-rw-r--r--server/setup/01-zfs_linux_bringup/README.txt (renamed from server/setup/zfs_linux_bringup/README.txt)0
-rw-r--r--server/setup/01-zfs_linux_bringup/apt-install-zfs_kernel_etc.sh (renamed from server/setup/zfs_linux_bringup/apt-install-zfs_kernel_etc.sh)0
-rw-r--r--server/setup/01-zfs_linux_bringup/apt-sources.list (renamed from server/setup/zfs_linux_bringup/apt-sources.list)0
-rw-r--r--server/setup/01-zfs_linux_bringup/chroot-chroot.sh (renamed from server/setup/zfs_linux_bringup/chroot-chroot.sh)0
-rw-r--r--server/setup/01-zfs_linux_bringup/chroot-mount.sh (renamed from server/setup/zfs_linux_bringup/chroot-mount.sh)0
-rw-r--r--server/setup/01-zfs_linux_bringup/chroot-umount.sh (renamed from server/setup/zfs_linux_bringup/chroot-umount.sh)0
-rw-r--r--server/setup/01-zfs_linux_bringup/etc_fstab.txt (renamed from server/setup/zfs_linux_bringup/etc_fstab.txt)0
-rw-r--r--server/setup/01-zfs_linux_bringup/grub_custom.cfg (renamed from server/setup/zfs_linux_bringup/grub_custom.cfg)0
-rw-r--r--server/setup/01-zfs_linux_bringup/initramfs-tools.scripts.zfs (renamed from server/setup/zfs_linux_bringup/initramfs-tools.scripts.zfs)0
-rw-r--r--server/setup/01-zfs_linux_bringup/zfs01-create_config-pool.sh (renamed from server/setup/zfs_linux_bringup/zfs01-create_config-pool.sh)0
-rw-r--r--server/setup/01-zfs_linux_bringup/zfs02-create-datasets.sh (renamed from server/setup/zfs_linux_bringup/zfs02-create-datasets.sh)0
-rw-r--r--server/setup/01-zfs_linux_bringup/zfs03-export_import.sh (renamed from server/setup/zfs_linux_bringup/zfs03-export_import.sh)0
-rw-r--r--server/setup/01-zfs_linux_bringup/zfs04-system-populate.sh (renamed from server/setup/zfs_linux_bringup/zfs04-system-populate.sh)0
-rwxr-xr-xserver/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure303
-rwxr-xr-xserver/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure285
-rwxr-xr-xserver/setup/02-firewall/etc/iptables/iptables_all56
-rw-r--r--server/setup/02-firewall/etc/network/interfaces22
17 files changed, 666 insertions, 0 deletions
diff --git a/server/setup/zfs_linux_bringup/README.txt b/server/setup/01-zfs_linux_bringup/README.txt
index 5307abc..5307abc 100644
--- a/server/setup/zfs_linux_bringup/README.txt
+++ b/server/setup/01-zfs_linux_bringup/README.txt
diff --git a/server/setup/zfs_linux_bringup/apt-install-zfs_kernel_etc.sh b/server/setup/01-zfs_linux_bringup/apt-install-zfs_kernel_etc.sh
index 7c43ed2..7c43ed2 100644
--- a/server/setup/zfs_linux_bringup/apt-install-zfs_kernel_etc.sh
+++ b/server/setup/01-zfs_linux_bringup/apt-install-zfs_kernel_etc.sh
diff --git a/server/setup/zfs_linux_bringup/apt-sources.list b/server/setup/01-zfs_linux_bringup/apt-sources.list
index b7d90e2..b7d90e2 100644
--- a/server/setup/zfs_linux_bringup/apt-sources.list
+++ b/server/setup/01-zfs_linux_bringup/apt-sources.list
diff --git a/server/setup/zfs_linux_bringup/chroot-chroot.sh b/server/setup/01-zfs_linux_bringup/chroot-chroot.sh
index 2786bca..2786bca 100644
--- a/server/setup/zfs_linux_bringup/chroot-chroot.sh
+++ b/server/setup/01-zfs_linux_bringup/chroot-chroot.sh
diff --git a/server/setup/zfs_linux_bringup/chroot-mount.sh b/server/setup/01-zfs_linux_bringup/chroot-mount.sh
index a719301..a719301 100644
--- a/server/setup/zfs_linux_bringup/chroot-mount.sh
+++ b/server/setup/01-zfs_linux_bringup/chroot-mount.sh
diff --git a/server/setup/zfs_linux_bringup/chroot-umount.sh b/server/setup/01-zfs_linux_bringup/chroot-umount.sh
index f53d3b9..f53d3b9 100644
--- a/server/setup/zfs_linux_bringup/chroot-umount.sh
+++ b/server/setup/01-zfs_linux_bringup/chroot-umount.sh
diff --git a/server/setup/zfs_linux_bringup/etc_fstab.txt b/server/setup/01-zfs_linux_bringup/etc_fstab.txt
index 8f5f16f..8f5f16f 100644
--- a/server/setup/zfs_linux_bringup/etc_fstab.txt
+++ b/server/setup/01-zfs_linux_bringup/etc_fstab.txt
diff --git a/server/setup/zfs_linux_bringup/grub_custom.cfg b/server/setup/01-zfs_linux_bringup/grub_custom.cfg
index 1402481..1402481 100644
--- a/server/setup/zfs_linux_bringup/grub_custom.cfg
+++ b/server/setup/01-zfs_linux_bringup/grub_custom.cfg
diff --git a/server/setup/zfs_linux_bringup/initramfs-tools.scripts.zfs b/server/setup/01-zfs_linux_bringup/initramfs-tools.scripts.zfs
index 328cfca..328cfca 100644
--- a/server/setup/zfs_linux_bringup/initramfs-tools.scripts.zfs
+++ b/server/setup/01-zfs_linux_bringup/initramfs-tools.scripts.zfs
diff --git a/server/setup/zfs_linux_bringup/zfs01-create_config-pool.sh b/server/setup/01-zfs_linux_bringup/zfs01-create_config-pool.sh
index dc0c80d..dc0c80d 100644
--- a/server/setup/zfs_linux_bringup/zfs01-create_config-pool.sh
+++ b/server/setup/01-zfs_linux_bringup/zfs01-create_config-pool.sh
diff --git a/server/setup/zfs_linux_bringup/zfs02-create-datasets.sh b/server/setup/01-zfs_linux_bringup/zfs02-create-datasets.sh
index c8a0d3a..c8a0d3a 100644
--- a/server/setup/zfs_linux_bringup/zfs02-create-datasets.sh
+++ b/server/setup/01-zfs_linux_bringup/zfs02-create-datasets.sh
diff --git a/server/setup/zfs_linux_bringup/zfs03-export_import.sh b/server/setup/01-zfs_linux_bringup/zfs03-export_import.sh
index 90a5cbe..90a5cbe 100644
--- a/server/setup/zfs_linux_bringup/zfs03-export_import.sh
+++ b/server/setup/01-zfs_linux_bringup/zfs03-export_import.sh
diff --git a/server/setup/zfs_linux_bringup/zfs04-system-populate.sh b/server/setup/01-zfs_linux_bringup/zfs04-system-populate.sh
index ae1b109..ae1b109 100644
--- a/server/setup/zfs_linux_bringup/zfs04-system-populate.sh
+++ b/server/setup/01-zfs_linux_bringup/zfs04-system-populate.sh
diff --git a/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
new file mode 100755
index 0000000..a9813cb
--- /dev/null
+++ b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
@@ -0,0 +1,303 @@
+#! /bin/sh
+
+#set -x
+
+action=$1
+shift
+
+#
+#* Single end device with untrusted inet connection
+#
+
+ETH_EXTERN=eth0
+IP_EXTERN_SELF=$( /sbin/ip -o -f inet addr show dev $ETH_EXTERN scope global | awk ' { print $4; } ' )
+IP_EXTERN_GW=$( /sbin/ip -o -f inet route show dev $ETH_EXTERN | grep default | awk ' { print $3; } ' )
+
+##
+##
+
+IPTABLES=/sbin/iptables
+
+if [ "$action" != "start" -a "$action" != "stop" ] ; then
+ echo usage $0 \( start \| stop \)
+ echo
+ echo $0 start
+ echo $0 stop
+ exit 1
+fi
+
+if [ "$action" = "stop" ] ; then
+ echo "IPTABLES rules down"
+
+ $IPTABLES -F acl_external_input
+ $IPTABLES -F acl_srv_connect
+ $IPTABLES -F acl_srv_web
+ $IPTABLES -F acl_srv_shared
+ $IPTABLES -F acl_srv_email
+ $IPTABLES -F acl_srv_login_sec
+ $IPTABLES -F INPUT
+ $IPTABLES -F FORWARD
+
+ $IPTABLES -X acl_external_input
+ $IPTABLES -X acl_srv_connect
+ $IPTABLES -X acl_srv_web
+ $IPTABLES -X acl_srv_shared
+ $IPTABLES -X acl_srv_email
+ $IPTABLES -X acl_srv_login_sec
+
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+
+ exit 0
+fi
+
+if [ "$action" = "start" ] ; then
+ echo "IPTABLES rules up"
+
+ # Anti-spoofing
+ #
+ # Since we don't have any asymmetric routing,
+ # we can simply turn on anti-spoofing for all interfaces.
+ #
+ #for f in /proc/sys/net/ipv4/conf/*ppp*/rp_filter; do echo 1 > $f; done
+
+ echo 1 > /proc/sys/net/ipv4/conf/$ETH_EXTERN/rp_filter
+
+ /sbin/modprobe iptable_filter
+ /sbin/modprobe iptable_mangle
+ /sbin/modprobe iptable_nat
+ /sbin/modprobe ip_tables
+ /sbin/modprobe ipt_LOG
+ /sbin/modprobe ipt_MASQUERADE
+ /sbin/modprobe ipt_NETMAP
+ /sbin/modprobe ipt_REDIRECT
+ /sbin/modprobe ipt_REJECT
+ /sbin/modprobe ipt_ULOG
+ /sbin/modprobe nf_conntrack_ipv4
+ /sbin/modprobe nf_conntrack_sane
+ /sbin/modprobe nf_conntrack_sip
+ /sbin/modprobe nf_conntrack_snmp
+ /sbin/modprobe nf_conntrack_tftp
+ /sbin/modprobe nf_nat_ftp
+ /sbin/modprobe nf_nat_h323
+ /sbin/modprobe nf_nat_irc
+ /sbin/modprobe nf_nat
+ /sbin/modprobe nf_nat_pptp
+ /sbin/modprobe nf_nat_sip
+ /sbin/modprobe nf_nat_snmp_basic
+ /sbin/modprobe nf_nat_tftp
+
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P FORWARD DROP
+ $IPTABLES -P OUTPUT ACCEPT
+
+ $IPTABLES -N acl_external_input
+ $IPTABLES -N acl_srv_connect
+ $IPTABLES -N acl_srv_web
+ $IPTABLES -N acl_srv_shared
+ $IPTABLES -N acl_srv_email
+ $IPTABLES -N acl_srv_login_sec
+
+ ###################################################################
+ ###################################################################
+ #
+
+ # INPUT -> user chains
+ #
+ # Unfortunately, we only know (in the FORWARD chain) the outgoing interface.
+ # Thus, to figure out what interface the packet came in on,
+ # we use the source address (the anti-spoofing prevents address faking).
+ #
+ # Note that we log anything which doesn't match any of these (obviously, this should never happen).
+ #
+
+ #
+ # INPUT Allow FIREWALL itself !
+ #
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT
+ $IPTABLES -p all -A INPUT -i lo -j ACCEPT
+
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j acl_external_input
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW4-IN: rej acl_ext input "
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j REJECT
+
+ #
+ # INPUT Log & Reject any
+ #
+ $IPTABLES -p all -A INPUT -j LOG --log-level debug --log-prefix "FW4-IN: rej ANY input "
+ $IPTABLES -p all -A INPUT -j REJECT
+
+ #
+ ###################################################################
+ ###################################################################
+ ###################################################################
+ #
+
+ # FORWARD -> user chains
+ #
+
+ #
+ # FORWARD Allow FIREWALL itself !
+ #
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT
+ $IPTABLES -p all -A FORWARD -i lo -j ACCEPT
+
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j acl_external_input
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW4-FWD: rej acl_ext input "
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j REJECT
+
+ #
+ # FORWARD Log & Reject any
+ #
+ $IPTABLES -p all -A FORWARD -j LOG --log-level debug --log-prefix "FW4-FWD: rej ANY input "
+ $IPTABLES -p all -A FORWARD -j REJECT
+
+ #
+ #
+ #########################################################################################################################
+ #########################################################################################################################
+ #########################################################################################################################
+ #
+ # acl_extern_
+ #
+
+ #
+ # Allow fragments (second etc. parts of a huge packet ..)
+ # Allow icmp notification: 3/4 destination-unreachable/fragmentation-needed
+ #
+ # ATTENTION .. can be anything (ICMP), but the very 1st will be filtered ok !
+ #
+ $IPTABLES -A acl_external_input -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
+
+ $IPTABLES -A acl_external_input -p icmp --icmp-type destination-unreachable -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmp --icmp-type time-exceeded -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmp --icmp-type parameter-problem -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmp --icmp-type timestamp-request -j ACCEPT
+
+ $IPTABLES -p all -A acl_external_input -j acl_srv_connect # includes: allow to answer ..
+ $IPTABLES -p all -A acl_external_input -j acl_srv_login_sec
+ $IPTABLES -p all -A acl_external_input -j acl_srv_web
+ $IPTABLES -p all -A acl_external_input -j acl_srv_shared
+ $IPTABLES -p all -A acl_external_input -j acl_srv_email
+
+ # --syn == "--tcp-flags SYN,RST,ACK SYN"
+ #$IPTABLES -p tcp -A acl_external_input ! --syn -j LOG --log-level debug --log-prefix "FW4-Ext: rej INET !syn "
+ #$IPTABLES -p tcp -A acl_external_input ! --syn -j REJECT
+ #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j LOG --log-level debug --log-prefix "FW4-Ext: rej INET !resp "
+ #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j REJECT
+
+ #
+ #########################################################################################################################
+ #########################################################################################################################
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_shared
+ #
+ # FTP, SAMBA, GNUnet clients
+ #
+
+ # ANONYMOUS FTP
+ #
+ #$IPTABLES -p tcp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT
+ #$IPTABLES -p udp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT
+
+ $IPTABLES -p tcp -A acl_srv_shared --dport git -j ACCEPT
+ $IPTABLES -p udp -A acl_srv_shared --dport git -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_login_sec
+ #
+ # SSH
+ #
+
+ # SSH
+ #
+ #$IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j LOG --log-level debug --log-prefix "FW4-ACL_SSH: "
+ $IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j ACCEPT
+ $IPTABLES -p udp -A acl_srv_login_sec --dport ssh -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_email
+ #
+ # POP3s, SMTP
+ #
+
+ # IMAPs
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport imaps -j ACCEPT
+
+ # POP3s
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport pop3s -j ACCEPT
+
+ # ident
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport ident -j ACCEPT
+
+ # SMTPs
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport smtp -j ACCEPT
+ $IPTABLES -p tcp -A acl_srv_email --dport smtps -j ACCEPT
+
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_web
+ #
+ # HTTP, NTP
+ #
+
+ # HTTP
+ #
+ $IPTABLES -p tcp -A acl_srv_web --dport http -j ACCEPT
+ $IPTABLES -p tcp -A acl_srv_web --dport https -j ACCEPT
+ #$IPTABLES -p tcp -A acl_srv_web --dport http-alt -j ACCEPT
+ #$IPTABLES -p tcp -A acl_srv_web --dport webcache -j ACCEPT
+ #$IPTABLES -p tcp -A acl_srv_web --dport squid -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_connect
+ #
+ # ICMP, NTP, DHCP, DNS, ANSWER
+ #
+
+ # IPSEC
+ #
+ $IPTABLES -p ah -A acl_srv_connect -j ACCEPT
+ $IPTABLES -p esp -A acl_srv_connect -j ACCEPT
+
+ # DHCP .. TFTP
+ #
+ $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport mdns -s $IP_EXTERN_SELF -j ACCEPT #
+ $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:tftp -s $IP_EXTERN_GW -j ACCEPT #
+ $IPTABLES -p tcp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:69 -s $IP_EXTERN_GW -j ACCEPT #
+
+ # DNS
+ #
+ # $IPTABLES -p tcp -A acl_srv_connect --dport mdns -j ACCEPT
+ # $IPTABLES -p udp -A acl_srv_connect --dport mdns -j ACCEPT
+ # $IPTABLES -p tcp -A acl_srv_connect --dport domain -j ACCEPT
+ # $IPTABLES -p udp -A acl_srv_connect --dport domain -j ACCEPT
+ # $IPTABLES -p tcp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT
+ # $IPTABLES -p udp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT
+
+ #
+ # acl_srv_connect Allow * to answer,
+ # only for known connections - no new unknown ones !
+ #
+ $IPTABLES -p all -A acl_srv_connect -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+fi
+
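Review bot: `IP_EXTERN_SELF` at L94 is taken as field 4 of `ip -o ... addr show`, which is the address with its prefix length (e.g. `A.B.C.D/27`, matching the /27 netmask in the committed interfaces file), so the "allow FIREWALL itself" rules at L198 and L223 do `-s A.B.C.D/27 -j ACCEPT` and admit every host in the provider subnet into INPUT and FORWARD ahead of all ACL chains; L361 has the same match. The same construct appears in the ip6tables hunk (L403, L479, L509, L652), where the prefix is a /64. If the interface ever has more than one global address the variable also becomes multi-word and the iptables invocations break. Strip the prefix and keep only the first address, e.g. `IP_EXTERN_SELF=$( /sbin/ip -o -f inet addr show dev "$ETH_EXTERN" scope global | awk '{ sub("/.*", "", $4); print $4; exit }' )`, and quote `"$IP_EXTERN_SELF"` / `"$IP_EXTERN_GW"` where they are used so an empty value (no default route) fails visibly rather than producing a rule with a missing argument.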
diff --git a/server/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure b/server/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure
new file mode 100755
index 0000000..ada1c94
--- /dev/null
+++ b/server/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure
@@ -0,0 +1,285 @@
+#! /bin/sh
+
+# set -x
+
+action=$1
+shift
+
+#
+#* Single end device with untrusted inet connection
+#
+
+ETH_EXTERN=eth0
+IP_EXTERN_SELF=$( /sbin/ip -o -f inet6 addr show dev $ETH_EXTERN scope global | awk ' { print $4; } ' )
+IP_EXTERN_GW=$( /sbin/ip -o -f inet6 route show dev $ETH_EXTERN | grep default | awk ' { print $3; } ' )
+
+##
+##
+
+IPTABLES=/sbin/ip6tables
+
+if [ "$action" != "start" -a "$action" != "stop" ] ; then
+ echo usage $0 \( start \| stop \)
+ echo
+ echo $0 start
+ echo $0 stop
+ exit 1
+fi
+
+if [ "$action" = "stop" ] ; then
+ echo "IPTABLES rules down"
+
+ $IPTABLES -F acl_external_input
+ $IPTABLES -F acl_srv_connect
+ $IPTABLES -F acl_srv_web
+ $IPTABLES -F acl_srv_shared
+ $IPTABLES -F acl_srv_email
+ $IPTABLES -F acl_srv_login_sec
+ $IPTABLES -F INPUT
+ $IPTABLES -F FORWARD
+
+ $IPTABLES -X acl_external_input
+ $IPTABLES -X acl_srv_connect
+ $IPTABLES -X acl_srv_web
+ $IPTABLES -X acl_srv_shared
+ $IPTABLES -X acl_srv_email
+ $IPTABLES -X acl_srv_login_sec
+
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+
+ exit 0
+fi
+
+if [ "$action" = "start" ] ; then
+ echo "IPTABLES rules up"
+
+ # Anti-spoofing
+ #
+ # Since we don't have any asymmetric routing,
+ # we can simply turn on anti-spoofing for all interfaces.
+ #
+ #for f in /proc/sys/net/ipv4/conf/*ppp*/rp_filter; do echo 1 > $f; done
+
+ $IPTABLES -P INPUT DROP
+
+ $IPTABLES -N acl_external_input
+ $IPTABLES -N acl_srv_connect
+ $IPTABLES -N acl_srv_web
+ $IPTABLES -N acl_srv_shared
+ $IPTABLES -N acl_srv_email
+ $IPTABLES -N acl_srv_login_sec
+
+ ###################################################################
+ ###################################################################
+ #
+
+ # INPUT -> user chains
+ #
+ # Unfortunately, we only know (in the FORWARD chain) the outgoing interface.
+ # Thus, to figure out what interface the packet came in on,
+ # we use the source address (the anti-spoofing prevents address faking).
+ #
+ # Note that we log anything which doesn't match any of these (obviously, this should never happen).
+ #
+
+ #
+ # INPUT Allow FIREWALL itself !
+ #
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT
+ $IPTABLES -p all -A INPUT -i lo -j ACCEPT
+
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j acl_external_input
+
+ #$IPTABLES -p tcp -A INPUT -i $ETH_EXTERN --tcp-flags ACK ACK -j LOG \
+ # --log-level debug --log-prefix "FW6-IN: ack "
+ $IPTABLES -p tcp -A INPUT -i $ETH_EXTERN --tcp-flags ACK ACK -j ACCEPT
+
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW6-IN: rej acl_ext input "
+ $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j REJECT
+
+ #
+ # INPUT Log & Reject any
+ #
+ $IPTABLES -p all -A INPUT -j LOG --log-level debug --log-prefix "FW6-IN: rej ANY input "
+ $IPTABLES -p all -A INPUT -j REJECT
+
+ #
+ ###################################################################
+ ###################################################################
+ ###################################################################
+ #
+
+ # FORWARD -> user chains
+ #
+
+ #
+ # FORWARD Allow FIREWALL itself !
+ #
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT
+ $IPTABLES -p all -A FORWARD -i lo -j ACCEPT
+
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j acl_external_input
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW6-FWD: rej acl_ext input "
+ $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j REJECT
+
+ #
+ # FORWARD Log & Reject any
+ #
+ $IPTABLES -p all -A FORWARD -j LOG --log-level debug --log-prefix "FW6-FWD: rej ANY input "
+ $IPTABLES -p all -A FORWARD -j REJECT
+
+ #
+ #
+ #########################################################################################################################
+ #########################################################################################################################
+ #########################################################################################################################
+ #
+ # acl_extern_
+ #
+
+ #
+ # Allow fragments (second etc. parts of a huge packet ..)
+ # Allow icmpv6 notification: 3/4 destination-unreachable/fragmentation-needed
+ #
+ # ATTENTION .. can be anything (ICMP), but the very 1st will be filtered ok !
+ #
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
+ $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
+
+ $IPTABLES -p all -A acl_external_input -j acl_srv_connect # includes: allow to answer ..
+ $IPTABLES -p all -A acl_external_input -j acl_srv_login_sec
+ $IPTABLES -p all -A acl_external_input -j acl_srv_web
+ $IPTABLES -p all -A acl_external_input -j acl_srv_shared
+ $IPTABLES -p all -A acl_external_input -j acl_srv_email
+
+ # --syn == "--tcp-flags SYN,RST,ACK SYN"
+ #$IPTABLES -p tcp -A acl_external_input ! --syn -j LOG --log-level debug --log-prefix "FW6-Ext: rej INET !syn "
+ #$IPTABLES -p tcp -A acl_external_input ! --syn -j REJECT
+ #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j LOG --log-level debug --log-prefix "FW6-Ext: rej INET !resp "
+ #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j REJECT
+
+ #
+ #########################################################################################################################
+ #########################################################################################################################
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_shared
+ #
+ # FTP, SAMBA, GNUnet clients
+ #
+
+ # ANONYMOUS FTP
+ #
+ #$IPTABLES -p tcp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT
+ #$IPTABLES -p udp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT
+
+ $IPTABLES -p tcp -A acl_srv_shared --dport git -j ACCEPT
+ $IPTABLES -p udp -A acl_srv_shared --dport git -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_login_sec
+ #
+ # SSH
+ #
+
+ # SSH
+ #
+ #$IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j LOG --log-level debug --log-prefix "FW6-ACL_SSH: "
+ $IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j ACCEPT
+ $IPTABLES -p udp -A acl_srv_login_sec --dport ssh -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_email
+ #
+ # POP3s, SMTP
+ #
+
+ # IMAPs
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport imaps -j ACCEPT
+
+ # POP3s
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport pop3s -j ACCEPT
+
+ # ident
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport ident -j ACCEPT
+
+ # SMTPs
+ #
+ $IPTABLES -p tcp -A acl_srv_email --dport smtp -j ACCEPT
+ $IPTABLES -p tcp -A acl_srv_email --dport smtps -j ACCEPT
+
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_web
+ #
+ # HTTP, NTP
+ #
+
+ # HTTP
+ #
+ $IPTABLES -p tcp -A acl_srv_web --dport http -j ACCEPT
+ $IPTABLES -p tcp -A acl_srv_web --dport https -j ACCEPT
+ #$IPTABLES -p tcp -A acl_srv_web --dport http-alt -j ACCEPT
+ #$IPTABLES -p tcp -A acl_srv_web --dport webcache -j ACCEPT
+ #$IPTABLES -p tcp -A acl_srv_web --dport squid -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+ #
+ # INPUT Allow acl_srv_connect
+ #
+ # ICMP, NTP, DHCP, DNS, ANSWER
+ #
+
+ # IPSEC
+ #
+ #$IPTABLES -p ah -A acl_srv_connect -j ACCEPT
+ $IPTABLES -p esp -A acl_srv_connect -j ACCEPT
+
+ # DHCP .. TFTP
+ #
+ $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport mdns -s $IP_EXTERN_SELF -j ACCEPT #
+ $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:tftp -s $IP_EXTERN_GW -j ACCEPT #
+ $IPTABLES -p tcp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:69 -s $IP_EXTERN_GW -j ACCEPT #
+
+ # DNS
+ #
+ # $IPTABLES -p tcp -A acl_srv_connect --dport mdns -j ACCEPT
+ # $IPTABLES -p udp -A acl_srv_connect --dport mdns -j ACCEPT
+ # $IPTABLES -p tcp -A acl_srv_connect --dport domain -j ACCEPT
+ # $IPTABLES -p udp -A acl_srv_connect --dport domain -j ACCEPT
+ # $IPTABLES -p tcp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT
+ # $IPTABLES -p udp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT
+
+ #
+ # acl_srv_connect Allow * to answer,
+ # only for known connections - no new unknown ones !
+ #
+ $IPTABLES -p all -A acl_srv_connect -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ #
+ #
+ #########################################################################################################################
+fi
+
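Review bot: L486 (`--tcp-flags ACK ACK -j ACCEPT` on INPUT from the external interface) accepts every TCP segment with the ACK bit set, to any port and regardless of connection state, after acl_external_input has already declined it and before the LOG/REJECT at L488–489; the `ESTABLISHED,RELATED` accept at L669 already covers legitimate replies when conntrack is available, so this reads as a stateless fallback that is much broader than needed. If it is there because IPv6 conntrack may not be loaded (this script loads no modules, unlike the v4 one at L147–169), document that in a comment and load the module instead; otherwise drop L486. L454 also sets only `-P INPUT DROP`, whereas the v4 script sets INPUT, FORWARD and OUTPUT (L171–173): after a `stop` has set FORWARD to ACCEPT (L439), a subsequent `start` leaves that policy in place and relies solely on the trailing REJECT at L520, so add `$IPTABLES -P FORWARD DROP` next to L454. The anti-spoofing comment at L447–452 was copied from the v4 script and refers to an ipv4-only sysctl; as far as this hunk shows, no IPv6 source-address check is applied, which is worth stating explicitly in that comment.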
diff --git a/server/setup/02-firewall/etc/iptables/iptables_all b/server/setup/02-firewall/etc/iptables/iptables_all
new file mode 100755
index 0000000..95af1e1
--- /dev/null
+++ b/server/setup/02-firewall/etc/iptables/iptables_all
@@ -0,0 +1,56 @@
+#! /bin/bash
+
+case "$1" in
+ start)
+ echo "iptables-all start"
+
+ #/etc/iptables/ipv6_6to4_tunnel start
+ #/etc/iptables/ip_tc start
+ #/etc/iptables/ip_alias start
+ #/etc/iptables/ip_route start
+
+ #sleep 1s
+ #/etc/init.d/rpcbind start
+ #/etc/init.d/named start
+ #/etc/init.d/dhcp6s start
+ #/etc/init.d/dhcpd start
+ #/etc/init.d/radvd start
+ #/etc/init.d/ypserv start
+ #/etc/init.d/yppasswdd start
+ #/etc/init.d/nfsserver start
+
+ echo -n "iptables setup init"
+ /etc/iptables/ip6tables_bad_fwdmz_good-secure start
+ /etc/iptables/ip4tables_bad_fwdmz_good-secure start
+ ;;
+
+ stop)
+ echo "iptables-all stop"
+
+ /etc/iptables/ip4tables_bad_fwdmz_good-secure stop
+ /etc/iptables/ip6tables_bad_fwdmz_good-secure stop
+
+ #/etc/init.d/nfsserver stop
+ #/etc/init.d/yppasswdd stop
+ #/etc/init.d/ypserv stop
+ #/etc/init.d/radvd stop
+ #/etc/init.d/dhcpd stop
+ #/etc/init.d/dhcp6s stop
+ #/etc/init.d/named stop
+ #/etc/init.d/rpcbind stop
+
+ #/etc/iptables/ip_route stop
+ #/etc/iptables/ip_alias stop
+ #/etc/iptables/ip_tc stop
+ #/etc/iptables/ipv6_6to4_tunnel stop
+ ;;
+
+ restart)
+ $0 stop && $0 start || return=$rc_failed
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ exit 1
+ ;;
+esac
+
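Review bot: The restart branch at L730, `$0 stop && $0 start || return=$rc_failed`, never reports failure: `rc_failed` is not set anywhere in this file and `return=` only creates a shell variable, so a failed restart exits 0, and because of the `&&`…`||` chaining the assignment also runs when `start` fails after a successful `stop`. Replace it with `"$0" stop` followed by `exec "$0" start` so the exit status of the start pass is propagated. The start/stop branches likewise discard the exit status of the two rule scripts (L704–705, L711–712); appending `|| exit 1` to the start calls would make a half-loaded ruleset visible to the `up` hook in the interfaces file rather than silently succeeding.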
diff --git a/server/setup/02-firewall/etc/network/interfaces b/server/setup/02-firewall/etc/network/interfaces
new file mode 100644
index 0000000..0156198
--- /dev/null
+++ b/server/setup/02-firewall/etc/network/interfaces
@@ -0,0 +1,22 @@
+### Hetzner Online AG - installimage
+# Loopback device:
+auto lo
+iface lo inet loopback
+
+# device: eth0
+auto eth0
+iface eth0 inet static
+ address 144.76.84.101
+ broadcast 144.76.84.127
+ netmask 255.255.255.224
+ gateway 144.76.84.97
+ # default route to access subnet
+ up route add -net 144.76.84.96 netmask 255.255.255.224 gw 144.76.84.97 eth0
+ # firewall
+ up /etc/iptables/iptables_all start
+ down /etc/iptables/iptables_all stop
+
+iface eth0 inet6 static
+ address 2a01:4f8:192:1164::2
+ netmask 64
+ gateway fe80::1
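Review bot: L759 loads the firewall with an `up` hook, which runs only after eth0 is up and addressed, so there is a window at every boot and `ifup` in which the host is reachable under the kernel's default ACCEPT policies (the rule scripts' `stop` path also leaves INPUT/FORWARD at ACCEPT). The rule script derives its own address from `ip addr show`, so it cannot simply be moved to `pre-up`; a cheap mitigation is to set restrictive default policies before the address is assigned, e.g. `pre-up /sbin/iptables -P INPUT DROP` and `pre-up /sbin/ip6tables -P INPUT DROP`, leaving `up /etc/iptables/iptables_all start` to install the real rules. Whether the window matters depends on what else the boot sequence starts before networking, which this hunk does not show.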