outgoing messages +set crypt_autosign=yes -## sign only replies to signed messages -set crypt_replysign=yes +## automatically encrypt outgoing messages +set crypt_autoencrypt=yes -## encrypt and sign replies to encrypted messages -set crypt_replysignencrypted=yes +## automatically verify the sign of a message when opened +set crypt_verify_sig=yes -#source ~/.mutt/gpg.rc -# -#set pgp_autosign=yes -#set pgp_sign_as=0xEE29B7D3 +set pgp_sign_as=0x8BF422F79FC7C975BDF07828E88440BC35095A74 +#set pgp_sign_as=0x8BF422F7 +set pgp_timeout=1800 +set pgp_autosign=yes #set pgp_replyencrypt=yes -# -## automatically sign all outgoing messages -#set crypt_autosign -# -## automatically encrypt outgoing messages -##set crypt_autoencrypt=yes -# -## encrypt only replies to signed messages -#set crypt_replyencrypt=yes -# -## automatically verify the sign of a message when opened -#set crypt_verify_sig=yes -# + +source ~/.mutt/gpg.rc source "~/.mutt/mail_alias" set alias_file=~/.mutt/mail_alias diff --git a/tools/conf/etc/skel/.vimrc b/tools/conf/etc/skel/.vimrc index cf143fd..9958538 100644 --- a/tools/conf/etc/skel/.vimrc +++ b/tools/conf/etc/skel/.vimrc 
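Review bot: `set pgp_autosign=yes` duplicates the `set crypt_autosign=yes` added a few lines above — `pgp_autosign` is the legacy synonym of `crypt_autosign` — so only the `crypt_` form should stay. With `set crypt_use_gpgme=yes` in force (the context line at the top of the hunk), the classic `pgp_*_command` definitions that `~/.mutt/gpg.rc` provides are not used and `pgp_timeout` (the classic backend's passphrase cache) presumably has no effect either, so the re-added `source ~/.mutt/gpg.rc` and `set pgp_timeout=1800` look like dead configuration: if gpgme is intended, drop them, otherwise drop `crypt_use_gpgme`. `set crypt_autoencrypt=yes` means every outgoing message needs a usable key for each recipient, which is worth a comment next to it since sending to anyone without one will now stall at the key prompt. Moving `pgp_sign_as` to the full fingerprint is the right call. The same block is repeated verbatim in tools/mutt.html, where all of this applies as well.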
@@ -1,26 +1,10 @@ -" An example for a vimrc file. -" -" Maintainer: Bram Moolenaar <Bram@vim.org> -" Last change: 2015 Mar 24 -" -" To use it, copy it to -" for Unix and OS/2: ~/.vimrc -" for Amiga: s:.vimrc -" for MS-DOS and Win32: $VIM\_vimrc -" for OpenVMS: sys$login:.vimrc - -" When started as "evim", evim.vim will already have done these settings. -if v:progname =~? "evim" - finish -endif - " Use Vim settings, rather than Vi settings (much better!). " This must be first, because it changes other options as a side effect. set nocompatible -" allow backspacing over everything in insert mode -set backspace=indent,eol,start - +"" allow backspacing over everything in insert mode +"set backspace=indent,eol,start +" if has("vms") set nobackup " do not keep a backup file, use versions instead else 
@@ -33,118 +17,119 @@ set ruler " show the cursor position all the time set showcmd " display incomplete commands set incsearch " do incremental searching -" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries -" let &guioptions = substitute(&guioptions, "t", "", "g") - -" Don't use Ex mode, use Q for formatting -map Q gq - -" CTRL-U in insert mode deletes a lot. Use CTRL-G u to first break undo, -" so that you can undo CTRL-U after inserting a line break. -inoremap <C-U> <C-G>u<C-U> - -" In many terminal emulators the mouse works just fine, thus enable it. -if has('mouse') - set mouse=a -endif - -" Switch syntax highlighting on, when the terminal has colors -" Also switch on highlighting the last used search pattern. +"" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries +"" let &guioptions = substitute(&guioptions, "t", "", "g") +" +"" Don't use Ex mode, use Q for formatting +"map Q gq +" +"" CTRL-U in insert mode deletes a lot. Use CTRL-G u to first break undo, +"" so that you can undo CTRL-U after inserting a line break. +"inoremap <C-U> <C-G>u<C-U> +" +"" In many terminal emulators the mouse works just fine, thus enable it. +"if has('mouse') +" set mouse=a +"endif +" +"" Switch syntax highlighting on, when the terminal has colors +"" Also switch on highlighting the last used search pattern. if &t_Co > 2 || has("gui_running") syntax on set hlsearch colorscheme wombat256mod endif -" Only do this part when compiled with support for autocommands. -if has("autocmd") - - " Enable file type detection. - " Use the default filetype settings, so that mail gets 'tw' set to 72, - " 'cindent' is on in C files, etc. - " Also load indent files, to automatically do language-dependent indenting. - filetype plugin indent on - - " Put these in an autocmd group, so that we can delete them easily. - augroup vimrcEx - au! - - " For all text files set 'textwidth' to 78 characters. 
- autocmd FileType text setlocal textwidth=78 - - " When editing a file, always jump to the last known cursor position. - " Don't do it when the position is invalid or when inside an event handler - " (happens when dropping a file on gvim). - autocmd BufReadPost * - \ if line("'\"") >= 1 && line("'\"") <= line("$") | - \ exe "normal! g`\"" | - \ endif - - augroup END - -else - - set autoindent " always set autoindenting on - -endif " has("autocmd") - -" Convenient command to see the difference between the current buffer and the -" file it was loaded from, thus the changes you made. -" Only define it when not defined already. -if !exists(":DiffOrig") - command DiffOrig vert new | set bt=nofile | r ++edit # | 0d_ | diffthis - \ | wincmd p | diffthis -endif - -if has('langmap') && exists('+langnoremap') - " Prevent that the langmap option applies to characters that result from a - " mapping. If unset (default), this may break plugins (but it's backward - " compatible). - set langnoremap -endif - +" +"" Only do this part when compiled with support for autocommands. +"if has("autocmd") +" +" " Enable file type detection. +" " Use the default filetype settings, so that mail gets 'tw' set to 72, +" " 'cindent' is on in C files, etc. +" " Also load indent files, to automatically do language-dependent indenting. +" filetype plugin indent on +" +" " Put these in an autocmd group, so that we can delete them easily. +" augroup vimrcEx +" au! +" +" " For all text files set 'textwidth' to 78 characters. +" autocmd FileType text setlocal textwidth=78 +" +" " When editing a file, always jump to the last known cursor position. +" " Don't do it when the position is invalid or when inside an event handler +" " (happens when dropping a file on gvim). +" autocmd BufReadPost * +" \ if line("'\"") >= 1 && line("'\"") <= line("$") | +" \ exe "normal! 
g`\"" | +" \ endif +" +" augroup END +" +"else +" +" set autoindent " always set autoindenting on +" +"endif " has("autocmd") +" +"" Convenient command to see the difference between the current buffer and the +"" file it was loaded from, thus the changes you made. +"" Only define it when not defined already. +"if !exists(":DiffOrig") +" command DiffOrig vert new | set bt=nofile | r ++edit # | 0d_ | diffthis +" \ | wincmd p | diffthis +"endif +" +"if has('langmap') && exists('+langnoremap') +" " Prevent that the langmap option applies to characters that result from a +" " mapping. If unset (default), this may break plugins (but it's backward +" " compatible). +" set langnoremap +"endif +" map <F2> :tabnew map <F3> :tabprevious<CR> map <F4> :tabnext<CR> - -" Show Line Numbers +" +"" Show Line Numbers set nu -set complete=.,b,u,] -set wildmode=longest,list:longest -set completeopt=menu,preview - -" Directories +"set complete=.,b,u,] +"set wildmode=longest,list:longest +"set completeopt=menu,preview +" +"" Directories set backupdir=~/.vim/backup set undodir=~/.vim/undodir set viewdir=~/.vim/views set directory=~/.vim/swap - -" Spell Check +" +"" Spell Check set spell spelllang=en_us - -" Strips whitespace +" +"" Strips whitespace nnoremap <leader>W :%s/\s\+$//<cr>:let @/=''<CR> - -" Whitespace fixes +" +"" Whitespace fixes highlight ExtraWhitespace ctermbg=red guibg=red + match ExtraWhitespace /\s\+$/ autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/ autocmd InsertLeave * match ExtraWhitespace /\s\+$/ autocmd BufWinLeave * call clearmatches() - - -" For tab characters that appear 4-spaces-wide -set tabstop=4 -" If you're using actual tab character in your source code you probably also -" want these settings (these are actually the defaults,set them defensively): -set softtabstop=0 noexpandtab -" Finally, if you want an indent to correspond to a single tab, you should also use: -set shiftwidth=4 -" For indents 
that consist of 4 space characters but are entered with the tab key: +" +" +"" For tab characters that appear 4-spaces-wide +"set tabstop=4 +"" If you're using actual tab character in your source code you probably also +"" want these settings (these are actually the defaults,set them defensively): +"set softtabstop=0 noexpandtab +"" Finally, if you want an indent to correspond to a single tab, you should also use: +""set shiftwidth=4 +"" For indents that consist of 4 space characters but are entered with the tab key: set tabstop=8 softtabstop=0 expandtab shiftwidth=4 smarttab -set list -" set past gives problems with tabs -" set paste - - +"set list +"" set past gives problems with tabs +"" set paste +"" diff --git a/tools/gnupg.html b/tools/gnupg.html index f3feed1..53ca088 100644 --- a/tools/gnupg.html +++ b/tools/gnupg.html @@ -25,6 +25,11 @@ $ sudo cp /usr/share/gnupg/gpg-conf.skel /etc/skel/.gnupg/gpg.conf </pre> + <pre> + $ chmod 700 ~/.gnupg + $ chmod -R 600 ~/.gnupg/* + </pre> + <h2 id="genkey">2. Generate keys</h2> <p>Options for creating a DSA and ElGamal key;</p> diff --git a/tools/index.html b/tools/index.html index 55cf6c4..e5adac6 100644 --- a/tools/index.html +++ b/tools/index.html @@ -27,7 +27,7 @@ <ul> <li><a href="vim.html#vimrc">1. Vim RC</a></li> <li><a href="vim.html#color">2. Color schemes</a></li> - <li><a href="vim.html#spacetab">3. Spaces and tabs</a></li> + <li><a href="vim.html#spacetab">3. Split and tab</a></li> <li><a href="vim.html#block">4. Editing Files</a></li> <li><a href="vim.html#spellcheck">5. Spell check</a></li> <li><a href="vim.html#plugin">6. Plugins</a></li> diff --git a/tools/mutt.html b/tools/mutt.html index 276fb51..ef7cdbd 100644 --- a/tools/mutt.html +++ b/tools/mutt.html 
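Review bot: `$ chmod -R 600 ~/.gnupg/*` recurses into the subdirectories gpg keeps under `~/.gnupg` (for example the private-key directory of newer gpg versions) and strips their execute bit, which makes them untraversable and breaks gpg until they are set back to 700; only regular files should be 600. Replace that line with `$ find ~/.gnupg -type d -exec chmod 700 {} +` and `$ find ~/.gnupg -type f -exec chmod 600 {} +`, which also covers the `chmod 700 ~/.gnupg` line above it. The `~/.gnupg/*` glob additionally skips any dotfiles in that directory, so the recursive form would have missed those even for plain files.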
@@ -90,7 +90,7 @@ <p>Lets start configuring the two accounts, one for host system email and another for external email account. Change pgp_sign_as according to your specific sub key for signing. Change - <a href="../conf/etc/skel/.mutt/muttrc">muttrc</a> with your + <a href="conf/etc/skel/.mutt/muttrc">muttrc</a> with your preferences;</p> <pre> @@ -111,30 +111,24 @@ set sort_aux=reverse-last-date-received set duplicate_threads=yes - source ~/.mutt/gpg.rc - - set pgp_autosign=yes - set pgp_sign_as=0x1D327CA1 - set pgp_replyencrypt=yes - set pgp_timeout=1800 + set crypt_use_gpgme=yes - # automatically sign all outgoing messages - set crypt_autosign + ## automatically sign all outgoing messages + set crypt_autosign=yes - # sign only replies to signed messages - set crypt_replysign + ## automatically encrypt outgoing messages + set crypt_autoencrypt=yes - # automatically encrypt outgoing messages - #set crypt_autoencrypt=yes - - # encrypt only replies to signed messages - set crypt_replyencrypt=yes + ## automatically verify the sign of a message when opened + set crypt_verify_sig=yes - # encrypt and sign replies to encrypted messages - set crypt_replysignencrypted=yes + set pgp_sign_as=0x8BF422F79FC7C975BDF07828E88440BC35095A74 + #set pgp_sign_as=0x8BF422F7 + set pgp_timeout=1800 + set pgp_autosign=yes + #set pgp_replyencrypt=yes - # automatically verify the sign of a message when opened - set crypt_verify_sig=yes + source ~/.mutt/gpg.rc source "~/.mutt/mail_alias" set alias_file=~/.mutt/mail_alias 
@@ -144,37 +138,38 @@ set message_cachedir =~/.mutt/cache/bodies set certificate_file =~/.mutt/certificates - set timeout=10 # mutt 'presses' (like) a key for you - #(while you're idle) each x sec to trigger + set timeout=10 # mutt 'presses' (like) a key for you + #(while you're idle) each x sec to trigger #the thing below set mail_check=5 # mutt checks for new mails on every keystroke # but not more often then once in 5 seconds set beep_new # beep on new messages in the mailboxes ## Local system account - folder-hook 'Mail' 'source ~/.mutt/system' + folder-hook '.mail' 'source ~/.mutt/system' ## Remote account - folder-hook 'MailExt' 'source ~/.mutt/external' + folder-hook '.mailext' 'source ~/.mutt/external' ## Default account - source "~/.mutt/system" + source ~/.mutt/system ## Shortcuts + macro index,pager <f3> '<sync-mailbox><enter-command>source ~/.mutt/external<enter><change-folder>!<enter>' + macro index,pager <f2> '<sync-mailbox><enter-command>source ~/.mutt/system<enter><change-folder>!<enter>' - macro index,pager <f3> '<sync-mailbox><enter-command<>source ~/.mutt/external<enter><change-folder>!<enter>' </pre> - <h3 id="system">9.2.1. System Email</h3> + <h3 id="system">2.1. System Email</h3> - <p>Content of <a href="../conf/etc/skel/.mutt/system">.mutt/system</a>;</p> + <p>Content of <a href="conf/etc/skel/.mutt/system">.mutt/system</a>;</p> <pre> color status green default set folder="~/.mail" set mbox_type=Maildir - set spoolfile=/var/spool/mail/c1admin + set spoolfile=/var/spool/mail/c9admin set keep_flagged=yes set mbox="~/.mail" # ~/.mailext/read_inbox @@ -193,8 +188,8 @@ unset pop_host unset smtp_url - set realname='droid' - set from=droid@c13 + set realname='c9admin' + set from=c9admin@localhost </pre> <p>Create folder;</p> 
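Review bot: `folder-hook '.mail' 'source ~/.mutt/system'` and `folder-hook '.mailext' 'source ~/.mutt/external'` are regular expressions matched against the folder path, so `.mail` also matches `~/.mailext`; on entering the external mailbox both hooks fire in order, and the settings only come out right because the external hook happens to be listed second. Anchoring the pattern, `folder-hook '\.mail$' 'source ~/.mutt/system'`, makes the selection explicit instead of order-dependent. The same two hook lines presumably exist in the shipped `.mutt` configuration and should be changed together.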
@@ -203,9 +198,9 @@ $ mkdir -p ~/.mail/{cur,new,tmp} </pre> - <h3 id="external">9.2.2. External Email</h3> + <h3 id="external">2.2. External Email</h3> - <p>Edit <a href="../conf/etc/skel/.mutt/external">.mutt/external</a>;</p> + <p>Edit <a href="conf/etc/skel/.mutt/external">.mutt/external</a>;</p> <pre> color status blue default @@ -242,7 +237,7 @@ $ mkdir -p ~/.mailext/{cur,new,tmp} </pre> - <h2 id="usemutt">9.3. Using Mutt</h2> + <h2 id="usemutt">3. Using Mutt</h2> <p>When listing messages the status flag mean;</p> @@ -275,7 +270,7 @@ <p>If you need to manually create a folder;</p> - <h3 id="tagmail">9.3.1. Tag Email</h3> + <h3 id="tagmail">3.1. Tag Email</h3> <p>Just press shift-T and then read @@ -284,7 +279,7 @@ mark all taged for deletion.<p> - <h3 id="alias">9.3.2. Address alias</h3> + <h3 id="alias">3.2. Address alias</h3> <p><a href="http://dev.mutt.org/trac/wiki/MuttGuide/Aliases">Alias</a> makes easy to manage email addresses. Add this to your muttrc;</p> @@ -296,7 +291,7 @@ <p>While on index or page press "a" to add address to alias file.</p> - <h3 id="gpgkeys">9.3.3. GPG Keys</h3> + <h3 id="gpgkeys">3.3. GPG Keys</h3> <p>Import a public key from email;</p> @@ -306,15 +301,12 @@ <p>^K is CTRL+K</p> - <a href="index.html">Systools Index</a> + <a href="index.html">Tools Index</a> <p> This is part of the SysDoc Manual. Copyright (C) 2016 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> - - - </body> </html> diff --git a/tools/scipts/iptables.sh b/tools/scipts/iptables.sh new file mode 100644 index 0000000..3215633 --- /dev/null +++ b/tools/scipts/iptables.sh 
@@ -0,0 +1,337 @@ +#!/bin/sh + +# +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] -I chain [rulenum] rule-specification +# +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum +# +# iptables [-t table] -S [chain [rulenum]] +# +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] +# +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. 
+# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. 
+# -c, --set-counters packets bytes
+
+IPT="/usr/sbin/iptables"
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+PUB_IF="wlp7s0"
+DHCP_SERV="192.168.1.254"
+#PUB_IP="192.168.1.65"
+#PRIV_IF="wlp3s0"
+
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+
+echo "Stopping ipv4 firewall and deny everyone..."
+
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
+
+echo "Starting ipv4 firewall filter table..."
+
+# Set Default Rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Unlimited on local
+$IPT -A INPUT -i lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
+
+# Block sync
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Block Fragments
+$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+$IPT -A INPUT -f -j DROP
+
+# Block bad stuff
+$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+
+$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+##### Add your AP rules below ######
+
+#echo 1 > /proc/sys/net/ipv4/ip_forward
+#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+#$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
+#$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
+
+#$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
+#$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
+
+##### Server rules below ######
+
+#echo "Allow ICMP"
+#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT
+
+#echo "Allow DNS Server"
+#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT
+
+#echo "Allow HTTP and HTTPS server"
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+
+#echo "Allow ssh server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
+
+##### Add your rules below ######
+
+echo "Allow DNS Client"
+
+#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow Whois Client"
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow HTTP Client"
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+
+echo "Allow Rsync Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow POP3S Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow SMTPS Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow NTP Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
+
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow IRC Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT
+
+echo "Allow Active FTP Client"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow Git"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT
+
+echo "Allow ssh client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+
+#echo "Allow Passive Connections"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+# echo "Allow FairCoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT
+#
+# echo "Allow Dashcoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT
+#
+# echo "Allow warzone2100"
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT
+#
+# echo "Allow wesnoth"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT
+
+##### END your rules ############
+# Less log of known traffic
+
+# RIP protocol
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP
+
+# DHCP
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_SERV -j ACCEPT
+
+# log everything else and drop
+$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+
+exit 0
diff --git a/tools/vim.html b/tools/vim.html
index 03ba767..d483e29 100644
--- a/tools/vim.html
+++ b/tools/vim.html
@@ -46,7 +46,20 @@ <h2 id="spacetab">5.3. Split and tab</h2> - <p>:sp</p> + <p>Horizontal split;</p> + <pre> + :sp + </pre> + + <p>Vertical split;</p> + <pre> + :sp + </pre> + + <p>Move between window splits;</p> + <pre> + ctrl+w (k,j,l,h) + </pre> <h2 id="edit">5.4. Editing files</h2> |
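Review bot: The flush block (`iptables -F` through `iptables -t security -X`) runs before the three `iptables -P … DROP` lines, so if the chains are at their ACCEPT defaults when the script starts (first boot, or after a reset) the host is briefly unfiltered; set the DROP policies first, then flush. The DHCP reply rule `$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_SERV -j ACCEPT` has the ports reversed — server replies arrive from source port 67 to destination port 68 — so as written they fall through to the final LOG and the DROP policy. Those final `-A INPUT/OUTPUT/FORWARD -j LOG` rules carry no `-m limit`, unlike every earlier LOG rule, so any noisy peer can fill the kernel log; give them the same `-m limit --limit 5/m --limit-burst 7`. Smaller points: the flush and policy lines use bare `iptables` while everything else uses `$IPT`, `SPAMLIST`/`SPAMDROPMSG` are never used, and `modprobe ip_conntrack`/`ip_conntrack_ftp` are the pre-nf_conntrack module names, which a current kernel will presumably not find (there is no `set -e`, so the script simply continues). With the "Allow DNS Client" rules commented out, name resolution appears to rely on a local resolver that talks out over the udp/tcp 443 rules — a comment stating that assumption would save the next reader from re-enabling port 53 by reflex.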