diff options
Diffstat (limited to 'core/scripts')
-rw-r--r-- | core/scripts/backup-system.sh | 337 | ||||
-rw-r--r-- | core/scripts/install-core.sh | 7 | ||||
-rw-r--r-- | core/scripts/iptables-conf.sh | 21 | ||||
-rw-r--r-- | core/scripts/iptables.sh | 420 | ||||
-rw-r--r-- | core/scripts/setup-iso.sh | 4 | ||||
-rw-r--r-- | core/scripts/setup-virtual.sh | 56 |
6 files changed, 193 insertions, 652 deletions
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index 9e1ed2f..7faf676 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -2,8 +2,9 @@ ROOT_DIR= DEST_DIR=/root/backup -PORT_PKG="${DEST_DIR}/crux" -PORT_PRT="${DEST_DIR}/ports" +DEST_SYS="${DEST_DIR}/system" +PORT_PKG="${DEST_SYS}/packages" +PORT_PRT="${DEST_SYS}/ports" DATA_CNF="${DEST_DIR}/conf" DATA_USR="${DEST_DIR}/user" DATA_SRV="${DEST_DIR}/srv" @@ -20,164 +21,16 @@ ConfirmOrExit () echo "Aborting - you entered $CONFIRM" exit ;; - *) echo "Please enter only y or n" - esac - done - echo "You entered $CONFIRM. Continuing ..." -} - -mkbk_coll_pkg() { - # backup binary packages per collection - col=$1 - # make backup collection directory - mkdir ${PORT_PKG}/${col} - # for each package listed in col_name.pkg - while read line; do - # if binary package don't exist try to build - if [ ! -f /usr/ports/packages/${line} ]; then - echo "Building package: ${line};\n" - name=$(echo ${line} | cut -d "#" -f 1) - $sudo prt-get update -fr ${name} - fi - - # if binary package exist copy to destination - if [ -f /usr/ports/packages/${line} ]; then - echo "Backing up package: ${line}" - echo ${line} >> ${DEST_DIR}/backup.pkg - cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/ - else - echo "Package not found: ${line}" - echo ${line} >> ${DEST_DIR}/${col}-notfound.pkg - fi - done < $DEST_DIR/${col}.pkg -} - -mkbk_coll_ports() { - # backup collection ports - col=$1 - - tar --xattrs -zcpf $PORT_PRT/${col}.tar.gz \ - --directory=$ROOT_DIR/usr/ports/${col} \ - --exclude=.git/ \ -} - -mkbk_metadata() { - - # archive pkgutils data - tar --xattrs -zcpf $DATA_CNF/pkg-db.tar.gz \ - /var/lib/pkg/db - - # must be using gwak instead of sed, xargs and echo - prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${DEST_DIR}/installed.pkg - - # make list and copy installed core packages - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/core" | cut -d " " -f 3 > ${DEST_DIR}/core.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/opt" | cut -d " " -f 3 > $DEST_DIR/opt.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/contrib" | cut -d " " -f 3 > $DEST_DIR/contrib.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/xorg" | cut -d " " -f 3 > $DEST_DIR/xorg.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep -v "yes /usr/ports/core" | grep -v "yes /usr/ports/opt" | grep -v "yes /usr/ports/contrib" | grep -v "yes /usr/ports/xorg" | grep "yes " | cut -d " " -f 3 > $DEST_DIR/other.pkg - -} - -mkbk_etc_conf() { - - tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \ - --directory=$ROOT_DIR/etc \ - . - - tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \ - --directory=$ROOT_DIR/usr/etc \ - . -} - -mkbk_srv_www() { - - # backup web data first stop php and nginx - - for pkg_www in ${ROOT_DIR}/srv/www/*; do - if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then - pkg_back="${DATA_SRV}/www" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz" - exc="${pkg_www}/backup_deploy" - tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www} - fi - done -} - -mkbk_srv_pgsql() { - - # backup database data first dump all databases - - pkg_back="${DATA_SRV}/pgsql" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz - - tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \ - ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \ - ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \ - ${ROOT_DIR}/srv/pgsql/data/postgresql.conf -} - -mkbk_srv_gitolite() { - - # backup gitolite repositories - - pkg_back="${DATA_SRV}/gitolite" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - - tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \ - --directory=${ROOT_DIR}/srv/gitolite \ - . -} - -mkbk_user_metadata() { - - for dir in /home/*; do - if [ "${dir}" != "/home/lost+found" ]; then - user=$(basename $dir) - tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \ - $dir/.bash_profile \ - $dir/.bashrc \ - $dir/.config \ - $dir/.gitconfig \ - $dir/.gnupg \ - $dir/.irssi \ - $dir/.lynxrc \ - $dir/.mutt \ - $dir/.netrc \ - $dir/.profile \ - $dir/.spectrwm.conf \ - $dir/.ssh \ - $dir/.tmux.conf \ - $dir/.vim \ - $dir/.vimrc \ - $dir/.xinitrc - - # encript data - #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ - # --encrypt --recipient user@host \ - # "${DATA_USR}/meta-${user}.tar.gz" - - tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ - $dir/gitolite-admin - fi - done + *) echo "Please enter only y or n" +esac +done +echo "You entered $CONFIRM. Continuing ..." } print_data () { echo "ROOT_DIR=${ROOT_DIR}" echo "DEST_DIR=${DEST_DIR}" + echo "DEST_SYS=${DEST_SYS}" echo "PORT_PKG=${PORT_PKG}" echo "PORT_PRT=${PORT_PRT}" echo "DATA_CNF=${DATA_CNF}" @@ -205,11 +58,13 @@ while [ "$1" ]; do DEST_DIR=$2 # Destination directory - PORT_PKG="${DEST_DIR}/crux" - PORT_PRT="${DEST_DIR}/ports" - DATA_CNF="${DEST_DIR}/conf" - DATA_USR="${DEST_DIR}/user" - DATA_SRV="${DEST_DIR}/srv" + DEST_SYS="${DEST_DIR}/system" + PORT_PKG="${DEST_SYS}/packages" + PORT_PRT="${DEST_SYS}/ports" + DATA_CNF="${DEST_DIR}/conf" + DATA_USR="${DEST_DIR}/user" + DATA_SRV="${DEST_DIR}/srv" + shift ;; -h|--help) print_help @@ -231,62 +86,184 @@ mkdir -p ${DATA_CNF} mkdir -p ${DATA_USR} mkdir -p ${DATA_SRV} -# Light backup data -mkbk_metadata -mkbk_etc_conf +# Backup system settings +tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \ + --directory=$ROOT_DIR/etc \ + . + +tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \ + --directory=$ROOT_DIR/usr/etc \ + . +# User Meta Data while true do - echo -n "Backup user metadata ? Please confirm (y or n) :" + echo "Backup User Metadata ?" + echo "Please confirm (y or n): " read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_user_metadata + for dir in /home/*; do + if [ "${dir}" != "/home/lost+found" ]; then + user=$(basename $dir) + tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \ + $dir/.bash_profile \ + $dir/.bashrc \ + $dir/.config \ + $dir/.gitconfig \ + $dir/.gnupg \ + $dir/.irssi \ + $dir/.lynxrc \ + $dir/.mutt \ + $dir/.netrc \ + $dir/.profile \ + $dir/.spectrwm.conf \ + $dir/.ssh \ + $dir/.tmux.conf \ + $dir/.vim \ + $dir/.vimrc \ + $dir/.xinitrc + + # encript data + #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ + # --encrypt --recipient user@host \ + # "${DATA_USR}/meta-${user}.tar.gz" + + tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ + $dir/gitolite-admin + fi + done break ;; *) echo "Please enter only y or n" esac done +# Server Data while true do - echo -n "Backup web services data (/srv) ? Please confirm (y or n) :" + echo "Backup Server Data ?" + echo "Please confirm (y or n): " read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_srv_www - mkbk_srv_pgsql - mkbk_srv_gitolite + + # backup web data first stop php and nginx + for pkg_www in ${ROOT_DIR}/srv/www/*; do + if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then + pkg_back="${DATA_SRV}/www" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz" + exc="${pkg_www}/backup_deploy" + tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www} + fi + done + + # backup database data first dump all databases + pkg_back="${DATA_SRV}/pgsql" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz + + tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \ + ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \ + ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \ + ${ROOT_DIR}/srv/pgsql/data/postgresql.conf + + + # backup gitolite repositories + pkg_back="${DATA_SRV}/gitolite" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + + tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \ + --directory=${ROOT_DIR}/srv/gitolite \ + . + break ;; *) echo "Please enter only y or n" esac done - +# Port System while true do - echo -n "Backup port system ? Please confirm (y or n) :" + echo "Backup Port System ?" + echo "Please confirm (y or n) :" read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_coll_ports "core" - mkbk_coll_pkg "core" - mkbk_coll_ports "opt" - mkbk_coll_pkg "opt" - mkbk_coll_ports "contrib" - mkbk_coll_pkg "contrib" - mkbk_coll_ports "xorg" - mkbk_coll_pkg "xorg" - mkbk_coll_pkg "other" + + # archive pkgutils data + tar --xattrs -zcpf $DEST_SYS/pkg-db.tar.gz \ + /var/lib/pkg/db + + # archive ports data + tar --xattrs -zcpf $DEST_SYS/etc_ports.tar.gz \ + --directory=/etc/ports \ + . + + METADATA=${DEST_SYS}/meta-data + mkdir -p $METADATA + + # must be using gwak instead of sed + prt-get listinst -v | sed 's/ /#/g' | sed 's/$/.pkg.tar.gz/g' > ${METADATA}/all-installed.pkg + + for filename in /etc/ports/*.git; do + source $filename + + # backup ports collection + echo "Backing up collection: $NAME" + tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \ + --directory=$ROOT_DIR/usr/ports/${NAME} \ + --exclude=.git/ \ + . + + + # create list of installed packages + prt-get printf "%i %p %n\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg + + # backup collection packages + while read line; do + echo "Backing up package: ${NAME}/${line}" + # get installed version not version on ports + PACKAGE="$(cat ${METADATA}/all-installed.pkg | grep "^${line}#")" + if [ ! -f /usr/ports/packages/${PACKAGE} ]; then + echo "Building package: ${PACKAGE};\n" + sudo prt-get update -fr -if -is ${line} + (cd /usr/ports/${NAME}/${line} \ + && sudo pkgmk -uf) + fi + + if [ -f /usr/ports/packages/${PACKAGE} ]; then + echo ${PACKAGE} >> ${METADATA}/${NAME}-backup.pkg + #cp /usr/ports/packages/${PACKAGE} ${PORT_PKG}/${NAME}/ + tar rvf ${PORT_PKG}/${NAME}.tar \ + --directory=/usr/ports/packages \ + ${PACKAGE} + else + echo "Package $PORT_NAME not found: ${line}" + echo ${PACKAGE} >> ${METADATA}/${NAME}-notfound.pkg + fi + done < ${METADATA}/${NAME}-installed.pkg + done break ;; *) echo "Please enter only y or n" esac done + +RELEASE_NAME=$(basename ${DEST_DIR}) +cd $(dirname ${DEST_DIR}) && tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/ +rm -rf ${DEST_DIR} diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh index d4d6983..9edd966 100644 --- a/core/scripts/install-core.sh +++ b/core/scripts/install-core.sh @@ -41,7 +41,7 @@ install_core() { done fi - tar xf "${PORT_PKG}/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd + tar xf "${PORT_PKG}/core/pkgutils#5.40-7.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd chmod +x ${CHROOT}/pkgadd @@ -55,7 +55,8 @@ install_core() { while read line; do pkg=${PORT_PKG}/core/${line} echo "Installing ${pkg};\n" - ${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg} + #${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg} + pkgadd -f -r ${CHROOT} ${pkg} done < ${CORE_LS} rm ${CHROOT}/pkgadd @@ -67,7 +68,7 @@ install_core() { install_packages() { echo "Installing $CHROOT/media/crux/opt/fakeroot" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/fakeroot#* + $CHROOT/usr/bin/pkgadd -f -r $CHROOT ${CHROOT}/media/crux/opt/fakeroot#* echo "Installing $CHROOT/media/crux/opt/dbus" $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/dbus#* echo "Installing $CHROOT/media/crux/opt/expat" diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh deleted file mode 100644 index 478ce08..0000000 --- a/core/scripts/iptables-conf.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -TYPE=bridge -#TYPE=server - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" - -# public interface to network/internet -BR_IF="br0" -BR_NET="10.0.0.0/8" -GW="10.0.0.1" -#DNS="10.0.0.254" -DNS="212.55.154.174" - -PUB_IP="10.0.0.254" -PUB_IF="enp8s0" - -# private interface for virtual/internal -#PRIV_IF="wlp7s0" -#PRIV_NET="192.168.1.0/24" diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh deleted file mode 100644 index 0516d94..0000000 --- a/core/scripts/iptables.sh +++ /dev/null @@ -1,420 +0,0 @@ -#!/bin/bash - -source /etc/iptables/iptables-conf.sh - -iptables_clear () { - echo "clear all iptables tables" - - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X - iptables -N blocker - - iptables -N srv_dhcp - iptables -N srv_rip - iptables -N srv_icmp - iptables -N srv_dns_in - iptables -N srv_dns_out - iptables -N srv_http_in - iptables -N srv_http_out - iptables -N srv_https_in - iptables -N srv_https_out - iptables -N srv_ssh_in - iptables -N srv_ssh_out - iptables -N srv_git_in - iptables -N srv_git_out - iptables -N srv_db_in - iptables -N srv_db_out - - - iptables -N cli_dns_in - iptables -N cli_dns_out - iptables -N cli_http_in - iptables -N cli_http_out - iptables -N cli_https_in - iptables -N cli_https_out - iptables -N cli_ssh_in - iptables -N cli_ssh_out - iptables -N cli_pops_in - iptables -N cli_pops_out - iptables -N cli_smtps_in - iptables -N cli_smtps_out - iptables -N cli_irc_in - iptables -N cli_irc_out - iptables -N cli_ftp_in - iptables -N cli_ftp_out - iptables -N cli_git_in - iptables -N cli_git_out - iptables -N cli_gpg_in - iptables -N cli_gpg_out - - # Set Default Rules - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP -} - -iptables_log () { - ## log everything else and drop - $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -} - - -iptables_tables () { - echo "start adding tables..." - - ####### blocker Chain ###### - ## Block google dns - $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " - $IPT -A blocker -s 8.8.0.0/24 -j DROP - ## Block sync - $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " - $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP - ## Block Fragments - $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " - $IPT -A blocker -f -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " - $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - ## Return to caller - $IPT -A blocker -j RETURN - - ######## DNS Server - #echo "server_in chain: Allow input to DNS Server" - $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -j RETURN - #echo "srv_dns_out chain: Allow output from DNS server" - $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -j RETURN - - ####### Database Server - $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_db_in -j RETURN - $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_db_out -j RETURN - - ####### SSH Server - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ - --update --seconds 60 --hitcount 4 --rttl \ - --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ - --hitcount 4 --rttl --name SSH -j DROP - - $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - - $IPT -A srv_ssh_in -j RETURN - $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_ssh_out -j RETURN - - ####### HTTP Server - $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_http_in -j RETURN - $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_http_out -j RETURN - - ####### HTTPS Server - $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_https_in -j RETURN - $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_https_out -j RETURN - - ###### GIT server - $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_git_in -j RETURN - $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_git_out -j RETURN - - ######## DNS Client - $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_dns_out -j RETURN - $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_dns_in -j RETURN - - ######## HTTP Client - #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP - - $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -j RETURN - $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -j RETURN - - ######## IRC client - $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_irc_in -j RETURN - $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_irc_out -j RETURN - - ######## FTP client - - $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_in -j RETURN - $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_out -j RETURN - ######## GIT client - $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_git_in -j RETURN - $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_git_out -j RETURN - - ######## POP3S client - $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_pops_in -j RETURN - $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_pops_out -j RETURN - - ######## SMTPS client - $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_in -j RETURN - $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_out -j RETURN - - ######## HTTPS client - $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -j RETURN - $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -j RETURN - - ######## SSH client - $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -j RETURN - $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -j RETURN - - ######## GPG key client - $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_in -j RETURN - $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_out -j RETURN - - ######## DHCP Server - $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -j RETURN - - ####### RIP Server - $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT - $IPT -A srv_rip -j RETURN - - ####### ICMP Server - $IPT -A srv_icmp -p icmp -j ACCEPT - $IPT -A srv_icmp -j RETURN -} - -case $TYPE in - bridge) - iptables_clear - iptables_tables - - echo "setting bridge network..." - echo 1 > /proc/sys/net/ipv4/ip_forward - - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### NAT Prerouting Chain ###### - - ####### Forward Chain ###### - $IPT -A FORWARD -j blocker - $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - # Tap1 and Tap3 can access external http - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out - - ####### Forward TAP2 ssh, http and https ###### - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out - # - # #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip - # - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp - - # Tap1, Tap2 and Tap3 can access external https - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in - - #Less noise - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - #Less noise - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - #Less noise - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out - - ####### PostRouting Chain ###### - #Less noise - #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT - - #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE - - ## log everything else and drop - iptables_log - - #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " - # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " - - iptables-save > /etc/iptables/net.v4 - exit 0 - ;; - - server) - iptables_clear - iptables_tables - - echo "setting server network..." - - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in - #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in - - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out - #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out - - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out - - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out - - ## log everything else and drop - iptables_log - - iptables-save > /etc/iptables/net.v4 - exit 0 - - ;; - *) - - echo "usage: $0 [start|stop|restart]" - ;; -esac - diff --git a/core/scripts/setup-iso.sh b/core/scripts/setup-iso.sh index ddad787..ebcd043 100644 --- a/core/scripts/setup-iso.sh +++ b/core/scripts/setup-iso.sh @@ -2,6 +2,7 @@ # location of iso and md5 file ISO_DIR="/usr/ports/iso" +MOUNT_POINT="/mnt/media" ISO_FILE="${ISO_DIR}/crux-3.4.iso" MD5_FILE="${ISO_DIR}/crux-3.4.md5" @@ -70,7 +71,7 @@ mount_iso() { modprobe isofs modprobe loop - mount -o loop $ISO_FILE /media + mount -o loop $ISO_FILE $MOUNT_POINT } print_data() { @@ -80,6 +81,7 @@ print_data() { echo "md5 file: ${MD5_FILE}" echo "iso url: ${ISO_URL}" echo "md5 url: ${MD5_URL}" + echo "mount point: ${MOUNT_POINT}" } print_help() { diff --git a/core/scripts/setup-virtual.sh b/core/scripts/setup-virtual.sh index 2b27a9f..3583bb6 100644 --- a/core/scripts/setup-virtual.sh +++ b/core/scripts/setup-virtual.sh @@ -20,45 +20,51 @@ ConfirmOrExit () } DEV_NAME=${1} +IMG=${2}.qcow2 +SIZE=${3} CHROOT="/mnt" DEV="/dev/${DEV_NAME}" +echo "/srv/qemu/img/${IMG}" +echo "${SIZE}" echo "DEV_NAME=${DEV_NAME}" echo "DEV=${DEV}" echo "CHROOT=${CHROOT}" ConfirmOrExit +#qemu-img create -f qcow2 example.qcow2 20G +qemu-img create -f qcow2 /srv/qemu/img/${IMG} ${SIZE} +qemu-nbd -c ${DEV} /srv/qemu/img/${IMG} + parted --script ${DEV} \ - mklabel gpt \ - unit mib \ - mkpart primary 1 3 \ - set 1 bios_grub on \ - name 1 grub \ - mkpart ESP fat32 3 59 \ - set 2 boot on \ - name 2 efi \ - mkpart primary ext4 103 200 \ - name 3 boot \ - mkpart primary linux-swap 200 456 \ - name 4 swap \ - mkpart primary ext4 456 3700 \ - name 5 root \ - mkpart primary ext4 3700 4000 \ - name 6 var \ - mkpart primary ext4 4000 100% \ - name 7 home + mklabel gpt \ + unit mib \ + mkpart primary 2 4 \ + name 1 grub \ + mkpart ESP fat32 4 128 \ + name 2 efi \ + mkpart primary ext4 128 1128 \ + name 3 boot \ + mkpart primary ext4 1128 12128 \ + name 4 root \ + mkpart primary ext4 12128 14128 \ + name 5 var \ + mkpart primary ext4 14128 100% \ + name 6 lvm \ + set 1 bios_grub on \ + set 2 boot on \ + set 6 lvm on kpartx -a -s -l -u ${DEV} mkfs.fat -F 32 /dev/mapper/${DEV_NAME}p2 mkfs.ext4 /dev/mapper/${DEV_NAME}p3 -mkswap /dev/mapper/${DEV_NAME}p4 +mkfs.ext4 /dev/mapper/${DEV_NAME}p4 mkfs.ext4 /dev/mapper/${DEV_NAME}p5 -mkfs.ext4 /dev/mapper/${DEV_NAME}p6 -mkfs.ext4 /dev/mapper/${DEV_NAME}p7 +pvcreate /dev/mapper/${DEV_NAME}p6 -mount /dev/mapper/${DEV_NAME}p5 $CHROOT +mount /dev/mapper/${DEV_NAME}p4 $CHROOT mkdir -p $CHROOT/proc mkdir -p $CHROOT/sys mkdir -p $CHROOT/dev @@ -69,8 +75,4 @@ mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot mkdir -p $CHROOT/boot/efi mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi mkdir -p $CHROOT/var -mount /dev/mapper/${DEV_NAME}p6 $CHROOT/var -mkdir -p $CHROOT/home -mount /dev/mapper/${DEV_NAME}p7 $CHROOT/home - - +mount /dev/mapper/${DEV_NAME}p5 $CHROOT/var |