From 23dbb9f081630e60381bf696ef41a8e5045197ad Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Fri, 20 Jul 2018 18:48:04 +0100 Subject: added script to setup x --- tools/scripts/setup-x.sh | 96 ++++++++++++++++++++++++++++++++++++++++++++++++ tools/x.html | 3 +- 2 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 tools/scripts/setup-x.sh diff --git a/tools/scripts/setup-x.sh b/tools/scripts/setup-x.sh new file mode 100644 index 0000000..262b4dd --- /dev/null +++ b/tools/scripts/setup-x.sh 
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Absolute path to this script, e.g. /home/user/bin/foo.sh
+SCRIPT=$(readlink -f "$0")
+# Absolute path this script is in, thus /home/user/bin
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+DIR=$(dirname "$SCRIPTPATH");
+DIR_CONF=$DIR"/conf"
+
+
+
+prt-get depinst xorg-server \
+ xorg-xinit \
+ xorg-xrdb \
+ xorg-xdpyinfo \
+ xorg-xauth \
+ xorg-xmodmap \
+ xorg-xrandr \
+ xorg-xgamma \
+ xorg-xf86-input-evdev \
+ xorg-xf86-input-synaptics \
+ xsel \
+ xkeyboard-config
+
+prt-get depinst xorg-font-util \
+ xorg-font-alias \
+ xorg-font-dejavu-ttf \
+ xorg-font-cursor-misc \
+ xorg-font-misc-misc \
+ console-font-terminus \
+ xorg-font-terminus \
+ xorg-font-mutt-misc
+
+prt-get search xorg-font-bitstream | xargs sudo prt-get depinst
+prt-get search xorg-font-bh | xargs sudo prt-get depinst
+
+#prt-get search otf- | xargs sudo prt-get depinst
+#prt-get depinst otf-sourcecode
+
+prt-get depinst \
+ alsa-utils \
+ libdrm \
+ mesa3d \
+ ffmpeg \
+ gstreamer \
+ gstreamer-vaapi \
+ gst-plugins-base \
+ gst-plugins-good \
+ gst-plugins-bad \
+ gst-plugins-ugly \
+ cmus \
+ dmenu \
+ st \
+ gparted \
+ gimp \
+ libreoffice \
+ ca-certificates \
+ linux-pam \
+ gstreamer \
+ libgd \
+ icu \
+ syndaemon \
+ firefox
+
+prt-get depinst \
+ openbox \
+ dwm \
+ spectrwm \
+ mate
+
+ConfirmOrExit () {
+ while true
+ do
+ echo -n "Please confirm (y or n) :"
+ read CONFIRM
+ case $CONFIRM in
+ y|Y|YES|yes|Yes) break ;;
+ n|N|no|NO|No)
+ echo "Aborting - you entered $CONFIRM"
+ exit
+ ;;
+ *) echo "Please enter only y or n"
+ esac
+ done
+ echo "You entered $CONFIRM. Continuing ..."
+}
+
+echo "SCRIPT=$SCRIPT";
+echo "SCRIPTPATH=$SCRIPTPATH";
+echo "DIR=$DIR";
+echo "DIR_CONF=$DIR_CONF";
+ConfirmOrExit
+
+cp -R $DIR_CONF/etc/X11/* /etc/X11/
+
diff --git a/tools/x.html b/tools/x.html
index 913f1f0..ac4104b 100644
--- a/tools/x.html
+++ b/tools/x.html
@@ -78,7 +78,8 @@ gstreamer \ libgd \ icu \
- syndaemon
+ syndaemon \
+ firefox
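Review bot: `cp -R $DIR_CONF/etc/X11/* /etc/X11/` at the end of the new script copies into the system X11 configuration with an unquoted, unchecked path and no `set -e`, so a failed `prt-get depinst` earlier on does not stop the overwrite; the script also mixes privilege levels, calling `prt-get depinst` directly but `xargs sudo prt-get depinst` for the font searches. Add `set -eu` under the shebang, quote the copy as `cp -R -- "$DIR_CONF"/etc/X11/* /etc/X11/`, and guard it with `[ -d "$DIR_CONF/etc/X11" ] || exit 1` so a misresolved `$DIR` cannot scatter files. In `ConfirmOrExit`, `read CONFIRM` should be `read -r CONFIRM`, and the `$CONFIRM` expansions in `case` and `echo` should be quoted.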

Window Managers

-- cgit 1.4.1-2-gfad0 From c25612b916735aba72e9efc04b0d3bfe0ad129ab Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Fri, 20 Jul 2018 19:00:00 +0100 Subject: review core bash profile --- core/bash.html | 40 +++++++++++++++++++++++++++++++++++----- core/conf/skel/.profile | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 66 insertions(+), 7 deletions(-) diff --git a/core/bash.html b/core/bash.html index 8e0c95e..be17c71 100644 --- a/core/bash.html +++ b/core/bash.html @@ -37,11 +37,41 @@

Example of ~/.profile;

-        PATH=~/.composer/vendor/bin:${PATH}
-
-        export GPG_AGENT_INFO  # the env file does not contain the export statement
-        export SSH_AUTH_SOCK   # enable gpg-agent for ssh
-        
+ export GPG_AGENT_INFO # the env file does not contain the export statement + export SSH_AUTH_SOCK # enable gpg-agent for ssh + + export GPGKEY=XXXXXXXX + + # ssh-agent to ask only ounce for password + SSH_ENV="$HOME/.ssh/environment" + function start_agent { + echo "Initialising new SSH agent..." + /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}" + echo succeeded + chmod 600 "${SSH_ENV}" + . "${SSH_ENV}" > /dev/null + /usr/bin/ssh-add; + } + + # Source SSH settings, if applicable + if [ -f "${SSH_ENV}" ]; then + . "${SSH_ENV}" > /dev/null + #ps ${SSH_AGENT_PID} doesn't work under cywgin + ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || { + start_agent; + } + else + start_agent; + fi + + # Weston + if test -z "${XDG_RUNTIME_DIR}"; then + export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir + if ! test -d "${XDG_RUNTIME_DIR}"; then + mkdir "${XDG_RUNTIME_DIR}" + chmod 0700 "${XDG_RUNTIME_DIR}" + fi +fi

2.5.2.2. Bash RC

diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile
index 71dd6f8..1c8aa8b 100644
--- a/core/conf/skel/.profile
+++ b/core/conf/skel/.profile
@@ -1,6 +1,35 @@
 export GPG_AGENT_INFO # the env file does not contain the export statement
 export SSH_AUTH_SOCK # enable gpg-agent for ssh
-export GPGKEY=8BF422F7
+export GPGKEY=XXXXXXXX
-#alias prodtmux="ssh srv-remote -t tmux a"
+# ssh-agent to ask only ounce for password
+SSH_ENV="$HOME/.ssh/environment"
+function start_agent {
+ echo "Initialising new SSH agent..."
+ /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+ echo succeeded
+ chmod 600 "${SSH_ENV}"
+ . "${SSH_ENV}" > /dev/null
+ /usr/bin/ssh-add;
+}
+
+# Source SSH settings, if applicable
+if [ -f "${SSH_ENV}" ]; then
+ . "${SSH_ENV}" > /dev/null
+ #ps ${SSH_AGENT_PID} doesn't work under cywgin
+ ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+ start_agent;
+ }
+else
+ start_agent;
+fi
+
+# Weston
+if test -z "${XDG_RUNTIME_DIR}"; then
+ export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+ if ! test -d "${XDG_RUNTIME_DIR}"; then
+ mkdir "${XDG_RUNTIME_DIR}"
+ chmod 0700 "${XDG_RUNTIME_DIR}"
+ fi
+fi
--
cgit 1.4.1-2-gfad0
From c13879eb3fddf35d96311ddeb0a495094198c6dc Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Thu, 2 Aug 2018 17:30:44 +0100
Subject: added mate git ports collection
---
 core/conf/ports/mate.git | 7 +++++++
 core/conf/ports/mate.httpup | 5 -----
 core/conf/ports/mate.httpup.inactive | 5 +++++
 3 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 core/conf/ports/mate.git
 delete mode 100644 core/conf/ports/mate.httpup
 create mode 100644 core/conf/ports/mate.httpup.inactive
diff --git a/core/conf/ports/mate.git b/core/conf/ports/mate.git
new file mode 100644
index 0000000..0c4e057
--- /dev/null
+++ b/core/conf/ports/mate.git
@@ -0,0 +1,7 @@
+# Collection mate
+#
+NAME=mate
+URL=git://c2.ank/mate.git
+BRANCH=develop-c34
+destination=/usr/ports/mate
+PORTS_DIR="/usr/ports"
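Review bot: The Weston block at the end of the `.profile` hunk places `XDG_RUNTIME_DIR` under world-writable `/tmp` with a predictable name and skips `mkdir` whenever the directory already exists, so a directory pre-created there by another local user is accepted without any check of its owner or mode. Create it with the mode in one step and verify ownership when it is already present, e.g. `mkdir -m 0700 "${XDG_RUNTIME_DIR}" 2>/dev/null || [ -O "${XDG_RUNTIME_DIR}" ] || unset XDG_RUNTIME_DIR`, or prefer a runtime directory that the login session already provides. In `start_agent` the environment file is written before `chmod 600`, so it briefly has the umask default mode; writing it as `(umask 077; /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}")` closes that window. The liveness test `ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$` matches any process line that merely contains those digits; `kill -0 "${SSH_AGENT_PID}" 2>/dev/null` is the usual check and needs no `ps` parsing.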
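Review bot: `URL=git://c2.ank/mate.git` in the new collection file fetches the port tree over the plain git protocol, which authenticates neither the host nor the content; the ports in this collection appear to be built and installed with root privileges later in the repository (`sudo pkgmk -uf` in backup-system.sh), so anyone able to interpose on that connection can change what gets built. Prefer `https://` or `ssh://` for `URL` if the host offers either, or pin `BRANCH` to signed tags/commits and verify them before a build. A one-line comment above `URL` stating why an unauthenticated transport is acceptable here, if it is, would also help the next maintainer.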
diff --git a/core/conf/ports/mate.httpup b/core/conf/ports/mate.httpup
deleted file mode 100644
index 93ad84f..0000000
--- a/core/conf/ports/mate.httpup
+++ /dev/null
@@ -1,5 +0,0 @@
-# Collection mate, by jaeger at crux dot ninja
-# File generated by the CRUX portdb https://crux.nu/portdb/
-
-ROOT_DIR=/usr/ports/mate
-URL=https://raw.githubusercontent.com/mhoush/crux-mate/master/
diff --git a/core/conf/ports/mate.httpup.inactive b/core/conf/ports/mate.httpup.inactive
new file mode 100644
index 0000000..93ad84f
--- /dev/null
+++ b/core/conf/ports/mate.httpup.inactive
@@ -0,0 +1,5 @@
+# Collection mate, by jaeger at crux dot ninja
+# File generated by the CRUX portdb https://crux.nu/portdb/
+
+ROOT_DIR=/usr/ports/mate
+URL=https://raw.githubusercontent.com/mhoush/crux-mate/master/
--
cgit 1.4.1-2-gfad0
From 3ebe80fbdcd6bdf1d9d228bd64e18a33b58b11f3 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Wed, 5 Dec 2018 22:44:46 +0000
Subject: core script backup-system revison
---
 core/scripts/backup-system.sh | 331 +++++++++++++++++++-----------------------
 1 file changed, 151 insertions(+), 180 deletions(-)
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh
index 9e1ed2f..ad037ef 100644
--- a/core/scripts/backup-system.sh
+++ b/core/scripts/backup-system.sh
@@ -2,8 +2,9 @@
 ROOT_DIR=
 DEST_DIR=/root/backup
-PORT_PKG="${DEST_DIR}/crux"
-PORT_PRT="${DEST_DIR}/ports"
+DEST_SYS="${DEST_DIR}/system"
+PORT_PKG="${DEST_SYS}/packages"
+PORT_PRT="${DEST_SYS}/ports"
 DATA_CNF="${DEST_DIR}/conf"
 DATA_USR="${DEST_DIR}/user"
 DATA_SRV="${DEST_DIR}/srv"
@@ -20,164 +21,16 @@ ConfirmOrExit () echo "Aborting - you entered $CONFIRM" exit ;; - *) echo "Please enter only y or n" - esac - done - echo "You entered $CONFIRM. Continuing ..." -} - -mkbk_coll_pkg() { - # backup binary packages per collection - col=$1 - # make backup collection directory - mkdir ${PORT_PKG}/${col} - # for each package listed in col_name.pkg - while read line; do - # if binary package don't exist try to build - if [ ! -f /usr/ports/packages/${line} ]; then - echo "Building package: ${line};\n" - name=$(echo ${line} | cut -d "#" -f 1) - $sudo prt-get update -fr ${name} - fi - - # if binary package exist copy to destination - if [ -f /usr/ports/packages/${line} ]; then - echo "Backing up package: ${line}" - echo ${line} >> ${DEST_DIR}/backup.pkg - cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/ - else - echo "Package not found: ${line}" - echo ${line} >> ${DEST_DIR}/${col}-notfound.pkg - fi - done < $DEST_DIR/${col}.pkg -} - -mkbk_coll_ports() { - # backup collection ports - col=$1 - - tar --xattrs -zcpf $PORT_PRT/${col}.tar.gz \ - --directory=$ROOT_DIR/usr/ports/${col} \ - --exclude=.git/ \ -} - -mkbk_metadata() { - - # archive pkgutils data - tar --xattrs -zcpf $DATA_CNF/pkg-db.tar.gz \ - /var/lib/pkg/db - - # must be using gwak instead of sed, xargs and echo - prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${DEST_DIR}/installed.pkg - - # make list and copy installed core packages - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/core" | cut -d " " -f 3 > ${DEST_DIR}/core.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/opt" | cut -d " " -f 3 > $DEST_DIR/opt.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/contrib" | cut -d " " -f 3 > $DEST_DIR/contrib.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/xorg" | cut -d " " -f 3 > $DEST_DIR/xorg.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep -v "yes 
/usr/ports/core" | grep -v "yes /usr/ports/opt" | grep -v "yes /usr/ports/contrib" | grep -v "yes /usr/ports/xorg" | grep "yes " | cut -d " " -f 3 > $DEST_DIR/other.pkg - -} - -mkbk_etc_conf() { - - tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \ - --directory=$ROOT_DIR/etc \ - . - - tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \ - --directory=$ROOT_DIR/usr/etc \ - . -} - -mkbk_srv_www() { - - # backup web data first stop php and nginx - - for pkg_www in ${ROOT_DIR}/srv/www/*; do - if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then - pkg_back="${DATA_SRV}/www" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz" - exc="${pkg_www}/backup_deploy" - tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www} - fi - done -} - -mkbk_srv_pgsql() { - - # backup database data first dump all databases - - pkg_back="${DATA_SRV}/pgsql" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz - - tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \ - ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \ - ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \ - ${ROOT_DIR}/srv/pgsql/data/postgresql.conf -} - -mkbk_srv_gitolite() { - - # backup gitolite repositories - - pkg_back="${DATA_SRV}/gitolite" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - - tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \ - --directory=${ROOT_DIR}/srv/gitolite \ - . 
-} - -mkbk_user_metadata() { - - for dir in /home/*; do - if [ "${dir}" != "/home/lost+found" ]; then - user=$(basename $dir) - tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \ - $dir/.bash_profile \ - $dir/.bashrc \ - $dir/.config \ - $dir/.gitconfig \ - $dir/.gnupg \ - $dir/.irssi \ - $dir/.lynxrc \ - $dir/.mutt \ - $dir/.netrc \ - $dir/.profile \ - $dir/.spectrwm.conf \ - $dir/.ssh \ - $dir/.tmux.conf \ - $dir/.vim \ - $dir/.vimrc \ - $dir/.xinitrc - - # encript data - #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ - # --encrypt --recipient user@host \ - # "${DATA_USR}/meta-${user}.tar.gz" - - tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ - $dir/gitolite-admin - fi - done + *) echo "Please enter only y or n" +esac +done +echo "You entered $CONFIRM. Continuing ..." } print_data () { echo "ROOT_DIR=${ROOT_DIR}" echo "DEST_DIR=${DEST_DIR}" + echo "DEST_SYS=${DEST_SYS}" echo "PORT_PKG=${PORT_PKG}" echo "PORT_PRT=${PORT_PRT}" echo "DATA_CNF=${DATA_CNF}" @@ -205,11 +58,13 @@ while [ "$1" ]; do DEST_DIR=$2 # Destination directory - PORT_PKG="${DEST_DIR}/crux" - PORT_PRT="${DEST_DIR}/ports" - DATA_CNF="${DEST_DIR}/conf" - DATA_USR="${DEST_DIR}/user" - DATA_SRV="${DEST_DIR}/srv" + DEST_SYS="${DEST_DIR}/system" + PORT_PKG="${DEST_SYS}/packages" + PORT_PRT="${DEST_SYS}/ports" + DATA_CNF="${DEST_DIR}/conf" + DATA_USR="${DEST_DIR}/user" + DATA_SRV="${DEST_DIR}/srv" + shift ;; -h|--help) print_help 
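Review bot: The derived paths `DEST_SYS`, `PORT_PKG`, `PORT_PRT`, `DATA_CNF`, `DATA_USR` and `DATA_SRV` are now computed in two places, the defaults at the top of the file and again in this `-d` branch of the option loop, so the two lists have to be kept in step by hand every time one of them changes. Compute them once after the options are parsed, either by moving the derivation below the `while [ "$1" ]` loop or by putting it in a small `set_paths()` that both sites call. `DEST_DIR=$2` should be quoted as `DEST_DIR="$2"`, since a destination containing spaces is otherwise split. The option loop itself begins before this hunk.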
@@ -231,60 +86,176 @@ mkdir -p ${DATA_CNF} mkdir -p ${DATA_USR} mkdir -p ${DATA_SRV} -# Light backup data -mkbk_metadata -mkbk_etc_conf +# Backup system settings +tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \ + --directory=$ROOT_DIR/etc \ + . +tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \ + --directory=$ROOT_DIR/usr/etc \ + . + +# User Meta Data while true do - echo -n "Backup user metadata ? Please confirm (y or n) :" + echo "Backup User Metadata ?" + echo "Please confirm (y or n): " read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_user_metadata + for dir in /home/*; do + if [ "${dir}" != "/home/lost+found" ]; then + user=$(basename $dir) + tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \ + $dir/.bash_profile \ + $dir/.bashrc \ + $dir/.config \ + $dir/.gitconfig \ + $dir/.gnupg \ + $dir/.irssi \ + $dir/.lynxrc \ + $dir/.mutt \ + $dir/.netrc \ + $dir/.profile \ + $dir/.spectrwm.conf \ + $dir/.ssh \ + $dir/.tmux.conf \ + $dir/.vim \ + $dir/.vimrc \ + $dir/.xinitrc + + # encript data + #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ + # --encrypt --recipient user@host \ + # "${DATA_USR}/meta-${user}.tar.gz" + + tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ + $dir/gitolite-admin + fi + done break ;; *) echo "Please enter only y or n" esac done +# Server Data while true do - echo -n "Backup web services data (/srv) ? Please confirm (y or n) :" + echo "Backup Server Data ?" + echo "Please confirm (y or n): " read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_srv_www - mkbk_srv_pgsql - mkbk_srv_gitolite + + # backup web data first stop php and nginx + for pkg_www in ${ROOT_DIR}/srv/www/*; do + if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then + pkg_back="${DATA_SRV}/www" + if [ ! 
-d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz" + exc="${pkg_www}/backup_deploy" + tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www} + fi + done + + # backup database data first dump all databases + pkg_back="${DATA_SRV}/pgsql" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz + + tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \ + ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \ + ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \ + ${ROOT_DIR}/srv/pgsql/data/postgresql.conf + + + # backup gitolite repositories + pkg_back="${DATA_SRV}/gitolite" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + + tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \ + --directory=${ROOT_DIR}/srv/gitolite \ + . + break ;; *) echo "Please enter only y or n" esac done - +# Port System while true do - echo -n "Backup port system ? Please confirm (y or n) :" + echo "Backup Port System ?" + echo "Please confirm (y or n) :" read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_coll_ports "core" - mkbk_coll_pkg "core" - mkbk_coll_ports "opt" - mkbk_coll_pkg "opt" - mkbk_coll_ports "contrib" - mkbk_coll_pkg "contrib" - mkbk_coll_ports "xorg" - mkbk_coll_pkg "xorg" - mkbk_coll_pkg "other" + + # archive pkgutils data + tar --xattrs -zcpf $DEST_SYS/pkg-db.tar.gz \ + /var/lib/pkg/db + + # archive ports data + tar --xattrs -zcpf $DEST_SYS/etc_ports.tar.gz \ + --directory=/etc/ports \ + . 
+ + METADATA=${DEST_SYS}/meta-data + mkdir -p $METADATA + + # must be using gwak instead of sed, xargs and echo + prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${METADATA}/all_installed.pkg + + for filename in /etc/ports/*.git; do + source $filename + + echo "Backing up collection: $NAME" + # create list of installed packages + prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg + + # backup collection ports + tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \ + --directory=$ROOT_DIR/usr/ports/${NAME} \ + --exclude=.git/ \ + . + + # backup collection packages + while read line; do + if [ ! -f /usr/ports/packages/${line} ]; then + echo "Building package: ${line};\n" + PORT_NAME=$(echo ${line} | cut -d "#" -f 1) + sudo prt-get update -fr -if -is ${PORT_NAME} + (cd /usr/ports/${NAME}/${PORT_NAME} \ + && sudo pkgmk -uf) + fi + + if [ -f /usr/ports/packages/${line} ]; then + echo "Backing up package: ${NAME}/${line}" + echo ${line} >> ${METADATA}/backup.pkg + #cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/ + tar rvf ${PORT_PKG}/${NAME}.tar \ + --directory=/usr/ports/packages \ + ${line} + else + echo "Package $PORT_NAME not found: ${line}" + echo ${line} >> ${METADATA}/${NAME}-notfound.pkg + fi + done < ${METADATA}/${NAME}-installed.pkg + done break ;; *) echo "Please enter only y or n" -- cgit 1.4.1-2-gfad0 From 480cf4044595b0ebe3f56a7eea1541a274fbbf48 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 8 Dec 2018 02:00:25 +0000 Subject: core scripts revision --- core/scripts/install-core.sh | 5 ++-- core/scripts/setup-iso.sh | 4 +++- core/scripts/setup-virtual.sh | 56 ++++++++++++++++++++++--------------------- 3 files changed, 35 insertions(+), 30 deletions(-) diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh index d4d6983..d889c8b 100644 --- a/core/scripts/install-core.sh +++ b/core/scripts/install-core.sh 
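Review bot: In the package loop at the end of the hunk, `sudo prt-get update -fr -if -is ${PORT_NAME}` and `sudo pkgmk -uf` run inside `while read line; do … done < ${METADATA}/${NAME}-installed.pkg`, so if any of them reads from stdin it consumes the rest of the package list and the loop ends early with no error; give them `</dev/null`, or read the list on a separate descriptor with `while read -r -u 3 line; … done 3< "${METADATA}/${NAME}-installed.pkg"`. `tar rvf ${PORT_PKG}/${NAME}.tar` appends, so a second run against the same `DEST_DIR` grows the archive with duplicate members, and `PORT_NAME` is only assigned on the build path, so the `"Package $PORT_NAME not found"` message can name the previous iteration's package; remove the archive before the loop and derive `PORT_NAME` before the first `if`. The user-metadata branch still archives `.ssh`, `.gnupg` and `.netrc` into `${DATA_USR}` with the gpg step commented out, so those archives get the process umask; a `umask 077` near the top of the script keeps every backup file owner-only. The surrounding `while true … esac done` loop and `ConfirmOrExit` lie outside this hunk.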
@@ -55,7 +55,8 @@ install_core() { while read line; do pkg=${PORT_PKG}/core/${line} echo "Installing ${pkg};\n" - ${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg} + #${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg} + pkgadd -f -r ${CHROOT} ${pkg} done < ${CORE_LS} rm ${CHROOT}/pkgadd @@ -67,7 +68,7 @@ install_core() { install_packages() { echo "Installing $CHROOT/media/crux/opt/fakeroot" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/fakeroot#* + $CHROOT/usr/bin/pkgadd -f -r $CHROOT ${CHROOT}/media/crux/opt/fakeroot#* echo "Installing $CHROOT/media/crux/opt/dbus" $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/dbus#* echo "Installing $CHROOT/media/crux/opt/expat" diff --git a/core/scripts/setup-iso.sh b/core/scripts/setup-iso.sh index ddad787..ebcd043 100644 --- a/core/scripts/setup-iso.sh +++ b/core/scripts/setup-iso.sh @@ -2,6 +2,7 @@ # location of iso and md5 file ISO_DIR="/usr/ports/iso" +MOUNT_POINT="/mnt/media" ISO_FILE="${ISO_DIR}/crux-3.4.iso" MD5_FILE="${ISO_DIR}/crux-3.4.md5" @@ -70,7 +71,7 @@ mount_iso() { modprobe isofs modprobe loop - mount -o loop $ISO_FILE /media + mount -o loop $ISO_FILE $MOUNT_POINT } print_data() { @@ -80,6 +81,7 @@ print_data() { echo "md5 file: ${MD5_FILE}" echo "iso url: ${ISO_URL}" echo "md5 url: ${MD5_URL}" + echo "mount point: ${MOUNT_POINT}" } print_help() { diff --git a/core/scripts/setup-virtual.sh b/core/scripts/setup-virtual.sh index 2b27a9f..3583bb6 100644 --- a/core/scripts/setup-virtual.sh +++ b/core/scripts/setup-virtual.sh 
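Review bot: The replaced invocation is kept as a comment, `#${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg}`, directly above the new `pkgadd -f -r ${CHROOT} ${pkg}`; delete it rather than leave it, since the history already holds it and a stale copy of a privileged command invites being uncommented by mistake. With the host `pkgadd` now in use, the `rm ${CHROOT}/pkgadd` two lines later and whatever copied that binary into the chroot earlier look like leftovers that presumably can go too, though that code is outside the hunk. `${pkg}` and `${CHROOT}` should be quoted on the new line. The body of `install_core` continues beyond this hunk.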
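Review bot: `mount -o loop $ISO_FILE $MOUNT_POINT` in `mount_iso` now targets `/mnt/media`, but nothing in the hunk creates or checks that directory, so the mount fails on a fresh host where only `/media` existed before. Add `mkdir -p "$MOUNT_POINT"` before the mount and quote both expansions, `mount -o loop "$ISO_FILE" "$MOUNT_POINT"`; a `mount … || exit 1` would also stop the callers that presumably copy from the mount point afterwards. `mount_iso` starts before this hunk.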
@@ -20,45 +20,51 @@ ConfirmOrExit () } DEV_NAME=${1} +IMG=${2}.qcow2 +SIZE=${3} CHROOT="/mnt" DEV="/dev/${DEV_NAME}" +echo "/srv/qemu/img/${IMG}" +echo "${SIZE}" echo "DEV_NAME=${DEV_NAME}" echo "DEV=${DEV}" echo "CHROOT=${CHROOT}" ConfirmOrExit +#qemu-img create -f qcow2 example.qcow2 20G +qemu-img create -f qcow2 /srv/qemu/img/${IMG} ${SIZE} +qemu-nbd -c ${DEV} /srv/qemu/img/${IMG} + parted --script ${DEV} \ - mklabel gpt \ - unit mib \ - mkpart primary 1 3 \ - set 1 bios_grub on \ - name 1 grub \ - mkpart ESP fat32 3 59 \ - set 2 boot on \ - name 2 efi \ - mkpart primary ext4 103 200 \ - name 3 boot \ - mkpart primary linux-swap 200 456 \ - name 4 swap \ - mkpart primary ext4 456 3700 \ - name 5 root \ - mkpart primary ext4 3700 4000 \ - name 6 var \ - mkpart primary ext4 4000 100% \ - name 7 home + mklabel gpt \ + unit mib \ + mkpart primary 2 4 \ + name 1 grub \ + mkpart ESP fat32 4 128 \ + name 2 efi \ + mkpart primary ext4 128 1128 \ + name 3 boot \ + mkpart primary ext4 1128 12128 \ + name 4 root \ + mkpart primary ext4 12128 14128 \ + name 5 var \ + mkpart primary ext4 14128 100% \ + name 6 lvm \ + set 1 bios_grub on \ + set 2 boot on \ + set 6 lvm on kpartx -a -s -l -u ${DEV} mkfs.fat -F 32 /dev/mapper/${DEV_NAME}p2 mkfs.ext4 /dev/mapper/${DEV_NAME}p3 -mkswap /dev/mapper/${DEV_NAME}p4 +mkfs.ext4 /dev/mapper/${DEV_NAME}p4 mkfs.ext4 /dev/mapper/${DEV_NAME}p5 -mkfs.ext4 /dev/mapper/${DEV_NAME}p6 -mkfs.ext4 /dev/mapper/${DEV_NAME}p7 +pvcreate /dev/mapper/${DEV_NAME}p6 -mount /dev/mapper/${DEV_NAME}p5 $CHROOT +mount /dev/mapper/${DEV_NAME}p4 $CHROOT mkdir -p $CHROOT/proc mkdir -p $CHROOT/sys mkdir -p $CHROOT/dev @@ -69,8 +75,4 @@ mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot mkdir -p $CHROOT/boot/efi mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi mkdir -p $CHROOT/var -mount /dev/mapper/${DEV_NAME}p6 $CHROOT/var -mkdir -p $CHROOT/home -mount /dev/mapper/${DEV_NAME}p7 $CHROOT/home - - +mount /dev/mapper/${DEV_NAME}p5 $CHROOT/var -- cgit 1.4.1-2-gfad0 
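Review bot: `IMG=${2}.qcow2` and `SIZE=${3}` are used without checking that the arguments were supplied, so running the script with only the device name proceeds to `qemu-img create -f qcow2 /srv/qemu/img/.qcow2` with an empty size and then repartitions `${DEV}`; `qemu-img create` will also happily overwrite an existing image of that name. Add after the assignments `[ $# -eq 3 ] || { echo "usage: $0 dev image size" >&2; exit 1; }` and `[ -e "/srv/qemu/img/${IMG}" ] && { echo "image exists" >&2; exit 1; }`, and label the two new `echo` lines (`IMG=…`, `SIZE=…`) so the confirmation prompt shows what is about to be created. The new partition layout drops the swap partition in favour of an `lvm` one, which is presumably intentional but is not mentioned in the commit message. `ConfirmOrExit` begins before this hunk.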
From 853f79956f3a1bf67aef41d27103c50225dc9bd9 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 8 Dec 2018 02:01:16 +0000 Subject: tools qemu partitions revision --- tools/qemu.html | 78 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/tools/qemu.html b/tools/qemu.html index a6621a1..ede94ed 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -43,7 +43,7 @@ this describes how to create a qcow2 type;

-        $ qemu-img create -f qcow2 crux-img.qcow2 2000M
+        $ qemu-img create -f qcow2 crux-img.qcow2 15G
         

2.1. Mount images

@@ -63,25 +63,24 @@ to use parted to create a gpt system table;

-        parted --script ${DEV} \
-                mklabel gpt \
-                unit mib \
-                mkpart primary 2 4 \
-                set 1 bios_grub on \
-                name 1 grub \
-                mkpart ESP fat32 4 59 \
-                set 2 boot on \
-                name 2 efi \
-                mkpart primary ext4 103 200 \
-                name 3 boot \
-                mkpart primary linux-swap 200 456 \
-                name 4 swap \
-                mkpart primary ext4 456 3700 \
-                name 5 root \
-                mkpart primary ext4 3700 4000 \
-                name 6 var \
-                mkpart primary ext4 4000 100% \
-                name 7 home
+	parted --script ${DEV} \
+	     mklabel gpt \
+	     unit mib \
+	     mkpart primary 2 4 \
+	     name 1 grub \
+	     mkpart ESP fat32 4 128 \
+	     name 2 efi \
+	     mkpart primary ext4 128 1128 \
+	     name 3 boot \
+	     mkpart primary ext4 1128 12128 \
+	     name 4 root \
+	     mkpart primary ext4 12128 14128 \
+	     name 5 var \
+	     mkpart primary ext4 14128 100% \
+	     name 6 lvm \
+	     set 1 bios_grub on \
+	     set 2 boot on \
+	     set 6 lvm on
         
@@ -91,30 +90,31 @@
         

Use /dev/mapper/$(name_of_device) to assign correct blocks;

-        mkfs.fat -F 32  /dev/mapper/${DEV_NAME}p2
-        mkfs.ext4       /dev/mapper/${DEV_NAME}p3
-        mkswap          /dev/mapper/${DEV_NAME}p4
-        mkfs.ext4       /dev/mapper/${DEV_NAME}p5
-        mkfs.ext4       /dev/mapper/${DEV_NAME}p6
-        mkfs.ext4       /dev/mapper/${DEV_NAME}p7
+	mkfs.fat -F 32  /dev/mapper/${DEV_NAME}p2
+	mkfs.ext4       /dev/mapper/${DEV_NAME}p3
+	mkfs.ext4       /dev/mapper/${DEV_NAME}p4
+	mkfs.ext4       /dev/mapper/${DEV_NAME}p5
+	pvcreate        /dev/mapper/${DEV_NAME}p6
         
+

Read lvm documentation on how to setup + virtual group and logic volumes.

+

Mount partition;

-        mount /dev/mapper/${DEV_NAME}p5 $CHROOT
-        mkdir -p $CHROOT/proc
-        mkdir -p $CHROOT/sys
-        mkdir -p $CHROOT/dev
-
-        mkdir -p $CHROOT/boot
-        mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot
-        mkdir -p $CHROOT/boot/efi
-        mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi
-        mkdir -p $CHROOT/var
-        mount /dev/mapper/${DEV_NAME}p6 $CHROOT/var
-        mkdir -p $CHROOT/home
-        mount /dev/mapper/${DEV_NAME}p7 $CHROOT/home
+	mount /dev/mapper/${DEV_NAME}p4 $CHROOT
+	mkdir -p $CHROOT/proc
+	mkdir -p $CHROOT/sys
+	mkdir -p $CHROOT/dev
+	mkdir -p $CHROOT/media
+
+	mkdir -p $CHROOT/boot
+	mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot
+	mkdir -p $CHROOT/boot/efi
+	mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi
+	mkdir -p $CHROOT/var
+	mount /dev/mapper/${DEV_NAME}p5 $CHROOT/var
         

Before disconnecting image, clean dev mappings;

-- cgit 1.4.1-2-gfad0 From b6b79e6d960febc3f266735e4a2f807d776b5830 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 8 Dec 2018 02:08:20 +0000 Subject: iptables revision --- core/conf/iptables/br-lan.v4 | 136 ------------ core/conf/iptables/ipt-bridge.sh | 158 ++++++++++++++ core/conf/iptables/ipt-conf.sh | 20 ++ core/conf/iptables/ipt-firewall.sh | 258 +++++++++++++++++++++++ core/conf/iptables/ipt-server.sh | 37 ++++ core/conf/iptables/net.v4 | 111 ---------- core/conf/rc.d/iptables | 117 ++++------- core/scripts/iptables-conf.sh | 21 -- core/scripts/iptables.sh | 420 ------------------------------------- 9 files changed, 508 insertions(+), 770 deletions(-) delete mode 100644 core/conf/iptables/br-lan.v4 create mode 100644 core/conf/iptables/ipt-bridge.sh create mode 100644 core/conf/iptables/ipt-conf.sh create mode 100644 core/conf/iptables/ipt-firewall.sh create mode 100644 core/conf/iptables/ipt-server.sh delete mode 100644 core/conf/iptables/net.v4 delete mode 100644 core/scripts/iptables-conf.sh delete mode 100644 core/scripts/iptables.sh diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4 deleted file mode 100644 index 61da499..0000000 --- a/core/conf/iptables/br-lan.v4 +++ /dev/null 
@@ -1,136 +0,0 @@ -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:blocker - [0:0] -:client_in - [0:0] -:client_out - [0:0] -:netconf_in - [0:0] -:netconf_out - [0:0] -:server_in - [0:0] -:server_out - [0:0] --A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT --A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT --A INPUT -j blocker --A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in --A INPUT -d 10.0.0.0/8 -i br0 -j client_in --A INPUT -i br0 -j netconf_in --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j blocker --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 --A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT --A OUTPUT -j blocker --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j 
server_out --A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out --A OUTPUT -o br0 -j netconf_out --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 --A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7 --A blocker -s 8.8.0.0/24 -j DROP --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A blocker -f -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP --A blocker -j RETURN --A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp 
-m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -j RETURN --A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state 
NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -j RETURN --A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT --A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7 --A netconf_in -p icmp -j ACCEPT --A netconf_in -j RETURN --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7 --A netconf_out -p icmp -j ACCEPT --A netconf_out -j RETURN --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -j RETURN --A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 443 --dport 
1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -j RETURN -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh new file mode 100644 index 0000000..6f70e7c --- /dev/null +++ b/core/conf/iptables/ipt-bridge.sh 
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+echo "setting bridge ${BR_IF} network..."
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### NAT Prerouting Chain ######
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
+####### Forward Chain ######
+$IPT -A FORWARD -j blocker
+$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+# Allow access from bridge to gateway wifi interface
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#
+# Tap1
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
+#
+#
+## Tap3
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
+#
+#
+######## Forward TAP2 ssh, http and https ######
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+# Tap1, Tap2 and Tap3 can access external https
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
+
+#
+# #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+#
+# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
+# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+
+#
+#Less noise
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+#Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+
+$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
+
+$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+#Less noise
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+
+
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
+
+####### PostRouting Chain ######
+#Less noise
+#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+
+$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+
+#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
new file mode 100644
index 0000000..3874cee
--- /dev/null
+++ b/core/conf/iptables/ipt-conf.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+TYPE=bridge
+#TYPE=server
+
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+
+# public interface to network/internet
+BR_IF="br0"
+BR_NET="10.0.0.0/8"
+GW="10.0.0.1"
+#DNS="10.0.0.254"
+DNS="212.55.154.174"
+
+PUB_IP="10.0.0.254"
+PUB_IF="enp8s0"
+
+# private interface for virtual/internal
+WIFI_IF="wlp7s0"
+WIFI_NET="192.168.1.0/24"
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
new file mode 100644
index 0000000..4697de0
--- /dev/null
+++ b/core/conf/iptables/ipt-firewall.sh
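Review bot: The DNAT rule under `####### NAT Prerouting Chain ######` redirects port 443 arriving on ${WIFI_IF} to a hard-coded `10.0.0.4:443`, while every other address this file uses comes from ipt-conf.sh; moving that target there (e.g. `HTTPS_DNAT_TO="10.0.0.4:443"` and `-j DNAT --to ${HTTPS_DNAT_TO}`) keeps the one host exposed through NAT in the same reviewable place as the rest. Two later rules look unreachable as ordered: the "Less noise" `--dport 519 --sport 520 -j DROP` comes after `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT`, so intra-bridge traffic is accepted before it can be dropped (and 519 may be a typo for 520, the RIP port ipt-firewall.sh uses), and `$IPT -A INPUT -i ${BR_IF} -j srv_dhcp` makes the following `-s ${GW} -d ${PUB_IP} -j srv_dhcp` rule redundant. The interface and address expansions are unquoted throughout, so an unset variable collapses to nothing and the rule is either rejected by iptables or added without that match, with the script carrying on either way; quoting them, or failing closed with `: "${BR_IF:?}" "${WIFI_IF:?}" "${PUB_IP:?}"` near the top, would surface a missing ipt-conf.sh value instead.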
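Review bot: The two section comments in ipt-conf.sh appear inverted relative to how ipt-bridge.sh uses these variables: `# public interface to network/internet` heads BR_IF/BR_NET (10.0.0.0/8) and `# private interface for virtual/internal` heads WIFI_IF, yet the bridge rules MASQUERADE out of ${WIFI_IF} and DNAT traffic arriving on it, which reads as the uplink. If that reading is right, rewording them to `# bridge side (internal VMs/taps)` and `# wifi side (uplink to the internet)` would stop the next reader from wiring a rule backwards. TYPE is only ever `bridge` or `server` and nothing says so; a comment such as `# TYPE selects the rule set /etc/rc.d/iptables loads: bridge | server` would help, since the rc.d case statement has no default arm to catch anything else.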
@@ -0,0 +1,258 @@
+#!/bin/bash
+
+IPT="/usr/sbin/iptables"
+
+ipt_clear () {
+ echo "clear all iptables tables"
+
+ iptables -F
+ iptables -X
+ iptables -t nat -F
+ iptables -t nat -X
+ iptables -t mangle -F
+ iptables -t mangle -X
+ iptables -t raw -F
+ iptables -t raw -X
+ iptables -t security -F
+ iptables -t security -X
+ iptables -N blocker
+
+ iptables -N srv_dhcp
+ iptables -N srv_rip
+ iptables -N srv_icmp
+ iptables -N srv_dns_in
+ iptables -N srv_dns_out
+ iptables -N srv_http_in
+ iptables -N srv_http_out
+ iptables -N srv_https_in
+ iptables -N srv_https_out
+ iptables -N srv_ssh_in
+ iptables -N srv_ssh_out
+ iptables -N srv_git_in
+ iptables -N srv_git_out
+ iptables -N srv_db_in
+ iptables -N srv_db_out
+
+
+ iptables -N cli_dns_in
+ iptables -N cli_dns_out
+ iptables -N cli_http_in
+ iptables -N cli_http_out
+ iptables -N cli_https_in
+ iptables -N cli_https_out
+ iptables -N cli_ssh_in
+ iptables -N cli_ssh_out
+ iptables -N cli_pops_in
+ iptables -N cli_pops_out
+ iptables -N cli_smtps_in
+ iptables -N cli_smtps_out
+ iptables -N cli_irc_in
+ iptables -N cli_irc_out
+ iptables -N cli_ftp_in
+ iptables -N cli_ftp_out
+ iptables -N cli_git_in
+ iptables -N cli_git_out
+ iptables -N cli_gpg_in
+ iptables -N cli_gpg_out
+
+ # Set Default Rules
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT DROP
+}
+
+ipt_log () {
+ ## log everything else and drop
+ $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+ $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+ $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+}
+
+
+ipt_tables () {
+ echo "start adding tables..."
+
+ ####### blocker Chain ######
+ ## Block google dns
+ #$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
+ #$IPT -A blocker -s 8.8.0.0/24 -j DROP
+ ## Block sync
+ $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+ $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
+ ## Block Fragments
+ $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+ $IPT -A blocker -f -j DROP
+ $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+ $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+ $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+ $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+ $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+ $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+ $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+ $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+ $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+ $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+ ## Return to caller
+ $IPT -A blocker -j RETURN
+
+ ######## DNS Server
+ #echo "server_in chain: Allow input to DNS Server"
+ $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_in -j RETURN
+ #echo "srv_dns_out chain: Allow output from DNS server"
+ $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_out -j RETURN
+
+ ####### Database Server
+ $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_db_in -j RETURN
+ $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_db_out -j RETURN
+
+ ####### SSH Server
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \
+ --hitcount 4 --rttl --name SSH -j DROP
+
+ $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
+ --hitcount 4 --rttl --name SSH -j DROP
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_ssh_in -j RETURN
+
+ $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_ssh_out -j RETURN
+
+ ####### HTTP Server
+ $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_http_in -j RETURN
+ $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_http_out -j RETURN
+
+ ####### HTTPS Server
+ $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_https_in -j RETURN
+ $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_https_out -j RETURN
+
+ ###### GIT server
+ $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_git_in -j RETURN
+ $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_git_out -j RETURN
+
+ ######## DNS Client
+ $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+ $IPT -A cli_dns_out -j RETURN
+ $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -j ACCEPT
+ $IPT -A cli_dns_in -j RETURN
+
+ ######## HTTP Client
+ #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP
+ $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_in -j RETURN
+ $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_out -j RETURN
+
+ ######## IRC client
+ $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_irc_in -j RETURN
+ $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_irc_out -j RETURN
+
+ ######## FTP client
+ $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_in -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPT -A cli_ftp_in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_in -j RETURN
+ $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPT -A cli_ftp_out -j RETURN
+
+ ######## GIT client
+ $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_git_in -j RETURN
+ $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_git_out -j RETURN
+
+ ######## POP3S client
+ $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_pops_in -j RETURN
+ $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_pops_out -j RETURN
+
+ ######## SMTPS client
+ $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_smtps_in -j RETURN
+ $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_smtps_out -j RETURN
+
+ ######## HTTPS client
+ $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_in -j RETURN
+ $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_out -j RETURN
+
+ ######## SSH client
+ $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_in -j RETURN
+ $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_out -j RETURN
+
+ ######## GPG key client
+ $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_gpg_in -j RETURN
+ $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_gpg_out -j RETURN
+
+ ######## DHCP Server
+ $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT
+ $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT
+ $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT
+ $IPT -A srv_dhcp -j RETURN
+
+ ####### RIP Server
+ $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT
+ $IPT -A srv_rip -j RETURN
+
+ ####### ICMP Server
+ $IPT -A srv_icmp -p icmp -j ACCEPT
+ $IPT -A srv_icmp -j RETURN
+}
+
+
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
new file mode 100644
index 0000000..225fd31
--- /dev/null
+++ b/core/conf/iptables/ipt-server.sh
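Review bot: The brute-force limiter in the `####### SSH Server` section of ipt_tables cannot fire: the first rule for each port, `... -m state --state NEW -m recent --set --name SSH -j ACCEPT`, accepts every new connection outright, so the `--update --seconds 60 --hitcount 4` LOG and DROP rules below it are reached only by packets of sessions already accepted; as far as I read the recent match, once a source has opened four connections within 60 s it is those established sessions that get dropped while its new attempts keep being accepted. The usual shape is `--set` with no target, then DROP new connections over the hitcount, then ACCEPT new ones; the port 2222 rules rewritten that way are below, and the port 22 block should mirror them. Separately, ipt_clear flushes every table and deletes the chains before it sets the DROP policies at its end, so on a fresh boot a reload briefly runs with the filter table's default ACCEPT policies and no rules; issuing the three `iptables -P ... DROP` lines first closes that window. ipt_clear also calls bare `iptables` while ipt_log and ipt_tables use `$IPT`; using `$IPT` throughout avoids a PATH lookup in an rc script.
```shell
    ####### SSH Server
    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH
    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent \
        --rcheck --seconds 60 --hitcount 4 --rttl --name SSH \
        -j LOG --log-prefix "${SPAMDROPMSG} SSH"
    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent \
        --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    # … the --dport 22 rules mirror the four above, then srv_ssh_in -j RETURN unchanged …
```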
@@ -0,0 +1,37 @@
+echo "setting server network..."
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+#$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
diff --git a/core/conf/iptables/net.v4 b/core/conf/iptables/net.v4
deleted file mode 100644
index 568455a..0000000
--- a/core/conf/iptables/net.v4
+++ /dev/null
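Review bot: In the `####### Input Chain ######` section the `-s ${BR_NET}` rules for srv_https_in, srv_ssh_in and srv_git_in are shadowed by the unrestricted `$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in` / `srv_ssh_in` / `srv_git_in` rules a few lines later, so the source restriction never matters and those services answer any source on ${PUB_IF}; keep the restricted lines and drop the unrestricted ones if the intent is to limit them to ${BR_NET}, or drop the restricted lines if the exposure is intended. The Output chain repeats the pattern, with `-d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out` and `srv_git_out` duplicated without `-s` at the end. The file has no shebang and relies on `$IPT`, `${PUB_IF}`, `${PUB_IP}`, `${DNS}` and `${BR_NET}` being set by whatever sources it first, which nothing states; a first-line comment such as `# sourced by /etc/rc.d/iptables after ipt-conf.sh and ipt-firewall.sh; not executable on its own` would make that explicit.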
@@ -1,111 +0,0 @@ -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*security -:INPUT ACCEPT [4559:2307887] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [4459:962215] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*raw -:PREROUTING ACCEPT [18446:3412851] -:OUTPUT ACCEPT [4467:962535] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*nat -:PREROUTING ACCEPT [13936:1107904] -:INPUT ACCEPT [49:2940] -:OUTPUT ACCEPT [504:40037] -:POSTROUTING ACCEPT [504:40037] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:ACCEPTLOG - [0:0] -:DROPLOG - [0:0] -:REJECTLOG - [0:0] -:RELATED_ICMP - [0:0] -:SYN_FLOOD - [0:0] --A INPUT -i lo -j ACCEPT --A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT --A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" --A INPUT -p icmp -j DROP --A INPUT -p icmp -f -j DROPLOG --A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP --A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A INPUT -p icmp -j DROPLOG --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT --A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP --A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP --A INPUT -m state --state INVALID -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags 
FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG --A INPUT -f -j DROPLOG --A INPUT -j DROPLOG --A FORWARD -p icmp -f -j DROPLOG --A FORWARD -p icmp -j DROPLOG --A FORWARD -m state --state INVALID -j DROP --A FORWARD -j REJECTLOG --A OUTPUT -o lo -j ACCEPT --A OUTPUT -p icmp -j ACCEPT --A OUTPUT -p icmp -f -j DROPLOG --A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP --A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A OUTPUT -p icmp -j DROPLOG --A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -m state --state INVALID -j DROP --A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state 
NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -j DROPLOG --A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A ACCEPTLOG -j ACCEPT --A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A DROPLOG -j DROP --A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset --A REJECTLOG -j REJECT --reject-with icmp-port-unreachable --A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT --A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT --A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT --A RELATED_ICMP -j DROPLOG --A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN --A SYN_FLOOD -j DROP -COMMIT -# Completed 
on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index dd17b97..26a48b4 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables 
@@ -1,86 +1,39 @@
-#!/bin/sh
-#
-# /etc/rc.d/iptables: load/unload iptable rules
-#
-rules=/etc/iptables/net.v4
-
-iptables_clear () {
- echo "clear all iptables tables"
- iptables -F
- iptables -X
- iptables -t nat -F
- iptables -t nat -X
- iptables -t mangle -F
- iptables -t mangle -X
- iptables -t raw -F
- iptables -t raw -X
- iptables -t security -F
- iptables -t security -X
-}
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
 case $1 in
- start)
- echo "starting IPv4 firewall filter table..."
- /usr/sbin/iptables-restore ${rules}
- ;;
- stop)
- iptables_clear
- echo "stopping firewall and deny everyone..."
- /usr/sbin/iptables -P INPUT DROP
- /usr/sbin/iptables -P FORWARD DROP
- /usr/sbin/iptables -P OUTPUT DROP
-
- # Unlimited on local
- /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
- /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
- # log everything else and drop
- /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
- ;;
- open)
- iptables_clear
- echo "outgoing Open firewall and deny everyone..."
-
- /usr/sbin/iptables -P INPUT DROP
- /usr/sbin/iptables -P FORWARD DROP
- /usr/sbin/iptables -P OUTPUT ACCEPT
-
- /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
- /usr/sbin/iptables -t mangle -P INPUT ACCEPT
- /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
- /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
- /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-
- /usr/sbin/iptables -A OUTPUT -j ACCEPT
-
- # Unlimited on local
- /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
- /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
- # Accept passive
- /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-
- # log everything else and drop
- /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
- *)
-
- echo "usage: $0 [start|stop|restart]"
- ;;
+ start)
+ ipt_clear
+ ipt_tables
+ case $TYPE in
+ bridge)
+ source /etc/iptables/ipt-bridge.sh
+
+ ## log everything else and drop
+ ipt_log
+
+ iptables-save > /etc/iptables/net.v4
+ ;;
+ server)
+ source /etc/iptables/iptables-conf.sh
+
+ ## log everything else and drop
+ iptables_log
+
+ iptables-save > /etc/iptables/net.v4
+ ;;
+ esac
+ ;;
+ stop)
+
+ ipt_clear
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 [start|stop|restart]"
+ ;;
 esac
-
-# End of file
diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh
deleted file mode 100644
index 478ce08..0000000
--- a/core/scripts/iptables-conf.sh
+++ /dev/null
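Review bot: The `server)` arm of the new `case $TYPE` still sources `/etc/iptables/iptables-conf.sh` and calls `iptables_log`, but this commit deletes iptables-conf.sh (its successor ipt-conf.sh is already sourced at the top) and ipt-firewall.sh names the function `ipt_log`; so `start` with TYPE=server runs ipt_clear and ipt_tables, then fails on a missing file and an unknown command, and as far as the visible scripts show the host is left with DROP policies and no INPUT/OUTPUT rules, not even loopback, with iptables-save recording that state. The arm should read `source /etc/iptables/ipt-server.sh` and `ipt_log`, mirroring the bridge arm. The removed `#!/bin/sh` has no replacement and `source` is a bash builtin (`.` is the POSIX spelling), so the file needs `#!/bin/bash` back. The inner case has no `*)` arm, so a mistyped TYPE silently leaves the firewall closed the same way; an `*) echo "unknown TYPE: $TYPE" >&2; exit 1 ;;` arm would at least say why.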
@@ -1,21 +0,0 @@
-#!/bin/bash
-TYPE=bridge
-#TYPE=server
-
-IPT="/usr/sbin/iptables"
-SPAMLIST="blockedip"
-SPAMDROPMSG="BLOCKED IP DROP"
-
-# public interface to network/internet
-BR_IF="br0"
-BR_NET="10.0.0.0/8"
-GW="10.0.0.1"
-#DNS="10.0.0.254"
-DNS="212.55.154.174"
-
-PUB_IP="10.0.0.254"
-PUB_IF="enp8s0"
-
-# private interface for virtual/internal
-#PRIV_IF="wlp7s0"
-#PRIV_NET="192.168.1.0/24"
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
deleted file mode 100644
index 0516d94..0000000
--- a/core/scripts/iptables.sh
+++ /dev/null
@@ -1,420 +0,0 @@ -#!/bin/bash - -source /etc/iptables/iptables-conf.sh - -iptables_clear () { - echo "clear all iptables tables" - - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X - iptables -N blocker - - iptables -N srv_dhcp - iptables -N srv_rip - iptables -N srv_icmp - iptables -N srv_dns_in - iptables -N srv_dns_out - iptables -N srv_http_in - iptables -N srv_http_out - iptables -N srv_https_in - iptables -N srv_https_out - iptables -N srv_ssh_in - iptables -N srv_ssh_out - iptables -N srv_git_in - iptables -N srv_git_out - iptables -N srv_db_in - iptables -N srv_db_out - - - iptables -N cli_dns_in - iptables -N cli_dns_out - iptables -N cli_http_in - iptables -N cli_http_out - iptables -N cli_https_in - iptables -N cli_https_out - iptables -N cli_ssh_in - iptables -N cli_ssh_out - iptables -N cli_pops_in - iptables -N cli_pops_out - iptables -N cli_smtps_in - iptables -N cli_smtps_out - iptables -N cli_irc_in - iptables -N cli_irc_out - iptables -N cli_ftp_in - iptables -N cli_ftp_out - iptables -N cli_git_in - iptables -N cli_git_out - iptables -N cli_gpg_in - iptables -N cli_gpg_out - - # Set Default Rules - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP -} - -iptables_log () { - ## log everything else and drop - $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -} - - -iptables_tables () { - echo "start adding tables..." - - ####### blocker Chain ###### - ## Block google dns - $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " - $IPT -A blocker -s 8.8.0.0/24 -j DROP - ## Block sync - $IPT -A blocker -p tcp ! 
--syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " - $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP - ## Block Fragments - $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " - $IPT -A blocker -f -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " - $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
- #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - ## Return to caller - $IPT -A blocker -j RETURN - - ######## DNS Server - #echo "server_in chain: Allow input to DNS Server" - $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -j RETURN - #echo "srv_dns_out chain: Allow output from DNS server" - $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -j RETURN - - ####### Database Server - $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_db_in -j RETURN - $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_db_out -j RETURN - - ####### SSH Server - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ - --update --seconds 60 --hitcount 4 --rttl \ - --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ - --hitcount 4 --rttl --name SSH -j DROP - - $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - - $IPT -A srv_ssh_in -j RETURN - $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_ssh_out -j RETURN - - ####### HTTP Server - $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_http_in -j RETURN - $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_http_out -j RETURN - - ####### 
HTTPS Server - $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_https_in -j RETURN - $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_https_out -j RETURN - - ###### GIT server - $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_git_in -j RETURN - $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_git_out -j RETURN - - ######## DNS Client - $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_dns_out -j RETURN - $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_dns_in -j RETURN - - ######## HTTP Client - #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP - - $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -j RETURN - $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -j RETURN - - ######## IRC client - $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_irc_in -j RETURN - $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_irc_out -j RETURN - - ######## FTP client - - $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_in -j RETURN - $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j 
ACCEPT - $IPT -A cli_ftp_out -j RETURN - ######## GIT client - $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_git_in -j RETURN - $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_git_out -j RETURN - - ######## POP3S client - $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_pops_in -j RETURN - $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_pops_out -j RETURN - - ######## SMTPS client - $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_in -j RETURN - $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_out -j RETURN - - ######## HTTPS client - $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -j RETURN - $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -j RETURN - - ######## SSH client - $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -j RETURN - $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -j RETURN - - ######## GPG key client - $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 
-m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_in -j RETURN - $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_out -j RETURN - - ######## DHCP Server - $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -j RETURN - - ####### RIP Server - $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT - $IPT -A srv_rip -j RETURN - - ####### ICMP Server - $IPT -A srv_icmp -p icmp -j ACCEPT - $IPT -A srv_icmp -j RETURN -} - -case $TYPE in - bridge) - iptables_clear - iptables_tables - - echo "setting bridge network..." - echo 1 > /proc/sys/net/ipv4/ip_forward - - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### NAT Prerouting Chain ###### - - ####### Forward Chain ###### - $IPT -A FORWARD -j blocker - $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out 
tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - # Tap1 and Tap3 can access external http - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out - - ####### Forward TAP2 ssh, http and https ###### - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out - # - # #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip - # - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp - - # Tap1, Tap2 and Tap3 can access external https - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i 
${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in - - #Less noise - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - #Less noise - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - #Less noise - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j 
cli_http_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out - - ####### PostRouting Chain ###### - #Less noise - #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT - - #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE - - ## log everything else and drop - iptables_log - - #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " - # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " - - iptables-save > /etc/iptables/net.v4 - exit 0 - ;; - - server) - iptables_clear - iptables_tables - - echo "setting server network..." 
- - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in - #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in - - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out - #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out - - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out - - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out - - ## log everything else and drop - iptables_log - - iptables-save > /etc/iptables/net.v4 - exit 0 - - ;; - *) - - echo "usage: $0 [start|stop|restart]" - ;; -esac - -- cgit 1.4.1-2-gfad0 From 0cef8d9f3ae8a557d44c54b08a3f634bf305af78 Mon Sep 17 00:00:00 2001 
From: Silvino Silva
Date: Sat, 8 Dec 2018 02:11:24 +0000
Subject: wlan and blan scripts revision
---
 core/conf/rc.d/wlan | 47 ++++++++++++++++++++++++++++++++++++-----------
 tools/conf/etc/rc.d/blan | 13 ++++++++-----
 2 files changed, 44 insertions(+), 16 deletions(-)
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 86910bc..c9c60ec 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -3,8 +3,11 @@
 # /etc/rc.d/wlan: start/stop wireless interface
 #
-DEV=wlp7s0
+# Connection type: "DHCP" or "static"
+#TYPE="DHCP"
+TYPE="static"
+DEV=wlp7s0
 SSD=/sbin/start-stop-daemon
 PROG_DHCP=/sbin/dhcpcd
@@ -15,6 +18,11 @@ PID_WIFI=/var/run/wpa_supplicant.pid
 OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
+ADDR=192.168.1.67
+MASK=24
+GW=192.168.1.254
+
+
 print_status() {
 $SSD --status --pidfile $2
 case $? in
@@ -27,20 +35,37 @@ print_status() {
 case $1 in
 start)
- $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
- $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
- RETVAL=$?
+
+ if [ "${TYPE}" = "DHCP" ]; then
+ $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
+ $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
+ RETVAL=$?
+ else
+
+ /sbin/ip link set ${DEV} up
+
+ $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI
+
+ RETVAL=$?
+
+ /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast
+
+ /sbin/ip route add default via ${GW}
+ fi
 ;;
 stop)
- ( $SSD --stop --retry 10 --pidfile $PID_DHCP
- $SSD --stop --retry 10 --pidfile $PID_WIFI )
- RETVAL=$?
- /sbin/ip route del default dev ${DEV}
- /sbin/ip route flush dev ${DEV}
- /sbin/ip link set ${DEV} down
- /sbin/ip addr flush dev ${DEV}
+ if [ "${TYPE}" = "DHCP" ]; then
+ ( $SSD --stop --retry 10 --pidfile $PID_DHCP
+ $SSD --stop --retry 10 --pidfile $PID_WIFI )
+ RETVAL=$?
+ else
+ $SSD --stop --retry 10 --pidfile $PID_WIFI
+ RETVAL=$?
+ /sbin/ip link set ${DEV} down
+ /sbin/ip route del default
+ /sbin/ip addr del ${ADDR}/${MASK} dev ${DEV}
+ fi
 ;;
 restart)
 $0 stop
diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan
index 56d1809..61ac2d6 100755
--- a/tools/conf/etc/rc.d/blan
+++ b/tools/conf/etc/rc.d/blan
@@ -1,14 +1,16 @@
 #!/bin/sh
 #
-# /etc/rc.d/net: start/stop network interface
+# /etc/rc.d/blan: start/stop virtual network interfaces
 #
 DEV="br0"
 PHY="enp8s0"
-ADDR=10.0.0.1
-NET=10.0.0.0
-MASK=24
+ADDR=10.0.0.254
+#ADDR=10.0.1.254
+MASK=8
+#GW=10.0.0.1
+GW=192.168.1.254
 # one tap for each cpu core
 NTAPS=$((`/usr/bin/nproc`))
@@ -20,6 +22,7 @@ case $1 in
 /sbin/ip link set dev ${DEV} up
 /bin/sleep 0.2s
+ # Add network to virtual bridge
 /sbin/ip link set dev ${PHY} down
 /bin/sleep 0.1s
 /sbin/ip route flush dev ${PHY}
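Review bot: In the static `stop)` branch the new `/sbin/ip route del default` has lost the `dev ${DEV}` qualifier that the removed line carried, and it now runs after `/sbin/ip link set ${DEV} down`; once the link is down the kernel has normally already dropped the routes through ${DEV}, so the command either fails or, if another interface installed its own default route (the blan script in this commit adds one via the same 192.168.1.254), removes that route instead and cuts the host off. Reorder to `/sbin/ip route del default via ${GW} dev ${DEV}`, then the `ip addr del`, then the link down. In the static `start)` branch the trailing `broadcast` on the `ip addr add` line appears to be missing its argument (iproute2 expects an address or `brd +`), and because `RETVAL=$?` is taken from the `$SSD --start` line two statements earlier, a failure of either ip command is never reported — take `RETVAL=$?` after the last ip command or chain the three with `&&`. The `case` this hunk edits starts before the hunk and its `restart)` arm continues past it.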
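Review bot: `GW=192.168.1.254` lies outside the `ADDR=10.0.0.254`/`MASK=8` network given to ${DEV}, so the `/sbin/ip route add default via ${GW}` that the `@@ -28,7 +31,7 @@` hunk below uncomments cannot be resolved through the bridge itself; it only works when some other interface already carries a 192.168.1.0/24 address. The wlan script in this same commit configures 192.168.1.67/24 and adds a default route via the same gateway, so whichever script runs second is expected to fail with an RTNETLINK error that neither script checks or reports. If the bridge is meant to own the default route, pin it with `/sbin/ip route add default via ${GW} dev ${DEV}` (which then needs a gateway inside 10.0.0.0/8, such as the commented `#GW=10.0.0.1`); otherwise drop the route add here and say in the header comment which script owns the default route.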
@@ -28,7 +31,7 @@ case $1 in
 /bin/sleep 0.2s
 /sbin/ip link set dev ${PHY} master ${DEV}
- #/sbin/ip route add default via ${GW}
+ /sbin/ip route add default via ${GW}
 for i in `/usr/bin/seq $NTAPS`
 do
-- cgit 1.4.1-2-gfad0
From 2832cbc97478441927b7d4fa0b6127518d012b61 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sun, 9 Dec 2018 00:02:52 +0000
Subject: core revision
---
 core/apparmor.html | 2 +-
 core/bash.html | 2 +-
 core/configure.html | 2 +-
 core/dash.html | 2 +-
 core/exim.html | 2 +-
 core/hardening.html | 2 +-
 core/index.html | 6 ++---
 core/install.html | 58 +++++++++++++++++++--------------------
 core/linux.html | 2 +-
 core/network.html | 2 +-
 core/package.html | 2 +-
 core/ports.html | 2 +-
 core/reboot.html | 2 +-
 core/samhain.html | 2 +-
 core/sysctl.html | 2 +-
 core/tmux.html | 2 +-
 core/toolchain.html | 2 +-
 core/tty-terminal.html | 2 +-
 tools/scripts/pkgmk-test.sh | 2 +-
 19 files changed, 45 insertions(+), 53 deletions(-)
diff --git a/core/apparmor.html b/core/apparmor.html
index 709f2a4..9954593 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -98,7 +98,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/bash.html b/core/bash.html index be17c71..72e746d 100644 --- a/core/bash.html +++ b/core/bash.html @@ -156,7 +156,7 @@ fi

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/configure.html b/core/configure.html index 2fadfcf..7d34bf7 100644 --- a/core/configure.html +++ b/core/configure.html @@ -272,7 +272,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/dash.html b/core/dash.html index 134616d..a273107 100644 --- a/core/dash.html +++ b/core/dash.html @@ -21,7 +21,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/exim.html b/core/exim.html index 2f93af8..23708d2 100644 --- a/core/exim.html +++ b/core/exim.html @@ -226,7 +226,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/hardening.html b/core/hardening.html index 60fea58..1455398 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -45,7 +45,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/index.html b/core/index.html index 9145f3e..8be7606 100644 --- a/core/index.html +++ b/core/index.html @@ -2,13 +2,13 @@ - c9 Core OS + Core OS Documentation Index -

c9 Core OS

+

Core OS

c9 Core OS covers installation and configuration of basic functionality of Crux 3.4 Gnu\Linux operating system. @@ -155,7 +155,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/install.html b/core/install.html index dfde50a..46793c9 100644 --- a/core/install.html +++ b/core/install.html @@ -75,7 +75,7 @@ installations. Partition size 128M;

-        (parted) mkpart ESP fat32 4 125
+        (parted) mkpart ESP fat32 4 132
         (parted) name 2 efi
         (parted) set 2 boot on
         
@@ -83,70 +83,62 @@

/boot

Boot partition. Partition with 1G provide room for kernels - and crux iso that can be directly boot from grub (without root + and bootable iso's that can be directly boot from grub (without root partition). Partition size 1G;

-        (parted) mkpart primary ext4 125 1128
+        (parted) mkpart primary ext4 132 1132
         (parted) name 3 boot
         

/

-

Normal core crux installation root partition uses - approximately 2G, without /usr 200MB-500M. Minimum 2G - is recommended to give room to root home directory with - dedicated (separated) usr and var partition. - Partition size 4G;

+

Core collection installation on root partition uses + approximately 2G. Partition with 8G-20G is recommended + for a server or desktop with dedicated ports partition + or using only compiled packages. Partition size 20G;

-        (parted) mkpart primary ext4 1128 5128
+        (parted) mkpart primary ext4 1132 21132
         (parted) name 4 root
         

/var

Var partition is recommended 1G-5G depending on how - system is configured. Partition size 1G;

+ system is configured. Partition size 2G;

-        (parted) mkpart primary ext4 5128 6128
+        (parted) mkpart primary ext4 21132 23132
         (parted) name 5 var
         
-

/usr

- -

User partition with 4G-8G is recommended for a desktop - setup, with dedicated partition for ports. Partition size - 8G;

- -
-        (parted) mkpart primary ext4 6128 14128
-        (parted) name 6 usr
-        
-

Swap (ram)

Swap partition general advice is to have the same size as memory ram, ports system will be configured to build on ram. - To build firefox is necessary at least 34G, swap partitions - will be added to lvm and this partition removed. - Partition size 4G;

+ To build firefox is necessary at least 34G. Partition size 4G;

+ +

Is better to create swap partition later using + lvm.

-        (parted) mkpart primary linux-swap 14128 18128
-        (parted) name 3 swap
+        (parted) mkpart primary linux-swap 23132 27132
+        (parted) name 6 swap
         

/home

-

Home partition general advice is to fill the rest of disk - space. Home partition will be added later to lvm and this - partition removed. Fill the rest of disk space;

+

Home partition on desktop fill the rest of disk + space while on server this partition can be unnecessary. + Fill the rest of disk space;

+ +

Is better to create home partition later using + lvm.

-        (parted) mkpart primary ext4 18128 100%
-        (parted) name 8 home
+        (parted) mkpart primary ext4 27132 100%
+        (parted) name 7 home
         

1.1.3. Prepare Install

@@ -354,7 +346,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/linux.html b/core/linux.html index f4dd14f..670d0e7 100644 --- a/core/linux.html +++ b/core/linux.html @@ -858,7 +858,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/network.html b/core/network.html index feb9765..2b94e50 100644 --- a/core/network.html +++ b/core/network.html @@ -445,7 +445,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/package.html b/core/package.html index 4aa649d..bedb132 100644 --- a/core/package.html +++ b/core/package.html @@ -184,7 +184,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/ports.html b/core/ports.html index 7f1cd54..32e5095 100644 --- a/core/ports.html +++ b/core/ports.html @@ -191,7 +191,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/reboot.html b/core/reboot.html index 1fae99b..505a889 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -225,7 +225,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/samhain.html b/core/samhain.html index f161a16..d28a6d2 100644 --- a/core/samhain.html +++ b/core/samhain.html @@ -257,7 +257,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/sysctl.html b/core/sysctl.html index b871158..525a6cf 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -618,7 +618,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/tmux.html b/core/tmux.html index d6bc2c5..b94253d 100644 --- a/core/tmux.html +++ b/core/tmux.html @@ -110,7 +110,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/toolchain.html b/core/toolchain.html index 0ed64bc..57113fd 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -176,7 +176,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 2696119..6eb08d3 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -74,7 +74,7 @@ Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/scripts/pkgmk-test.sh b/tools/scripts/pkgmk-test.sh index a279967..4cfe2c3 100644 --- a/tools/scripts/pkgmk-test.sh +++ b/tools/scripts/pkgmk-test.sh @@ -1,5 +1,5 @@ #!/bin/bash DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" CONF=${DIR}/pkgmk-test.conf - +echo "pkgmk -cf $CONF -d -is $1" fakeroot pkgmk -cf $CONF -d -is $1 -- cgit 1.4.1-2-gfad0 From 6844eee3fbbdc834f22fd0667a41d80d66d307c0 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 9 Dec 2018 00:03:45 +0000 Subject: tools revision --- tools/conf/srv/gitolite/gitolite.conf | 6 +++--- tools/dnsmasq.html | 2 +- tools/fail2ban.html | 2 +- tools/gitolite.html | 2 +- tools/gnupg.html | 2 +- tools/index.html | 2 +- tools/logrotate.html | 2 +- tools/lvm.html | 2 +- tools/lynx.html | 2 +- tools/mutt.html | 2 +- tools/network.html | 2 +- tools/nginx.html | 2 +- tools/openssh.html | 2 +- tools/postgresql.html | 2 +- tools/qemu.html | 2 +- tools/squid.html | 2 +- tools/storage.html | 2 +- tools/syslog-ng.html | 2 +- tools/tar.html | 2 +- tools/vim.html | 2 +- tools/x.html | 2 +- 21 files changed, 23 insertions(+), 23 deletions(-) diff --git a/tools/conf/srv/gitolite/gitolite.conf b/tools/conf/srv/gitolite/gitolite.conf index 09133ec..e7573dd 100644 --- a/tools/conf/srv/gitolite/gitolite.conf +++ b/tools/conf/srv/gitolite/gitolite.conf @@ -33,11 +33,11 @@ repo gitolite-admin RW+ = gitolite repo c9-doc c9-ports c9-pmwiki c9-assistant - config gitweb.owner = "c9 team" + config gitweb.owner = "Hive Team" config gitweb.category = "c9" repo linux-pck - config gitweb.owner = "c9 team" + config gitweb.owner = "Hive Team" config gitweb.category = "mirrors" repo opt core contrib @@ -56,7 +56,7 @@ repo c9-pmwiki option hook.post-receive = deploy-web-doc repo c9-assistant - config gitweb.owner = "c9 team" + config gitweb.owner = "Hive Team" config gitweb.description = "c9 open assistant" repo core diff --git a/tools/dnsmasq.html b/tools/dnsmasq.html index a3b3ea8..32480d6 100644 
--- a/tools/dnsmasq.html +++ b/tools/dnsmasq.html @@ -70,7 +70,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/fail2ban.html b/tools/fail2ban.html index 46c909c..62f8c45 100644 --- a/tools/fail2ban.html +++ b/tools/fail2ban.html @@ -48,7 +48,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/gitolite.html b/tools/gitolite.html index cfb443b..a7a48a5 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html @@ -827,7 +827,7 @@ Tools Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/gnupg.html b/tools/gnupg.html index b009725..54b74d3 100644 --- a/tools/gnupg.html +++ b/tools/gnupg.html @@ -297,7 +297,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/index.html b/tools/index.html index 6c608e4..e2eef45 100644 --- a/tools/index.html +++ b/tools/index.html @@ -170,7 +170,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/logrotate.html b/tools/logrotate.html index 2228c62..b120741 100644 --- a/tools/logrotate.html +++ b/tools/logrotate.html @@ -157,7 +157,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 -c9 team. +Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/lvm.html b/tools/lvm.html index 347e502..497ce01 100644 --- a/tools/lvm.html +++ b/tools/lvm.html @@ -160,7 +160,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/lynx.html b/tools/lynx.html index 618e482..039d2fa 100644 --- a/tools/lynx.html +++ b/tools/lynx.html @@ -9,7 +9,7 @@
         # Description: Text-based web browser.
         # URL: http://lynx.isc.org/
-        # Packager: c9 team, silvino at bk dot ru
+        # Packager: Hive Team, silvino at bk dot ru
         # Depends on: ncurses openssl zlib
 
         name=lynx
diff --git a/tools/mutt.html b/tools/mutt.html
index 5597600..28c9e0c 100644
--- a/tools/mutt.html
+++ b/tools/mutt.html
@@ -313,7 +313,7 @@
         

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/network.html b/tools/network.html index ba78bac..9e6821e 100644 --- a/tools/network.html +++ b/tools/network.html @@ -68,7 +68,7 @@ Tools Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/nginx.html b/tools/nginx.html index 9c735ea..7094ac7 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -394,7 +394,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/openssh.html b/tools/openssh.html index f257f9c..e1748d7 100644 --- a/tools/openssh.html +++ b/tools/openssh.html @@ -303,7 +303,7 @@ Tools Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/postgresql.html b/tools/postgresql.html index c5b309c..b68323a 100644 --- a/tools/postgresql.html +++ b/tools/postgresql.html @@ -318,7 +318,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/qemu.html b/tools/qemu.html index ede94ed..5c44bad 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -403,7 +403,7 @@ Tools Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/squid.html b/tools/squid.html index cdf28cb..e8f1b0f 100644 --- a/tools/squid.html +++ b/tools/squid.html @@ -67,7 +67,7 @@ ssl_bump bump all Tools Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/storage.html b/tools/storage.html index f745cc7..932e724 100644 --- a/tools/storage.html +++ b/tools/storage.html @@ -93,7 +93,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/syslog-ng.html b/tools/syslog-ng.html index a799a16..50eaebc 100644 --- a/tools/syslog-ng.html +++ b/tools/syslog-ng.html @@ -146,7 +146,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 -c9 team. +Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/tar.html b/tools/tar.html index 19708be..1b2c88a 100644 --- a/tools/tar.html +++ b/tools/tar.html @@ -124,7 +124,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/vim.html b/tools/vim.html index 15c526f..6b9ec31 100644 --- a/tools/vim.html +++ b/tools/vim.html @@ -175,7 +175,7 @@ Systools Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/tools/x.html b/tools/x.html index ac4104b..79d1757 100644 --- a/tools/x.html +++ b/tools/x.html @@ -253,7 +253,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

-- cgit 1.4.1-2-gfad0 From 855557f38fded8701ea7f0d2eb0393fb00205166 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 9 Dec 2018 00:04:20 +0000 Subject: dev revision --- dev/c/datatypes.html | 2 +- dev/c/debugging.html | 2 +- dev/c/elements.html | 2 +- dev/c/index.html | 2 +- dev/c/lib.html | 2 +- dev/c/system.html | 2 +- dev/index.html | 2 +- dev/js/index.html | 2 +- dev/perl/index.html | 2 +- dev/php/index.html | 2 +- dev/python/index.html | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/dev/c/datatypes.html b/dev/c/datatypes.html index 58566a2..cbe19a2 100644 --- a/dev/c/datatypes.html +++ b/dev/c/datatypes.html @@ -170,7 +170,7 @@ Development Index

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/c/debugging.html b/dev/c/debugging.html index 2b29ab6..c68fbc1 100644 --- a/dev/c/debugging.html +++ b/dev/c/debugging.html @@ -92,7 +92,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/c/elements.html b/dev/c/elements.html index f421b85..9e31adb 100644 --- a/dev/c/elements.html +++ b/dev/c/elements.html @@ -56,7 +56,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/c/index.html b/dev/c/index.html index 325f61a..2f0c068 100644 --- a/dev/c/index.html +++ b/dev/c/index.html @@ -162,7 +162,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/c/lib.html b/dev/c/lib.html index ab320ed..4b6c07e 100644 --- a/dev/c/lib.html +++ b/dev/c/lib.html @@ -248,7 +248,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/c/system.html b/dev/c/system.html index 69816b6..5312151 100644 --- a/dev/c/system.html +++ b/dev/c/system.html @@ -173,7 +173,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/index.html b/dev/index.html index 972d884..70935b0 100644 --- a/dev/index.html +++ b/dev/index.html @@ -177,7 +177,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/js/index.html b/dev/js/index.html index 66d5bdf..66c0be1 100644 --- a/dev/js/index.html +++ b/dev/js/index.html @@ -13,7 +13,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/perl/index.html b/dev/perl/index.html index e3c24ef..dbef1e1 100644 --- a/dev/perl/index.html +++ b/dev/perl/index.html @@ -13,7 +13,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/php/index.html b/dev/php/index.html index 4ea8336..fdb2b09 100644 --- a/dev/php/index.html +++ b/dev/php/index.html @@ -79,7 +79,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/dev/python/index.html b/dev/python/index.html index 651ce11..814e3f2 100644 --- a/dev/python/index.html +++ b/dev/python/index.html @@ -28,7 +28,7 @@

This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.

-- cgit 1.4.1-2-gfad0 From 88bd69c5b7456221e4260b74c2783a660084aaa4 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 9 Dec 2018 00:08:15 +0000 Subject: core backup script revision --- core/scripts/backup-system.sh | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index ad037ef..c28c706 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh 
@@ -217,42 +217,44 @@ do METADATA=${DEST_SYS}/meta-data mkdir -p $METADATA - # must be using gwak instead of sed, xargs and echo - prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${METADATA}/all_installed.pkg + # must be using gwak instead of sed + prt-get listinst -v | sed 's/ /#/g' | sed 's/$/.pkg.tar.gz/g' > ${METADATA}/all-installed.pkg for filename in /etc/ports/*.git; do source $filename + # backup ports collection echo "Backing up collection: $NAME" - # create list of installed packages - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg - - # backup collection ports tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \ --directory=$ROOT_DIR/usr/ports/${NAME} \ --exclude=.git/ \ . + + # create list of installed packages + prt-get printf "%i %p %n\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg + # backup collection packages while read line; do - if [ ! -f /usr/ports/packages/${line} ]; then - echo "Building package: ${line};\n" - PORT_NAME=$(echo ${line} | cut -d "#" -f 1) - sudo prt-get update -fr -if -is ${PORT_NAME} - (cd /usr/ports/${NAME}/${PORT_NAME} \ + echo "Backing up package: ${NAME}/${line}" + # get installed version not version on ports + PACKAGE="$(cat ${METADATA}/all-installed.pkg | grep "^${line}#")" + if [ ! 
-f /usr/ports/packages/${PACKAGE} ]; then + echo "Building package: ${PACKAGE};\n" + sudo prt-get update -fr -if -is ${line} + (cd /usr/ports/${NAME}/${line} \ && sudo pkgmk -uf) fi - if [ -f /usr/ports/packages/${line} ]; then - echo "Backing up package: ${NAME}/${line}" - echo ${line} >> ${METADATA}/backup.pkg - #cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/ + if [ -f /usr/ports/packages/${PACKAGE} ]; then + echo ${PACKAGE} >> ${METADATA}/${NAME}-backup.pkg + #cp /usr/ports/packages/${PACKAGE} ${PORT_PKG}/${NAME}/ tar rvf ${PORT_PKG}/${NAME}.tar \ --directory=/usr/ports/packages \ - ${line} + ${PACKAGE} else echo "Package $PORT_NAME not found: ${line}" - echo ${line} >> ${METADATA}/${NAME}-notfound.pkg + echo ${PACKAGE} >> ${METADATA}/${NAME}-notfound.pkg fi done < ${METADATA}/${NAME}-installed.pkg done @@ -261,3 +263,7 @@ do *) echo "Please enter only y or n" esac done + +RELEASE_NAME=$(basename ${DEST_DIR}) +tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/ +rm -rf ${DEST_DIR} -- cgit 1.4.1-2-gfad0 From a4f712e1969ad4c479ea4c1efc38b9c92d748ad8 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 10 Dec 2018 14:28:54 +0000 Subject: fix core backup-system script --- core/scripts/backup-system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index c28c706..7faf676 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -265,5 +265,5 @@ do done RELEASE_NAME=$(basename ${DEST_DIR}) -tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/ +cd $(dirname ${DEST_DIR}) && tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/ rm -rf ${DEST_DIR} -- cgit 1.4.1-2-gfad0 From 48b937054671a1807a6cb32d77eabf834666d98b Mon Sep 17 00:00:00 2001 
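Review bot: The else branch still prints `echo "Package $PORT_NAME not found: ${line}"`, but this hunk removes the only assignment to `PORT_NAME`, so the message now reports an empty or stale name; use `${line}` there. A few lines earlier, `PACKAGE="$(cat ${METADATA}/all-installed.pkg | grep "^${line}#")"` treats the port name as a regular expression rather than a fixed string, and `PACKAGE` is resolved before the rebuild, so a port rebuilt at a newer version than the one recorded in `all-installed.pkg` is still looked up under the old filename; an exact-field match such as `awk -F'#' -v p="$line" '$1==p' "${METADATA}/all-installed.pkg"` avoids the regex problem. Quoting the remaining expansions (`"${METADATA}/${NAME}-installed.pkg"`, `"${PACKAGE}"`) and reading with `while IFS= read -r line` would keep paths with spaces or backslashes intact. The enclosing `do` block starts before this hunk.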
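Review bot: `rm -rf ${DEST_DIR}` runs unconditionally after the tar step in the `@@ -261,3 +263,7 @@` hunk, and the follow-up `@@ -265,5 +265,5 @@` hunk keeps that shape while prefixing `cd $(dirname ${DEST_DIR}) &&`: if the `cd` or the `tar` fails (missing directory, full disk), the only copy of the backup tree is deleted anyway. With an unset or empty `DEST_DIR`, `RELEASE_NAME` is empty and `${RELEASE_NAME}/` expands to `/`, so tar would attempt to archive the whole filesystem. Gate the removal on the archive succeeding and refuse an empty path: `RELEASE_NAME=$(basename -- "${DEST_DIR:?}")`, `( cd "$(dirname -- "$DEST_DIR")" && tar -zcpf "${RELEASE_NAME}.tar.gz" "${RELEASE_NAME}/" ) || exit 1`, `rm -rf -- "${DEST_DIR:?}"`. The subshell also leaves the script's working directory unchanged after the archive is written.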
From: Silvino Silva Date: Sat, 15 Dec 2018 03:27:38 +0000 Subject: core iptables script revision --- core/conf/iptables/ipt-bridge.sh | 44 ++++++++++++++++++++++++++-------------- core/conf/iptables/ipt-conf.sh | 1 + 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index 6f70e7c..6ad26fa 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -20,6 +20,8 @@ $IPT -A FORWARD -j blocker $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT + # Allow access from bridge to gateway wifi interface $IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out 
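Review bot: The new `-s ${BR_NET} -d ${BR_NET} -j ACCEPT` rule is evaluated before the `--physdev-in ${PUB_IF}` rules further down the chain and carries no physdev restriction of its own, so a frame entering through the public bridge port with a forged 10.0.0.0/8 source address is accepted here instead of reaching the `cli_*_in` chains; the broader `-s ${BR_NET} -j ACCEPT` rule added in the `@@ -33,6 +35,30 @@` hunk has the same gap. Unless upstream equipment is known to filter private-range sources, restrict both rules to internal ports, e.g. `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev ! --physdev-in ${PUB_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT`, or place an explicit `-m physdev --physdev-in ${PUB_IF} -s ${BR_NET} -j DROP` ahead of them. If the unrestricted form is intentional, a one-line comment above the rule saying so would document the decision. The `blocker` and `cli_*`/`srv_*` chains these rules depend on are defined outside this hunk.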
@@ -33,6 +35,30 @@ $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out $IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out +# allow output from BR_NET to external +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT + +# allow input from public bridged interface facing Internet +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in + +######## Forward TAP2 ssh, http and https ###### +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out +# +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out + +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out + + +#Less noise +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP + + #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT # 
@@ -61,22 +87,11 @@ $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in # # -######## Forward TAP2 ssh, http and https ###### -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out -# -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out -# -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out - # Tap1, Tap2 and Tap3 can access external https #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT # @@ -86,9 +101,6 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp # -#Less noise -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP - ####### Input Chain ###### $IPT -A INPUT -j blocker #Less noise 
@@ -96,11 +108,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 - $IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP $IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in $IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in @@ -125,6 +138,7 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh index 3874cee..eef0b52 100644 --- a/core/conf/iptables/ipt-conf.sh +++ b/core/conf/iptables/ipt-conf.sh @@ -9,6 +9,7 @@ SPAMDROPMSG="BLOCKED IP DROP" BR_IF="br0" BR_NET="10.0.0.0/8" GW="10.0.0.1" +#GW="10.0.0.2" #DNS="10.0.0.254" DNS="212.55.154.174" -- cgit 1.4.1-2-gfad0 From 68c8048b2ef871cb18c5c6b58f586519c9f13f22 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 15 Dec 2018 06:20:43 +0000 Subject: core install target partition fix --- core/install.html | 48 ++++++++++++++++++------------------------------ 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/core/install.html b/core/install.html index 46793c9..0005873 100644 --- a/core/install.html +++ b/core/install.html @@ -127,6 +127,7 @@ (parted) name 6 swap
+

/home

Home partition on desktop fill the rest of disk @@ -141,6 +142,17 @@ (parted) name 7 home +

Create filesystems

+ +
+        $ sudo mkfs.fat -F 32 /dev/sda2
+        $ sudo mkfs.ext4      /dev/sda3
+        $ sudo mkfs.ext4      /dev/sda4
+        $ sudo mkfs.ext4      /dev/sda5
+        $ sudo mkswap	      /dev/sda6
+        $ sudo mkfs.ext4      /dev/sda7
+        
+

1.1.3. Prepare Install

From now on script @@ -152,37 +164,11 @@ $ export CHROOT=/mnt -

Create filesystems

- -
-        $ export DEV=/dev/sda
-        
- -
-        $ export BLK_EFI="${DEV}2"
-        $ export BLK_BOOT="${DEV}3"
-        $ export BLK_ROOT="${DEV}4"
-        $ export BLK_VAR="${DEV}5"
-        $ export BLK_USR="${DEV}6"
-        $ export BLK_SWP="${DEV}7"
-        $ export BLK_HOME="${DEV}8"
-       
- -
-        $ sudo mkfs.fat -F 32  $BLK_EFI
-        $ sudo mkfs.ext4 $BLK_BOOT
-        $ sudo mkfs.ext4 $BLK_ROOT
-        $ sudo mkfs.ext4 $BKL_VAR
-        $ sudo mkfs.ext4 $BKL_USR
-        $ sudo mkswap $BLK_SWAP
-        $ sudo mkfs.ext4 $BKL_HOME
-        
-
         $ sudo mount $BLK_ROOT $CHROOT
         
-

Create directories and mount target partitions;

+

Create follow directories;

         $ sudo mkdir -p $CHROOT/boot
@@ -195,7 +181,11 @@
         $ sudo mkdir -p $CHROOT/tmp
         $ sudo mkdir -p $CHROOT/proc
         $ sudo mkdir -p $CHROOT/sys
+	
+

If partition layout is different or target is a directory is not necessary to mount, create only the directories;

+ +
         $ sudo mount $BLK_BOOT $CHROOT/boot
         $ sudo mkdir -p $CHROOT/boot/efi
         $ sudo mount $BLK_EFI $CHROOT/boot/efi
@@ -203,8 +193,6 @@
         $ sudo mount $BLK_VAR $CHROOT/var
         $ sudo mkdir -p $CHROOT/var/lib/pkg
 
-        $ sudo mount $BLK_USR $CHROOT/usr
-
         $ sudo mount $BLK_HOME $CHROOT/home
         
@@ -218,7 +206,7 @@ $ sudo mount -vt sysfs sysfs $CHROOT/sys -

Mount iso on target partition;

+

Mount iso or copy packages to target /mnt directory;

         # modprobe isofs
-- 
cgit 1.4.1-2-gfad0


From 440f91f7895197575e33dc50bbd6f32a60a98dbf Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Sat, 15 Dec 2018 06:26:33 +0000
Subject: core install directory instructions

---
 core/install.html | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/install.html b/core/install.html
index 0005873..4a07d46 100644
--- a/core/install.html
+++ b/core/install.html
@@ -160,10 +160,14 @@
         create file systems, install packages, configure host
         metadata and setup ports;

+

Export target root directory you want to install;

+
         $ export CHROOT=/mnt
         
+

If you are installing to a directory and not partitions you don't need to mount;

+
         $ sudo mount $BLK_ROOT $CHROOT
         
-- cgit 1.4.1-2-gfad0 From 22715960a28e32473d247fc96d391d244eba67ed Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 15 Dec 2018 07:04:46 +0000 Subject: pkgutils updated on install core script --- core/scripts/install-core.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh index d889c8b..9edd966 100644 --- a/core/scripts/install-core.sh +++ b/core/scripts/install-core.sh @@ -41,7 +41,7 @@ install_core() { done fi - tar xf "${PORT_PKG}/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd + tar xf "${PORT_PKG}/core/pkgutils#5.40-7.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd chmod +x ${CHROOT}/pkgadd -- cgit 1.4.1-2-gfad0 From 8233dafb72ff5a1e36b22dda1764fc68097d6ca3 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 15 Dec 2018 19:02:40 +0000 Subject: fix core install prepare install --- core/install.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/core/install.html b/core/install.html index 4a07d46..fb1a546 100644 --- a/core/install.html +++ b/core/install.html @@ -160,6 +160,12 @@ create file systems, install packages, configure host metadata and setup ports;

+

Export target root partition;

+ +
+	$ export BLK_ROOT=/dev/sda
+	
+

Export target root directory you want to install;

-- 
cgit 1.4.1-2-gfad0


From 562ae43b3362a023fed48ae118709d1026764384 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Sat, 15 Dec 2018 19:05:25 +0000
Subject: version bumped to 0.4.0

---
 index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.html b/index.html
index 00851d0..1368ebe 100644
--- a/index.html
+++ b/index.html
@@ -38,7 +38,7 @@
         

Version;

-        rev 0.3.6
+        rev 0.4.0
         
Links contains relevant -- cgit 1.4.1-2-gfad0 From d29168d07293ffd1c8c1a186c42fc70f5461e928 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 15 Dec 2018 19:06:03 +0000 Subject: removed reference to c9 from core index --- core/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/index.html b/core/index.html index 8be7606..87330b1 100644 --- a/core/index.html +++ b/core/index.html @@ -10,7 +10,7 @@

Core OS

-

c9 Core OS covers installation and configuration of +

Core OS covers installation and configuration of basic functionality of Crux 3.4 Gnu\Linux operating system. This documentation try's to follow Crux HandBook installation method diverges, for example, by only installing and -- cgit 1.4.1-2-gfad0