-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added i3 black wallpaper and iptables script to configure the system.
- Loading branch information
Showing
2 changed files
with
137 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
# Clearing any previous configuration | ||
echo "Clearing any existing rules and setting default policy to ACCEPT." | ||
iptables -t filter -F | ||
iptables -t filter -X | ||
iptables -t nat -F | ||
iptables -t nat -X | ||
iptables -t mangle -F | ||
iptables -t mangle -X | ||
iptables -t raw -F | ||
iptables -t raw -X | ||
iptables -t security -F | ||
iptables -t security -X | ||
iptables -P INPUT ACCEPT | ||
iptables -P OUTPUT ACCEPT | ||
iptables -P FORWARD ACCEPT | ||
|
||
echo "Default policy DROP any package except for localhost and docker0" | ||
# Default policy DROP any package except forwaring (needed for Docker) | ||
iptables -P INPUT DROP | ||
iptables -P OUTPUT DROP | ||
iptables -P FORWARD ACCEPT ## Allow forwarding for Docker | ||
|
||
# Allow any connections in localhost | ||
iptables -A INPUT -i lo -j ACCEPT | ||
iptables -A OUTPUT -o lo -j ACCEPT | ||
iptables -A FORWARD -o lo -j ACCEPT | ||
# Allow any connections in docker0 | ||
iptables -A INPUT -i docker0 -j ACCEPT | ||
iptables -A OUTPUT -o docker0 -j ACCEPT | ||
iptables -A FORWARD -o docker0 -j ACCEPT | ||
|
||
echo "Setting up rules." | ||
# Allow ICMP (outbound) connection | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p icmp -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p icmp -j ACCEPT | ||
# Allow traceroute (outbound) connection | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p udp --sport 33434:33524 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 33434:33524 -j ACCEPT | ||
# Allow SSH TCP (inbound) connections [only used at work] | ||
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT | ||
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 22 -j ACCEPT | ||
# Allow SSH TCP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 22 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT | ||
# Allow DNS TCP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 53 -j ACCEPT | ||
# Allow DNS UDP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p udp --sport 53 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 53 -j ACCEPT | ||
# Allow DHCP UDP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p udp --sport 67:68 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 67:68 -j ACCEPT | ||
# Allow HTTP TCP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 80 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -j ACCEPT | ||
# Allow NTP UDP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p udp --sport 123 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 123 -j ACCEPT | ||
# Allow HTTPS TCP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 443 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 443 -j ACCEPT | ||
# Allow VPN UDP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p udp --sport 500 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 500 -j ACCEPT | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p udp --sport 4500 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 4500 -j ACCEPT | ||
# Allow PROXY 8080 TCP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 8080 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 8080 -j ACCEPT | ||
# Allow GIT TCP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 9418 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 9418 -j ACCEPT | ||
# Allow GIT remote on 29418 (outbound) connections [only used at work] | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 29418 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 29418 -j ACCEPT | ||
# Allow DROPBOX UDP (outbound) connections | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p udp --sport 17500 -j ACCEPT | ||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 17500 -j ACCEPT | ||
# Allow DROPBOX UDP (inbound) connections | ||
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 17500 -j ACCEPT | ||
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -p udp --sport 17500 -j ACCEPT | ||
|
||
echo "Setting up drop rules to avoid fludding the logs" | ||
# Drop uPnP (inbound). It's mainly used to discover devices (i.e. Chromecast) | ||
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 1900 -j DROP | ||
|
||
#LOGGING | ||
# See https://linux.die.net/man/8/iptables | ||
# and https://serverfault.com/a/213285 | ||
# --limit The number of packets to let through per unit of time, | ||
# default is 3/hour. For instance 2/m will allow just 2 | ||
# packages per minute. | ||
# | ||
#Level name Description | ||
# 0 emerg or panic Something is incredibly wrong; the system is probably about to crash | ||
# 1 alert Immediate attention is required | ||
# 2 crit Critical hardware or software failure | ||
# 3 error Usually used for reporting of hardware problems by drivers | ||
# 4 warning Something isn't right, but the problem is not serious | ||
# 5 notice No problems; indicates an advisory of some sort. | ||
# 6 info General information | ||
# 7 debug Deguging | ||
# | ||
# --log-uid Log the userid of the process which generated the packet. | ||
# | ||
echo "Enabling logging (/var/log/messages)." | ||
iptables -N LOGGING | ||
iptables -A INPUT -j LOGGING | ||
iptables -A OUTPUT -j LOGGING | ||
iptables -A LOGGING -m limit --limit 2/min -j LOG \ | ||
--log-level 6 \ | ||
--log-prefix "iptables logging: " \ | ||
--log-tcp-options \ | ||
--log-ip-options \ | ||
--log-uid | ||
iptables -A LOGGING -j DROP | ||
|
||
# Understanding iptables logging: | ||
# Example 1: | ||
# ========== | ||
# Jan 18 15:27:22 hodei-hp kernel: [ 5316.768782] iptables logging: IN=wlp1s0 OUT= | ||
# MAC=f8:34:41:67:ef:26:8c:59:73:84:5d:ec:08:00 SRC=192.168.1.1 DST=192.168.1.6 | ||
# LEN=28 TOS=0x00 PREC=0x00 TTL=255 ID=36156 PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0 | ||
# | ||
# Explanation: A package has been received (IN) at interface wlp1s0 and it was | ||
# sent by 192.168.1.1 (router) to 192.168.1.6 (my laptop) | ||
# | ||
# Example 2: | ||
# ========== | ||
# Jan 18 15:37:42 hodei-hp kernel: [ 5936.724263] iptables logging: IN= OUT=wlp1s0 | ||
# SRC=192.168.1.6 DST=162.125.64.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6044 DF | ||
# PROTO=TCP SPT=59218 DPT=443 WINDOW=491 RES=0x00 ACK RST URGP=0 | ||
# | ||
# Explanation: A package has been sent (OUT) using interface wlp1s0 and it was | ||
# sent by 192.168.1.6 (my laptop) to 162.125.64.3 (apparently to | ||
# Dropbox) |