raspbian for RaspberryPi with sixxs tunnel and print server
Copy the Raspbian image to the SD card (download from http://www.raspberrypi.org/downloads).
Network
/etc/network/interfaces
auto lo
iface lo inet loopback
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.1.11
netmask 255.255.255.0
gateway 192.168.1.1
iface eth0 inet6 static
address 2001:4978:215::3
netmask 64
gateway 2001:4978:f:2dd::1
Alternatively, set the address and the default route from the command line:
ip addr add 2001:4978:215::3/64 dev eth0
route add default gw 2001:4978:f:2dd::1
ipv6
Note: aiccu is probably available as a package in the Raspbian distribution.
Compile aiccu
wget http://www.sixxs.net/archive/sixxs/aiccu/unix/aiccu_current.tar.gz
mkdir aiccu
mv aiccu_current.tar.gz aiccu
cd aiccu/
tar xf aiccu_current.tar.gz
cd aiccu
apt-get install gnutls-bin
apt-get install libgnutls-dev
27 make
Add the following file:
root@raspberrypi:/usr/local/bin/firewall# cat /etc/aiccu.conf
# AICCU Configuration

# Login information (defaults: none)
#username <your nichandle/username>
username SEO2-SIXXS
#password <your password>
#password EpY2t8V7
password 7V8t2YpE

# Protocol and server to use for setting up the tunnel (defaults: none)
#protocol <tic|tsp|l2tp>
protocol tic
#server <server to use>
server tic.sixxs.net

# Interface names to use (default: aiccu)
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
ipv6_interface sixxs

# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T20251

# Be verbose? (default: false)
#verbose false
verbose true

# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
#
# WARNING: never run AICCU from DaemonTools or a similar automated
# 'restart' tool/script. When AICCU does not start, it has a reason
# not to start which it gives on either the stdout or in the (sys)log
# file. The TIC server *will* automatically disable accounts which
# are detected to run in this mode.
#
daemonize true

# Automatic Login and Tunnel activation?
automatic true

# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is build with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
requiretls false

# PID File
#pidfile /var/run/aiccu.pid

# Add a default route (default: true)
#defaultroute true

# Script to run after setting up the interfaces (default: none)
#setupscript /usr/local/etc/aiccu-subnets.sh

# Make heartbeats (default true)
# In general you don't want to turn this off
# Of course only applies to AYIYA and heartbeat tunnels not to static ones
#makebeats true

# Don't configure anything (default: false)
#noconfigure true

# Behind NAT (default: false)
# Notify the user that a NAT-kind network is detected
#behindnat true

# Local IPv4 Override (default: none)
# Overrides the IPv4 parameter received from TIC
# This allows one to configure a NAT into "DMZ" mode and then
# forwarding the proto-41 packets to an internal host.
#
# This is only needed for static proto-41 tunnels!
# AYIYA and heartbeat tunnels don't require this.
#local_ipv4_override
autostart aiccu
Create the following file:
root@raspberrypi:~# cat > /etc/default/aiccu
BACKGROUND="true"
OPTIONS=""
Set startup services
# update-rc.d -f aiccu remove
# update-rc.d aiccu start 29 2 3 4 5 .
# update-rc.d aiccu stop 29 0 1 6 .
Install radvd
enable ipv6
modprobe ipv6
lsmod |grep -w 'ipv6' && echo "ipv6 loaded"
apt-get install vim
vim /etc/modprobe.d/ipv6.conf
root@raspberrypi:/etc/rc2.d# cat /etc/modprobe.d/ipv6.conf
## Do load ipv6 by default
alias net-pf-10 off
#alias ipv6 off
The `alias net-pf-10 off` line prevents the ipv6 module from being loaded automatically on demand; loading it at boot is handled explicitly in /etc/modules instead.
root@raspberrypi:~# cat /etc/modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.
snd-bcm2835
ipv6
reboot
radvd
apt-get install radvd
cat > /etc/radvd.conf
root@raspberrypi:/usr/local/bin/firewall# cat /etc/radvd.conf
interface eth0
{
AdvSendAdvert on;
prefix 2001:4978:215::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
route ::/0
{
};
};
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
reboot
sysctl -w net.ipv6.conf.all.forwarding=1
/etc/init.d/radvd start
/etc/init.d/radvd status
/etc/init.d/radvd stop
Autostart radvd
# update-rc.d radvd start 29 2 3 4 5 .
# update-rc.d radvd stop 29 0 1 6 .
Print server
installations
108 apt-get install samba
109 apt-get install cups
110 apt-get update
111 apt-get upgrade
112 apt-get install cups --fix-missing
cups setup
115 cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.org
116 vim /etc/cups/cupsd.conf
root@raspberrypi:/etc/init.d# cat /etc/cups/cupsd.conf
#
#
# Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0
# Administrator user group...
SystemGroup lpadmin
Listen *:631
# Only listen for connections from the local machine.
#Listen localhost:631
#the following is commented out in independence:
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd
#independence:BrowseAllow @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Web interface setting...
WebInterface Yes
# Restrict access to the server...
<Location />
Order allow,deny
#these two are on independence:
Allow localhost
Allow 192.168.1.*
</Location>
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
#these three are on independence:
Encryption Required
Allow localhost
Allow 192.168.1.*
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
#independence:AuthType Basic
AuthType Default
Require user @SYSTEM
Order allow,deny
#these two are on independence:
Allow localhost
Allow 192.168.1.*
</Location>
# Set the default printer/job policies...
<Policy default>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
Allow 192.168.1.*
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
Allow 192.168.1.*
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
# AuthType Default
# Require user @SYSTEM
Order deny,allow
Allow 192.168.1.*
</Limit>
#the following limit section is not on independence, but is combined with the above section
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
# AuthType Default
# Require user @SYSTEM
Order deny,allow
Allow 192.168.1.*
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
#the following is commented on independence:
# Require user @OWNER @SYSTEM
Order deny,allow
#on independence
Allow 192.168.1.*
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#the following are not on independence:
# Set the authenticated printer/job policies...
<Policy authenticated>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
#
samba configuration
123 cp -a /etc/samba/smb.conf /etc/samba/smb.conf.org
124 cat > /etc/samba/smb.conf
root@raspberrypi:/etc/init.d# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = MYZOO
server string = IndianZoo Samba Server
log file = /var/log/samba/%m.log
max log size = 50
disable spoolss = Yes
show add printer wizard = No
hosts allow = 192.168.1., 127.
printcap name = cups
printing = cups
load printers = yes
security = share

[homes]
comment = Home Directories
read only = No
browseable = Yes

[printers]
comment = All printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
cups options = raw
use client driver = Yes
browseable = Yes
/etc/init.d/samba restart
/etc/init.d/cups restart
firewall
root@raspberrypi:/usr/local/bin/firewall# cat fw6_flush
#!/bin/sh
##/usr/local/bin/fw_flush
# Flush script: removes every active ip6tables rule and user-defined
# chain, zeroes all counters and resets the built-in policies to
# ACCEPT.  Afterwards the host has no IPv6 packet filter at all.
#
# The nat table is not touched here (its lines are commented out in the
# original; presumably this ip6tables build has no nat table).

ipt="/sbin/ip6tables"

printf '%s\n' "The firewall is now being shut down. All policies are set to
ACCEPT, all rules and chains are deleted, all counters are set to zero."

# Open the built-in chains first: with the policies already at ACCEPT
# there is no window in which a DROP policy applies to an empty rule set.
for chain in INPUT FORWARD OUTPUT; do
  "$ipt" -P "$chain" ACCEPT
done
#$ipt -t nat -P OUTPUT ACCEPT
#$ipt -t nat -P PREROUTING ACCEPT
#$ipt -t nat -P POSTROUTING ACCEPT
for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING; do
  "$ipt" -t mangle -P "$chain" ACCEPT
done

# Zero the packet and byte counters in both tables.
"$ipt" -Z
#$ipt -t nat -Z
"$ipt" -t mangle -Z

# Remove all rules (-F), then all user-defined chains (-X).
"$ipt" -F
"$ipt" -X
#$ipt -t nat -F
#$ipt -t nat -X
"$ipt" -t mangle -F
"$ipt" -t mangle -X
root@raspberrypi:/usr/local/bin/firewall# cat fw6_server
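#!/bin/sh
##/usr/local/bin/fw_server
# ip6tables (IPv6) firewall for the Pi and the LAN behind it.
#
# Default policies: INPUT and FORWARD drop, OUTPUT accepts.  Then:
#   - loopback and replies to locally-initiated sessions are accepted;
#   - anything arriving on the LAN interface is accepted;
#   - LAN->WAN forwarding is allowed, WAN->LAN only for replies;
#   - inbound SSH on $SSH_PORT and ICMPv6 are accepted from anywhere;
#   - every other inbound TCP SYN is logged (rate-limited) and dropped.
# fw6_flush undoes all of this; fw6_status lists the live rules.

#define variables
ipt="/sbin/ip6tables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="sixxs"
SSH_PORT="32777"
# Ceiling for the "dropped SYN" LOG rule at the end of the script.
# Without a limit a SYN flood writes one syslog line per packet and can
# fill the log.  Starting values - tune as needed.
LOG_LIMIT="5/min"
LOG_BURST="10"

#basic set of kernel modules
"$mod" ip6_tables
#$mod ip_conntrack
"$mod" ip6table_filter
#$mod iptable_nat
"$mod" ip6table_mangle
"$mod" ip6t_LOG
#$mod ipt_limit
#$mod ipt_state
#$mod ipt_MASQUERADE
#add these for IRC and FTP
# NOTE(review): these four are IPv4 NAT/conntrack helper modules and
# nothing in this ip6tables script uses them (the nat lines are commented
# out).  Kept so the script behaves as before; on newer kernels the names
# may no longer exist and modprobe will complain - confirm on the target.
"$mod" ip_nat_ftp
"$mod" ip_nat_irc
"$mod" ip_conntrack_ftp
"$mod" ip_conntrack_irc

# Flush all active rules and delete all custom chains
"$ipt" -F
#$ipt -t nat -F
"$ipt" -t mangle -F
"$ipt" -X
#$ipt -t nat -X
"$ipt" -t mangle -X

#Set default policies
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
"$ipt" -P OUTPUT ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
"$ipt" -A INPUT -i lo -j ACCEPT

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
"$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A INPUT -i "$LAN_IFACE" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Enable specific incoming connection requests
#$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
"$ipt" -A INPUT -p tcp --dport "$SSH_PORT" --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific source IP address:
# NOTE: the addresses in the examples below are IPv4 literals and are not
# valid for ip6tables; substitute the IPv6 prefixes of the permitted
# clients before enabling one of them.
#$ipt -A INPUT -p tcp -s 128.173.188.50 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.189.13 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific range of IP addresses:
#$ipt -A INPUT -p tcp -s 198.82.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT

# Accept important ICMP messages
# The catch-all on the last line accepts every ICMPv6 type (ICMPv6 carries
# neighbour discovery and PMTU signalling, so it must not be dropped
# wholesale); the three explicit rules above it are informational only.
"$ipt" -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
"$ipt" -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
"$ipt" -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
"$ipt" -A INPUT -p icmpv6 -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
# Log first (rate-limited so a flood cannot fill the log), then drop.
"$ipt" -A INPUT -p tcp --syn -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
"$ipt" -A INPUT -p tcp --syn -j DROP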
root@raspberrypi:/usr/local/bin/firewall# cat fw6_status
#!/bin/sh
##/usr/local/bin/fw_status script
# Lists the live ip6tables rule set: every chain of the filter and
# mangle tables, with rule numbers and packet/byte counters.

ipt="/sbin/ip6tables"

printf '%s\n' "These are the currently active rules, chains, and packet and
bytecounts:"

for table in filter mangle; do
  "$ipt" -t "$table" -L -v --line-numbers
done
#$ipt -t nat -L -v --line-numbers
root@raspberrypi:/usr/local/bin/firewall# cat fw6_status
#!/bin/sh
##/usr/local/bin/fw_status script
# Shows every active ip6tables chain and rule, numbered, with packet and
# byte counters, for the filter and mangle tables.

ipt="/sbin/ip6tables"

# Dump one table ($1) verbosely with rule numbers.
show_table() {
  "$ipt" -t "$1" -L -v --line-numbers
}

printf '%s\n' "These are the currently active rules, chains, and packet and
bytecounts:"
show_table filter
#show_table nat
show_table mangle
root@raspberrypi:/usr/local/bin/firewall# cat fw_nat
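#!/bin/sh
##/usr/local/bin/fw_nat
# iptables (IPv4) firewall for a router that shares a broadband link:
#   - LAN ($LAN_IFACE) and VLAN ($VLAN_IFACE) hosts reach the Internet via
#     SNAT to $WAN_IP; only their own sessions are forwarded back;
#   - a DMZ ($DMZ_IFACE) receives selected TCP ports forwarded from $WAN_IP;
#   - the router itself accepts SSH on $SSH_PORT from two listed source
#     addresses only, plus a few ICMP types;
#   - every other inbound TCP SYN is logged (rate-limited) and dropped.
# fw_status lists the live rules.

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="eth1"
WAN_IP="128.173.188.30"
DMZ_IFACE="vnet0"
VLAN_IFACE="vnet1"
SSH_PORT="32777"
# Ceiling for the "dropped SYN" LOG rule at the end.  Without a limit a
# SYN flood writes one syslog line per packet; ipt_limit is loaded below
# so the match is available.  Starting values - tune as needed.
LOG_LIMIT="5/min"
LOG_BURST="10"

#basic set of kernel modules
"$mod" ip_tables
"$mod" ip_conntrack
"$mod" iptable_filter
"$mod" iptable_nat
"$mod" iptable_mangle
"$mod" ipt_LOG
"$mod" ipt_limit
"$mod" ipt_state
"$mod" ipt_MASQUERADE
#add these for IRC and FTP (conntrack/NAT helpers for their data connections)
"$mod" ip_nat_ftp
"$mod" ip_nat_irc
"$mod" ip_conntrack_ftp
"$mod" ip_conntrack_irc

# Flush all active rules and delete all custom chains
"$ipt" -F
"$ipt" -t nat -F
"$ipt" -t mangle -F
"$ipt" -X
"$ipt" -t nat -X
"$ipt" -t mangle -X

#Set default policies
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
"$ipt" -P OUTPUT ACCEPT
"$ipt" -t nat -P OUTPUT ACCEPT
"$ipt" -t nat -P PREROUTING ACCEPT
"$ipt" -t nat -P POSTROUTING ACCEPT
"$ipt" -t mangle -P PREROUTING ACCEPT
"$ipt" -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
"$ipt" -A INPUT -i lo -j ACCEPT

#Enable IP masquerading
# SNAT to the fixed WAN address is used; MASQUERADE is left commented out.
# $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
"$ipt" -t nat -A POSTROUTING -o "$WAN_IFACE" -j SNAT --to-source "$WAN_IP"

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
"$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A INPUT -i "$LAN_IFACE" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A INPUT -i "$VLAN_IFACE" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A FORWARD -i "$WAN_IFACE" -o "$VLAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$VLAN_IFACE" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# DMZ
# NOTE(review): these four rules allow NEW connections in every direction,
# including DMZ->LAN, so a compromised DMZ host could open connections into
# the LAN; WAN->DMZ also allows NEW sessions to any DMZ port (reachable in
# practice only via the DNAT rules below, unless the upstream routes the
# DMZ subnet here).  Kept as configured; to isolate the DMZ, drop the
# DMZ->LAN NEW rule and restrict WAN->DMZ to `-m conntrack --ctstate DNAT`.
"$ipt" -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Port forwards from the public address into the DMZ hosts.
"$ipt" -t nat -A PREROUTING -p tcp -i "$WAN_IFACE" -d "$WAN_IP" -m multiport --dport 80,443,8080,32722 -j DNAT --to-destination 192.168.3.2
"$ipt" -t nat -A PREROUTING -p tcp -i "$WAN_IFACE" -d "$WAN_IP" -m multiport --dport 32780,32772 -j DNAT --to-destination 192.168.3.3
"$ipt" -t nat -A PREROUTING -p tcp -i "$WAN_IFACE" -d "$WAN_IP" -m multiport --dport 32443 -j DNAT --to-destination 192.168.3.3:443

#Enable specific incoming connection requests
#$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific source IP address:
"$ipt" -A INPUT -p tcp -s 128.173.188.50 --dport "$SSH_PORT" --sport 1024:65535 -m state --state NEW -j ACCEPT
"$ipt" -A INPUT -p tcp -s 128.173.189.13 --dport "$SSH_PORT" --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific range of IP addresses:
#$ipt -A INPUT -p tcp -s 198.82.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT

# allow user@128.173.188.50 to ssh directly to alexandria2
# DNAT to the LAN host plus the matching FORWARD rule (the generic WAN->LAN
# rule above only passes replies).  The FORWARD rule has no -s match; it
# relies on the DNAT being the only path by which WAN traffic reaches
# 192.168.2.74.
"$ipt" -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp -s 128.173.188.50 --sport 1024:65535 --dport 32776 -j DNAT --to-destination 192.168.2.74:32776
"$ipt" -A FORWARD -p tcp -i "$WAN_IFACE" -o "$LAN_IFACE" -d 192.168.2.74 --dport 32776 -j ACCEPT

# Accept important ICMP messages
"$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
# Log first (rate-limited so a flood cannot fill the log), then drop.
"$ipt" -A INPUT -p tcp --syn -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
"$ipt" -A INPUT -p tcp --syn -j DROP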
root@raspberrypi:/usr/local/bin/firewall# cat fw_server
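#!/bin/sh
##/usr/local/bin/fw_server
# iptables (IPv4) firewall for a single server with one LAN interface.
#
# Default policies: INPUT and FORWARD drop, OUTPUT accepts.  Then:
#   - loopback and replies to locally-initiated sessions are accepted;
#   - anything arriving on the LAN interface is accepted;
#   - inbound SSH on $SSH_PORT and a few ICMP types are accepted from
#     anywhere;
#   - every other inbound TCP SYN is logged (rate-limited) and dropped.
# No forwarding or NAT rules are installed; fw_status lists the live rules.

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
SSH_PORT="32777"
# Ceiling for the "dropped SYN" LOG rule at the end.  Without a limit a
# SYN flood writes one syslog line per packet; ipt_limit is loaded below
# so the match is available.  Starting values - tune as needed.
LOG_LIMIT="5/min"
LOG_BURST="10"

#basic set of kernel modules
"$mod" ip_tables
"$mod" ip_conntrack
"$mod" iptable_filter
"$mod" iptable_nat
"$mod" iptable_mangle
"$mod" ipt_LOG
"$mod" ipt_limit
"$mod" ipt_state
"$mod" ipt_MASQUERADE
#add these for IRC and FTP (conntrack/NAT helpers for their data connections)
"$mod" ip_nat_ftp
"$mod" ip_nat_irc
"$mod" ip_conntrack_ftp
"$mod" ip_conntrack_irc

# Flush all active rules and delete all custom chains
"$ipt" -F
"$ipt" -t nat -F
"$ipt" -t mangle -F
"$ipt" -X
"$ipt" -t nat -X
"$ipt" -t mangle -X

#Set default policies
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
"$ipt" -P OUTPUT ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
"$ipt" -A INPUT -i lo -j ACCEPT

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
"$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A INPUT -i "$LAN_IFACE" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Enable specific incoming connection requests
#$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
"$ipt" -A INPUT -p tcp --dport "$SSH_PORT" --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific source IP address:
#$ipt -A INPUT -p tcp -s 128.173.188.50 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.189.13 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#Or, you may restrict SSH logins to a specific range of IP addresses:
#$ipt -A INPUT -p tcp -s 198.82.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT
#$ipt -A INPUT -p tcp -s 128.173.0.0/16 --dport 32777 --sport 1024:65535 -m state --state NEW -j ACCEPT

# Accept important ICMP messages
"$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
# Log first (rate-limited so a flood cannot fill the log), then drop.
"$ipt" -A INPUT -p tcp --syn -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
"$ipt" -A INPUT -p tcp --syn -j DROP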
root@raspberrypi:/usr/local/bin/firewall# cat fw_status
#!/bin/sh
##/usr/local/bin/fw_status script
# Prints the live iptables (IPv4) rule set: every chain of the filter,
# nat and mangle tables, numbered, with packet and byte counters.

ipt="/sbin/iptables"

printf '%s\n' "These are the currently active rules, chains, and packet and
bytecounts:"

for table in filter nat mangle; do
  "$ipt" -t "$table" -L -v --line-numbers
done
Autostart firewall
195 cd /etc/init.d/
196 ls
197 cat > firewall
root@raspberrypi:/etc/init.d# cat /etc/init.d/firewall
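#!/bin/sh
##/etc.init.d/firewall
# simple start-stop init script for the ip6tables firewall
#   start   - builds the firewall (runs $startfile)
#   stop    - flushes all rules and resets default policies to ACCEPT
#             (runs $stopfile)
#   restart - runs stop, then start
#   status  - displays all active rules, and packet and byte counters
#             (runs $statusfile)
# Any other argument prints a usage line and exits 2.
#
# chkconfig: 2345 01 99
# description: Starts, stops and shows the ip6tables firewall
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $syslog
# Required-Stop:     $local_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: ip6tables firewall (fw6_server / fw6_flush)
### END INIT INFO

startfile="/usr/local/bin/firewall/fw6_server"
stopfile="/usr/local/bin/firewall/fw6_flush"
statusfile="/usr/local/bin/firewall/fw6_status"

# Looks like an OpenRC (Gentoo) dependency hook.  Nothing in this script
# calls it, so under plain /bin/sh it is inert; it is kept unchanged rather
# than removed.  The LSB header above is what update-rc.d reads.
depend() {
  before net
  use logger
}

case "$1" in
  start)
    echo "Starting $startfile: iptables is now starting up"
    /bin/sh "$startfile" # start
    ;;
  stop)
    echo "Stopping $stopfile: iptables is now stopped, all rules and
chains are flushed, and default policies are set to ACCEPT"
    /bin/sh "$stopfile" # stop
    ;;
  status)
    /bin/sh "$statusfile" # status
    ;;
  restart)
    /bin/sh "$stopfile" # stop
    echo "The firewall has stopped."
    /bin/sh "$startfile" # start
    echo "The firewall has now restarted."
    ;;
  *)
    # Unknown or missing action: say so instead of silently doing nothing.
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 2
    ;;
esac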
ssh tunnels
To get to wireless router through indianzooedgex1
ssh -L 31180:192.168.1.1:80 steve@indianzooedgex1.homedns.org -p 31122
then open http://localhost:31180
To get to edgerouterx through indianzoo
ssh -L 32443:192.168.1.2:31443 pi@indianzoo.homedns.org -p 32722
then open https://localhost:32443
bnt.com nameservers required for auto router enrollment
nameserver 216.252.192.138 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
nameserver 216.252.192.139 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl