Diffstat (limited to 'core/network.html')
-rw-r--r-- | core/network.html | 197 |
1 files changed, 50 insertions, 147 deletions
diff --git a/core/network.html b/core/network.html index e1b590d..92f0e1e 100644 --- a/core/network.html +++ b/core/network.html 
@@ -2,32 +2,54 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2. Network</title> + <title>2.3. Network</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2. Network</h1> + <h1>2.3. Network</h1> - <p>Examples describe a network that will be configured with - two interfaces Ethernet and Wireless. Ethernet interface will - be configured as default route, wireless interface covered here - is simple alternative to Ethernet connection.</p> + <p>Operation of the network can be handle with init scripts;</p> <dl> + <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> + <dd>Configure iptables, start option loads set of rules from + file /etc/iptables/rules_file_name, open option allows everything + to outside and blocks everything from outside, stop will block + and log everything.</dd> <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt> - <dd>Configure Ethernet interface and static or dynamic (dhcp) - connection to the router and add as default gateway.</dd> + <dd>Configure Ethernet interface with static or dynamic (dhcp) + IP, set default route and add default gateway.</dd> <dt><a href="conf/rc.d/wlan">/etc/rc.d/wlan</a></dt> - <dd>Configure Wireless interface, wpa_supplicant and dynamic (dhcp) + <dd>Configure Wireless interface, launch wpa_supplicant to handle + wireless authenticationand dynamic (dhcp) connection to router and add as default gateway.</dd> </dl> - <p>If is first boot after install configure iptables and - one of above described scripts then proceed to upgrade your - system.</p> + <p>Choose wireless or net as connection to outside world and configure + <a href="conf/rc.conf">/etc/rc.conf</a> to run at startup, example + connecting using wireless interface;</p> - <h2 id="resolv">2.1.1. 
Resolver</h2> + <pre> + # + # /etc/rc.conf: system configuration + # + + FONT=default + KEYMAP=dvorak + TIMEZONE="Europe/Lisbon" + HOSTNAME=c9 + SYSLOG=sysklogd + SERVICES=(lo iptables wlan crond) + + # End of file + </pre> + + <p>If is first boot after install configure iptables and one of above + described scripts then proceed to + <a href="package.html#sysup">update system.</a></p> + + <h2 id="resolv">2.3.1. Resolver</h2> <p>This example will use <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a> @@ -43,7 +65,7 @@ # chattr +i /etc/resolv.conf </pre> - <h2 id="static">2.1.2. Static IP</h2> + <h2 id="static">2.3.2. Static IP</h2> <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p> @@ -90,13 +112,15 @@ # ip route add default via ${GW} </pre> - <h2 id="iptables">2.1.3. Iptables</h2> + <h2 id="iptables">2.3.3. Iptables</h2> <p>For more information about iptables read <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. You can use <a href="conf/iptables/rules.v4">/etc/iptables/rules.v4</a> - as template, replace interface by the one facing the router/gateway. + or + <a href="conf/iptables/iptables-lan.sh">/etc/iptables/iptables-lan.sh</a> + as a template, replace interfaces by correct ones. This configuration file is used at boot time by iptables-restore command, if you use a script or change the rules of running system you can use iptables-save command to save configuration to a file.</p> @@ -114,6 +138,12 @@ # sh /etc/rc.d/iptables start </pre> + <p>See current rules and packets;</p> + + <pre> + # iptables -L -n -v | less + </pre> + <p>Copy init script, edit if you dont like to let drop when you call stop.</p> @@ -125,7 +155,7 @@ <p> - <h2 id="wpa">2.1.4. Wpa and dhcpd</h2> + <h2 id="wpa">2.3.4. Wpa and dhcpd</h2> <p>There is more information on <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and 
@@ -143,7 +173,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 </pre> - <h3>2.1.4.1. Wpa Supplicant</h3> + <h3>2.3.4.1. Wpa Supplicant</h3> <p>Configure wpa supplicant edit;</p> @@ -173,7 +203,7 @@ init script to auto load wpa configuration and dhcp client.</p> - <h3>2.1.4.2. Wpa Cli</h3> + <h3>2.3.4.2. Wpa Cli</h3> <pre> # wpa_cli 
@@ -213,137 +243,10 @@ </pre> - <h2 id="sysctl">2.1.5. Sysctl</h2> - - <p>Sysctl references - <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>, - <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>, - <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>, - edit /etc/sysctl.conf;</p> - - <pre> - # - # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) - # - - kernel.printk = 1 4 1 7 - - # Disable ipv6 - net.ipv6.conf.all.disable_ipv6 = 1 - net.ipv6.conf.default.disable_ipv6 = 1 - net.ipv6.conf.lo.disable_ipv6 = 1 - - # Tuen IPv6 - # net.ipv6.conf.default.router_solicitations = 0 - # net.ipv6.conf.default.accept_ra_rtr_pref = 0 - # net.ipv6.conf.default.accept_ra_pinfo = 0 - # net.ipv6.conf.default.accept_ra_defrtr = 0 - # net.ipv6.conf.default.autoconf = 0 - # net.ipv6.conf.default.dad_transmits = 0 - # net.ipv6.conf.default.max_addresses = 0 - - # Avoid a smurf attack - net.ipv4.icmp_echo_ignore_broadcasts = 1 - - # Turn on protection for bad icmp error messages - net.ipv4.icmp_ignore_bogus_error_responses = 1 - - # Turn on syncookies for SYN flood attack protection - net.ipv4.tcp_syncookies = 1 - - ## protect against tcp time-wait assassination hazards - ## drop RST packets for sockets in the time-wait state - ## (not widely supported outside of linux, but conforms to RFC) - net.ipv4.tcp_rfc1337 = 1 - - ## tcp timestamps - ## + protect against wrapping sequence numbers (at gigabit speeds) - ## + round trip time calculation implemented in TCP - ## - causes extra overhead and allows uptime detection by scanners like nmap - ## enable @ gigabit speeds - net.ipv4.tcp_timestamps = 0 - #net.ipv4.tcp_timestamps = 1 - - # Turn on and log spoofed, source routed, and redirect packets - net.ipv4.conf.all.log_martians = 1 - net.ipv4.conf.default.log_martians = 1 - - 
## ignore echo broadcast requests to prevent being part of smurf attacks (default) - net.ipv4.icmp_echo_ignore_broadcasts = 1 - - # No source routed packets here - net.ipv4.conf.all.accept_source_route = 0 - net.ipv4.conf.default.accept_source_route = 0 - - ## sets the kernels reverse path filtering mechanism to value 1(on) - ## will do source validation of the packet's recieved from all the interfaces on the machine - ## protects from attackers that are using ip spoofing methods to do harm - net.ipv4.conf.all.rp_filter = 1 - net.ipv4.conf.default.rp_filter = 1 - net.ipv6.conf.default.rp_filter = 1 - net.ipv6.conf.all.rp_filter = 1 - - # Make sure no one can alter the routing tables - net.ipv4.conf.all.accept_redirects = 0 - net.ipv4.conf.default.accept_redirects = 0 - net.ipv4.conf.all.secure_redirects = 0 - net.ipv4.conf.default.secure_redirects = 0 - - # Don't act as a router - net.ipv4.ip_forward = 0 - net.ipv4.conf.all.send_redirects = 0 - net.ipv4.conf.default.send_redirects = 0 - - kernel.shmmax = 500000000 - # Turn on execshild - kernel.exec-shield = 1 - kernel.randomize_va_space = 1 - - # Optimization for port usefor LBs - # Increase system file descriptor limit - fs.file-max = 65535 - - # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 - kernel.pid_max = 65536 - - # Increase system IP port limits - net.ipv4.ip_local_port_range = 2000 65000 - - # Increase TCP max buffer size setable using setsockopt() - net.ipv4.tcp_rmem = 4096 87380 8388608 - net.ipv4.tcp_wmem = 4096 87380 8388608 - - # Increase Linux auto tuning TCP buffer limits - # min, default, and max number of bytes to use - # set max to at least 4MB, or higher if you use very high BDP paths - # Tcp Windows etc - net.core.rmem_max = 8388608 - net.core.wmem_max = 8388608 - net.core.netdev_max_backlog = 5000 - net.ipv4.tcp_window_scaling = 1 - - # End of file - </pre> - - <p>Change to act as a router (default of conf/sysctl.conf);</p> - - <pre> - # Act as a router, 
necessary for Access Point - net.ipv4.ip_forward = 1 - net.ipv4.conf.all.send_redirects = 1 - net.ipv4.conf.default.send_redirects = 1 - </pre> - - <p>Load new settings;</p> - - <pre> - # sysctl -p - </pre> - <a href="index.html">Core OS Index</a> <p> This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> |
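Review bot: the added wlan description line `+ wireless authenticationand dynamic (dhcp)` has lost the space in "authentication and"; in the same hunk, `+ <p>Operation of the network can be handle with init scripts;</p>` should read "can be handled", and the re-added sentence "If is first boot after install configure iptables and one of above described scripts" still needs "If this is the first boot after install, configure iptables and one of the scripts described above". The service order in the new rc.conf example, `SERVICES=(lo iptables wlan crond)`, is the right one because it loads the firewall before the wireless interface comes up, so no window exists in which the interface is reachable unfiltered; that ordering requirement is worth stating in the `/etc/rc.d/iptables` description, since a reader swapping `wlan` for `net` may reorder the array.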
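Review bot: the iptables paragraph now offers both `/etc/iptables/rules.v4` and `/etc/iptables/iptables-lan.sh` "as a template", but the unchanged sentence that follows, "This configuration file is used at boot time by iptables-restore command", only applies to the rules.v4 save-format file; a shell script cannot be fed to iptables-restore. Say which of the two the init script's start option loads (the new `<dd>` says it reads `/etc/iptables/rules_file_name`) and that the `.sh` variant has to be run and then captured with `iptables-save` before it can be used at boot; otherwise a reader who points the init script at the shell script gets no rules loaded and, if stop is the fallback, a host that blocks everything.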
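Review bot: the added `# iptables -L -n -v | less` lists only the filter table, so it will not show the NAT rules that the access-point case depends on; suggest adding `# iptables -t nat -L -n -v` next to it, and mentioning `--line-numbers` since the "see current rules" step is usually followed by deleting or inserting a rule by position.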
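Review bot: with the `2.1.5. Sysctl` section removed, nothing left on the page says where its hardening settings (`rp_filter`, `accept_redirects = 0`, `accept_source_route = 0`, `tcp_syncookies = 1`, `log_martians = 1`) and the "Act as a router, necessary for Access Point" step setting `net.ipv4.ip_forward = 1` now live. Add a link to the new location of the sysctl material, or at least a one-line note that forwarding has to be enabled through sysctl for the access-point setup, otherwise a reader following only this page ends up on kernel defaults with forwarding off. The copyright year bump to 2017 is fine.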