Examples describe a network that will be configured with two interfaces Ethernet and Wireless. Ethernet interface will be configured as default route, wireless interface covered here is simple alternative to Ethernet connection.
If is first boot after install configure iptables and one of above described scripts then proceed to upgrade your system.
You can use iptables script at boot time and iptables-save and iptables-restore tools to configure nat and filtering;
# mkdir /etc/iptables
# cp conf/iptables.sh /etc/iptables/
Adjust iptables to your needs, then;
# cd /etc/iptables
# sh iptables.sh
# iptables-save > rules.v4
Copy init script, edit if you dont like to let drop when you call stop.
# cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
# vim /etc/rc.d/iptables
# chmod +x /etc/rc.d/iptables
Re-configure your rc.conf and add iptables before (w)lan is up;
SERVICES=(lo iptables net crond)
Configure your resolver with a server that don't censorship there for respect your freedom and privacy. Read Tor Dns Resolver for more information. This example will use Chaos Computer Club server, edit /etc/resolv.conf and make it immutable;
# /etc/resolv.conf.head can replace this line
nameserver 213.73.91.35
# /etc/resolv.conf.tail can replace this line
# chattr +i /etc/resolv.conf
There is more information on Wiki Wifi Start Scripts and see conf/rc.d/wlan. Manual or first time configuration;
# ip link
# iwlist wlp2s0 scan
# iwconfig wlp2s0 essid NAME key s:ABCDE12345
# ip addr add 192.168.1.65 dev wlp2s0
Configure wpa supplicant edit;
# vim /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
update_config=1
fast_reauth=1
ap_scan=1
# wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf
Now start wpa_supplicant with:
# wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
Use /etc/rc.d/wlan init script to auto load wpa configuration and dhcp client.
# wpa_cli
> status
> add_network
3
> set_network 3 ssid "Valcovo-Network"
OK
> set_network 3 psk "uber-secret-pass"
OK
> enable_network 3
OK
> list_networks
> select_network 3
> save_config
# ip link
# ip addr flush dev ${DEV}
# ip route flush dev ${DEV}
# ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
# ip link set ${DEV} up
# ip route add default via ${GW}
Sysctl references Arch TCP/IP stack hardening, Cyberciti Nginx Hardning, Cyberciti Security Hardening, edit /etc/sysctl.conf;
#
# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
#
kernel.printk = 1 4 1 7
# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Tuen IPv6
# net.ipv6.conf.default.router_solicitations = 0
# net.ipv6.conf.default.accept_ra_rtr_pref = 0
# net.ipv6.conf.default.accept_ra_pinfo = 0
# net.ipv6.conf.default.accept_ra_defrtr = 0
# net.ipv6.conf.default.autoconf = 0
# net.ipv6.conf.default.dad_transmits = 0
# net.ipv6.conf.default.max_addresses = 0
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
## sets the kernels reverse path filtering mechanism to value 1(on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv6.conf.default.rp_filter = 1
net.ipv6.conf.all.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Act as a router, necessary for Access Point
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
kernel.shmmax = 500000000
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
# End of file
Change to act as a router;
# Act as a router, necessary for Access Point
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
Load new settings;
# sysctl -p
Systools Index
This is part of the c9-doc Manual. Copyright (C) 2016 Silvino Silva. See the file Gnu Free Documentation License for copying conditions.