about summary refs log tree commit diff stats
path: root/core/conf
diff options
context:
space:
mode:
Diffstat (limited to 'core/conf')
-rw-r--r--core/conf/iptables/iptables-lan.sh143
-rw-r--r--core/conf/iptables/rules.v476
-rw-r--r--core/conf/sysctl.conf148
3 files changed, 217 insertions, 150 deletions
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh
index fae7345..58d92c3 100644
--- a/core/conf/iptables/iptables-lan.sh
+++ b/core/conf/iptables/iptables-lan.sh
@@ -26,8 +26,7 @@ NIC_NAME="enp8s0 wlp7s0"
 
 # Logging options.
 #------------------------------------------------------------------------------
-LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
-LOG="$LOG --log-ip-options"
+LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options"
 
 
 # Defaults for rate limiting
@@ -59,9 +58,9 @@ $MODPROBE ip_conntrack_irc
 # Drop everything by default.
 $IPTABLES -P INPUT DROP
 $IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT ACCEPT
+$IPTABLES -P OUTPUT DROP
 
-# Set the nat/mangle/raw tables' chains to ACCEPT
+# Set the nat/mangle/raw tables' chains to DROP
 
 $IPTABLES -t mangle -P PREROUTING ACCEPT
 $IPTABLES -t mangle -P INPUT ACCEPT
@@ -89,53 +88,58 @@ $IPTABLES -t mangle -Z
 
 # Block all IPv6 traffic
 # If the ip6tables command is available, try to block all IPv6 traffic.
-if test -x $IP6TABLES; then
+#if test -x $IP6TABLES; then
 # Set the default policies
 # drop everything
-$IP6TABLES -P INPUT DROP 2>/dev/null
-$IP6TABLES -P FORWARD DROP 2>/dev/null
-$IP6TABLES -P OUTPUT DROP 2>/dev/null
-
-# The mangle table can pass everything
-$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
-$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
+#$IP6TABLES -P INPUT DROP
+#$IP6TABLES -P FORWARD DROP
+#$IP6TABLES -P OUTPUT DROP
+#
+## The mangle table can pass everything
+#$IP6TABLES -t mangle -P PREROUTING ACCEPT
+#$IP6TABLES -t mangle -P INPUT ACCEPT
+#$IP6TABLES -t mangle -P FORWARD ACCEPT
+#$IP6TABLES -t mangle -P OUTPUT ACCEPT
+#$IP6TABLES -t mangle -P POSTROUTING ACCEPT
 
 # Delete all rules.
-$IP6TABLES -F 2>/dev/null
-$IP6TABLES -t mangle -F 2>/dev/null
-
-# Delete all chains.
-$IP6TABLES -X 2>/dev/null
-$IP6TABLES -t mangle -X 2>/dev/null
-
-# Zero all packets and counters.
-$IP6TABLES -Z 2>/dev/null
-$IP6TABLES -t mangle -Z 2>/dev/null
-fi
+#$IP6TABLES -F 2>/dev/null
+#$IP6TABLES -t mangle -F 2>/dev/null
+#
+## Delete all chains.
+#$IP6TABLES -X 2>/dev/null
+#$IP6TABLES -t mangle -X 2>/dev/null
+#
+## Zero all packets and counters.
+#$IP6TABLES -Z 2>/dev/null
+#$IP6TABLES -t mangle -Z 2>/dev/null
+#fi
 
 # Custom user-defined chains.
 #------------------------------------------------------------------------------
 
 # LOG packets, then ACCEPT.
 $IPTABLES -N ACCEPTLOG
-$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
+$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT "
 $IPTABLES -A ACCEPTLOG -j ACCEPT
 
 # LOG packets, then DROP.
 $IPTABLES -N DROPLOG
-$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
+$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP "
 $IPTABLES -A DROPLOG -j DROP
 
 # LOG packets, then REJECT.
 # TCP packets are rejected with a TCP reset.
 $IPTABLES -N REJECTLOG
-$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
+$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT "
 $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
 $IPTABLES -A REJECTLOG -j REJECT
 
+# Allow loopback interface to do anything.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+
 # Only allows RELATED ICMP types
 # (destination-unreachable, time-exceeded, and parameter-problem).
 # TODO: Rate-limit this traffic?
@@ -185,10 +189,6 @@ $IPTABLES -A FORWARD -p icmp -j DROPLOG
 # Selectively allow certain special types of traffic.
 #------------------------------------------------------------------------------
 
-# Allow loopback interface to do anything.
-$IPTABLES -A INPUT -i lo -j ACCEPT
-$IPTABLES -A OUTPUT -o lo -j ACCEPT
-
 # Allow incoming connections related to existing allowed connections.
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
@@ -199,7 +199,7 @@ $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 #------------------------------------------------------------------------------
 
 # We don't care about Milkosoft, Drop SMB/CIFS/etc..
-#                     ^ person before me; my label = psychogreedyevilsoft
+#                     ^ greedyevilsoft
 $IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
 $IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
 
@@ -234,12 +234,13 @@ $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
 
 $IPTABLES -A SYN_FLOOD -j DROP
 
-$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
-$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-
-$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
-$IPTABLES -A INPUT -f -j DROP
+#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7
+#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
 
+#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+#$IPTABLES -A INPUT -f -j DROP
+$IPTABLES -A INPUT -f -j DROPLOG
 
 # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
 
@@ -247,22 +248,67 @@ $IPTABLES -A INPUT -f -j DROP
 #------------------------------------------------------------------------------
 
 # Allow incoming SSH requests.
-$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
+# Allow incoming https server
+#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT
+
+
+# Selectively allow certain outbound connections, block the rest.
+#------------------------------------------------------------------------------
+#
+
+# Allow ping
+$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# Allow to ssh clients
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow to dns
+$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow irc
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to xmmp
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# Allow to rsync server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to pop3s server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to smtps server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ntp server
+$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ftp server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to https server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to http server
+$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+# Selectively allow certain outbound server connections, block the rest.
+#------------------------------------------------------------------------------
+
+# Allow from https server
+#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
+
+# Allow from dns server
+#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
 
 # Explicitly log and reject everything else.
 #------------------------------------------------------------------------------
 # Use REJECT instead of REJECTLOG if you don't need/want logging.
-$IPTABLES -A INPUT -j REJECTLOG
-$IPTABLES -A OUTPUT -j REJECTLOG
+$IPTABLES -A INPUT -j DROPLOG
+$IPTABLES -A OUTPUT -j DROPLOG
 $IPTABLES -A FORWARD -j REJECTLOG
 
 # Counter hits
 
-for i in $NIC_NAME
-do
-	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
-	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
-done
+#for i in $NIC_NAME
+#do
+#	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
+#	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
+#done
 
 #------------------------------------------------------------------------------
 # Testing the firewall.
@@ -273,5 +319,4 @@ done
 
 # Exit gracefully.
 #------------------------------------------------------------------------------
-
-    exit 0
+exit 0
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4
index 5a2ffe8..568455a 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/rules.v4
@@ -1,25 +1,25 @@
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *security
-:INPUT ACCEPT [3624:2121853]
+:INPUT ACCEPT [4559:2307887]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [3590:999020]
+:OUTPUT ACCEPT [4459:962215]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *raw
-:PREROUTING ACCEPT [5432:2268406]
-:OUTPUT ACCEPT [3623:1011362]
+:PREROUTING ACCEPT [18446:3412851]
+:OUTPUT ACCEPT [4467:962535]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *nat
-:PREROUTING ACCEPT [1808:146553]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [322:28410]
-:POSTROUTING ACCEPT [289:16068]
+:PREROUTING ACCEPT [13936:1107904]
+:INPUT ACCEPT [49:2940]
+:OUTPUT ACCEPT [504:40037]
+:POSTROUTING ACCEPT [504:40037]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -27,21 +27,18 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
-# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
+# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
+:OUTPUT DROP [0:0]
 :ACCEPTLOG - [0:0]
 :DROPLOG - [0:0]
 :REJECTLOG - [0:0]
 :RELATED_ICMP - [0:0]
 :SYN_FLOOD - [0:0]
--A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
--A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
--A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
--A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
+-A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
 -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
 -A INPUT -p icmp -j DROP
@@ -50,7 +47,6 @@ COMMIT
 -A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
 -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
 -A INPUT -p icmp -j DROPLOG
--A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
 -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
@@ -68,31 +64,41 @@ COMMIT
 -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
 -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
 -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
--A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
--A INPUT -f -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--A INPUT -j REJECTLOG
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
+-A INPUT -f -j DROPLOG
+-A INPUT -j DROPLOG
 -A FORWARD -p icmp -f -j DROPLOG
 -A FORWARD -p icmp -j DROPLOG
 -A FORWARD -m state --state INVALID -j DROP
 -A FORWARD -j REJECTLOG
+-A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p icmp -j ACCEPT
 -A OUTPUT -p icmp -f -j DROPLOG
 -A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
 -A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
 -A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
 -A OUTPUT -p icmp -j DROPLOG
--A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state INVALID -j DROP
--A OUTPUT -j REJECTLOG
--A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -j DROPLOG
+-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
 -A ACCEPTLOG -j ACCEPT
--A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
 -A DROPLOG -j DROP
--A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
+-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
 -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
 -A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
 -A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
@@ -102,4 +108,4 @@ COMMIT
 -A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
 -A SYN_FLOOD -j DROP
 COMMIT
-# Completed on Tue Feb 21 13:55:04 2017
+# Completed on Sat Feb 25 18:34:17 2017
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index b60d3e6..d17c0c6 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -2,9 +2,13 @@
 # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
 #
 
-kernel.printk = 15 1 1 4
-kernel.randomize_va_space = 1
-kernel.shmmax = 500000000
+kernel.printk = 7 1 1 4
+kernel.randomize_va_space = 2
+# Shared Memory
+#kernel.shmmax = 500000000
+# Total allocated file handlers that can be allocated
+# fs.file-nr=
+vm.mmap_min_addr=65536
 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
 kernel.pid_max = 65536
 
@@ -16,14 +20,13 @@ kernel.pid_max = 65536
 #  Ioperm and iopl can be used to modify the running kernel.
 #  Unfortunately, some programs need this access to operate properly,
 #  the most notable of which are XFree86 and hwclock.  hwclock can be
-#  remedied by having RTC support in the kernel, so real-time 
-#  clock support is enabled if this option is enabled, to ensure 
+#  remedied by having RTC support in the kernel, so real-time
+#  clock support is enabled if this option is enabled, to ensure
 #  that hwclock operates correctly.
-#  
+#
 #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
 #  you may not be able to boot into a graphical environment with this
 #  option enabled.  In this case, you should use the RBAC system instead.
-#kernel.grsecurity.disable_priv_io = 1
 kernel.grsecurity.disable_priv_io = 0
 
 #  If you say Y here, attempts to bruteforce exploits against forking
@@ -36,13 +39,13 @@ kernel.grsecurity.disable_priv_io = 0
 #  In the suid/sgid case, the attempt is logged, the user has all their
 #  existing instances of the suid/sgid binary terminated and will
 #  be unable to execute any suid/sgid binaries for 15 minutes.
-#  
+#
 #  It is recommended that you also enable signal logging in the auditing
 #  section so that logs are generated when a process triggers a suspicious
 #  signal.
 #  If the sysctl option is enabled, a sysctl option with name
 #  "deter_bruteforce" is created.
-#kernel.grsecurity.deter_bruteforce = 1
+kernel.grsecurity.deter_bruteforce = 1
 
 #
 # Filesystem Protections
@@ -58,7 +61,7 @@ fs.file-max = 65535
 #  symlink is the owner of the directory. users will also not be
 #  able to hardlink to files they do not own.  If the sysctl option is
 #  enabled, a sysctl option with name "linking_restrictions" is created.
-kernel.grsecurity.linking_restrictions = 1
+kernel.grsecurity.linking_restrictions = 0
 
 
 #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
@@ -72,7 +75,7 @@ kernel.grsecurity.linking_restrictions = 1
 #  will be in place for the group you specify. If the sysctl option
 #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
 #  created.
-#kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.enforce_symlinksifowner = 0
 #kernel.grsecurity.symlinkown_gid = 33
 
 #  if you say Y here, users will not be able to write to FIFOs they don't
@@ -80,7 +83,7 @@ kernel.grsecurity.linking_restrictions = 1
 #  the FIFO is the same owner of the directory it's held in.  If the sysctl
 #  option is enabled, a sysctl option with name "fifo_restrictions" is
 #  created.
-#kernel.grsecurity.fifo_restrictions = 1
+kernel.grsecurity.fifo_restrictions = 0
 
 #  If you say Y here, a sysctl option with name "romount_protect" will
 #  be created.  By setting this option to 1 at runtime, filesystems
@@ -115,14 +118,14 @@ kernel.grsecurity.chroot_caps = 1
 #  against another published method of breaking a chroot.  If the sysctl
 #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
 #  created.
-kernel.grsecurity.chroot_deny_chmod     = 1
+kernel.grsecurity.chroot_deny_chmod = 1
 
 #  If you say Y here, processes inside a chroot will not be able to chroot
 #  again outside the chroot.  This is a widely used method of breaking
-#  out of a chroot jail and should not be allowed.  If the sysctl 
-#  option is enabled, a sysctl option with name 
+#  out of a chroot jail and should not be allowed.  If the sysctl
+#  option is enabled, a sysctl option with name
 #  "chroot_deny_chroot" is created.
-kernel.grsecurity.chroot_deny_chroot    = 1
+kernel.grsecurity.chroot_deny_chroot = 1
 
 #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
 #  to a file descriptor of the chrooting process that points to a directory
@@ -182,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1
 #  directory,  so  that `.' can be outside the tree rooted at
 #  `/'.  In particular, the  super-user  can  escape  from  a
 #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-#  
+#
 #  It is recommended that you say Y here, since it's not known to break
 #  any software.  If the sysctl option is enabled, a sysctl option with
 #  name "chroot_enforce_chdir" is created.
 kernel.grsecurity.chroot_enforce_chdir  = 1
 
 #  If you say Y here, processes inside a chroot will not be able to
-#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
+#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
 #  getsid, or view any process outside of the chroot.  If the sysctl
 #  option is enabled, a sysctl option with name "chroot_findtask" is
 #  created.
@@ -212,7 +215,7 @@ kernel.grsecurity.chroot_restrict_nice = 1
 #  watch certain users instead of having a large amount of logs from the
 #  entire system.  If the sysctl option is enabled, a sysctl option with
 #  name "audit_group" is created.
-kernel.grsecurity.audit_group = 0		
+kernel.grsecurity.audit_group = 0
 
 #  If you say Y here, the exec and chdir logging features will only operate
 #  on a group you specify.  This option is recommended if you only want to
@@ -228,67 +231,64 @@ kernel.grsecurity.audit_group = 0
 #  name "exec_logging" is created.
 #  WARNING: This option when enabled will produce a LOT of logs, especially
 #  on an active system.
-kernel.grsecurity.exec_logging = 0				
+kernel.grsecurity.exec_logging = 0
 
 #  If you say Y here, all attempts to overstep resource limits will
 #  be logged with the resource name, the requested size, and the current
 #  limit.  It is highly recommended that you say Y here.  If the sysctl
 #  option is enabled, a sysctl option with name "resource_logging" is
 #  created.  If the RBAC system is enabled, the sysctl value is ignored.
-#kernel.grsecurity.resource_logging = 1
-kernel.grsecurity.resource_logging = 0
+kernel.grsecurity.resource_logging = 1
 
 #  If you say Y here, all executions inside a chroot jail will be logged
 #  to syslog.  This can cause a large amount of logs if certain
 #  applications (eg. djb's daemontools) are installed on the system, and
 #  is therefore left as an option.  If the sysctl option is enabled, a
 #  sysctl option with name "chroot_execlog" is created.
-kernel.grsecurity.chroot_execlog = 0	
+kernel.grsecurity.chroot_execlog = 0
 
 #  If you say Y here, all attempts to attach to a process via ptrace
 #  will be logged.  If the sysctl option is enabled, a sysctl option
 #  with name "audit_ptrace" is created.
-#kernel.grsecurity.audit_ptrace = 1
-kernel.grsecurity.audit_ptrace = 0
+kernel.grsecurity.audit_ptrace = 1
 
 #  If you say Y here, all attempts to attach to a process via ptrace
 #  will be logged.  If the sysctl option is enabled, a sysctl option
 #  with name "audit_ptrace" is created.
-kernel.grsecurity.audit_chdir = 0				
+kernel.grsecurity.audit_chdir = 0
 
 #  If you say Y here, all mounts and unmounts will be logged.  If the
 #  sysctl option is enabled, a sysctl option with name "audit_mount" is
 #  created.
-#kernel.grsecurity.audit_mount = 1
-kernel.grsecurity.audit_mount = 0
+kernel.grsecurity.audit_mount = 1
 
 #  If you say Y here, certain important signals will be logged, such as
 #  SIGSEGV, which will as a result inform you of when a error in a program
 #  occurred, which in some cases could mean a possible exploit attempt.
 #  If the sysctl option is enabled, a sysctl option with name
 #  "signal_logging" is created.
-kernel.grsecurity.signal_logging = 0
+kernel.grsecurity.signal_logging = 1
 
 #  If you say Y here, all failed fork() attempts will be logged.
 #  This could suggest a fork bomb, or someone attempting to overstep
 #  their process limit.  If the sysctl option is enabled, a sysctl option
 #  with name "forkfail_logging" is created.
 #kernel.grsecurity.forkfail_logging = 1
-kernel.grsecurity.forkfail_logging = 0
+kernel.grsecurity.forkfail_logging = 1
 
 #  If you say Y here, any changes of the system clock will be logged.
 #  If the sysctl option is enabled, a sysctl option with name
 #  "timechange_logging" is created.
-#kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.timechange_logging = 1
 
 #  if you say Y here, calls to mmap() and mprotect() with explicit
 #  usage of PROT_WRITE and PROT_EXEC together will be logged when
 #  denied by the PAX_MPROTECT feature.  This feature will also
 #  log other problematic scenarios that can occur when PAX_MPROTECT
-#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
+#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
 #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
 #  is created.
-#kernel.grsecurity.rwxmap_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
 
 #
 # Executable Protections
@@ -305,14 +305,14 @@ kernel.grsecurity.forkfail_logging = 0
 kernel.grsecurity.dmesg = 1
 
 # Hide symbol addresses in /proc/kallsyms
-kernel.kptr_restrict = 1
+#kernel.kptr_restrict = 2
 
 #  If you say Y here, TTY sniffers and other malicious monitoring
 #  programs implemented through ptrace will be defeated.  If you
 #  have been using the RBAC system, this option has already been
 #  enabled for several years for all users, with the ability to make
 #  fine-grained exceptions.
-#  
+#
 #  This option only affects the ability of non-root users to ptrace
 #  processes that are not a descendent of the ptracing process.
 #  This means that strace ./binary and gdb ./binary will still work,
@@ -327,7 +327,7 @@ kernel.grsecurity.harden_ptrace = 1
 #  prevent infoleaking of their contents.  This option adds
 #  consistency to the use of that file mode, as the binary could normally
 #  be read out when run without privileges while ptracing.
-#  
+#
 #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
 #  is created.
 kernel.grsecurity.ptrace_readexec = 1
@@ -341,7 +341,7 @@ kernel.grsecurity.ptrace_readexec = 1
 #  same way, allowing the other threads of the process to continue
 #  running with root privileges.  If the sysctl option is enabled,
 #  a sysctl option with name "consistent_setxid" is created.
-#kernel.grsecurity.consistent_setxid = 1
+kernel.grsecurity.consistent_setxid = 0
 
 #  If you say Y here, access to overly-permissive IPC objects (shared
 #  memory, message queues, and semaphores) will be denied for processes
@@ -359,7 +359,7 @@ kernel.grsecurity.ptrace_readexec = 1
 #  CAP_IPC_OWNER are still permitted to access these IPC objects.
 #  If the sysctl option is enabled, a sysctl option with name
 #  "harden_ipc" is created.
-kernel.grsecurity.harden_ipc = 1
+kernel.grsecurity.harden_ipc = 0
 
 #  If you say Y here, you will be able to choose a gid to add to the
 #  supplementary groups of users you want to mark as "untrusted."
@@ -367,7 +367,7 @@ kernel.grsecurity.harden_ipc = 1
 #  root-owned directories writable only by root.  If the sysctl option
 #  is enabled, a sysctl option with name "tpe" is created.
 kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 101
+kernel.grsecurity.tpe_gid = 4
 
 #  If you say Y here, the group you specify in the TPE configuration will
 #  decide what group TPE restrictions will be *disabled* for.  This
@@ -386,10 +386,11 @@ kernel.grsecurity.tpe_invert = 1
 #  world-writable, or in directories owned by root and writable only by
 #  root.  If the sysctl option is enabled, a sysctl option with name
 #  "tpe_restrict_all" is created.
-kernel.grsecurity.tpe_restrict_all = 0
+kernel.grsecurity.tpe_restrict_all = 1
+
 
+kernel.grsecurity.harden_tty = 1
 
-#kernel.grsecurity.harden_tty = 1
 #
 # Network Protections
 #
@@ -418,7 +419,7 @@ net.ipv6.conf.lo.disable_ipv6 = 1
 #net.ipv6.conf.default.dad_transmits = 0
 #net.ipv6.conf.default.max_addresses = 0
 
-# Avoid a smurf attack
+# Avoid a smurf attack, ping scanning
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 
 # Turn on protection for bad icmp error messages
@@ -447,10 +448,6 @@ net.ipv4.conf.default.log_martians = 1
 ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 
-# No source routed packets here
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.default.accept_source_route = 0
-
 ## sets the kernels reverse path filtering mechanism to value 1(on)
 ## will do source validation of the packet's recieved from all the interfaces on the machine
 ## protects from attackers that are using ip spoofing methods to do harm
@@ -459,16 +456,23 @@ net.ipv4.conf.default.rp_filter = 1
 #net.ipv6.conf.default.rp_filter = 1
 #net.ipv6.conf.all.rp_filter = 1
 
+
 # Make sure no one can alter the routing tables
+# Act as a router, necessary for Access Point
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
+# No source routed packets here
+# Discard packets with source routes, ip spoofing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
 
-# Act as a router, necessary for Access Point
-net.ipv4.ip_forward = 1
-net.ipv4.conf.all.send_redirects = 1
-net.ipv4.conf.default.send_redirects = 1
+
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+net.ipv4.ip_forward = 0
 
 # Increase system IP port limits
 net.ipv4.ip_local_port_range = 2000 65000
@@ -477,15 +481,29 @@ net.ipv4.ip_local_port_range = 2000 65000
 net.ipv4.tcp_rmem = 4096 87380 8388608
 net.ipv4.tcp_wmem = 4096 87380 8388608
 
+# Disable proxy_arp
+net.ipv4.conf.default.proxy_arp = 0
+net.ipv4.conf.all.proxy_arp = 0
+
+# Disable bootp_relay
+net.ipv4.conf.default.bootp_relay = 0
+net.ipv4.conf.all.bootp_relay = 0
+
+# Decrease TCP fin timeout
+net.ipv4.tcp_fin_timeout = 30
+# Decrease TCP keep alive time
+net.ipv4.tcp_keepalive_time = 1800
+# Sen SynAck retries to 3
+net.ipv4.tcp_synack_retries = 3
 
 #  If you say Y here, neither TCP resets nor ICMP
 #  destination-unreachable packets will be sent in response to packets
 #  sent to ports for which no associated listening process exists.
-#  This feature supports both IPV4 and IPV6 and exempts the 
-#  loopback interface from blackholing.  Enabling this feature 
+#  This feature supports both IPV4 and IPV6 and exempts the
+#  loopback interface from blackholing.  Enabling this feature
 #  makes a host more resilient to DoS attacks and reduces network
 #  visibility against scanners.
-#  
+#
 #  The blackhole feature as-implemented is equivalent to the FreeBSD
 #  blackhole feature, as it prevents RST responses to all packets, not
 #  just SYNs.  Under most application behavior this causes no
@@ -498,7 +516,7 @@ net.ipv4.tcp_wmem = 4096 87380 8388608
 #  can spend in LAST_ACK state.  If you're using haproxy and not
 #  all servers it connects to have this option enabled, consider
 #  disabling this feature on the haproxy host.
-#  
+#
 #  If the sysctl option is enabled, two sysctl options with names
 #  "ip_blackhole" and "lastack_retries" will be created.
 #  While "ip_blackhole" takes the standard zero/non-zero on/off
@@ -506,14 +524,14 @@ net.ipv4.tcp_wmem = 4096 87380 8388608
 #  "tcp_retries1" and "tcp_retries2".  The default value of 4
 #  prevents a socket from lasting more than 45 seconds in LAST_ACK
 #  state.
-#kernel.grsecurity.ip_blackhole = 1
-#kernel.grsecurity.lastack_retries = 4
+kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
 
 #  If you say Y here, you will be able to choose a GID of whose users will
 #  be unable to connect to other hosts from your machine or run server
 #  applications from your machine.  If the sysctl option is enabled, a
 #  sysctl option with name "socket_all" is created.
-#kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all = 0
 
 #  Here you can choose the GID to disable socket access for. Remember to
 #  add the users you want socket access disabled for to the GID
@@ -527,13 +545,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608
 #  you specify will have to use passive mode when initiating ftp transfers
 #  from the shell on your machine.  If the sysctl option is enabled, a
 #  sysctl option with name "socket_client" is created.
-#kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client = 1
 
 #  Here you can choose the GID to disable client socket access for.
 #  Remember to add the users you want client socket access disabled for to
 #  the GID specified here.  If the sysctl option is enabled, a sysctl
 #  option with name "socket_client_gid" is created.
-#kernel.grsecurity.socket_client_gid = 203
+kernel.grsecurity.socket_client_gid = 15
 
 #  If you say Y here, you will be able to choose a GID of whose users will
 #  be unable to connect to other hosts from your machine, but will be
@@ -541,13 +559,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608
 #  you specify will have to use passive mode when initiating ftp transfers
 #  from the shell on your machine.  If the sysctl option is enabled, a
 #  sysctl option with name "socket_client" is created.
-#kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server = 1
 
 #  Here you can choose the GID to disable server socket access for.
 #  Remember to add the users you want server socket access disabled for to
 #  the GID specified here.  If the sysctl option is enabled, a sysctl
 #  option with name "socket_server_gid" is created.
-#kernel.grsecurity.socket_server_gid = 204
+kernel.grsecurity.socket_server_gid = 99
 
 #
 # Physical Protections
@@ -559,17 +577,15 @@ net.ipv4.tcp_wmem = 4096 87380 8388608
 #  device insertion will be logged.  This option is intended to be
 #  used against custom USB devices designed to exploit vulnerabilities
 #  in various USB device drivers.
-#  
+#
 #  For greatest effectiveness, this sysctl should be set after any
 #  relevant init scripts.  This option is safe to enable in distros
 #  as each user can choose whether or not to toggle the sysctl.
-#kernel.grsecurity.deny_new_usb = 0
+kernel.grsecurity.deny_new_usb = 0
 
 #
 # Restrict grsec sysctl changes after this was set
 #
-#kernel.grsecurity.grsec_lock = 1
-
-
+kernel.grsecurity.grsec_lock = 0
 
 # End of file
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-12-15 18:43:28 +0000