Date: Mon, 13 Aug 2012 13:59:52 +0400
From: gremlin@...mlin.ru
To: owl-dev@...ts.openwall.com
Subject: owl-startup and non-trivial network configuration

The attachment contains an obvious modification of the networking
configuration script, which allows configuring the network
subsystem in all and any possible ways.

This also solves the problem with Ethernet devices suddenly
becoming "blackholes" after being configured using ifconfig.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
<gremlin  gremlin  ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8

diff -ruN owl-startup.orig/etc/init.d/network owl-startup/etc/init.d/network
--- owl-startup.orig/etc/init.d/network	2012-05-07 01:38:20 +0400
+++ owl-startup/etc/init.d/network	2012-08-13 13:13:13 +0400
@@ -10,6 +10,10 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 
+if [ -x /etc/rc.d/rc.network ]; then
+    exec /etc/rc.d/rc.network $*
+fi
+
 if [ ! -f /etc/sysconfig/network ]; then
     exit 0
 fi
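Review bot: `exec /etc/rc.d/rc.network $*` hands every action to the new script, but rc.network only acts on `start` and exits silently otherwise, so once the file is executable `network stop` and `network restart` never reach the rest of this init script below the `/etc/sysconfig/network` check. Either exec rc.network only for the start case and fall through for the others, or have rc.network handle stop itself. Also quote the arguments as `"$@"`; unquoted `$*` is re-split on whitespace.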
diff -ruN owl-startup.orig/etc/rc.d/rc.network owl-startup/etc/rc.d/rc.network
--- owl-startup.orig/etc/rc.d/rc.network	1970-01-01 03:00:00 +0300
+++ owl-startup/etc/rc.d/rc.network	2012-08-13 13:48:48 +0400
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+test "$1" = "start" || exit
+
+#ip link set dev eth0 up
+#vconfig add eth0 10
+#ip link set dev eth0.10 up
+#brctl addbr br0
+#brctl addif br0 eth0.10
+#ip link set dev br0 up
+#ip address add 10.20.30.40/24 dev br0
+#ip route add default via 10.20.30.1
+
+test -x /etc/rc.d/rc.firewall && /etc/rc.d/rc.firewall
+
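Review bot: `test "$1" = "start" || exit` returns status 0 for every other action, and since /etc/init.d/network execs this script, `stop`, `restart` and `status` all report success while doing nothing; return non-zero or implement stop. Every configuration line is commented out, and `diff -ruN` output carries no file mode, so whether a freshly installed, unedited rc.network is executable (and therefore silently replaces the sysconfig-based setup with no interface at all) is left to packaging; shipping it non-executable or guarding on a real configuration would be safer. The trailing empty `+` line is stray whitespace.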
diff -ruN owl-startup.orig/etc/rc.d/rc.firewall owl-startup/etc/rc.d/rc.firewall
--- owl-startup.orig/etc/rc.d/rc.firewall	1970-01-01 03:00:00 +0300
+++ owl-startup/etc/rc.d/rc.firewall	2012-08-13 13:50:50 +0400
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+iptables -t raw -F
+iptables -t raw -X
+iptables -t filter -F
+iptables -t filter -X
+iptables -t nat -F
+iptables -t nat -X
+
+iptables -t filter -P INPUT ACCEPT
+iptables -t filter -P OUTPUT ACCEPT
+iptables -t filter -P FORWARD DROP
+
+iptables -t filter -A FORWARD -i venet0 -j ACCEPT
+iptables -t filter -A FORWARD -o venet0 -j ACCEPT
+iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Protect SSH against password bruteforcing
+iptables -t filter -A INPUT -p tcp --syn --dport 22 -m recent \
+ --update --seconds 60 --hitcount 5 -j REJECT --reject-with tcp-reset
+iptables -t filter -A INPUT -p tcp --syn --dport 22 -m recent --set
+
+# Simple NAT example for generic LAN
+#iptables -t filter -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
+#iptables -t nat -A POSTROUTING -o ppp0 -m state --state NEW -j MASQUERADE
+
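Review bot: the `-i venet0 -j ACCEPT` and `-o venet0 -j ACCEPT` rules precede the `ESTABLISHED,RELATED` rule, so every forwarded packet entering or leaving venet0 is accepted regardless of connection state and the state rule only ever applies to other interfaces; if that is the intended OpenVZ behaviour a comment should say so, and a generic startup script should not hard-code venet0 without checking that the interface exists. The flush at the top clears raw, filter and nat but not mangle, so rules left there by a previous run survive; add the matching `iptables -t mangle -F` and `-X` for symmetry. The ordering of the SSH limiter (`--update --hitcount 5` before `--set`) is correct as written.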

