commit
70fcc53036
5 changed files with 108 additions and 0 deletions
+ 0
- 0
README.md
View File
+ 16
- 0
install.sh
View File
| #!/bin/sh | |||||
| apt-get install \ | |||||
| build-essential \ | |||||
| linux-headers-amd64 \ | |||||
| iptables-persistent \ | |||||
| gdm3 \ | |||||
| vlc \ | |||||
| firefox-esr \ | |||||
| transmission \ | |||||
| enlightenment \ | |||||
| redsocks \ | |||||
| tor \ | |||||
| cd static && find . | cpio -pdmv / |
+ 66
- 0
static/etc/iptables/rules.v4
View File
| *nat | |||||
| :PREROUTING ACCEPT [0:0] | |||||
| :POSTROUTING ACCEPT [0:0] | |||||
| :OUTPUT ACCEPT [0:0] | |||||
| # Redirect any tcp that is not: | |||||
| # - tor client itself | |||||
| # - localhost traffic | |||||
| # - redsocks traffic to tor socks | |||||
| -A OUTPUT -m owner --uid-owner debian-tor -j RETURN | |||||
| -A OUTPUT -d 127.0.0.0/8 -j RETURN | |||||
| -A OUTPUT -m owner --uid-owner redsocks -p tcp -m tcp --dport 9040 -j RETURN | |||||
| -A OUTPUT ! -p tcp -j RETURN | |||||
| # redirect | |||||
| -A OUTPUT -p tcp -j MARK --set-mark 0x888 | |||||
| -A OUTPUT -p tcp -j REDIRECT --to-port 9040 | |||||
| COMMIT | |||||
| *filter | |||||
| :INPUT ACCEPT [0:0] | |||||
| :FORWARD ACCEPT [0:0] | |||||
| :OUTPUT ACCEPT [0:0] | |||||
| -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | |||||
| -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT | |||||
| -A INPUT -i lo -j ACCEPT | |||||
| -A FORWARD -j DROP | |||||
| -A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127 | |||||
| -A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127 | |||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777 | |||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777 | |||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777 | |||||
| # tor can go out | |||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777 | |||||
| # ntp can go out, required for tor | |||||
| -A OUTPUT -m mark --mark 0x0 -p udp -m udp --sport 123 --dport 123 -j MARK --set-mark 0x777 | |||||
| # any other udp will be dropped | |||||
| -A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666 | |||||
| # any other tcp will be redsock'ed | |||||
| -A OUTPUT -m mark --mark 0x0 -p tcp -j MARK --set-mark 0x888 | |||||
| #-A OUTPUT -m mark --mark 0x666 -j LOG --log-prefix "0x666: " | |||||
| -A OUTPUT -m mark --mark 0x666 -j DROP | |||||
| #-A OUTPUT -m mark --mark 0x777 -j LOG --log-prefix "0x777: " | |||||
| -A OUTPUT -m mark --mark 0x777 -j ACCEPT | |||||
| #-A OUTPUT -m mark --mark 0x888 -j LOG --log-prefix "0x888: " | |||||
| -A OUTPUT -m mark --mark 0x888 -j ACCEPT | |||||
| #-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: " | |||||
| -A OUTPUT -m mark --mark 0x127 -j ACCEPT | |||||
| #-A OUTPUT -j LOG --log-prefix "DROP: " | |||||
| -A OUTPUT -j DROP | |||||
| COMMIT |
+ 10
- 0
static/etc/iptables/rules.v6
View File
| *filter | |||||
| :INPUT ACCEPT [0:0] | |||||
| :FORWARD ACCEPT [0:0] | |||||
| :OUTPUT ACCEPT [0:0] | |||||
| -A INPUT -j DROP | |||||
| -A FORWARD -j DROP | |||||
| -A OUTPUT -j DROP | |||||
| COMMIT |
+ 16
- 0
static/usr/local/bin/cleanup.sh
View File
| #!/bin/bash | |||||
| systemctl stop rsyslog | |||||
| find /var/log -type f -print -delete | |||||
| #find /home/user -mindepth 1 -depth -print -delete | |||||
| find /root -mindepth 1 -depth -print -delete | |||||
| for user in /root /home/user | |||||
| do | |||||
| FILE=${user}/.bash_history | |||||
| echo "rm/ln/dev-null ${FILE}" | |||||
| rm -f ${FILE} | |||||
| ln -s /dev/null ${FILE} | |||||
| done |
Loading…