Cervin.home


interfaces

This configuration file provides special support for CenturyLink FTTH VLAN tagging (VLAN 201).

/etc/network/interfaces

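# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#
# Roles on this router, as configured below:
#   eth0 (or eth0.201)  WAN, address from the ISP via DHCP
#   eth1 via br0        LAN 1, 10.1.1.1/24 (bridged with the OpenVPN tap device)
#   eth2                LAN 2, 10.2.2.1/24
#   eth3                LAN 3, 10.3.3.1/24
#
# NOTE: interfaces(5) only honours comments on lines of their own. Text after
# a directive on the same line is parsed as part of that directive, so the
# "auto eth0 # ..." form used earlier in this file has been split up.

source /etc/network/interfaces.d/*

### Loopback ###
auto lo
iface lo inet loopback

### ETH0 ###
allow-hotplug eth0
# Comment out the next line when using CenturyLink FTTH VLAN tagging (and
# enable "auto eth0.201" below instead). Applies to both dhcp and static.
auto eth0

# DHCP eth0 - uncomment for use with CenturyLink FTTH VLAN tagging (VLAN 201)
#auto eth0.201
#iface eth0.201 inet dhcp
# Uncomment if using DHCP for the WAN interface and NOT using CenturyLink FTTH.
# The DHCP lease also supplies the default route for the whole router.
iface eth0 inet dhcp

# WAN Interface Static config
# Static eth0
#iface eth0 inet static
#        address 10.1.1.65
#        netmask 255.255.255.0
#        network 10.1.1.0
#        broadcast 10.1.1.255
#        gateway 10.1.1.1
#        dns-nameservers 127.0.0.1 8.8.8.8 8.8.4.4

### ETH1 ###
allow-hotplug eth1
auto eth1

# DHCP eth1
#iface eth1 inet dhcp

# Uncomment this section if NOT using bridging mode for OpenVPN.
# Static eth1
#iface eth1 inet static
#        address 10.1.1.1
#        netmask 255.255.255.0
#        network 10.1.1.0
#        broadcast 10.1.1.255
#        dns-nameservers 127.0.0.1 8.8.8.8 8.8.4.4

# Comment this section if not using bridging mode for OpenVPN.
# Bridge interface for VPN
auto br0
iface br0 inet static
        address 10.1.1.1
        network 10.1.1.0
        netmask 255.255.255.0
        broadcast 10.1.1.255
        # No "gateway" on the LAN stanzas: the previous value (10.1.1.1) was
        # this interface's own address, so it could not be a next hop, and a
        # second default route conflicts with the one installed from the eth0
        # lease and makes ifup report the interface as failed.
        bridge_ports eth1
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

### ETH2 ###
allow-hotplug eth2
auto eth2

# DHCP eth2
#iface eth2 inet dhcp

# Static eth2
iface eth2 inet static
        address 10.2.2.1
        netmask 255.255.255.0
        network 10.2.2.0
        broadcast 10.2.2.255
        # gateway intentionally omitted (see br0)
        dns-nameservers 127.0.0.1 8.8.8.8 8.8.4.4

### ETH3 ###
allow-hotplug eth3
auto eth3

# DHCP eth3
#iface eth3 inet dhcp

# Static eth3
iface eth3 inet static
        address 10.3.3.1
        netmask 255.255.255.0
        network 10.3.3.0
        broadcast 10.3.3.255
        # gateway intentionally omitted (see br0)
        dns-nameservers 127.0.0.1 8.8.8.8 8.8.4.4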

sudoers

Added the bob user to sudoers.

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
# env_reset and secure_path stop the caller's environment and PATH from
# reaching commands run through sudo; mail_badpass mails root about wrong
# sudo passwords. Note that secure_path does NOT contain /firewall (which
# /etc/profile adds for login shells), so under sudo the management scripts
# have to be called by full path, e.g. "sudo /firewall/menu".
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
# Local addition: bob may run any command as any user and group, i.e. the
# account is root-equivalent (a password is still required since NOPASSWD is
# not given). Per the header above, a drop-in under /etc/sudoers.d/ is the
# usual place for this, and restricting it to the commands bob actually needs
# would limit what a compromise of that account's password gives away.
bob     ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

sshd_config

Here we allow SSH on the non-standard port 31022. We also allow root login with a password (or not).

/etc/ssh/sshd_config

# Package generated configuration file
# See the sshd_config(5) manpage for details
#
# Local changes from the packaged default are "Port 31022" and
# "PermitRootLogin yes". Reviewer remarks are marked NOTE(review).

# What ports, IPs and protocols we listen for
# A non-standard port cuts scanner noise in the logs but is not an access
# control: the port is reachable from the WAN unless the iptables ruleset
# says otherwise.
Port 31022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
# NOTE(review): DSA host keys are fixed at 1024 bits and current OpenSSH
# clients refuse ssh-dss by default; the RSA, ECDSA and Ed25519 keys below
# already serve every client, so this line can be dropped.
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
# NOTE(review): these two options, RSAAuthentication and
# RhostsRSAAuthentication only apply to SSH protocol 1, which "Protocol 2"
# above disables; later OpenSSH releases removed protocol 1 and warn about
# or reject these keywords, so expect to delete them on upgrade.
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
# NOTE(review): "yes" lets root authenticate with a password, and
# PasswordAuthentication is left at its default (yes) further down, so the
# root password is exposed to online guessing from wherever port 31022 is
# reachable. "PermitRootLogin without-password" (the keyword this file's own
# UsePAM comment uses) limits root to key authentication; bob has sudo for
# interactive administration. "PasswordAuthentication no" once bob has a key
# deployed closes the remaining password surface.
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
# (commented out, so the default "yes" is in effect -- see the
# PermitRootLogin note above)
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# NOTE(review): X11 forwarding is seldom needed on a headless router; "no"
# is one less feature sshd performs on behalf of a logged-in client.
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

sources.list

/etc/apt/sources.list

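#Debian Repos
deb http://ftp.debian.org/debian/  jessie main contrib non-free
deb-src http://ftp.debian.org/debian/  jessie main contrib non-free
# proposed-updates holds packages staged for the next point release, which
# have had less exposure than the release pocket.
deb http://ftp.debian.org/debian/  jessie-proposed-updates main contrib non-free
deb-src http://ftp.debian.org/debian/  jessie-proposed-updates main contrib non-free

# Security updates: what the nightly /firewall/rundailyupdates job mainly
# pulls. Note this pocket lists main and contrib only, not non-free.
# The mirrors are plain http; apt verifies the repository signatures, so
# package integrity does not depend on the transport.
deb http://security.debian.org/ jessie/updates main contrib
deb-src http://security.debian.org/ jessie/updates main contrib
# (a duplicate of the jessie-proposed-updates deb-src line was removed here;
#  apt warns about duplicate sources.list entries and ignores the repeat)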

crontab -l (root)

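# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# This is root's per-user crontab (crontab -e / crontab -l), not
# /etc/crontab, so each line is five time fields followed directly by the
# command. The earlier sixth column "root" is only valid in /etc/crontab;
# in a user crontab cron runs "root /firewall/..." and every job fails with
# "root: not found". (If these lines are in fact meant for /etc/crontab,
# restore the user column.)
#
# Output is discarded with "> /dev/null 2>&1": cron runs jobs with /bin/sh,
# where bash's "&>" is not a redirection (it backgrounds the command and the
# output is mailed after all). This also silences failures of the firewall
# scripts; drop the "2>&1" to have errors mailed to root instead.
#
# m h  dom mon dow   command

# Twice daily fix resolv.conf just in case dhcp overrides our values
0 12    * * *   /firewall/runresolv > /dev/null 2>&1
0 0     * * *   /firewall/runresolv > /dev/null 2>&1

# Every morning at 7AM run updates (detached screen session, see rundailyupdates)
0 7     * * *   /firewall/rundailyupdates > /dev/null 2>&1

# Daily clock NTP sync
0 0     * * *   /firewall/runclock > /dev/null 2>&1

# Daily ELK Stack purge Elasticsearch Index
0 0     * * *   /firewall/runpurgeelkindex > /dev/null 2>&1

# Monthly Geo-IP Database download
0 0     1 * *   /firewall/runfetchgeoipdb > /dev/null 2>&1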

vimrc

Modified vimrc to enable the syntax highlighting feature (i.e. uncommented `syntax on`).

/etc/vim/vimrc

" All system-wide defaults are set in $VIMRUNTIME/debian.vim and sourced by
" the call to :runtime you can find below.  If you wish to change any of those
" settings, you should do it in this file (/etc/vim/vimrc), since debian.vim
" will be overwritten everytime an upgrade of the vim packages is performed.
" It is recommended to make changes after sourcing debian.vim since it alters
" the value of the 'compatible' option.

" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim

" Uncomment the next line to make Vim more Vi-compatible
" NOTE: debian.vim sets 'nocompatible'.  Setting 'compatible' changes numerous
" options, so any other options should be set AFTER setting 'compatible'.
"set compatible

" Vim5 and later versions support syntax highlighting. Uncommenting the next
" line enables syntax highlighting by default.
" Local change: enabled on this host (the only edit to the packaged file) so
" the firewall scripts and config files are highlighted when edited from
" the management menu.
syntax on

" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
"set background=dark

" Uncomment the following to have Vim jump to the last position when
" reopening a file
"if has("autocmd")
"  au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
"endif

" Uncomment the following to have Vim load indentation rules and plugins
" according to the detected filetype.
"if has("autocmd")
"  filetype plugin indent on
"endif

" The following are commented out as they cause vim to behave a lot
" differently from regular Vi. They are highly recommended though.
"set showcmd            " Show (partial) command in status line.
"set showmatch          " Show matching brackets.
"set ignorecase         " Do case insensitive matching
"set smartcase          " Do smart case matching
"set incsearch          " Incremental search
"set autowrite          " Automatically save before commands like :next and :make
"set hidden             " Hide buffers when they are abandoned
"set mouse=a            " Enable mouse usage (all modes)

" Source a global configuration file if available
if filereadable("/etc/vim/vimrc.local")
  source /etc/vim/vimrc.local
endif

environment

/etc/environment

# Read by pam_env at login for every user. /firewall is appended so the
# management scripts (menu, runfirewall, ...) resolve without a full path.
# Everything in that directory runs as root from rc.local, cron and the
# menu, so /firewall and its scripts must stay root-owned and must not be
# writable by other users or groups.
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/firewall"

unbound.conf

/etc/unbound/unbound.conf

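# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
        # verbosity number, 0 is least verbose. 1 is default.
        verbosity: 1

        # specify the interfaces to answer queries from by ip-address.
        # Loopback plus the three LAN gateway addresses; the WAN address is
        # not listed, so the resolver is not exposed to the Internet.
        interface: 127.0.0.1
        interface: 10.1.1.1
        interface: 10.2.2.1
        interface: 10.3.3.1


        # Enable IPv4, "yes" or "no".
        do-ip4: yes

        # Enable IPv6, "yes" or "no".
        do-ip6: no

        # Enable UDP, "yes" or "no".
        do-udp: yes

        # Enable TCP, "yes" or "no".
        do-tcp: yes

        # Detach from the terminal, run in background, "yes" or "no".
        do-daemonize: yes

        # control which clients are allowed to make (recursive) queries
        # to this server. Specify classless netblocks with /size and action.
        # The LAN netblocks are /24, matching /etc/network/interfaces. The
        # earlier "/8" masks each amounted to 10.0.0.0/8 and allowed any
        # 10.x.x.x source, not just the three LANs (the VPN pool .80-.99 is
        # inside 10.1.1.0/24, so it stays allowed).
        access-control: 127.0.0.0/8 allow
        access-control: 192.168.1.0/24 allow
        access-control: 192.168.0.0/24 allow
        access-control: 10.1.1.0/24 allow
        access-control: 10.2.2.0/24 allow
        access-control: 10.3.3.0/24 allow

        # if given, user privileges are dropped (after binding port),
        username: "unbound"

        # The DNSSEC root key
        # NOTE(review): while this stays commented out no DNSSEC validation
        # is performed, and harden-dnssec-stripped below has nothing to act
        # on. Enabling it (with a maintained root.key) turns validation on.
        # auto-trust-anchor-file: "/etc/unbound/root.key"

        # the working directory. The relative files in this config are
        # relative to this directory. If you give "" the working directory
        # is not changed.
        directory: "/etc/unbound"

        # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
        # log to, with identity "unbound". If yes, it overrides the logfile.
        use-syslog: yes

        # print UTC timestamp in ascii to logfile, default is epoch in seconds.
        log-time-ascii: no

        # the pid file. Can be an absolute path outside of chroot/work dir.
        pidfile: "/var/run/unbound.pid"

        # enable to not answer id.server and hostname.bind queries.
        hide-identity: yes

        # enable to not answer version.server and version.bind queries.
        hide-version: yes

        # Blacklist unavailable hosts only for a minute
        infra-host-ttl: 60

        harden-glue: yes
        harden-dnssec-stripped: yes
        use-caps-for-id: yes
        # Answers are cached for at least an hour regardless of the upstream
        # TTL, so a record changed upstream can be served stale for that long.
        cache-min-ttl: 3600
        cache-max-ttl: 86400
        prefetch: yes

        # Allow the domain (and its subdomains) to contain private addresses.
        # local-data statements are allowed to contain private addresses too.
        private-domain: "home"

        # Do not query the following addresses. No DNS queries are sent there.
        # List one address per entry. List classless netblocks with /size,
        do-not-query-address: 127.0.0.1/8

        # if yes, the above default do-not-query-address entries are present.
        # if no, localhost can be queried (for testing and debugging).
        do-not-query-localhost: no

        # Enforce privacy of these addresses. Strips them away from answers.
        # It may cause DNSSEC validation to additionally mark it as bogus.
        # Protects against 'DNS Rebinding' (uses browser as network proxy).
        # Only 'private-domain' and 'local-data' names are allowed to have
        # these private addresses. No default.
        # The previous seven overlapping entries (192.168.x.0/16 variants and
        # 10.x.x.0 with /16 and /8 masks) appear to have meant exactly these
        # two ranges; prefix-aligned netblocks avoid relying on how host bits
        # outside the mask are treated (check with unbound-checkconf).
        private-address: 192.168.0.0/16
        private-address: 10.0.0.0/8

        # locally served zones can be configured for the machines on the LAN and VPN.
        # Home zone
        local-zone: "home." static

        local-data: "cervin.home.     IN A 10.1.1.1"
        local-data-ptr: "10.1.1.1  cervin.home"
        local-data: "router.home.     IN A 10.1.1.1"
        local-data-ptr: "10.1.1.1  router.home"


# forward out for everything else. forward-zone is a top-level clause rather
# than a server: option, so it is written at column 0 (it was indented under
# server: before; unbound does not care about indentation, so behaviour is
# the same). Everything not in "home." goes to Google Public DNS as plain,
# unencrypted DNS on port 53.
forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4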

dhcpd.conf

/etc/dhcp/dhcpd.conf

### ETH1 - LAN 1  ###
# Clients get this router (10.1.1.1, the local unbound) as first resolver and
# 8.8.8.8 as second. A client that falls back to the second server bypasses
# unbound's "home." records and private-address filtering for that lookup;
# list only 10.1.1.1 if that matters.
# The pool starts at .100; the gateway (.1) and the OpenVPN server-bridge
# pool (.80-.99) sit below it, so the address ranges do not overlap.
subnet 10.1.1.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 10.1.1.1;
        option broadcast-address 10.1.1.255;
        option domain-name-servers 10.1.1.1, 8.8.8.8;
        # NOTE(review): domain-name is normally given without the leading dot
        # ("home", matching unbound's local-zone "home."); confirm clients
        # accept ".home" as their search domain.
        option domain-name ".home";
        range 10.1.1.100 10.1.1.250;
## Define static lease based on MAC address
#  host macbookpro{
#   hardware ethernet 70:56:81:22:33:44;
#   fixed-address 10.1.1.35;
#  }
}

### ETH2 - LAN 2  ###
# Same resolver and domain-name remarks as LAN 1.
subnet 10.2.2.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 10.2.2.1;
        option broadcast-address 10.2.2.255;
        option domain-name-servers 10.2.2.1, 8.8.8.8;
        option domain-name ".home";
        range 10.2.2.100 10.2.2.250;
## Define static lease based on MAC address
#  host macbookpro{
#   hardware ethernet 70:56:81:22:33:44;
#   fixed-address 10.2.2.35;
#  }
}

### ETH3 - LAN 3  ###
# Same resolver and domain-name remarks as LAN 1.
subnet 10.3.3.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 10.3.3.1;
        option broadcast-address 10.3.3.255;
        option domain-name-servers 10.3.3.1, 8.8.8.8;
        option domain-name ".home";
        range 10.3.3.100 10.3.3.250;
## Define static lease based on MAC address
#  host macbookpro{
#   hardware ethernet 70:56:81:22:33:44;
#   fixed-address 10.3.3.35;
#  }
}

Enable DHCP Daemon Service

systemctl enable isc-dhcp-server.service

resolv.conf.base

This will be used by /firewall/runresolv to replace resolv.conf if it gets overridden by DHCP leases.

/etc/resolv.conf.base

# Copied over /etc/resolv.conf by /firewall/runresolv (from rc.local and
# twice daily from cron) whenever a DHCP lease has replaced it.
# The router itself resolves through the local unbound first.
nameserver 127.0.0.1
# Fallbacks used only if 127.0.0.1 does not answer; they bypass unbound's
# local "home." data and private-address filtering for that lookup.
nameserver 8.8.8.8
nameserver 8.8.4.4

rc.local

/etc/rc.local

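#!/bin/sh
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# -e is set here instead of on the shebang line so it also applies when the
# script is started as "sh /etc/rc.local". Any failing step ends the script
# with a non-zero status.
set -e

# Run Firewall rules for ipv4 and ipv6.
# This runs first so the default-DROP policies are in place before anything
# else; a failure is named explicitly and stops the script rather than
# continuing with an unknown ruleset.
/firewall/runfirewall || { echo "rc.local: /firewall/runfirewall failed" >&2; exit 1; }

# Run QOS rules
#/firewall/runqos

# Run DMZ
#/firewall/rundmz

# Fix resolv.conf DNS (reinstalls /etc/resolv.conf.base)
/firewall/runresolv

exit 0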

rsyslog

rsyslog iptables configuration.

30-iptables.conf

Here we route iptables log messages into separate log files. Logstash will use these to ingest the logs separately and apply tags and unique filters.

/etc/rsyslog.d/30-iptables.conf

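# Set permissions for these files so logstash can read them.
# 0644 keeps the files world-readable for logstash but, unlike the previous
# 0755, does not mark every log file executable. Use 0640 together with a
# group logstash belongs to if the firewall logs should not be world-readable.
$FileCreateMode 0644
$DirCreateMode 0755

# Break the logs out based on the message it contains.
# "contains" matches anywhere in the message, so any other program logging
# one of these prefixes is filed here too. The "& stop" after each rule
# discards the matched message so later rules (the default syslog files) do
# not see it again; "~" is the deprecated pre-v7 spelling of "stop". The
# leading "-" on a file name skips the sync after every write.
:msg,contains,"DENIED: " -/var/log/firewall/denied.log
& stop
:msg,contains,"BLOCKEDHOSTS: " -/var/log/firewall/blockedhosts.log
& stop
:msg,contains,"WATCHED: " -/var/log/firewall/watched.log
& stop
:msg,contains,"OUTBOUND: " -/var/log/firewall/outbound.log
& stop
:msg,contains,"ACCEPTED: " -/var/log/firewall/accepted.log
& stop
:msg,contains,"UNAUTH SSH: " -/var/log/firewall/unauthssh.log
& stop
:msg,contains,"TRIPPORT: " -/var/log/firewall/tripport.log
& stop
:msg,contains,"SCAN: " -/var/log/firewall/scan.log
& stop
:msg,contains,"INBOUND: " -/var/log/firewall/inbound.log
& stop
# (a second "OUTBOUND: " rule was removed here: the first one above already
#  stops every message containing that prefix, so it could never match)
:msg,contains,"PREROUTING: " -/var/log/firewall/prerouting.log
& stop
:msg,contains,"POSTROUTING: " -/var/log/firewall/postrouting.log
& stop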

logrotate.d

iptables

Here we specify logrotate rules for the iptables logs that rsyslog splits out.

/etc/logrotate.d/iptables

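# Rotation for the per-chain firewall logs written by
# /etc/rsyslog.d/30-iptables.conf. One list covers all eleven files.
/var/log/firewall/denied.log
/var/log/firewall/blockedhosts.log
/var/log/firewall/watched.log
/var/log/firewall/accepted.log
/var/log/firewall/unauthssh.log
/var/log/firewall/tripport.log
/var/log/firewall/scan.log
/var/log/firewall/inbound.log
/var/log/firewall/outbound.log
/var/log/firewall/prerouting.log
/var/log/firewall/postrouting.log
{
        rotate 8
        size 10M
        missingok
        notifempty
        compress
        # copytruncate copies the live file and truncates it in place, so
        # rsyslog keeps writing to the same open file and no restart or HUP
        # is needed. The previous postrotate "rsyslog restart" was therefore
        # redundant and restarted the daemon (with a window in which kernel
        # log lines could be missed) on every rotation. Lines written between
        # the copy and the truncate are lost; that is inherent to copytruncate.
        copytruncate
}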

logstash

/etc/logrotate.d/logstash

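# Rotation for logstash's own logs.
/var/log/logstash/*.log
/var/log/logstash/*.err
/var/log/logstash/*.stdout
{
        rotate 7
        size 10M
        missingok
        notifempty
        compress
        # copytruncate copies and truncates the live file, so logstash keeps
        # writing to the same open file. The previous postrotate "logstash
        # restart" was therefore redundant and bounced the whole pipeline
        # (a JVM restart, with ingestion paused meanwhile) on every rotation.
        # Lines written between the copy and the truncate are lost; that is
        # inherent to copytruncate.
        copytruncate
}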

openvpn

openvpn.conf

/etc/openvpn/openvpn.conf

# OpenVPN server in bridged (tap) mode: clients are attached to LAN 1 via br0
# by the up/down scripts below.
port 4000
proto tcp
dev tap0
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh2048.pem
# Require the peer certificate to be a client certificate, so a client's
# own cert cannot be reused to pose as the server.
remote-cert-tls client
# This defines the IP range (*.80-99) used by the VPN hosts
# (below the DHCP pool, which starts at .100 in dhcpd.conf).
server-bridge 10.1.1.1 255.255.255.0 10.1.1.80 10.1.1.99
client-to-client
keepalive 10 120
# NOTE(review): no "cipher"/"auth" lines, so this build's defaults apply;
# pin them explicitly (and identically in the client profiles) rather than
# rely on a default that differs between OpenVPN versions. There is also no
# "tls-auth"/"tls-crypt", so the TCP port completes a TLS handshake with any
# client that connects before the certificate check rejects it.
# NOTE(review): compression on a TCP tunnel is the setup the VORACLE
# attack targets; "comp-lzo no" is safer if the clients can be updated
# together.
comp-lzo
persist-key
persist-tun
# Level 2 is required for the external up/down scripts below to run.
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
# NOTE(review): without "user nobody" / "group nogroup" the daemon keeps
# root privileges after initialisation.

up.sh

/etc/openvpn/up.sh

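#!/bin/sh
# OpenVPN "up" hook (openvpn.conf: script-security 2, up "/etc/openvpn/up.sh br0").
# OpenVPN appends its own arguments after the ones given in the config, so:
#   $1  bridge name from openvpn.conf ("br0")
#   $2  tun/tap device OpenVPN just created (tap0)
#   $3  tun_mtu
# A missing argument or a failed command exits non-zero, which OpenVPN treats
# as fatal for an up script, instead of leaving the bridge half configured.
set -eu

BR=$1
DEV=$2
MTU=$3

# Bring the tap device up in promiscuous mode with the tunnel MTU, then add
# it to the LAN 1 bridge so VPN clients are on the same segment as eth1.
/sbin/ifconfig "$DEV" mtu "$MTU" promisc up
/sbin/brctl addif "$BR" "$DEV"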

down.sh

/etc/openvpn/down.sh

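#!/bin/sh
# OpenVPN "down" hook: undoes up.sh. The previous copy of this file was
# identical to up.sh and re-added the tap device to the bridge on shutdown
# instead of detaching it.
#   $1  bridge name from openvpn.conf ("br0")
#   $2  tun/tap device being torn down (tap0)
set -eu

BR=$1
DEV=$2

# Detach the tap device from the LAN 1 bridge and take it down.
/sbin/brctl delif "$BR" "$DEV"
/sbin/ifconfig "$DEV" down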

Set permissions

chmod 755 /etc/openvpn/up.sh
chmod 755 /etc/openvpn/down.sh

profile

Here we add the /firewall directory to the PATH so its commands can be run from anywhere on the command line.

/etc/profile

# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "`id -u`" -eq 0 ]; then
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/firewall"
else
  PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/firewall"
fi
export PATH

if [ "$PS1" ]; then
  if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    if [ "`id -u`" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
  unset i
fi

grub (defaults)

Set GRUB_TIMEOUT=1 to make host boot faster

/etc/default/grub

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
# Local change: the menu timeout is shortened to 1 second so the router is
# back up quickly after a reboot (the only edit to the packaged file).
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

Ran update-grub for the change to take effect.

update-grub

Scripts

runclock

/firewall/runclock

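#!/bin/bash
# One-shot clock sync, run daily from root's crontab.
# Steps the clock with ntpdate against a single public server over plain,
# unauthenticated NTP. The server can be overridden through the NTP_SERVER
# environment variable without editing the script; the default is the one
# used before.
set -euo pipefail

NTP_SERVER="${NTP_SERVER:-clock.isc.org}"

# A failure (no network, name not resolvable) is reported on stderr and the
# exit status is non-zero; whether cron shows that depends on the crontab
# entry's output redirection.
ntpdate "$NTP_SERVER"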

updates

rundailyupdates

/firewall/rundailyupdates

#!/bin/bash
#  Fyzix 2016/03
# Launches the update script in a detached screen session so the crontab job
# returns at once while the upgrade keeps running; the session can be joined
# later with "screen -r" and the session name to see what happened.

SESSION_NAME="apt-daily-updates"
# NOTE(review): this page installs the script as /firewall/update; this path
# presumably resolves through a copy or symlink under /usr/sbin -- confirm.
UPDATE_SCRIPT="/usr/sbin/update"

/usr/bin/screen -dmS "$SESSION_NAME" "$UPDATE_SCRIPT"

update

/firewall/update

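#!/bin/bash
# Unattended apt maintenance: refresh the package lists, then upgrade,
# dist-upgrade and autoremove, answering "yes" to every apt question.
# Started by rundailyupdates inside a detached screen session and from the
# management menu (option 97).
set -euo pipefail

# Nobody is watching the detached session to answer debconf questions;
# without this a question asked during dist-upgrade blocks the run forever.
# (dpkg conffile prompts are separate: pass dpkg --force-confdef/--force-confold
# via apt's Dpkg::Options if those also need an unattended answer.)
export DEBIAN_FRONTEND=noninteractive

echo This script will update and upgrade everything.
echo
# With set -e a failed "update" (no network, mirror down) stops here instead
# of upgrading from stale package lists.
apt-get -y update
apt-get -y upgrade
apt-get -y dist-upgrade
apt-get -y autoremove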

Firewall / QOS / DMZ

menu

/firewall/menu

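#!/bin/bash

# 2016/02 Fyzix
# Menu script for management of this Firewall/Router and its features.
#
# Runs as root: most entries edit files under /etc or restart services.
# Helper scripts are called by their full path under FIREWALL_SCRIPTS_PATH
# so the menu does not depend on /firewall being on PATH (sudo's secure_path
# does not include it).

### Variables ###
EDITOR="vi"
#EDITOR="nano"
FIREWALL_SCRIPTS_PATH="/firewall"
GEOIP_DB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"

# Wait for Enter before the menu is redrawn, so command output stays visible.
pause() {
    echo ""
    read -r -p "Press Enter to return to Main Menu."
}

# Restart a system service with a status message on either side.
#   $1  service name as known to service(8)
#   $2  human-readable name used in the messages
restart_service() {
    local svc=$1
    local label=$2
    echo "Restarting ${label}..."
    service "$svc" restart
    echo "${label} restarted."
    pause
}

while :
do
    clear
    cat<<EOF

============================================================================================
                                      Management Menu
--------------------------------------------------------------------------------------------

  Please enter your selection:

  -=[Basics]=-                                    -=[OpenVPN]=-
* Modify IP address configuration    (1)        * Modify OpenVPN configuration       (17)
* Modify Startup configuration       (2)        * Generate OpenVPN client certs      (18)
* Modify crontab                     (3)        * Modify OpenVPN client cert gen     (19)
                                                * Modify OpenVPN client cert index   (20)
  -=[Firewall]=-                                * Restart OpenVPN service            (21)
* (re)Enable Firewall                (4)
* (re)Enable QOS                     (5)          -=[ELK Stack Analytics]=-
* (re)Enable DMZ                     (6)        * Restart ELK Stack                  (22)
* Disable Firewall                   (7)        * Execute ELK Stack index purge      (23)
* Disable QOS                        (8)        * Modify ELK Stack index purge       (24)
* Disable DMZ                        (9)        * Fetch Geo-IP DB for ELK stack      (25)
* Modify IPv4 Firewall               (10)
* Modify IPv6 Firewall               (11)         -=[IDS]=-
* Modify IPv4 DMZ                    (12)       * Bounce IDS                         (26)

  -=[DNS]=-                                     *  Run Updates                       (97)
* Modify DNS configuration           (13)       *  Reboot                            (98)
* Restart DNS service                (14)       *  Poweroff                          (99)
                                                                (Q)uit
  -=[DHCP]=-
* Modify DHCP configuration          (15)
* Restart DHCP service               (16)

--------------------------------------------------------------------------------------------
EOF
    read -r -p "Selection: " n
    case "$n" in
    "1")
        "$EDITOR" /etc/network/interfaces
        ;;
    "2")
        "$EDITOR" /etc/rc.local
        ;;
    "3")
        crontab -e
        ;;
    "4")
        "${FIREWALL_SCRIPTS_PATH}/runfirewall"
        pause
        ;;
    "5")
        "${FIREWALL_SCRIPTS_PATH}/runqos"
        pause
        ;;
    "6")
        "${FIREWALL_SCRIPTS_PATH}/rundmz"
        pause
        ;;
    "7")
        "${FIREWALL_SCRIPTS_PATH}/rundropwall"
        pause
        ;;
    "8")
        "${FIREWALL_SCRIPTS_PATH}/rundropqos"
        pause
        ;;
    "9")
        # NOTE(review): "Disable DMZ" re-runs the full firewall ruleset; there
        # is no rundropdmz counterpart to rundropwall/rundropqos on this page.
        # Confirm that re-applying runfirewall is the intended way to drop the
        # DMZ rules.
        "${FIREWALL_SCRIPTS_PATH}/runfirewall"
        pause
        ;;
    "10")
        "$EDITOR" "${FIREWALL_SCRIPTS_PATH}/run4firewall"
        ;;
    "11")
        "$EDITOR" "${FIREWALL_SCRIPTS_PATH}/run6firewall"
        ;;
    "12")
        "$EDITOR" "${FIREWALL_SCRIPTS_PATH}/rundmz"
        ;;
    "13")
        "$EDITOR" /etc/unbound/unbound.conf
        ;;
    "14")
        restart_service unbound "Unbound DNS Service"
        ;;
    "15")
        "$EDITOR" /etc/dhcp/dhcpd.conf
        ;;
    "16")
        restart_service isc-dhcp-server "DHCP Service"
        ;;
    "17")
        "$EDITOR" /etc/openvpn/openvpn.conf
        ;;
    "18")
        /etc/openvpn/gen_ovpn_pw_client_config.sh
        pause
        ;;
    "19")
        "$EDITOR" /etc/openvpn/gen_ovpn_pw_client_config.sh
        ;;
    "20")
        "$EDITOR" /etc/openvpn/easy-rsa/2.0/keys/index.txt
        ;;
    "21")
        restart_service openvpn "OpenVPN Service"
        ;;
    "22")
        echo "Restarting ELK Stack...."
        service logstash stop
        echo "Logstash Stopped."
        service elasticsearch stop
        echo "Elasticsearch Stopped."
        service kibana stop
        echo "Kibana Stopped."
        echo ""
        service kibana start
        echo "Kibana Started."
        service elasticsearch start
        echo "Elasticsearch Started."
        service logstash start
        echo "Logstash Started."
        pause
        ;;
    "23")
        "${FIREWALL_SCRIPTS_PATH}/runpurgeelkindex"
        pause
        ;;
    "24")
        "$EDITOR" "${FIREWALL_SCRIPTS_PATH}/runpurgeelkindex"
        ;;
    "25")
        # The database is fetched over plain HTTP with no checksum or
        # signature check, so its integrity rests on the network path.
        # Done in a subshell so a failed cd does not leave the download in
        # the current directory (or change the menu's cwd); -O and gunzip -f
        # overwrite a previous copy instead of creating GeoLiteCity.dat.gz.1
        # and unpacking the stale one.
        (
            cd /etc/logstash || exit 1
            wget -O GeoLiteCity.dat.gz "$GEOIP_DB_URL" \
                && gunzip -f GeoLiteCity.dat.gz
        ) || echo "Geo-IP DB download failed." >&2
        echo
        echo "You will need to restart the ELK Stack (Option 22) to reinitalize the Geo-IP DB."
        pause
        ;;
    "26")
        "${FIREWALL_SCRIPTS_PATH}/runids"
        pause
        ;;
    "97")
        # NOTE(review): the update script is installed as /firewall/update on
        # this page; /usr/sbin/update presumably is a copy or symlink -- confirm.
        /usr/sbin/update
        ;;
    "98")
        read -r -p "Are you sure? Ctrl+C to break. Enter to continue."
        echo "Rebooting..."
        reboot
        ;;
    "99")
        read -r -p "Are you sure? Ctrl+C to break. Enter to continue."
        echo "Powering off..."
        poweroff
        ;;
    "Q"|"q")
        exit
        ;;
    *)
        echo "invalid option"
        ;;
    esac
    sleep 1
done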

runfirewall

/firewall/runfirewall

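#!/bin/bash

# 2016/02 Fyzix
# This will execute both ipv4 and ipv6 firewalls.
#
# Each ruleset is applied even if the other fails, and the exit status is
# non-zero if either failed, so rc.local (sh -e) and the menu can tell that
# the box may be running with an incomplete ruleset. Previously only the
# status of run6firewall was visible to the caller.

status=0
/firewall/run4firewall || { echo "runfirewall: run4firewall failed (exit $?)" >&2; status=1; }
/firewall/run6firewall || { echo "runfirewall: run6firewall failed (exit $?)" >&2; status=1; }
exit "$status"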

run4firewall

This iptables firewall has special support for CenturyLink fiber-to-the-home VLAN tagging (VLAN 201).

/firewall/run4firewall

#!/bin/bash

# 2016/02 Fyzix
# Iptables ipv4 firewall ruleset

# The following rules will clear out any existing FIREWALL rules,
# and any chains that might have been created.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -Z

## Define Networks
# eth0 - External IP - Uncomment for traditional networks without VLAN tagging
EXTNET=`ifconfig eth0 | grep "inet " | awk -F'[: ]+' '{ print $4 }'` # Primary IP Address
# eth0 - External IP - Uncomment for Centurylink FTTH - VLAN tagging 201
#EXTNET=`ifconfig eth0.201 | grep "inet " | awk -F'[: ]+' '{ print $4 }'` # Primary IP Address
# eth1 - Internal Network - LAN 1
INTNET1="10.1.1.0/24"
# eth2 - Internal Network - LAN 2
INTNET2="10.2.2.0/24"
# eth3 - Internal Network - LAN 3
INTNET3="10.3.3.0/24"
# VPN Network
VPNNET1="10.1.1.0/24"

## Real Interfaces
# eth0 - WAN Interface - Uncomment for traditional networks without VLAN tagging
INT0="eth0" # - WAN Interface.
# eth0.201 - WAN Interface -  Uncomment for Centurylink FTTH - VLAN tagging 201
#INT0="eth0.201" # - WAN Interface.
INT1="br0" # 10.1.1.1 - LAN 1 # Use eth1 if not in bridging mode.
INT2="eth1" # 10.1.1.1 - LAN 1
INT3="eth2" # 10.2.2.1 - LAN 3
INT4="eth3" # 10.3.3.1 - LAN 3
VPN0="tap0" # 10.1.1.1 - VPN

# The logs consider the gateway IP for all LAN connections.
# We will use this for exclusion in the Watched feature since we don't want requests to the gateway cluttering our ELK log analysis.
INT1_INTERFACE_IP="10.1.1.1"


# Enable IP Masquerading in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Test if iptable_nat module is loaded, its boot time, not likely :)
if [ -z "`lsmod|grep iptable_nat`" ];
  then
  modprobe iptable_nat
fi

# Test if existing MASQ rules exist, its boot time, not likely :)
# Source NAT everything heading out the $INT0 (external)
# interface to be the given IP.
if [ -z "`iptables -L -t nat|grep MASQUERADE`" ];
  then
  iptables -t nat -A POSTROUTING -o $INT0 -j SNAT --to $EXTNET
  iptables -t nat -A POSTROUTING -o $INT0 -s $INTNET1 -j MASQUERADE
  iptables -t nat -A POSTROUTING -o $INT0 -s $INTNET2 -j MASQUERADE
  iptables -t nat -A POSTROUTING -o $INT0 -s $INTNET3 -j MASQUERADE
fi

## Default policies
# Drop everything by default, then punch a hole to allow certain traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow unlimited traffic on Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

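## Build the chains
## Each chain offers two logging styles: (1) log only NEW connections, or
## (2) log every matching packet, rate-limited to 15 per minute. One of the two
## is enabled per chain; the other is left commented out for easy switching.

# DENIED: rate-limited log, then drop. Used as the final INPUT trap.
iptables -N DENIED
#iptables -A DENIED -m state --state NEW -j LOG --log-prefix "DENIED: "
iptables -A DENIED -m limit --limit 15/minute -j LOG --log-prefix "DENIED: "
iptables -A DENIED -j DROP

# OUTBOUND: log NEW connections, then accept.
# The ACCEPT is appended (-A) after the LOG rule; inserting it at the head of the
# chain (-I) would make the LOG rule unreachable. No rule in this script appears
# to jump here yet (OUTPUT logging is done directly in the logging section).
iptables -N OUTBOUND
iptables -A OUTBOUND -m state --state NEW -j LOG --log-prefix "OUTBOUND: "
#iptables -A OUTBOUND -m limit --limit 15/minute -j LOG --log-prefix "OUTBOUND: "
iptables -A OUTBOUND -j ACCEPT

# BLOCKEDHOSTS: rate-limited log, then drop. Target of the (commented-out)
# blocked-hosts rules further down.
iptables -N BLOCKEDHOSTS
#iptables -A BLOCKEDHOSTS -m state --state NEW -j LOG --log-prefix "BLOCKEDHOSTS: "
iptables -A BLOCKEDHOSTS -m limit --limit 15/minute -j LOG --log-prefix "BLOCKEDHOSTS: "
iptables -A BLOCKEDHOSTS -j DROP

# ACCEPTED: log NEW connections, then accept. Used by the service rules
# (OpenVPN, SSH, ...) in the "Accepted chain" section.
iptables -N ACCEPTED
iptables -A ACCEPTED -m state --state NEW -j LOG --log-prefix "ACCEPTED: "
#iptables -A ACCEPTED -m limit --limit 2/minute -j LOG --log-prefix "ACCEPTED: "
iptables -A ACCEPTED -j ACCEPT

# FORWARDED: log NEW connections, then accept.
# These rules must target FORWARDED, not ACCEPTED: appending them to ACCEPTED
# (an easy copy/paste slip) leaves this chain empty and gives ACCEPTED a second
# LOG line plus an unreachable second ACCEPT. No FORWARD rule in this script
# appears to jump here yet.
iptables -N FORWARDED
iptables -A FORWARDED -m state --state NEW -j LOG --log-prefix "FORWARDED: "
#iptables -A FORWARDED -m limit --limit 2/minute -j LOG --log-prefix "FORWARDED: "
iptables -A FORWARDED -j ACCEPT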

## Basic Traffic Forwarding Rules
# Accept Traffic to and from interfaces.
# NOTE(review): every rule in this section is an unconditional ACCEPT on an
# (in, out) interface pair, and all of them are appended *before* the
# "protection" DROP/REJECT rules at the end of the section. FORWARD is
# evaluated top to bottom, so those later rules can only match interface pairs
# that are not accepted here. Whether unsolicited WAN->LAN forwarding (e.g.
# DNAT'd port-forwards or DMZ traffic) should really be accepted without a
# state check is worth confirming.
# LAN 1 to itself and to WAN. The $INT1->$INT1 rule makes the REJECT for that
# pair below unreachable; the $INT1->$INT0 rule is repeated under "WAN to LAN 1".
iptables -A FORWARD -i $INT1 -o $INT1 -j ACCEPT
iptables -A FORWARD -i $INT1 -o $INT0 -j ACCEPT
# WAN to LAN 1
iptables -A FORWARD -i $INT0 -o $INT1 -j ACCEPT
iptables -A FORWARD -i $INT1 -o $INT0 -j ACCEPT
# WAN to $INT2 (eth1; "LAN 2" here, labelled LAN 1 in the variable comments)
iptables -A FORWARD -i $INT0 -o $INT2 -j ACCEPT
iptables -A FORWARD -i $INT2 -o $INT0 -j ACCEPT
# WAN to $INT3 (eth2)
iptables -A FORWARD -i $INT0 -o $INT3 -j ACCEPT
iptables -A FORWARD -i $INT3 -o $INT0 -j ACCEPT
# WAN to $INT4 (eth3)
iptables -A FORWARD -i $INT0 -o $INT4 -j ACCEPT
iptables -A FORWARD -i $INT4 -o $INT0 -j ACCEPT
# For VPN trusted subnet
# Bidirectional forward WAN to VPN
iptables -A FORWARD -i $INT0 -o $VPN0 -j ACCEPT
iptables -A FORWARD -i $VPN0 -o $INT0 -j ACCEPT
# Bidirectional forward LAN 1 to VPN0
iptables -A FORWARD -i $INT1 -o $VPN0 -j ACCEPT
iptables -A FORWARD -i $VPN0 -o $INT1 -j ACCEPT
# Bidirectional forward $INT2 to VPN0
iptables -A FORWARD -i $INT2 -o $VPN0 -j ACCEPT
iptables -A FORWARD -i $VPN0 -o $INT2 -j ACCEPT
# Bidirectional forward $INT3 to VPN0 (no rule for $INT4<->$VPN0)
iptables -A FORWARD -i $INT3 -o $VPN0 -j ACCEPT
iptables -A FORWARD -i $VPN0 -o $INT3 -j ACCEPT
# Forward internal networks to each other so they can see each other. Probably need a route to reach these.
# (Disabled. Note -I would put these at the head of the chain, ahead of everything above.)
#iptables -I FORWARD -i $INT1 -o $INT2 -s $INTNET1 -d $INTNET2 -j ACCEPT
#iptables -I FORWARD -i $INT2 -o $INT1 -s $INTNET2 -d $INTNET1 -j ACCEPT
#iptables -I FORWARD -i $INT4 -o $INT1 -s $INTNET1 -d $INTNET3 -j ACCEPT
#iptables -I FORWARD -i $INT1 -o $INT4 -s $INTNET3 -d $INTNET1 -j ACCEPT

# These rules are meant to protect the forwarding rules: drop NEW and INVALID
# packets entering on each interface, and reject hairpin forwarding (same
# interface in and out).
# NOTE(review): because of the unconditional ACCEPTs above, they are only
# reached for interface pairs not listed there (e.g. $INT1<->$INT2, $INT3<->$INT4,
# $INT4<->$VPN0); they do not restrict WAN->LAN NEW connections as the wording
# suggests. Reordering them would also block LAN->WAN NEW connections, so the
# intended policy needs to be decided before moving them.
iptables -A FORWARD -i $INT0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INT1 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INT2 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INT3 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INT4 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INT0 -o $INT0 -j REJECT
iptables -A FORWARD -i $INT1 -o $INT1 -j REJECT
iptables -A FORWARD -i $INT2 -o $INT2 -j REJECT
iptables -A FORWARD -i $INT3 -o $INT3 -j REJECT
iptables -A FORWARD -i $INT4 -o $INT4 -j REJECT

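# Allow DNS: queries out of each interface, and replies back in.
# Replies are only accepted when they belong to an established conntrack entry.
# A bare "--sport 53 -j ACCEPT" would let any UDP packet with source port 53
# reach any local UDP service from the WAN; the state match closes that hole.
# (For the internal interfaces this is moot — they are accepted wholesale by the
# -I INPUT rules in the "Allow traffic" section — so in practice this governs $INT0.)
for iface in "$INT0" "$INT1" "$INT2" "$INT3" "$INT4"; do
  iptables -A OUTPUT -p udp -o "$iface" --dport 53 -j ACCEPT
  iptables -A INPUT -p udp -i "$iface" --sport 53 -m state --state ESTABLISHED -j ACCEPT
done

# Allow internal subnet multicast (no rule for $INT4).
iptables -A INPUT -i "$INT1" -m pkttype --pkt-type multicast -j ACCEPT
iptables -A INPUT -i "$INT2" -m pkttype --pkt-type multicast -j ACCEPT
iptables -A INPUT -i "$INT3" -m pkttype --pkt-type multicast -j ACCEPT
iptables -A INPUT -i "$VPN0" -m pkttype --pkt-type multicast -j ACCEPT

# We are a DHCP server for the internal subnets.
# DHCPDISCOVER arrives from 0.0.0.0 (no subnet to match on), so that rule is
# restricted to non-WAN interfaces: a request arriving on $INT0 must not reach
# the local DHCP server. The router's own DHCP client on $INT0 is unaffected
# (it receives replies on 67->68, not 68->67).
iptables -A INPUT -p udp -s "$INTNET1" -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -p udp -s "$INTNET2" -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -p udp -s "$INTNET3" -d 255.255.255.255 -j ACCEPT
iptables -A INPUT ! -i "$INT0" -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT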

## Blocking and denying traffic
# Block traffic outbound for a specific internal IP address. Host can still hit local subnet hosts.
#iptables -A FORWARD -d some.internal.ip.address -j DROP

# Blocked hosts # Naughty repeat offenders that we want to deny, but log.
#iptables -A INPUT -s some.external.ip.address -j BLOCKEDHOSTS

# Dropped hosts # Naughty repeat offenders that we want to deny, but not log.
#iptables -A INPUT -s some.external.ip.address -j DROP

## Watched hosts # This feature allows a host on the internal network to be monitored.
# It can be analyzed using ELK Stack analytics.
# Uncomment the associated rules in conjunction with the parameter.
#WATCHED01="some.internal.ip.address"
#WATCHED02=""
#WATCHED03=""
#WATCHED04=""
#WATCHED05=""
# WATCHED01
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED01 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED01 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED01 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED01 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
# WATCHED02
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED02 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED02 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED02 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED02 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
# WATCHED03
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED03 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED03 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED03 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED03 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
# WATCHED04
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED04 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED04 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED04 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED04 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
# WATCHED05
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED05 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat ! -d $INT1_INTERFACE_IP -s $WATCHED05 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED05 -A PREROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "
#iptables -t nat -d $WATCHED05 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "WATCHED: "

## Logging for analytics
# Log new connections on FORWARD, INPUT, INPUT NAT, OUTPUT, OUTPUT NAT.
# The INPUT rule is inserted (-I) so it sits above the trip-port and DENIED
# rules and records every NEW inbound connection, not only accepted ones. The
# -I INPUT accepts for the internal interfaces (in the "Allow traffic" section)
# are inserted afterwards and therefore end up above it, so LAN-originated
# connections to the router are not logged by this rule.
# NOTE(review): the OUTPUT rule is appended, while the "Allow traffic" section
# inserts an unconditional ACCEPT for every interface at the head of OUTPUT —
# so this "OUTBOUND:" filter-table log is effectively unreachable; outbound
# logging comes from the nat-table OUTPUT rule below.
iptables -A FORWARD -m state --state NEW -j LOG --log-prefix "FORWARD: "
iptables -I INPUT ! -d 127.0.0.1 -m state --state NEW -j LOG --log-prefix "INBOUND: "
iptables -A OUTPUT ! -d 127.0.0.1 -m state --state NEW -j LOG --log-prefix "OUTBOUND: "
# Log new connections for everything but 127.0.0.1 traffic for pre and post routing.
# Each NEW connection is thus logged several times (filter + nat chains); these
# are unlimited LOG rules, so watch the log volume under a scan or flood.
iptables -t nat ! -d 127.0.0.1 -A INPUT -m state --state NEW -j LOG --log-prefix "INBOUND: "
iptables -t nat ! -d 127.0.0.1 -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUTBOUND: "
iptables -t nat ! -d 127.0.0.1 -A PREROUTING -m state --state NEW -j LOG --log-prefix "PREROUTING: "
iptables -t nat ! -d 127.0.0.1 -A POSTROUTING -m state --state NEW -j LOG --log-prefix "POSTROUTING: "

## Allow traffic
# Allow output traffic from internal subnets
# -I inserts at the head of the chain, ahead of everything appended so far
# (including the NEW-connection LOG rule): all locally generated traffic leaving
# on any of these interfaces is accepted unconditionally. Later -A OUTPUT rules
# (DNS, service rules) only see packets leaving on an interface not listed here.
iptables -I OUTPUT -o $INT0 -j ACCEPT
iptables -I OUTPUT -o $INT1 -j ACCEPT
iptables -I OUTPUT -o $INT2 -j ACCEPT
iptables -I OUTPUT -o $INT3 -j ACCEPT
iptables -I OUTPUT -o $INT4 -j ACCEPT
iptables -I OUTPUT -o $VPN0 -j ACCEPT

# Allow input traffic from internal subnets
# Same pattern: anything arriving on a LAN or VPN interface is accepted before
# any other INPUT rule. Every remaining INPUT rule in this script therefore
# effectively applies to $INT0 only (lo is accepted near the top).
iptables -I INPUT -i $INT1 -j ACCEPT
iptables -I INPUT -i $INT2 -j ACCEPT
iptables -I INPUT -i $INT3 -j ACCEPT
iptables -I INPUT -i $INT4 -j ACCEPT
iptables -I INPUT -i $VPN0 -j ACCEPT

# Drop invalid packets (conntrack INVALID). "Immediately" in rule order only:
# these are appended, so they run after all the accepts above.
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP

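# Drop TCP flag combinations that never occur in legitimate traffic (XMAS,
# all-flags, null and similar malformed segments). These rules sit below the
# -I INPUT accepts for the internal interfaces, so in practice they apply to
# traffic arriving on $INT0.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Rate-limit inbound RST packets (RST floods).
# The limit match succeeds while the rate is *under* the limit, so
# "-m limit ... -j DROP" would drop the first two RSTs per second and let a
# flood through. A small chain gets the logic right: packets within the budget
# RETURN to INPUT and continue through the normal state rules; the excess is
# dropped.
iptables -N RST_LIMIT
iptables -A RST_LIMIT -m limit --limit 2/second --limit-burst 2 -j RETURN
iptables -A RST_LIMIT -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j RST_LIMIT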

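# ICMP: accept the types a working host needs, rate-limit echo requests and
# drop the rest. The final rule must be DROP, not ACCEPT: with ACCEPT the rate
# limit on echo-request is meaningless (over-limit pings fall through and are
# accepted anyway) and every other ICMP type reaches the host.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT   # echo-reply
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT   # destination-unreachable (incl. fragmentation-needed for PMTUD)
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT  # time-exceeded (traceroute)
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT  # echo-request, rate-limited
iptables -A INPUT -p icmp -j DROP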

## Tripport Chain # Hackers commonly hit these ports.
# Port scans that hit the tripport are locked out for an entire day.
# Any source that the trip-port rules below have put on the "portscan" recent
# list within the last 86400 s is dropped on INPUT and FORWARD. --rcheck does
# not refresh the entry's timestamp, so the lockout counts from the last trip.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list.
# (No -j target: these only update the list and fall through to the next rule.)
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
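# Trip ports: SSH on the default port, telnet, SMB, IKE, MSSQL, RDP, 6886 and a
# decoy port just in front of the real SSH port. Any source touching one of
# these is recorded in the "portscan" recent list (checked above) and is then
# dropped for a day.
# NOTE(review): the FORWARD rules sit below the blanket interface-pair ACCEPTs
# in the FORWARD chain above, so they can only match pairs not accepted there —
# confirm that is intended.
#
# add_tripport PORT LOG_PREFIX
#   Appends, for tcp and udp and for the INPUT and FORWARD chains, a LOG rule
#   followed by a DROP rule; both record the source in the "portscan" list.
#   PORT may be a single port or a "low:high" range. Rule order matches the
#   previous hand-written list (tcp before udp, INPUT before FORWARD).
add_tripport() {
  local port=$1
  local prefix=$2
  local proto chain
  for proto in tcp udp; do
    for chain in INPUT FORWARD; do
      iptables -A "$chain" -p "$proto" -m "$proto" --dport "$port" -m recent --name portscan --set -j LOG --log-prefix "$prefix"
      iptables -A "$chain" -p "$proto" -m "$proto" --dport "$port" -m recent --name portscan --set -j DROP
    done
  done
}

add_tripport 22 "UNAUTH SSH: "       # Unauthorized SSH on default port (real sshd is elsewhere)
add_tripport 23 "TRIPPORT: "         # Telnet (this will catch early port scanners)
add_tripport 445 "TRIPPORT: "        # MSFT Directory services (e.g. NetBIOS/SMB)
add_tripport 500 "TRIPPORT: "        # Cisco VPN / IKE (the former "TCP" block for this port duplicated the UDP rules; tcp/500 is now tripped too)
add_tripport 1024:1030 "TRIPPORT: "  # MSFT SQL Garbage 1024-1030
add_tripport 1433 "TRIPPORT: "       # MSFT SQL Garbage 1433
add_tripport 3389 "TRIPPORT: "       # Remote Desktop # Don't run RDP on standard ports.
add_tripport 6886 "TRIPPORT: "       # 6886
add_tripport 31020 "TRIPPORT: "      # In front of the port used for SSH.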

## Accepted chain.
# Service rules: each published service jumps to ACCEPTED (log NEW, then accept).
# The INPUT rules carry no -i restriction; since the internal interfaces are
# accepted wholesale by the -I INPUT rules above, in effect they open the port
# on $INT0. The matching OUTPUT rules only see packets leaving on an interface
# not covered by the -I OUTPUT accepts, i.e. they are effectively unused.
# Accept HTTP
#iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTED
#iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPTED

# Accept HTTPS
#iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTED
#iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPTED

# Accept OpenVPN (TCP 4000; runqos marks the same port for shaping)
iptables -A INPUT -p tcp --dport 4000 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTED
iptables -A OUTPUT -p tcp --sport 4000 -m conntrack --ctstate ESTABLISHED -j ACCEPTED

# Accept SSH on non-standard port
# NOTE(review): run6firewall and runqos use 32022 for SSH while this rule uses
# 31022 — confirm which port sshd actually listens on.
iptables -A INPUT -p tcp --dport 31022 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTED
iptables -A OUTPUT -p tcp --sport 31022 -m conntrack --ctstate ESTABLISHED -j ACCEPTED

# Accept RDP # Non-Standard port
#iptables -A INPUT -p tcp --dport 46900 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTED
#iptables -A OUTPUT -p tcp --sport 46900 -m conntrack --ctstate ESTABLISHED -j ACCEPTED



# Rate limit port scans / SYN floods from the WAN.
# Every NEW TCP connection arriving on $INT0 is recorded in the recent module's
# default list (separate from "portscan"); more than 20 in 30 seconds from one
# source is logged and dropped. Keep this below the service rules above so that
# connections to published services are matched (and accepted) first.
iptables -A INPUT -p tcp -i $INT0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i $INT0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j LOG --log-level 4 --log-prefix "SCAN: "
iptables -A INPUT -p tcp -i $INT0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP

# Basic state matching: accept packets belonging to connections we already
# know about (and RELATED ones, so client-side things like FTP work).
# NOTE(review): this is appended near the end of INPUT, so every packet of an
# established WAN flow first walks through the flag, ICMP, trip-port and
# rate-limit rules above. Rulesets usually place this rule much earlier for
# that reason; moving it is safe as long as no rule above needs to see
# established packets (the SYN-rate counter only matches NEW).
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Port forwarding chain.
# Here we log new connections and map the ports to their destination host.
# Some examples below. You will need a corresponding rule in the Accepted chain above.
# Port Forward non-standard SSH to our webserver
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 31022 -i $INT0 -m state --state NEW -j LOG --log-prefix "ACCEPTED: "
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 31022 -i $INT0 -j DNAT --to-destination 10.1.1.4:32022
# Port forward HTTP to our webserver
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 80 -i $INT0 -m state --state NEW -j LOG --log-prefix "ACCEPTED: "
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 80 -i $INT0 -j DNAT --to-destination 10.1.1.4:80
# Port forward HTTPS to our webserver
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 443 -i $INT0 -m state --state NEW -j LOG --log-prefix "ACCEPTED: "
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 443 -i $INT0 -j DNAT --to-destination 10.1.1.4:443
# Port forward RDP on non-standard port # Don't RDP on Standard ports
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 46900 -i $INT0 -m state --state NEW -j LOG --log-prefix "ACCEPTED: "
#iptables -t nat -A PREROUTING -p tcp -d $EXTNET --dport 46900 -i $INT0 -j DNAT --to-destination 10.1.1.11:3389


## Our final trap. Everything on INPUT goes to the DENIED chain.
# Anything that reached this point without being accepted is logged
# (rate-limited) and dropped; the INPUT policy (DROP) is then only a fallback.
iptables -A INPUT -j DENIED


echo "IPv4 Firewall Enabled."

run6firewall

/firewall/run6firewall

#!/bin/bash

# 2016/02 Fyzix
# Iptables ipv6 firewall ruleset

# The following rules will clear out any existing FIREWALL rules,
# and any chains that might have been created (filter and mangle tables only;
# the nat and raw tables are not touched by this script). Chain policies are
# not reset here — they are set explicitly below.
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X

# Real Interfaces
# eth0 - WAN Interface - Uncomment for traditional networks without VLAN tagging
INT0="eth0" # - WAN Interface.
# eth0.201 - WAN Interface -  Uncomment for Centurylink FTTH - VLAN tagging 201
#INT0="eth0.201" # - WAN Interface.
INT1="br0"  # 10.1.1.1 - LAN 1 # Use eth1 if not in bridging mode.
INT2="eth1" # 10.1.1.1 - LAN 1
INT3="eth2" # 10.2.2.1 - LAN 2
INT4="eth3" # 10.3.3.1 - LAN 3
VPN0="tap0" # 10.1.1.1 - VPN

# Enable IPv6 forwarding in the kernel ("masquerading" is an IPv4 term; there
# is no NAT in this script).
# NOTE(review): the FORWARD policy below is DROP and this script adds no
# FORWARD rules, so no IPv6 is actually forwarded — presumably intended (v6 for
# the router itself only); confirm. Also, with forwarding=1 the kernel stops
# honouring router advertisements on interfaces whose accept_ra is 1 (the
# default); if the WAN default route comes from RAs, $INT0 needs accept_ra=2.
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# Default policies: drop everything not explicitly accepted below.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Allow unlimited traffic on Loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow output traffic to the internal interfaces.
# Unconditional: no state or ICMPv6 restrictions on the LAN/VPN side.
ip6tables -A OUTPUT -o $INT1 -j ACCEPT
ip6tables -A OUTPUT -o $INT2 -j ACCEPT
ip6tables -A OUTPUT -o $INT3 -j ACCEPT
ip6tables -A OUTPUT -o $INT4 -j ACCEPT
ip6tables -A OUTPUT -o $VPN0 -j ACCEPT

# Allow input traffic from the internal interfaces (unconditional, as above).
# Every remaining INPUT rule in this script therefore concerns $INT0 only.
ip6tables -A INPUT -i $INT1 -j ACCEPT
ip6tables -A INPUT -i $INT2 -j ACCEPT
ip6tables -A INPUT -i $INT3 -j ACCEPT
ip6tables -A INPUT -i $INT4 -j ACCEPT
ip6tables -A INPUT -i $VPN0 -j ACCEPT

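# Allow full outgoing connections on the WAN; inbound only as part of a
# connection this host (or a RELATED helper) started.
ip6tables -A INPUT -i "$INT0" -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o "$INT0" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# ICMPv6 is not optional on IPv6: neighbour discovery, router advertisements and
# path-MTU discovery all run over it, and none of them are matched by the
# ESTABLISHED,RELATED rule above. With the INPUT policy at DROP and no ICMPv6
# rule, the WAN interface cannot learn its next hop or receive Packet-Too-Big.
# The types below are the minimum set from RFC 4890 (numeric types for
# portability across ip6tables versions). NDP messages must carry hop limit 255,
# which a packet that crossed a router cannot have, so that is enforced too.
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 1 -j ACCEPT    # destination-unreachable
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 2 -j ACCEPT    # packet-too-big (PMTUD)
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 3 -j ACCEPT    # time-exceeded
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 4 -j ACCEPT    # parameter-problem
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 128 -m limit --limit 1/second -j ACCEPT  # echo-request, rate-limited
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 129 -j ACCEPT  # echo-reply
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT  # router-advertisement
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT  # neighbour-solicitation
ip6tables -A INPUT -i "$INT0" -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT  # neighbour-advertisement

# Allow DNS
# NOTE(review): these accept DNS queries from the IPv6 internet to this host.
# If a recursive resolver listens here that makes it an open resolver (abusable
# for amplification); if DNS is only meant for LAN clients (already accepted by
# the -A INPUT -i $INT1.. rules above) these two rules should go. Confirm intent.
ip6tables -A INPUT -i "$INT0" -p tcp --destination-port 53 -j ACCEPT
ip6tables -A INPUT -i "$INT0" -p udp --destination-port 53 -j ACCEPT

# Allow HTTP/HTTPS
#ip6tables -A INPUT -i $INT0 -p tcp --destination-port 80 -j ACCEPT
#ip6tables -A INPUT -i $INT0 -p tcp --destination-port 443 -j ACCEPT

# Allow SSH
# NOTE(review): the IPv4 ruleset accepts SSH on 31022; confirm which port sshd uses.
ip6tables -A INPUT -i "$INT0" -p tcp --destination-port 32022 -j ACCEPT

# Log everything else
#ip6tables -A INPUT -i $INT0 -j LOG
# Drop everything else arriving on the WAN. The INPUT policy is DROP as well;
# the explicit rule keeps the intent visible and gives the LOG rule above a
# meaningful position if it is enabled.
ip6tables -A INPUT -i "$INT0" -j DROP

echo "IPv6 Firewall Enabled."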

rundropwall

This iptables firewall has special support for CenturyLink fiber to the home VLAN tagging (VLAN 201).

/firewall/rundropwall

#!/bin/bash

# 2016/02 Fyzix
# This will allow all traffic. Note: You will not be protected!! Typically used for troubleshooting.

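### Define Networks ###
# eth0 - External IP - the primary IPv4 address on the WAN interface, used as
# the SNAT target below.
# Read it with "ip" rather than by parsing ifconfig: the ifconfig layout changed
# between net-tools releases ("inet addr:A.B.C.D" vs "inet A.B.C.D"), which
# silently breaks a fixed-column awk and yields a bogus address. "ip -o" prints
# one line per address; the 4th field is ADDR/PREFIX, and "exit" keeps only the
# first address. Empty if the interface has no IPv4 address yet.
# eth0 - External IP - Uncomment for traditional networks without VLAN tagging
EXTNET=$(ip -4 -o addr show dev eth0 | awk '{ sub(/\/.*/, "", $4); print $4; exit }') # Primary IP Address
# eth0.201 - External IP - Uncomment for Centurylink FTTH - VLAN tagging 201
#EXTNET=$(ip -4 -o addr show dev eth0.201 | awk '{ sub(/\/.*/, "", $4); print $4; exit }') # Primary IP Address
# eth1 - Internal Network - LAN 1
INTNET1="10.1.1.0/24"
# eth2 - Internal Network - LAN 2
INTNET2="10.2.2.0/24"
# eth3 - Internal Network - LAN 3
INTNET3="10.3.3.0/24"
# VPN Network (same subnet as LAN 1; presumably tap0 is bridged into br0 — confirm)
VPNNET1="10.1.1.0/24"

# Real Interfaces
# eth0 - WAN Interface - Uncomment for traditional networks without VLAN tagging
INT0="eth0" # 10.1.1.65 - WAN Interface.
# eth0.201 - WAN Interface - Uncomment for Centurylink FTTH - VLAN tagging 201 (keep in step with EXTNET above)
#INT0="eth0.201" # - WAN Interface.
INT1="br0" # 10.1.1.1 - LAN 1 # Use eth1 if not in bridging mode.
INT2="eth1" # 10.1.1.1 - LAN 1
INT3="eth2" # 10.2.2.1 - LAN 2
INT4="eth3" # 10.3.3.1 - LAN 3
VPN0="tap0" # 10.1.1.1 - VPN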

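# Enable IPv4 forwarding in the kernel (required to route/NAT between interfaces).
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the NAT module if it is not already loaded (normally only needed at boot).
if ! lsmod | grep -q iptable_nat; then
  modprobe iptable_nat
fi

# Install the NAT rules only once (skip if a MASQUERADE rule already exists).
# Source-NAT everything leaving $INT0 (external) to the given IP ($EXTNET).
# If you have a dynamic IP address, or a DHCP address that changes
# semi-regularly, leave $EXTNET empty (or remove the SNAT branch) and rely on
# the MASQUERADE rules: the SNAT rule matches all traffic leaving $INT0 and is
# appended first, so the per-subnet MASQUERADE rules below it are only reached
# when it is absent.
# -n avoids reverse DNS lookups while listing, which can stall at boot.
if ! iptables -t nat -L POSTROUTING -n | grep -q MASQUERADE; then
  if [ -n "$EXTNET" ]; then
    iptables -t nat -A POSTROUTING -o "$INT0" -j SNAT --to "$EXTNET"
  else
    # An empty --to makes iptables reject the rule; say so instead of failing quietly.
    printf 'EXTNET is empty; skipping SNAT, relying on MASQUERADE.\n' >&2
  fi
  iptables -t nat -A POSTROUTING -o "$INT0" -s "$INTNET1" -j MASQUERADE
  iptables -t nat -A POSTROUTING -o "$INT0" -s "$INTNET2" -j MASQUERADE
  iptables -t nat -A POSTROUTING -o "$INT0" -s "$INTNET3" -j MASQUERADE
fi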

# These will setup our policies.
# Everything is ACCEPT: this script is the "no firewall" mode.
# NOTE(review): nothing in this script flushes the existing rules (no -F/-X is
# visible here). If it is run after the strict ruleset, the -A INPUT/OUTPUT
# rules below are appended *after* that ruleset's final "-j DENIED" trap and
# never match; only the policy change and the -I FORWARD inserts take effect.
# Confirm that the caller flushes first.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Allow unlimited traffic on Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow unlimited traffic on every interface. Redundant under ACCEPT policies
# but explicit. Note the FORWARD rules use -I (head of chain) while INPUT and
# OUTPUT use -A; $VPN0 has no OUTPUT rule (covered by the policy).
iptables -A OUTPUT -o $INT0 -j ACCEPT
iptables -A INPUT -i $INT0 -j ACCEPT
iptables -I FORWARD -i $INT0 -j ACCEPT
iptables -A OUTPUT -o $INT1 -j ACCEPT
iptables -A INPUT -i $INT1 -j ACCEPT
iptables -I FORWARD -i $INT1 -j ACCEPT
iptables -A OUTPUT -o $INT2 -j ACCEPT
iptables -A INPUT -i $INT2 -j ACCEPT
iptables -I FORWARD -i $INT2 -j ACCEPT
iptables -A OUTPUT -o $INT3 -j ACCEPT
iptables -A INPUT -i $INT3 -j ACCEPT
iptables -I FORWARD -i $INT3 -j ACCEPT
iptables -A OUTPUT -o $INT4 -j ACCEPT
iptables -A INPUT -i $INT4 -j ACCEPT
iptables -I FORWARD -i $INT4 -j ACCEPT
iptables -A INPUT -i $VPN0 -j ACCEPT
iptables -I FORWARD -i $VPN0 -j ACCEPT

# Basic Traffic Forwarding Rules
# Accept Traffic to and from interfaces.
# Redundant while the FORWARD policy is ACCEPT (and the -I FORWARD rules above
# already accept everything), but kept so this script mirrors the strict
# ruleset's forwarding section.
# LAN 1 to itself and to WAN ($INT1->$INT0 is repeated under "WAN to LAN 1")
iptables -A FORWARD -i $INT1 -o $INT1 -j ACCEPT
iptables -A FORWARD -i $INT1 -o $INT0 -j ACCEPT
# WAN to LAN 1
iptables -A FORWARD -i $INT0 -o $INT1 -j ACCEPT
iptables -A FORWARD -i $INT1 -o $INT0 -j ACCEPT
# WAN to $INT2 (eth1)
iptables -A FORWARD -i $INT0 -o $INT2 -j ACCEPT
iptables -A FORWARD -i $INT2 -o $INT0 -j ACCEPT
# WAN to $INT3 (eth2)
iptables -A FORWARD -i $INT0 -o $INT3 -j ACCEPT
iptables -A FORWARD -i $INT3 -o $INT0 -j ACCEPT
# WAN to $INT4 (eth3)
iptables -A FORWARD -i $INT0 -o $INT4 -j ACCEPT
iptables -A FORWARD -i $INT4 -o $INT0 -j ACCEPT
# For VPN trusted subnet
# Bidirectional forward WAN to VPN
iptables -A FORWARD -i $INT0 -o $VPN0 -j ACCEPT
iptables -A FORWARD -i $VPN0 -o $INT0 -j ACCEPT
# Bidirectional forward LAN 1 to VPN0
iptables -A FORWARD -i $INT1 -o $VPN0 -j ACCEPT
iptables -A FORWARD -i $VPN0 -o $INT1 -j ACCEPT
# Bidirectional forward $INT2 to VPN0
# NOTE(review): this pair was labelled "10.11.9.0/24", a subnet not defined in
# this script (INTNET2 is 10.2.2.0/24) — the label looks stale; confirm.
iptables -A FORWARD -i $INT2 -o $VPN0 -j ACCEPT
iptables -A FORWARD -i $VPN0 -o $INT2 -j ACCEPT
# Forward internal networks to each other so they can see each other (disabled)
#iptables -I FORWARD -i $INT1 -o $INT2 -s $INTNET1 -d $INTNET2 -j ACCEPT
#iptables -I FORWARD -i $INT2 -o $INT1 -s $INTNET2 -d $INTNET1 -j ACCEPT
#iptables -I FORWARD -i $INT4 -o $INT1 -s $INTNET1 -d $INTNET3 -j ACCEPT
#iptables -I FORWARD -i $INT1 -o $INT4 -s $INTNET3 -d $INTNET1 -j ACCEPT


echo "IPv4 Firewall Disabled"

rundmz

This iptables firewall has special support for CenturyLink fiber to the home VLAN tagging (VLAN 201).

/firewall/rundmz

#!/bin/bash

# 2016/03 Fyzix
# DMZ ruleset. By default it forwards all traffic to $DMZ_HOST

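# Host that receives all unsolicited WAN traffic. Must be set for this script to
# do anything; an empty value installs no rules (iptables would reject an empty
# --to-destination anyway, but the old unconditional calls just printed errors and
# then claimed success).
DMZ_HOST=""

# Real Interfaces
# eth0 - WAN Interface - Uncomment for traditional networks without VLAN tagging
INT0="eth0" # - WAN Interface.
# eth0.201 - WAN Interface -  Uncomment for Centurylink FTTH - VLAN tagging 201
#INT0="eth0.201" # - WAN Interface.
INT1="br0" # 10.1.1.1 - LAN 1 # Use eth1 if not in bridging mode.
INT2="eth1" # 10.1.1.1 - LAN 1
INT3="eth2" # 10.2.2.1 - LAN 2
INT4="eth3" # 10.3.3.1 - LAN 3
VPN0="tap0" # 10.1.1.1 - VPN

# DNAT every TCP and UDP packet arriving on the WAN interface to the DMZ host.
# Whatever is not caught by a more specific PREROUTING rule ahead of these goes
# there, so the DMZ host is fully exposed; whether the traffic is then forwarded
# depends on the FORWARD chain of the active ruleset (the strict ruleset accepts
# $INT0->$INT1 unconditionally).
if [ -z "$DMZ_HOST" ]; then
  printf 'rundmz: DMZ_HOST is not set; no DMZ rules installed.\n' >&2
else
  iptables -t nat -A PREROUTING -i "$INT0" -p tcp -j DNAT --to-destination "$DMZ_HOST"
  iptables -t nat -A PREROUTING -i "$INT0" -p udp -j DNAT --to-destination "$DMZ_HOST"
  echo "IPv4 DMZ Enabled."
fi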

runqos

/firewall/runqos

#!/bin/bash

# 2016/02 Fyzix
# QOS ruleset
# Default ruleset assumes a maximum internet connection speed of 40mbit and targets a MAX ceiling of 40mbit+20.

## Variables
# Rates below are tc rate strings (e.g. "40mbit", "512kbit").
MAX_BITRATE="60mbit" # Ceiling for every class: set this to just above the maximum speed of your internet connection
CONNECTION_BITRATE="40mbit" # Guaranteed rate of the root class: set this to the bitrate your ISP sells you.

# Below parameters set the guaranteed (lower-end) bit rate of each traffic-shaping
# class; every class may borrow up to MAX_BITRATE when the link is idle.
# Class N maps to tc classid 1:(N+1), selected by fw mark N (see the filters below).
CLASS1_BITRATE="30mbit" # Highest priority traffic.
CLASS2_BITRATE="20mbit" # High priority traffic.
CLASS3_BITRATE="10mbit" # Medium priority traffic (the default class for unmarked traffic).
CLASS4_BITRATE="512kbit" # Low priority traffic.
CLASS5_BITRATE="512kbit" # Lower priority traffic.
CLASS6_BITRATE="256kbit" # Lowest priority traffic.


# Queueing disciplines used below. act_police and sch_netem are loaded but not
# referenced by any tc command in this script.
modprobe sch_htb
modprobe sch_sfq
modprobe act_police
modprobe sch_netem

# Delete the qdisc so we can try from the beginning
# (prints an error if no root qdisc is installed yet; harmless).
# NOTE(review): the device is hard-coded to eth0 while the firewall scripts
# parameterise the WAN as $INT0. In VLAN mode (eth0.201) the tagged frames
# should still leave through eth0's qdisc, but if the WAN ever moves to another
# NIC every "dev eth0" here must be edited.
tc qdisc del dev eth0 root

# Add primary qdisc - unmarked traffic defaults to secondary class 1:4
# (CLASS3_BITRATE, ceiling MAX_BITRATE)
tc qdisc add dev eth0 root handle 1:0 htb default 4

# Add primary class
tc class add dev eth0 parent 1:0 classid 1:1 htb rate $CONNECTION_BITRATE ceil $MAX_BITRATE

# Add secondary classes inside the primary class
tc class add dev eth0 parent 1:1 classid 1:2 htb rate $CLASS1_BITRATE ceil $MAX_BITRATE
tc class add dev eth0 parent 1:1 classid 1:3 htb rate $CLASS2_BITRATE ceil $MAX_BITRATE
tc class add dev eth0 parent 1:1 classid 1:4 htb rate $CLASS3_BITRATE ceil $MAX_BITRATE
tc class add dev eth0 parent 1:1 classid 1:5 htb rate $CLASS4_BITRATE ceil $MAX_BITRATE
tc class add dev eth0 parent 1:1 classid 1:6 htb rate $CLASS5_BITRATE ceil $MAX_BITRATE
tc class add dev eth0 parent 1:1 classid 1:7 htb rate $CLASS6_BITRATE ceil $MAX_BITRATE

# fw filters: packets carrying netfilter mark N (set with -j MARK below) go to
# class 1:(N+1). "prio" only orders filter evaluation; since the marks are
# disjoint the out-of-sequence prio values for marks 5 and 6 have no effect.
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw flowid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 3 fw flowid 1:4
tc filter add dev eth0 parent 1:0 protocol ip prio 6 handle 4 fw flowid 1:5
tc filter add dev eth0 parent 1:0 protocol ip prio 9 handle 5 fw flowid 1:6
tc filter add dev eth0 parent 1:0 protocol ip prio 8 handle 6 fw flowid 1:7

# Leaf qdiscs: SFQ gives every flow inside a class a fair share of that class.
tc qdisc add dev eth0 parent 1:2 sfq
tc qdisc add dev eth0 parent 1:3 sfq
tc qdisc add dev eth0 parent 1:4 sfq
tc qdisc add dev eth0 parent 1:5 sfq
tc qdisc add dev eth0 parent 1:6 sfq
tc qdisc add dev eth0 parent 1:7 sfq

# Give "overhead" packets (small control segments) the highest-priority class.
# CLASSIFY sets the class directly, bypassing the fw filters.
# NOTE(review): all rules in this script live in the mangle OUTPUT chain, which
# only sees packets generated by this host. Forwarded LAN traffic never
# traverses OUTPUT, so none of these marks/classes apply to it; shaping LAN
# traffic would need the same rules in mangle POSTROUTING. Confirm which
# traffic is meant to be shaped.
iptables -A OUTPUT -t mangle -p tcp --syn -m length --length 40:68 -j CLASSIFY \
  --set-class 1:2
iptables -A OUTPUT -t mangle -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 \
  -j CLASSIFY --set-class 1:2
iptables -A OUTPUT -t mangle -p tcp --tcp-flags ALL ACK -m length --length 40:100 \
  -j CLASSIFY --set-class 1:2
iptables -A OUTPUT -t mangle -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:2
iptables -A OUTPUT -t mangle -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY \
  --set-class 1:2
iptables -A OUTPUT -t mangle -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY \
  --set-class 1:2

# ICMP, UDP -> medium class 1:4. ICMP is rate-limited (2/s, burst 5) by the
# match, so only that many ICMP packets per second are classified here; the
# rest take the qdisc default (also 1:4).
iptables -A OUTPUT -t mangle -p udp -j CLASSIFY --set-class 1:4
iptables -A OUTPUT -t mangle -p icmp -m length --length 28:1500 -m limit \
  --limit 2/s --limit-burst 5 -j CLASSIFY --set-class 1:4

# Domain lookups -> highest class
iptables -A OUTPUT -t mangle -p tcp --dport domain -j CLASSIFY --set-class 1:2

# The rules below set a netfilter mark; the tc fw filters above map mark N to
# class 1:(N+1). Later rules in the chain overwrite earlier marks for the same
# packet (mangle OUTPUT, locally generated traffic only).
# Murmur - VOIP (disabled) -> mark 1 / class 1:2
#iptables -A OUTPUT -t mangle -p tcp --dport 64738 -j MARK --set-mark 1
#iptables -A OUTPUT -t mangle -p tcp --sport 64738 -j MARK --set-mark 1
#iptables -A OUTPUT -t mangle -p udp --dport 64738 -j MARK --set-mark 1
#iptables -A OUTPUT -t mangle -p udp --sport 64738 -j MARK --set-mark 1

# OpenVPN (TCP 4000, as accepted by the IPv4 firewall) -> mark 1 / class 1:2
iptables -A OUTPUT -t mangle -p tcp --dport 4000 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p tcp --sport 4000 -j MARK --set-mark 1

# Video Streaming (disabled) -> mark 2 / class 1:3
#iptables -A OUTPUT -t mangle -p tcp --dport 32030 -j MARK --set-mark 2
#iptables -A OUTPUT -t mangle -p tcp --sport 32030 -j MARK --set-mark 2

# SSH -> mark 3 / class 1:4
# NOTE(review): the IPv4 firewall accepts SSH on 31022, not 32022 — confirm the port.
iptables -A OUTPUT -t mangle -p tcp --dport 32022 -j MARK --set-mark 3
iptables -A OUTPUT -t mangle -p tcp --sport 32022 -j MARK --set-mark 3

# HTTP/HTTPS -> mark 4 / class 1:5. The final CLASSIFY rule assigns replies
# from a local web server (source port http/https) to the same class directly.
iptables -A OUTPUT -t mangle -p tcp --dport 80 -j MARK --set-mark 4
iptables -A OUTPUT -t mangle -p tcp --sport 80 -j MARK --set-mark 4
iptables -A OUTPUT -t mangle -p tcp --dport 443 -j MARK --set-mark 4
iptables -A OUTPUT -t mangle -p tcp --sport 443 -j MARK --set-mark 4
iptables -A OUTPUT -t mangle -p tcp -m multiport --sport http,https -j CLASSIFY --set-class 1:5

# Lower priority example -> mark 5 / class 1:6
#iptables -A OUTPUT -t mangle -p tcp --dport 48654:50159 -j MARK --set-mark 5
#iptables -A OUTPUT -t mangle -p tcp --sport 48654:50159 -j MARK --set-mark 5
#iptables -A OUTPUT -t mangle -p udp --dport 48654:50159 -j MARK --set-mark 5
#iptables -A OUTPUT -t mangle -p udp --sport 48654:50159 -j MARK --set-mark 5

# Lowest priority example -> mark 6 / class 1:7
#iptables -A OUTPUT -t mangle -p udp --dport 22811:22819 -j MARK --set-mark 6
#iptables -A OUTPUT -t mangle -p udp --sport 22811:22819 -j MARK --set-mark 6

echo "Traffic QOS Enabled"

runresolv

/firewall/runresolv

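#!/bin/bash

# 2016/03 Fyzix
# Force /etc/resolv.conf to point at the local DNS server again, even after the
# DHCP client on the WAN interface has rewritten it with the ISP's resolvers.
#
# /etc/resolv.conf.base is the hand-maintained copy that is put back in place.
# This is a one-shot overwrite; presumably it is re-run after each lease change
# by whatever calls it.  A dhclient enter hook (or resolvconf) would make the
# override stick without re-running this -- worth considering.

set -eu

BASE=/etc/resolv.conf.base
TARGET=/etc/resolv.conf

# Fail loudly if the template is missing instead of leaving a bare cp error
# (and an unchanged, ISP-pointing resolv.conf) behind.
if [ ! -r "$BASE" ]; then
  echo "$0: $BASE is missing or unreadable; not touching $TARGET" >&2
  exit 1
fi

cp -- "$BASE" "$TARGET"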

runpurgeelkindex

/firewall/runpurgeelkindex

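#!/bin/bash

# 2016/02 Fyzix
# Purge the Logstash index that is TIME old (default: 3 months ago).
#
# Logstash writes one index per day named "logstash-YYYY.MM.dd".  This script
# computes that name for exactly TIME before now and deletes it through the
# Elasticsearch REST API on localhost.  Only that single day's index is
# removed -- run it daily (cron) so each day ages out in turn; days the job
# missed are left behind.
#
# Security notes:
#  - The DELETE goes to http://localhost:9200 with no authentication, so
#    anybody who can reach that port can do the same.  This assumes
#    Elasticsearch listens on loopback only (or is firewalled) -- confirm.
#  - The index name never contains a wildcard, so one run can never remove
#    more than one day's data.

set -u

# How far back the index to purge lies; any GNU `date --date` expression.
TIME="3 months ago"

# Print the Logstash index date suffix (YYYY.MM.dd) for a date expression.
# Arguments: $1 - a GNU `date --date` expression
# Outputs:   YYYY.MM.dd on stdout
# Returns:   date(1)'s exit status
index_date_for() {
  # %m is the zero-padded month.  The original used %M (minute of the hour),
  # which produced names like logstash-2016.58.03: normally nothing to delete,
  # and when run between minute 01 and 12 the wrong month's index for that day.
  date --date="$1" +%Y.%m.%d
}

if ! TARGET_DATE=$(index_date_for "${TIME}"); then
  echo "Cannot compute a target date from '${TIME}'" >&2
  exit 1
fi

echo ""
# (Wording kept as-is; strictly, only the index for that one day is purged.)
echo "This will purge ELK Stack indexes older than $TIME from current date."
echo "Note: If index does not exist an index_not_found_exception error will be encountered, which can be safely ignored."
echo ""
# Execute purge via Elasticsearch API.  Elasticsearch's reply (including the
# expected index_not_found_exception for an already-absent day) is printed as
# before; a transport-level failure is reported on stderr but does not abort.
if ! curl -sS -XDELETE "http://localhost:9200/logstash-${TARGET_DATE}/"; then
  echo "Warning: DELETE request for index logstash-${TARGET_DATE} failed" >&2
fi
echo ""
echo ""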

runfetchgeoipdb

/firewall/runfetchgeoipdb

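#!/bin/bash

# 2016/03 Fyzix
# Refresh the legacy MaxMind GeoLiteCity database used by Logstash's geoip
# filter, installing it as /etc/logstash/GeoLiteCity.dat.
#
# Security note: the download is plain HTTP with no signature or checksum, so
# the file Logstash parses could be swapped by anyone on the path.  MaxMind has
# since retired this legacy GeoLite endpoint (GeoLite2 requires an account and
# licence key), so the URL needs replacing anyway -- use an HTTPS source and
# verify the published checksum before installing.

set -eu

DB_DIR=/etc/logstash
DB_NAME=GeoLiteCity.dat
DB_URL="http://geolite.maxmind.com/download/geoip/database/${DB_NAME}.gz"

cd "$DB_DIR" || exit 1

# Fetch and unpack under a temporary name and only then move into place, so a
# failed or partial download never clobbers the database Logstash is using.
# This also avoids gunzip refusing to overwrite an existing GeoLiteCity.dat
# (which is what happened when the original script was run a second time).
TMP=$(mktemp "${DB_DIR}/.${DB_NAME}.XXXXXX")
trap 'rm -f -- "$TMP" "$TMP.gz"' EXIT

wget -O "${TMP}.gz" "$DB_URL"
gunzip -c -- "${TMP}.gz" > "$TMP"
# mktemp creates the file 0600; make it world-readable again so the (non-root)
# logstash process can open it, as the umask would have done for a plain gunzip.
chmod 0644 -- "$TMP"
mv -f -- "$TMP" "$DB_NAME"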