Diffstat (limited to 'tools')
-rw-r--r-- | tools/conf/etc/dnsmasq.conf | 22 | ||||
-rwxr-xr-x | tools/conf/etc/rc.d/blan | 63 | ||||
-rw-r--r-- | tools/index.html | 38 | ||||
-rw-r--r-- | tools/network.html | 46 | ||||
-rw-r--r-- | tools/qemu.html | 70 | ||||
-rw-r--r-- | tools/scripts/system-iptables.sh (renamed from tools/scripts/iptables.sh) | 48 | ||||
-rw-r--r-- | tools/scripts/system-qemu.sh | 15 |
7 files changed, 229 insertions, 73 deletions
diff --git a/tools/conf/etc/dnsmasq.conf b/tools/conf/etc/dnsmasq.conf index 35d75c8..f09b6a6 100644 --- a/tools/conf/etc/dnsmasq.conf +++ b/tools/conf/etc/dnsmasq.conf @@ -8,6 +8,7 @@ # (53). Setting this to zero completely disables DNS function, # leaving only DHCP and/or TFTP. #port=5353 +port=53 # The following two options make you a better netizen, since they # tell dnsmasq to filter out queries which the public DNS cannot @@ -74,7 +75,7 @@ server=127.0.0.1#40 # Add local-only domains here, queries in these domains are answered # from /etc/hosts or DHCP only. -#local=/localnet/ +local=/core/ # Add domains which you want to force to an IP address here. # The example below send any host in double-click.net to a local @@ -106,16 +107,20 @@ server=127.0.0.1#40 # specified interfaces (and the loopback) give the name of the # interface (eg eth0) here. # Repeat the line for more than one interface. -#interface= +interface=lo +interface=br0 + # Or you can specify which interface _not_ to listen on -#except-interface= +except-interface=wlp7s0 # Or which to listen on by address (remember to include 127.0.0.1 if # you use this.) -#listen-address= +listen-address=127.0.0.1 +#listen-address=10.0.0.1 # If you want dnsmasq to provide only DNS service on an interface, # configure it as shown above, and then use the following line to # disable DHCP and TFTP on it. -#no-dhcp-interface= +no-dhcp-interface=lo +no-dhcp-interface=wlp7s0 # On systems which support it, dnsmasq binds the wildcard address, # even when it is listening on only some interfaces. It then discards @@ -124,7 +129,7 @@ server=127.0.0.1#40 # want dnsmasq to really bind only the interfaces it is listening on, # uncomment this option. About the only time you may need this is when # running another nameserver on the same machine. -#bind-interfaces +bind-interfaces # If you don't want dnsmasq to read /etc/hosts, uncomment the # following line. 
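Review bot: `bind-interfaces` combined with `interface=br0` (hunk `@@ -124,7 +129,7 @@`) means dnsmasq can only start once br0 exists, and br0 is created by the new `/etc/rc.d/blan` script in this same commit, so the boot order of the two rc scripts becomes an undocumented dependency. If that ordering cannot be guaranteed, dnsmasq's `bind-dynamic` is the option meant for interfaces that appear after startup, i.e. `bind-dynamic` in place of `bind-interfaces`, and a comment naming the rc script that must run first would help either way. In the `@@ -106,16 +107,20 @@` hunk, `listen-address=127.0.0.1` duplicates `interface=lo`, and `except-interface=wlp7s0` is redundant once `interface=` whitelists lo and br0; the file would be easier to audit with one mechanism and a one-line comment saying it is the authoritative one.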
@@ -136,7 +141,7 @@ addn-hosts=/etc/hosts.dnsmasq # Set this (and domain: see below) if you want to have a domain # automatically added to simple names in a hosts-file. -#expand-hosts +expand-hosts # Set the domain for dnsmasq. this is optional, but if it is set, it # does the following things.
@@ -145,7 +150,7 @@ addn-hosts=/etc/hosts.dnsmasq # 2) Sets the "domain" DHCP option thereby potentially setting the # domain of all systems configured by DHCP # 3) Provides the domain part for "expand-hosts" -#domain=thekelleys.org.uk +domain=core.privat-network.net # Set a different domain for a particular subnet #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@@ -159,6 +164,7 @@ addn-hosts=/etc/hosts.dnsmasq # repeat this for each network on which you want to supply DHCP # service. #dhcp-range=192.168.0.50,192.168.0.150,12h +dhcp-range=br0,10.0.0.5,10.0.0.50,12h # This is an example of a DHCP range where the netmask is given. This # is needed for networks we reach the dnsmasq DHCP server via a relay
diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan
new file mode 100755
index 0000000..f75d272
--- /dev/null
+++ b/tools/conf/etc/rc.d/blan
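Review bot: `domain=core.privat-network.net` together with the `expand-hosts` enabled in the previous hunk makes local hosts answer as `name.core.privat-network.net`, but the `@@ -74,7 +75,7 @@` hunk only declares `local=/core/`, so a lookup for a name under `core.privat-network.net` that is not in the hosts file is not treated as local and is forwarded to the upstream `server=127.0.0.1#40`, leaking internal hostnames to the resolver chain. The `local=` line should cover the domain actually handed out, `local=/core.privat-network.net/`, kept alongside `local=/core/` if the short suffix is still wanted. A comment on the `domain=` line stating that the two values must agree would prevent the next edit from reintroducing the split.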
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# /etc/rc.d/net: start/stop network interface
+#
+
+DEV="br0"
+PHY="enp8s0"
+
+ADDR=10.0.0.1
+NET=10.0.0.0
+MASK=24
+GTW=10.0.0.1
+NTAPS=$((`/usr/bin/nproc`-1))
+
+case $1 in
+ start)
+ /sbin/ip link add name ${DEV} type bridge
+ /sbin/ip link set dev ${DEV} up
+
+ /bin/sleep 0.2s
+ /sbin/ip route flush dev ${PHY}
+ /sbin/ip addr flush dev ${PHY}
+ /sbin/ip link set dev ${PHY} master ${DEV}
+
+ /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+
+ for i in `/usr/bin/seq $NTAPS`
+ do
+ TAP="tap$i"
+ echo $TAP
+ /sbin/ip tuntap add ${TAP} mode tap group kvm
+ /sbin/ip link set ${TAP} up
+ /bin/sleep 0.2s
+ #brctl addif $switch $1
+ /sbin/ip link set ${TAP} master ${DEV}
+ done
+
+ exit 0
+ ;;
+ stop)
+
+ for i in `/usr/bin/seq $NTAPS`
+ do
+ TAP="tap$i"
+ /sbin/ip link del ${TAP}
+ echo $TAP
+ done
+
+ /sbin/ip link set dev ${DEV} down
+ /sbin/ip route flush dev ${DEV}
+ /sbin/ip link del ${DEV}
+ exit 0
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 [start|stop|restart]"
+ ;;
+esac
+
+# End of file
diff --git a/tools/index.html b/tools/index.html
index bf317e1..407d212 100644
--- a/tools/index.html
+++ b/tools/index.html
@@ -68,12 +68,12 @@ <h2>System Administration</h2> <ul> - <li><a href="network.html">Network</a> + <li><a href="network.html">Network Tools</a> <ul> - <li><a href="dnsmasq.html">1. Dnscrypt and Dnsmasq</a></li> - <li><a href="tcpdump.html">2. Tcpdump</a></li> - <li><a href="wireless.html">Wireless</a></li> + <li><a href="dnsmasq.html">Dnscrypt and Dnsmasq</a></li> + <li><a href="tcpdump.html">Tcpdump</a></li> <li><a href="nmap.html">Nmap</a></li> + <li><a href="wireless.html">Wireless</a></li> </ul> </li> <li><a href="storage.html">Storage</a>
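Review bot: Nothing in the `start` branch checks the exit status of the `ip` calls, and the script has no `set -e`, so when `ip link add name ${DEV} type bridge` fails (for example because br0 already exists from an earlier run) the script still flushes the addresses and routes off `${PHY}` and enslaves it, leaving the host without connectivity; `set -e` after the shebang, or `|| exit 1` on the bridge creation, would stop before the destructive flush. The header comment still says `# /etc/rc.d/net: start/stop network interface` although the file is `/etc/rc.d/blan` and builds a bridge plus `NTAPS` tap devices, and `NET` and `GTW` are assigned but never used. `case $1 in` should be `case "$1" in`, and the tap count derived from `nproc` is worth a comment since the documentation in qemu.html refers to a fixed `tap5` that may not exist on smaller machines.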
@@ -120,29 +120,29 @@ <li> <a href="openssh.html">OpenSSH</a> <ul> - <li><a href="openssh.html#sshd">Server</a></li> - <li><a href="openssh.html#sshdconf">Configure Server</a></li> - <li><a href="openssh.html#ssh">Client</a></li> - <li><a href="openssh.html#reverse">Reverse connection</a></li> + <li><a href="openssh.html#sshd">1. Server</a></li> + <li><a href="openssh.html#sshdconf">2. Configure Server</a></li> + <li><a href="openssh.html#ssh">3. Client</a></li> + <li><a href="openssh.html#reverse">4. Reverse connection</a></li> </ul> </li> <li><a href="gitolite.html">Gitolite</a> <ul> - <li><a href="gitolite.html#install">Install Gitolite</a></li> - <li><a href="gitolite.html#config">Configure Gitolite</a></li> - <li><a href="gitolite.html#admin">Gitolite Administration</a></li> - <li><a href="gitolite.html#hooks">Gitolite Hooks</a></li> + <li><a href="gitolite.html#install">1. Install Gitolite</a></li> + <li><a href="gitolite.html#config">2. Configure Gitolite</a></li> + <li><a href="gitolite.html#admin">3. Gitolite Administration</a></li> + <li><a href="gitolite.html#hooks">4. Gitolite Hooks</a></li> </ul> </li> <li><a href="postgresql.html">Postgresql</a> <ul> - <li><a href="postgresql.html#install">Install Postgresql</a></li> - <li><a href="postgresql.html#config">Configure Server</a></li> - <li><a href="postgresql.html#createuser">Create User</a></li> - <li><a href="postgresql.html#createdb">Create Database</a></li> - <li><a href="postgresql.html#dropdb">Drop Database</a></li> - <li><a href="postgresql.html#dropuser">Drop User</a></li> - <li><a href="postgresql.html#psql">Psql</a></li> + <li><a href="postgresql.html#install">1. Install Postgresql</a></li> + <li><a href="postgresql.html#config">2. Configure Server</a></li> + <li><a href="postgresql.html#createuser">3. Create User</a></li> + <li><a href="postgresql.html#createdb">4. Create Database</a></li> + <li><a href="postgresql.html#dropdb">5. 
Drop Database</a></li> + <li><a href="postgresql.html#dropuser">6. Drop User</a></li> + <li><a href="postgresql.html#psql">7. Psql</a></li> </ul> </li> <li><a href="nginx.html">Nginx</a>
diff --git a/tools/network.html b/tools/network.html
new file mode 100644
index 0000000..5e4a481
--- /dev/null
+++ b/tools/network.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+ <head>
+ <meta charset='utf-8'>
+ <title>Network Tools</title>
+ </head>
+ <body>
+
+ <a href="index.html">Tools Index</a>
+
+ <h1>Network Tools</h1>
+
+ <h2 id="bridge">Bridges</h2>
+
+ <p>See <a href="conf/etc/rc.d/blan">/etc/rc.d/blan</a> on
+ how to create interfaces at startup or as source to do it
+ in automatic way;</p>
+
+ <pre>
+ DEV="br0"
+ PHY="enp8s0"
+ </pre>
+
+ <pre>
+ # ip link add name ${DEV} type bridge
+ # ip link set dev ${DEV} up
+ </pre>
+ <pre>
+ # ip route flush dev ${PHY}
+ # ip addr flush dev ${PHY}
+ # ip link set dev ${PHY} master ${DEV}
+ </pre>
+
+ <pre>
+ # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+ </pre>
+
+ <a href="index.html">Tools Index</a>
+ <p>This is part of the c9 Manual.
+ Copyright (C) 2016
+ c9 team.
+ See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+ for copying conditions.</p>
+
+ </body>
+</html>
diff --git a/tools/qemu.html b/tools/qemu.html
index ce1b66d..8c53ce7 100644
--- a/tools/qemu.html
+++ b/tools/qemu.html
@@ -97,45 +97,53 @@ <dd>The VDE networking backend.</dd> </dl> - - <h3>2.1. Tap interfaces</h3> - <pre> KERNEL=="tun", GROUP="kvm", MODE="0660", OPTIONS+="static_node=net/tun" </pre> - <p>Automatic creation of tap interface with - correct permissions set for user and group, - you can set only user or group;</p> - <pre> - # tunctl -u username -g kvm -t tap0 - </pre> + <h3>2.1. Public Bridge</h3> - <p>Set permissions to existing tap interface;</p> + <p>Create <a href="network.html#bridge">bridge</a>, create new + tap and add it to bridge;</p> <pre> - # tunctl -u username -t tap0 + # DEV="br0" + # TAP="tap5" </pre> - - <p>Manual creation of tap interface;</p> + <pre> + # ip tuntap add ${TAP} mode tap group kvm + # ip link set ${TAP} up + </pre> <pre> - # ip tuntap add name tap0 mode tap - # chmod 0666 /dev/tap0 - # chown root:username /dev/tap0 + # ip link set ${TAP} master ${DEV} </pre> + <p>See <a href="scripts/system-qemu.sh">scripts/system-qemu.sh</a>, + as template. Run virtual machine that uses above tap device;</p> + <pre> - # ip addr add 10.0.2.1/24 dev tap0 - # ip link set dev tap0 up - # ip link show + $ ISO=~/crux-3.2.iso + $ IMG=~/crux-img.qcow2 + + $ qemu-system-x86_64 \ + -enable-kvm \ + -m 1024 \ + -boot d \ + -cdrom ${ISO} \ + -hda ${IMG} \ + -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no </pre> + <h3>2.2. Routing</h3> + + <p>Create interface with correct permissions set for kvm group.</p> + <pre> # sysctl -w net.ipv4.ip_forward=1 - # iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE + # iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE </pre> <h2 id="guest">Guest System</h2> 
@@ -143,22 +151,16 @@ <p>Start qemu with 512 of ram, mydisk.img as disk and boot from iso</p> <pre> - $ qemu-system-x86_64 \ - -enable-kvm \ - -m 512 \ - -boot d -cdrom image.iso \ - -hda mydisk.img - </pre> + $ ISO=~/crux-3.2.iso + $ IMG=~/crux-img.qcow2 - <p>Start qemu with 1024 of ram, network configured using tap0 - interface device no host and boot from crux.qcow2;</p> - - <pre> $ qemu-system-x86_64 \ - -enable-kvm \ - -m 1024 \ - -hda c9/local/crux.qcow2 \ - -net nic,model=virtio -net tap,ifname=tap0,script=no,downscript=no + -enable-kvm \ + -m 1024 \ + -boot d \ + -cdrom ${ISO} \ + -hda ${IMG} \ + -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no </pre> <a href="index.html">Tools Index</a> diff --git a/tools/scripts/iptables.sh b/tools/scripts/system-iptables.sh index 3215633..4ec3b79 100644 --- a/tools/scripts/iptables.sh +++ b/tools/scripts/system-iptables.sh @@ -146,11 +146,17 @@ IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" + PUB_IF="wlp7s0" -DHCP_SERV="192.168.1.254" -#PUB_IP="192.168.1.65" #PRIV_IF="wlp3s0" +BRIDGE="br0" +BNET=10.0.0.0 +BMSK=24 + +DHCP_IP="192.168.1.254" +PUB_IP=$(ip addr show dev ${PUB_IF} | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + modprobe ip_conntrack modprobe ip_conntrack_ftp @@ -175,10 +181,14 @@ iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP + # Unlimited on local $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT +$IPT -A INPUT -i $BRIDGE -j ACCEPT +$IPT -A OUTPUT -o $BRIDGE -j ACCEPT + # Block sync $IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP 
@@ -205,6 +215,17 @@ $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP +##### Add your virtual rules below ###### + +#echo 1 > /proc/sys/net/ipv4/ip_forward +#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} +##$IPT -t nat -A POSTROUTING -s 10.0.2.0/24 -o ${PUB_IF} -j MASQUERADE +#$IPT -A FORWARD -i ${TAP_IF} -o ${PUB_IF} -j ACCEPT +#$IPT -A FORWARD -i ${PUB_IF} -o ${TAP_IF} -j ACCEPT +# +#$IPT -A INPUT -i ${TAP_IF} -j ACCEPT +#$IPT -A OUTPUT -o ${TAP_IF} -j ACCEPT + ##### Add your AP rules below ###### #echo 1 > /proc/sys/net/ipv4/ip_forward @@ -242,10 +263,14 @@ $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP echo "Allow DNS Client" -#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW -j LOG --log-level 7 --log-prefix "iptables: DNS TCP: " +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: " +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT echo "Allow Whois Client" 
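Review bot: The commented "virtual rules" template references `${TAP_IF}` in five places, but no hunk in this commit defines `TAP_IF`; the variables the commit actually introduces are `BRIDGE`, `BNET` and `BMSK`, so anyone uncommenting these lines gets rules with an empty interface, which iptables rejects. The template should use the new names, e.g. `#$IPT -A FORWARD -i ${BRIDGE} -o ${PUB_IF} -j ACCEPT` and `#$IPT -t nat -A POSTROUTING -s ${BNET}/${BMSK} -o ${PUB_IF} -j MASQUERADE`, since the hard-coded `10.0.2.0/24` in the MASQUERADE line no longer matches `BNET=10.0.0.0`. The last two commented INPUT/OUTPUT lines also duplicate the bridge ACCEPT rules added earlier in the file and could be dropped from the template.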
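Review bot: The UDP log line `$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "` carries two `-j` targets, which iptables refuses to load, so that rule is never installed and the script prints an error at this point; the TCP counterpart two lines above has only `-j LOG` and is the form intended. Both LOG rules fire on every NEW DNS flow with no rate limit, so a client issuing many lookups can flood the kernel log; a `-m limit` clause, as the "Block sync" rule earlier in the file already uses, keeps the logging bounded: `$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -m limit --limit 5/m -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "`. Whether the script stops on the failed rule is not visible in this hunk; if it does not, the following ACCEPT still loads and UDP DNS works silently without the intended logging.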
@@ -300,21 +325,20 @@ $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j AC $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT - # echo "Allow FairCoin" # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT # $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT -# +# # echo "Allow Dashcoin" # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT # $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT -# +# # echo "Allow warzone2100" # $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT -# +# # echo "Allow wesnoth" # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT @@ -326,8 +350,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state -- $IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP # DHCP -$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT -$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_SERV -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_IP -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_IP -j ACCEPT # log everything else and drop $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " diff --git a/tools/scripts/system-qemu.sh b/tools/scripts/system-qemu.sh new file mode 100644 index 0000000..8c68e70 --- /dev/null 
+++ b/tools/scripts/system-qemu.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+ISO=~/crux-3.2.iso
+IMG=~/crux-img.qcow2
+
+TAP=$1
+
+echo "TAP: $TAP"
+
+qemu-system-x86_64 \
+ -enable-kvm \
+ -m 1024 \
+ -boot d \
+ -cdrom ${ISO} \
+ -hda ${IMG} \
+ -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no |
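Review bot: `TAP=$1` is used unvalidated in `ifname=${TAP}`, so running the script without an argument passes an empty `ifname` and qemu then tries to allocate its own tap device instead of using one of the pre-created, kvm-group-owned taps from `/etc/rc.d/blan`, which fails or behaves differently depending on the user's privileges. A POSIX guard at the top, `: "${1:?usage: $0 tapN}"`, turns this into a clear error, and `"${ISO}"`, `"${IMG}"` and `"${TAP}"` should be quoted since the paths contain a `~` expansion and may later contain spaces. A short header comment stating that the tap must already exist and be owned by group kvm would document the dependency on the rc script.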