From 3ebe80fbdcd6bdf1d9d228bd64e18a33b58b11f3 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 5 Dec 2018 22:44:46 +0000 Subject: core script backup-system revison --- core/scripts/backup-system.sh | 331 +++++++++++++++++++----------------------- 1 file changed, 151 insertions(+), 180 deletions(-) (limited to 'core/scripts') diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index 9e1ed2f..ad037ef 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -2,8 +2,9 @@ ROOT_DIR= DEST_DIR=/root/backup -PORT_PKG="${DEST_DIR}/crux" -PORT_PRT="${DEST_DIR}/ports" +DEST_SYS="${DEST_DIR}/system" +PORT_PKG="${DEST_SYS}/packages" +PORT_PRT="${DEST_SYS}/ports" DATA_CNF="${DEST_DIR}/conf" DATA_USR="${DEST_DIR}/user" DATA_SRV="${DEST_DIR}/srv" @@ -20,164 +21,16 @@ ConfirmOrExit () echo "Aborting - you entered $CONFIRM" exit ;; - *) echo "Please enter only y or n" - esac - done - echo "You entered $CONFIRM. Continuing ..." -} - -mkbk_coll_pkg() { - # backup binary packages per collection - col=$1 - # make backup collection directory - mkdir ${PORT_PKG}/${col} - # for each package listed in col_name.pkg - while read line; do - # if binary package don't exist try to build - if [ ! -f /usr/ports/packages/${line} ]; then - echo "Building package: ${line};\n" - name=$(echo ${line} | cut -d "#" -f 1) - $sudo prt-get update -fr ${name} - fi - - # if binary package exist copy to destination - if [ -f /usr/ports/packages/${line} ]; then - echo "Backing up package: ${line}" - echo ${line} >> ${DEST_DIR}/backup.pkg - cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/ - else - echo "Package not found: ${line}" - echo ${line} >> ${DEST_DIR}/${col}-notfound.pkg - fi - done < $DEST_DIR/${col}.pkg -} - -mkbk_coll_ports() { - # backup collection ports - col=$1 - - tar --xattrs -zcpf $PORT_PRT/${col}.tar.gz \ - --directory=$ROOT_DIR/usr/ports/${col} \ - --exclude=.git/ \ -} - -mkbk_metadata() { - - # archive pkgutils data - tar --xattrs -zcpf $DATA_CNF/pkg-db.tar.gz \ - /var/lib/pkg/db - - # must be using gwak instead of sed, xargs and echo - prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${DEST_DIR}/installed.pkg - - # make list and copy installed core packages - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/core" | cut -d " " -f 3 > ${DEST_DIR}/core.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/opt" | cut -d " " -f 3 > $DEST_DIR/opt.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/contrib" | cut -d " " -f 3 > $DEST_DIR/contrib.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/xorg" | cut -d " " -f 3 > $DEST_DIR/xorg.pkg - - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep -v "yes /usr/ports/core" | grep -v "yes /usr/ports/opt" | grep -v "yes /usr/ports/contrib" | grep -v "yes /usr/ports/xorg" | grep "yes " | cut -d " " -f 3 > $DEST_DIR/other.pkg - -} - -mkbk_etc_conf() { - - tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \ - --directory=$ROOT_DIR/etc \ - . - - tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \ - --directory=$ROOT_DIR/usr/etc \ - . -} - -mkbk_srv_www() { - - # backup web data first stop php and nginx - - for pkg_www in ${ROOT_DIR}/srv/www/*; do - if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then - pkg_back="${DATA_SRV}/www" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz" - exc="${pkg_www}/backup_deploy" - tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www} - fi - done -} - -mkbk_srv_pgsql() { - - # backup database data first dump all databases - - pkg_back="${DATA_SRV}/pgsql" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz - - tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \ - ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \ - ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \ - ${ROOT_DIR}/srv/pgsql/data/postgresql.conf -} - -mkbk_srv_gitolite() { - - # backup gitolite repositories - - pkg_back="${DATA_SRV}/gitolite" - if [ ! -d ${pkg_back} ]; then - mkdir -p ${pkg_back} - fi - - tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \ - --directory=${ROOT_DIR}/srv/gitolite \ - . -} - -mkbk_user_metadata() { - - for dir in /home/*; do - if [ "${dir}" != "/home/lost+found" ]; then - user=$(basename $dir) - tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \ - $dir/.bash_profile \ - $dir/.bashrc \ - $dir/.config \ - $dir/.gitconfig \ - $dir/.gnupg \ - $dir/.irssi \ - $dir/.lynxrc \ - $dir/.mutt \ - $dir/.netrc \ - $dir/.profile \ - $dir/.spectrwm.conf \ - $dir/.ssh \ - $dir/.tmux.conf \ - $dir/.vim \ - $dir/.vimrc \ - $dir/.xinitrc - - # encript data - #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ - # --encrypt --recipient user@host \ - # "${DATA_USR}/meta-${user}.tar.gz" - - tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ - $dir/gitolite-admin - fi - done + *) echo "Please enter only y or n" +esac +done +echo "You entered $CONFIRM. Continuing ..." } print_data () { echo "ROOT_DIR=${ROOT_DIR}" echo "DEST_DIR=${DEST_DIR}" + echo "DEST_SYS=${DEST_SYS}" echo "PORT_PKG=${PORT_PKG}" echo "PORT_PRT=${PORT_PRT}" echo "DATA_CNF=${DATA_CNF}" @@ -205,11 +58,13 @@ while [ "$1" ]; do DEST_DIR=$2 # Destination directory - PORT_PKG="${DEST_DIR}/crux" - PORT_PRT="${DEST_DIR}/ports" - DATA_CNF="${DEST_DIR}/conf" - DATA_USR="${DEST_DIR}/user" - DATA_SRV="${DEST_DIR}/srv" + DEST_SYS="${DEST_DIR}/system" + PORT_PKG="${DEST_SYS}/packages" + PORT_PRT="${DEST_SYS}/ports" + DATA_CNF="${DEST_DIR}/conf" + DATA_USR="${DEST_DIR}/user" + DATA_SRV="${DEST_DIR}/srv" + shift ;; -h|--help) print_help @@ -231,60 +86,176 @@ mkdir -p ${DATA_CNF} mkdir -p ${DATA_USR} mkdir -p ${DATA_SRV} -# Light backup data -mkbk_metadata -mkbk_etc_conf +# Backup system settings +tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \ + --directory=$ROOT_DIR/etc \ + . +tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \ + --directory=$ROOT_DIR/usr/etc \ + . + +# User Meta Data while true do - echo -n "Backup user metadata ? Please confirm (y or n) :" + echo "Backup User Metadata ?" + echo "Please confirm (y or n): " read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_user_metadata + for dir in /home/*; do + if [ "${dir}" != "/home/lost+found" ]; then + user=$(basename $dir) + tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \ + $dir/.bash_profile \ + $dir/.bashrc \ + $dir/.config \ + $dir/.gitconfig \ + $dir/.gnupg \ + $dir/.irssi \ + $dir/.lynxrc \ + $dir/.mutt \ + $dir/.netrc \ + $dir/.profile \ + $dir/.spectrwm.conf \ + $dir/.ssh \ + $dir/.tmux.conf \ + $dir/.vim \ + $dir/.vimrc \ + $dir/.xinitrc + + # encript data + #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \ + # --encrypt --recipient user@host \ + # "${DATA_USR}/meta-${user}.tar.gz" + + tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \ + $dir/gitolite-admin + fi + done break ;; *) echo "Please enter only y or n" esac done +# Server Data while true do - echo -n "Backup web services data (/srv) ? Please confirm (y or n) :" + echo "Backup Server Data ?" + echo "Please confirm (y or n): " read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_srv_www - mkbk_srv_pgsql - mkbk_srv_gitolite + + # backup web data first stop php and nginx + for pkg_www in ${ROOT_DIR}/srv/www/*; do + if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then + pkg_back="${DATA_SRV}/www" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz" + exc="${pkg_www}/backup_deploy" + tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www} + fi + done + + # backup database data first dump all databases + pkg_back="${DATA_SRV}/pgsql" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz + + tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \ + ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \ + ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \ + ${ROOT_DIR}/srv/pgsql/data/postgresql.conf + + + # backup gitolite repositories + pkg_back="${DATA_SRV}/gitolite" + if [ ! -d ${pkg_back} ]; then + mkdir -p ${pkg_back} + fi + + tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \ + --directory=${ROOT_DIR}/srv/gitolite \ + . + break ;; *) echo "Please enter only y or n" esac done - +# Port System while true do - echo -n "Backup port system ? Please confirm (y or n) :" + echo "Backup Port System ?" + echo "Please confirm (y or n) :" read CONFIRM case $CONFIRM in n|N|no|NO|No) break ;; y|Y|YES|yes|Yes) echo "Accept - you entered $CONFIRM" - mkbk_coll_ports "core" - mkbk_coll_pkg "core" - mkbk_coll_ports "opt" - mkbk_coll_pkg "opt" - mkbk_coll_ports "contrib" - mkbk_coll_pkg "contrib" - mkbk_coll_ports "xorg" - mkbk_coll_pkg "xorg" - mkbk_coll_pkg "other" + + # archive pkgutils data + tar --xattrs -zcpf $DEST_SYS/pkg-db.tar.gz \ + /var/lib/pkg/db + + # archive ports data + tar --xattrs -zcpf $DEST_SYS/etc_ports.tar.gz \ + --directory=/etc/ports \ + . + + METADATA=${DEST_SYS}/meta-data + mkdir -p $METADATA + + # must be using gwak instead of sed, xargs and echo + prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${METADATA}/all_installed.pkg + + for filename in /etc/ports/*.git; do + source $filename + + echo "Backing up collection: $NAME" + # create list of installed packages + prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg + + # backup collection ports + tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \ + --directory=$ROOT_DIR/usr/ports/${NAME} \ + --exclude=.git/ \ + . + + # backup collection packages + while read line; do + if [ ! -f /usr/ports/packages/${line} ]; then + echo "Building package: ${line};\n" + PORT_NAME=$(echo ${line} | cut -d "#" -f 1) + sudo prt-get update -fr -if -is ${PORT_NAME} + (cd /usr/ports/${NAME}/${PORT_NAME} \ + && sudo pkgmk -uf) + fi + + if [ -f /usr/ports/packages/${line} ]; then + echo "Backing up package: ${NAME}/${line}" + echo ${line} >> ${METADATA}/backup.pkg + #cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/ + tar rvf ${PORT_PKG}/${NAME}.tar \ + --directory=/usr/ports/packages \ + ${line} + else + echo "Package $PORT_NAME not found: ${line}" + echo ${line} >> ${METADATA}/${NAME}-notfound.pkg + fi + done < ${METADATA}/${NAME}-installed.pkg + done break ;; *) echo "Please enter only y or n" -- cgit 1.4.1-2-gfad0 From 480cf4044595b0ebe3f56a7eea1541a274fbbf48 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 8 Dec 2018 02:00:25 +0000 Subject: core scripts revision --- core/scripts/install-core.sh | 5 ++-- core/scripts/setup-iso.sh | 4 +++- core/scripts/setup-virtual.sh | 56 ++++++++++++++++++++++--------------------- 3 files changed, 35 insertions(+), 30 deletions(-) (limited to 'core/scripts') diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh index d4d6983..d889c8b 100644 --- a/core/scripts/install-core.sh +++ b/core/scripts/install-core.sh @@ -55,7 +55,8 @@ install_core() { while read line; do pkg=${PORT_PKG}/core/${line} echo "Installing ${pkg};\n" - ${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg} + #${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg} + pkgadd -f -r ${CHROOT} ${pkg} done < ${CORE_LS} rm ${CHROOT}/pkgadd @@ -67,7 +68,7 @@ install_core() { install_packages() { echo "Installing $CHROOT/media/crux/opt/fakeroot" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/fakeroot#* + $CHROOT/usr/bin/pkgadd -f -r $CHROOT ${CHROOT}/media/crux/opt/fakeroot#* echo "Installing $CHROOT/media/crux/opt/dbus" $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/dbus#* echo "Installing $CHROOT/media/crux/opt/expat" diff --git a/core/scripts/setup-iso.sh b/core/scripts/setup-iso.sh index ddad787..ebcd043 100644 --- a/core/scripts/setup-iso.sh +++ b/core/scripts/setup-iso.sh @@ -2,6 +2,7 @@ # location of iso and md5 file ISO_DIR="/usr/ports/iso" +MOUNT_POINT="/mnt/media" ISO_FILE="${ISO_DIR}/crux-3.4.iso" MD5_FILE="${ISO_DIR}/crux-3.4.md5" @@ -70,7 +71,7 @@ mount_iso() { modprobe isofs modprobe loop - mount -o loop $ISO_FILE /media + mount -o loop $ISO_FILE $MOUNT_POINT } print_data() { @@ -80,6 +81,7 @@ print_data() { echo "md5 file: ${MD5_FILE}" echo "iso url: ${ISO_URL}" echo "md5 url: ${MD5_URL}" + echo "mount point: ${MOUNT_POINT}" } print_help() { diff --git a/core/scripts/setup-virtual.sh b/core/scripts/setup-virtual.sh index 2b27a9f..3583bb6 100644 --- a/core/scripts/setup-virtual.sh +++ b/core/scripts/setup-virtual.sh @@ -20,45 +20,51 @@ ConfirmOrExit () } DEV_NAME=${1} +IMG=${2}.qcow2 +SIZE=${3} CHROOT="/mnt" DEV="/dev/${DEV_NAME}" +echo "/srv/qemu/img/${IMG}" +echo "${SIZE}" echo "DEV_NAME=${DEV_NAME}" echo "DEV=${DEV}" echo "CHROOT=${CHROOT}" ConfirmOrExit +#qemu-img create -f qcow2 example.qcow2 20G +qemu-img create -f qcow2 /srv/qemu/img/${IMG} ${SIZE} +qemu-nbd -c ${DEV} /srv/qemu/img/${IMG} + parted --script ${DEV} \ - mklabel gpt \ - unit mib \ - mkpart primary 1 3 \ - set 1 bios_grub on \ - name 1 grub \ - mkpart ESP fat32 3 59 \ - set 2 boot on \ - name 2 efi \ - mkpart primary ext4 103 200 \ - name 3 boot \ - mkpart primary linux-swap 200 456 \ - name 4 swap \ - mkpart primary ext4 456 3700 \ - name 5 root \ - mkpart primary ext4 3700 4000 \ - name 6 var \ - mkpart primary ext4 4000 100% \ - name 7 home + mklabel gpt \ + unit mib \ + mkpart primary 2 4 \ + name 1 grub \ + mkpart ESP fat32 4 128 \ + name 2 efi \ + mkpart primary ext4 128 1128 \ + name 3 boot \ + mkpart primary ext4 1128 12128 \ + name 4 root \ + mkpart primary ext4 12128 14128 \ + name 5 var \ + mkpart primary ext4 14128 100% \ + name 6 lvm \ + set 1 bios_grub on \ + set 2 boot on \ + set 6 lvm on kpartx -a -s -l -u ${DEV} mkfs.fat -F 32 /dev/mapper/${DEV_NAME}p2 mkfs.ext4 /dev/mapper/${DEV_NAME}p3 -mkswap /dev/mapper/${DEV_NAME}p4 +mkfs.ext4 /dev/mapper/${DEV_NAME}p4 mkfs.ext4 /dev/mapper/${DEV_NAME}p5 -mkfs.ext4 /dev/mapper/${DEV_NAME}p6 -mkfs.ext4 /dev/mapper/${DEV_NAME}p7 +pvcreate /dev/mapper/${DEV_NAME}p6 -mount /dev/mapper/${DEV_NAME}p5 $CHROOT +mount /dev/mapper/${DEV_NAME}p4 $CHROOT mkdir -p $CHROOT/proc mkdir -p $CHROOT/sys mkdir -p $CHROOT/dev @@ -69,8 +75,4 @@ mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot mkdir -p $CHROOT/boot/efi mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi mkdir -p $CHROOT/var -mount /dev/mapper/${DEV_NAME}p6 $CHROOT/var -mkdir -p $CHROOT/home -mount /dev/mapper/${DEV_NAME}p7 $CHROOT/home - - +mount /dev/mapper/${DEV_NAME}p5 $CHROOT/var -- cgit 1.4.1-2-gfad0 From b6b79e6d960febc3f266735e4a2f807d776b5830 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 8 Dec 2018 02:08:20 +0000 Subject: iptables revision --- core/conf/iptables/br-lan.v4 | 136 ------------ core/conf/iptables/ipt-bridge.sh | 158 ++++++++++++++ core/conf/iptables/ipt-conf.sh | 20 ++ core/conf/iptables/ipt-firewall.sh | 258 +++++++++++++++++++++++ core/conf/iptables/ipt-server.sh | 37 ++++ core/conf/iptables/net.v4 | 111 ---------- core/conf/rc.d/iptables | 117 ++++------- core/scripts/iptables-conf.sh | 21 -- core/scripts/iptables.sh | 420 ------------------------------------- 9 files changed, 508 insertions(+), 770 deletions(-) delete mode 100644 core/conf/iptables/br-lan.v4 create mode 100644 core/conf/iptables/ipt-bridge.sh create mode 100644 core/conf/iptables/ipt-conf.sh create mode 100644 core/conf/iptables/ipt-firewall.sh create mode 100644 core/conf/iptables/ipt-server.sh delete mode 100644 core/conf/iptables/net.v4 delete mode 100644 core/scripts/iptables-conf.sh delete mode 100644 core/scripts/iptables.sh (limited to 'core/scripts') diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4 deleted file mode 100644 index 61da499..0000000 --- a/core/conf/iptables/br-lan.v4 +++ /dev/null @@ -1,136 +0,0 @@ -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 -# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:blocker - [0:0] -:client_in - [0:0] -:client_out - [0:0] -:netconf_in - [0:0] -:netconf_out - [0:0] -:server_in - [0:0] -:server_out - [0:0] --A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT --A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT --A INPUT -j blocker --A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in --A INPUT -d 10.0.0.0/8 -i br0 -j client_in --A INPUT -i br0 -j netconf_in --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j blocker --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out --A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out --A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 --A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT --A OUTPUT -j blocker --A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out --A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out --A OUTPUT -o br0 -j netconf_out --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 --A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7 --A blocker -s 8.8.0.0/24 -j DROP --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A blocker -f -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP --A blocker -j RETURN --A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A client_in -j RETURN --A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT --A client_out -j RETURN --A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT --A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7 --A netconf_in -p icmp -j ACCEPT --A netconf_in -j RETURN --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT --A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7 --A netconf_out -p icmp -j ACCEPT --A netconf_out -j RETURN --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A server_in -j RETURN --A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A server_out -j RETURN -COMMIT -# Completed on Tue Apr 3 02:25:27 2018 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh new file mode 100644 index 0000000..6f70e7c --- /dev/null +++ b/core/conf/iptables/ipt-bridge.sh @@ -0,0 +1,158 @@ +#!/bin/bash + +echo "setting bridge ${BR_IF} network..." +echo 1 > /proc/sys/net/ipv4/ip_forward + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + +####### NAT Prerouting Chain ###### +#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53 +#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53 +$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443 +#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + +####### Forward Chain ###### +$IPT -A FORWARD -j blocker +$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + +# Allow access from bridge to gateway wifi interface +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out + +#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in +#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out +$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out + +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT +# +# +# Tap1 +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out +# +# +## Tap3 +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in +# +# +######## Forward TAP2 ssh, http and https ###### +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out +# +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out + +# Tap1, Tap2 and Tap3 can access external https + +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in + +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT + + +# +# #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip +# +# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp +# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + +# +#Less noise +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP + +####### Input Chain ###### +$IPT -A INPUT -j blocker +#Less noise +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP +$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP +$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP + +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in +$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in + +$IPT -A INPUT -i ${BR_IF} -j srv_dhcp + +$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp + +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in +$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in + +$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in +$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in + +####### Output Chain ###### +$IPT -A OUTPUT -j blocker + +#Less noise +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP + +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out + +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out + +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out + + +$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out +$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out +$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out + +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out +$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out + +#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out + +####### PostRouting Chain ###### +#Less noise +#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT + +$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE + +#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh new file mode 100644 index 0000000..3874cee --- /dev/null +++ b/core/conf/iptables/ipt-conf.sh @@ -0,0 +1,20 @@ +#!/bin/bash +TYPE=bridge +#TYPE=server + +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" + +# public interface to network/internet +BR_IF="br0" +BR_NET="10.0.0.0/8" +GW="10.0.0.1" +#DNS="10.0.0.254" +DNS="212.55.154.174" + +PUB_IP="10.0.0.254" +PUB_IF="enp8s0" + +# private interface for virtual/internal +WIFI_IF="wlp7s0" +WIFI_NET="192.168.1.0/24" diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh new file mode 100644 index 0000000..4697de0 --- /dev/null +++ b/core/conf/iptables/ipt-firewall.sh @@ -0,0 +1,258 @@ +#!/bin/bash + +IPT="/usr/sbin/iptables" + +ipt_clear () { + echo "clear all iptables tables" + + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + iptables -N blocker + + iptables -N srv_dhcp + iptables -N srv_rip + iptables -N srv_icmp + iptables -N srv_dns_in + iptables -N srv_dns_out + iptables -N srv_http_in + iptables -N srv_http_out + iptables -N srv_https_in + iptables -N srv_https_out + iptables -N srv_ssh_in + iptables -N srv_ssh_out + iptables -N srv_git_in + iptables -N srv_git_out + iptables -N srv_db_in + iptables -N srv_db_out + + + iptables -N cli_dns_in + iptables -N cli_dns_out + iptables -N cli_http_in + iptables -N cli_http_out + iptables -N cli_https_in + iptables -N cli_https_out + iptables -N cli_ssh_in + iptables -N cli_ssh_out + iptables -N cli_pops_in + iptables -N cli_pops_out + iptables -N cli_smtps_in + iptables -N cli_smtps_out + iptables -N cli_irc_in + iptables -N cli_irc_out + iptables -N cli_ftp_in + iptables -N cli_ftp_out + iptables -N cli_git_in + iptables -N cli_git_out + iptables -N cli_gpg_in + iptables -N cli_gpg_out + + # Set Default Rules + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP +} + +ipt_log () { + ## log everything else and drop + $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " +} + + +ipt_tables () { + echo "start adding tables..." + + ####### blocker Chain ###### + ## Block google dns + #$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " + #$IPT -A blocker -s 8.8.0.0/24 -j DROP + ## Block sync + $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " + $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP + ## Block Fragments + $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " + $IPT -A blocker -f -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " + $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + ## Return to caller + $IPT -A blocker -j RETURN + + ######## DNS Server + #echo "server_in chain: Allow input to DNS Server" + $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -j RETURN + #echo "srv_dns_out chain: Allow output from DNS server" + $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -j RETURN + + ####### Database Server + $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_db_in -j RETURN + $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_db_out -j RETURN + + ####### SSH Server + $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ + --hitcount 4 --rttl --name SSH -j DROP + + $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + + $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \ + --hitcount 4 --rttl --name SSH -j DROP + + $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_in -j RETURN + + $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -j RETURN + + ####### HTTP Server + $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_http_in -j RETURN + $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_http_out -j RETURN + + ####### HTTPS Server + $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_https_in -j RETURN + $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_https_out -j RETURN + + ###### GIT server + $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_git_in -j RETURN + $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_git_out -j RETURN + + ######## DNS Client + $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -j ACCEPT + $IPT -A cli_dns_out -j RETURN + $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -j ACCEPT + $IPT -A cli_dns_in -j RETURN + + ######## HTTP Client + #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP + $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -j RETURN + $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -j RETURN + + ######## IRC client + $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_irc_in -j RETURN + $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_irc_out -j RETURN + + ######## FTP client + $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_in -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPT -A cli_ftp_in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_in -j RETURN + $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + $IPT -A cli_ftp_out -j RETURN + + ######## GIT client + $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_git_in -j RETURN + $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_git_out -j RETURN + + ######## POP3S client + $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_pops_in -j RETURN + $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_pops_out -j RETURN + + ######## SMTPS client + $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_in -j RETURN + $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_out -j RETURN + + ######## HTTPS client + $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -j RETURN + $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -j RETURN + + ######## SSH client + $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -j RETURN + $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -j RETURN + + ######## GPG key client + $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_in -j RETURN + $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_out -j RETURN + + ######## DHCP Server + $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -j RETURN + + ####### RIP Server + $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT + $IPT -A srv_rip -j RETURN + + ####### ICMP Server + $IPT -A srv_icmp -p icmp -j ACCEPT + $IPT -A srv_icmp -j RETURN +} + + diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh new file mode 100644 index 0000000..225fd31 --- /dev/null +++ b/core/conf/iptables/ipt-server.sh @@ -0,0 +1,37 @@ +echo "setting server network..." + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + +####### Input Chain ###### +$IPT -A INPUT -j blocker + +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in +#$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in + + +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in +$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in + +####### Output Chain ###### +$IPT -A OUTPUT -j blocker + +$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out +#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out + +$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out +$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out + +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out +$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out diff --git a/core/conf/iptables/net.v4 b/core/conf/iptables/net.v4 deleted file mode 100644 index 568455a..0000000 --- a/core/conf/iptables/net.v4 +++ /dev/null @@ -1,111 +0,0 @@ -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*security -:INPUT ACCEPT [4559:2307887] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [4459:962215] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*raw -:PREROUTING ACCEPT [18446:3412851] -:OUTPUT ACCEPT [4467:962535] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*nat -:PREROUTING ACCEPT [13936:1107904] -:INPUT ACCEPT [49:2940] -:OUTPUT ACCEPT [504:40037] -:POSTROUTING ACCEPT [504:40037] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 -# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:ACCEPTLOG - [0:0] -:DROPLOG - [0:0] -:REJECTLOG - [0:0] -:RELATED_ICMP - [0:0] -:SYN_FLOOD - [0:0] --A INPUT -i lo -j ACCEPT --A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT --A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" --A INPUT -p icmp -j DROP --A INPUT -p icmp -f -j DROPLOG --A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP --A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A INPUT -p icmp -j DROPLOG --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT --A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP --A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP --A INPUT -m state --state INVALID -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG --A INPUT -f -j DROPLOG --A INPUT -j DROPLOG --A FORWARD -p icmp -f -j DROPLOG --A FORWARD -p icmp -j DROPLOG --A FORWARD -m state --state INVALID -j DROP --A FORWARD -j REJECTLOG --A OUTPUT -o lo -j ACCEPT --A OUTPUT -p icmp -j ACCEPT --A OUTPUT -p icmp -f -j DROPLOG --A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP --A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT --A OUTPUT -p icmp -j DROPLOG --A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -m state --state INVALID -j DROP --A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -j DROPLOG --A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A ACCEPTLOG -j ACCEPT --A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A DROPLOG -j DROP --A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset --A REJECTLOG -j REJECT --reject-with icmp-port-unreachable --A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT --A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT --A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT --A RELATED_ICMP -j DROPLOG --A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN --A SYN_FLOOD -j DROP -COMMIT -# Completed on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index dd17b97..26a48b4 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,86 +1,39 @@ -#!/bin/sh -# -# /etc/rc.d/iptables: load/unload iptable rules -# -rules=/etc/iptables/net.v4 - -iptables_clear () { - echo "clear all iptables tables" - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X -} +source /etc/iptables/ipt-conf.sh +source /etc/iptables/ipt-firewall.sh case $1 in - start) - echo "starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore ${rules} - ;; - stop) - iptables_clear - echo "stopping firewall and deny everyone..." - /usr/sbin/iptables -P INPUT DROP - /usr/sbin/iptables -P FORWARD DROP - /usr/sbin/iptables -P OUTPUT DROP - - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - - ;; - open) - iptables_clear - echo "outgoing Open firewall and deny everyone..." - - /usr/sbin/iptables -P INPUT DROP - /usr/sbin/iptables -P FORWARD DROP - /usr/sbin/iptables -P OUTPUT ACCEPT - - /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT - /usr/sbin/iptables -t mangle -P INPUT ACCEPT - /usr/sbin/iptables -t mangle -P FORWARD ACCEPT - /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT - /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT - - /usr/sbin/iptables -A OUTPUT -j ACCEPT - - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - - # Accept passive - /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT - /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT - /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT - - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - - ;; - - restart) - $0 stop - $0 start - ;; - *) - - echo "usage: $0 [start|stop|restart]" - ;; + start) + ipt_clear + ipt_tables + case $TYPE in + bridge) + source /etc/iptables/ipt-bridge.sh + + ## log everything else and drop + ipt_log + + iptables-save > /etc/iptables/net.v4 + ;; + server) + source /etc/iptables/iptables-conf.sh + + ## log everything else and drop + iptables_log + + iptables-save > /etc/iptables/net.v4 + ;; + esac + ;; + stop) + + ipt_clear + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "Usage: $0 [start|stop|restart]" + ;; esac - -# End of file diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh deleted file mode 100644 index 478ce08..0000000 --- a/core/scripts/iptables-conf.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -TYPE=bridge -#TYPE=server - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" - -# public interface to network/internet -BR_IF="br0" -BR_NET="10.0.0.0/8" -GW="10.0.0.1" -#DNS="10.0.0.254" -DNS="212.55.154.174" - -PUB_IP="10.0.0.254" -PUB_IF="enp8s0" - -# private interface for virtual/internal -#PRIV_IF="wlp7s0" -#PRIV_NET="192.168.1.0/24" diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh deleted file mode 100644 index 0516d94..0000000 --- a/core/scripts/iptables.sh +++ /dev/null @@ -1,420 +0,0 @@ -#!/bin/bash - -source /etc/iptables/iptables-conf.sh - -iptables_clear () { - echo "clear all iptables tables" - - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X - iptables -N blocker - - iptables -N srv_dhcp - iptables -N srv_rip - iptables -N srv_icmp - iptables -N srv_dns_in - iptables -N srv_dns_out - iptables -N srv_http_in - iptables -N srv_http_out - iptables -N srv_https_in - iptables -N srv_https_out - iptables -N srv_ssh_in - iptables -N srv_ssh_out - iptables -N srv_git_in - iptables -N srv_git_out - iptables -N srv_db_in - iptables -N srv_db_out - - - iptables -N cli_dns_in - iptables -N cli_dns_out - iptables -N cli_http_in - iptables -N cli_http_out - iptables -N cli_https_in - iptables -N cli_https_out - iptables -N cli_ssh_in - iptables -N cli_ssh_out - iptables -N cli_pops_in - iptables -N cli_pops_out - iptables -N cli_smtps_in - iptables -N cli_smtps_out - iptables -N cli_irc_in - iptables -N cli_irc_out - iptables -N cli_ftp_in - iptables -N cli_ftp_out - iptables -N cli_git_in - iptables -N cli_git_out - iptables -N cli_gpg_in - iptables -N cli_gpg_out - - # Set Default Rules - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP -} - -iptables_log () { - ## log everything else and drop - $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -} - - -iptables_tables () { - echo "start adding tables..." - - ####### blocker Chain ###### - ## Block google dns - $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " - $IPT -A blocker -s 8.8.0.0/24 -j DROP - ## Block sync - $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " - $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP - ## Block Fragments - $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " - $IPT -A blocker -f -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " - $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP - #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP - #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - ## Return to caller - $IPT -A blocker -j RETURN - - ######## DNS Server - #echo "server_in chain: Allow input to DNS Server" - $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -j RETURN - #echo "srv_dns_out chain: Allow output from DNS server" - $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -j RETURN - - ####### Database Server - $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_db_in -j RETURN - $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_db_out -j RETURN - - ####### SSH Server - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ - --update --seconds 60 --hitcount 4 --rttl \ - --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ - --hitcount 4 --rttl --name SSH -j DROP - - $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - - $IPT -A srv_ssh_in -j RETURN - $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_ssh_out -j RETURN - - ####### HTTP Server - $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_http_in -j RETURN - $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_http_out -j RETURN - - ####### HTTPS Server - $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_https_in -j RETURN - $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_https_out -j RETURN - - ###### GIT server - $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_git_in -j RETURN - $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_git_out -j RETURN - - ######## DNS Client - $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_dns_out -j RETURN - $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_dns_in -j RETURN - - ######## HTTP Client - #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP - - $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -j RETURN - $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -j RETURN - - ######## IRC client - $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_irc_in -j RETURN - $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_irc_out -j RETURN - - ######## FTP client - - $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_in -j RETURN - $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_out -j RETURN - ######## GIT client - $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_git_in -j RETURN - $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_git_out -j RETURN - - ######## POP3S client - $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_pops_in -j RETURN - $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_pops_out -j RETURN - - ######## SMTPS client - $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_in -j RETURN - $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_out -j RETURN - - ######## HTTPS client - $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -j RETURN - $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -j RETURN - - ######## SSH client - $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -j RETURN - $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -j RETURN - - ######## GPG key client - $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_in -j RETURN - $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_out -j RETURN - - ######## DHCP Server - $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -j RETURN - - ####### RIP Server - $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT - $IPT -A srv_rip -j RETURN - - ####### ICMP Server - $IPT -A srv_icmp -p icmp -j ACCEPT - $IPT -A srv_icmp -j RETURN -} - -case $TYPE in - bridge) - iptables_clear - iptables_tables - - echo "setting bridge network..." - echo 1 > /proc/sys/net/ipv4/ip_forward - - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### NAT Prerouting Chain ###### - - ####### Forward Chain ###### - $IPT -A FORWARD -j blocker - $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT - - # Tap1 and Tap3 can access external http - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out - - ####### Forward TAP2 ssh, http and https ###### - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out - # - # #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip - # - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp - # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp - - # Tap1, Tap2 and Tap3 can access external https - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in - - #Less noise - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - #Less noise - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - #Less noise - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out - - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out - #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out - - ####### PostRouting Chain ###### - #Less noise - #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT - - #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE - - ## log everything else and drop - iptables_log - - #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " - # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " - - iptables-save > /etc/iptables/net.v4 - exit 0 - ;; - - server) - iptables_clear - iptables_tables - - echo "setting server network..." - - # Unlimited on loopback - $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - - ####### Input Chain ###### - $IPT -A INPUT -j blocker - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in - #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in - - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out - #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out - - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out - - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out - - ## log everything else and drop - iptables_log - - iptables-save > /etc/iptables/net.v4 - exit 0 - - ;; - *) - - echo "usage: $0 [start|stop|restart]" - ;; -esac - -- cgit 1.4.1-2-gfad0 From 88bd69c5b7456221e4260b74c2783a660084aaa4 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 9 Dec 2018 00:08:15 +0000 Subject: core backup script revision --- core/scripts/backup-system.sh | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) (limited to 'core/scripts') diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index ad037ef..c28c706 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -217,42 +217,44 @@ do METADATA=${DEST_SYS}/meta-data mkdir -p $METADATA - # must be using gwak instead of sed, xargs and echo - prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${METADATA}/all_installed.pkg + # must be using gwak instead of sed + prt-get listinst -v | sed 's/ /#/g' | sed 's/$/.pkg.tar.gz/g' > ${METADATA}/all-installed.pkg for filename in /etc/ports/*.git; do source $filename + # backup ports collection echo "Backing up collection: $NAME" - # create list of installed packages - prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg - - # backup collection ports tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \ --directory=$ROOT_DIR/usr/ports/${NAME} \ --exclude=.git/ \ . + + # create list of installed packages + prt-get printf "%i %p %n\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg + # backup collection packages while read line; do - if [ ! -f /usr/ports/packages/${line} ]; then - echo "Building package: ${line};\n" - PORT_NAME=$(echo ${line} | cut -d "#" -f 1) - sudo prt-get update -fr -if -is ${PORT_NAME} - (cd /usr/ports/${NAME}/${PORT_NAME} \ + echo "Backing up package: ${NAME}/${line}" + # get installed version not version on ports + PACKAGE="$(cat ${METADATA}/all-installed.pkg | grep "^${line}#")" + if [ ! -f /usr/ports/packages/${PACKAGE} ]; then + echo "Building package: ${PACKAGE};\n" + sudo prt-get update -fr -if -is ${line} + (cd /usr/ports/${NAME}/${line} \ && sudo pkgmk -uf) fi - if [ -f /usr/ports/packages/${line} ]; then - echo "Backing up package: ${NAME}/${line}" - echo ${line} >> ${METADATA}/backup.pkg - #cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/ + if [ -f /usr/ports/packages/${PACKAGE} ]; then + echo ${PACKAGE} >> ${METADATA}/${NAME}-backup.pkg + #cp /usr/ports/packages/${PACKAGE} ${PORT_PKG}/${NAME}/ tar rvf ${PORT_PKG}/${NAME}.tar \ --directory=/usr/ports/packages \ - ${line} + ${PACKAGE} else echo "Package $PORT_NAME not found: ${line}" - echo ${line} >> ${METADATA}/${NAME}-notfound.pkg + echo ${PACKAGE} >> ${METADATA}/${NAME}-notfound.pkg fi done < ${METADATA}/${NAME}-installed.pkg done @@ -261,3 +263,7 @@ do *) echo "Please enter only y or n" esac done + +RELEASE_NAME=$(basename ${DEST_DIR}) +tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/ +rm -rf ${DEST_DIR} -- cgit 1.4.1-2-gfad0 From a4f712e1969ad4c479ea4c1efc38b9c92d748ad8 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 10 Dec 2018 14:28:54 +0000 Subject: fix core backup-system script --- core/scripts/backup-system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/scripts') diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index c28c706..7faf676 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -265,5 +265,5 @@ do done RELEASE_NAME=$(basename ${DEST_DIR}) -tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/ +cd $(dirname ${DEST_DIR}) && tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/ rm -rf ${DEST_DIR} -- cgit 1.4.1-2-gfad0 From 22715960a28e32473d247fc96d391d244eba67ed Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 15 Dec 2018 07:04:46 +0000 Subject: pkgutils updated on install core script --- core/scripts/install-core.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/scripts') diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh index d889c8b..9edd966 100644 --- a/core/scripts/install-core.sh +++ b/core/scripts/install-core.sh @@ -41,7 +41,7 @@ install_core() { done fi - tar xf "${PORT_PKG}/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd + tar xf "${PORT_PKG}/core/pkgutils#5.40-7.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd chmod +x ${CHROOT}/pkgadd -- cgit 1.4.1-2-gfad0