Core OS Index

2. Network

Operation of the network can be handle with init scripts;

/etc/rc.d/iptables
Configure iptables, start option loads set of rules from file /etc/iptables/rules_file_name, open option allows everything to outside and blocks everything from outside, stop will block and log everything.
/etc/rc.d/net
Configure Ethernet interface with static or dynamic (dhcp) IP, set default route and add default gateway.
/etc/rc.d/wlan
Configure Wireless interface, launch wpa_supplicant to handle wireless authenticationand dynamic (dhcp) connection to router and add as default gateway.

Choose wireless or net as connection to outside world and configure /etc/rc.conf to run at startup, example connecting using wireless interface;

        #
        # /etc/rc.conf: system configuration
        #

        FONT=default
        KEYMAP=dvorak
        TIMEZONE="Europe/Lisbon"
        HOSTNAME=c9
        SYSLOG=sysklogd
        SERVICES=(lo iptables wlan crond)

        # End of file
        

If is first boot after install configure iptables and one of above described scripts then proceed to update system.

2.1.1. Resolver

This example will use Chaos Computer Club server, edit /etc/resolv.conf and make it immutable;

        # /etc/resolv.conf.head can replace this line
        nameserver 213.73.91.35
        # /etc/resolv.conf.tail can replace this line
        
        # chattr +i /etc/resolv.conf
        

2.1.2. Static IP

Current example of /etc/rc.d/net;

        Address:   192.168.0.1           11000000.10101000.00000000 .00000001
        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
        =>
        Network:   192.168.0.0/24        11000000.10101000.00000000 .00000000 (Class C)
        Broadcast: 192.168.0.255         11000000.10101000.00000000 .11111111
        HostMin:   192.168.0.1           11000000.10101000.00000000 .00000001
        HostMax:   192.168.0.254         11000000.10101000.00000000 .11111110
        Hosts/Net: 254                   (Private Internet)
        

Other IP class that can used for private network;

        Address:   10.0.0.1              00001010.00000000.00000000 .00000001
        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
        =>
        Network:   10.0.0.0/24           00001010.00000000.00000000 .00000000 (Class A)
        Broadcast: 10.0.0.255            00001010.00000000.00000000 .11111111
        HostMin:   10.0.0.1              00001010.00000000.00000000 .00000001
        HostMax:   10.0.0.254            00001010.00000000.00000000 .11111110
        Hosts/Net: 254                   (Private Internet)
        

Manual configuring like net script;

        # DEV=enp8s0
        # ADDR=192.168.1.9
        # MASK=24
        # GW=192.168.1.254
        
        # ip addr flush dev ${DEV}
        # ip route flush dev ${DEV}
        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
        # ip link set ${DEV} up
        # ip route add default via ${GW}
        

2.1.3. Iptables

For more information about iptables read arch wiki. You can use /etc/iptables/rules.v4 as template, replace interface by the one facing the router/gateway. This configuration file is used at boot time by iptables-restore command, if you use a script or change the rules of running system you can use iptables-save command to save configuration to a file.

        # mkdir /etc/iptables
        # cp c9-doc/core/conf/iptables/rules.v4 /etc/iptables/
        # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
        # chmod +x /etc/rc.d/iptables
        

Adjust rules.v4 to your needs, then;

        # sh /etc/rc.d/iptables start
        

Copy init script, edit if you dont like to let drop when you call stop.

Re-configure your rc.conf and add iptables before (w)lan is up;

        SERVICES=(lo iptables net crond)
        

2.1.4. Wpa and dhcpd

There is more information on Wiki Wifi Start Scripts and see /etc/rc.d/wlan. Manual or first time configuration;

        # ip link
        
        # iwlist wlp2s0 scan
        
        # iwconfig wlp2s0 essid NAME key s:ABCDE12345
        

2.1.4.1. Wpa Supplicant

Configure wpa supplicant edit;

        # vim /etc/wpa_supplicant.conf
        
        ctrl_interface=/var/run/wpa_supplicant
        update_config=1
        fast_reauth=1
        ap_scan=1
        
        # wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf
        

Now start wpa_supplicant with:

        # wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf
        Successfully initialized wpa_supplicant
        

Use /etc/rc.d/wlan init script to auto load wpa configuration and dhcp client.

2.1.4.2. Wpa Cli

        # wpa_cli
        > status
        
        > add_network
        3
        
        > set_network 3 ssid "Crux-Network"
        OK
        
        > set_network 3 psk "uber-secret-pass"
        OK
        
        > enable_network 3
        OK
        
        > list_networks
        
        > select_network 3
        
        > save_config
        

2.1.5. Sysctl

Sysctl references Arch TCP/IP stack hardening, Cyberciti Nginx Hardning, Cyberciti Security Hardening, edit /etc/sysctl.conf;

        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 1 4 1 7

        # Disable ipv6
        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1
        net.ipv6.conf.lo.disable_ipv6 = 1

        # Tuen IPv6
        # net.ipv6.conf.default.router_solicitations = 0
        # net.ipv6.conf.default.accept_ra_rtr_pref = 0
        # net.ipv6.conf.default.accept_ra_pinfo = 0
        # net.ipv6.conf.default.accept_ra_defrtr = 0
        # net.ipv6.conf.default.autoconf = 0
        # net.ipv6.conf.default.dad_transmits = 0
        # net.ipv6.conf.default.max_addresses = 0

        # Avoid a smurf attack
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # Turn on protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1

        # Turn on syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1

        ## protect against tcp time-wait assassination hazards
        ## drop RST packets for sockets in the time-wait state
        ## (not widely supported outside of linux, but conforms to RFC)
        net.ipv4.tcp_rfc1337 = 1

        ## tcp timestamps
        ## + protect against wrapping sequence numbers (at gigabit speeds)
        ## + round trip time calculation implemented in TCP
        ## - causes extra overhead and allows uptime detection by scanners like nmap
        ## enable @ gigabit speeds
        net.ipv4.tcp_timestamps = 0
        #net.ipv4.tcp_timestamps = 1

        # Turn on and log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1

        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # No source routed packets here
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0

        ## sets the kernels reverse path filtering mechanism to value 1(on)
        ## will do source validation of the packet's recieved from all the interfaces on the machine
        ## protects from attackers that are using ip spoofing methods to do harm
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
        net.ipv6.conf.default.rp_filter = 1
        net.ipv6.conf.all.rp_filter = 1

        # Make sure no one can alter the routing tables
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0

        # Don't act as a router
        net.ipv4.ip_forward = 0
        net.ipv4.conf.all.send_redirects = 0
        net.ipv4.conf.default.send_redirects = 0

        kernel.shmmax = 500000000
        # Turn on execshild
        kernel.exec-shield = 1
        kernel.randomize_va_space = 1

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        # Increase system IP port limits
        net.ipv4.ip_local_port_range = 2000 65000

        # Increase TCP max buffer size setable using setsockopt()
        net.ipv4.tcp_rmem = 4096 87380 8388608
        net.ipv4.tcp_wmem = 4096 87380 8388608

        # Increase Linux auto tuning TCP buffer limits
        # min, default, and max number of bytes to use
        # set max to at least 4MB, or higher if you use very high BDP paths
        # Tcp Windows etc
        net.core.rmem_max = 8388608
        net.core.wmem_max = 8388608
        net.core.netdev_max_backlog = 5000
        net.ipv4.tcp_window_scaling = 1

        # End of file
        

Change to act as a router (default of conf/sysctl.conf);

        # Act as a router, necessary for Access Point
        net.ipv4.ip_forward = 1
        net.ipv4.conf.all.send_redirects = 1
        net.ipv4.conf.default.send_redirects = 1
        

Load new settings;

        # sysctl -p
        
Core OS Index

This is part of the c9-doc Manual. Copyright (C) 2016 c9 team. See the file Gnu Free Documentation License for copying conditions.