Diffstat (limited to 'tools')
-rw-r--r--tools/conf/etc/dnsmasq.conf22
-rwxr-xr-xtools/conf/etc/rc.d/blan63
-rw-r--r--tools/index.html38
-rw-r--r--tools/network.html46
-rw-r--r--tools/qemu.html70
-rw-r--r--tools/scripts/system-iptables.sh (renamed from tools/scripts/iptables.sh)48
-rw-r--r--tools/scripts/system-qemu.sh15
7 files changed, 229 insertions, 73 deletions
diff --git a/tools/conf/etc/dnsmasq.conf b/tools/conf/etc/dnsmasq.conf
index 35d75c8..f09b6a6 100644
--- a/tools/conf/etc/dnsmasq.conf
+++ b/tools/conf/etc/dnsmasq.conf
@@ -8,6 +8,7 @@
 # (53). Setting this to zero completely disables DNS function,
 # leaving only DHCP and/or TFTP.
 #port=5353
+port=53
 
 # The following two options make you a better netizen, since they
 # tell dnsmasq to filter out queries which the public DNS cannot
@@ -74,7 +75,7 @@ server=127.0.0.1#40
 
 # Add local-only domains here, queries in these domains are answered
 # from /etc/hosts or DHCP only.
-#local=/localnet/
+local=/core/
 
 # Add domains which you want to force to an IP address here.
 # The example below send any host in double-click.net to a local
@@ -106,16 +107,20 @@ server=127.0.0.1#40
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
-#interface=
+interface=lo
+interface=br0
+
 # Or you can specify which interface _not_ to listen on
-#except-interface=
+except-interface=wlp7s0
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
-#listen-address=
+listen-address=127.0.0.1
+#listen-address=10.0.0.1
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
 # disable DHCP and TFTP on it.
-#no-dhcp-interface=
+no-dhcp-interface=lo
+no-dhcp-interface=wlp7s0
 
 # On systems which support it, dnsmasq binds the wildcard address,
 # even when it is listening on only some interfaces. It then discards
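Review bot: `except-interface=wlp7s0` is redundant once `interface=lo` and `interface=br0` are given, because dnsmasq then listens only on the named interfaces plus any `listen-address`, so a reader cannot tell which line is actually doing the restricting; either drop it or annotate it, e.g. `# belt-and-braces: interface= already limits listening to lo/br0`. The same applies to `no-dhcp-interface=wlp7s0`, which is a no-op for an interface that is never listened on. Since the real guard against answering on the wireless side is the combination of `interface=` with `bind-interfaces` (next hunk), a one-line comment above `listen-address=127.0.0.1` saying so would prevent a later "simplification" to a bare `listen-address=10.0.0.1` that widens exposure.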
@@ -124,7 +129,7 @@ server=127.0.0.1#40
 # want dnsmasq to really bind only the interfaces it is listening on,
 # uncomment this option. About the only time you may need this is when
 # running another nameserver on the same machine.
-#bind-interfaces
+bind-interfaces
 
 # If you don't want dnsmasq to read /etc/hosts, uncomment the
 # following line.
@@ -136,7 +141,7 @@ addn-hosts=/etc/hosts.dnsmasq
 
 # Set this (and domain: see below) if you want to have a domain
 # automatically added to simple names in a hosts-file.
-#expand-hosts
+expand-hosts
 
 # Set the domain for dnsmasq. this is optional, but if it is set, it
 # does the following things.
@@ -145,7 +150,7 @@ addn-hosts=/etc/hosts.dnsmasq
 # 2) Sets the "domain" DHCP option thereby potentially setting the
 #    domain of all systems configured by DHCP
 # 3) Provides the domain part for "expand-hosts"
-#domain=thekelleys.org.uk
+domain=core.privat-network.net
 
 # Set a different domain for a particular subnet
 #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@@ -159,6 +164,7 @@ addn-hosts=/etc/hosts.dnsmasq
 # repeat this for each network on which you want to supply DHCP
 # service.
 #dhcp-range=192.168.0.50,192.168.0.150,12h
+dhcp-range=br0,10.0.0.5,10.0.0.50,12h
 
 # This is an example of a DHCP range where the netmask is given. This
 # is needed for networks we reach the dnsmasq DHCP server via a relay
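Review bot: `dhcp-range=br0,10.0.0.5,10.0.0.50,12h` puts an interface name in the first field; as far as I recall the documented grammar for that position is a `tag:`/`set:` label or the start address, and a bare interface name is at best a legacy spelling, so confirm with `dnsmasq --test` against the installed version before relying on this line, since a rejected range means no DHCP on the bridge at all. If the intent is only to serve DHCP on br0, the `interface=`/`no-dhcp-interface=` lines in the earlier hunk already achieve that and the range can be written as `dhcp-range=10.0.0.5,10.0.0.50,12h`.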
diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan
new file mode 100755
index 0000000..f75d272
--- /dev/null
+++ b/tools/conf/etc/rc.d/blan
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# /etc/rc.d/net: start/stop network interface
+#
+
+DEV="br0"
+PHY="enp8s0"
+
+ADDR=10.0.0.1
+NET=10.0.0.0
+MASK=24
+GTW=10.0.0.1
+NTAPS=$((`/usr/bin/nproc`-1))
+
+case $1 in
+	start)
+                /sbin/ip link add name ${DEV} type bridge
+                /sbin/ip link set dev ${DEV} up
+
+                /bin/sleep 0.2s
+                /sbin/ip route flush dev ${PHY}
+                /sbin/ip addr flush dev ${PHY}
+                /sbin/ip link set dev ${PHY} master ${DEV}
+
+                /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+
+                for i in `/usr/bin/seq $NTAPS`
+                do
+                    TAP="tap$i"
+                    echo $TAP
+                    /sbin/ip tuntap add ${TAP} mode tap group kvm
+                    /sbin/ip link set ${TAP} up
+                    /bin/sleep 0.2s
+                    #brctl addif $switch $1
+                    /sbin/ip link set ${TAP} master ${DEV}
+                done
+
+		exit 0
+		;;
+	stop)
+
+                for i in `/usr/bin/seq $NTAPS`
+                do
+                    TAP="tap$i"
+		    /sbin/ip link del ${TAP}
+                    echo $TAP
+                done
+
+       		/sbin/ip link set dev ${DEV} down
+		/sbin/ip route flush dev ${DEV}
+		/sbin/ip link del ${DEV}
+		exit 0
+		;;
+	restart)
+		$0 stop
+		$0 start
+		;;
+	*)
+		echo "Usage: $0 [start|stop|restart]"
+		;;
+esac
+
+# End of file
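Review bot: Nothing in the `start` branch checks that `/sbin/ip link add name ${DEV} type bridge` succeeded before the script goes on to `/sbin/ip route flush dev ${PHY}` and `/sbin/ip addr flush dev ${PHY}`; under `/bin/sh` with no `set -e`, a failed bridge creation (for example a second `start` while br0 already exists) still strips enp8s0 of its routes and addresses, which is a worse state than doing nothing. Adding `set -e` directly after the shebang, or `|| exit 1` on the link-add line, stops the sequence at the first failure. The header comment `# /etc/rc.d/net: start/stop network interface` names a different file and should read `# /etc/rc.d/blan: bring the br0 bridge and tapN devices up/down`. Minor: `NTAPS=$((`/usr/bin/nproc`-1))` is clearer and nests safely as `NTAPS=$(( $(/usr/bin/nproc) - 1 ))`, and `$1`/`$TAP` should be quoted in `case "$1" in` and `echo "$TAP"`.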
diff --git a/tools/index.html b/tools/index.html
index bf317e1..407d212 100644
--- a/tools/index.html
+++ b/tools/index.html
@@ -68,12 +68,12 @@
         <h2>System Administration</h2>
 
         <ul>
-            <li><a href="network.html">Network</a>
+            <li><a href="network.html">Network Tools</a>
                 <ul>
-                    <li><a href="dnsmasq.html">1. Dnscrypt and Dnsmasq</a></li>
-                    <li><a href="tcpdump.html">2. Tcpdump</a></li>
-                    <li><a href="wireless.html">Wireless</a></li>
+                    <li><a href="dnsmasq.html">Dnscrypt and Dnsmasq</a></li>
+                    <li><a href="tcpdump.html">Tcpdump</a></li>
                     <li><a href="nmap.html">Nmap</a></li>
+                    <li><a href="wireless.html">Wireless</a></li>
                 </ul>
             </li>
             <li><a href="storage.html">Storage</a>
@@ -120,29 +120,29 @@
             <li>
                 <a href="openssh.html">OpenSSH</a>
                 <ul>
-                    <li><a href="openssh.html#sshd">Server</a></li>
-                    <li><a href="openssh.html#sshdconf">Configure Server</a></li>
-                    <li><a href="openssh.html#ssh">Client</a></li>
-                    <li><a href="openssh.html#reverse">Reverse connection</a></li>
+                    <li><a href="openssh.html#sshd">1. Server</a></li>
+                    <li><a href="openssh.html#sshdconf">2. Configure Server</a></li>
+                    <li><a href="openssh.html#ssh">3. Client</a></li>
+                    <li><a href="openssh.html#reverse">4. Reverse connection</a></li>
                 </ul>
             </li>
             <li><a href="gitolite.html">Gitolite</a>
                 <ul>
-                    <li><a href="gitolite.html#install">Install Gitolite</a></li>
-                    <li><a href="gitolite.html#config">Configure Gitolite</a></li>
-                    <li><a href="gitolite.html#admin">Gitolite Administration</a></li>
-                    <li><a href="gitolite.html#hooks">Gitolite Hooks</a></li>
+                    <li><a href="gitolite.html#install">1. Install Gitolite</a></li>
+                    <li><a href="gitolite.html#config">2. Configure Gitolite</a></li>
+                    <li><a href="gitolite.html#admin">3. Gitolite Administration</a></li>
+                    <li><a href="gitolite.html#hooks">4. Gitolite Hooks</a></li>
                 </ul>
             </li>
             <li><a href="postgresql.html">Postgresql</a>
                 <ul>
-                    <li><a href="postgresql.html#install">Install Postgresql</a></li>
-                    <li><a href="postgresql.html#config">Configure Server</a></li>
-                    <li><a href="postgresql.html#createuser">Create User</a></li>
-                    <li><a href="postgresql.html#createdb">Create Database</a></li>
-                    <li><a href="postgresql.html#dropdb">Drop Database</a></li>
-                    <li><a href="postgresql.html#dropuser">Drop User</a></li>
-                    <li><a href="postgresql.html#psql">Psql</a></li>
+                    <li><a href="postgresql.html#install">1. Install Postgresql</a></li>
+                    <li><a href="postgresql.html#config">2. Configure Server</a></li>
+                    <li><a href="postgresql.html#createuser">3. Create User</a></li>
+                    <li><a href="postgresql.html#createdb">4. Create Database</a></li>
+                    <li><a href="postgresql.html#dropdb">5. Drop Database</a></li>
+                    <li><a href="postgresql.html#dropuser">6. Drop User</a></li>
+                    <li><a href="postgresql.html#psql">7. Psql</a></li>
                 </ul>
             </li>
             <li><a href="nginx.html">Nginx</a>
diff --git a/tools/network.html b/tools/network.html
new file mode 100644
index 0000000..5e4a481
--- /dev/null
+++ b/tools/network.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>Network Tools</title>
+    </head>
+    <body>
+
+        <a href="index.html">Tools Index</a>
+
+        <h1>Network Tools</h1>
+
+        <h2 id="bridge">Bridges</h2>
+
+        <p>See <a href="conf/etc/rc.d/blan">/etc/rc.d/blan</a> on
+        how to create interfaces at startup or as source to do it
+        in automatic way;</p>
+
+        <pre>
+        DEV="br0"
+        PHY="enp8s0"
+        </pre>
+
+        <pre>
+        # ip link add name ${DEV} type bridge
+        # ip link set dev ${DEV} up
+        </pre>
+        <pre>
+        # ip route flush dev ${PHY}
+        # ip addr flush dev ${PHY}
+        # ip link set dev ${PHY} master ${DEV}
+        </pre>
+
+        <pre>
+        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+        </pre>
+
+        <a href="index.html">Tools Index</a>
+        <p>This is part of the c9 Manual.
+        Copyright (C) 2016
+        c9 team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+
+    </body>
+</html>
diff --git a/tools/qemu.html b/tools/qemu.html
index ce1b66d..8c53ce7 100644
--- a/tools/qemu.html
+++ b/tools/qemu.html
@@ -97,45 +97,53 @@
             <dd>The VDE networking backend.</dd>
         </dl>
 
-
-        <h3>2.1. Tap interfaces</h3>
-
         <pre>
         KERNEL=="tun", GROUP="kvm", MODE="0660", OPTIONS+="static_node=net/tun"
         </pre>
 
-        <p>Automatic creation of tap interface with
-        correct permissions set for user and group,
-        you can set only user or group;</p>
 
-        <pre>
-        # tunctl -u username -g kvm -t tap0
-        </pre>
+        <h3>2.1. Public Bridge</h3>
 
-        <p>Set permissions to existing tap interface;</p>
+        <p>Create <a href="network.html#bridge">bridge</a>, create new
+        tap and add it to bridge;</p>
 
         <pre>
-        # tunctl -u username -t tap0
+        # DEV="br0"
+        # TAP="tap5"
         </pre>
 
-
-        <p>Manual creation of tap interface;</p>
+        <pre>
+        # ip tuntap add ${TAP} mode tap group kvm
+        # ip link set ${TAP} up
+        </pre>
 
         <pre>
-        # ip tuntap add name tap0 mode tap
-        # chmod 0666 /dev/tap0
-        # chown root:username /dev/tap0
+        # ip link set ${TAP} master ${DEV}
         </pre>
 
+        <p>See <a href="scripts/system-qemu.sh">scripts/system-qemu.sh</a>,
+        as template. Run virtual machine that uses above tap device;</p>
+
         <pre>
-        # ip addr add 10.0.2.1/24 dev tap0
-        # ip link set dev tap0 up
-        # ip link show
+        $ ISO=~/crux-3.2.iso
+        $ IMG=~/crux-img.qcow2
+
+        $ qemu-system-x86_64 \
+            -enable-kvm \
+            -m 1024 \
+            -boot d \
+            -cdrom ${ISO} \
+            -hda ${IMG} \
+            -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no
         </pre>
 
+        <h3>2.2. Routing</h3>
+
+        <p>Create interface with correct permissions set for kvm group.</p>
+
         <pre>
         # sysctl -w net.ipv4.ip_forward=1
-        # iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
+        # iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
         </pre>
 
         <h2 id="guest">Guest System</h2>
@@ -143,22 +151,16 @@
         <p>Start qemu with 512 of ram, mydisk.img as disk and boot from iso</p>
 
         <pre>
-        $ qemu-system-x86_64 \
-        -enable-kvm \
-        -m 512 \
-        -boot d -cdrom image.iso \
-        -hda mydisk.img
-        </pre>
+        $ ISO=~/crux-3.2.iso
+        $ IMG=~/crux-img.qcow2
 
-        <p>Start qemu with 1024 of ram, network configured using tap0
-        interface device no host and boot from crux.qcow2;</p>
-
-        <pre>
         $ qemu-system-x86_64 \
-        -enable-kvm \
-        -m 1024 \
-        -hda c9/local/crux.qcow2 \
-        -net nic,model=virtio -net tap,ifname=tap0,script=no,downscript=no
+            -enable-kvm \
+            -m 1024 \
+            -boot d \
+            -cdrom ${ISO} \
+            -hda ${IMG} \
+            -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no
         </pre>
 
         <a href="index.html">Tools Index</a>
diff --git a/tools/scripts/iptables.sh b/tools/scripts/system-iptables.sh
index 3215633..4ec3b79 100644
--- a/tools/scripts/iptables.sh
+++ b/tools/scripts/system-iptables.sh
@@ -146,11 +146,17 @@
 IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
+
 PUB_IF="wlp7s0"
-DHCP_SERV="192.168.1.254"
-#PUB_IP="192.168.1.65"
 #PRIV_IF="wlp3s0"
 
+BRIDGE="br0"
+BNET=10.0.0.0
+BMSK=24
+
+DHCP_IP="192.168.1.254"
+PUB_IP=$(ip addr show dev ${PUB_IF} | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
+
 modprobe ip_conntrack
 modprobe ip_conntrack_ftp
 
@@ -175,10 +181,14 @@ iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
+
 # Unlimited on local
 $IPT -A INPUT -i lo -j ACCEPT
 $IPT -A OUTPUT -o lo -j ACCEPT
 
+$IPT -A INPUT -i $BRIDGE -j ACCEPT
+$IPT -A OUTPUT -o $BRIDGE -j ACCEPT
+
 # Block sync
 $IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
 $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
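Review bot: `$IPT -A INPUT -i $BRIDGE -j ACCEPT` treats br0 exactly like `lo`, opening every host port to anything attached to the bridge, which after the blan change includes the tapN devices usable by any member of group kvm, i.e. the guest VMs. If the host only needs to provide DNS and DHCP to guests, accepting `-i $BRIDGE -p udp --dport 67`, `-p udp --dport 53`, `-p tcp --dport 53` and `-m state --state ESTABLISHED,RELATED` is the tighter form; if full trust is the intent, a comment above the line stating that guests on br0 are trusted like localhost records the decision. Either way `$BRIDGE` should be written `${BRIDGE}` (or quoted) to match the `${PUB_IF}` style used throughout the rest of the file.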
@@ -205,6 +215,17 @@ $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
 
 $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
+##### Add your virtual rules below ######
+
+#echo 1 > /proc/sys/net/ipv4/ip_forward
+#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+##$IPT -t nat -A POSTROUTING -s 10.0.2.0/24 -o ${PUB_IF} -j MASQUERADE
+#$IPT -A FORWARD -i ${TAP_IF} -o ${PUB_IF} -j ACCEPT
+#$IPT -A FORWARD -i ${PUB_IF} -o ${TAP_IF} -j ACCEPT
+#
+#$IPT -A INPUT -i ${TAP_IF} -j ACCEPT
+#$IPT -A OUTPUT -o ${TAP_IF} -j ACCEPT
+
 ##### Add your AP rules below ######
 
 #echo 1 > /proc/sys/net/ipv4/ip_forward
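Review bot: The commented template lines `#$IPT -A FORWARD -i ${TAP_IF} -o ${PUB_IF} -j ACCEPT` and their INPUT/OUTPUT counterparts reference `${TAP_IF}`, which the new variables block in the first hunk does not define (it defines `BRIDGE`, `BNET`, `BMSK`), so anyone uncommenting them as-is gets an empty `-i` argument and an iptables error. Now that the taps are enslaved to br0, `${BRIDGE}` looks like the intended interface, and `-s ${BNET}/${BMSK}` on the MASQUERADE line is presumably what `BNET`/`BMSK` were added for. `TAP_IF` may be defined outside the hunk, so treat this as a point to confirm rather than a certain defect.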
@@ -242,10 +263,14 @@ $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
 echo "Allow DNS Client"
 
-#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW -j LOG --log-level 7 --log-prefix "iptables: DNS TCP: "
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 
 echo "Allow Whois Client"
 
@@ -300,21 +325,20 @@ $IPT -A INPUT  -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j AC
 $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-
 # echo "Allow FairCoin"
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT
 # $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT
-# 
+#
 # echo "Allow Dashcoin"
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT
 # $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT
-# 
+#
 # echo "Allow warzone2100"
 # $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT
-# 
+#
 # echo "Allow wesnoth"
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT
@@ -326,8 +350,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024:  -m state --
 $IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP
 
 # DHCP
-$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_SERV -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_IP -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_IP -j ACCEPT
 
 # log everything else and drop
 $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
diff --git a/tools/scripts/system-qemu.sh b/tools/scripts/system-qemu.sh
new file mode 100644
index 0000000..8c68e70
--- /dev/null
+++ b/tools/scripts/system-qemu.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+ISO=~/crux-3.2.iso
+IMG=~/crux-img.qcow2
+
+TAP=$1
+
+echo "TAP: $TAP"
+
+qemu-system-x86_64 \
+    -enable-kvm \
+    -m 1024 \
+    -boot d \
+    -cdrom ${ISO} \
+    -hda ${IMG} \
+    -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no
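Review bot: `TAP=$1` is used unchecked, so running the script without an argument yields `-net tap,ifname=,script=no,downscript=no`; with an empty ifname qemu will try to allocate a tap device of its own rather than the pre-created kvm-group one, and either fails or ends up on a device that is not enslaved to br0 depending on privileges. `TAP=${1:?usage: $0 <tapN>}` turns the missing argument into a clear error. `${ISO}`, `${IMG}` and `${TAP}` should be double-quoted since paths under `~` may contain spaces, and the file is added as mode 100644 while `rc.d/blan` is 100755, so it cannot be run directly as the qemu.html text suggests without `chmod +x`.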