diff options
Diffstat (limited to 'core/network.html')
| -rw-r--r-- | core/network.html | 304 |
1 files changed, 304 insertions, 0 deletions
diff --git a/core/network.html b/core/network.html new file mode 100644 index 0000000..e8813e2 --- /dev/null +++ b/core/network.html @@ -0,0 +1,304 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>2. Network</title> + </head> + <body> + <a href="index.html">Core Doc Index</a> + + <h1>4. Network</h1> + + <p>Examples describe a network that will be configured with + two interfaces Ethernet and Wireless. Ethernet interface will + be configured as default route, wireless interface covered here + is simple alternative to Ethernet connection.</p> + + <dl> + <dt><a href="conf/etc/rc.d/net">/etc/rc.d/net</a></dt> + <dd>Configure Ethernet interface and static or dynamic (dhcp) + connection to the router and add as default gateway.</dd> + <dt><a href="conf/etc/rc.d/wlan">/etc/rc.d/wlan</a></dt> + <dd>Configure Wireless interface, wpa_supplicant and dynamic (dhcp) + connection to router and add as default gateway.</dd> + </dl> + + <p>If is first boot after install configure iptables and + one of above described scripts then proceed to upgrade your + system.</p> + + <h2 id="iptables">4.1. Iptables</h2> + + <p>You can use + <a href="scripts/iptables.sh">iptables script</a> + at boot time and iptables-save and iptables-restore tools to + configure nat and filtering;</p> + + <pre> + # mkdir /etc/iptables + # cp conf/iptables.sh /etc/iptables/ + </pre> + + <p>Adjust iptables to your needs, then;</p> + + <pre> + # cd /etc/iptables + # sh iptables.sh + # iptables-save > rules.v4 + </pre> + + <p>Copy init script, edit if you dont like to + let drop when you call stop.</p> + + <pre> + # cp /home/user/sysdoc/conf/etc/rc.d/iptables /etc/rc.d/ + # vim /etc/rc.d/iptables + # chmod +x /etc/rc.d/iptables + </pre> + + <h2 id="resolv">4.2. Resolver</h2> + + <h2 id="wpa">4.3. Wpa and dhcpd</h2> + + <p>There is more information on + <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a>.</p> + + <pre> + # ip link + </pre> + + <pre> + # iwlist wlp2s0 scan + </pre> + + <pre> + # iwconfig wlp2s0 essid NAME key s:ABCDE12345 + </pre> + + <pre> + # ip addr add 192.168.1.65 dev wlp2s0 + </pre> + + <h3>4.3.1. Wpa Supplicant</h3> + + <p>Configure wpa supplicant edit;</p> + + <pre> + # vim /etc/wpa_supplicant.conf + </pre> + + <pre> + ctrl_interface=/var/run/wpa_supplicant + update_config=1 + fast_reauth=1 + ap_scan=1 + </pre> + + <pre> + # wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf + </pre> + + <p>Now start wpa_supplicant with:</p> + + <pre> + # wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf + Successfully initialized wpa_supplicant + </pre> + + <p>Use <a href="conf/etc/rc.d/wlan">/etc/rc.d/wlan</a> + init script to auto load wpa configuration and dhcp + client.</p> + + <h3>4.3.2. Wpa Cli</h3> + + <pre> + # wpa_cli + > status + </pre> + + <pre> + > add_network + 3 + </pre> + + <pre> + > set_network 3 ssid "Valcovo-Network" + OK + </pre> + + <pre> + > set_network 3 psk "uber-secret-pass" + OK + </pre> + + <pre> + > enable_network 3 + OK + </pre> + + <pre> + > list_networks + </pre> + + <pre> + > select_network 3 + </pre> + + <pre> + > save_config + </pre> + + + <h2 id="static">4.4. Static IP</h2> + + <pre> + # ip link + # ip addr flush dev ${DEV} + # ip route flush dev ${DEV} + </pre> + + <pre> + # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + + # ip link set ${DEV} up + # ip route add default via ${GW} + </pre> + + <h2 id="sysctl">4.5. Sysctl</h2> + + <p>Sysctl references + <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>, + <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>, + <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>, + edit /etc/sysctl.conf;</p> + + <pre> + # + # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) + # + + kernel.printk = 1 4 1 7 + + # Disable ipv6 + net.ipv6.conf.all.disable_ipv6 = 1 + net.ipv6.conf.default.disable_ipv6 = 1 + net.ipv6.conf.lo.disable_ipv6 = 1 + + # Tuen IPv6 + # net.ipv6.conf.default.router_solicitations = 0 + # net.ipv6.conf.default.accept_ra_rtr_pref = 0 + # net.ipv6.conf.default.accept_ra_pinfo = 0 + # net.ipv6.conf.default.accept_ra_defrtr = 0 + # net.ipv6.conf.default.autoconf = 0 + # net.ipv6.conf.default.dad_transmits = 0 + # net.ipv6.conf.default.max_addresses = 0 + + # Avoid a smurf attack + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + # Turn on protection for bad icmp error messages + net.ipv4.icmp_ignore_bogus_error_responses = 1 + + # Turn on syncookies for SYN flood attack protection + net.ipv4.tcp_syncookies = 1 + + ## protect against tcp time-wait assassination hazards + ## drop RST packets for sockets in the time-wait state + ## (not widely supported outside of linux, but conforms to RFC) + net.ipv4.tcp_rfc1337 = 1 + + ## tcp timestamps + ## + protect against wrapping sequence numbers (at gigabit speeds) + ## + round trip time calculation implemented in TCP + ## - causes extra overhead and allows uptime detection by scanners like nmap + ## enable @ gigabit speeds + net.ipv4.tcp_timestamps = 0 + #net.ipv4.tcp_timestamps = 1 + + # Turn on and log spoofed, source routed, and redirect packets + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + ## ignore echo broadcast requests to prevent being part of smurf attacks (default) + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + # No source routed packets here + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + + ## sets the kernels reverse path filtering mechanism to value 1(on) + ## will do source validation of the packet's recieved from all the interfaces on the machine + ## protects from attackers that are using ip spoofing methods to do harm + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + net.ipv6.conf.default.rp_filter = 1 + net.ipv6.conf.all.rp_filter = 1 + + # Make sure no one can alter the routing tables + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + + # Act as a router, necessary for Access Point + net.ipv4.ip_forward = 0 + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + kernel.shmmax = 500000000 + # Turn on execshild + kernel.exec-shield = 1 + kernel.randomize_va_space = 1 + + # Optimization for port usefor LBs + # Increase system file descriptor limit + fs.file-max = 65535 + + # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 + kernel.pid_max = 65536 + + # Increase system IP port limits + net.ipv4.ip_local_port_range = 2000 65000 + + # Increase TCP max buffer size setable using setsockopt() + net.ipv4.tcp_rmem = 4096 87380 8388608 + net.ipv4.tcp_wmem = 4096 87380 8388608 + + # Increase Linux auto tuning TCP buffer limits + # min, default, and max number of bytes to use + # set max to at least 4MB, or higher if you use very high BDP paths + # Tcp Windows etc + net.core.rmem_max = 8388608 + net.core.wmem_max = 8388608 + net.core.netdev_max_backlog = 5000 + net.ipv4.tcp_window_scaling = 1 + + # End of file + </pre> + + <p>Change to act as a router;</p> + + <pre> + # Act as a router, necessary for Access Point + net.ipv4.ip_forward = 1 + net.ipv4.conf.all.send_redirects = 1 + net.ipv4.conf.default.send_redirects = 1 + </pre> + + + <p>Load new settings;</p> + + <pre> + # sysctl -p + </pre> + + <a href="index.html">Systools Index</a> + <p> + This is part of the SysDoc Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + + </body> +</html> |