====== raspbian for RaspberryPi with sixxs tunnel and print server ======
Copy the Raspbian image to the SD card: http://www.raspberrypi.org/downloads
===== Network =====
/etc/network/interfaces
auto lo
iface lo inet loopback
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.1.11
netmask 255.255.255.0
gateway 192.168.1.1
iface eth0 inet6 static
address 2001:4978:215::3
netmask 64
gateway 2001:4978:f:2dd::1
===== other possibilities =====
ip addr add 2001:4978:215::3/64 dev eth0
route add default gw 2001:4978:f:2dd::1
===== ipv6 =====
Note: aiccu is probably already available as a package in the Raspbian distribution.
==== Compile aiccu ====
wget http://www.sixxs.net/archive/sixxs/aiccu/unix/aiccu_current.tar.gz
mkdir aiccu
mv aiccu_current.tar.gz aiccu
cd aiccu/
tar xf aiccu_current.tar.gz
cd aiccu
apt-get install gnutls-bin
apt-get install libgnutls-dev
27 make
Add the following file:
root@raspberrypi:/usr/local/bin/firewall# cat /etc/aiccu.conf
# AICCU Configuration
# NOTE(review): the SixXS account name and password are stored here in
# cleartext, and the superseded password is still present as a comment.
# Keep this file readable by root only (mode 0600); since its contents have
# been reproduced on a wiki page, change the password on the account and
# drop the commented-out old one rather than leaving it in the file.
# Login information (defaults: none)
#username
username SEO2-SIXXS
#password
#password EpY2t8V7
password 7V8t2YpE
# Protocol and server to use for setting up the tunnel (defaults: none)
#protocol
protocol tic
#server
server tic.sixxs.net
# Interface names to use (default: aiccu)
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
# "sixxs" is the name the firewall scripts (fw6_server) use as WAN_IFACE,
# so the two must stay in sync.
ipv6_interface sixxs
# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T20251
# Be verbose? (default: false)
#verbose false
verbose true
# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
#
# WARNING: never run AICCU from DaemonTools or a similar automated
# 'restart' tool/script. When AICCU does not start, it has a reason
# not to start which it gives on either the stdout or in the (sys)log
# file. The TIC server *will* automatically disable accounts which
# are detected to run in this mode.
#
daemonize true
# Automatic Login and Tunnel activation?
automatic true
# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is build with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
# NOTE(review): with requiretls false the login above may be sent without
# TLS if the server's starttls is unavailable; set it to true if the client
# is built with TLS support, so the credentials never cross the wire in clear.
requiretls false
# PID File
#pidfile /var/run/aiccu.pid
# Add a default route (default: true)
#defaultroute true
# Script to run after setting up the interfaces (default: none)
#setupscript /usr/local/etc/aiccu-subnets.sh
# Make heartbeats (default true)
# In general you don't want to turn this off
# Of course only applies to AYIYA and heartbeat tunnels not to static ones
#makebeats true
# Don't configure anything (default: false)
#noconfigure true
# Behind NAT (default: false)
# Notify the user that a NAT-kind network is detected
#behindnat true
# Local IPv4 Override (default: none)
# Overrides the IPv4 parameter received from TIC
# This allows one to configure a NAT into "DMZ" mode and then
# forwarding the proto-41 packets to an internal host.
#
# This is only needed for static proto-41 tunnels!
# AYIYA and heartbeat tunnels don't require this.
#local_ipv4_override
=== autostart aiccu ===
Create the following file:
root@raspberrypi:~# cat > /etc/default/aiccu
BACKGROUND="true"
OPTIONS=""
Set startup services
# update-rc.d -f aiccu remove
# update-rc.d aiccu start 29 2 3 4 5 .
# update-rc.d aiccu stop 29 0 1 6 .
==== Install radvd ====
=== enable ipv6 ===
modprobe ipv6
lsmod |grep -w 'ipv6' && echo "ipv6 loaded"
apt-get install vim
vim /etc/modprobe.d/ipv6.conf
root@raspberrypi:/etc/rc2.d# cat /etc/modprobe.d/ipv6.conf
## Don't load ipv6 automatically by default
alias net-pf-10 off
#alias ipv6 off
The alias net-pf-10 prevents automatic loading of the ipv6 module; loading it is handled by /etc/modules instead:
root@raspberrypi:~# cat /etc/modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.
snd-bcm2835
ipv6
reboot
=== radvd ===
apt-get install radvd
cat > /etc/radvd.conf
root@raspberrypi:/usr/local/bin/firewall# cat /etc/radvd.conf
interface eth0
{
AdvSendAdvert on;
prefix 2001:4978:215::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
route ::/0
{
};
};
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
reboot
sysctl -w net.ipv6.conf.all.forwarding=1
/etc/init.d/radvd start
/etc/init.d/radvd status
/etc/init.d/radvd stop
=== Autostart radvd ===
# update-rc.d radvd start 29 2 3 4 5 .
# update-rc.d radvd stop 29 0 1 6 .
===== Print server =====
==== installations ====
108 apt-get install samba
109 apt-get install cups
110 apt-get update
111 apt-get upgrade
112 apt-get install cups --fix-missing
==== cups setup ====
115 cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.org
116 vim /etc/cups/cupsd.conf
root@raspberrypi:/etc/init.d# cat /etc/cups/cupsd.conf
#
# NOTE(review): in this transcript the Order/Allow/Require stanzas below
# appear without the <Location ...>, <Policy ...> and <Limit ...> lines that
# enclose them in a real cupsd.conf (the wiki seems to have dropped the
# angle-bracket lines), so only the comments hint at which section each
# stanza belongs to.  Re-add the section wrappers from the distribution's
# cupsd.conf before using this as a drop-in file.
#
# Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0
# Administrator user group...
SystemGroup lpadmin
# Bind port 631 on all addresses, not only localhost, so LAN clients can
# print; the Allow lines further down are what restrict who may connect.
# NOTE(review): "Allow 192.168.1.*" matches IPv4 clients only, and this host
# also carries a global IPv6 address on eth0, so reachability of port 631
# over IPv6 is governed by the host firewall (fw6_server) rather than by
# this file — confirm that is the intent.
Listen *:631
# Only listen for connections from the local machine.
#Listen localhost:631
#the following is commented out in independence:
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd
#independence:BrowseAllow @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Web interface setting...
WebInterface Yes
# Restrict access to the server...
Order allow,deny
#these two are on independence:
Allow localhost
Allow 192.168.1.*
# Restrict access to the admin pages...
Order allow,deny
#these three are on independence:
Encryption Required
Allow localhost
Allow 192.168.1.*
# Restrict access to configuration files...
#independence:AuthType Basic
AuthType Default
Require user @SYSTEM
Order allow,deny
#these two are on independence:
Allow localhost
Allow 192.168.1.*
# Set the default printer/job policies...
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
Order deny,allow
Allow 192.168.1.*
Require user @OWNER @SYSTEM
Order deny,allow
Allow 192.168.1.*
# All administration operations require an administrator to authenticate...
# AuthType Default
# Require user @SYSTEM
# NOTE(review): with AuthType and Require commented out, this stanza (the
# administration limit, going by the comment above) no longer asks for
# authentication; access is then bounded only by the Allow line below —
# check that this is deliberate for the default policy.
Order deny,allow
Allow 192.168.1.*
#the following limit section is not on independence, but is combined with the above section
# All printer operations require a printer operator to authenticate...
# AuthType Default
# Require user @SYSTEM
Order deny,allow
Allow 192.168.1.*
# Only the owner or an administrator can cancel or authenticate a job...
#the following is commented on independence:
# Require user @OWNER @SYSTEM
Order deny,allow
#on independence
Allow 192.168.1.*
Order deny,allow
#the following are not on independence:
# Set the authenticated printer/job policies...
# (unlike the default policy above, every stanza here keeps its
# AuthType/Require lines, so this is the one that enforces logins)
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
AuthType Default
Order deny,allow
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
# All administration operations require an administrator to authenticate...
AuthType Default
Require user @SYSTEM
Order deny,allow
# All printer operations require a printer operator to authenticate...
AuthType Default
Require user @SYSTEM
Order deny,allow
# Only the owner or an administrator can cancel or authenticate a job...
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Order deny,allow
#
#
==== samba configuration ====
123 cp -a /etc/samba/smb.conf /etc/samba/smb.conf.org
124 cat > /etc/samba/smb.conf
root@raspberrypi:/etc/init.d# cat /etc/samba/smb.conf
# Global parameters
# NOTE(review): "security = share" is the legacy share-level mode
# (deprecated in Samba 3.6 and removed in 4.0), and with [homes] writable
# ("read only = No") the only hard limit on who may write into home
# directories is the "hosts allow" line; verify how the installed Samba
# version maps share-level clients to accounts before relying on this.
[global]
workgroup = MYZOO
server string = IndianZoo Samba Server
log file = /var/log/samba/%m.log
max log size = 50
# Samba's own spooler RPC is off and the "add printer" wizard hidden:
# printing is delegated to CUPS (printcap name / printing below).
disable spoolss = Yes
show add printer wizard = No
# Source filter: only the 192.168.1.0/24 LAN and loopback may connect
# (a trailing dot means "network prefix" in this list).
hosts allow = 192.168.1., 127.
printcap name = cups
printing = cups
load printers = yes
security = share
[homes]
comment = Home Directories
read only = No
browseable = Yes
[printers]
comment = All printers
path = /var/spool/samba
# Anyone may print; "raw" hands the job to CUPS unprocessed and clients
# supply their own driver ("use client driver = Yes").
guest ok = Yes
printable = Yes
cups options = raw
use client driver = Yes
browseable = Yes
/etc/init.d/samba restart
/etc/init.d/cups restart
===== firewall =====
root@raspberrypi:/usr/local/bin/firewall# cat fw6_flush
#!/bin/sh
##/usr/local/bin/fw6_flush
# Tear the IPv6 firewall down completely: every policy in the filter and
# mangle tables goes back to ACCEPT, counters are zeroed, and all rules and
# user-defined chains are removed.  Afterwards the host does no IPv6
# filtering at all, so run this only when that is what you want (it is the
# "stop" action of the init script).  The nat-table lines stay commented
# out: this script does not manage IPv6 NAT.
ipt="/sbin/ip6tables"

echo "The firewall is now being shut down. All policies are set to
ACCEPT, all rules and chains are deleted, all counters are set to zero."

# 1. Default policies first, so nothing is dropped once the rules are gone.
for chain in INPUT FORWARD OUTPUT; do
  "$ipt" -P "$chain" ACCEPT
done
#"$ipt" -t nat -P OUTPUT ACCEPT
#"$ipt" -t nat -P PREROUTING ACCEPT
#"$ipt" -t nat -P POSTROUTING ACCEPT
for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING; do
  "$ipt" -t mangle -P "$chain" ACCEPT
done

# 2. Reset the packet/byte counters.
"$ipt" -Z
#"$ipt" -t nat -Z
"$ipt" -t mangle -Z

# 3. Flush every rule (-F) and delete every user-defined chain (-X).
"$ipt" -F
"$ipt" -X
#"$ipt" -t nat -F
#"$ipt" -t nat -X
"$ipt" -t mangle -F
"$ipt" -t mangle -X
root@raspberrypi:/usr/local/bin/firewall# cat fw6_server
#!/bin/sh
##/usr/local/bin/fw6_server
# ip6tables rule set for the Pi acting as IPv6 router.  The LAN side is
# eth0, the upstream is the SixXS tunnel interface "sixxs" (the name set in
# /etc/aiccu.conf).  Default policy is DROP for INPUT and FORWARD and ACCEPT
# for OUTPUT; the LAN is trusted (any NEW connection arriving on eth0 is
# accepted), while the tunnel side only gets replies to existing sessions,
# ICMPv6, and TCP/32777.
#
# ip6tables evaluates a chain top to bottom and stops at the first match, so
# the order of the -A lines below is part of the policy: ACCEPTs first, the
# LOG/DROP pair last.
#define variables
ipt="/sbin/ip6tables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="sixxs"
#basic set of kernel modules
$mod ip6_tables
#$mod ip_conntrack
$mod ip6table_filter
#$mod iptable_nat
$mod ip6table_mangle
$mod ip6t_LOG
#$mod ipt_limit
#$mod ipt_state
#$mod ipt_MASQUERADE
#add these for IRC and FTP
# NOTE(review): these four are the IPv4 NAT/conntrack helper modules (the
# same list as in fw_nat); nothing in the ip6tables rules below uses them,
# so they look copied over from the IPv4 script — harmless, but verify that
# they are wanted here.  modprobe failures are not checked anywhere in this
# script; it simply carries on.
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc
# Flush all active rules and delete all custom chains
# (the policies from the previous run stay in force until the -P lines
# below replace them)
$ipt -F
#$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
#$ipt -t nat -X
$ipt -t mangle -X
#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT
#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
# Replies to sessions this host opened, from any interface:
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything from the LAN, including new connections, is trusted:
$ipt -A INPUT -i $LAN_IFACE -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Routing: tunnel -> LAN only for replies, LAN -> tunnel unrestricted.
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Enable specific incoming connection requests
#$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
# TCP/32777 (presumably the SSH daemon moved off port 22 — see the commented
# port-22 line) is reachable from any IPv6 source, including the tunnel; the
# commented alternatives below show how to pin it to specific sources.
$ipt -A INPUT -p tcp --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific source IP address:
#$ipt -A INPUT -p tcp -s 128.173.188.50 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.189.13 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific range of IP addresses:
# NOTE(review): the commented source addresses are IPv4 literals copied from
# the iptables scripts; ip6tables would reject them, so they need IPv6
# prefixes before any of these lines is enabled here.
#$ipt -A INPUT -p tcp -s 198.82.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
# Accept important ICMP messages
$ipt -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
$ipt -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
# Catch-all: every remaining ICMPv6 type is accepted as well, which makes
# the three rules above redundant.  It is also what lets Neighbor Discovery
# (itself ICMPv6) through the INPUT DROP policy, so if this line is ever
# tightened the ND types must be allowed explicitly.
$ipt -A INPUT -p icmpv6 -j ACCEPT
#Reject connection attempts not initiated from inside the LAN
# Only TCP SYNs are logged before being dropped; everything else that gets
# this far (UDP, non-SYN TCP) is dropped silently by the INPUT policy.
$ipt -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
$ipt -A INPUT -p tcp --syn -j DROP
root@raspberrypi:/usr/local/bin/firewall# cat fw6_status
#!/bin/sh
##/usr/local/bin/fw6_status
# Print the live IPv6 rule set: every chain of the filter and mangle tables
# with per-rule packet/byte counters (-v) and rule indexes (--line-numbers)
# so that individual rules can be addressed when editing.
ipt="/sbin/ip6tables"

echo "These are the currently active rules, chains, and packet and
bytecounts:"

# List one table; the argument is the table name.
list_table() {
  "$ipt" -t "$1" -L -v --line-numbers
}

list_table filter
#list_table nat
list_table mangle
root@raspberrypi:/usr/local/bin/firewall# cat fw6_status
#!/bin/sh
##/usr/local/bin/fw6_status
# Print the live IPv6 rule set: every chain of the filter and mangle tables
# with per-rule packet/byte counters (-v) and rule indexes (--line-numbers)
# so that individual rules can be addressed when editing.
ipt="/sbin/ip6tables"

echo "These are the currently active rules, chains, and packet and
bytecounts:"

# List one table; the argument is the table name.
list_table() {
  "$ipt" -t "$1" -L -v --line-numbers
}

list_table filter
#list_table nat
list_table mangle
root@raspberrypi:/usr/local/bin/firewall# cat fw_nat
#!/bin/sh
##/usr/local/bin/fw_nat
#iptables firewall script for sharing
#broadband Internet, with no public services
# NOTE(review): the "no public services" line is out of date — the DNAT
# rules further down publish several TCP ports on the WAN address.
#
# IPv4 router with four interfaces: LAN (eth0), WAN (eth1, SNAT to WAN_IP),
# a DMZ (vnet0) and a VLAN (vnet1).  INPUT and FORWARD default to DROP,
# OUTPUT to ACCEPT.  iptables stops at the first matching rule, so the
# order of the -A lines is part of the policy.
#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="eth1"
WAN_IP="128.173.188.30"
DMZ_IFACE="vnet0"
VLAN_IFACE="vnet1"
#basic set of kernel modules
# NOTE(review): ipt_limit is loaded but no rule below uses -m limit.  These
# are the 2.6-era module names; on a newer kernel some of the modprobes may
# fail, and since nothing checks their exit status the script carries on.
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
#add these for IRC and FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc
# Flush all active rules and delete all custom chains
# (the previous run's policies stay in force until the -P lines below)
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X
#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT
#Enable IP masquerading
# $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
# Static SNAT to the fixed WAN address instead of MASQUERADE (the WAN IP
# does not change, so the cheaper SNAT target is used).
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP
#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN and VLAN are trusted to open connections to this host and out to the
# WAN; the WAN may only send replies back to them.
$ipt -A INPUT -i $LAN_IFACE -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -i $VLAN_IFACE -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $VLAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $VLAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# DMZ
# NOTE(review): NEW connections are accepted in every direction here,
# including DMZ -> LAN and WAN -> DMZ, so the DMZ is not isolated from the
# LAN: a compromised DMZ host can open connections into the LAN.  A typical
# DMZ allows LAN -> DMZ NEW plus replies only — confirm this is intended.
$ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $DMZ_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $DMZ_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Published services: DNAT from the WAN address to internal hosts.  The
# 192.168.3.x targets are presumably on the DMZ interface (vnet0), which is
# what makes the WAN -> DMZ NEW rule above pass the forwarded packets — the
# WAN -> LAN rule only accepts replies.  Verify the subnet/interface mapping.
$ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE -d $WAN_IP -m multiport --dport 80,443,8080,32722 -j DNAT --to-destination 192.168.3.2
$ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE -d $WAN_IP -m multiport --dport 32780,32772 -j DNAT --to-destination 192.168.3.3
$ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE -d $WAN_IP -m multiport --dport 32443 -j DNAT --to-destination 192.168.3.3:443
#Enable specific incoming connection requests
#$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific source IP address:
# Unlike fw_server, SSH on 32777 to this host is limited to two sources.
$ipt -A INPUT -p tcp -s 128.173.188.50 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -s 128.173.189.13 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific range of IP addresses:
#$ipt -A INPUT -p tcp -s 198.82.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
# allow user@128.173.188.50 to ssh directly to alexandria2
# The source restriction lives only in the DNAT rule; the FORWARD rule
# matches on destination alone, which is enough because only DNATed packets
# arrive on the WAN with that private destination.
$ipt -t nat -A PREROUTING -i $WAN_IFACE -p tcp -s 128.173.188.50 --sport 1024:65535 --dport 32776 -j DNAT --to-destination 192.168.2.74:32776
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $LAN_IFACE -d 192.168.2.74 --dport 32776 -j ACCEPT
# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
#Reject connection attempts not initiated from inside the LAN
# Only TCP SYNs are logged before being dropped; anything else that reaches
# the end of the chain is dropped silently by the INPUT policy.
$ipt -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
$ipt -A INPUT -p tcp --syn -j DROP
root@raspberrypi:/usr/local/bin/firewall# cat fw_server
#!/bin/sh
##/usr/local/bin/fw_server
# iptables (IPv4) rule set for a single-homed host: LAN on eth0, no
# forwarding and no NAT rules.  INPUT and FORWARD default to DROP, OUTPUT
# to ACCEPT; anything arriving from the LAN is trusted, and from elsewhere
# only replies, ICMP, and TCP/32777 get in.
#
# iptables stops at the first matching rule, so the order of the -A lines
# is part of the policy: the ACCEPTs must stay above the LOG/DROP pair.
#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
#basic set of kernel modules
# NOTE(review): iptable_nat, ipt_MASQUERADE and the ip_nat_* helpers are
# loaded although no nat rule is ever added below, and ipt_limit is loaded
# without any -m limit rule — leftovers from fw_nat, harmless.  The names
# are the 2.6-era module names; on a newer kernel some modprobes may fail,
# and since their exit status is never checked the script carries on.
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
#add these for IRC and FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc
# Flush all active rules and delete all custom chains
# (the previous run's policies stay in force until the -P lines below)
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X
#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT
#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
# Replies to sessions this host opened, from any interface:
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything from the LAN, including new connections, is trusted:
$ipt -A INPUT -i $LAN_IFACE -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#Enable specific incoming connection requests
#$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
# TCP/32777 (presumably SSH moved off port 22 — see the commented port-22
# line) is open to any source; the commented lines below show how to pin
# it to specific addresses, as fw_nat does.
$ipt -A INPUT -p tcp --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific source IP address:
#$ipt -A INPUT -p tcp -s 128.173.188.50 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.189.13 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific range of IP addresses:
#$ipt -A INPUT -p tcp -s 198.82.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
#Reject connection attempts not initiated from inside the LAN
# Only TCP SYNs are logged before being dropped; anything else that reaches
# the end of the chain is dropped silently by the INPUT policy.
$ipt -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
$ipt -A INPUT -p tcp --syn -j DROP
root@raspberrypi:/usr/local/bin/firewall# cat fw_status
#!/bin/sh
##/usr/local/bin/fw_status
# Print the live IPv4 rule set: every chain of the filter, nat and mangle
# tables with per-rule packet/byte counters (-v) and rule indexes
# (--line-numbers) so that individual rules can be addressed when editing.
ipt="/sbin/iptables"

echo "These are the currently active rules, chains, and packet and
bytecounts:"

# List one table; the argument is the table name.
list_table() {
  "$ipt" -t "$1" -L -v --line-numbers
}

list_table filter
list_table nat
list_table mangle
==== Autostart firewall ====
195 cd /etc/init.d/
196 ls
197 cat > firewall
root@raspberrypi:/etc/init.d# cat /etc/init.d/firewall
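#!/bin/sh
##/etc/init.d/firewall
# simple start-stop init script for the ip6tables firewall
# start builds the firewall, stop flushes
# all rules and resets default policies to ACCEPT
# restart runs the stop and then the start commands
# status displays all active rules, and packet and byte counters
#
# chkconfig: 2345 01 99
# description: Starts, stops and saves iptables firewall
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# X-Start-Before:    networking
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: ip6tables firewall (fw6_server / fw6_flush / fw6_status)
### END INIT INFO
# The LSB block above is what Debian's update-rc.d/insserv reads for the
# runlevels and ordering; without it update-rc.d only warns and the explicit
# start/stop numbers given on its command line may be ignored.

startfile="/usr/local/bin/firewall/fw6_server"
stopfile="/usr/local/bin/firewall/fw6_flush"
statusfile="/usr/local/bin/firewall/fw6_status"

# OpenRC-style dependency block.  A SysV init never calls it; it is kept as
# documentation of the intended ordering (firewall up before the network).
depend() {
  before net
  use logger
}

# Run one of the helper scripts with /bin/sh.
# Arguments: $1 - path of the script to run
# Returns:   1 with a message on stderr if the file is missing, otherwise
#            the helper's own exit status.
run_script() {
  if [ ! -f "$1" ]; then
    echo "firewall: $1 not found" >&2
    return 1
  fi
  /bin/sh "$1"
}

case "$1" in
  start)
    echo "Starting $startfile: iptables is now starting up"
    run_script "$startfile" # start
    ;;
  stop)
    echo "Stopping $stopfile: iptables is now stopped, all rules and
chains are flushed, and default policies are set to ACCEPT"
    run_script "$stopfile" # stop
    ;;
  status)
    run_script "$statusfile" # status
    ;;
  restart)
    # stop first, then start; a failed stop does not prevent the start
    run_script "$stopfile" # stop
    echo "The firewall has stopped."
    run_script "$startfile" # start
    echo "The firewall has now restarted."
    ;;
  *)
    # Previously any other action (or none) was silently ignored with
    # exit status 0, so a typo in a service command looked like success.
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 2
    ;;
esac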
===== ssh tunnels =====
To reach the wireless router through indianzooedgex1:
ssh -L 31180:192.168.1.1:80 steve@indianzooedgex1.homedns.org -p 31122
http://localhost:31180
To reach edgerouterx through indianzoo:
ssh -L 32443:192.168.1.2:31443 pi@indianzoo.homedns.org -p 32722
https://localhost:32443
bnt.com nameservers are required for automatic router enrollment:
nameserver 216.252.192.138 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
nameserver 216.252.192.139 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl