Renamed sample-rc.d -> rc.d. Update netdata cert/key. Add msmtp cert/key.

This commit is contained in:
Darren 'Tadgy' Austin 2022-08-16 15:05:07 +01:00
commit 831c0eafd3
17 changed files with 29 additions and 18 deletions

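--- a/rc.d/rc.firewall-float
+++ b/rc.d/rc.firewall-float
@@ -0,0 +1,193 @@
+#!/bin/bash
+# The name of the main external interface.
+EX_IF="eth0"
+# IP addresses.
+PRIMARYIP="216.119.155.FIXME"
+PRIMARYIP6="2a02:2498:e004:2a::FIXME"
+FLOATINGIP="216.119.155.FIXME"
+FLOATINGIP6="2a02:2498:e004:2a::FIXME"
+# The IP ranges from where to accept unfiltered connections.
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+start_firewall() {
+# Disable ICMP redirects.
+# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+# the sending host that it should forward subsequent packets to that same destination through a different gateway.
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+# Flush old rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Drop invalid packets on all interfaces.
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+# Drop unroutable IPs on the external interface.
+iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+# Allow all loopback traffic.
+iptables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+# Allow unrestricted access from our IPs.
+for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+done
+for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
+ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+done
+# Allow packets of established connections and those related to them.
+iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Allow pings.
+iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+# Allow certain types of ICMP informational packets.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+# Allow SSH.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+# Service: DNS.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+# Service: HTTP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+# Service: FTP{,S}.
+# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
+# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
+# modprobe nf_conntrack_ftp
+echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+# Service: rsync.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+# Service: SMTP and submission.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+# Service: IMAP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+# Service: POP3{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+# Service: Bittorrent.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+# Set default policies.
+iptables -P INPUT DROP
+ip6tables -P INPUT DROP
+iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
+}
+stop_firewall() {
+# Set default policies to ACCEPT.
+iptables -P INPUT ACCEPT
+ip6tables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+ip6tables -P FORWARD ACCEPT
+# Flush rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Reset ICMP redirects.
+cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+case "$1" in
+'start')
+start_firewall
+;;
+'stop')
+stop_firewall
+;;
+'restart')
+stop_firewall
+start_firewall
+;;
+*)
+echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
+ERR=1
+;;
+esac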
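Review bot: The two FTP data-port rules `iptables ... --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED` in start_firewall also carry `--syn`, and a SYN is never in ESTABLISHED state, so they match at most a RELATED first packet that the general ESTABLISHED,RELATED accept earlier in the function already takes; they can be removed without changing behaviour. Writing 1 to `/proc/sys/net/netfilter/nf_conntrack_helper` re-enables automatic helper assignment for every tracked flow, which the kernel turned off by default because a helper chosen on port number alone lets a client open arbitrary expected connections; since `modprobe nf_conntrack_ftp` is commented out in this file anyway, prefer an explicit assignment such as `iptables -t raw -A PREROUTING -p tcp -d "$FLOATINGIP" --dport 21 -j CT --helper ftp` and leave the sysctl at 0. The `49152:65534` NEW rules on both addresses (TCP without `--syn` for FTP, TCP and UDP for BitTorrent) effectively open the whole ephemeral range to the Internet; if the FTP daemon's passive range can be pinned to a small window, match that window here instead. The `FIXME` placeholders in PRIMARYIP/FLOATINGIP make every `-d` rule fail if the script is run before they are filled in, so a guard like `[[ $PRIMARYIP == *FIXME* ]] && { echo "set the IP addresses first" >&2; exit 1; }` ahead of the case statement would be cheap insurance.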

rc.d/rc.firewall-guests Executable file
View file

@ -0,0 +1,187 @@
#!/bin/bash
# The name of the main external interface.
EX_IF="eth0"
# The IP ranges from where to accept unfiltered connections.
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
start_firewall() {
# Disable ICMP redirects.
# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
# the sending host that it should forward subsequent packets to that same destination through a different gateway.
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
# Flush old rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Drop invalid packets on all interfaces.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
done
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
done
# Allow packets of established connections and those related to them.
iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings.
iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# Allow certain types of ICMP informational packets.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow SSH.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
# Service: DNS.
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Service: HTTP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Service: FTP{,S}.
# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
modprobe nf_conntrack_ftp
echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Service: rsync.
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
# Service: SMTP and submission.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
# Service: IMAP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
# Service: POP3{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
# Service: Bittorrent.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Set default policies.
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
}
stop_firewall() {
# Set default policies to ACCEPT.
iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
ip6tables -P FORWARD ACCEPT
# Flush rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Reset ICMP redirects.
cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
}
case "$1" in
'start')
start_firewall
;;
'stop')
stop_firewall
;;
'restart')
stop_firewall
start_firewall
;;
*)
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
ERR=1
;;
esac
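Review bot: start_firewall flushes every table and then appends the whole rule set before it finally runs `iptables -P INPUT DROP`, so on `restart` (where stop_firewall has just set INPUT to ACCEPT) and on first boot the host is fully open for the duration of the rule build, and any rule that errors out leaves it open for good. Moving the `-P INPUT DROP` / `-P FORWARD DROP` lines (both families) to immediately after the `# Flush old rules.` block closes that window at no cost; the loopback and ESTABLISHED,RELATED accepts that follow restore service the moment they are appended. Separately, the FTP line `iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT` has no `--syn` and fully shadows the later BitTorrent rule for the same range, so the `--syn` on that later rule never takes effect; either add `--syn` to the FTP rule or drop the duplicate. As in the other scripts, `echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper` re-enables kernel-wide automatic helper assignment; an explicit `-t raw ... -p tcp --dport 21 -j CT --helper ftp` rule is the safer way to get the FTP helper.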

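--- a/rc.d/rc.firewall-hosts
+++ b/rc.d/rc.firewall-hosts
@@ -0,0 +1,187 @@
+#!/bin/bash
+# The name of the main external interface.
+EX_IF="eth0"
+# The IP ranges from where to accept unfiltered connections.
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+start_firewall() {
+# Disable ICMP redirects.
+# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+# the sending host that it should forward subsequent packets to that same destination through a different gateway.
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+# Flush old rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Drop invalid packets on all interfaces.
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+# Drop unroutable IPs on the external interface.
+iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+# Allow all loopback traffic.
+iptables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+# Allow unrestricted access from our IPs.
+for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+done
+for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
+ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+done
+# Allow packets of established connections and those related to them.
+iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Allow pings.
+iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+# Allow certain types of ICMP informational packets.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+# Allow SSH.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+# Service: DNS.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+# Service: HTTP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+# Service: FTP{,S}.
+# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
+# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
+modprobe nf_conntrack_ftp
+echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+# Service: rsync.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+# Service: SMTP and submission.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+# Service: IMAP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+# Service: POP3{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+# Service: Bittorrent.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+# Set default policies.
+iptables -P INPUT DROP
+ip6tables -P INPUT DROP
+iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
+}
+stop_firewall() {
+# Set default policies to ACCEPT.
+iptables -P INPUT ACCEPT
+ip6tables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+ip6tables -P FORWARD ACCEPT
+# Flush rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Reset ICMP redirects.
+cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+case "$1" in
+'start')
+start_firewall
+;;
+'stop')
+stop_firewall
+;;
+'restart')
+stop_firewall
+start_firewall
+;;
+*)
+echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
+ERR=1
+;;
+esac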
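Review bot: This file is line-for-line identical to rc.d/rc.firewall-guests added in the same commit, so the two will silently drift the first time one of them is patched; keeping one script and making the other a symlink, or sourcing a shared `rc.firewall-common` with the per-role differences in a small override, would leave a single place to audit. The usage branch sets `ERR=1` but nothing ever reads it, so an invalid argument exits 0; either finish with `exit "${ERR:-0}"` after `esac` or use `exit 1` directly in the `*)` arm. The unrestricted `udp --dport 53 ... NEW` accept is fine for an authoritative-only server, but if the resolver on this host recurses for anyone it is an open amplification source, so it is worth confirming the daemon's own access controls or limiting the rule to the UNFILTERED ranges. The shadowing of the later BitTorrent `49152:65534` rule by the earlier no-`--syn` FTP rule, and the kernel-wide `nf_conntrack_helper` sysctl, apply here exactly as in the guests script.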

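--- a/rc.d/rc.firewall-hypervisor-fry
+++ b/rc.d/rc.firewall-hypervisor-fry
@@ -0,0 +1,157 @@
+#!/bin/bash
+# The name of the main external interface.
+EX_IF="eth1"
+# The name of the VM network bridge interface.
+BR_IF="br0"
+# The IP ranges to accept unfiltered connections from.
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+start_firewall() {
+# Disable ICMP redirects.
+# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+# the sending host that it should forward subsequent packets to that same destination through a different gateway.
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+# Proxy ARP is required for the VMs to use the network.
+echo 1 >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
+# Flush old rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Drop invalid packets on all interfaces.
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+# Drop unroutable IPs on the external interface.
+iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+# Drop the IPs that we've usurped.
+iptables -A FORWARD -o "$EX_IF" -s 216.119.155.56/31 -j DROP
+iptables -A FORWARD -o "$EX_IF" -s 216.119.155.62/31 -j DROP
+iptables -A FORWARD -i "$EX_IF" -d 216.119.155.56/31 -j DROP
+iptables -A FORWARD -i "$EX_IF" -d 216.119.155.62/31 -j DROP
+# Allow all loopback traffic.
+iptables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+# Allow all traffic from the bridged network.
+iptables -A INPUT -i "$BR_IF" -j ACCEPT
+ip6tables -A INPUT -i "$BR_IF" -j ACCEPT
+# Allow unrestricted access from our IPs.
+for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+done
+for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
+ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+done
+# Allow packets of established connections and those related to them.
+iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Allow pings.
+iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+# Allow certain types of ICMP informational packets.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+# Allow SSH.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+iptables -P INPUT DROP
+ip6tables -P INPUT DROP
+iptables -P FORWARD ACCEPT
+ip6tables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+}
+stop_firewall() {
+# Set default policies to ACCEPT.
+iptables -P INPUT ACCEPT
+ip6tables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+ip6tables -P FORWARD ACCEPT
+# Flush rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Disable proxy ARP.
+cat /proc/sys/net/ipv4/conf/default/proxy_arp >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
+# Reset ICMP redirects.
+cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+case "$1" in
+'start')
+start_firewall
+;;
+'stop')
+stop_firewall
+;;
+'restart')
+stop_firewall
+start_firewall
+;;
+*)
+echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
+ERR=1
+;;
+esac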
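Review bot: `iptables -A INPUT -i "$BR_IF" -j ACCEPT` (and its ip6tables twin) lets every guest on the bridge reach any service listening on the hypervisor itself, so a compromised VM gets a direct path to the host's SSH, management and any other daemon without passing the SSH-only policy that the external interface gets; unless the VMs genuinely need hypervisor services, restrict this to ESTABLISHED,RELATED plus the specific ports they use (DHCP/DNS if the host serves them). With `-P FORWARD ACCEPT` the only egress filtering on guest traffic is the two `216.119.155.56/31` and `.62/31` source drops, so a guest can forward packets with any other spoofed source out `$EX_IF`, and there is no equivalent rule at all for IPv6; an allow-list of the guests' assigned addresses on `FORWARD -o "$EX_IF"` (or per-port ebtables/`physdev` matches) would give real anti-spoofing, assuming the guest addresses are known to this host. The `-P INPUT DROP` policy is applied only after the full rule set has been appended, so on `restart` the host is briefly wide open and stays open if any earlier rule fails; set the policy immediately after the flush block instead. A short `# Set default policies.` comment above the six `-P` lines would also keep this file consistent with the sibling scripts.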

rc.d/rc.firewall-hypervisors Executable file

@ -0,0 +1,139 @@
#!/bin/bash
# The name of the main external interface.
EX_IF="br0"
# The IP ranges from where to accept unfiltered connections.
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
start_firewall() {
# Disable ICMP redirects.
# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
# the sending host that it should forward subsequent packets to that same destination through a different gateway.
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
# Flush old rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Drop invalid packets on all interfaces.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
done
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
done
# Allow packets of established connections and those related to them.
iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings.
iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# Allow certain types of ICMP informational packets.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow SSH.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
# Set default policies.
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
}
stop_firewall() {
# Set default policies to ACCEPT.
iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
ip6tables -P FORWARD ACCEPT
# Flush rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Reset ICMP redirects.
cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
}
case "$1" in
'start')
start_firewall
;;
'stop')
stop_firewall
;;
'restart')
stop_firewall
start_firewall
;;
*)
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
ERR=1
;;
esac
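Review bot: The `*)` arm sets `ERR=1` but nothing ever reads it, so an unrecognised argument prints the usage text and still exits 0; either replace that line with `exit 1` or finish the file with `exit "${ERR:-0}"` the way rc.proftpd's `return $ERR 2>/dev/null || exit $ERR` line does (rc.firewall-float has the same unused `ERR`). Separately, start_firewall flushes every chain first and only reaches `iptables -P INPUT DROP` at the end, so a `restart` runs for a moment with no INPUT rules under the ACCEPT policy that stop_firewall just set; moving the two `-P INPUT DROP` lines ahead of the flush closes that window, and the ESTABLISHED,RELATED rule keeps existing sessions working once the rules are back. This host is the LXC/libvirt hypervisor judging by `EX_IF="br0"` and rc.local, so it is worth a comment noting that the unconditional `-F`/`-X` also removes any NAT or FORWARD rules those services insert, if that is intended.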

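--- a/rc.d/rc.local
+++ b/rc.d/rc.local
@@ -0,0 +1,66 @@
+#!/bin/bash
+# /etc/rc.d/rc.local - Local system startup script.
+# This script will be run when the system is first booted.
+# Start the MCE daemon.
+[ -x /etc/rc.d/rc.mcelog ] && /etc/rc.d/rc.mcelog start
+# Start the qemu guest additions agent.
+[ -x /etc/rc.d/rc.qemu-ga ] && /etc/rc.d/rc.qemu-ga start
+# Start GlusterFS daemon.
+[ -x /etc/rc.d/rc.glusterd ] && /etc/rc.d/rc.glusterd start
+# Start the vnstat daemon.
+[ -x /etc/rc.d/rc.vnstat ] && /etc/rc.d/rc.vnstat start
+# Start netdata.
+[ -x /etc/rc.d/rc.netdata ] && /etc/rc.d/rc.netdata start
+# Start fail2ban.
+[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban start
+# Start the php-fpm FastCGI daemon.
+[ -x /etc/rc.d/rc.php-fpm ] && /etc/rc.d/rc.php-fpm start
+# Start SpamAssassin.
+[ -x /etc/rc.d/rc.spamd ] && /etc/rc.d/rc.spamd start
+# Start greylistd.
+[ -x /etc/rc.d/rc.greylistd ] && /etc/rc.d/rc.greylistd start
+# Start proftpd.
+[ -x /etc/rc.d/rc.proftpd ] && {
+/opt/bin/lumberjack -u logger -z -r -i /run/slackware.uk-ftpd.log -o logger:ftp -mp 006 -l logs/ftpd-transfers.log \
+/data/sites/slackware.uk logs/%Y/%m/ftpd-transfers.log &
+/etc/rc.d/rc.proftpd start
+}
+# Start the rsync daemon.
+[ -x /etc/rc.d/rc.rsyncd ] && {
+/opt/bin/lumberjack -u logger -z -r -i /run/rsyncd.log -o logger:mirror -mp 006 -l logs/rsyncd-transfers.log \
+/data/sites/slackware.uk logs/%Y/%m/rsyncd-transfers.log &
+/etc/rc.d/rc.rsyncd start
+}
+# Start the bandwidth bar generator.
+[ -x /opt/bin/bwbar ] && sudo -b /opt/bin/bwbar -f /run/bwbar.txt -p /run/bwbar.png -t 1 -x 800 -y 8 -b 2 eth0 1000
+# Start seeding the torrents.
+grep "^seeder:" /etc/passwd >/dev/null 2>&1 && su - seeder -c /home/seeder/start-seeding
+# Start libvirt.
+[ -x /etc/rc.d/rc.libvirt ] && /etc/rc.d/rc.libvirt start
+# Start the lxcfs fuse module.
+[ -x /etc/rc.d/rc.lxcfs ] && /etc/rc.d/rc.lxcfs start
+# Start containers.
+[ -x /etc/rc.d/rc.lxc ] && {
+# Proxy ARP is required for the LXC bridge to function correctly.
+echo 1 >/proc/sys/net/ipv4/conf/br0/proxy_arp
+/etc/rc.d/rc.lxc start
+}
+# Notify that the server has booted.
+CONFIG_FILE="server" /opt/bin/pushover -T "Successful boot up: ${HOSTNAME%%.*}" -p 1 -m "$(printf '%(%d %b %Y - %H:%M:%S)T')"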
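Review bot: The `grep "^seeder:" /etc/passwd` test (and its twin in rc.local_shutdown) only sees accounts in the local file, so a `seeder` user served through NSS would never be started; `getent passwd seeder >/dev/null 2>&1` is the equivalent that honours nsswitch. The two `lumberjack` invocations are backgrounded with `&` before the daemon they log for is started and their status is never checked, so a failure there is silent; a comment such as `# lumberjack must be reading the FIFO before proftpd/rsyncd open it` would record why the ordering matters, assuming that is the reason for it. `sudo -b` on the bwbar line looks odd in a script that already runs as root — if the intent is only to detach, `nohup ... &` removes the dependency on sudoers; if sudoers maps it to another user, say so in a comment.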

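--- a/rc.d/rc.local_shutdown
+++ b/rc.d/rc.local_shutdown
@@ -0,0 +1,73 @@
+#!/bin/bash
+# /etc/rc.d/rc.local_shutdown - Local system shutdown script.
+# This script will be run when the system is shutdown or rebooted.
+# Notify that the server is shutting down.
+CONFIG_FILE="server" /opt/bin/pushover -T "Shutting down: ${HOSTNAME%%.*}" -p 1 -m "$(printf '%(%d %b %Y - %H:%M:%S)T')"
+# Stop containers.
+[ -x /etc/rc.d/rc.lxc ] && /etc/rc.d/rc.lxc stop
+# Stop lxcfs.
+[ -x /etc/rc.d/rc.lxcfs ] && /etc/rc.d/rc.lxcfs stop
+# Stop libvirt.
+[ -x /etc/rc.d/rc.libvirt ] && {
+/etc/rc.d/rc.libvirt guests_shutdown
+/etc/rc.d/rc.libvirt stop
+}
+# Stop the rtorrent instances started at boot.
+grep "^seeder:" /etc/passwd >/dev/null 2>&1 && {
+pkill -INT -u seeder '^rtorrent .*$'
+printf "%s" "Waiting up to 30 seconds for rtorrent to exit"
+for ((i=0; i <= 59; i++)); do
+if pgrep -u seeder '^rtorrent .*$' >/dev/null 2>&1; then
+printf "%s" "."
+sleep 0.5
+else
+break
+fi
+done
+if ! pgrep -u seeder '^rtorrent .*$' >/dev/null 2>&1; then
+printf "%s\n" " clean exit."
+else
+printf "%s\n" " failed - terminating."
+pkill -TERM -u seeder '^rtorrent .*$'
+sleep 2
+pkill -KILL -u seeder '^rtorrent .*$'
+fi
+}
+# Stop rsyncd.
+[ -x /etc/rc.d/rc.rsyncd ] && /etc/rc.d/rc.rsyncd stop
+# Stop proftpd.
+[ -x /etc/rc.d/rc.proftpd ] && /etc/rc.d/rc.proftpd stop
+# Stop greylistd.
+[ -x /etc/rc.d/rc.greylistd ] && /etc/rc.d/rc.greylistd stop
+# Stop SpamAssassin.
+[ -x /etc/rc.d/rc.spamd ] && /etc/rc.d/rc.spamd stop
+# Stop the php-fpm FastCGI daemon.
+[ -x /etc/rc.d/rc.php-fpm ] && /etc/rc.d/rc.php-fpm stop
+# Stop fail2ban.
+[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban stop
+# Stop netdata.
+[ -x /etc/rc.d/rc.netdata ] && /etc/rc.d/rc.netdata stop
+# Stop the vnstat daemon.
+[ -x /etc/rc.d/rc.vnstat ] && /etc/rc.d/rc.vnstat stop
+# Stop GlusterFS daemon.
+[ -x /etc/rc.d/rc.glusterd ] && /etc/rc.d/rc.glusterd stop
+# Stop the qemu guest additions agent.
+[ -x /etc/rc.d/rc.qemu-ga ] && /etc/rc.d/rc.qemu-ga stop
+# Stop the MCE daemon.
+[ -x /etc/rc.d/rc.mcelog ] && /etc/rc.d/rc.mcelog stop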
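Review bot: The pattern `'^rtorrent .*$'` on the `pkill -INT -u seeder` line and the four pgrep/pkill calls after it contains a space, but without `-f` both tools match against the process name alone, which does not contain one, so rtorrent is never signalled and the wait loop reports "clean exit" immediately (unless the process name itself really carries a space). Either add `-f` to each call, e.g. `pkill -INT -f -u seeder '^rtorrent .*$'`, or drop the ` .*$` tail and match the name exactly with `pgrep -x -u seeder rtorrent`. The 60 iterations of `sleep 0.5` do line up with the advertised 30 seconds, so the loop itself is fine once the match works.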

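--- a/rc.d/rc.modules.local
+++ b/rc.d/rc.modules.local
@@ -0,0 +1,24 @@
+#!/bin/sh
+# /etc/rc.d/rc.modules.local
+# The Linux kernel source is the best place to look for documentation
+# for the many available kernel modules. This can be found under
+# /usr/src/linux-$VERSION/Documentation/.
+# Almost all necessary modules are automatically loaded when needed,
+# but there are a few exceptions. Here's a (not all-inclusive) list,
+# so uncomment any of the below entries or add others as needed:
+# Note that you could also create/edit rc.modules-$version if you
+# only wanted specific modules loaded for particular kernels.
+#/sbin/modprobe tun # Universal TUN/TAP device driver
+#/sbin/modprobe sg # Generic SCSI support for SATA DVD-RW
+# Load sensor modules.
+if [ -e /etc/sysconfig/lm_sensors ]; then
+. /etc/sysconfig/lm_sensors
+for MOD in $HWMON_MODULES; do
+/sbin/modprobe "$MOD"
+done
+fi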
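Review bot: `for MOD in $HWMON_MODULES` depends on unquoted word splitting of a value read from the sourced file, which is the intent here but will be reported by ShellCheck; mark it with `# shellcheck disable=SC2086 -- HWMON_MODULES is a space-separated list`. The `. /etc/sysconfig/lm_sensors` line executes that file as shell at boot as root, so it must stay root-owned and not group/world-writable; a one-line comment stating that expectation next to the `if [ -e ... ]` guard would help the next editor, who otherwise only sees an existence check.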

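--- a/rc.d/rc.proftpd
+++ b/rc.d/rc.proftpd
@@ -0,0 +1,108 @@
+#!/bin/bash
+# Version: 0.2.9
+# Copyright (c) 2005-2017:
+# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
+# Licensed under the terms of the GNU General Public License version 3.
+EXEC="/usr/sbin/proftpd"
+ARGS=()
+PIDFILE="/var/run/proftpd.pid"
+checkconfigured() {
+# This function can be used to perform any pre-start tests; hopfully to insure the daemon
+# can start correctly, before actually trying to start it. A return value of 0 means the
+# tests were passed and the daemon should be started. Any other value prevents the
+# daemon from being started and an error message will be emitted.
+return 0
+}
+checkstatus() {
+# Note: this has been changed from the standard 'pgrep -f "$EXEC"' as pgrep doesn't match
+# the process because proftp changes its argv0.
+local RUNPIDS="$(pgrep -F "$PIDFILE" 2>/dev/null)"
+if [ ! -z "$RUNPIDS" ]; then
+echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
+if [ ! -z "$PIDFILE" ]; then
+if [ ! -e "$PIDFILE" ]; then
+echo -n ", but .pid file does not exist"
+elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
+echo -n ", but .pid file is stale"
+fi
+fi
+echo
+else
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
+return 1
+fi
+return 0
+}
+startdaemon() {
+if ! checkconfigured; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
+return 1
+elif [ ! -e "$EXEC" ]; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
+return 1
+elif [ ! -x "$EXEC" ]; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
+return 1
+fi
+env -i -S "$EXEC" "${ARGS[@]}"
+return $?
+}
+stopdaemon() {
+# Note: this has been changed from the standard way of doing things because we can't use
+# 'pgrep -f' to match the process since proftpd changes its argv0.
+if ! kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
+sleep 2
+if checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
+kill -KILL "$(pgrep "${EXEC##*/}")" >/dev/null 2>&1
+fi
+fi
+return 0
+}
+case "$1" in
+'start')
+if checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
+echo " Try: $BASH_SOURCE status" >&2
+ERR=1
+else
+startdaemon
+ERR=$?
+fi
+;;
+'stop')
+if ! checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
+echo " Try: $BASH_SOURCE status" >&2
+ERR=1
+else
+stopdaemon
+ERR=$?
+fi
+;;
+'restart')
+if checkstatus >/dev/null; then
+stopdaemon && sleep 2 && startdaemon
+ERR=$?
+else
+startdaemon
+ERR=$?
+fi
+;;
+'status')
+checkstatus
+ERR=$?
+;;
+*)
+echo "Usage: $BASH_SOURCE <start|stop|restart|status>" >&2
+ERR=1
+;;
+esac
+return $ERR 2>/dev/null || exit $ERR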
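Review bot: stopdaemon only sleeps and re-checks when the `kill -TERM` from the pid file fails, so a TERM that is delivered but ignored by proftpd is reported as a clean stop; rc.rsyncd's stopdaemon runs `sleep 2` and `checkstatus` unconditionally after the TERM attempt and this file should do the same. The fallback `kill -KILL "$(pgrep "${EXEC##*/}")"` passes every matching PID as a single newline-joined argument, which `kill` rejects as soon as more than one process matches (the forked proftpd children, for instance) — rc.rsyncd and rc.tftpd carry the same construct with `pgrep -f`; `pkill -KILL -x "${EXEC##*/}"` signals each process directly. `env -i -S "$EXEC"` clearing the inherited environment is a sensible choice for a network-facing daemon, but `-S` splits `$EXEC` on whitespace and the reason for it is not obvious, so a short comment on that line would help.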

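--- a/rc.d/rc.rsyncd
+++ b/rc.d/rc.rsyncd
@@ -0,0 +1,105 @@
+#!/bin/bash
+# Version: 0.2.9
+# Copyright (c) 2005-2017:
+# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
+# Licensed under the terms of the GNU General Public License version 3.
+EXEC="/usr/bin/rsync"
+ARGS=(--daemon --config=/etc/rsyncd/rsyncd.conf)
+PIDFILE="/var/run/rsyncd.pid"
+checkconfigured() {
+# This function can be used to perform any pre-start tests; hopfully to insure the daemon
+# can start correctly, before actually trying to start it. A return value of 0 means the
+# tests were passed and the daemon should be started. Any other value prevents the
+# daemon from being started and an error message will be emitted.
+return 0
+}
+checkstatus() {
+local RUNPIDS="$(pgrep -f "$EXEC")"
+if [ ! -z "$RUNPIDS" ]; then
+echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
+if [ ! -z "$PIDFILE" ]; then
+if [ ! -e "$PIDFILE" ]; then
+echo -n ", but .pid file does not exist"
+elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
+echo -n ", but .pid file is stale"
+fi
+fi
+echo
+else
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
+return 1
+fi
+return 0
+}
+startdaemon() {
+if ! checkconfigured; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
+return 1
+elif [ ! -e "$EXEC" ]; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
+return 1
+elif [ ! -x "$EXEC" ]; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
+return 1
+fi
+"$EXEC" "${ARGS[@]}"
+return $?
+}
+stopdaemon() {
+if ! kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
+kill -TERM "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+fi
+sleep 2
+if checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
+kill -KILL "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+fi
+return 0
+}
+case "$1" in
+'start')
+if checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
+echo " Try: $BASH_SOURCE status" >&2
+ERR=1
+else
+startdaemon
+ERR=$?
+fi
+;;
+'stop')
+if ! checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
+echo " Try: $BASH_SOURCE status" >&2
+ERR=1
+else
+stopdaemon
+ERR=$?
+fi
+;;
+'restart')
+if checkstatus >/dev/null; then
+stopdaemon && sleep 2 && startdaemon
+ERR=$?
+else
+startdaemon
+ERR=$?
+fi
+;;
+'status')
+checkstatus
+ERR=$?
+;;
+*)
+echo "Usage: $BASH_SOURCE <start|stop|restart|status>" >&2
+ERR=1
+;;
+esac
+return $ERR 2>/dev/null || exit $ERR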
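Review bot: `pgrep -f "$EXEC"` in checkstatus and in both fallback kills of stopdaemon matches any command line containing /usr/bin/rsync, not just the daemon, so a mirror job or any other rsync run on the host by full path makes `status` report the daemon as running, makes `start` refuse with "already running", and under `stop` the `kill -TERM`/`kill -KILL` fallbacks will terminate those transfers. Anchor the match to the daemon invocation in all three places, e.g. `pgrep -f "^$EXEC --daemon"`, so only the process started from `ARGS` is considered. That also stops the stale-pid-file branch in checkstatus from firing on an unrelated rsync whose PID is naturally absent from `$PIDFILE`.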

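--- a/rc.d/rc.tftpd
+++ b/rc.d/rc.tftpd
@@ -0,0 +1,105 @@
+#!/bin/bash
+# Version: 0.2.9
+# Copyright (c) 2005-2017:
+# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
+# Licensed under the terms of the GNU General Public License version 3.
+EXEC="/usr/sbin/in.tftpd"
+ARGS=(--listen --address=FIXME --user tftp --secure /data/tftpboot)
+PIDFILE=""
+checkconfigured() {
+# This function can be used to perform any pre-start tests; hopfully to insure the daemon
+# can start correctly, before actually trying to start it. A return value of 0 means the
+# tests were passed and the daemon should be started. Any other value prevents the
+# daemon from being started and an error message will be emitted.
+return 0
+}
+checkstatus() {
+local RUNPIDS="$(pgrep -f "$EXEC")"
+if [ ! -z "$RUNPIDS" ]; then
+echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
+if [ ! -z "$PIDFILE" ]; then
+if [ ! -e "$PIDFILE" ]; then
+echo -n ", but .pid file does not exist"
+elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
+echo -n ", but .pid file is stale"
+fi
+fi
+echo
+else
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
+return 1
+fi
+return 0
+}
+startdaemon() {
+if ! checkconfigured; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
+return 1
+elif [ ! -e "$EXEC" ]; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
+return 1
+elif [ ! -x "$EXEC" ]; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
+return 1
+fi
+"$EXEC" "${ARGS[@]}"
+return $?
+}
+stopdaemon() {
+if ! kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
+kill -TERM "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+fi
+sleep 2
+if checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
+kill -KILL "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+fi
+return 0
+}
+case "$1" in
+'start')
+if checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
+echo " Try: $BASH_SOURCE status" >&2
+ERR=1
+else
+startdaemon
+ERR=$?
+fi
+;;
+'stop')
+if ! checkstatus >/dev/null; then
+echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
+echo " Try: $BASH_SOURCE status" >&2
+ERR=1
+else
+stopdaemon
+ERR=$?
+fi
+;;
+'restart')
+if checkstatus >/dev/null; then
+stopdaemon && sleep 2 && startdaemon
+ERR=$?
+else
+startdaemon
+ERR=$?
+fi
+;;
+'status')
+checkstatus
+ERR=$?
+;;
+*)
+echo "Usage: $BASH_SOURCE <start|stop|restart|status>" >&2
+ERR=1
+;;
+esac
+return $ERR 2>/dev/null || exit $ERR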
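Review bot: `ARGS` still carries the `--address=FIXME` placeholder while checkconfigured — the hook this template provides for exactly that kind of pre-start test — returns 0 unconditionally, so `start` hands the placeholder straight to in.tftpd and the only diagnostic is whatever the daemon prints. Have the hook reject it, e.g. `[[ "${ARGS[*]}" == *FIXME* ]] && return 1` ahead of the `return 0`, so the script's own "pre-start checks failed" message fires instead. With `PIDFILE=""` the `kill -TERM "$(cat "$PIDFILE" 2>/dev/null)"` in stopdaemon always fails and stopping relies entirely on the `pgrep -f` fallback; a comment such as `# in.tftpd writes no pid file; stop is via pgrep -f` on the PIDFILE line would make that intended path explicit. The `--secure /data/tftpboot` chroot and `--user tftp` privilege drop are the right defaults for an unauthenticated TFTP listener and are worth a comment saying they are deliberate so nobody removes them while fixing the address.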