diff options
Diffstat (limited to 'core')
| -rw-r--r-- | core/apparmor.html | 18 | ||||
| -rw-r--r-- | core/conf/apparmor/parser.conf | 2 | ||||
| -rw-r--r-- | core/conf/iptables/bridge.v4 | 223 | ||||
| -rw-r--r-- | core/conf/iptables/client.v4 (renamed from core/conf/iptables/open.v4) | 21 | ||||
| -rw-r--r-- | core/conf/iptables/ipt-bridge.sh | 8 | ||||
| -rw-r--r-- | core/conf/iptables/ipt-client.sh (renamed from core/conf/iptables/ipt-open.sh) | 5 | ||||
| -rw-r--r-- | core/conf/iptables/ipt-conf.sh | 16 | ||||
| -rw-r--r-- | core/conf/iptables/ipt-server.sh | 2 | ||||
| -rw-r--r-- | core/conf/rc.d/iptables | 86 | ||||
| -rw-r--r-- | core/conf/skel/.bashrc | 4 | ||||
| -rw-r--r-- | core/conf/sysctl.conf | 10 | ||||
| -rw-r--r-- | core/index.html | 27 | ||||
| -rw-r--r-- | core/network.html | 17 | ||||
| -rw-r--r-- | core/ports.html | 14 | ||||
| -rw-r--r-- | core/sysctl.html | 3 |
15 files changed, 384 insertions, 72 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 8b7a30c..c567df8 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -165,6 +165,24 @@ } </pre> + <h3>Seed up profile loading</h3> + + <p>Every time apparmor loads a profile in text it needs + to compile into binary format, this takes some time if + there is many profiles to load at boot time. To optimize + edit /etc/apparmor/parser.conf;</p> + + <pre> + ## Turn creating/updating of the cache on by default + write-cache + </pre> + + <p>To change default location add;</p> + + <pre> + chache-loc=/var/cache/apparmor + </pre> + <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. Copyright (C) 2019 diff --git a/core/conf/apparmor/parser.conf b/core/conf/apparmor/parser.conf new file mode 100644 index 0000000..673d30a --- /dev/null +++ b/core/conf/apparmor/parser.conf @@ -0,0 +1,2 @@ +## Turn creating/updating of the cache on by default +write-cache diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4 new file mode 100644 index 0000000..4930262 --- /dev/null +++ b/core/conf/iptables/bridge.v4 @@ -0,0 +1,223 @@ +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 +*raw +:PREROUTING ACCEPT [2:80] +:OUTPUT ACCEPT [3:4544] +COMMIT +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 +*mangle +:PREROUTING ACCEPT [2:80] +:INPUT ACCEPT [2:80] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [3:4544] +:POSTROUTING ACCEPT [2:2292] +COMMIT +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 3030 --dport 1024:65535 -j DROP +-A INPUT -i br0 -j srv_dhcp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in +-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp +-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in +-A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT +-A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in +-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 519 -j DROP +-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 520 -j DROP +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 3030 -j DROP +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dhcp +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_ssh_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_git_out +-A OUTPUT -o br0 -j srv_icmp +-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o br0 -j cli_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_ssh_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Fri Jun 28 01:22:10 2019 diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/client.v4 index 30e476d..91b564d 100644 --- a/core/conf/iptables/open.v4 +++ b/core/conf/iptables/client.v4 @@ -1,25 +1,25 @@ -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *security :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] @@ -27,8 +27,8 @@ COMMIT :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] @@ -97,6 +97,7 @@ COMMIT -A OUTPUT -o wlp9s0 -j cli_irc_out -A OUTPUT -o wlp9s0 -j cli_ftp_out -A OUTPUT -o wlp9s0 -j cli_gpg_out +-A OUTPUT -o wlp9s0 -p udp -m udp --sport 1024:65511 --dport 1024:65535 -j ACCEPT -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP @@ -207,4 +208,4 @@ COMMIT -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -A srv_ssh_out -j RETURN COMMIT -# Completed on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index cd93687..694c22f 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -50,8 +50,10 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10. $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.3 -j cli_http_in ##Less noise -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 520 --sport 520 -j DROP ######## Input Chain ###### $IPT -A INPUT -j blocker @@ -67,12 +69,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 - $IPT -A INPUT -i ${BR_IF} -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in -$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in #$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp #$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in @@ -133,4 +135,4 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out ## log everything else and drop ipt_log -iptables-save > bridge.v4 +iptables-save > /etc/iptables/bridge.v4 diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-client.sh index 3ef1254..65df9e4 100644 --- a/core/conf/iptables/ipt-open.sh +++ b/core/conf/iptables/ipt-client.sh @@ -24,6 +24,7 @@ $IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in $IPT -A INPUT -i ${PUB_IF} -j cli_irc_in $IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in $IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -j ACCEPT ####### Output Chain ###### @@ -40,8 +41,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out $IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out $IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out $IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:655335 --dport 1024:65535 -j ACCEPT ## log everything else and drop ipt_log - -iptables-save > open.v4 +iptables-save > /etc/iptables/client.v4 diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh index c3dac16..dcea837 100644 --- a/core/conf/iptables/ipt-conf.sh +++ b/core/conf/iptables/ipt-conf.sh @@ -5,19 +5,23 @@ IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet +# bridge interface with interface facing gateway BR_IF="br0" +# bridge ip network address BR_NET="10.0.0.0/8" +# network gateway GW="10.0.0.1" -#GW="10.0.0.2" -#DNS="10.0.0.254" +# external dns DNS="212.55.154.174" -#DNS="8.8.8.8" +# static machine ip address PUB_IP="10.0.0.254" + +# public interface facing gateway PUB_IF="enp8s0" -# private interface for virtual/internal +# wifi interface WIFI_IF="wlp7s0" -#WIFI_NET="192.168.1.0/24" + +# static wifi ip network address WIFI_NET="10.0.0.0/8" diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh index 370db60..e557193 100644 --- a/core/conf/iptables/ipt-server.sh +++ b/core/conf/iptables/ipt-server.sh @@ -43,4 +43,4 @@ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out ## log everything else and drop ipt_log -iptables-save > server.v4 +iptables-save > /etc/iptables/server.v4 diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index cc7c765..f8b7881 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,35 +1,31 @@ +#!/bin/bash IPT="/usr/sbin/iptables" -TYPE=bridge +#TYPE=bridge #TYPE=server -#TYPE=open +TYPE=open +#TYPE=client -echo "clear all iptables tables" +clear_ipt() { -${IPT} -F -${IPT} -X -${IPT} -t nat -F -${IPT} -t nat -X -${IPT} -t mangle -F -${IPT} -t mangle -X -${IPT} -t raw -F -${IPT} -t raw -X -${IPT} -t security -F -${IPT} -t security -X + ${IPT} -F + ${IPT} -X + ${IPT} -t nat -F + ${IPT} -t nat -X + ${IPT} -t mangle -F + ${IPT} -t mangle -X + ${IPT} -t raw -F + ${IPT} -t raw -X + ${IPT} -t security -F + ${IPT} -t security -X -# Set Default Rules -${IPT} -P INPUT DROP -${IPT} -P FORWARD DROP -${IPT} -P OUTPUT DROP - -${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +} case $1 in start) case $TYPE in bridge) - + clear_ipt echo "setting bridge network..." echo 1 > /proc/sys/net/ipv4/ip_forward @@ -38,23 +34,63 @@ case $1 in ;; server) - + clear_ipt echo "setting server network..." ## load server configuration iptables-restore /etc/iptables/server.v4 ;; - open) - + client) + clear_ipt echo "setting client network..." ## load client configuration - iptables-restore /etc/iptables/open.v4 + iptables-restore /etc/iptables/client.v4 + ;; + open) + clear_ipt + echo "setting open network..." + ## load client configuration + + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT ACCEPT + + ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + ${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + ${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + + ${IPT} -A OUTPUT -j ACCEPT + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + ;; esac ;; stop) + echo "clear all iptables tables" + clear_ipt + # Set Default Rules + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT DROP + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + ${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + + ;; + restart) + clear_ipt + $0 start + ;; + status) + ${IPT} -v ;; *) echo "Usage: $0 [start|stop]" diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc index 88cf24c..55d1c78 100644 --- a/core/conf/skel/.bashrc +++ b/core/conf/skel/.bashrc @@ -22,12 +22,14 @@ HISTSIZE=1000 HISTFILESIZE=2000 +alias diff='diff --color=auto' +alias grep='grep --color=auto' +alias ls='ls -ph --color=auto' alias rm='rm -i' #alias cp='cp -i' alias mv='mv -i' # Prevents accidentally clobbering files. alias mkdir='mkdir -p' - alias h='history' alias hg='history | grep' alias j='jobs -l' diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index 771112a..3cc54d1 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -15,6 +15,9 @@ vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 +#Yama LSM by default +kernel.yama.ptrace_scope = 1 + # # Filesystem Protections # @@ -30,6 +33,8 @@ kernel.kptr_restrict = 2 # Network Protections # +net.core.bpf_jit_enable = 0 + # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4MB, or higher if you use very high BDP paths @@ -39,6 +44,9 @@ net.core.wmem_max = 8388608 net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 +#A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. +net.ipv4.tcp_sack = 0 + # Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 @@ -91,6 +99,7 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 @@ -131,3 +140,4 @@ net.ipv4.tcp_keepalive_time = 1800 net.ipv4.tcp_synack_retries = 3 # End of file + diff --git a/core/index.html b/core/index.html index 20e50af..0900939 100644 --- a/core/index.html +++ b/core/index.html @@ -48,26 +48,27 @@ <li><a href="configure.html#rcconf">1.2.6. Initialization scripts</a></li> </ul> </li> - - <li><a href="ports.html">1.3. Ports</a> + <li><a href="reboot.html">1.3. Boot</a> <ul> - <li><a href="ports.html#filesystem">1.3.1. Ports layout</a></li> - <li><a href="ports.html#fakeroot">1.3.2. Build as user</a></li> - <li><a href="ports.html#pkgmk">1.3.3. Configure pkgmk</a></li> - <li><a href="ports.html#prtget">1.3.4. Configure prt-get</a></li> - <li><a href="ports.html#distcc">1.3.5. Ccache and distcc</a></li> + <li><a href="reboot.html#linux">1.3.1. Kernel</a></li> + <li><a href="reboot.html#dracut">1.3.2. Dracut</a></li> + <li><a href="reboot.html#grub">1.3.3. Grub</a></li> + <li><a href="reboot.html#recover">1.3.4. Recover</a></li> + <li><a href="reboot.html#checkup">1.3.5. Checkup</a></li> </ul> </li> - <li><a href="reboot.html">1.4. Boot</a> + <li><a href="ports.html">1.4. Ports</a> <ul> - <li><a href="reboot.html#linux">1.4.1. Kernel</a></li> - <li><a href="reboot.html#dracut">1.4.2. Dracut</a></li> - <li><a href="reboot.html#grub">1.4.3. Grub</a></li> - <li><a href="reboot.html#recover">1.4.4. Recover</a></li> - <li><a href="reboot.html#checkup">1.4.5. Checkup</a></li> + <li><a href="ports.html#filesystem">1.4.1. Ports layout</a></li> + <li><a href="ports.html#fakeroot">1.4.2. Build as user</a></li> + <li><a href="ports.html#pkgmk">1.4.3. Configure pkgmk</a></li> + <li><a href="ports.html#prtget">1.4.4. Configure prt-get</a></li> + <li><a href="ports.html#distcc">1.4.5. Ccache and distcc</a></li> </ul> </li> + + </ul> <h2>2. System Administration</h2> diff --git a/core/network.html b/core/network.html index 4a412ad..4838122 100644 --- a/core/network.html +++ b/core/network.html @@ -14,10 +14,10 @@ <dl> <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> - <dd>Configure <a href="#iptables">iptables</a>, start option - loads set of rules from file /etc/iptables/net.v4, open option + <dd>Configure <a href="#iptables">iptables</a>, "start" option + loads set of rules from file /etc/iptables/(name).v4, "open" option allows everything to outside and blocks everything from outside, - stop will block and log everything.</dd> + "stop" option will block and log everything.</dd> <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt> <dd>Configure Ethernet interface with static or dynamic (dhcp) IP, set default route and add default gateway.</dd> @@ -283,7 +283,7 @@ <pre> # mkdir /etc/iptables - # cp core/conf/iptables/net.v4 /etc/iptables/ + # cp core/conf/iptables/*.sh /etc/iptables/ # cp core/conf/rc.d/iptables /etc/rc.d/ # chmod +x /etc/rc.d/iptables </pre> @@ -300,6 +300,15 @@ with your network configuration, and adjust <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a>, <a href="conf/ipt-bridge.sh">/etc/iptables/ipt-bridge.sh</a>, <a href="conf/ipt-open.sh">/etc/iptables/ipt-open.sh</a> according with host necessities.</p> + <p>When is everything configured run script to load the rules and save them on /etc/iptables. Example for bridge setup;</p> + + <pre> + # cd /etc/iptables + # bash ipt-bridge.sh + </pre> + + <p>From now on use /etc/rc.d/iptables to start and stop.<p> + <h2 id="wpa">2.2.4. Wpa and dhcpd</h2> <p>There is more information on diff --git a/core/ports.html b/core/ports.html index 9d2f989..990f6cc 100644 --- a/core/ports.html +++ b/core/ports.html @@ -2,18 +2,18 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>1.3. Ports</title> + <title>1.4. Ports</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>1.3. Ports</h1> + <h1>1.4. Ports</h1> <p>This instructions are done <a href="configure.html#chroot">inside chroot</a>.</p> - <h2 id="filesystem">1.3.1. Ports Layout</h2> + <h2 id="filesystem">1.4.1. Ports Layout</h2> <p>Make sure follow directories exist;</p> @@ -22,7 +22,7 @@ # mkdir -p /usr/ports/{distfiles,packages,work,pkgbuild} </pre> - <h2 id="fakeroot">1.3.2. Build as user</h2> + <h2 id="fakeroot">1.4.2. Build as user</h2> <p>For more information read <a href="https://crux.nu/Wiki/FakerootPorts">Fakeroot Ports</a>. @@ -61,7 +61,7 @@ pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults,mode=0750 0 0 </pre> - <h2 id="pkgmk">1.3.3. Configure pkgmk</h2> + <h2 id="pkgmk">1.4.3. Configure pkgmk</h2> <p>Read <a href="https://crux.nu/Handbook3-3#ntoc22">4.5. Adjust/Configure the Package Build Process</a> to take advantage of your specific hardware. Packages build with @@ -127,7 +127,7 @@ <p>Check <a href="toolchain.html">toolchain</a> for more options on how packages are build.</p> - <h2 id="prtget">1.3.4. Configure prt-get</h2> + <h2 id="prtget">1.4.4. Configure prt-get</h2> <p>Edit /etc/prt-get.conf;</p> @@ -186,7 +186,7 @@ runscriptcommand sudo sh </pre> - <h2 id="distcc">1.3.5. Ccache and distcc</h2> + <h2 id="distcc">1.4.5. Ccache and distcc</h2> <p>Ccache avoids same code to be compiled by saving the output from compilers and identifying same diff --git a/core/sysctl.html b/core/sysctl.html index afee463..550ae6d 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -62,6 +62,9 @@ net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 + #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. + net.ipv4.tcp_sack = 0 + # Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 |