Diffstat (limited to 'core')
-rw-r--r--core/conf/hosts18
-rw-r--r--core/conf/iptables/rules.v488
-rw-r--r--core/conf/rc.conf2
-rwxr-xr-xcore/conf/rc.d/net7
-rwxr-xr-xcore/conf/rc.d/wlan67
-rw-r--r--core/configure.html21
-rw-r--r--core/network.html44
7 files changed, 140 insertions, 107 deletions
diff --git a/core/conf/hosts b/core/conf/hosts
index 449949b..4069af5 100644
--- a/core/conf/hosts
+++ b/core/conf/hosts
@@ -3,25 +3,11 @@
 #
 # IPv4 LocalHosts
 127.0.0.1	localhost.localdomain localhost
-127.0.0.1  c9.core c9
-
-127.0.0.1	wiki.localhost
-127.0.0.1	git.localhost
-127.0.0.1	doc.localhost
-127.0.0.1	ports.localhost
-
-# IPv4 Intranet
-#<ip-address>	<hostname.domain.org>	<aliases>
-
-10.0.0.254	c9.core
-10.0.0.254	wiki.c9.core
-10.0.0.254	git.c9.core
-10.0.0.254	doc.c9.core
-10.0.0.254	ports.c9.core
+127.0.0.1       c9.core c9
 
 # IPv4 Internet
 #<ip-address>	<hostname.domain.org>	<aliases>
-10.0.0.254	core.privat-network.net
+10.0.0.1	c9.core.cx
 
 # IPv6
 #::1		ip6-localhost	ip6-loopback
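Review bot: The public name added at L44, `c9.core.cx`, disagrees with the example in core/configure.html in this same commit, which documents `c9.root.cx` for the same 10.0.0.1 address; pick one so that `hostname -f` and the documentation agree. The name sits under the `# IPv4 Internet` heading but 10.0.0.1 is an RFC 1918 address, so whatever the afraid.org record points at, this entry only overrides resolution on the local network — presumably intentional, but a one-line comment such as `# LAN address; the public record for this name is kept at afraid.org` would save the next reader from wondering whether the public IP was meant.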
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4
index 848603c..419962f 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/rules.v4
@@ -48,43 +48,49 @@ COMMIT
 #
 
 # Allow established from dns server
-#-A INPUT -i wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
+#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # INPUT accept passive
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
-# Allow established from http server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
+
+
+# Allow irc
+-A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+# Allow xmmp
+-A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Allow established from https server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow established from http server
+-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from rsync server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from pop3s server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from smtps server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from ntp server
--A INPUT -i wlp7s0 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from whois server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 # Allow established from ftp server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 ##################################################################################
 #	INPUT
 #	New and established connections to local servers
 #
 
 # INPUT accept from wlp7s0 to dns server
--A INPUT -i wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+#-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 
 # INPUT accept from wlp7s0 to https server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 # INPUT accept from wlp7s0 to ssh server
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
--A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT
 
 
 -A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
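Review bot: Dropping `-i wlp7s0` from every INPUT rule means the NEW-state accepts for tcp/443 (L113) and tcp/2222 (L117-L118) now admit connections arriving on any interface, including br0 and the Ethernet interface managed by rc.d/net, so the https listener and the rate-limited sshd are exposed on whichever uplink the host happens to be on; if the aim is to support either the net or the wlan script, keep a match such as `! -i lo` or pass the interface name in from rc.conf rather than removing the match altogether. The DNS reply rule is commented out at L58 and its OUTPUT counterpart is commented out in the next hunk, so the host's own UDP/53 queries will be dropped and logged unless the nameserver is reached over lo or br0 — confirm that is intended, since the resolver section of network.html still describes configuring one. The per-port ESTABLISHED accepts at L64-L101 could be replaced by a single early `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, which covers the same replies and is easier to audit. The comment at L70 should read `# Allow xmpp`.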
@@ -97,35 +103,47 @@ COMMIT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -o br0 -j ACCEPT
 
-# Allow dns
-#-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow to ssh clients 
+-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow to dns
+#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow from dns server
+#-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow irc
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+# Allow xmmp
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
 
 # Allow to rsync server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to pop3s server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to smtps server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to ntp server
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to ftp server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to https server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 # Allow to http server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 
 ##################################################################################
 #	Output
 #	Connections from local servers
 #
 
-# Allow from ssh server
--A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-# Allow from dns server
--A OUTPUT -o wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
+
 
 -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
 COMMIT
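Review bot: The new rule at L180, `-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT`, permits any new outbound TCP connection to any unprivileged port on any interface, and together with the high-port ESTABLISHED accepts added to INPUT in the previous hunk it makes the per-service egress list above it (irc, xmpp, rsync, smtps, …) meaningful only for ports below 1024 — a service on 8080/8443, or a reverse shell on any high port, passes untouched. If a specific high-port service is needed, add it explicitly the way the irc and xmpp rules are written; otherwise drop L180 and keep only the ESTABLISHED and RELATED lines at L178-L179. The `# Allow to ssh clients` rule at L129 is the ESTABLISHED reply path for the local sshd and belongs under the `Connections from local servers` heading at L169-L171, where it was before this change, not among the client-side rules. Note that `-A OUTPUT -o br0 -j ACCEPT` at L124 (context) already bypasses all of this on the bridge.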
diff --git a/core/conf/rc.conf b/core/conf/rc.conf
index a9fffb8..661500c 100644
--- a/core/conf/rc.conf
+++ b/core/conf/rc.conf
@@ -7,6 +7,6 @@ KEYMAP=dvorak
 TIMEZONE="Europe/Lisbon"
 HOSTNAME=c9
 SYSLOG=sysklogd
-SERVICES=(lo net crond)
+SERVICES=(lo iptables wlan crond)
 
 # End of file
diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net
index 53224af..e512dc7 100755
--- a/core/conf/rc.d/net
+++ b/core/conf/rc.d/net
@@ -4,7 +4,8 @@
 #
 
 # Connection type: "DHCP" or "static"
-TYPE="static"
+#TYPE="static"
+TYPE="DHCP"
 
 # For "static" connections, specify your settings here:
 # To see your available devices run "ip link".
@@ -33,8 +34,8 @@ case $1 in
 		else
                         /sbin/ip route del default dev ${DEV}
                         /sbin/ip route flush dev ${DEV}
-			/sbin/ip link set ${DEV} down
-			/sbin/ip addr flush dev ${DEV}
+                        /sbin/ip link set ${DEV} down
+                        /sbin/ip addr flush dev ${DEV}
 		fi
 		;;
 	restart)
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 894a69c..d009c1c 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -2,53 +2,52 @@
 #
 # /etc/rc.d/wlan: start/stop wireless interface
 #
+
 DEV=wlp7s0
 
+
 SSD=/sbin/start-stop-daemon
 PROG_DHCP=/sbin/dhcpcd
 PROG_WIFI=/usr/sbin/wpa_supplicant
-PID_DHCP=/var/run/dhcpcd-${DEV}.pid
+PID_DHCP=/var/run/dhcpcd.pid
 PID_WIFI=/var/run/wpa_supplicant.pid
 
-OPTS_DHCP="-h $(/bin/hostname) -C resolv.conf $DEV"
+OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
 
+
 print_status() {
-	$SSD --status --pidfile $2
-	case $? in
-	0) echo "$1 is running with pid $(cat $2)" ;;
-	1) echo "$1 is not running but the pid file $2 exists" ;;
-	3) echo "$1 is not running" ;;
-	4) echo "Unable to determine the program status" ;;
-	esac
+    $SSD --status --pidfile $2
+    case $? in
+        0) echo "$1 is running with pid $(cat $2)" ;;
+        1) echo "$1 is not running but the pid file $2 exists" ;;
+        3) echo "$1 is not running" ;;
+        4) echo "Unable to determine the program status" ;;
+    esac
 }
 
 case $1 in
-	start)
-		$SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
-		$SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
-		RETVAL=$?
-		;;
-	stop)
-		( $SSD --stop --retry 10 --pidfile $PID_DHCP
-		  $SSD --stop --retry 10 --pidfile $PID_WIFI )
-		RETVAL=$?
-                /sbin/ip route del default dev ${DEV}
-		/sbin/ip route flush dev ${DEV}
-		/sbin/ip link set ${DEV} down
-		/sbin/ip addr flush dev ${DEV}
-		;;
-	restart)
-		$0 stop
-		$0 start
-		;;
-	status)
-		print_status $PROG_WIFI $PID_WIFI
-		print_status $PROG_DHCP $PID_DHCP
-		;;
-	*)
-		echo "Usage: $0 [start|stop|restart|status]"
-		;;
+    start)
+        $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
+            $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
+        RETVAL=$?
+        ;;
+    stop)
+        ( $SSD --stop --retry 10 --pidfile $PID_DHCP
+        $SSD --stop --retry 10 --pidfile $PID_WIFI )
+        RETVAL=$?
+        ;;
+    restart)
+        $0 stop
+        $0 start
+        ;;
+    status)
+        print_status $PROG_WIFI $PID_WIFI
+        print_status $PROG_DHCP $PID_DHCP
+        ;;
+    *)
+        echo "Usage: $0 [start|stop|restart|status]"
+        ;;
 esac
 
 exit $RETVAL
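Review bot: The new `OPTS_DHCP` at L242 drops `-C resolv.conf`, which previously kept dhcpcd from running its resolv.conf hook; without it any DHCP server on a wireless network this host joins can rewrite /etc/resolv.conf with its own nameservers and search domains, sidestepping whatever the resolver section in network.html sets up. If that is not intended, restore it as `OPTS_DHCP="--waitip -h $(/bin/hostname) -C resolv.conf -z $DEV"` (or `--nohook resolv.conf` on newer dhcpcd) and add a comment saying why the hook is disabled. The `stop)` branch at L294-L298 no longer brings the link down or flushes addresses and routes, so teardown now relies on dhcpcd deconfiguring the interface on exit, and `RETVAL` only reflects the wpa_supplicant stop because it is the last command in the subshell — a failed dhcpcd stop is masked. `PID_DHCP=/var/run/dhcpcd.pid` at L238 assumes the single-pidfile layout; some dhcpcd versions write the master pid elsewhere, in which case `--status` would report it as not running — verify against the installed version.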
diff --git a/core/configure.html b/core/configure.html
index 66ed69c..d025de8 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -52,19 +52,17 @@
         </pre>
 
         <p>Edit /etc/hosts to contain your hostname and FQDN,
-        this example also uses core.privat-server.net. If you wish get a
-        subdomain from
-        <a href="http://freedns.afraid.org">afraid.org</a>
-        pointing to your public ip, example of static 192.168.1.9 ip
-        with core.privat-server.net pointing to c9 host;</p>
+        this example uses c9.core and c9.root.cx sub-domain from
+        <a href="http://freedns.afraid.org">afraid.org</a> pointing
+        to 10.0.0.1 ip;</p>
 
         <pre>
         # IPv4
         127.0.0.1	localhost.localdomain localhost
-        127.0.0.1       c9.localdomain c9
+        127.0.0.1       c9.core c9
 
         #&lt;ip-address&gt;	&lt;hostname.domain.org&gt;	&lt;aliases&gt;
-        192.168.1.9	core.privat-network.net c9.core
+        10.0.0.1                c9.root.cx
 
         # IPv6
         #::1		ip6-localhost	ip6-loopback
@@ -77,6 +75,15 @@
         # End of file
         </pre>
 
+        <p>Checkup;</p>
+
+        <pre>
+        $ hostname
+        c9
+        $ hostname -f
+        c9.core
+        </pre>
+
         <h2 id="time">1.2.2. Set timezone</h2>
 
         <p>Setup timezone;</p>
diff --git a/core/network.html b/core/network.html
index e1b590d..c14f3db 100644
--- a/core/network.html
+++ b/core/network.html
@@ -9,23 +9,45 @@
 
         <h1>2. Network</h1>
 
-        <p>Examples describe a network that will be configured with
-        two interfaces Ethernet and Wireless. Ethernet interface will
-        be configured as default route, wireless interface covered here
-        is simple alternative to Ethernet connection.</p>
+        <p>Operation of the network can be handle with init scripts;</p>
 
         <dl>
+            <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt>
+            <dd>Configure iptables, start option loads set of rules from
+            file /etc/iptables/rules_file_name, open option allows everything
+            to outside and blocks everything from outside, stop will block
+            and log everything.</dd>
             <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt>
-            <dd>Configure Ethernet interface and static or dynamic (dhcp)
-            connection to the router and add as default gateway.</dd>
+            <dd>Configure Ethernet interface with static or dynamic (dhcp)
+            IP, set default route and add default gateway.</dd>
             <dt><a href="conf/rc.d/wlan">/etc/rc.d/wlan</a></dt>
-            <dd>Configure Wireless interface, wpa_supplicant and dynamic (dhcp)
+            <dd>Configure Wireless interface, launch wpa_supplicant to handle
+            wireless authenticationand dynamic (dhcp)
             connection to router and add as default gateway.</dd>
         </dl>
 
-        <p>If is first boot after install configure iptables and
-        one of above described scripts then proceed to upgrade your
-        system.</p>
+        <p>Choose wireless or net as connection to outside world and configure
+        <a href="conf/rc.conf">/etc/rc.conf</a> to run at startup, example
+        connecting using wireless interface;</p>
+
+        <pre>
+        #
+        # /etc/rc.conf: system configuration
+        #
+
+        FONT=default
+        KEYMAP=dvorak
+        TIMEZONE="Europe/Lisbon"
+        HOSTNAME=c9
+        SYSLOG=sysklogd
+        SERVICES=(lo iptables wlan crond)
+
+        # End of file
+        </pre>
+
+        <p>If is first boot after install configure iptables and one of above
+        described scripts then proceed to
+        <a href="package.html#sysup">update system.</a></p>
 
         <h2 id="resolv">2.1.1. Resolver</h2>
 
@@ -90,7 +112,7 @@
         # ip route add default via ${GW}
         </pre>
 
-	<h2 id="iptables">2.1.3. Iptables</h2>
+        <h2 id="iptables">2.1.3. Iptables</h2>
 
         <p>For more information about iptables read
         <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.