From 23dbb9f081630e60381bf696ef41a8e5045197ad Mon Sep 17 00:00:00 2001
From: Silvino Silva Example of ~/.profile;Window Managers
--
cgit 1.4.1-2-gfad0
From c25612b916735aba72e9efc04b0d3bfe0ad129ab Mon Sep 17 00:00:00 2001
From: Silvino Silva
- PATH=~/.composer/vendor/bin:${PATH}
-
- export GPG_AGENT_INFO # the env file does not contain the export statement
- export SSH_AUTH_SOCK # enable gpg-agent for ssh
-
+ export GPG_AGENT_INFO # the env file does not contain the export statement
+ export SSH_AUTH_SOCK # enable gpg-agent for ssh
+
+ export GPGKEY=XXXXXXXX
+
+ # ssh-agent to ask only ounce for password
+ SSH_ENV="$HOME/.ssh/environment"
+ function start_agent {
+ echo "Initialising new SSH agent..."
+ /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+ echo succeeded
+ chmod 600 "${SSH_ENV}"
+ . "${SSH_ENV}" > /dev/null
+ /usr/bin/ssh-add;
+ }
+
+ # Source SSH settings, if applicable
+ if [ -f "${SSH_ENV}" ]; then
+ . "${SSH_ENV}" > /dev/null
+ #ps ${SSH_AGENT_PID} doesn't work under cywgin
+ ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+ start_agent;
+ }
+ else
+ start_agent;
+ fi
+
+ # Weston
+ if test -z "${XDG_RUNTIME_DIR}"; then
+ export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+ if ! test -d "${XDG_RUNTIME_DIR}"; then
+ mkdir "${XDG_RUNTIME_DIR}"
+ chmod 0700 "${XDG_RUNTIME_DIR}"
+ fi
+fi
2.5.2.2. Bash RC
diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile
index 71dd6f8..1c8aa8b 100644
--- a/core/conf/skel/.profile
+++ b/core/conf/skel/.profile
@@ -1,6 +1,35 @@
export GPG_AGENT_INFO # the env file does not contain the export statement
export SSH_AUTH_SOCK # enable gpg-agent for ssh
-export GPGKEY=8BF422F7
+export GPGKEY=XXXXXXXX
-#alias prodtmux="ssh srv-remote -t tmux a"
+# ssh-agent to ask only ounce for password
+SSH_ENV="$HOME/.ssh/environment"
+function start_agent {
+ echo "Initialising new SSH agent..."
+ /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+ echo succeeded
+ chmod 600 "${SSH_ENV}"
+ . "${SSH_ENV}" > /dev/null
+ /usr/bin/ssh-add;
+}
+
+# Source SSH settings, if applicable
+if [ -f "${SSH_ENV}" ]; then
+ . "${SSH_ENV}" > /dev/null
+ #ps ${SSH_AGENT_PID} doesn't work under cywgin
+ ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+ start_agent;
+ }
+else
+ start_agent;
+fi
+
+# Weston
+if test -z "${XDG_RUNTIME_DIR}"; then
+ export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+ if ! test -d "${XDG_RUNTIME_DIR}"; then
+ mkdir "${XDG_RUNTIME_DIR}"
+ chmod 0700 "${XDG_RUNTIME_DIR}"
+ fi
+fi
--
cgit 1.4.1-2-gfad0
From c13879eb3fddf35d96311ddeb0a495094198c6dc Mon Sep 17 00:00:00 2001
From: Silvino Silva
- $ qemu-img create -f qcow2 crux-img.qcow2 2000M + $ qemu-img create -f qcow2 crux-img.qcow2 15G
- parted --script ${DEV} \ - mklabel gpt \ - unit mib \ - mkpart primary 2 4 \ - set 1 bios_grub on \ - name 1 grub \ - mkpart ESP fat32 4 59 \ - set 2 boot on \ - name 2 efi \ - mkpart primary ext4 103 200 \ - name 3 boot \ - mkpart primary linux-swap 200 456 \ - name 4 swap \ - mkpart primary ext4 456 3700 \ - name 5 root \ - mkpart primary ext4 3700 4000 \ - name 6 var \ - mkpart primary ext4 4000 100% \ - name 7 home + parted --script ${DEV} \ + mklabel gpt \ + unit mib \ + mkpart primary 2 4 \ + name 1 grub \ + mkpart ESP fat32 4 128 \ + name 2 efi \ + mkpart primary ext4 128 1128 \ + name 3 boot \ + mkpart primary ext4 1128 12128 \ + name 4 root \ + mkpart primary ext4 12128 14128 \ + name 5 var \ + mkpart primary ext4 14128 100% \ + name 6 lvm \ + set 1 bios_grub on \ + set 2 boot on \ + set 6 lvm on
@@ -91,30 +90,31 @@Use /dev/mapper/$(name_of_device) to assign correct blocks;
- mkfs.fat -F 32 /dev/mapper/${DEV_NAME}p2 - mkfs.ext4 /dev/mapper/${DEV_NAME}p3 - mkswap /dev/mapper/${DEV_NAME}p4 - mkfs.ext4 /dev/mapper/${DEV_NAME}p5 - mkfs.ext4 /dev/mapper/${DEV_NAME}p6 - mkfs.ext4 /dev/mapper/${DEV_NAME}p7 + mkfs.fat -F 32 /dev/mapper/${DEV_NAME}p2 + mkfs.ext4 /dev/mapper/${DEV_NAME}p3 + mkfs.ext4 /dev/mapper/${DEV_NAME}p4 + mkfs.ext4 /dev/mapper/${DEV_NAME}p5 + pvcreate /dev/mapper/${DEV_NAME}p6+Read lvm documentation on how to setup + virtual group and logic volumes.
+Mount partition;
- mount /dev/mapper/${DEV_NAME}p5 $CHROOT - mkdir -p $CHROOT/proc - mkdir -p $CHROOT/sys - mkdir -p $CHROOT/dev - - mkdir -p $CHROOT/boot - mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot - mkdir -p $CHROOT/boot/efi - mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi - mkdir -p $CHROOT/var - mount /dev/mapper/${DEV_NAME}p6 $CHROOT/var - mkdir -p $CHROOT/home - mount /dev/mapper/${DEV_NAME}p7 $CHROOT/home + mount /dev/mapper/${DEV_NAME}p4 $CHROOT + mkdir -p $CHROOT/proc + mkdir -p $CHROOT/sys + mkdir -p $CHROOT/dev + mkdir -p $CHROOT/media + + mkdir -p $CHROOT/boot + mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot + mkdir -p $CHROOT/boot/efi + mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi + mkdir -p $CHROOT/var + mount /dev/mapper/${DEV_NAME}p5 $CHROOT/varBefore disconnecting image, clean dev mappings;
-- cgit 1.4.1-2-gfad0 From b6b79e6d960febc3f266735e4a2f807d776b5830 Mon Sep 17 00:00:00 2001 From: Silvino SilvaDate: Sat, 8 Dec 2018 02:08:20 +0000 Subject: iptables revision --- core/conf/iptables/br-lan.v4 | 136 ------------ core/conf/iptables/ipt-bridge.sh | 158 ++++++++++++++ core/conf/iptables/ipt-conf.sh | 20 ++ core/conf/iptables/ipt-firewall.sh | 258 +++++++++++++++++++++++ core/conf/iptables/ipt-server.sh | 37 ++++ core/conf/iptables/net.v4 | 111 ---------- core/conf/rc.d/iptables | 117 ++++------- core/scripts/iptables-conf.sh | 21 -- core/scripts/iptables.sh | 420 ------------------------------------- 9 files changed, 508 insertions(+), 770 deletions(-) delete mode 100644 core/conf/iptables/br-lan.v4 create mode 100644 core/conf/iptables/ipt-bridge.sh create mode 100644 core/conf/iptables/ipt-conf.sh create mode 100644 core/conf/iptables/ipt-firewall.sh create mode 100644 core/conf/iptables/ipt-server.sh delete mode 100644 core/conf/iptables/net.v4 delete mode 100644 core/scripts/iptables-conf.sh delete mode 100644 core/scripts/iptables.sh diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4 deleted file mode 100644 index 61da499..0000000 --- a/core/conf/iptables/br-lan.v4 +++ /dev/null @@ -1,136 +0,0 @@ -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:blocker - [0:0] -:client_in - [0:0] -:client_out - [0:0] -:netconf_in - [0:0] -:netconf_out - [0:0] -:server_in - [0:0] -:server_out - [0:0] --A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT --A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT --A INPUT -j blocker --A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in --A INPUT -d 10.0.0.0/8 -i br0 -j client_in --A INPUT -i br0 -j netconf_in --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j blocker --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 --A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT --A OUTPUT -j blocker --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out --A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out --A OUTPUT -o br0 -j netconf_out --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 --A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7 --A blocker -s 8.8.0.0/24 -j DROP --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A blocker -f -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP --A blocker -j RETURN --A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -j RETURN --A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -j RETURN --A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT --A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7 --A netconf_in -p icmp -j ACCEPT --A netconf_in -j RETURN --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7 --A netconf_out -p icmp -j ACCEPT --A netconf_out -j RETURN --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -j RETURN --A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -j RETURN -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh new file mode 100644 index 0000000..6f70e7c --- /dev/null +++ b/core/conf/iptables/ipt-bridge.sh @@ -0,0 +1,158 @@ +#!/bin/bash + +echo "setting bridge ${BR_IF} network..." +echo 1 > /proc/sys/net/ipv4/ip_forward + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + +####### NAT Prerouting Chain ###### +#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53 +#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53 +$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443 +#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + +####### Forward Chain ###### +$IPT -A FORWARD -j blocker +$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + +# Allow access from bridge to gateway wifi interface +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out + +#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in +#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out + +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +# +# +# Tap1 +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out +# +# +## Tap3 +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in +# +# +######## Forward TAP2 ssh, http and https ###### +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out + +# Tap1, Tap2 and Tap3 can access external https + +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in + +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT + + +# +# #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip +# +# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp +# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + +# +#Less noise +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP + +####### Input Chain ###### +$IPT -A INPUT -j blocker +#Less noise +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP +$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP +$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP + +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in +$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in + +$IPT -A INPUT -i ${BR_IF} -j srv_dhcp + +$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp + +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in +$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in + +$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in + +####### Output Chain ###### +$IPT -A OUTPUT -j blocker + +#Less noise +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP + +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out + +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out + +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out + + +$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out +$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out +$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out + +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out + +#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out + +####### PostRouting Chain ###### +#Less noise +#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT + +$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE + +#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh new file mode 100644 index 0000000..3874cee --- /dev/null +++ b/core/conf/iptables/ipt-conf.sh @@ -0,0 +1,20 @@ +#!/bin/bash +TYPE=bridge +#TYPE=server + +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" + +# public interface to network/internet +BR_IF="br0" +BR_NET="10.0.0.0/8" +GW="10.0.0.1" +#DNS="10.0.0.254" +DNS="212.55.154.174" + +PUB_IP="10.0.0.254" +PUB_IF="enp8s0" + +# private interface for virtual/internal +WIFI_IF="wlp7s0" +WIFI_NET="192.168.1.0/24" diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh new file mode 100644 index 0000000..4697de0 --- /dev/null +++ b/core/conf/iptables/ipt-firewall.sh @@ -0,0 +1,258 @@ +#!/bin/bash + +IPT="/usr/sbin/iptables" + +ipt_clear () { + echo "clear all iptables tables" + + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + iptables -N blocker + + iptables -N srv_dhcp + iptables -N srv_rip + iptables -N srv_icmp + iptables -N srv_dns_in + iptables -N srv_dns_out + iptables -N srv_http_in + iptables -N srv_http_out + iptables -N srv_https_in + iptables -N srv_https_out + iptables -N srv_ssh_in + iptables -N srv_ssh_out + iptables -N srv_git_in + iptables -N srv_git_out + iptables -N srv_db_in + iptables -N srv_db_out + + + iptables -N cli_dns_in + iptables -N cli_dns_out + iptables -N cli_http_in + iptables -N cli_http_out + iptables -N cli_https_in + iptables -N cli_https_out + iptables -N cli_ssh_in + iptables -N cli_ssh_out + iptables -N cli_pops_in + iptables -N cli_pops_out + iptables -N cli_smtps_in + iptables -N cli_smtps_out + iptables -N cli_irc_in + iptables -N cli_irc_out + iptables -N cli_ftp_in + iptables -N cli_ftp_out + iptables -N cli_git_in + iptables -N cli_git_out + iptables -N cli_gpg_in + iptables -N cli_gpg_out + + # Set Default Rules + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP +} + +ipt_log () { + ## log everything else and drop + $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " +} + + +ipt_tables () { + echo "start adding tables..." + + ####### blocker Chain ###### + ## Block google dns + #$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " + #$IPT -A blocker -s 8.8.0.0/24 -j DROP + ## Block sync + $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " + $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP + ## Block Fragments + $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " + $IPT -A blocker -f -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " + $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + ## Return to caller + $IPT -A blocker -j RETURN + + ######## DNS Server + #echo "server_in chain: Allow input to DNS Server" + $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -j RETURN + #echo "srv_dns_out chain: Allow output from DNS server" + $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -j RETURN + + ####### Database Server + $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_db_in -j RETURN + $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_db_out -j RETURN + + ####### SSH Server + $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ + --hitcount 4 --rttl --name SSH -j DROP + + $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + + $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \ + --hitcount 4 --rttl --name SSH -j DROP + + $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_in -j RETURN + + $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -j RETURN + + ####### HTTP Server + $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_http_in -j RETURN + $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_http_out -j RETURN + + ####### HTTPS Server + $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_https_in -j RETURN + $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_https_out -j RETURN + + ###### GIT server + $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_git_in -j RETURN + $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_git_out -j RETURN + + ######## DNS Client + $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -j ACCEPT + $IPT -A cli_dns_out -j RETURN + $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -j ACCEPT + $IPT -A cli_dns_in -j RETURN + + ######## HTTP Client + #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP + $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -j RETURN + $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -j RETURN + + ######## IRC client + $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_irc_in -j RETURN + $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_irc_out -j RETURN + + ######## FTP client + $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_in -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPT -A cli_ftp_in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_in -j RETURN + $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + $IPT -A cli_ftp_out -j RETURN + + ######## GIT client + $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_git_in -j RETURN + $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_git_out -j RETURN + + ######## POP3S client + $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_pops_in -j RETURN + $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_pops_out -j RETURN + + ######## SMTPS client + $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_in -j RETURN + $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_out -j RETURN + + ######## HTTPS client + $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -j RETURN + $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -j RETURN + + ######## SSH client + $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -j RETURN + $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -j RETURN + + ######## GPG key client + $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_in -j RETURN + $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_out -j RETURN + + ######## DHCP Server + $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -j RETURN + + ####### RIP Server + $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT + $IPT -A srv_rip -j RETURN + + ####### ICMP Server + $IPT -A srv_icmp -p icmp -j ACCEPT + $IPT -A srv_icmp -j RETURN +} + + diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh new file mode 100644 index 0000000..225fd31 --- /dev/null +++ b/core/conf/iptables/ipt-server.sh @@ -0,0 +1,37 @@ +echo "setting server network..." + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + +####### Input Chain ###### +$IPT -A INPUT -j blocker + +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in +#$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in + + +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in + +####### Output Chain ###### +$IPT -A OUTPUT -j blocker + +$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out +#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out + +$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out +$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out + +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out diff --git a/core/conf/iptables/net.v4 b/core/conf/iptables/net.v4 deleted file mode 100644 index 568455a..0000000 --- a/core/conf/iptables/net.v4 +++ /dev/null @@ -1,111 +0,0 @@ -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*security -:INPUT ACCEPT [4559:2307887] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [4459:962215] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*raw -:PREROUTING ACCEPT [18446:3412851] -:OUTPUT ACCEPT [4467:962535] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*nat -:PREROUTING ACCEPT [13936:1107904] -:INPUT ACCEPT [49:2940] -:OUTPUT ACCEPT [504:40037] -:POSTROUTING ACCEPT [504:40037] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:ACCEPTLOG - [0:0] -:DROPLOG - [0:0] -:REJECTLOG - [0:0] -:RELATED_ICMP - [0:0] -:SYN_FLOOD - [0:0] --A INPUT -i lo -j ACCEPT --A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT --A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" --A INPUT -p icmp -j DROP --A INPUT -p icmp -f -j DROPLOG --A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP --A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A INPUT -p icmp -j DROPLOG --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT --A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP --A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP --A INPUT -m state --state INVALID -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG --A INPUT -f -j DROPLOG --A INPUT -j DROPLOG --A FORWARD -p icmp -f -j DROPLOG --A FORWARD -p icmp -j DROPLOG --A FORWARD -m state --state INVALID -j DROP --A FORWARD -j REJECTLOG --A OUTPUT -o lo -j ACCEPT --A OUTPUT -p icmp -j ACCEPT --A OUTPUT -p icmp -f -j DROPLOG --A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP --A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A OUTPUT -p icmp -j DROPLOG --A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -m state --state INVALID -j DROP --A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -j DROPLOG --A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A ACCEPTLOG -j ACCEPT --A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A DROPLOG -j DROP --A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset --A REJECTLOG -j REJECT --reject-with icmp-port-unreachable --A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT --A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT --A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT --A RELATED_ICMP -j DROPLOG --A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN --A SYN_FLOOD -j DROP -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index dd17b97..26a48b4 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,86 +1,39 @@ -#!/bin/sh -# -# /etc/rc.d/iptables: load/unload iptable rules -# -rules=/etc/iptables/net.v4 - -iptables_clear () { - echo "clear all iptables tables" - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X -} +source /etc/iptables/ipt-conf.sh +source /etc/iptables/ipt-firewall.sh case $1 in - start) - echo "starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore ${rules} - ;; - stop) - iptables_clear - echo "stopping firewall and deny everyone..." - /usr/sbin/iptables -P INPUT DROP - /usr/sbin/iptables -P FORWARD DROP - /usr/sbin/iptables -P OUTPUT DROP - - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - - ;; - open) - iptables_clear - echo "outgoing Open firewall and deny everyone..." - - /usr/sbin/iptables -P INPUT DROP - /usr/sbin/iptables -P FORWARD DROP - /usr/sbin/iptables -P OUTPUT ACCEPT - - /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT - /usr/sbin/iptables -t mangle -P INPUT ACCEPT - /usr/sbin/iptables -t mangle -P FORWARD ACCEPT - /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT - /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT - - /usr/sbin/iptables -A OUTPUT -j ACCEPT - - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - - # Accept passive - /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT - /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT - /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT - - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - - ;; - - restart) - $0 stop - $0 start - ;; - *) - - echo "usage: $0 [start|stop|restart]" - ;; + start) + ipt_clear + ipt_tables + case $TYPE in + bridge) + source /etc/iptables/ipt-bridge.sh + + ## log everything else and drop + ipt_log + + iptables-save > /etc/iptables/net.v4 + ;; + server) + source /etc/iptables/iptables-conf.sh + + ## log everything else and drop + iptables_log + + iptables-save > /etc/iptables/net.v4 + ;; + esac + ;; + stop) + + ipt_clear + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "Usage: $0 [start|stop|restart]" + ;; esac - -# End of file diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh deleted file mode 100644 index 478ce08..0000000 --- a/core/scripts/iptables-conf.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -TYPE=bridge -#TYPE=server - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" - -# public interface to network/internet -BR_IF="br0" -BR_NET="10.0.0.0/8" -GW="10.0.0.1" -#DNS="10.0.0.254" -DNS="212.55.154.174" - -PUB_IP="10.0.0.254" -PUB_IF="enp8s0" - -# private interface for virtual/internal -#PRIV_IF="wlp7s0" -#PRIV_NET="192.168.1.0/24" diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh deleted file mode 100644 index 0516d94..0000000 --- a/core/scripts/iptables.sh +++ /dev/null @@ -1,420 +0,0 @@ -#!/bin/bash - -source /etc/iptables/iptables-conf.sh - -iptables_clear () { - echo "clear all iptables tables" - - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X - iptables -N blocker - - iptables -N srv_dhcp - iptables -N srv_rip - iptables -N srv_icmp - iptables -N srv_dns_in - iptables -N srv_dns_out - iptables -N srv_http_in - iptables -N srv_http_out - iptables -N srv_https_in - iptables -N srv_https_out - iptables -N srv_ssh_in - iptables -N srv_ssh_out - iptables -N srv_git_in - iptables -N srv_git_out - iptables -N srv_db_in - iptables -N srv_db_out - - - iptables -N cli_dns_in - iptables -N cli_dns_out - iptables -N cli_http_in - iptables -N cli_http_out - iptables -N cli_https_in - iptables -N cli_https_out - iptables -N cli_ssh_in - iptables -N cli_ssh_out - iptables -N cli_pops_in - iptables -N cli_pops_out - iptables -N cli_smtps_in - iptables -N cli_smtps_out - iptables -N cli_irc_in - iptables -N cli_irc_out - iptables -N cli_ftp_in - iptables -N cli_ftp_out - iptables -N cli_git_in - iptables -N cli_git_out - iptables -N cli_gpg_in - iptables -N cli_gpg_out - - # Set Default Rules - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP -} - -iptables_log () { - ## log everything else and drop - $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -} - - -iptables_tables () { - echo "start adding tables..." - - ####### blocker Chain ###### - ## Block google dns - $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " - $IPT -A blocker -s 8.8.0.0/24 -j DROP - ## Block sync - $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " - $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP - ## Block Fragments - $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " - $IPT -A blocker -f -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " - $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - ## Return to caller - $IPT -A blocker -j RETURN - - ######## DNS Server - #echo "server_in chain: Allow input to DNS Server" - $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -j RETURN - #echo "srv_dns_out chain: Allow output from DNS server" - $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -j RETURN - - ####### Database Server - $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_db_in -j RETURN - $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_db_out -j RETURN - - ####### SSH Server - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ - --update --seconds 60 --hitcount 4 --rttl \ - --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ - --hitcount 4 --rttl --name SSH -j DROP - - $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - - $IPT -A srv_ssh_in -j RETURN - $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_ssh_out -j RETURN - - ####### HTTP Server - $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_http_in -j RETURN - $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_http_out -j RETURN - - ####### HTTPS Server - $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_https_in -j RETURN - $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_https_out -j RETURN - - ###### GIT server - $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_git_in -j RETURN - $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_git_out -j RETURN - - ######## DNS Client - $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_dns_out -j RETURN - $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_dns_in -j RETURN - - ######## HTTP Client - #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP - - $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -j RETURN - $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -j RETURN - - ######## IRC client - $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_irc_in -j RETURN - $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_irc_out -j RETURN - - ######## FTP client - - $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_in -j RETURN - $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_out -j RETURN - ######## GIT client - $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_git_in -j RETURN - $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_git_out -j RETURN - - ######## POP3S client - $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_pops_in -j RETURN - $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_pops_out -j RETURN - - ######## SMTPS client - $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_in -j RETURN - $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_out -j RETURN - - ######## HTTPS client - $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -j RETURN - $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -j RETURN - - ######## SSH client - $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -j RETURN - $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -j RETURN - - ######## GPG key client - $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_in -j RETURN - $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_out -j RETURN - - ######## DHCP Server - $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -j RETURN - - ####### RIP Server - $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT - $IPT -A srv_rip -j RETURN - - ####### ICMP Server - $IPT -A srv_icmp -p icmp -j ACCEPT - $IPT -A srv_icmp -j RETURN -} - -case $TYPE in - bridge) - iptables_clear - iptables_tables - - echo "setting bridge network..." - echo 1 > /proc/sys/net/ipv4/ip_forward - - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### NAT Prerouting Chain ###### - - ####### Forward Chain ###### - $IPT -A FORWARD -j blocker - $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - # Tap1 and Tap3 can access external http - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out - - ####### Forward TAP2 ssh, http and https ###### - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out - # - # #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip - # - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp - - # Tap1, Tap2 and Tap3 can access external https - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in - - #Less noise - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - #Less noise - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - #Less noise - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out - - ####### PostRouting Chain ###### - #Less noise - #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT - - #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE - - ## log everything else and drop - iptables_log - - #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " - # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " - - iptables-save > /etc/iptables/net.v4 - exit 0 - ;; - - server) - iptables_clear - iptables_tables - - echo "setting server network..." - - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in - #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in - - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out - #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out - - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out - - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out - - ## log everything else and drop - iptables_log - - iptables-save > /etc/iptables/net.v4 - exit 0 - - ;; - *) - - echo "usage: $0 [start|stop|restart]" - ;; -esac - -- cgit 1.4.1-2-gfad0 From 0cef8d9f3ae8a557d44c54b08a3f634bf305af78 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 8 Dec 2018 02:11:24 +0000 Subject: wlan and blan scripts revision --- core/conf/rc.d/wlan | 47 ++++++++++++++++++++++++++++++++++++----------- tools/conf/etc/rc.d/blan | 13 ++++++++----- 2 files changed, 44 insertions(+), 16 deletions(-) diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan index 86910bc..c9c60ec 100755 --- a/core/conf/rc.d/wlan +++ b/core/conf/rc.d/wlan @@ -3,8 +3,11 @@ # /etc/rc.d/wlan: start/stop wireless interface # -DEV=wlp7s0 +# Connection type: "DHCP" or "static" +#TYPE="DHCP" +TYPE="static" +DEV=wlp7s0 SSD=/sbin/start-stop-daemon PROG_DHCP=/sbin/dhcpcd @@ -15,6 +18,11 @@ PID_WIFI=/var/run/wpa_supplicant.pid OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV" OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV" +ADDR=192.168.1.67 +MASK=24 +GW=192.168.1.254 + + print_status() { $SSD --status --pidfile $2 case $? in @@ -27,20 +35,37 @@ print_status() { case $1 in start) - $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \ - $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP - RETVAL=$? + + if [ "${TYPE}" = "DHCP" ]; then + $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \ + $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP + RETVAL=$? + else + + /sbin/ip link set ${DEV} up + + $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI + + RETVAL=$? + + /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + + /sbin/ip route add default via ${GW} + fi ;; stop) - ( $SSD --stop --retry 10 --pidfile $PID_DHCP - $SSD --stop --retry 10 --pidfile $PID_WIFI ) - RETVAL=$? - /sbin/ip route del default dev ${DEV} - /sbin/ip route flush dev ${DEV} - /sbin/ip link set ${DEV} down - /sbin/ip addr flush dev ${DEV} + if [ "${TYPE}" = "DHCP" ]; then + ( $SSD --stop --retry 10 --pidfile $PID_DHCP + $SSD --stop --retry 10 --pidfile $PID_WIFI ) + RETVAL=$? + else + $SSD --stop --retry 10 --pidfile $PID_WIFI + RETVAL=$? + /sbin/ip link set ${DEV} down + /sbin/ip route del default + /sbin/ip addr del ${ADDR}/${MASK} dev ${DEV} + fi ;; restart) $0 stop diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan index 56d1809..61ac2d6 100755 --- a/tools/conf/etc/rc.d/blan +++ b/tools/conf/etc/rc.d/blan @@ -1,14 +1,16 @@ #!/bin/sh # -# /etc/rc.d/net: start/stop network interface +# /etc/rc.d/blan: start/stop virtual network interfaces # DEV="br0" PHY="enp8s0" -ADDR=10.0.0.1 -NET=10.0.0.0 -MASK=24 +ADDR=10.0.0.254 +#ADDR=10.0.1.254 +MASK=8 +#GW=10.0.0.1 +GW=192.168.1.254 # one tap for each cpu core NTAPS=$((`/usr/bin/nproc`)) @@ -20,6 +22,7 @@ case $1 in /sbin/ip link set dev ${DEV} up /bin/sleep 0.2s + # Add network to virtual bridge /sbin/ip link set dev ${PHY} down /bin/sleep 0.1s /sbin/ip route flush dev ${PHY} @@ -28,7 +31,7 @@ case $1 in /bin/sleep 0.2s /sbin/ip link set dev ${PHY} master ${DEV} - #/sbin/ip route add default via ${GW} + /sbin/ip route add default via ${GW} for i in `/usr/bin/seq $NTAPS` do -- cgit 1.4.1-2-gfad0 From 2832cbc97478441927b7d4fa0b6127518d012b61 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 9 Dec 2018 00:02:52 +0000 Subject: core revision --- core/apparmor.html | 2 +- core/bash.html | 2 +- core/configure.html | 2 +- core/dash.html | 2 +- core/exim.html | 2 +- core/hardening.html | 2 +- core/index.html | 6 ++--- core/install.html | 58 +++++++++++++++++++-------------------------- core/linux.html | 2 +- core/network.html | 2 +- core/package.html | 2 +- core/ports.html | 2 +- core/reboot.html | 2 +- core/samhain.html | 2 +- core/sysctl.html | 2 +- core/tmux.html | 2 +- core/toolchain.html | 2 +- core/tty-terminal.html | 2 +- tools/scripts/pkgmk-test.sh | 2 +- 19 files changed, 45 insertions(+), 53 deletions(-) diff --git a/core/apparmor.html b/core/apparmor.html index 709f2a4..9954593 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -98,7 +98,7 @@ Core OS Index This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/bash.html b/core/bash.html index be17c71..72e746d 100644 --- a/core/bash.html +++ b/core/bash.html @@ -156,7 +156,7 @@ fi
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/configure.html b/core/configure.html index 2fadfcf..7d34bf7 100644 --- a/core/configure.html +++ b/core/configure.html @@ -272,7 +272,7 @@ Core OS IndexThis is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
Documentation Index -c9 Core OS covers installation and configuration of basic functionality of Crux 3.4 Gnu\Linux operating system. @@ -155,7 +155,7 @@
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/install.html b/core/install.html index dfde50a..46793c9 100644 --- a/core/install.html +++ b/core/install.html @@ -75,7 +75,7 @@ installations. Partition size 128M;- (parted) mkpart ESP fat32 4 125 + (parted) mkpart ESP fat32 4 132 (parted) name 2 efi (parted) set 2 boot on@@ -83,70 +83,62 @@
Boot partition. Partition with 1G provide room for kernels - and crux iso that can be directly boot from grub (without root + and bootable iso's that can be directly boot from grub (without root partition). Partition size 1G;
- (parted) mkpart primary ext4 125 1128 + (parted) mkpart primary ext4 132 1132 (parted) name 3 boot
Normal core crux installation root partition uses - approximately 2G, without /usr 200MB-500M. Minimum 2G - is recommended to give room to root home directory with - dedicated (separated) usr and var partition. - Partition size 4G;
+Core collection installation on root partition uses + approximately 2G. Partition with 8G-20G is recommended + for a server or desktop with dedicated ports partition + or using only compiled packages. Partition size 20G;
- (parted) mkpart primary ext4 1128 5128 + (parted) mkpart primary ext4 1132 21132 (parted) name 4 root
Var partition is recommended 1G-5G depending on how - system is configured. Partition size 1G;
+ system is configured. Partition size 2G;- (parted) mkpart primary ext4 5128 6128 + (parted) mkpart primary ext4 21132 23132 (parted) name 5 var-
User partition with 4G-8G is recommended for a desktop - setup, with dedicated partition for ports. Partition size - 8G;
- -- (parted) mkpart primary ext4 6128 14128 - (parted) name 6 usr --
Swap partition general advice is to have the same size as memory ram, ports system will be configured to build on ram. - To build firefox is necessary at least 34G, swap partitions - will be added to lvm and this partition removed. - Partition size 4G;
+ To build firefox is necessary at least 34G. Partition size 4G; + +Is better to create swap partition later using + lvm.
- (parted) mkpart primary linux-swap 14128 18128 - (parted) name 3 swap + (parted) mkpart primary linux-swap 23132 27132 + (parted) name 6 swap
Home partition general advice is to fill the rest of disk - space. Home partition will be added later to lvm and this - partition removed. Fill the rest of disk space;
+Home partition on desktop fill the rest of disk + space while on server this partition can be unnecessary. + Fill the rest of disk space;
+ +Is better to create home partition later using + lvm.
- (parted) mkpart primary ext4 18128 100% - (parted) name 8 home + (parted) mkpart primary ext4 27132 100% + (parted) name 7 home
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/linux.html b/core/linux.html index f4dd14f..670d0e7 100644 --- a/core/linux.html +++ b/core/linux.html @@ -858,7 +858,7 @@ Core OS IndexThis is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/network.html b/core/network.html index feb9765..2b94e50 100644 --- a/core/network.html +++ b/core/network.html @@ -445,7 +445,7 @@This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/package.html b/core/package.html index 4aa649d..bedb132 100644 --- a/core/package.html +++ b/core/package.html @@ -184,7 +184,7 @@ Core OS IndexThis is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/ports.html b/core/ports.html index 7f1cd54..32e5095 100644 --- a/core/ports.html +++ b/core/ports.html @@ -191,7 +191,7 @@This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/dash.html b/core/dash.html index 134616d..a273107 100644 --- a/core/dash.html +++ b/core/dash.html @@ -21,7 +21,7 @@ Core OS Index
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/exim.html b/core/exim.html index 2f93af8..23708d2 100644 --- a/core/exim.html +++ b/core/exim.html @@ -226,7 +226,7 @@
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/hardening.html b/core/hardening.html index 60fea58..1455398 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -45,7 +45,7 @@ Core OS Index
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/index.html b/core/index.html index 9145f3e..8be7606 100644 --- a/core/index.html +++ b/core/index.html @@ -2,13 +2,13 @@
-
+
diff --git a/core/reboot.html b/core/reboot.html index 1fae99b..505a889 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -225,7 +225,7 @@ Core OS Index
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/samhain.html b/core/samhain.html index f161a16..d28a6d2 100644 --- a/core/samhain.html +++ b/core/samhain.html @@ -257,7 +257,7 @@
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/sysctl.html b/core/sysctl.html index b871158..525a6cf 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -618,7 +618,7 @@ Core OS Index
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/tmux.html b/core/tmux.html index d6bc2c5..b94253d 100644 --- a/core/tmux.html +++ b/core/tmux.html @@ -110,7 +110,7 @@
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/toolchain.html b/core/toolchain.html index 0ed64bc..57113fd 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -176,7 +176,7 @@ Core OS Index
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 2696119..6eb08d3 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -74,7 +74,7 @@ Core OS Index
This is part of the Hive System Documentation. Copyright (C) 2018 - c9 team. + Hive Team. See the file Gnu Free Documentation License for copying conditions.
diff --git a/tools/scripts/pkgmk-test.sh b/tools/scripts/pkgmk-test.sh
index a279967..4cfe2c3 100644
--- a/tools/scripts/pkgmk-test.sh
+++ b/tools/scripts/pkgmk-test.sh
@@ -1,5 +1,5 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
CONF=${DIR}/pkgmk-test.conf
-
+echo "pkgmk -cf $CONF -d -is $1"
fakeroot pkgmk -cf $CONF -d -is $1
--
cgit 1.4.1-2-gfad0
From 6844eee3fbbdc834f22fd0667a41d80d66d307c0 Mon Sep 17 00:00:00 2001
From: Silvino Silva
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License for copying conditions.