
updated iptables rules and improvements in install script

master
Pascal Gloor 5 years ago
parent
commit
c2a8006a06
2 changed files with 39 additions and 15 deletions
  1. 22
    10
      install.sh
  2. 17
    5
      static/etc/iptables/rules.v4

+ 22
- 10
install.sh View File

@@ -1,6 +1,7 @@
#!/bin/sh

apt-get -y install \
echo "Installing required packages"
for i in `apt-get -y install \
build-essential \
linux-headers-amd64 \
iptables-persistent \
@@ -13,17 +14,32 @@ apt-get -y install \
tor \
rsync \
unbound \
vim-tiny
vim-tiny`
do
echo -n .
done
echo " Done"


apt-get -y remove --purge nano
echo "Removing unused packages"
for i in `apt-get -y remove --purge nano`; do echo -n "."; done
echo " Done"


mount /dev/cdrom /mnt && cd /mnt && ./VBoxLinuxAdditions.run
echo "Mounting VirtualBox VM guest additions CD..."
mount /dev/cdrom /mnt
echo "Compiling VM additions..."
for i in `cd /mnt && ./VBoxLinuxAdditions.run`; do echo -n "."; done
echo " Done"

echo "Unmounting CD..."
cd -
umount /mnt

echo "Copying static configs"
cd static && rsync -av . /

echo "Disabling IPv6"
echo net.ipv6.conf.all.disable_ipv6=1 >> /etc/sysctl.conf
echo net.ipv6.conf.default.disable_ipv6=1 >> /etc/sysctl.conf

@@ -34,7 +50,7 @@ do
chown -R ${INSTUSER}:${INSTUSER} /home/${INSTUSER}/
echo "Disable bash_history for user ${INSTUSER}"
rm -f /home/${INSTUSER}/.bash_history
ln -s /dev/null /home/{$INSTUSER}/.bash_history
ln -s /dev/null /home/${INSTUSER}/.bash_history
done

echo "Disable bash_history for root"
@@ -48,8 +64,4 @@ echo "Cleaning syslog"
/etc/init.d/rsyslog stop
find /var/log -type f -print0 | xargs -0 rm

echo "Time to reboot, setup will not work until you reboot"
echo -n "Setup complete, press [Enter] to reboot (CTRL+C to reboot later)"
read

reboot
echo "Setup complete, please reboot to make it active"
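Review bot: The new `for i in \`apt-get -y install ...\`; do echo -n .; done` loops (second hunk, also used for `apt-get -y remove --purge nano` and `./VBoxLinuxAdditions.run`) discard the exit status of the command inside the backticks, so a failed package install or a failed guest-additions build prints " Done" and the script carries on under `#!/bin/sh` with no `set -e`; a later step such as `cd static && rsync -av . /` or the iptables-persistent setup would then run on an incomplete system. Consider `apt-get -y install ... >/dev/null 2>&1 || { echo "apt-get install failed" >&2; exit 1; }` (and the same for the remove and VBox steps) instead of word-splitting the output for a progress indicator. Relatedly, the `cd /mnt` inside the backticks runs in a subshell, so the parent shell's directory never changed and the following `cd -` goes to whatever `$OLDPWD` holds (possibly inherited from the caller) rather than "back" — presumably not what was intended, and it may leave the script outside the repo when `cd static` runs; `umount /mnt` alone, with no `cd -`, seems safer. The enclosing script continues past the hunk.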

+ 17
- 5
static/etc/iptables/rules.v4 View File

@@ -23,25 +23,37 @@ COMMIT
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# allow inbound established or related traffic
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow any traffic on loopback
-A INPUT -i lo -j ACCEPT

# log and drop anything else
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP

-A FORWARD -j DROP

# mark 0x127 - permitted local traffic
# mark 0x666 - denied traffic
# mark 0x777 - permitted traffic outside TOR (TOR itself)
# mark 0x888 - permitted TCP traffic inside TOR (over redsocks)

# mark 0x127 traffic to lo or localhost ip range
-A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127
-A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127

# mark DHCP
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 172.16.0.0/12 -j MARK --set-mark 0x777

# tor can go out
# mark tor client traffic
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777

# ntp can go out, required for tor
-A OUTPUT -m mark --mark 0x0 -p udp -m udp --sport 123 --dport 123 -j MARK --set-mark 0x777

# any other udp will be dropped
-A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666

@@ -60,7 +72,7 @@ COMMIT
#-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: "
-A OUTPUT -m mark --mark 0x127 -j ACCEPT

#-A OUTPUT -j LOG --log-prefix "DROP: "
-A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "
-A OUTPUT -j DROP

COMMIT
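Review bot: The NTP rule `-A OUTPUT -m mark --mark 0x0 -p udp -m udp --sport 123 --dport 123 -j MARK --set-mark 0x777` (first hunk) marks clear-net UDP 123→123 as permitted for any process and any destination, whereas the DHCP rules added just above it are scoped with `-m owner --uid-owner root` and explicit destination ranges; since sport 123 is a privileged port this is reachable only by root-level processes, but it is still an unlogged path outside Tor with no owner or destination constraint. If the time daemon runs under a dedicated account, scoping the rule to it, e.g. `-m owner --uid-owner <NTP_USER>` (placeholder, use the daemon's actual account), would keep it consistent with the DHCP rules and narrow the bypass. It would also help to extend the new mark legend comment with a line stating that marks are only set on `--mark 0x0` packets, so later rules do not override an earlier classification — that ordering dependency is what makes the rule sequence correct.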
