commit
70fcc53036
Se han modificado 5 ficheros con 108 adiciones y 0 borrados
+ 0
- 0
README.md
Ver fichero
+ 16
- 0
install.sh
Ver fichero
| @@ -0,0 +1,16 @@ | |||
| #!/bin/sh | |||
| apt-get install \ | |||
| build-essential \ | |||
| linux-headers-amd64 \ | |||
| iptables-persistent \ | |||
| gdm3 \ | |||
| vlc \ | |||
| firefox-esr \ | |||
| transmission \ | |||
| enlightenment \ | |||
| redsocks \ | |||
| tor \ | |||
| cd static && find . | cpio -pdmv / | |||
+ 66
- 0
static/etc/iptables/rules.v4
Ver fichero
| @@ -0,0 +1,66 @@ | |||
| *nat | |||
| :PREROUTING ACCEPT [0:0] | |||
| :POSTROUTING ACCEPT [0:0] | |||
| :OUTPUT ACCEPT [0:0] | |||
| # Redirect any tcp that is not: | |||
| # - tor client itself | |||
| # - localhost traffic | |||
| # - redsocks traffic to tor socks | |||
| -A OUTPUT -m owner --uid-owner debian-tor -j RETURN | |||
| -A OUTPUT -d 127.0.0.0/8 -j RETURN | |||
| -A OUTPUT -m owner --uid-owner redsocks -p tcp -m tcp --dport 9040 -j RETURN | |||
| -A OUTPUT ! -p tcp -j RETURN | |||
| # redirect | |||
| -A OUTPUT -p tcp -j MARK --set-mark 0x888 | |||
| -A OUTPUT -p tcp -j REDIRECT --to-port 9040 | |||
| COMMIT | |||
| *filter | |||
| :INPUT ACCEPT [0:0] | |||
| :FORWARD ACCEPT [0:0] | |||
| :OUTPUT ACCEPT [0:0] | |||
| -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
| -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
| -A INPUT -i lo -j ACCEPT | |||
| -A FORWARD -j DROP | |||
| -A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127 | |||
| -A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127 | |||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777 | |||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777 | |||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777 | |||
| # tor can go out | |||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777 | |||
| # ntp can go out, required for tor | |||
| -A OUTPUT -m mark --mark 0x0 -p udp -m udp --sport 123 --dport 123 -j MARK --set-mark 0x777 | |||
| # any other udp will be dropped | |||
| -A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666 | |||
| # any other tcp will be redsock'ed | |||
| -A OUTPUT -m mark --mark 0x0 -p tcp -j MARK --set-mark 0x888 | |||
| #-A OUTPUT -m mark --mark 0x666 -j LOG --log-prefix "0x666: " | |||
| -A OUTPUT -m mark --mark 0x666 -j DROP | |||
| #-A OUTPUT -m mark --mark 0x777 -j LOG --log-prefix "0x777: " | |||
| -A OUTPUT -m mark --mark 0x777 -j ACCEPT | |||
| #-A OUTPUT -m mark --mark 0x888 -j LOG --log-prefix "0x888: " | |||
| -A OUTPUT -m mark --mark 0x888 -j ACCEPT | |||
| #-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: " | |||
| -A OUTPUT -m mark --mark 0x127 -j ACCEPT | |||
| #-A OUTPUT -j LOG --log-prefix "DROP: " | |||
| -A OUTPUT -j DROP | |||
| COMMIT | |||
+ 10
- 0
static/etc/iptables/rules.v6
Ver fichero
| @@ -0,0 +1,10 @@ | |||
| *filter | |||
| :INPUT ACCEPT [0:0] | |||
| :FORWARD ACCEPT [0:0] | |||
| :OUTPUT ACCEPT [0:0] | |||
| -A INPUT -j DROP | |||
| -A FORWARD -j DROP | |||
| -A OUTPUT -j DROP | |||
| COMMIT | |||
+ 16
- 0
static/usr/local/bin/cleanup.sh
Ver fichero
| @@ -0,0 +1,16 @@ | |||
| #!/bin/bash | |||
| systemctl stop rsyslog | |||
| find /var/log -type f -print -delete | |||
| #find /home/user -mindepth 1 -depth -print -delete | |||
| find /root -mindepth 1 -depth -print -delete | |||
| for user in /root /home/user | |||
| do | |||
| FILE=${user}/.bash_history | |||
| echo "rm/ln/dev-null ${FILE}" | |||
| rm -f ${FILE} | |||
| ln -s /dev/null ${FILE} | |||
| done | |||
Cargando…