Diffstat (limited to 'core')
-rw-r--r-- | core/conf/hosts | 4 | ||||
-rw-r--r-- | core/conf/rc.d/iptables | 50 | ||||
-rwxr-xr-x | core/conf/rc.d/net | 9 | ||||
-rw-r--r-- | core/configure.html | 21 | ||||
-rw-r--r-- | core/exim.html | 2 | ||||
-rw-r--r-- | core/index.html | 6 | ||||
-rw-r--r-- | core/network.html | 123 |
7 files changed, 153 insertions, 62 deletions
diff --git a/core/conf/hosts b/core/conf/hosts
index 2fb89fb..5c64924 100644
--- a/core/conf/hosts
+++ b/core/conf/hosts
@@ -3,10 +3,10 @@ # # IPv4 -127.0.0.1 localhost c9 +127.0.0.1 localhost.localdomain localhost c9 #<ip-address> <hostname.domain.org> <aliases> -#192.168.1.9 c9.example.org +10.0.0.1 core.privat-network.net c9.core # IPv6 #::1 ip6-localhost ip6-loopback
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 2d77722..3f29928 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,12 +1,12 @@ #!/bin/sh # -# /etc/rc.d/iptables: load/unload iptable rules +# /etc/rc.d/iptables: load/unload iptable rules # case $1 in start) echo "Starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore < /etc/iptables/rules.v4 + /usr/sbin/iptables-restore < /etc/iptables/rules.v4 ;; stop) echo "Stopping firewall and deny everyone..." 
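Review bot: The new entry `10.0.0.1 core.privat-network.net c9.core` does not agree with the name the documentation attaches to this host: the core/configure.html hunk further down keeps the context sentence `with core.privat-server.net pointing to c9 host;` while its example block, like this file, now shows core.privat-network.net. One of the two names should be corrected so prose and example match; the hosts line itself looks fine. A one-line comment above the new entry, `# keep in sync with ADDR in /etc/rc.d/net`, would also help, since this commit sets ADDR to the same 10.0.0.1 in that script and nothing ties the two values together.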
@@ -21,16 +21,60 @@ stop) iptables -t security -F iptables -t security -X - /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + + ;; +open) + echo "Outgoing Open firewall and deny everyone..." + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + + /usr/sbin/iptables -P INPUT DROP + /usr/sbin/iptables -P FORWARD DROP + /usr/sbin/iptables -P OUTPUT ACCEPT + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ;; + restart) $0 stop $0 start ;; *) + echo "usage: $0 [start|stop|restart]" ;; esac
diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net
index d111a25..d46583b 100755
--- a/core/conf/rc.d/net
+++ b/core/conf/rc.d/net 
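Review bot: The usage message added at the end of the hunk, `echo "usage: $0 [start|stop|restart]"`, omits the `open` target that the same hunk introduces; it should read `echo "usage: $0 [start|stop|open|restart]"`. Separately, the LOG rules appended in both the stop and open branches carry no rate limit, so under a DROP policy every unsolicited packet becomes a kernel log line; inserting `-m limit --limit 5/min --limit-burst 10` before `-j LOG` keeps the log readable when the host is scanned or flooded. The hunk also mixes bare `iptables` with `/usr/sbin/iptables` in the same branch; as an rc script runs with whatever PATH init provides, using the absolute path throughout would be more consistent and predictable. The `stop)` branch starts before this hunk.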
@@ -9,9 +9,9 @@ TYPE="static" # For "static" connections, specify your settings here: # To see your available devices run "ip link". DEV=enp8s0 -ADDR=192.168.1.33 +ADDR=10.0.0.1 MASK=24 -GW=192.168.1.1 +GW=10.0.0.1 # Optional settings: DHCPOPTS="-h $(/bin/hostname) -C resolv.conf $DEV"
@@ -23,7 +23,7 @@ case $1 in else /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + /sbin/ip link set ${DEV} up - /sbin/ip route add default via ${GW} + #/sbin/ip route add default via ${GW} fi ;; stop)
@@ -31,10 +31,7 @@ case $1 in /usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid else - # /sbin/ip route del default - /sbin/ip route flush dev ${DEV} /sbin/ip link set ${DEV} down - # /sbin/ip addr del ${ADDR}/${MASK} dev ${DEV} /sbin/ip addr flush dev ${DEV} fi ;;
diff --git a/core/configure.html b/core/configure.html
index 724b12f..f604f9c 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -59,14 +59,21 @@ with core.privat-server.net pointing to c9 host;</p> <pre> - # - # /etc/hosts: static lookup table for host names - # - # IPv4 - 127.0.0.1 localhost c9 - #<ip-address> <hostname.domain.org> <aliases> - # 192.168.1.9 core.privat-server.net + 127.0.0.1 localhost.localdomain localhost c9 + + #<ip-address> <hostname.domain.org> <aliases> + 10.0.0.1 core.privat-network.net c9.core + + # IPv6 + #::1 ip6-localhost ip6-loopback + #fe00::0 ip6-localnet + #ff00::0 ip6-mcastprefix + #ff02::1 ip6-allnodes + #ff02::2 ip6-allrouters + #ff02::3 ip6-allhosts + + # End of file </pre> <h2 id="time">1.2.2. Set timezone</h2>
diff --git a/core/exim.html b/core/exim.html
index c2a5a63..c4b3c95 100644
--- a/core/exim.html
+++ b/core/exim.html
@@ -51,7 +51,7 @@ <pre> # chown mail:mail /etc/ssl/keys/exim.key - # chmod 644 /etc/ssl/keys/exim.key + # chmod 0600 /etc/ssl/keys/exim.key # chmod 644 /etc/ssl/certs/exim.cert </pre>
diff --git a/core/index.html b/core/index.html
index 1200ca6..d3eff38 100644
--- a/core/index.html
+++ b/core/index.html 
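Review bot: `GW=10.0.0.1` in the first net hunk is now identical to `ADDR=10.0.0.1`, so the gateway variable points at the host's own address, and its only visible use, `/sbin/ip route add default via ${GW}`, is commented out in the second hunk; GW is left as dead configuration that reads like a mistake. If the intent is that this host is itself the router and installs no default route, as the network.html text in this commit states, a comment next to the assignment such as `# GW is unused: this host is the gateway, no default route is installed` would make that explicit, or the variable could be dropped. The third hunk also removes `/sbin/ip route flush dev ${DEV}` from the stop branch; the `ip addr flush` that follows presumably removes the connected routes with the addresses, but routes added to the device by other means would now survive a stop, which is worth a comment if it is deliberate. The case block these hunks patch begins and ends outside the hunks.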
@@ -72,9 +72,9 @@ <ul> <li><a href="network.html">2.1. Network</a> <ul> - <li><a href="network.html#iptables">2.1.1. Iptables</a></li> - <li><a href="network.html#resolv">2.1.2. Resolver</a></li> - <li><a href="network.html#static">2.1.3. Static ip</a></li> + <li><a href="network.html#resolv">2.1.1. Resolver</a></li> + <li><a href="network.html#static">2.1.2. Static ip</a></li> + <li><a href="network.html#iptables">2.1.3. Iptables</a></li> <li><a href="network.html#wpa">2.1.4. Wpa and dhcpd</a></li> <li><a href="network.html#sysctl">2.1.5. Sysctl</a></li> </ul>
diff --git a/core/network.html b/core/network.html
index 04f1266..b8b7617 100644
--- a/core/network.html
+++ b/core/network.html 
@@ -23,11 +23,87 @@ connection to router and add as default gateway.</dd> </dl> - <p>If is first boot after install configure iptables and - one of above described scripts then proceed to upgrade your - system.</p> + <p>If is first boot after install configure iptables and + one of above described scripts then proceed to upgrade your + system.</p> - <h2 id="iptables">2.1.1. Iptables</h2> + <h2 id="resolv">2.1.1. Resolver</h2> + + <p>Configure your resolver with a server that don't censorship there for + respect your freedom and privacy. Read + <a href="https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers#PublicDNSServers">Tor Dns Resolver</a> + for more information. This example will use + <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a> + server, edit /etc/resolv.conf and make it immutable;</p> + + <pre> + # /etc/resolv.conf.head can replace this line + nameserver 213.73.91.35 + # /etc/resolv.conf.tail can replace this line + </pre> + + <pre> + # chattr +i /etc/resolv.conf + </pre> + + <h2 id="static">2.1.2. 
Static IP</h2> + + <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p> + + <pre> + Address: 10.0.0.1 00001010.00000000.00000000 .00000001 + Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 + Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 + => + Network: 10.0.0.0/24 00001010.00000000.00000000 .00000000 (Class A) + Broadcast: 10.0.0.255 00001010.00000000.00000000 .11111111 + HostMin: 10.0.0.1 00001010.00000000.00000000 .00000001 + HostMax: 10.0.0.254 00001010.00000000.00000000 .11111110 + Hosts/Net: 254 (Private Internet) + </pre> + + <pre> + # DEV=enp8s0 + # ADDR=10.0.0.1 + # MASK=24 + # GW=10.0.0.1 + # ip addr flush dev ${DEV} + # ip route flush dev ${DEV} + </pre> + + <pre> + # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + + # ip link set ${DEV} up + </pre> + + <p>Script don't add above network as gateway;</p> + + <pre> + # ip route add default via ${GW} + </pre> + + <p>Other IP class used in home setups;</p> + + <pre> + Address: 192.168.0.1 11000000.10101000.00000000 .00000001 + Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 + Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 + => + Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C) + Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111 + HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001 + HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110 + Hosts/Net: 254 (Private Internet) + </pre> + + <pre> + # DEV=enp8s0 + # ADDR=192.168.1.1 + # MASK=24 + # GW=192.168.1.254 + </pre> + + <h2 id="iptables">2.1.3. Iptables</h2> <p>For more information about iptables read <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. 
@@ -65,39 +141,6 @@ </pre> <p> - <h2 id="resolv">2.1.2. Resolver</h2> - - <p>Configure your resolver with a server that don't censorship there for - respect your freedom and privacy. Read - <a href="https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers#PublicDNSServers">Tor Dns Resolver</a> - for more information. This example will use - <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a> - server, edit /etc/resolv.conf and make it immutable;</p> - - <pre> - # /etc/resolv.conf.head can replace this line - nameserver 213.73.91.35 - # /etc/resolv.conf.tail can replace this line - </pre> - - <pre> - # chattr +i /etc/resolv.conf - </pre> - - <h2 id="static">2.1.3. Static IP</h2> - - <pre> - # ip link - # ip addr flush dev ${DEV} - # ip route flush dev ${DEV} - </pre> - - <pre> - # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + - # ip link set ${DEV} up - # ip route add default via ${GW} - </pre> - <h2 id="wpa">2.1.4. Wpa and dhcpd</h2>
@@ -144,10 +187,10 @@ </pre> <p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a> - init script to auto load wpa configuration and dhcp + init script to auto load wpa configuration and dhcp client.</p> - <h3>2.1.4.2. Wpa Cli</h3> + <h3>2.1.4.2. Wpa Cli</h3> <pre> # wpa_cli
@@ -302,7 +345,7 @@ <p>Change to act as a router (default of conf/sysctl.conf);</p> <pre> - # Act as a router, necessary for Access Point + # Act as a router, necessary for Access Point net.ipv4.ip_forward = 1 net.ipv4.conf.all.send_redirects = 1 net.ipv4.conf.default.send_redirects = 1 |