Initial configurations for Bender.

Darren 'Tadgy' Austin 2022-09-03 21:19:07 +01:00
commit 0b63587655
53 changed files with 14071 additions and 3 deletions

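--- a/etc/rc.d/.gitignore
+++ b/etc/rc.d/.gitignore
@@ -0,0 +1,5 @@
+init.d/
+rc.*
+!rc.firewall
+!rc.inet1.conf
+rc?.d/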

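--- a/etc/rc.d/rc.firewall
+++ b/etc/rc.d/rc.firewall
@@ -0,0 +1,167 @@
+#!/bin/bash
+# Version: 0.2.0
+# Copyright (c) 2022:
+# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
+# Licensed under the terms of the GNU General Public License version 3.
+# The name of the main external interface.
+EX_IF="eth0"
+# The IP ranges from where to accept unfiltered connections
+# |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
+UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
+# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
+UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
+start_firewall() {
+# Disable ICMP redirects.
+# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+# the sending host that it should forward subsequent packets to that same destination through a different gateway.
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+# Flush old rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Drop invalid packets on all interfaces.
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+# Drop unroutable IPs on the external interface.
+iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+# Allow local nets if our IP is in the same range.
+if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
+else
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+fi
+if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
+else
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+fi
+if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
+else
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+fi
+# Allow all loopback traffic.
+iptables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+# Allow unrestricted access from our IPs.
+for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
+iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
+done
+for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
+ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
+done
+# Allow packets of established connections and those related to them.
+iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Allow pings.
+iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+# Allow certain types of ICMP informational packets.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+# Allow SSH (from anywhere).
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+# Set default policies.
+iptables -P INPUT DROP
+ip6tables -P INPUT DROP
+iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
+}
+stop_firewall() {
+# Set default policies to ACCEPT.
+iptables -P INPUT ACCEPT
+ip6tables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+ip6tables -P FORWARD ACCEPT
+# Flush rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+# Reset ICMP redirects.
+cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+case "$1" in
+'start')
+start_firewall
+;;
+'stop')
+stop_firewall
+;;
+'restart')
+stop_firewall
+sleep 0.5
+start_firewall
+;;
+*)
+echo "Usage: ${BASH_SOURCE[0]} <start|stop|restart>" >&2
+exit 1
+;;
+esac
+# Unless the system is booting, restart fail2ban to re-create the ban chains.
+[[ "$PREVLEVEL" != "N" ]] && {
+[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+}
+exit 0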
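Review bot: The 172.16 test in start_firewall only matches an interface numbered 172.16.x.x, but the rule it gates covers the whole 172.16.0.0/12 block, so a host on 172.17–172.31 takes the else branch and DROPs its own local network; compare against the full range instead, `if [[ "$(ip -br a s "$EX_IF" | awk '{print $3}' | cut -d. -f1,2)" =~ ^172\.(1[6-9]|2[0-9]|3[01])$ ]]; then`. The same `ip | awk | cut` pipeline is run three times and passes the address field to awk's `printf` as the format string; reading it once into a local (`local ipv4; ipv4=$(ip -br a s "$EX_IF" | awk '{print $3}')`) and testing that is clearer, and a comment should say that only the interface's first address is ever inspected. UNFILTERED_RANGES_V4 contains the hostname afterdark.org.uk, which iptables resolves at rule-insertion time: if resolution fails (for example at boot before a resolver is reachable) the ACCEPT rule is silently absent because the loop never checks the iptables exit status, and the unfiltered trust for that entry is only as strong as the DNS answer received. On restart the policies are set to ACCEPT and the script sleeps 0.5s before any rule is re-added, leaving an unfiltered window; applying the ruleset atomically with iptables-restore/ip6tables-restore would close it.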

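--- a/etc/rc.d/rc.inet1.conf
+++ b/etc/rc.d/rc.inet1.conf
@@ -0,0 +1,240 @@
+# /etc/rc.d/rc.inet1.conf
+#
+# This file contains the configuration settings for network interfaces.
+#
+# If USE_DHCP[interface] is set to "yes", this overrides any other settings.
+# If you don't have an interface, leave the settings null ("").
+#
+# You can configure network interfaces other than eth0,eth1... by setting
+# IFNAME[interface] to the interface's name. If IFNAME[interface] is unset
+# or empty, it is assumed you're configuring eth<interface>.
+#
+# Several other parameters are available; the end of this file contains a
+# comprehensive set of examples.
+#
+# Important note for IPv6 stateless auto configuration (SLAAC) users:
+# From Slackware 15.0 onwards, you need to set USE_SLAAC[0]="yes" below.
+# =============================================================================
+# IPv4 config options for eth0:
+IPADDRS[0]="5.101.171.211/28 5.101.171.215/28 5.101.171.216/28"
+USE_DHCP[0]=""
+# IPv6 config options for eth0:
+IP6ADDRS[0]="2a01:a500:2981:1::d3/64 2a01:a500:2981:1::d7/64 2a01:a500:2981:1::d8/64"
+USE_SLAAC[0]=""
+USE_DHCP6[0]=""
+# Generic options for eth0:
+DHCP_HOSTNAME[0]=""
+# IPv4 config options for eth1:
+IPADDRS[1]=""
+USE_DHCP[1]=""
+# IPv6 config options for eth1:
+IP6ADDRS[1]=""
+USE_SLAAC[1]=""
+USE_DHCP6[1]=""
+# Generic options for eth1:
+DHCP_HOSTNAME[1]=""
+# IPv4 config options for eth2:
+IPADDRS[2]=""
+USE_DHCP[2]=""
+# IPv6 config options for eth2:
+IP6ADDRS[2]=""
+USE_SLAAC[2]=""
+USE_DHCP6[2]=""
+# Generic options for eth2:
+DHCP_HOSTNAME[2]=""
+# IPv4 config options for eth3:
+IPADDRS[3]=""
+USE_DHCP[3]=""
+# IPv6 config options for eth3:
+IP6ADDRS[3]=""
+USE_SLAAC[3]=""
+USE_DHCP6[3]=""
+# Generic options for eth3:
+DHCP_HOSTNAME[3]=""
+# IPv4 default gateway IP address:
+GATEWAY="5.101.171.209"
+# IPv6 default gateway IP address:
+GATEWAY6="2a01:a500:2981:1:ff:ff:ff:ff"
+# =============================================================================
+# Example of how to configure a bond (link aggregation) interface.
+# Note the addition of the BONDNICS and BONDMODE parameters.
+# BONDNICS is a space delimited list of interfaces to add to this bond. The
+# BONDNICS interfaces will be brought up and configured while bringing up the
+# bond interface, so do not need to be previously defined in rc.inet1.conf.
+# BONDMODE sets the bonding mode for this interface. If not specified when
+# BONDNICS has been used, the default is 'balance-rr'.
+# IFOPTS is a pipe (|) delimited list of bonding module specific settings to be
+# applied to the interface, and should always include the 'miimon' option when
+# configuring bonding - not using this option will result in network
+# degradation. In 'active-backup' mode, the 'primary' option should also be
+# supplied. When using '802.3ad' mode, set "lacp_rate fast" for faster
+# recovery from an interface failure. In other modes, the 'xmit_hash_policy'
+# should be set. See the /usr/src/linux/Documentation/networking/bonding.txt
+# file (search for "Bonding Driver Options") for the full set of options.
+#IFNAME[0]="bond0"
+#BONDNICS[0]="eth0 eth1"
+#BONDMODE[0]="balance-rr"
+#IFOPTS[0]="xmit_hash_policy layer2+3 | miimon 100"
+#IPADDRS[0]="192.168.0.1/24"
+#USE_DHCP[0]=""
+#DHCP_HOSTNAME[0]=""
+#IP6ADDRS[0]=""
+#USE_SLAAC[0]=""
+#USE_DHCP6[0]=""
+# =============================================================================
+# Example of how to configure a VLAN interface:
+# The VLAN ID is taken from the full interface name, which is comprised of the
+# underlying interface name, a period (.) and then the VLAN ID.
+# IFOPTS is a pipe (|) delimited list of VLAN module specific settings to be
+# applied to the interface. See the ip-link(8) man page (search for "VLAN Type
+# Support") for details of the options available. This option is not required
+# for a standard VLAN to be configured.
+#IFNAME[0]="eth0.10"
+#IFOPTS[0]=""
+#IPADDRS[0]="192.168.10.1/24"
+#USE_DHCP[0]=""
+#DHCP_HOSTNAME[0]=""
+#IP6ADDRS[0]=""
+#USE_SLAAC[0]=""
+#USE_DHCP6[0]=""
+# =============================================================================
+# Example of how to configure a bridge:
+# Note the added "BRNICS" variable which contains a space-separated list
+# of the physical or virtual network interfaces you want to add to the bridge.
+# IFOPTS is a pipe (|) delimited list of bridge module specific settings to be
+# applied to the interface. See the ip-link(8) man page (search for "BRIDGE
+# Type Support") for details of the options available. This option is not
+# required for a standard bridge to be configured.
+#IFNAME[0]="br0"
+#BRNICS[0]="eth0"
+#IFOPTS[0]=""
+#IPADDRS[0]="192.168.0.1/24"
+#USE_DHCP[0]=""
+#DHCP_HOSTNAME[0]=""
+# =============================================================================
+# Virtual interfaces to create - these are created before any address
+# configuration or bridge setup is done, so you may use these interfaces
+# as IFNAME or BRNICS values. These can be tun or tap interfaces:
+# adjust VIRTIFNAME and VIRTIFTYPE accordingly.
+# Starting with VIRTIFNAME[0] is mandatory, and each next one must be
+# incremented by one, so VIRTIFNAME[1], VIRTIFNAME[2], and so on.
+# Virtual tap interface example
+#VIRTIFNAME[0]="tap0"
+#VIRTIFTYPE[0]="tap"
+#VIRTIFUSER[0]="root"
+#VIRTIFGROUP[0]="root"
+# Virtual tun interface example
+#VIRTIFNAME[1]="tun0"
+#VIRTIFTYPE[1]="tun"
+#VIRTIFUSER[1]="someuser"
+#VIRTIFGROUP[1]="somegroup"
+# =============================================================================
+# Example config information for wlan0:
+# Uncomment the lines you need and fill in your data. You may not need all of
+# these for your wireless network.
+#IFNAME[4]="wlan0"
+#IPADDRS[4]=""
+#USE_DHCP[4]="yes"
+#DHCP_HOSTNAME[4]="icculus-wireless"
+#DHCP_KEEPRESOLV[4]="yes"
+#DHCP_KEEPNTP[4]="yes"
+#DHCP_KEEPGW[4]="yes"
+#DHCP_IPADDR[4]=""
+#WLAN_ESSID[4]=DARKSTAR
+#WLAN_MODE[4]=Managed
+#WLAN_RATE[4]="54M auto"
+#WLAN_CHANNEL[4]="auto"
+#WLAN_KEY[4]="D5A31F54ACF0487C2D0B1C10D2"
+#WLAN_IWPRIV[4]="set AuthMode=WPAPSK | set EncrypType=TKIP | set WPAPSK=96389dc66eaf7e6efd5b5523ae43c7925ff4df2f8b7099495192d44a774fda16"
+#WLAN_WPA[4]="wpa_supplicant"
+#WLAN_WPADRIVER[4]="wext"
+#WLAN_WPAWAIT[4]=30
+# =============================================================================
+# Some examples of additional network parameters that you can use.
+#IFNAME[4]="wlan0" # Use a different interface name instead of
+# the default 'eth4'
+#IFOPTS[4]="" # A pipe (|) delimited list of interface type
+# specific options to apply. These options
+# can be found in the ip-link(8) man page in
+# the approprite section for the interface
+# type being configured.
+#HWADDR[4]="00:01:23:45:67:89" # Overrule the card's hardware MAC address
+#MTU[4]="" # The default MTU is 1500, but you might need
+# 1360 when you use NAT'ed IPSec traffic.
+#PROMISCUOUS[4]="yes" # Set promiscuous mode on the interface.
+#DHCP_TIMEOUT[4]="15" # The default timeout for the DHCP client to
+# wait for server resonse is 15 seconds, but
+# you might want a shorter or longer wait.
+#DHCP_KEEPRESOLV[4]="yes" # If you don't want /etc/resolv.conf overwritten
+#DHCP_KEEPNTP[4]="yes" # If you don't want ntp.conf overwritten
+#DHCP_KEEPGW[4]="yes" # If you don't want the DHCP server to change
+# your default gateway
+#DHCP_IPADDR[4]="" # Request a specific IP address from the DHCP
+# server
+#DHCP_DEBUG[4]="yes" # Make dhcpcd show verbose diagnostics
+#DHCP_NOIPV4LL[4]="yes" # Do not assign an ipv4ll address when a DHCP
+# server is not found (ipv4ll link-local
+# adresses in the IP range 169.254.0.0/16 are
+# also known as "zeroconf" addresses)
+#SLAAC_TIMEOUT[4]="15" # The default timeout for auto configuration to
+# wait for the interface to come up is 15 sec.
+# Increase the timeout if required.
+#SLAAC_PRIVIPGEN[4]="yes" # When assigning addresses via SLAAC, use the
+# 'private' (RFC7217) address generation method.
+# It is advisable to also set SLAAC_SECRET[x].
+#SLAAC_SECRET[4]="xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"
+# When SLAAC_PRIVIPGEN[x]="yes" is set, this is
+# the secret to be used. This must be in the
+# form of an IPv6 address. When left unset, a
+# random secret is used (this is the default).
+#SLAAC_TEMPADDR[4]="yes" # Use a temporary address with SLAAC to enhance
+# security.
+#USE_RA[4]="yes" # Accept router advertisements even when SLAAC
+# is disabled on the interface.
+#WLAN_ESSID[4]="DARKSTAR" # An example of how you can override _any_
+# parameter defined in rc.wireless.conf, by
+# prepending 'WLAN_' to the parameter's name.
+# Useful with multiple wireless interfaces.
+#WLAN_IWPRIV[4]="set AuthMode=WPAPSK | set EncrypType=TKIP | set WPAPSK=thekey"
+# Some drivers require a private ioctl to be
+# set through the iwpriv command. If more than
+# one is required, you can place them in the
+# IWPRIV parameter (separated with the pipe (|)
+# character, see the example).
+#WLAN_WPA[4]="wpa_supplicant" # Run wpa_supplicant for WPA support
+#WLAN_WPADRIVER[4]="ndiswrapper"# Tell wpa_supplicant to specifically use the
+# ndiswrapper driver (if you leave this empty
+# the 'wext' driver is used by default)
+#WLAN_WPAWAIT[4]="30" # In case it takes long for the WPA association
+# to finish, you can increase the wait time
+# (defaults to 10 seconds)
+# =============================================================================
+# Change this to "yes" for debugging output to syslog (if available, stdout if
+# not).
+DEBUG_ETH_UP="no"
+# MAXNICS is the maximum number of interfaces that will be configured.
+# You may need to increase the MAXNICS value if you have many interfaces, or
+# you use multiple VLANs and/or bridges. The default is 6.
+#MAXNICS="6"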
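Review bot: The explanatory comments in the examples section carry three spelling errors that are worth fixing while the file is being added: "approprite" in the IFOPTS[4] comment should read `appropriate`, "resonse" in the DHCP_TIMEOUT[4] comment should read `response`, and "adresses" in the DHCP_NOIPV4LL[4] comment should read `addresses`. The live settings at the top (IPADDRS[0], IP6ADDRS[0], GATEWAY, GATEWAY6) are plain shell assignments sourced by rc.inet1 and look consistent with each other; nothing else in the section needs a change.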