From c25612b916735aba72e9efc04b0d3bfe0ad129ab Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Fri, 20 Jul 2018 19:00:00 +0100
Subject: review core bash profile
---
core/bash.html | 40 +++++++++++++++++++++++++++++++++++-----
core/conf/skel/.profile | 33 +++++++++++++++++++++++++++++++--
2 files changed, 66 insertions(+), 7 deletions(-)
(limited to 'core')
diff --git a/core/bash.html b/core/bash.html
index 8e0c95e..be17c71 100644
--- a/core/bash.html
+++ b/core/bash.html
@@ -37,11 +37,41 @@
Example of ~/.profile;
- PATH=~/.composer/vendor/bin:${PATH}
-
- export GPG_AGENT_INFO # the env file does not contain the export statement
- export SSH_AUTH_SOCK # enable gpg-agent for ssh
-
+ export GPG_AGENT_INFO # the env file does not contain the export statement
+ export SSH_AUTH_SOCK # enable gpg-agent for ssh
+
+ export GPGKEY=XXXXXXXX
+
+ # ssh-agent to ask only ounce for password
+ SSH_ENV="$HOME/.ssh/environment"
+ function start_agent {
+ echo "Initialising new SSH agent..."
+ /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+ echo succeeded
+ chmod 600 "${SSH_ENV}"
+ . "${SSH_ENV}" > /dev/null
+ /usr/bin/ssh-add;
+ }
+
+ # Source SSH settings, if applicable
+ if [ -f "${SSH_ENV}" ]; then
+ . "${SSH_ENV}" > /dev/null
+ #ps ${SSH_AGENT_PID} doesn't work under cywgin
+ ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+ start_agent;
+ }
+ else
+ start_agent;
+ fi
+
+ # Weston
+ if test -z "${XDG_RUNTIME_DIR}"; then
+ export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+ if ! test -d "${XDG_RUNTIME_DIR}"; then
+ mkdir "${XDG_RUNTIME_DIR}"
+ chmod 0700 "${XDG_RUNTIME_DIR}"
+ fi
+fi
2.5.2.2. Bash RC
diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile
index 71dd6f8..1c8aa8b 100644
--- a/core/conf/skel/.profile
+++ b/core/conf/skel/.profile
@@ -1,6 +1,35 @@
export GPG_AGENT_INFO # the env file does not contain the export statement
export SSH_AUTH_SOCK # enable gpg-agent for ssh
-export GPGKEY=8BF422F7
+export GPGKEY=XXXXXXXX
-#alias prodtmux="ssh srv-remote -t tmux a"
+# ssh-agent to ask only ounce for password
+SSH_ENV="$HOME/.ssh/environment"
+function start_agent {
+ echo "Initialising new SSH agent..."
+ /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+ echo succeeded
+ chmod 600 "${SSH_ENV}"
+ . "${SSH_ENV}" > /dev/null
+ /usr/bin/ssh-add;
+}
+
+# Source SSH settings, if applicable
+if [ -f "${SSH_ENV}" ]; then
+ . "${SSH_ENV}" > /dev/null
+ #ps ${SSH_AGENT_PID} doesn't work under cywgin
+ ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+ start_agent;
+ }
+else
+ start_agent;
+fi
+
+# Weston
+if test -z "${XDG_RUNTIME_DIR}"; then
+ export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+ if ! test -d "${XDG_RUNTIME_DIR}"; then
+ mkdir "${XDG_RUNTIME_DIR}"
+ chmod 0700 "${XDG_RUNTIME_DIR}"
+ fi
+fi
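Review bot: The Weston block at the end of the hunk trusts whatever already exists at `/tmp/${UID}-runtime-dir`: when the directory is present the `mkdir`/`chmod 0700` branch is skipped, so a directory pre-created by another local user in world-writable /tmp becomes this user's XDG_RUNTIME_DIR (where Wayland and D-Bus sockets land) with no ownership or mode check. Create it with the mode set atomically and verify it is an unlinked directory owned by the current user before exporting it, as in the rewritten block below, which also falls back to `id -u` because `${UID}` is a bash variable and `.profile` may be read by another login shell. The agent liveness test `ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$` expands an unquoted, possibly empty PID and matches that number anywhere in the ps line; `kill -0 "${SSH_AGENT_PID}" 2>/dev/null` is the direct check. `start_agent` also writes `${SSH_ENV}` with the default umask and only then runs `chmod 600`; wrapping the write as `(umask 077; /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}")` closes that window. The same lines are repeated verbatim in the core/bash.html hunk above.
```shell
# Weston
if test -z "${XDG_RUNTIME_DIR}"; then
  XDG_RUNTIME_DIR="/tmp/${UID:-$(id -u)}-runtime-dir"
  test -d "${XDG_RUNTIME_DIR}" || mkdir -m 0700 "${XDG_RUNTIME_DIR}"
  # use it only if it is a real directory owned by this user (not a symlink or a pre-created dir)
  if test -d "${XDG_RUNTIME_DIR}" && ! test -L "${XDG_RUNTIME_DIR}" && test -O "${XDG_RUNTIME_DIR}"; then
    chmod 0700 "${XDG_RUNTIME_DIR}"
    export XDG_RUNTIME_DIR
  else
    unset XDG_RUNTIME_DIR
  fi
fi
```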
--
cgit 1.4.1-2-gfad0
From c13879eb3fddf35d96311ddeb0a495094198c6dc Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Thu, 2 Aug 2018 17:30:44 +0100
Subject: added mate git ports collection
---
core/conf/ports/mate.git | 7 +++++++
core/conf/ports/mate.httpup | 5 -----
core/conf/ports/mate.httpup.inactive | 5 +++++
3 files changed, 12 insertions(+), 5 deletions(-)
create mode 100644 core/conf/ports/mate.git
delete mode 100644 core/conf/ports/mate.httpup
create mode 100644 core/conf/ports/mate.httpup.inactive
(limited to 'core')
diff --git a/core/conf/ports/mate.git b/core/conf/ports/mate.git
new file mode 100644
index 0000000..0c4e057
--- /dev/null
+++ b/core/conf/ports/mate.git
@@ -0,0 +1,7 @@
+# Collection mate
+#
+NAME=mate
+URL=git://c2.ank/mate.git
+BRANCH=develop-c34
+destination=/usr/ports/mate
+PORTS_DIR="/usr/ports"
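Review bot: `URL=git://c2.ank/mate.git` fetches the collection over the plain git protocol, which provides neither transport authentication nor encryption, and a ports collection is presumably a set of build scripts that later run with root privileges when packages are made. Unless that host is only reachable on a trusted network, prefer `ssh://` or `https://` for the URL (the replaced `mate.httpup` already used https), or pin the collection to signed tags or known commits on the consumer side. `destination` is the only lower-case key next to `NAME`, `URL`, `BRANCH` and `PORTS_DIR`; if the ports driver really reads it as spelled, a comment saying so would stop a reader from "fixing" it.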
diff --git a/core/conf/ports/mate.httpup b/core/conf/ports/mate.httpup
deleted file mode 100644
index 93ad84f..0000000
--- a/core/conf/ports/mate.httpup
+++ /dev/null
@@ -1,5 +0,0 @@
-# Collection mate, by jaeger at crux dot ninja
-# File generated by the CRUX portdb https://crux.nu/portdb/
-
-ROOT_DIR=/usr/ports/mate
-URL=https://raw.githubusercontent.com/mhoush/crux-mate/master/
diff --git a/core/conf/ports/mate.httpup.inactive b/core/conf/ports/mate.httpup.inactive
new file mode 100644
index 0000000..93ad84f
--- /dev/null
+++ b/core/conf/ports/mate.httpup.inactive
@@ -0,0 +1,5 @@
+# Collection mate, by jaeger at crux dot ninja
+# File generated by the CRUX portdb https://crux.nu/portdb/
+
+ROOT_DIR=/usr/ports/mate
+URL=https://raw.githubusercontent.com/mhoush/crux-mate/master/
--
cgit 1.4.1-2-gfad0
From 3ebe80fbdcd6bdf1d9d228bd64e18a33b58b11f3 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Wed, 5 Dec 2018 22:44:46 +0000
Subject: core script backup-system revison
---
core/scripts/backup-system.sh | 331 +++++++++++++++++++-----------------------
1 file changed, 151 insertions(+), 180 deletions(-)
(limited to 'core')
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh
index 9e1ed2f..ad037ef 100644
--- a/core/scripts/backup-system.sh
+++ b/core/scripts/backup-system.sh
@@ -2,8 +2,9 @@
ROOT_DIR=
DEST_DIR=/root/backup
-PORT_PKG="${DEST_DIR}/crux"
-PORT_PRT="${DEST_DIR}/ports"
+DEST_SYS="${DEST_DIR}/system"
+PORT_PKG="${DEST_SYS}/packages"
+PORT_PRT="${DEST_SYS}/ports"
DATA_CNF="${DEST_DIR}/conf"
DATA_USR="${DEST_DIR}/user"
DATA_SRV="${DEST_DIR}/srv"
@@ -20,164 +21,16 @@ ConfirmOrExit ()
echo "Aborting - you entered $CONFIRM"
exit
;;
- *) echo "Please enter only y or n"
- esac
- done
- echo "You entered $CONFIRM. Continuing ..."
-}
-
-mkbk_coll_pkg() {
- # backup binary packages per collection
- col=$1
- # make backup collection directory
- mkdir ${PORT_PKG}/${col}
- # for each package listed in col_name.pkg
- while read line; do
- # if binary package don't exist try to build
- if [ ! -f /usr/ports/packages/${line} ]; then
- echo "Building package: ${line};\n"
- name=$(echo ${line} | cut -d "#" -f 1)
- $sudo prt-get update -fr ${name}
- fi
-
- # if binary package exist copy to destination
- if [ -f /usr/ports/packages/${line} ]; then
- echo "Backing up package: ${line}"
- echo ${line} >> ${DEST_DIR}/backup.pkg
- cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/
- else
- echo "Package not found: ${line}"
- echo ${line} >> ${DEST_DIR}/${col}-notfound.pkg
- fi
- done < $DEST_DIR/${col}.pkg
-}
-
-mkbk_coll_ports() {
- # backup collection ports
- col=$1
-
- tar --xattrs -zcpf $PORT_PRT/${col}.tar.gz \
- --directory=$ROOT_DIR/usr/ports/${col} \
- --exclude=.git/ \
-}
-
-mkbk_metadata() {
-
- # archive pkgutils data
- tar --xattrs -zcpf $DATA_CNF/pkg-db.tar.gz \
- /var/lib/pkg/db
-
- # must be using gwak instead of sed, xargs and echo
- prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${DEST_DIR}/installed.pkg
-
- # make list and copy installed core packages
- prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/core" | cut -d " " -f 3 > ${DEST_DIR}/core.pkg
-
- prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/opt" | cut -d " " -f 3 > $DEST_DIR/opt.pkg
-
- prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/contrib" | cut -d " " -f 3 > $DEST_DIR/contrib.pkg
-
- prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/xorg" | cut -d " " -f 3 > $DEST_DIR/xorg.pkg
-
- prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep -v "yes /usr/ports/core" | grep -v "yes /usr/ports/opt" | grep -v "yes /usr/ports/contrib" | grep -v "yes /usr/ports/xorg" | grep "yes " | cut -d " " -f 3 > $DEST_DIR/other.pkg
-
-}
-
-mkbk_etc_conf() {
-
- tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \
- --directory=$ROOT_DIR/etc \
- .
-
- tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \
- --directory=$ROOT_DIR/usr/etc \
- .
-}
-
-mkbk_srv_www() {
-
- # backup web data first stop php and nginx
-
- for pkg_www in ${ROOT_DIR}/srv/www/*; do
- if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then
- pkg_back="${DATA_SRV}/www"
- if [ ! -d ${pkg_back} ]; then
- mkdir -p ${pkg_back}
- fi
- bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz"
- exc="${pkg_www}/backup_deploy"
- tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www}
- fi
- done
-}
-
-mkbk_srv_pgsql() {
-
- # backup database data first dump all databases
-
- pkg_back="${DATA_SRV}/pgsql"
- if [ ! -d ${pkg_back} ]; then
- mkdir -p ${pkg_back}
- fi
- pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz
-
- tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \
- ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \
- ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \
- ${ROOT_DIR}/srv/pgsql/data/postgresql.conf
-}
-
-mkbk_srv_gitolite() {
-
- # backup gitolite repositories
-
- pkg_back="${DATA_SRV}/gitolite"
- if [ ! -d ${pkg_back} ]; then
- mkdir -p ${pkg_back}
- fi
-
- tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \
- --directory=${ROOT_DIR}/srv/gitolite \
- .
-}
-
-mkbk_user_metadata() {
-
- for dir in /home/*; do
- if [ "${dir}" != "/home/lost+found" ]; then
- user=$(basename $dir)
- tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \
- $dir/.bash_profile \
- $dir/.bashrc \
- $dir/.config \
- $dir/.gitconfig \
- $dir/.gnupg \
- $dir/.irssi \
- $dir/.lynxrc \
- $dir/.mutt \
- $dir/.netrc \
- $dir/.profile \
- $dir/.spectrwm.conf \
- $dir/.ssh \
- $dir/.tmux.conf \
- $dir/.vim \
- $dir/.vimrc \
- $dir/.xinitrc
-
- # encript data
- #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \
- # --encrypt --recipient user@host \
- # "${DATA_USR}/meta-${user}.tar.gz"
-
- tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \
- $dir/gitolite-admin
- fi
- done
+ *) echo "Please enter only y or n"
+esac
+done
+echo "You entered $CONFIRM. Continuing ..."
}
print_data () {
echo "ROOT_DIR=${ROOT_DIR}"
echo "DEST_DIR=${DEST_DIR}"
+ echo "DEST_SYS=${DEST_SYS}"
echo "PORT_PKG=${PORT_PKG}"
echo "PORT_PRT=${PORT_PRT}"
echo "DATA_CNF=${DATA_CNF}"
@@ -205,11 +58,13 @@ while [ "$1" ]; do
DEST_DIR=$2
# Destination directory
- PORT_PKG="${DEST_DIR}/crux"
- PORT_PRT="${DEST_DIR}/ports"
- DATA_CNF="${DEST_DIR}/conf"
- DATA_USR="${DEST_DIR}/user"
- DATA_SRV="${DEST_DIR}/srv"
+ DEST_SYS="${DEST_DIR}/system"
+ PORT_PKG="${DEST_SYS}/packages"
+ PORT_PRT="${DEST_SYS}/ports"
+ DATA_CNF="${DEST_DIR}/conf"
+ DATA_USR="${DEST_DIR}/user"
+ DATA_SRV="${DEST_DIR}/srv"
+
shift ;;
-h|--help)
print_help
@@ -231,60 +86,176 @@ mkdir -p ${DATA_CNF}
mkdir -p ${DATA_USR}
mkdir -p ${DATA_SRV}
-# Light backup data
-mkbk_metadata
-mkbk_etc_conf
+# Backup system settings
+tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \
+ --directory=$ROOT_DIR/etc \
+ .
+tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \
+ --directory=$ROOT_DIR/usr/etc \
+ .
+
+# User Meta Data
while true
do
- echo -n "Backup user metadata ? Please confirm (y or n) :"
+ echo "Backup User Metadata ?"
+ echo "Please confirm (y or n): "
read CONFIRM
case $CONFIRM in
n|N|no|NO|No) break ;;
y|Y|YES|yes|Yes)
echo "Accept - you entered $CONFIRM"
- mkbk_user_metadata
+ for dir in /home/*; do
+ if [ "${dir}" != "/home/lost+found" ]; then
+ user=$(basename $dir)
+ tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \
+ $dir/.bash_profile \
+ $dir/.bashrc \
+ $dir/.config \
+ $dir/.gitconfig \
+ $dir/.gnupg \
+ $dir/.irssi \
+ $dir/.lynxrc \
+ $dir/.mutt \
+ $dir/.netrc \
+ $dir/.profile \
+ $dir/.spectrwm.conf \
+ $dir/.ssh \
+ $dir/.tmux.conf \
+ $dir/.vim \
+ $dir/.vimrc \
+ $dir/.xinitrc
+
+ # encript data
+ #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \
+ # --encrypt --recipient user@host \
+ # "${DATA_USR}/meta-${user}.tar.gz"
+
+ tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \
+ $dir/gitolite-admin
+ fi
+ done
break
;;
*) echo "Please enter only y or n"
esac
done
+# Server Data
while true
do
- echo -n "Backup web services data (/srv) ? Please confirm (y or n) :"
+ echo "Backup Server Data ?"
+ echo "Please confirm (y or n): "
read CONFIRM
case $CONFIRM in
n|N|no|NO|No) break ;;
y|Y|YES|yes|Yes)
echo "Accept - you entered $CONFIRM"
- mkbk_srv_www
- mkbk_srv_pgsql
- mkbk_srv_gitolite
+
+ # backup web data first stop php and nginx
+ for pkg_www in ${ROOT_DIR}/srv/www/*; do
+ if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then
+ pkg_back="${DATA_SRV}/www"
+ if [ ! -d ${pkg_back} ]; then
+ mkdir -p ${pkg_back}
+ fi
+ bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz"
+ exc="${pkg_www}/backup_deploy"
+ tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www}
+ fi
+ done
+
+ # backup database data first dump all databases
+ pkg_back="${DATA_SRV}/pgsql"
+ if [ ! -d ${pkg_back} ]; then
+ mkdir -p ${pkg_back}
+ fi
+ pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz
+
+ tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \
+ ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \
+ ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \
+ ${ROOT_DIR}/srv/pgsql/data/postgresql.conf
+
+
+ # backup gitolite repositories
+ pkg_back="${DATA_SRV}/gitolite"
+ if [ ! -d ${pkg_back} ]; then
+ mkdir -p ${pkg_back}
+ fi
+
+ tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \
+ --directory=${ROOT_DIR}/srv/gitolite \
+ .
+
break
;;
*) echo "Please enter only y or n"
esac
done
-
+# Port System
while true
do
- echo -n "Backup port system ? Please confirm (y or n) :"
+ echo "Backup Port System ?"
+ echo "Please confirm (y or n) :"
read CONFIRM
case $CONFIRM in
n|N|no|NO|No) break ;;
y|Y|YES|yes|Yes)
echo "Accept - you entered $CONFIRM"
- mkbk_coll_ports "core"
- mkbk_coll_pkg "core"
- mkbk_coll_ports "opt"
- mkbk_coll_pkg "opt"
- mkbk_coll_ports "contrib"
- mkbk_coll_pkg "contrib"
- mkbk_coll_ports "xorg"
- mkbk_coll_pkg "xorg"
- mkbk_coll_pkg "other"
+
+ # archive pkgutils data
+ tar --xattrs -zcpf $DEST_SYS/pkg-db.tar.gz \
+ /var/lib/pkg/db
+
+ # archive ports data
+ tar --xattrs -zcpf $DEST_SYS/etc_ports.tar.gz \
+ --directory=/etc/ports \
+ .
+
+ METADATA=${DEST_SYS}/meta-data
+ mkdir -p $METADATA
+
+ # must be using gwak instead of sed, xargs and echo
+ prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${METADATA}/all_installed.pkg
+
+ for filename in /etc/ports/*.git; do
+ source $filename
+
+ echo "Backing up collection: $NAME"
+ # create list of installed packages
+ prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg
+
+ # backup collection ports
+ tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \
+ --directory=$ROOT_DIR/usr/ports/${NAME} \
+ --exclude=.git/ \
+ .
+
+ # backup collection packages
+ while read line; do
+ if [ ! -f /usr/ports/packages/${line} ]; then
+ echo "Building package: ${line};\n"
+ PORT_NAME=$(echo ${line} | cut -d "#" -f 1)
+ sudo prt-get update -fr -if -is ${PORT_NAME}
+ (cd /usr/ports/${NAME}/${PORT_NAME} \
+ && sudo pkgmk -uf)
+ fi
+
+ if [ -f /usr/ports/packages/${line} ]; then
+ echo "Backing up package: ${NAME}/${line}"
+ echo ${line} >> ${METADATA}/backup.pkg
+ #cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/
+ tar rvf ${PORT_PKG}/${NAME}.tar \
+ --directory=/usr/ports/packages \
+ ${line}
+ else
+ echo "Package $PORT_NAME not found: ${line}"
+ echo ${line} >> ${METADATA}/${NAME}-notfound.pkg
+ fi
+ done < ${METADATA}/${NAME}-installed.pkg
+ done
break
;;
*) echo "Please enter only y or n"
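Review bot: `sudo prt-get update -fr -if -is ${PORT_NAME}` passes pkgmk's ignore-footprint and ignore-signature switches, so a port whose footprint or signature no longer verifies is still built and the result is archived by the following `if [ -f /usr/ports/packages/${line} ]` block as if it were a trusted package, and the `sudo pkgmk -uf` retry then rewrites the footprint to whatever was produced. Dropping `-if -is` (and the `pkgmk -uf` retry) lets a failed build fall through to the existing `Package $PORT_NAME not found` branch, which records it in `${NAME}-notfound.pkg` for a human to inspect. `source $filename` executes every `/etc/ports/*.git` file as root just to read `NAME`, which then flows unquoted into `tar --directory=$ROOT_DIR/usr/ports/${NAME}` and the grep pattern; at least quote it and skip entries where it is empty with `[ -n "${NAME}" ] || continue`. The user-metadata tars bundle `.ssh`, `.gnupg` and `.netrc` into `${DATA_USR}` while the gpg encryption step stays commented out; until it is enabled, an `umask 077` near the top of the script keeps those archives (and `cluster_dump.gz`) readable by root only. `tar rvf ${PORT_PKG}/${NAME}.tar` appends, so re-running the script grows the archive with duplicate members — `rm -f` it before the `while read` loop; the enclosing `case` and `while` close outside the hunk.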
--
cgit 1.4.1-2-gfad0
From 480cf4044595b0ebe3f56a7eea1541a274fbbf48 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 8 Dec 2018 02:00:25 +0000
Subject: core scripts revision
---
core/scripts/install-core.sh | 5 ++--
core/scripts/setup-iso.sh | 4 +++-
core/scripts/setup-virtual.sh | 56 ++++++++++++++++++++++---------------------
3 files changed, 35 insertions(+), 30 deletions(-)
(limited to 'core')
diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh
index d4d6983..d889c8b 100644
--- a/core/scripts/install-core.sh
+++ b/core/scripts/install-core.sh
@@ -55,7 +55,8 @@ install_core() {
while read line; do
pkg=${PORT_PKG}/core/${line}
echo "Installing ${pkg};\n"
- ${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg}
+ #${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg}
+ pkgadd -f -r ${CHROOT} ${pkg}
done < ${CORE_LS}
rm ${CHROOT}/pkgadd
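Review bot: The old `${CHROOT}/pkgadd` invocation is kept as a commented-out line directly above the new host `pkgadd` call; dead code inside the loop body leaves the next reader unsure which binary is meant to run, while `rm ${CHROOT}/pkgadd` below still assumes the chroot copy exists. Replace the comment with the reason, e.g. `# use the host pkgadd; the copy placed in ${CHROOT} is removed after the loop`, or drop the copy step as well if it is no longer needed (where the copy is made is outside the hunk, so this is presumed). `install_core` starts before the hunk and continues after it.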
@@ -67,7 +68,7 @@ install_core() {
install_packages() {
echo "Installing $CHROOT/media/crux/opt/fakeroot"
- $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/fakeroot#*
+ $CHROOT/usr/bin/pkgadd -f -r $CHROOT ${CHROOT}/media/crux/opt/fakeroot#*
echo "Installing $CHROOT/media/crux/opt/dbus"
$CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/dbus#*
echo "Installing $CHROOT/media/crux/opt/expat"
diff --git a/core/scripts/setup-iso.sh b/core/scripts/setup-iso.sh
index ddad787..ebcd043 100644
--- a/core/scripts/setup-iso.sh
+++ b/core/scripts/setup-iso.sh
@@ -2,6 +2,7 @@
# location of iso and md5 file
ISO_DIR="/usr/ports/iso"
+MOUNT_POINT="/mnt/media"
ISO_FILE="${ISO_DIR}/crux-3.4.iso"
MD5_FILE="${ISO_DIR}/crux-3.4.md5"
@@ -70,7 +71,7 @@ mount_iso() {
modprobe isofs
modprobe loop
- mount -o loop $ISO_FILE /media
+ mount -o loop $ISO_FILE $MOUNT_POINT
}
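Review bot: `mount -o loop $ISO_FILE $MOUNT_POINT` now targets `/mnt/media`, and nothing in the hunk creates that directory, whereas the previous target `/media` commonly exists on a stock system; unless mount_iso's caller does so outside this hunk, add `mkdir -p "$MOUNT_POINT"` before the mount. Both expansions are unquoted, so `mount -o loop "$ISO_FILE" "$MOUNT_POINT"` is the safer form. `mount_iso` begins above the hunk.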
print_data() {
@@ -80,6 +81,7 @@ print_data() {
echo "md5 file: ${MD5_FILE}"
echo "iso url: ${ISO_URL}"
echo "md5 url: ${MD5_URL}"
+ echo "mount point: ${MOUNT_POINT}"
}
print_help() {
diff --git a/core/scripts/setup-virtual.sh b/core/scripts/setup-virtual.sh
index 2b27a9f..3583bb6 100644
--- a/core/scripts/setup-virtual.sh
+++ b/core/scripts/setup-virtual.sh
@@ -20,45 +20,51 @@ ConfirmOrExit ()
}
DEV_NAME=${1}
+IMG=${2}.qcow2
+SIZE=${3}
CHROOT="/mnt"
DEV="/dev/${DEV_NAME}"
+echo "/srv/qemu/img/${IMG}"
+echo "${SIZE}"
echo "DEV_NAME=${DEV_NAME}"
echo "DEV=${DEV}"
echo "CHROOT=${CHROOT}"
ConfirmOrExit
+#qemu-img create -f qcow2 example.qcow2 20G
+qemu-img create -f qcow2 /srv/qemu/img/${IMG} ${SIZE}
+qemu-nbd -c ${DEV} /srv/qemu/img/${IMG}
+
parted --script ${DEV} \
- mklabel gpt \
- unit mib \
- mkpart primary 1 3 \
- set 1 bios_grub on \
- name 1 grub \
- mkpart ESP fat32 3 59 \
- set 2 boot on \
- name 2 efi \
- mkpart primary ext4 103 200 \
- name 3 boot \
- mkpart primary linux-swap 200 456 \
- name 4 swap \
- mkpart primary ext4 456 3700 \
- name 5 root \
- mkpart primary ext4 3700 4000 \
- name 6 var \
- mkpart primary ext4 4000 100% \
- name 7 home
+ mklabel gpt \
+ unit mib \
+ mkpart primary 2 4 \
+ name 1 grub \
+ mkpart ESP fat32 4 128 \
+ name 2 efi \
+ mkpart primary ext4 128 1128 \
+ name 3 boot \
+ mkpart primary ext4 1128 12128 \
+ name 4 root \
+ mkpart primary ext4 12128 14128 \
+ name 5 var \
+ mkpart primary ext4 14128 100% \
+ name 6 lvm \
+ set 1 bios_grub on \
+ set 2 boot on \
+ set 6 lvm on
kpartx -a -s -l -u ${DEV}
mkfs.fat -F 32 /dev/mapper/${DEV_NAME}p2
mkfs.ext4 /dev/mapper/${DEV_NAME}p3
-mkswap /dev/mapper/${DEV_NAME}p4
+mkfs.ext4 /dev/mapper/${DEV_NAME}p4
mkfs.ext4 /dev/mapper/${DEV_NAME}p5
-mkfs.ext4 /dev/mapper/${DEV_NAME}p6
-mkfs.ext4 /dev/mapper/${DEV_NAME}p7
+pvcreate /dev/mapper/${DEV_NAME}p6
-mount /dev/mapper/${DEV_NAME}p5 $CHROOT
+mount /dev/mapper/${DEV_NAME}p4 $CHROOT
mkdir -p $CHROOT/proc
mkdir -p $CHROOT/sys
mkdir -p $CHROOT/dev
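Review bot: `DEV_NAME=${1}`, `IMG=${2}.qcow2` and `SIZE=${3}` are used without any presence check before `parted --script ${DEV} mklabel gpt` and `pvcreate` rewrite the device: with missing arguments `DEV` is `/dev/` and `IMG` is the hidden file `/srv/qemu/img/.qcow2`, and the ConfirmOrExit prompt only echoes whatever values were given. `DEV_NAME=${1:?device name required}`, `IMG=${2:?image name required}.qcow2` and `SIZE=${3:?image size required}` abort with a message instead. The `qemu-nbd -c` attach and the partitioning also run without checking that `${DEV}` is a block device that is not already attached, which is worth at least `test -b "${DEV}"` before the `ConfirmOrExit` call. The `ConfirmOrExit` body begins above the hunk.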
@@ -69,8 +75,4 @@ mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot
mkdir -p $CHROOT/boot/efi
mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi
mkdir -p $CHROOT/var
-mount /dev/mapper/${DEV_NAME}p6 $CHROOT/var
-mkdir -p $CHROOT/home
-mount /dev/mapper/${DEV_NAME}p7 $CHROOT/home
-
-
+mount /dev/mapper/${DEV_NAME}p5 $CHROOT/var
--
cgit 1.4.1-2-gfad0
From b6b79e6d960febc3f266735e4a2f807d776b5830 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 8 Dec 2018 02:08:20 +0000
Subject: iptables revision
---
core/conf/iptables/br-lan.v4 | 136 ------------
core/conf/iptables/ipt-bridge.sh | 158 ++++++++++++++
core/conf/iptables/ipt-conf.sh | 20 ++
core/conf/iptables/ipt-firewall.sh | 258 +++++++++++++++++++++++
core/conf/iptables/ipt-server.sh | 37 ++++
core/conf/iptables/net.v4 | 111 ----------
core/conf/rc.d/iptables | 117 ++++-------
core/scripts/iptables-conf.sh | 21 --
core/scripts/iptables.sh | 420 -------------------------------------
9 files changed, 508 insertions(+), 770 deletions(-)
delete mode 100644 core/conf/iptables/br-lan.v4
create mode 100644 core/conf/iptables/ipt-bridge.sh
create mode 100644 core/conf/iptables/ipt-conf.sh
create mode 100644 core/conf/iptables/ipt-firewall.sh
create mode 100644 core/conf/iptables/ipt-server.sh
delete mode 100644 core/conf/iptables/net.v4
delete mode 100644 core/scripts/iptables-conf.sh
delete mode 100644 core/scripts/iptables.sh
(limited to 'core')
diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4
deleted file mode 100644
index 61da499..0000000
--- a/core/conf/iptables/br-lan.v4
+++ /dev/null
@@ -1,136 +0,0 @@
-# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
-*security
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr 3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
-*raw
-:PREROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr 3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr 3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr 3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
-:blocker - [0:0]
-:client_in - [0:0]
-:client_out - [0:0]
-:netconf_in - [0:0]
-:netconf_out - [0:0]
-:server_in - [0:0]
-:server_out - [0:0]
--A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
--A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
--A INPUT -j blocker
--A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in
--A INPUT -d 10.0.0.0/8 -i br0 -j client_in
--A INPUT -i br0 -j netconf_in
--A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
--A FORWARD -j blocker
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in
--A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out
--A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out
--A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
--A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
--A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
--A OUTPUT -j blocker
--A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out
--A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out
--A OUTPUT -o br0 -j netconf_out
--A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
--A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7
--A blocker -s 8.8.0.0/24 -j DROP
--A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
--A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
--A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
--A blocker -f -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
--A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
--A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
--A blocker -j RETURN
--A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -j RETURN
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -j RETURN
--A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT
--A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
--A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7
--A netconf_in -p icmp -j ACCEPT
--A netconf_in -j RETURN
--A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
--A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
--A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7
--A netconf_out -p icmp -j ACCEPT
--A netconf_out -j RETURN
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -j RETURN
--A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -j RETURN
-COMMIT
-# Completed on Tue Apr 3 02:25:27 2018
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
new file mode 100644
index 0000000..6f70e7c
--- /dev/null
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+echo "setting bridge ${BR_IF} network..."
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### NAT Prerouting Chain ######
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
+####### Forward Chain ######
+$IPT -A FORWARD -j blocker
+$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+# Allow access from bridge to gateway wifi interface
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#
+# Tap1
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
+#
+#
+## Tap3
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
+#
+#
+######## Forward TAP2 ssh, http and https ######
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+# Tap1, Tap2 and Tap3 can access external https
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
+
+#
+# #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+#
+# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
+# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+
+#
+#Less noise
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+#Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+
+$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
+
+$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+#Less noise
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+
+
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
+
+####### PostRouting Chain ######
+#Less noise
+#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+
+$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+
+#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
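Review bot: The DNAT rule in the NAT PREROUTING section hard-codes `--to 10.0.0.4:443` while every other address in this file comes from ipt-conf.sh; a variable in ipt-conf.sh (for example `HTTPS_DNAT="10.0.0.4"`, name constructed) used as `--to ${HTTPS_DNAT}:443` here would keep the host-specific values in one place. The "Less noise" FORWARD drop uses `--dport 519 --sport 520`, but srv_rip in ipt-firewall.sh matches RIP as `--sport 520 --dport 520`, so 519 looks like a typo that leaves the rule matching nothing; presumably `--dport 520` was intended. The INPUT rule `-i ${BR_IF} -j srv_dhcp` already covers the narrower `-s ${GW} -d ${PUB_IP}` rule two lines below it, so one of the two is redundant. A header comment stating that the file is sourced by /etc/rc.d/iptables and expects `IPT` plus the ipt-conf.sh variables would explain why the script has a shebang but no definitions of its own.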
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
new file mode 100644
index 0000000..3874cee
--- /dev/null
+++ b/core/conf/iptables/ipt-conf.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+TYPE=bridge
+#TYPE=server
+
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+
+# public interface to network/internet
+BR_IF="br0"
+BR_NET="10.0.0.0/8"
+GW="10.0.0.1"
+#DNS="10.0.0.254"
+DNS="212.55.154.174"
+
+PUB_IP="10.0.0.254"
+PUB_IF="enp8s0"
+
+# private interface for virtual/internal
+WIFI_IF="wlp7s0"
+WIFI_NET="192.168.1.0/24"
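Review bot: The comment `# public interface to network/internet` sits above BR_IF/BR_NET/GW/DNS although the public interface variable is PUB_IF further down, and WIFI_IF is labelled `private interface for virtual/internal` while ipt-bridge.sh masquerades out of it and DNATs inbound traffic from it, which reads as the uplink; a per-variable comment saying what each interface actually is would avoid the wrong conclusion. `SPAMLIST` is not referenced by any of the scripts added in this commit, so it could be dropped or marked as reserved. Since the file is sourced by the rc.d script and every value is host-specific, a first-line comment such as `# sourced by /etc/rc.d/iptables; adjust interfaces and addresses per host` would document the contract.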
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
new file mode 100644
index 0000000..4697de0
--- /dev/null
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -0,0 +1,258 @@
+#!/bin/bash
+
+IPT="/usr/sbin/iptables"
+
+ipt_clear () {
+ echo "clear all iptables tables"
+
+ iptables -F
+ iptables -X
+ iptables -t nat -F
+ iptables -t nat -X
+ iptables -t mangle -F
+ iptables -t mangle -X
+ iptables -t raw -F
+ iptables -t raw -X
+ iptables -t security -F
+ iptables -t security -X
+ iptables -N blocker
+
+ iptables -N srv_dhcp
+ iptables -N srv_rip
+ iptables -N srv_icmp
+ iptables -N srv_dns_in
+ iptables -N srv_dns_out
+ iptables -N srv_http_in
+ iptables -N srv_http_out
+ iptables -N srv_https_in
+ iptables -N srv_https_out
+ iptables -N srv_ssh_in
+ iptables -N srv_ssh_out
+ iptables -N srv_git_in
+ iptables -N srv_git_out
+ iptables -N srv_db_in
+ iptables -N srv_db_out
+
+
+ iptables -N cli_dns_in
+ iptables -N cli_dns_out
+ iptables -N cli_http_in
+ iptables -N cli_http_out
+ iptables -N cli_https_in
+ iptables -N cli_https_out
+ iptables -N cli_ssh_in
+ iptables -N cli_ssh_out
+ iptables -N cli_pops_in
+ iptables -N cli_pops_out
+ iptables -N cli_smtps_in
+ iptables -N cli_smtps_out
+ iptables -N cli_irc_in
+ iptables -N cli_irc_out
+ iptables -N cli_ftp_in
+ iptables -N cli_ftp_out
+ iptables -N cli_git_in
+ iptables -N cli_git_out
+ iptables -N cli_gpg_in
+ iptables -N cli_gpg_out
+
+ # Set Default Rules
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT DROP
+}
+
+ipt_log () {
+ ## log everything else and drop
+ $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+ $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+ $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+}
+
+
+ipt_tables () {
+ echo "start adding tables..."
+
+ ####### blocker Chain ######
+ ## Block google dns
+ #$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
+ #$IPT -A blocker -s 8.8.0.0/24 -j DROP
+ ## Block sync
+ $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+ $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
+ ## Block Fragments
+ $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+ $IPT -A blocker -f -j DROP
+ $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+ $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+ $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+ $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+ $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+ $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+ $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+ $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+ $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+ $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
+ #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+ ## Return to caller
+ $IPT -A blocker -j RETURN
+
+ ######## DNS Server
+ #echo "server_in chain: Allow input to DNS Server"
+ $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_in -j RETURN
+ #echo "srv_dns_out chain: Allow output from DNS server"
+ $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_dns_out -j RETURN
+
+ ####### Database Server
+ $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_db_in -j RETURN
+ $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_db_out -j RETURN
+
+ ####### SSH Server
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \
+ --hitcount 4 --rttl --name SSH -j DROP
+
+ $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
+ --hitcount 4 --rttl --name SSH -j DROP
+
+ $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_ssh_in -j RETURN
+
+ $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_ssh_out -j RETURN
+
+ ####### HTTP Server
+ $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_http_in -j RETURN
+ $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_http_out -j RETURN
+
+ ####### HTTPS Server
+ $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_https_in -j RETURN
+ $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_https_out -j RETURN
+
+ ###### GIT server
+ $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_git_in -j RETURN
+ $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_git_out -j RETURN
+
+ ######## DNS Client
+ $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+ $IPT -A cli_dns_out -j RETURN
+ $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -j ACCEPT
+ $IPT -A cli_dns_in -j RETURN
+
+ ######## HTTP Client
+ #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP
+ $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_in -j RETURN
+ $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_http_out -j RETURN
+
+ ######## IRC client
+ $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_irc_in -j RETURN
+ $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_irc_out -j RETURN
+
+ ######## FTP client
+ $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_in -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPT -A cli_ftp_in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_in -j RETURN
+ $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPT -A cli_ftp_out -j RETURN
+
+ ######## GIT client
+ $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_git_in -j RETURN
+ $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_git_out -j RETURN
+
+ ######## POP3S client
+ $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_pops_in -j RETURN
+ $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_pops_out -j RETURN
+
+ ######## SMTPS client
+ $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_smtps_in -j RETURN
+ $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_smtps_out -j RETURN
+
+ ######## HTTPS client
+ $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_in -j RETURN
+ $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_https_out -j RETURN
+
+ ######## SSH client
+ $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_in -j RETURN
+ $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_out -j RETURN
+
+ ######## GPG key client
+ $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A cli_gpg_in -j RETURN
+ $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_gpg_out -j RETURN
+
+ ######## DHCP Server
+ $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT
+ $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT
+ $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT
+ $IPT -A srv_dhcp -j RETURN
+
+ ####### RIP Server
+ $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT
+ $IPT -A srv_rip -j RETURN
+
+ ####### ICMP Server
+ $IPT -A srv_icmp -p icmp -j ACCEPT
+ $IPT -A srv_icmp -j RETURN
+}
+
+
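Review bot: The SSH rate limit in srv_ssh_in cannot trigger on new connections: the `--set` rule for port 2222 (and its twin for port 22) ends in `-j ACCEPT`, so every NEW SYN is accepted before the `--update --hitcount 4` LOG/DROP rules are consulted; as far as I can tell those rules then only match packets of already-established sessions from a source that opened four connections within 60 s, which drops legitimate sessions rather than repeated connection attempts. The usual ordering is `--set` without a target, then the `--update` LOG/DROP rules restricted to `--state NEW`, then an ACCEPT for NEW; the port-2222 sequence rewritten that way is below and the port-22 sequence needs the same change. Separately, ipt_clear applies the three DROP policies only after flushing, so if the previous policies were ACCEPT the host is briefly unfiltered; moving the `iptables -P INPUT/FORWARD/OUTPUT DROP` lines to the top of the function closes that window. ipt_clear also mixes bare `iptables` with the `$IPT` used everywhere else.
```shell
    ####### SSH Server
    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH
    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent \
        --update --seconds 60 --hitcount 4 --rttl \
        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent \
        --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -j ACCEPT
    $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # … unchanged: same sequence for --dport 22, then the RETURN and the remaining chains …
```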
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
new file mode 100644
index 0000000..225fd31
--- /dev/null
+++ b/core/conf/iptables/ipt-server.sh
@@ -0,0 +1,37 @@
+echo "setting server network..."
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+#$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
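Review bot: The INPUT and OUTPUT sides of this file disagree on who may reach the SSH and git services: INPUT jumps to srv_ssh_in and srv_git_in for any source (the `-d ${PUB_IP}` rules without `-s ${BR_NET}`), but OUTPUT only jumps to srv_ssh_out and srv_git_out with `-d ${BR_NET}`, so a connection from outside BR_NET would have its SYN accepted and its SYN-ACK dropped by the OUTPUT policy. Either the unrestricted `srv_ssh_in`/`srv_git_in` INPUT rules should go or the OUTPUT rules need the same scope; which was intended is not visible from the file. The last two OUTPUT rules repeat the earlier `-d ${BR_NET} -j srv_ssh_out` / `srv_git_out` rules minus `-s ${PUB_IP}`, so they only add coverage for packets sent from some other local address. Unlike ipt-bridge.sh the file has no shebang and no header comment; a first line such as `# sourced by /etc/rc.d/iptables when TYPE=server; expects IPT and the ipt-conf.sh variables` would document the contract.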
diff --git a/core/conf/iptables/net.v4 b/core/conf/iptables/net.v4
deleted file mode 100644
index 568455a..0000000
--- a/core/conf/iptables/net.v4
+++ /dev/null
@@ -1,111 +0,0 @@
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*security
-:INPUT ACCEPT [4559:2307887]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [4459:962215]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*raw
-:PREROUTING ACCEPT [18446:3412851]
-:OUTPUT ACCEPT [4467:962535]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*nat
-:PREROUTING ACCEPT [13936:1107904]
-:INPUT ACCEPT [49:2940]
-:OUTPUT ACCEPT [504:40037]
-:POSTROUTING ACCEPT [504:40037]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
-:ACCEPTLOG - [0:0]
-:DROPLOG - [0:0]
-:REJECTLOG - [0:0]
-:RELATED_ICMP - [0:0]
-:SYN_FLOOD - [0:0]
--A INPUT -i lo -j ACCEPT
--A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
--A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
--A INPUT -p icmp -j DROP
--A INPUT -p icmp -f -j DROPLOG
--A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
--A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A INPUT -p icmp -j DROPLOG
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
--A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
--A INPUT -m state --state INVALID -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
--A INPUT -f -j DROPLOG
--A INPUT -j DROPLOG
--A FORWARD -p icmp -f -j DROPLOG
--A FORWARD -p icmp -j DROPLOG
--A FORWARD -m state --state INVALID -j DROP
--A FORWARD -j REJECTLOG
--A OUTPUT -o lo -j ACCEPT
--A OUTPUT -p icmp -j ACCEPT
--A OUTPUT -p icmp -f -j DROPLOG
--A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
--A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A OUTPUT -p icmp -j DROPLOG
--A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state INVALID -j DROP
--A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -j DROPLOG
--A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A ACCEPTLOG -j ACCEPT
--A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A DROPLOG -j DROP
--A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
--A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
--A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
--A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
--A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
--A RELATED_ICMP -j DROPLOG
--A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
--A SYN_FLOOD -j DROP
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index dd17b97..26a48b4 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,86 +1,39 @@
-#!/bin/sh
-#
-# /etc/rc.d/iptables: load/unload iptable rules
-#
-rules=/etc/iptables/net.v4
-
-iptables_clear () {
- echo "clear all iptables tables"
- iptables -F
- iptables -X
- iptables -t nat -F
- iptables -t nat -X
- iptables -t mangle -F
- iptables -t mangle -X
- iptables -t raw -F
- iptables -t raw -X
- iptables -t security -F
- iptables -t security -X
-}
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
case $1 in
- start)
- echo "starting IPv4 firewall filter table..."
- /usr/sbin/iptables-restore ${rules}
- ;;
- stop)
- iptables_clear
- echo "stopping firewall and deny everyone..."
- /usr/sbin/iptables -P INPUT DROP
- /usr/sbin/iptables -P FORWARD DROP
- /usr/sbin/iptables -P OUTPUT DROP
-
- # Unlimited on local
- /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
- /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
- # log everything else and drop
- /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
- ;;
- open)
- iptables_clear
- echo "outgoing Open firewall and deny everyone..."
-
- /usr/sbin/iptables -P INPUT DROP
- /usr/sbin/iptables -P FORWARD DROP
- /usr/sbin/iptables -P OUTPUT ACCEPT
-
- /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
- /usr/sbin/iptables -t mangle -P INPUT ACCEPT
- /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
- /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
- /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-
- /usr/sbin/iptables -A OUTPUT -j ACCEPT
-
- # Unlimited on local
- /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
- /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
- # Accept passive
- /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-
- # log everything else and drop
- /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
- *)
-
- echo "usage: $0 [start|stop|restart]"
- ;;
+ start)
+ ipt_clear
+ ipt_tables
+ case $TYPE in
+ bridge)
+ source /etc/iptables/ipt-bridge.sh
+
+ ## log everything else and drop
+ ipt_log
+
+ iptables-save > /etc/iptables/net.v4
+ ;;
+ server)
+ source /etc/iptables/iptables-conf.sh
+
+ ## log everything else and drop
+ iptables_log
+
+ iptables-save > /etc/iptables/net.v4
+ ;;
+ esac
+ ;;
+ stop)
+
+ ipt_clear
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 [start|stop|restart]"
+ ;;
esac
-
-# End of file
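Review bot: The `server)` arm sources `/etc/iptables/iptables-conf.sh` and calls `iptables_log`, but this commit deletes core/scripts/iptables-conf.sh, renames the logging function to `ipt_log` in ipt-firewall.sh, and adds ipt-server.sh that the arm never sources, so `start` with TYPE=server reports a missing file and an unknown command instead of loading the server rules. The arm should mirror the bridge one: `source /etc/iptables/ipt-server.sh` and `ipt_log`. The hunk also removes the `#!/bin/sh` line without a replacement; since the new body uses `source` and the sourced files are bash, `#!/bin/bash` as the first line is needed. `case $TYPE in` has no `*)` arm, so a misspelt TYPE silently leaves the host with the DROP policies from ipt_clear and no rules; an arm that prints `echo "unknown TYPE: $TYPE" >&2` would make that visible. Note that `stop` now runs only ipt_clear, which leaves DROP policies with no loopback exception, whereas the old stop accepted `lo`.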
diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh
deleted file mode 100644
index 478ce08..0000000
--- a/core/scripts/iptables-conf.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-TYPE=bridge
-#TYPE=server
-
-IPT="/usr/sbin/iptables"
-SPAMLIST="blockedip"
-SPAMDROPMSG="BLOCKED IP DROP"
-
-# public interface to network/internet
-BR_IF="br0"
-BR_NET="10.0.0.0/8"
-GW="10.0.0.1"
-#DNS="10.0.0.254"
-DNS="212.55.154.174"
-
-PUB_IP="10.0.0.254"
-PUB_IF="enp8s0"
-
-# private interface for virtual/internal
-#PRIV_IF="wlp7s0"
-#PRIV_NET="192.168.1.0/24"
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
deleted file mode 100644
index 0516d94..0000000
--- a/core/scripts/iptables.sh
+++ /dev/null
@@ -1,420 +0,0 @@
-#!/bin/bash
-
-source /etc/iptables/iptables-conf.sh
-
-iptables_clear () {
- echo "clear all iptables tables"
-
- iptables -F
- iptables -X
- iptables -t nat -F
- iptables -t nat -X
- iptables -t mangle -F
- iptables -t mangle -X
- iptables -t raw -F
- iptables -t raw -X
- iptables -t security -F
- iptables -t security -X
- iptables -N blocker
-
- iptables -N srv_dhcp
- iptables -N srv_rip
- iptables -N srv_icmp
- iptables -N srv_dns_in
- iptables -N srv_dns_out
- iptables -N srv_http_in
- iptables -N srv_http_out
- iptables -N srv_https_in
- iptables -N srv_https_out
- iptables -N srv_ssh_in
- iptables -N srv_ssh_out
- iptables -N srv_git_in
- iptables -N srv_git_out
- iptables -N srv_db_in
- iptables -N srv_db_out
-
-
- iptables -N cli_dns_in
- iptables -N cli_dns_out
- iptables -N cli_http_in
- iptables -N cli_http_out
- iptables -N cli_https_in
- iptables -N cli_https_out
- iptables -N cli_ssh_in
- iptables -N cli_ssh_out
- iptables -N cli_pops_in
- iptables -N cli_pops_out
- iptables -N cli_smtps_in
- iptables -N cli_smtps_out
- iptables -N cli_irc_in
- iptables -N cli_irc_out
- iptables -N cli_ftp_in
- iptables -N cli_ftp_out
- iptables -N cli_git_in
- iptables -N cli_git_out
- iptables -N cli_gpg_in
- iptables -N cli_gpg_out
-
- # Set Default Rules
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
- iptables -P OUTPUT DROP
-}
-
-iptables_log () {
- ## log everything else and drop
- $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
- $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-}
-
-
-iptables_tables () {
- echo "start adding tables..."
-
- ####### blocker Chain ######
- ## Block google dns
- $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
- $IPT -A blocker -s 8.8.0.0/24 -j DROP
- ## Block sync
- $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
- $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
- ## Block Fragments
- $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
- $IPT -A blocker -f -j DROP
- $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
- $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
- $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
- $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
- $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
- $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
- $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
- $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
- $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP
- #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
- #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
- #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- ## Return to caller
- $IPT -A blocker -j RETURN
-
- ######## DNS Server
- #echo "server_in chain: Allow input to DNS Server"
- $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A srv_dns_in -j RETURN
- #echo "srv_dns_out chain: Allow output from DNS server"
- $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPT -A srv_dns_out -j RETURN
-
- ####### Database Server
- $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A srv_db_in -j RETURN
- $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A srv_db_out -j RETURN
-
- ####### SSH Server
-
- $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
-
- $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
- --update --seconds 60 --hitcount 4 --rttl \
- --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
-
- $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \
- --hitcount 4 --rttl --name SSH -j DROP
-
- $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
- $IPT -A srv_ssh_in -j RETURN
- $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A srv_ssh_out -j RETURN
-
- ####### HTTP Server
- $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A srv_http_in -j RETURN
- $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPT -A srv_http_out -j RETURN
-
- ####### HTTPS Server
- $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A srv_https_in -j RETURN
- $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPT -A srv_https_out -j RETURN
-
- ###### GIT server
- $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A srv_git_in -j RETURN
- $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPT -A srv_git_out -j RETURN
-
- ######## DNS Client
- $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_dns_out -j RETURN
- $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_dns_in -j RETURN
-
- ######## HTTP Client
- #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP
-
- $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_http_in -j RETURN
- $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_http_out -j RETURN
-
- ######## IRC client
- $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_irc_in -j RETURN
- $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_irc_out -j RETURN
-
- ######## FTP client
-
- $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_ftp_in -j RETURN
- $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_ftp_out -j RETURN
- ######## GIT client
- $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_git_in -j RETURN
- $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_git_out -j RETURN
-
- ######## POP3S client
- $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_pops_in -j RETURN
- $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_pops_out -j RETURN
-
- ######## SMTPS client
- $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_smtps_in -j RETURN
- $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_smtps_out -j RETURN
-
- ######## HTTPS client
- $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_https_in -j RETURN
- $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_https_out -j RETURN
-
- ######## SSH client
- $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_ssh_in -j RETURN
- $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_ssh_out -j RETURN
-
- ######## GPG key client
- $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A cli_gpg_in -j RETURN
- $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPT -A cli_gpg_out -j RETURN
-
- ######## DHCP Server
- $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT
- $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT
- $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT
- $IPT -A srv_dhcp -j RETURN
-
- ####### RIP Server
- $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT
- $IPT -A srv_rip -j RETURN
-
- ####### ICMP Server
- $IPT -A srv_icmp -p icmp -j ACCEPT
- $IPT -A srv_icmp -j RETURN
-}
-
-case $TYPE in
- bridge)
- iptables_clear
- iptables_tables
-
- echo "setting bridge network..."
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # Unlimited on loopback
- $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
- $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-
- ####### NAT Prerouting Chain ######
-
- ####### Forward Chain ######
- $IPT -A FORWARD -j blocker
- $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
- # Tap1 and Tap3 can access external http
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
-
- ####### Forward TAP2 ssh, http and https ######
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
-
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
- #
- # #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
- #
- # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
- # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
-
- # Tap1, Tap2 and Tap3 can access external https
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
-
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
-
- #Less noise
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP
-
- ####### Input Chain ######
- $IPT -A INPUT -j blocker
- #Less noise
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP
-
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in
-
- $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp
- $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp
- $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp
-
- $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
-
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
-
- ####### Output Chain ######
- $IPT -A OUTPUT -j blocker
-
- #Less noise
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
-
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
-
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
-
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
- #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
- $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
- #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
-
- ####### PostRouting Chain ######
- #Less noise
- #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
- #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
-
- #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE
-
- ## log everything else and drop
- iptables_log
-
- #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
- # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
-
- iptables-save > /etc/iptables/net.v4
- exit 0
- ;;
-
- server)
- iptables_clear
- iptables_tables
-
- echo "setting server network..."
-
- # Unlimited on loopback
- $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
- $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-
- ####### Input Chain ######
- $IPT -A INPUT -j blocker
-
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
- #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
-
-
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
-
- ####### Output Chain ######
- $IPT -A OUTPUT -j blocker
-
- $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
- #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
-
- $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
- $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
-
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
-
- ## log everything else and drop
- iptables_log
-
- iptables-save > /etc/iptables/net.v4
- exit 0
-
- ;;
- *)
-
- echo "usage: $0 [start|stop|restart]"
- ;;
-esac
-
--
From 0cef8d9f3ae8a557d44c54b08a3f634bf305af78 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 8 Dec 2018 02:11:24 +0000
Subject: wlan and blan scripts revision
---
core/conf/rc.d/wlan | 47 ++++++++++++++++++++++++++++++++++++-----------
tools/conf/etc/rc.d/blan | 13 ++++++++-----
2 files changed, 44 insertions(+), 16 deletions(-)
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 86910bc..c9c60ec 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -3,8 +3,11 @@
# /etc/rc.d/wlan: start/stop wireless interface
#
-DEV=wlp7s0
+# Connection type: "DHCP" or "static"
+#TYPE="DHCP"
+TYPE="static"
+DEV=wlp7s0
SSD=/sbin/start-stop-daemon
PROG_DHCP=/sbin/dhcpcd
@@ -15,6 +18,11 @@ PID_WIFI=/var/run/wpa_supplicant.pid
OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
+ADDR=192.168.1.67
+MASK=24
+GW=192.168.1.254
+
+
print_status() {
$SSD --status --pidfile $2
case $? in
@@ -27,20 +35,37 @@ print_status() {
case $1 in
start)
- $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
- $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
- RETVAL=$?
+
+ if [ "${TYPE}" = "DHCP" ]; then
+ $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
+ $SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
+ RETVAL=$?
+ else
+
+ /sbin/ip link set ${DEV} up
+
+ $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI
+
+ RETVAL=$?
+
+ /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+ /sbin/ip route add default via ${GW}
+ fi
;;
stop)
- ( $SSD --stop --retry 10 --pidfile $PID_DHCP
- $SSD --stop --retry 10 --pidfile $PID_WIFI )
- RETVAL=$?
- /sbin/ip route del default dev ${DEV}
- /sbin/ip route flush dev ${DEV}
- /sbin/ip link set ${DEV} down
- /sbin/ip addr flush dev ${DEV}
+ if [ "${TYPE}" = "DHCP" ]; then
+ ( $SSD --stop --retry 10 --pidfile $PID_DHCP
+ $SSD --stop --retry 10 --pidfile $PID_WIFI )
+ RETVAL=$?
+ else
+ $SSD --stop --retry 10 --pidfile $PID_WIFI
+ RETVAL=$?
+ /sbin/ip link set ${DEV} down
+ /sbin/ip route del default
+ /sbin/ip addr del ${ADDR}/${MASK} dev ${DEV}
+ fi
;;
restart)
$0 stop
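Review bot: The static `stop` branch's `/sbin/ip route del default` drops the `dev ${DEV}` qualifier that the removed line had, so it deletes whichever default route is currently installed, including one owned by another interface (the blan script in this same commit installs a default route via the same gateway, 192.168.1.254); restore `/sbin/ip route del default dev ${DEV}`. In the static `start` branch, `RETVAL` is captured right after wpa_supplicant is started, but the address and default route are then added unconditionally, so a failed start still configures the interface and failures of the two `ip` commands never reach `RETVAL`; gating them on `RETVAL` keeps the exit status meaningful. The `TYPE` comment added in the first hunk names "DHCP" or "static", but only "DHCP" is ever tested, so any other value, including a typo, silently takes the static path. The enclosing `case $1` statement and the consumer of `RETVAL` continue outside the hunk.
```shell
    else
      /sbin/ip link set ${DEV} up
      $SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI
      RETVAL=$?
      # only configure the interface if wpa_supplicant actually started
      if [ "$RETVAL" -eq 0 ]; then
        /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
        /sbin/ip route add default via ${GW}
      fi
    fi
```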
diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan
index 56d1809..61ac2d6 100755
--- a/tools/conf/etc/rc.d/blan
+++ b/tools/conf/etc/rc.d/blan
@@ -1,14 +1,16 @@
#!/bin/sh
#
-# /etc/rc.d/net: start/stop network interface
+# /etc/rc.d/blan: start/stop virtual network interfaces
#
DEV="br0"
PHY="enp8s0"
-ADDR=10.0.0.1
-NET=10.0.0.0
-MASK=24
+ADDR=10.0.0.254
+#ADDR=10.0.1.254
+MASK=8
+#GW=10.0.0.1
+GW=192.168.1.254
# one tap for each cpu core
NTAPS=$((`/usr/bin/nproc`))
@@ -20,6 +22,7 @@ case $1 in
/sbin/ip link set dev ${DEV} up
/bin/sleep 0.2s
+ # Add network to virtual bridge
/sbin/ip link set dev ${PHY} down
/bin/sleep 0.1s
/sbin/ip route flush dev ${PHY}
@@ -28,7 +31,7 @@ case $1 in
/bin/sleep 0.2s
/sbin/ip link set dev ${PHY} master ${DEV}
- #/sbin/ip route add default via ${GW}
+ /sbin/ip route add default via ${GW}
for i in `/usr/bin/seq $NTAPS`
do
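Review bot: The newly enabled `/sbin/ip route add default via ${GW}` has no failure check, and with `ADDR=10.0.0.254`, `MASK=8` and `GW=192.168.1.254` from the first hunk the gateway lies outside the bridge's prefix, so the kernel will reject the route unless an on-link route to 192.168.1.254 already exists through another interface — presumably the wlan one, which this script does not ensure is up first. Consider `/sbin/ip route add default via ${GW} || echo "blan: failed to add default route via ${GW}" >&2` so the failure is visible instead of silent, or add a comment above the line stating that the route depends on the other interface being configured first. The surrounding `case $1` arm continues outside the hunk.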
--
From 2832cbc97478441927b7d4fa0b6127518d012b61 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sun, 9 Dec 2018 00:02:52 +0000
Subject: core revision
---
core/apparmor.html | 2 +-
core/bash.html | 2 +-
core/configure.html | 2 +-
core/dash.html | 2 +-
core/exim.html | 2 +-
core/hardening.html | 2 +-
core/index.html | 6 ++---
core/install.html | 58 +++++++++++++++++++--------------------------
core/linux.html | 2 +-
core/network.html | 2 +-
core/package.html | 2 +-
core/ports.html | 2 +-
core/reboot.html | 2 +-
core/samhain.html | 2 +-
core/sysctl.html | 2 +-
core/tmux.html | 2 +-
core/toolchain.html | 2 +-
core/tty-terminal.html | 2 +-
tools/scripts/pkgmk-test.sh | 2 +-
19 files changed, 45 insertions(+), 53 deletions(-)
diff --git a/core/apparmor.html b/core/apparmor.html
index 709f2a4..9954593 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -98,7 +98,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/bash.html b/core/bash.html
index be17c71..72e746d 100644
--- a/core/bash.html
+++ b/core/bash.html
@@ -156,7 +156,7 @@ fi
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/configure.html b/core/configure.html
index 2fadfcf..7d34bf7 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -272,7 +272,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
Documentation Index
- c9 Core OS
+ Core OS
c9 Core OS covers installation and configuration of
basic functionality of Crux 3.4 Gnu\Linux operating system.
@@ -155,7 +155,7 @@
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/install.html b/core/install.html
index dfde50a..46793c9 100644
--- a/core/install.html
+++ b/core/install.html
@@ -75,7 +75,7 @@
installations. Partition size 128M;
- (parted) mkpart ESP fat32 4 125
+ (parted) mkpart ESP fat32 4 132
(parted) name 2 efi
(parted) set 2 boot on
@@ -83,70 +83,62 @@
/boot
Boot partition. Partition with 1G provide room for kernels
- and crux iso that can be directly boot from grub (without root
+ and bootable iso's that can be directly boot from grub (without root
partition). Partition size 1G;
- (parted) mkpart primary ext4 125 1128
+ (parted) mkpart primary ext4 132 1132
(parted) name 3 boot
/
- Normal core crux installation root partition uses
- approximately 2G, without /usr 200MB-500M. Minimum 2G
- is recommended to give room to root home directory with
- dedicated (separated) usr and var partition.
- Partition size 4G;
+ Core collection installation on root partition uses
+ approximately 2G. Partition with 8G-20G is recommended
+ for a server or desktop with dedicated ports partition
+ or using only compiled packages. Partition size 20G;
- (parted) mkpart primary ext4 1128 5128
+ (parted) mkpart primary ext4 1132 21132
(parted) name 4 root
/var
Var partition is recommended 1G-5G depending on how
- system is configured. Partition size 1G;
+ system is configured. Partition size 2G;
- (parted) mkpart primary ext4 5128 6128
+ (parted) mkpart primary ext4 21132 23132
(parted) name 5 var
- /usr
-
- User partition with 4G-8G is recommended for a desktop
- setup, with dedicated partition for ports. Partition size
- 8G;
-
-
- (parted) mkpart primary ext4 6128 14128
- (parted) name 6 usr
-
-
Swap (ram)
Swap partition general advice is to have the same size as
memory ram, ports system will be configured to build on ram.
- To build firefox is necessary at least 34G, swap partitions
- will be added to lvm and this partition removed.
- Partition size 4G;
+ To build firefox is necessary at least 34G. Partition size 4G;
+
+ Is better to create swap partition later using
+ lvm.
- (parted) mkpart primary linux-swap 14128 18128
- (parted) name 3 swap
+ (parted) mkpart primary linux-swap 23132 27132
+ (parted) name 6 swap
/home
- Home partition general advice is to fill the rest of disk
- space. Home partition will be added later to lvm and this
- partition removed. Fill the rest of disk space;
+ Home partition on desktop fill the rest of disk
+ space while on server this partition can be unnecessary.
+ Fill the rest of disk space;
+
+ Is better to create home partition later using
+ lvm.
- (parted) mkpart primary ext4 18128 100%
- (parted) name 8 home
+ (parted) mkpart primary ext4 27132 100%
+ (parted) name 7 home
1.1.3. Prepare Install
@@ -354,7 +346,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/linux.html b/core/linux.html
index f4dd14f..670d0e7 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -858,7 +858,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/network.html b/core/network.html
index feb9765..2b94e50 100644
--- a/core/network.html
+++ b/core/network.html
@@ -445,7 +445,7 @@
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/package.html b/core/package.html
index 4aa649d..bedb132 100644
--- a/core/package.html
+++ b/core/package.html
@@ -184,7 +184,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/ports.html b/core/ports.html
index 7f1cd54..32e5095 100644
--- a/core/ports.html
+++ b/core/ports.html
@@ -191,7 +191,7 @@
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/dash.html b/core/dash.html
index 134616d..a273107 100644
--- a/core/dash.html
+++ b/core/dash.html
@@ -21,7 +21,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/exim.html b/core/exim.html
index 2f93af8..23708d2 100644
--- a/core/exim.html
+++ b/core/exim.html
@@ -226,7 +226,7 @@
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/hardening.html b/core/hardening.html
index 60fea58..1455398 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -45,7 +45,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/index.html b/core/index.html
index 9145f3e..8be7606 100644
--- a/core/index.html
+++ b/core/index.html
@@ -2,13 +2,13 @@
diff --git a/core/reboot.html b/core/reboot.html
index 1fae99b..505a889 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -225,7 +225,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/samhain.html b/core/samhain.html
index f161a16..d28a6d2 100644
--- a/core/samhain.html
+++ b/core/samhain.html
@@ -257,7 +257,7 @@
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/sysctl.html b/core/sysctl.html
index b871158..525a6cf 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -618,7 +618,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/tmux.html b/core/tmux.html
index d6bc2c5..b94253d 100644
--- a/core/tmux.html
+++ b/core/tmux.html
@@ -110,7 +110,7 @@
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/toolchain.html b/core/toolchain.html
index 0ed64bc..57113fd 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -176,7 +176,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/core/tty-terminal.html b/core/tty-terminal.html
index 2696119..6eb08d3 100644
--- a/core/tty-terminal.html
+++ b/core/tty-terminal.html
@@ -74,7 +74,7 @@
Core OS Index
This is part of the Hive System Documentation.
Copyright (C) 2018
- c9 team.
+ Hive Team.
See the file Gnu Free Documentation License
for copying conditions.
diff --git a/tools/scripts/pkgmk-test.sh b/tools/scripts/pkgmk-test.sh
index a279967..4cfe2c3 100644
--- a/tools/scripts/pkgmk-test.sh
+++ b/tools/scripts/pkgmk-test.sh
@@ -1,5 +1,5 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
CONF=${DIR}/pkgmk-test.conf
-
+echo "pkgmk -cf $CONF -d -is $1"
fakeroot pkgmk -cf $CONF -d -is $1
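Review bot: The added `echo` repeats the command by hand and already diverges from it: the command runs under `fakeroot`, the message does not say so, and `$CONF` and `$1` are unquoted on both lines, so a configuration path or port name containing whitespace would be word-split differently from what is printed. Building the argument list once removes the drift, e.g. `set -- fakeroot pkgmk -cf "$CONF" -d -is "$1"`, `echo "$*"`, `"$@"`. Alternatively keep the two lines but quote the expansions and include `fakeroot` in the echoed text.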
--
From 88bd69c5b7456221e4260b74c2783a660084aaa4 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sun, 9 Dec 2018 00:08:15 +0000
Subject: core backup script revision
---
core/scripts/backup-system.sh | 40 +++++++++++++++++++++++-----------------
1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh
index ad037ef..c28c706 100644
--- a/core/scripts/backup-system.sh
+++ b/core/scripts/backup-system.sh
@@ -217,42 +217,44 @@ do
METADATA=${DEST_SYS}/meta-data
mkdir -p $METADATA
- # must be using gwak instead of sed, xargs and echo
- prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${METADATA}/all_installed.pkg
+ # must be using gwak instead of sed
+ prt-get listinst -v | sed 's/ /#/g' | sed 's/$/.pkg.tar.gz/g' > ${METADATA}/all-installed.pkg
for filename in /etc/ports/*.git; do
source $filename
+ # backup ports collection
echo "Backing up collection: $NAME"
- # create list of installed packages
- prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg
-
- # backup collection ports
tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \
--directory=$ROOT_DIR/usr/ports/${NAME} \
--exclude=.git/ \
.
+
+ # create list of installed packages
+ prt-get printf "%i %p %n\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg
+
# backup collection packages
while read line; do
- if [ ! -f /usr/ports/packages/${line} ]; then
- echo "Building package: ${line};\n"
- PORT_NAME=$(echo ${line} | cut -d "#" -f 1)
- sudo prt-get update -fr -if -is ${PORT_NAME}
- (cd /usr/ports/${NAME}/${PORT_NAME} \
+ echo "Backing up package: ${NAME}/${line}"
+ # get installed version not version on ports
+ PACKAGE="$(cat ${METADATA}/all-installed.pkg | grep "^${line}#")"
+ if [ ! -f /usr/ports/packages/${PACKAGE} ]; then
+ echo "Building package: ${PACKAGE};\n"
+ sudo prt-get update -fr -if -is ${line}
+ (cd /usr/ports/${NAME}/${line} \
&& sudo pkgmk -uf)
fi
- if [ -f /usr/ports/packages/${line} ]; then
- echo "Backing up package: ${NAME}/${line}"
- echo ${line} >> ${METADATA}/backup.pkg
- #cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/
+ if [ -f /usr/ports/packages/${PACKAGE} ]; then
+ echo ${PACKAGE} >> ${METADATA}/${NAME}-backup.pkg
+ #cp /usr/ports/packages/${PACKAGE} ${PORT_PKG}/${NAME}/
tar rvf ${PORT_PKG}/${NAME}.tar \
--directory=/usr/ports/packages \
- ${line}
+ ${PACKAGE}
else
echo "Package $PORT_NAME not found: ${line}"
- echo ${line} >> ${METADATA}/${NAME}-notfound.pkg
+ echo ${PACKAGE} >> ${METADATA}/${NAME}-notfound.pkg
fi
done < ${METADATA}/${NAME}-installed.pkg
done
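Review bot: The else branch's `echo "Package $PORT_NAME not found: ${line}"` still reads `$PORT_NAME`, but this commit removed the only assignment to it (`PORT_NAME=$(echo ${line} | cut -d "#" -f 1)`), so the message now prints an empty name. The same branch is also where an unmatched `grep "^${line}#"` ends up: `PACKAGE` is empty, `[ ! -f /usr/ports/packages/ ]` is true, so the script runs `sudo prt-get update` and `sudo pkgmk -uf` for the port and then appends an empty line to `${NAME}-notfound.pkg`. Test for an empty match right after the lookup and record `${line}` instead; the `cat | grep` can also become a plain `grep` on the file, and the port name should be quoted in the `sudo` calls. The read loop this code sits in (the `do` shown in the hunk header) begins outside the hunk.
```shell
PACKAGE="$(grep "^${line}#" "${METADATA}/all-installed.pkg")"
if [ -z "${PACKAGE}" ]; then
    echo "Package ${line} not listed in all-installed.pkg" >&2
    echo "${line}" >> "${METADATA}/${NAME}-notfound.pkg"
    continue
fi
# … unchanged: build-if-missing branch (prt-get update / pkgmk -uf) …
# … unchanged: tar rvf append branch …
else
    echo "Package ${line} not found: ${PACKAGE}" >&2
    echo "${PACKAGE}" >> "${METADATA}/${NAME}-notfound.pkg"
fi
```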
@@ -261,3 +263,7 @@ do
*) echo "Please enter only y or n"
esac
done
+
+RELEASE_NAME=$(basename ${DEST_DIR})
+tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/
+rm -rf ${DEST_DIR}
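Review bot: `rm -rf ${DEST_DIR}` runs even when the `tar` on the line before it fails, so an archive that could not be written still results in the backup directory being deleted. Chain the removal on the archive succeeding and guard the expansion: `tar -zcpf "${RELEASE_NAME}.tar.gz" "${RELEASE_NAME}/" && rm -rf -- "${DEST_DIR:?}"`. Note too that `${RELEASE_NAME}/` is resolved relative to the current working directory, which is not necessarily the parent of `${DEST_DIR}`. The `done` that opens this hunk closes a loop that begins outside it.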
--
From a4f712e1969ad4c479ea4c1efc38b9c92d748ad8 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Mon, 10 Dec 2018 14:28:54 +0000
Subject: fix core backup-system script
---
core/scripts/backup-system.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh
index c28c706..7faf676 100644
--- a/core/scripts/backup-system.sh
+++ b/core/scripts/backup-system.sh
@@ -265,5 +265,5 @@ do
done
RELEASE_NAME=$(basename ${DEST_DIR})
-tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/
+cd $(dirname ${DEST_DIR}) && tar -zcpf ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/
rm -rf ${DEST_DIR}
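Review bot: The `cd … && tar …` fix still leaves `rm -rf ${DEST_DIR}` on its own line, so if either the `cd` or the `tar` fails the directory tree that was just collected is deleted without an archive having been written. Make the removal part of the same chain: `cd "$(dirname "${DEST_DIR}")" && tar -zcpf "${RELEASE_NAME}.tar.gz" "${RELEASE_NAME}/" && rm -rf -- "${DEST_DIR:?}"`. The `:?` expansion aborts the script instead of running `rm -rf` with an empty path if `DEST_DIR` is ever unset when this line is reached.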
--
From 48b937054671a1807a6cb32d77eabf834666d98b Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 15 Dec 2018 03:27:38 +0000
Subject: core iptables script revision
---
core/conf/iptables/ipt-bridge.sh | 44 ++++++++++++++++++++++++++--------------
core/conf/iptables/ipt-conf.sh | 1 +
2 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index 6f70e7c..6ad26fa 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -20,6 +20,8 @@ $IPT -A FORWARD -j blocker
$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
# Allow access from bridge to gateway wifi interface
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
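Review bot: The new bridge-internal ACCEPT matches on addresses only, so any frame entering `${BR_IF}` with a 10/8 source and destination is accepted before the physdev-qualified rules later in the chain get a look — including frames arriving on the bridge port `${PUB_IF}` with a spoofed `${BR_NET}` source. If `${PUB_IF}` is a port of this bridge, as the `--physdev-in ${PUB_IF}` rules elsewhere in the file suggest, exclude it here: `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev ! --physdev-in ${PUB_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT`. Since this rule sits near the top of FORWARD, also worth a comment stating that it intentionally bypasses the per-tap rules below for host-to-host traffic. The chain policy and the `blocker` chain are set outside this hunk.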
@@ -33,6 +35,30 @@ $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
+# allow output from BR_NET to external
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
+
+# allow input from public bridged interface facing Internet
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
+
+######## Forward TAP2 ssh, http and https ######
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+#
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+
+#Less noise
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP
+
+
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
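Review bot: `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT` under "allow output from BR_NET to external" has neither a destination nor a physdev qualifier, so it accepts every bridged packet whose source is in 10/8 regardless of which port it entered on; the `--physdev-in ${PUB_IF}` rules that follow are then only consulted for non-10/8 sources, and a packet from `${PUB_IF}` with a spoofed 10/8 source is accepted outright toward any tap. Pin the rule to the direction the comment describes, e.g. `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev ! --physdev-in ${PUB_IF} --physdev-out ${PUB_IF} -s ${BR_NET} -j ACCEPT`, so that return traffic and inbound service access keep going through the `cli_*_in`/`srv_*_in` chains. Whether those chains are stateful is not visible here; if they are not, the inbound rules for tap2 HTTP/HTTPS also need the matching `ESTABLISHED` handling.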
@@ -61,22 +87,11 @@ $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
#
#
-######## Forward TAP2 ssh, http and https ######
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
-
# Tap1, Tap2 and Tap3 can access external https
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
@@ -86,9 +101,6 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
#
-#Less noise
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP
-
####### Input Chain ######
$IPT -A INPUT -j blocker
#Less noise
@@ -96,11 +108,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -
$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP
$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
-
$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
@@ -125,6 +138,7 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index 3874cee..eef0b52 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -9,6 +9,7 @@ SPAMDROPMSG="BLOCKED IP DROP"
BR_IF="br0"
BR_NET="10.0.0.0/8"
GW="10.0.0.1"
+#GW="10.0.0.2"
#DNS="10.0.0.254"
DNS="212.55.154.174"
--
From 68c8048b2ef871cb18c5c6b58f586519c9f13f22 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 15 Dec 2018 06:20:43 +0000
Subject: core install target partition fix
---
core/install.html | 48 ++++++++++++++++++------------------------------
1 file changed, 18 insertions(+), 30 deletions(-)
diff --git a/core/install.html b/core/install.html
index 46793c9..0005873 100644
--- a/core/install.html
+++ b/core/install.html
@@ -127,6 +127,7 @@
(parted) name 6 swap
+
/home
Home partition on desktop fill the rest of disk
@@ -141,6 +142,17 @@
(parted) name 7 home
+
Create filesystems
+
+
+ $ sudo mkfs.fat -F 32 /dev/sda2
+ $ sudo mkfs.ext4 /dev/sda3
+ $ sudo mkfs.ext4 /dev/sda4
+ $ sudo mkfs.ext4 /dev/sda5
+ $ sudo mkswap /dev/sda6
+ $ sudo mkfs.ext4 /dev/sda7
+
+
1.1.3. Prepare Install
From now on script
@@ -152,37 +164,11 @@
$ export CHROOT=/mnt
-
Create filesystems
-
-
- $ export DEV=/dev/sda
-
-
-
- $ export BLK_EFI="${DEV}2"
- $ export BLK_BOOT="${DEV}3"
- $ export BLK_ROOT="${DEV}4"
- $ export BLK_VAR="${DEV}5"
- $ export BLK_USR="${DEV}6"
- $ export BLK_SWP="${DEV}7"
- $ export BLK_HOME="${DEV}8"
-
-
-
- $ sudo mkfs.fat -F 32 $BLK_EFI
- $ sudo mkfs.ext4 $BLK_BOOT
- $ sudo mkfs.ext4 $BLK_ROOT
- $ sudo mkfs.ext4 $BKL_VAR
- $ sudo mkfs.ext4 $BKL_USR
- $ sudo mkswap $BLK_SWAP
- $ sudo mkfs.ext4 $BKL_HOME
-
-
$ sudo mount $BLK_ROOT $CHROOT
- Create directories and mount target partitions;
+ Create follow directories;
$ sudo mkdir -p $CHROOT/boot
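Review bot: This hunk deletes the `export BLK_EFI=…` through `export BLK_HOME=…` lines, but the instructions that remain still use them: `$ sudo mount $BLK_ROOT $CHROOT` at the end of this hunk and the `$BLK_BOOT`, `$BLK_EFI`, `$BLK_VAR` and `$BLK_HOME` mounts in the following hunk. A reader following the page now runs `mount` with an empty device argument. Either keep the exports, renumbered to match the new `mkfs` block (`BLK_EFI=/dev/sda2` … `BLK_HOME=/dev/sda7`, with the `BKL_`/`BLK_SWAP` typos fixed), or rewrite the mount lines with the literal `/dev/sdaN` devices used in the `mkfs` section.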
@@ -195,7 +181,11 @@
$ sudo mkdir -p $CHROOT/tmp
$ sudo mkdir -p $CHROOT/proc
$ sudo mkdir -p $CHROOT/sys
+
+ If partition layout is different or target is a directory is not necessary to mount, create only the directories;
+
+
$ sudo mount $BLK_BOOT $CHROOT/boot
$ sudo mkdir -p $CHROOT/boot/efi
$ sudo mount $BLK_EFI $CHROOT/boot/efi
@@ -203,8 +193,6 @@
$ sudo mount $BLK_VAR $CHROOT/var
$ sudo mkdir -p $CHROOT/var/lib/pkg
- $ sudo mount $BLK_USR $CHROOT/usr
-
$ sudo mount $BLK_HOME $CHROOT/home
@@ -218,7 +206,7 @@
$ sudo mount -vt sysfs sysfs $CHROOT/sys
- Mount iso on target partition;
+ Mount iso or copy packages to target /mnt directory;
# modprobe isofs
--
From 440f91f7895197575e33dc50bbd6f32a60a98dbf Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 15 Dec 2018 06:26:33 +0000
Subject: core install directory instructions
---
core/install.html | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/core/install.html b/core/install.html
index 0005873..4a07d46 100644
--- a/core/install.html
+++ b/core/install.html
@@ -160,10 +160,14 @@
create file systems, install packages, configure host
metadata and setup ports;
--
From 22715960a28e32473d247fc96d391d244eba67ed Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 15 Dec 2018 07:04:46 +0000
Subject: pkgutils updated on install core script
---
core/scripts/install-core.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh
index d889c8b..9edd966 100644
--- a/core/scripts/install-core.sh
+++ b/core/scripts/install-core.sh
@@ -41,7 +41,7 @@ install_core() {
done
fi
- tar xf "${PORT_PKG}/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd
+ tar xf "${PORT_PKG}/core/pkgutils#5.40-7.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd
chmod +x ${CHROOT}/pkgadd
--
From 8233dafb72ff5a1e36b22dda1764fc68097d6ca3 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 15 Dec 2018 19:02:40 +0000
Subject: fix core install prepare install
---
core/install.html | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/core/install.html b/core/install.html
index 4a07d46..fb1a546 100644
--- a/core/install.html
+++ b/core/install.html
@@ -160,6 +160,12 @@
create file systems, install packages, configure host
metadata and setup ports;