From e4551d6b59317bb27df5d2bd9c3f1ea6469e089b Mon Sep 17 00:00:00 2001
From: Silvino Silva <silvino@bk.ru>
Date: Mon, 12 Sep 2016 23:50:54 +0100
Subject: network revision

---
 core/conf/rc.d/iptables  | 19 ++++++++++------
 core/index.html          | 10 ++++-----
 core/network.html        | 56 ++++++++++++++++++++++++------------------------
 core/scripts/iptables.sh | 19 ++++++++++------
 4 files changed, 58 insertions(+), 46 deletions(-)

(limited to 'core')

diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index d3bbc9b..2d77722 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -10,12 +10,19 @@ start)
 	;;
 stop)
 	echo "Stopping firewall and deny everyone..."
- 	/usr/sbin/iptables -F
-        /usr/sbin/iptables -X
-        /usr/sbin/iptables -t nat -F
-        /usr/sbin/iptables -t nat -X
-        /usr/sbin/iptables -t mangle -F
-        /usr/sbin/iptables -t mangle -X
+        iptables -F
+        iptables -X
+        iptables -t nat -F
+        iptables -t nat -X
+        iptables -t mangle -F
+        iptables -t mangle -X
+        iptables -t raw -F
+        iptables -t raw -X
+        iptables -t security -F
+        iptables -t security -X
+
+
+        /usr/sbin/iptables -P INPUT DROP
         /usr/sbin/iptables -P FORWARD DROP
         /usr/sbin/iptables -P OUTPUT DROP
 	;;
diff --git a/core/index.html b/core/index.html
index a3013f5..fb43ac6 100644
--- a/core/index.html
+++ b/core/index.html
@@ -20,7 +20,7 @@
         folder the install process is automated and <a href="ports/">ports</a>
         for extra ports used during the installation.</p>
 
-        <h2>Install Crux 3.2 Gnu/Linux</h2>
+        <h2>1. Install Crux 3.2 Gnu/Linux</h2>
 
         <ul>
             <li><a href="install.html">1.1. Install Crux 3.2</a>
@@ -67,15 +67,15 @@
             </li>
         </ul>
 
-        <h2>System Administration</h2>
+        <h2>2. System Administration</h2>
 
         <ul>
             <li><a href="network.html">2.1. Network</a>
                 <ul>
                     <li><a href="network.html#iptables">2.1.1. Iptables</a></li>
                     <li><a href="network.html#resolv">2.1.2. Resolver</a></li>
-                    <li><a href="network.html#wpa">2.1.3. Wpa and dhcpd</a></li>
-                    <li><a href="network.html#static">2.1.4. Static ip</a></li>
+                    <li><a href="network.html#static">2.1.3. Static ip</a></li>
+                    <li><a href="network.html#wpa">2.1.4. Wpa and dhcpd</a></li>
                     <li><a href="network.html#sysctl">2.1.5. Sysctl</a></li>
                 </ul>
             </li>
@@ -108,7 +108,7 @@
             </li>
         </ul>
 
-        <h2>System Tools</h2>
+        <h2>3. System Tools</h2>
 
         <ul>
             <li><a href="tar.html">3.1. Tar</a>
diff --git a/core/network.html b/core/network.html
index e463ac5..8ca5aef 100644
--- a/core/network.html
+++ b/core/network.html
@@ -29,7 +29,9 @@
 
 	<h2 id="iptables">2.1.1. Iptables</h2>
 
-        <p>You can use
+        <p>For more information about iptables read
+        <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
+        You can use
         <a href="scripts/iptables.sh">iptables script</a>
         at boot time and iptables-save and iptables-restore tools to
         configure nat and filtering;</p>
@@ -62,6 +64,7 @@
         SERVICES=(lo iptables net crond)
         </pre>
 
+        <p>
         <h2 id="resolv">2.1.2. Resolver</h2>
 
         <p>Configure your resolver with a server that don't censorship there for
@@ -81,7 +84,22 @@
         # chattr +i /etc/resolv.conf
         </pre>
 
-        <h2 id="wpa">4.3. Wpa and dhcpd</h2>
+        <h2 id="static">2.1.3. Static IP</h2>
+
+        <pre>
+        # ip link
+        # ip addr flush dev ${DEV}
+        # ip route flush dev ${DEV}
+        </pre>
+
+        <pre>
+        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+        # ip link set ${DEV} up
+        # ip route add default via ${GW}
+        </pre>
+
+
+        <h2 id="wpa">2.1.4. Wpa and dhcpd</h2>
 
         <p>There is more information on
         <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
@@ -99,11 +117,7 @@
         # iwconfig wlp2s0 essid NAME key s:ABCDE12345
         </pre>
 
-        <pre>
-        # ip addr add 192.168.1.65 dev wlp2s0
-        </pre>
-
-        <h3>4.3.1. Wpa Supplicant</h3>
+        <h3>2.1.4.1. Wpa Supplicant</h3>
 
         <p>Configure wpa supplicant edit;</p>
 
@@ -133,7 +147,7 @@
 	init script to auto load wpa configuration and dhcp
         client.</p>
 
-	<h3>4.3.2. Wpa Cli</h3>
+	<h3>2.1.4.2. Wpa Cli</h3>
 
         <pre>
         # wpa_cli
@@ -146,7 +160,7 @@
         </pre>
 
         <pre>
-        &gt; set_network 3 ssid "Valcovo-Network"
+        &gt; set_network 3 ssid "Crux-Network"
         OK
         </pre>
 
@@ -173,21 +187,7 @@
         </pre>
 
 
-        <h2 id="static">4.4. Static IP</h2>
-
-        <pre>
-        # ip link
-        # ip addr flush dev ${DEV}
-        # ip route flush dev ${DEV}
-        </pre>
-
-        <pre>
-        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
-        # ip link set ${DEV} up
-        # ip route add default via ${GW}
-        </pre>
-
-        <h2 id="sysctl">4.5. Sysctl</h2>
+        <h2 id="sysctl">2.1.5. Sysctl</h2>
 
         <p>Sysctl references
         <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
@@ -203,9 +203,9 @@
         kernel.printk = 1 4 1 7
 
         # Disable ipv6
-    net.ipv6.conf.all.disable_ipv6 = 1
-    net.ipv6.conf.default.disable_ipv6 = 1
-    net.ipv6.conf.lo.disable_ipv6 = 1
+        net.ipv6.conf.all.disable_ipv6 = 1
+        net.ipv6.conf.default.disable_ipv6 = 1
+        net.ipv6.conf.lo.disable_ipv6 = 1
 
         # Tuen IPv6
         # net.ipv6.conf.default.router_solicitations = 0
@@ -263,7 +263,7 @@
         net.ipv4.conf.all.secure_redirects = 0
         net.ipv4.conf.default.secure_redirects = 0
 
-        # Act as a router, necessary for Access Point
+        # Don't act as a router
         net.ipv4.ip_forward = 0
         net.ipv4.conf.all.send_redirects = 0
         net.ipv4.conf.default.send_redirects = 0
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
index b450bb3..9fb2872 100644
--- a/core/scripts/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -1,9 +1,9 @@
 #!/bin/sh
 
 #
-#                                XXXXXXXXXXXXXXXXXX
-#                              XXX     Network    XXX
-#                                XXXXXXXXXXXXXXXXXX
+#                                XXXXXXXXXXXXXXXXX
+#                                XXXX Network XXXX
+#                                XXXXXXXXXXXXXXXXX
 #                                        +
 #                                        |
 #                                        v
@@ -32,9 +32,9 @@
 # |chain: OUTPUT |             +--------+----------+
 # +--------------+                      |
 #                                       v
-#                               XXXXXXXXXXXXXXXXXX
-#                             XXX    Network     XXX
-#                               XXXXXXXXXXXXXXXXXX
+#                               XXXXXXXXXXXXXXXXX
+#                               XXXX Network XXXX
+#                               XXXXXXXXXXXXXXXXX
 #
 # iptables [-t table] {-A|-C|-D} chain rule-specification
 #
@@ -161,6 +161,11 @@ iptables -t nat -F
 iptables -t nat -X
 iptables -t mangle -F
 iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
 
 echo "Starting ipv4 firewall filter table..."
 
@@ -169,7 +174,7 @@ iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
-#unlimited
+# Unlimited on local
 $IPT -A INPUT -i lo -j ACCEPT
 $IPT -A OUTPUT -o lo -j ACCEPT
 
-- 
cgit 1.4.1-2-gfad0