Diffstat (limited to 'core')
-rw-r--r--core/conf/rc.d/iptables50
-rwxr-xr-xcore/conf/rc.d/net2
-rw-r--r--core/network.html33
3 files changed, 74 insertions, 11 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 2d77722..3f29928 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,12 +1,12 @@
 #!/bin/sh
 #
-# /etc/rc.d/iptables: load/unload iptable rules  
+# /etc/rc.d/iptables: load/unload iptable rules
 #
 
 case $1 in
 start)
   	echo "Starting IPv4 firewall filter table..."
-	/usr/sbin/iptables-restore < /etc/iptables/rules.v4	
+	/usr/sbin/iptables-restore < /etc/iptables/rules.v4
 	;;
 stop)
 	echo "Stopping firewall and deny everyone..."
@@ -21,16 +21,60 @@ stop)
         iptables -t security -F
         iptables -t security -X
 
-
         /usr/sbin/iptables -P INPUT DROP
         /usr/sbin/iptables -P FORWARD DROP
         /usr/sbin/iptables -P OUTPUT DROP
+
+	# Unlimited on local
+	/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
+	/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+
+	# log everything else and drop
+	/usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+	/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+	/usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+
+	;;
+open)
+	echo "Outgoing Open firewall and deny everyone..."
+        iptables -F
+        iptables -X
+        iptables -t nat -F
+        iptables -t nat -X
+        iptables -t mangle -F
+        iptables -t mangle -X
+        iptables -t raw -F
+        iptables -t raw -X
+        iptables -t security -F
+        iptables -t security -X
+
+        /usr/sbin/iptables -P INPUT DROP
+        /usr/sbin/iptables -P FORWARD DROP
+        /usr/sbin/iptables -P OUTPUT ACCEPT
+
+	# Unlimited on local
+	/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
+	/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+
+	# Accept passive
+	/usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+	/usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+	# log everything else and drop
+	/usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+	#/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+	/usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+
 	;;
+
 restart)
 	$0 stop
 	$0 start
 	;;
 *)
+
 	echo "usage: $0 [start|stop|restart]"
 	;;
 esac
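Review bot: In the new `open` target, inbound reply traffic is accepted only by the two `--dport 1024:` rules for tcp and udp, so conntrack-tracked ICMP (echo replies, and RELATED ICMP errors such as fragmentation-needed used by path-MTU discovery) and any reply to a local source port below 1024 fall through to the LOG rule and the INPUT DROP policy; a single protocol-agnostic rule `/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` (or `-m conntrack --ctstate`, the non-deprecated form) in place of both covers all of them. Both `stop` and `open` log every unsolicited packet with no rate limit, so a scan or flood turns into a log flood; inserting `-m limit --limit 5/min --limit-burst 10` before `-j LOG` on each of those rules bounds it. The usage line still reads `usage: $0 [start|stop|restart]` and should list `open`, and a comment above the `open)` label stating its effect — `# open: OUTPUT policy ACCEPT, INPUT/FORWARD policy DROP; only reply traffic is let in` — would save the next reader from diffing the two arms. The enclosing `case` begins before this hunk.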
diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net
index 2b94af0..d46583b 100755
--- a/core/conf/rc.d/net
+++ b/core/conf/rc.d/net
@@ -31,8 +31,6 @@ case $1 in
 			/usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid
 
 		else
-			# /sbin/ip route del default
-			/sbin/ip route flush dev ${DEV}
 			/sbin/ip link set ${DEV} down
 			/sbin/ip addr flush dev ${DEV}
 		fi
diff --git a/core/network.html b/core/network.html
index 39fc9c2..ce4643b 100644
--- a/core/network.html
+++ b/core/network.html
@@ -23,9 +23,9 @@
             connection to router and add as default gateway.</dd>
         </dl>
 
-	<p>If is first boot after install configure iptables and
-	one of above described scripts then proceed to upgrade your
-	system.</p>
+        <p>If is first boot after install configure iptables and
+        one of above described scripts then proceed to upgrade your
+        system.</p>
 
         <h2 id="resolv">2.1.1. Resolver</h2>
 
@@ -113,8 +113,16 @@
         configure nat and filtering;</p>
 
         <pre>
+<<<<<<< HEAD
         # mkdir /etc/iptables
         # cp c9-doc/core/scripts/iptables.sh /etc/iptables/
+=======
+        DEV=tap0
+        ADDR=10.0.0.1
+        NET=10.0.0.0
+        MASK=24
+        GW=10.0.0.1
+>>>>>>> core network revision
         </pre>
 
         <p>Adjust iptables to your needs, then;</p>
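Review bot: The `<pre>` block in this hunk is committed with unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> core network revision`), so the rendered page shows both alternatives and the markers verbatim; the conflict must be resolved before merging, keeping whichever listing belongs under the preceding "configure nat and filtering" text. If both listings are wanted, they need separate `<pre>` blocks, each introduced by its own sentence. The "Adjust iptables to your needs, then;" paragraph that follows suggests the HEAD side (`mkdir /etc/iptables` and the `cp` of `iptables.sh`) is the one that fits here, but that is inferred from the surrounding prose, not shown by the diff.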
@@ -129,9 +137,22 @@
         let drop when you call stop.</p>
 
         <pre>
+<<<<<<< HEAD
         # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
         # vim /etc/rc.d/iptables
         # chmod +x /etc/rc.d/iptables
+=======
+        # ip link add name ${DEV} type bridge
+        # ip link set dev ${DEV} up
+
+        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast 10.0.0.255
+        # ip addr add 0.0.0.0/${MASK} dev ${DEV} broadcast +
+
+        # ip tuntap add ${TAP} mode tap group kvm
+        # ip link set dev ${TAP} up
+
+        # ip link set dev ${TAP} master ${DEV}
+>>>>>>> core network revision
         </pre>
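Review bot: Besides the unresolved conflict markers, the bridge listing on the new side uses `${TAP}` in the `ip tuntap add`, `ip link set dev ${TAP} up` and `master` commands, but the variable block in the earlier hunk defines only `DEV`, `ADDR`, `NET`, `MASK` and `GW` — and `DEV=tap0` names the bridge, which is confusing when a tap device is then enslaved to it; define `TAP` (for example `TAP=tap0`) and give the bridge a distinct name such as `DEV=br0`. The line `ip addr add 0.0.0.0/${MASK} dev ${DEV} broadcast +` assigns 0.0.0.0/24 as an interface address, which is unusual and unexplained; it needs a one-line comment saying why it is required, or removal if it is a leftover. `group kvm` on the tuntap means any member of that group can attach to the tap and reach the host-side bridged network, so a sentence in the prose noting that group membership is the trust boundary here would be useful.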
 
         <p>Re-configure your rc.conf and add iptables before (w)lan is up;</p>
@@ -187,10 +208,10 @@
         </pre>
 
         <p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>
-	init script to auto load wpa configuration and dhcp
+        init script to auto load wpa configuration and dhcp
         client.</p>
 
-	<h3>2.1.4.2. Wpa Cli</h3>
+        <h3>2.1.4.2. Wpa Cli</h3>
 
         <pre>
         # wpa_cli
@@ -345,7 +366,7 @@
         <p>Change to act as a router (default of conf/sysctl.conf);</p>
 
         <pre>
-    	# Act as a router, necessary for Access Point
+        # Act as a router, necessary for Access Point
         net.ipv4.ip_forward = 1
         net.ipv4.conf.all.send_redirects = 1
         net.ipv4.conf.default.send_redirects = 1