Operation of the network can be handle with init scripts;
Choose wireless or net as connection to outside world and configure /etc/rc.conf to run at startup, example connecting using wireless interface;
# # /etc/rc.conf: system configuration # FONT=default KEYMAP=dvorak TIMEZONE="Europe/Lisbon" HOSTNAME=c9 SYSLOG=sysklogd SERVICES=(lo iptables wlan crond) # End of file
If is first boot after install configure iptables and one of above described scripts then proceed to update system.
This example will use Chaos Computer Club server, edit /etc/resolv.conf and make it immutable;
# /etc/resolv.conf.head can replace this line nameserver 213.73.91.35 # /etc/resolv.conf.tail can replace this line
# chattr +i /etc/resolv.conf
Current example of /etc/rc.d/net;
Address: 192.168.0.1 11000000.10101000.00000000 .00000001 Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 => Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C) Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111 HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001 HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110 Hosts/Net: 254 (Private Internet)
Other IP class that can used for private network;
Address: 10.0.0.1 00001010.00000000.00000000 .00000001 Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 => Network: 10.0.0.0/24 00001010.00000000.00000000 .00000000 (Class A) Broadcast: 10.0.0.255 00001010.00000000.00000000 .11111111 HostMin: 10.0.0.1 00001010.00000000.00000000 .00000001 HostMax: 10.0.0.254 00001010.00000000.00000000 .11111110 Hosts/Net: 254 (Private Internet)
Manual configuring like net script;
# DEV=enp8s0 # ADDR=192.168.1.9 # MASK=24 # GW=192.168.1.254
# ip addr flush dev ${DEV} # ip route flush dev ${DEV} # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + # ip link set ${DEV} up # ip route add default via ${GW}
For more information about firewall systems read arch wiki iptables an nftables.
To setup iptables rules a set of scripts is used, init script /etc/rc.d/iptables loads set of rules from file /etc/iptables/net.v4 at boot time. Start option "open" option allows everything to outside and blocks everything from outside, "stop" will block and log everything. Setup init script and rules ;
# mkdir /etc/iptables # cp core/conf/iptables/net.v4 /etc/iptables/ # cp core/conf/rc.d/iptables /etc/rc.d/ # chmod +x /etc/rc.d/iptables
Change /etc/rc.conf and add iptables;
SERVICES=(iptables lo net crond)
See current rules and packets counts;
# iptables -L -n -v | less
Diagram of a package route throw iptables;
XXXXXXXXXXXXXXXXX XXXX Network XXXX XXXXXXXXXXXXXXXXX + | v +-------------+ +------------------+ |table: filter| >---+ | table: nat | |chain: INPUT | | | chain: PREROUTING| +-----+-------+ | +--------+---------+ | | | v | v [local process] | **************** +--------------+ | +---------+ Routing decision +------< |table: filter | v **************** |chain: FORWARD| **************** +------+-------+ Routing decision | **************** | | | v **************** | +-------------+ +------< Routing decision >---------------+ |table: nat | | **************** |chain: OUTPUT| | + +-----+-------+ | | | | v v | +-------------------+ +--------------+ | | table: nat | |table: filter | +----+ | chain: POSTROUTING| |chain: OUTPUT | +--------+----------+ +--------------+ | v XXXXXXXXXXXXXXXXX XXXX Network XXXX XXXXXXXXXXXXXXXXX
Command line usage;
iptables [-t table] {-A|-C|-D} chain rule-specification iptables [-t table] {-A|-C|-D} chain rule-specification iptables [-t table] -I chain [rulenum] rule-specification iptables [-t table] -R chain rulenum rule-specification iptables [-t table] -D chain rulenum iptables [-t table] -S [chain [rulenum]] iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] iptables [-t table] -N chain iptables [-t table] -X [chain] iptables [-t table] -P chain target iptables [-t table] -E old-chain-name new-chain-name rule-specification = [matches...] [target] match = -m matchname [per-match-options]
Targets, can be a user defined chain;
ACCEPT - accepts the packet DROP - drop the packet on the floor QUEUE - packet will be stent to queue RETURN - stop traversing this chain and resume ate the next rule in the previeus (calling) chain. if packet reach the end of the chain or a target RETURN, default policy for that chain is applayed.
Target Extensions
AUDIT CHECKSUM CLASSIFY DNAT DSCP LOG Torn on kernel logging, will print some some information on all matching packets. Log data can be read with dmesg or syslogd. This is a non-terminating target and a rule should be created with matching criteria. --log-level level Level of logging (numeric or see sys- log.conf(5) --log-prefix prefix Prefix log messages with specified prefix up to 29 chars log --log-uid Log the userid of the process with gener- ated the packet NFLOG This target pass the packet to loaded logging backend to log the packet. One or more userspace processes may subscribe to the group to receive the packets. ULOG This target provides userspace logging of maching packets. One or more userspace processes may then then subscribe to various multicast groups and then receive the packets.
Commands
-A, --append chain rule-specification -C, --check chain rule-specification -D, --delete chain rule-specification -D, --delete chain rulenum -I, --insert chain [rulenum] rule-specification -R, --replace chain rulenum rule-specification -L, --list [chain] -P, --policy chain target
Parameters
-p, --protocol protocol tcp, udp, udplite, icmp, esp, ah, sctp, all -s, --source address[/mask][,...] -d, --destination address[/mask][,...] -j, --jump target -g, --goto chain -i, --in-interface name -o, --out-interface name -f, --fragment -m, --match options module-name iptables can use extended packet matching modules. -c, --set-counters packets bytes
Adjust iptables.sh with your network configuration then run it;
Default configuration;
server) echo "Setting server network..." ####### Input Chain ###### $IPT -A INPUT -j blocker $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in ####### Output Chain ###### $IPT -A OUTPUT -j blocker $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out ## log everything else and drop iptables_log iptables-save > /etc/iptables/net.v4 exit 0 ;;
# bash core/scripts/iptables.sh
$IPT -A FORWARD -j blocker $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in2.3.4. Wpa and dhcpd
There is more information on Wiki Wifi Start Scripts and see /etc/rc.d/wlan. Manual or first time configuration;
# ip link# iwlist wlp2s0 scan# iwconfig wlp2s0 essid NAME key s:ABCDE123452.3.4.1. Wpa Supplicant
Configure wpa supplicant edit;
# vim /etc/wpa_supplicant.confctrl_interface=/var/run/wpa_supplicant update_config=1 fast_reauth=1 ap_scan=1# wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.confNow start wpa_supplicant with:
# wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf Successfully initialized wpa_supplicantUse /etc/rc.d/wlan init script to auto load wpa configuration and dhcp client.
2.3.4.2. Wpa Cli
# wpa_cli > status> add_network 3> set_network 3 ssid "Crux-Network" OK> set_network 3 psk "uber-secret-pass" OK> enable_network 3 OK> list_networks> select_network 3> save_configCore OS IndexThis is part of the c9-doc Manual. Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.