about summary refs log tree commit diff stats
path: root/core/conf
diff options
context:
space:
mode:
Diffstat (limited to 'core/conf')
-rw-r--r--core/conf/apparmor/parser.conf2
-rw-r--r--core/conf/iptables/bridge.v4223
-rw-r--r--core/conf/iptables/client.v4 (renamed from core/conf/iptables/open.v4)21
-rw-r--r--core/conf/iptables/ipt-bridge.sh8
-rw-r--r--core/conf/iptables/ipt-client.sh (renamed from core/conf/iptables/ipt-open.sh)5
-rw-r--r--core/conf/iptables/ipt-conf.sh16
-rw-r--r--core/conf/iptables/ipt-server.sh2
-rw-r--r--core/conf/rc.d/iptables86
-rw-r--r--core/conf/skel/.bashrc4
-rw-r--r--core/conf/sysctl.conf10
10 files changed, 329 insertions, 48 deletions
diff --git a/core/conf/apparmor/parser.conf b/core/conf/apparmor/parser.conf
new file mode 100644
index 0000000..673d30a
--- /dev/null
+++ b/core/conf/apparmor/parser.conf
@@ -0,0 +1,2 @@
+## Turn creating/updating of the cache on by default
+write-cache
diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4
new file mode 100644
index 0000000..4930262
--- /dev/null
+++ b/core/conf/iptables/bridge.v4
@@ -0,0 +1,223 @@
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
+*raw
+:PREROUTING ACCEPT [2:80]
+:OUTPUT ACCEPT [3:4544]
+COMMIT
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
+*mangle
+:PREROUTING ACCEPT [2:80]
+:INPUT ACCEPT [2:80]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [3:4544]
+:POSTROUTING ACCEPT [2:2292]
+COMMIT
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:cli_dns_in - [0:0]
+:cli_dns_out - [0:0]
+:cli_ftp_in - [0:0]
+:cli_ftp_out - [0:0]
+:cli_git_in - [0:0]
+:cli_git_out - [0:0]
+:cli_gpg_in - [0:0]
+:cli_gpg_out - [0:0]
+:cli_http_in - [0:0]
+:cli_http_out - [0:0]
+:cli_https_in - [0:0]
+:cli_https_out - [0:0]
+:cli_irc_in - [0:0]
+:cli_irc_out - [0:0]
+:cli_pops_in - [0:0]
+:cli_pops_out - [0:0]
+:cli_smtps_in - [0:0]
+:cli_smtps_out - [0:0]
+:cli_ssh_in - [0:0]
+:cli_ssh_out - [0:0]
+:srv_db_in - [0:0]
+:srv_db_out - [0:0]
+:srv_dhcp - [0:0]
+:srv_dns_in - [0:0]
+:srv_dns_out - [0:0]
+:srv_git_in - [0:0]
+:srv_git_out - [0:0]
+:srv_http_in - [0:0]
+:srv_http_out - [0:0]
+:srv_https_in - [0:0]
+:srv_https_out - [0:0]
+:srv_icmp - [0:0]
+:srv_rip - [0:0]
+:srv_ssh_in - [0:0]
+:srv_ssh_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 3030 --dport 1024:65535 -j DROP
+-A INPUT -i br0 -j srv_dhcp
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in
+-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
+-A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp
+-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
+-A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in
+-A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
+-A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in
+-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 519 -j DROP
+-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 520 -j DROP
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
+-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 3030 -j DROP
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dhcp
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dns_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_ssh_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_git_out
+-A OUTPUT -o br0 -j srv_icmp
+-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o br0 -j cli_dns_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_ssh_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_git_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
+-A cli_dns_in -j RETURN
+-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A cli_dns_out -j RETURN
+-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -j RETURN
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -j RETURN
+-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_git_in -j RETURN
+-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_git_out -j RETURN
+-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_gpg_in -j RETURN
+-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_gpg_out -j RETURN
+-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -j RETURN
+-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -j RETURN
+-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -j RETURN
+-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -j RETURN
+-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_irc_in -j RETURN
+-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_irc_out -j RETURN
+-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_pops_in -j RETURN
+-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_pops_out -j RETURN
+-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_smtps_in -j RETURN
+-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_smtps_out -j RETURN
+-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -j RETURN
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -j RETURN
+-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_db_in -j RETURN
+-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_db_out -j RETURN
+-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT
+-A srv_dhcp -j RETURN
+-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -j RETURN
+-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -j RETURN
+-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_git_in -j RETURN
+-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_git_out -j RETURN
+-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_http_in -j RETURN
+-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_http_out -j RETURN
+-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_https_in -j RETURN
+-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_https_out -j RETURN
+-A srv_icmp -p icmp -j ACCEPT
+-A srv_icmp -j RETURN
+-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A srv_rip -j RETURN
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -j RETURN
+-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -j RETURN
+COMMIT
+# Completed on Fri Jun 28 01:22:10 2019
diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/client.v4
index 30e476d..91b564d 100644
--- a/core/conf/iptables/open.v4
+++ b/core/conf/iptables/client.v4
@@ -1,25 +1,25 @@
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *security
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *raw
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -27,8 +27,8 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -97,6 +97,7 @@ COMMIT
 -A OUTPUT -o wlp9s0 -j cli_irc_out
 -A OUTPUT -o wlp9s0 -j cli_ftp_out
 -A OUTPUT -o wlp9s0 -j cli_gpg_out
+-A OUTPUT -o wlp9s0 -p udp -m udp --sport 1024:65511 --dport 1024:65535 -j ACCEPT
 -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
@@ -207,4 +208,4 @@ COMMIT
 -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A srv_ssh_out -j RETURN
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index cd93687..694c22f 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -50,8 +50,10 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.3 -j cli_http_in
 ##Less noise
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 520 --sport 520 -j DROP
 
 ######## Input Chain ######
 $IPT -A INPUT -j blocker
@@ -67,12 +69,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
-$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
 
 #$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
 #$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
@@ -133,4 +135,4 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 ## log everything else and drop
 ipt_log
 
-iptables-save > bridge.v4
+iptables-save > /etc/iptables/bridge.v4
diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-client.sh
index 3ef1254..65df9e4 100644
--- a/core/conf/iptables/ipt-open.sh
+++ b/core/conf/iptables/ipt-client.sh
@@ -24,6 +24,7 @@ $IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in
 $IPT -A INPUT -i ${PUB_IF} -j cli_irc_in
 $IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in
 $IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -j ACCEPT
 
 
 ####### Output Chain ######
@@ -40,8 +41,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out
 $IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out
 $IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out
 $IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:655335 --dport 1024:65535 -j ACCEPT
 
 ## log everything else and drop
 ipt_log
-
-iptables-save > open.v4
+iptables-save > /etc/iptables/client.v4
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index c3dac16..dcea837 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -5,19 +5,23 @@ IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
 
-# public interface to network/internet
+# bridge interface with interface facing gateway
 BR_IF="br0"
+# bridge ip network address
 BR_NET="10.0.0.0/8"
+# network gateway
 GW="10.0.0.1"
-#GW="10.0.0.2"
-#DNS="10.0.0.254"
+# external dns
 DNS="212.55.154.174"
-#DNS="8.8.8.8"
 
+# static machine ip address
 PUB_IP="10.0.0.254"
+
+# public interface facing gateway
 PUB_IF="enp8s0"
 
-# private interface for virtual/internal
+# wifi interface
 WIFI_IF="wlp7s0"
-#WIFI_NET="192.168.1.0/24"
+
+# static wifi ip network address
 WIFI_NET="10.0.0.0/8"
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 370db60..e557193 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -43,4 +43,4 @@ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
 ## log everything else and drop
 ipt_log
 
-iptables-save > server.v4
+iptables-save > /etc/iptables/server.v4
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index cc7c765..f8b7881 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,35 +1,31 @@
+#!/bin/bash
 
 IPT="/usr/sbin/iptables"
-TYPE=bridge
+#TYPE=bridge
 #TYPE=server
-#TYPE=open
+TYPE=open
+#TYPE=client
 
-echo "clear all iptables tables"
+clear_ipt() {
 
-${IPT} -F
-${IPT} -X
-${IPT} -t nat -F
-${IPT} -t nat -X
-${IPT} -t mangle -F
-${IPT} -t mangle -X
-${IPT} -t raw -F
-${IPT} -t raw -X
-${IPT} -t security -F
-${IPT} -t security -X
+	${IPT} -F
+	${IPT} -X
+	${IPT} -t nat -F
+	${IPT} -t nat -X
+	${IPT} -t mangle -F
+	${IPT} -t mangle -X
+	${IPT} -t raw -F
+	${IPT} -t raw -X
+	${IPT} -t security -F
+	${IPT} -t security -X
 
-# Set Default Rules
-${IPT} -P INPUT DROP
-${IPT} -P FORWARD DROP
-${IPT} -P OUTPUT DROP
-
-${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+}
 
 case $1 in
 	start)
             case $TYPE in
                 bridge)
-
+		    clear_ipt
                     echo "setting bridge network..."
                     echo 1 > /proc/sys/net/ipv4/ip_forward
 
@@ -38,23 +34,63 @@ case $1 in
 
    		;;
 		server)
-
+		    clear_ipt
                     echo "setting server network..."
                     ## load server configuration
                     iptables-restore /etc/iptables/server.v4
 
 		;;
-		open)
-
+		client)
+		    clear_ipt
                     echo "setting client network..."
                     ## load client configuration
-                    iptables-restore /etc/iptables/open.v4
+                    iptables-restore /etc/iptables/client.v4
+		;;
+		open)
+		    clear_ipt
+                    echo "setting open network..."
+                    ## load client configuration
+
+			${IPT} -P INPUT DROP
+			${IPT} -P FORWARD DROP
+			${IPT} -P OUTPUT ACCEPT
+
+			${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+			${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+			${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+			${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+			${IPT} -A OUTPUT  -j ACCEPT
+
+			${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+			${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+			#${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+
 
 		;;
 	    esac
 	;;
         stop)
+		echo "clear all iptables tables"
+		clear_ipt
+		# Set Default Rules
+		${IPT} -P INPUT DROP
+		${IPT} -P FORWARD DROP
+		${IPT} -P OUTPUT DROP
+
+		${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+		${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+		${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
 
+
+	;;
+	restart)
+		clear_ipt
+        	$0 start
+        ;;
+	status)
+		${IPT} -v
 	;;
 	*)
 	    echo "Usage: $0 [start|stop]"
diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc
index 88cf24c..55d1c78 100644
--- a/core/conf/skel/.bashrc
+++ b/core/conf/skel/.bashrc
@@ -22,12 +22,14 @@ HISTSIZE=1000
 HISTFILESIZE=2000
 
 
+alias diff='diff --color=auto'
+alias grep='grep --color=auto'
+alias ls='ls -ph --color=auto'
 alias rm='rm -i'
 #alias cp='cp -i'
 alias mv='mv -i'
 # Prevents accidentally clobbering files.
 alias mkdir='mkdir -p'
-
 alias h='history'
 alias hg='history | grep'
 alias j='jobs -l'
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index 771112a..3cc54d1 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -15,6 +15,9 @@ vm.mmap_min_addr=65536
 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
 kernel.pid_max = 65536
 
+#Yama LSM by default
+kernel.yama.ptrace_scope = 1
+
 #
 # Filesystem Protections
 #
@@ -30,6 +33,8 @@ kernel.kptr_restrict = 2
 # Network Protections
 #
 
+net.core.bpf_jit_enable = 0
+
 # Increase Linux auto tuning TCP buffer limits
 # min, default, and max number of bytes to use
 # set max to at least 4MB, or higher if you use very high BDP paths
@@ -39,6 +44,9 @@ net.core.wmem_max = 8388608
 net.core.netdev_max_backlog = 5000
 net.ipv4.tcp_window_scaling = 1
 
+#A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
+net.ipv4.tcp_sack = 0
+
 # Both ports linux-blob and linux-libre don't build with ipv6
 # Disable ipv6
 net.ipv6.conf.all.disable_ipv6 = 1
@@ -91,6 +99,7 @@ net.ipv4.conf.default.rp_filter = 1
 #net.ipv6.conf.default.rp_filter = 1
 #net.ipv6.conf.all.rp_filter = 1
 
+
 # Make sure no one can alter the routing tables
 # Act as a router, necessary for Access Point
 net.ipv4.conf.all.accept_redirects = 0
@@ -131,3 +140,4 @@ net.ipv4.tcp_keepalive_time = 1800
 net.ipv4.tcp_synack_retries = 3
 
 # End of file
+
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-11-16 16:52:41 +0000