2 changed files with 39 additions and 15 deletions
+ 22
- 10
install.sh
View File
| #!/bin/sh | #!/bin/sh | ||||
| apt-get -y install \ | |||||
| echo "Installing required packages" | |||||
| for i in `apt-get -y install \ | |||||
| build-essential \ | build-essential \ | ||||
| linux-headers-amd64 \ | linux-headers-amd64 \ | ||||
| iptables-persistent \ | iptables-persistent \ | ||||
| tor \ | tor \ | ||||
| rsync \ | rsync \ | ||||
| unbound \ | unbound \ | ||||
| vim-tiny | |||||
| vim-tiny` | |||||
| do | |||||
| echo -n . | |||||
| done | |||||
| echo " Done" | |||||
| apt-get -y remove --purge nano | |||||
| echo "Removing unused packages" | |||||
| for i in `apt-get -y remove --purge nano`; do echo -n "."; done | |||||
| echo " Done" | |||||
| mount /dev/cdrom /mnt && cd /mnt && ./VBoxLinuxAdditions.run | |||||
| echo "Mounting VirtualBox VM guest additions CD..." | |||||
| mount /dev/cdrom /mnt | |||||
| echo "Compiling VM additions..." | |||||
| for i in `cd /mnt && ./VBoxLinuxAdditions.run`; do echo -n "."; done | |||||
| echo " Done" | |||||
| echo "Unmounting CD..." | |||||
| cd - | cd - | ||||
| umount /mnt | umount /mnt | ||||
| echo "Copying static configs" | |||||
| cd static && rsync -av . / | cd static && rsync -av . / | ||||
| echo "Disabling IPv6" | |||||
| echo net.ipv6.conf.all.disable_ipv6=1 >> /etc/sysctl.conf | echo net.ipv6.conf.all.disable_ipv6=1 >> /etc/sysctl.conf | ||||
| echo net.ipv6.conf.default.disable_ipv6=1 >> /etc/sysctl.conf | echo net.ipv6.conf.default.disable_ipv6=1 >> /etc/sysctl.conf | ||||
| chown -R ${INSTUSER}:${INSTUSER} /home/${INSTUSER}/ | chown -R ${INSTUSER}:${INSTUSER} /home/${INSTUSER}/ | ||||
| echo "Disable bash_history for user ${INSTUSER}" | echo "Disable bash_history for user ${INSTUSER}" | ||||
| rm -f /home/${INSTUSER}/.bash_history | rm -f /home/${INSTUSER}/.bash_history | ||||
| ln -s /dev/null /home/{$INSTUSER}/.bash_history | |||||
| ln -s /dev/null /home/${INSTUSER}/.bash_history | |||||
| done | done | ||||
| echo "Disable bash_history for root" | echo "Disable bash_history for root" | ||||
| /etc/init.d/rsyslog stop | /etc/init.d/rsyslog stop | ||||
| find /var/log -type f -print0 | xargs -0 rm | find /var/log -type f -print0 | xargs -0 rm | ||||
| echo "Time to reboot, setup will not work until you reboot" | |||||
| echo -n "Setup complete, press [Enter] to reboot (CTRL+C to reboot later)" | |||||
| read | |||||
| reboot | |||||
| echo "Setup complete, please reboot to make it active" |
+ 17
- 5
static/etc/iptables/rules.v4
View File
| :FORWARD ACCEPT [0:0] | :FORWARD ACCEPT [0:0] | ||||
| :OUTPUT ACCEPT [0:0] | :OUTPUT ACCEPT [0:0] | ||||
| # allow inbound established or related traffic | |||||
| -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | ||||
| -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT | -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT | ||||
| # allow any traffic on loopback | |||||
| -A INPUT -i lo -j ACCEPT | -A INPUT -i lo -j ACCEPT | ||||
| # log and drop anything else | |||||
| -A INPUT -j LOG --log-prefix "INPUT-DROP: " | |||||
| -A INPUT -j DROP | |||||
| -A FORWARD -j DROP | -A FORWARD -j DROP | ||||
| # mark 0x127 - permitted local traffic | |||||
| # mark 0x666 - denied traffic | |||||
| # mark 0x777 - permitted traffic outside TOR (TOR itself) | |||||
| # mark 0x888 - permitted TCP traffic inside TOR (over redsocks) | |||||
| # mark 0x127 traffic to lo or localhost ip range | |||||
| -A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127 | -A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127 | ||||
| -A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127 | -A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127 | ||||
| # mark DHCP | |||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777 | -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777 | ||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777 | -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777 | ||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777 | -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777 | ||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 172.16.0.0/12 -j MARK --set-mark 0x777 | |||||
| # tor can go out | |||||
| # mark tor client traffic | |||||
| -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777 | -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777 | ||||
| # ntp can go out, required for tor | |||||
| -A OUTPUT -m mark --mark 0x0 -p udp -m udp --sport 123 --dport 123 -j MARK --set-mark 0x777 | |||||
| # any other udp will be dropped | # any other udp will be dropped | ||||
| -A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666 | -A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666 | ||||
| #-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: " | #-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: " | ||||
| -A OUTPUT -m mark --mark 0x127 -j ACCEPT | -A OUTPUT -m mark --mark 0x127 -j ACCEPT | ||||
| #-A OUTPUT -j LOG --log-prefix "DROP: " | |||||
| -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: " | |||||
| -A OUTPUT -j DROP | -A OUTPUT -j DROP | ||||
| COMMIT | COMMIT |
Loading…