From 447fbd715b651a7977c592b923a2ced304440977 Mon Sep 17 00:00:00 2001
From: James Blair
Date: Mon, 20 Jan 2020 15:03:46 +1300
Subject: [PATCH] Refined firewall configuration.
---
 post-install.txt | 28 +++++++++++++++++-----------
 readme.org | 11 ++++++-----
 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/post-install.txt b/post-install.txt
index 04ce9fe..149eab5 100755
--- a/post-install.txt
+++ b/post-install.txt
@@ -50,8 +50,8 @@ echo "PS1='\[\033[02;31m\]\u@\H:\[\033[01;34m\]\w\$\[\033[00m\] '" >> /rootfs/ho
 # Post install firewall configuration
 #================================================================
 echo "Switch to legacy iptables for k3s support"
-iptables -F
-update-alternatives --set iptables /usr/sbin/iptables-legacy
+#iptables -F
+#update-alternatives --set iptables /usr/sbin/iptables-legacy
 echo "Allowing local traffic in iptables"
 iptables -A INPUT -i lo -j ACCEPT
@@ -59,10 +59,6 @@ iptables -A INPUT -i lo -j ACCEPT
 echo "Allow all established connections in iptables"
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-echo "Allow ssh connections in iptables"
-iptables -A INPUT -p tcp --dport 2122 -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 2122 -j ACCEPT
-
 echo "Drop all other traffic"
 iptables -A INPUT -j DROP
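Review bot: The `echo "Switch to legacy iptables for k3s support"` line still runs while both commands it announces are now commented out, so the install log will report a backend switch that never happened; either comment the echo out with them or reword it, e.g. `echo "Leaving iptables backend unchanged (legacy switch disabled)"`. Dropping `iptables -F` also means the `iptables -A` rules that follow are appended to whatever INPUT already contains, so a second run of this script stacks duplicate ACCEPT/DROP rules. If the flush was removed on purpose, a one-line comment saying why (and whether k3s no longer needs iptables-legacy) would stop the next reader from reinstating it.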
@@ -78,13 +74,23 @@ systemctl enable iptables-persistent
 #================================================================
 # Post install knockd configuration
 #================================================================
-echo "Configuring port knocking..."
-sed -i '/UseSyslog/a\ \ \ \ \ \ \ \ \interface=wlan0' /rootfs/etc/knockd.conf
-sed -i '/UseSyslog/a\ \ \ \ \ \ \ \ \logfile = /var/log/knockd.log' /rootfs/etc/knockd.conf
-sed -i "s/sequence = 7000,8000,9000/sequence = 6315,3315,1315,5315/" /rootfs/etc/knockd.conf
-sed -i "s/sequence = 9000,8000,7000/sequence = 5315,1315,3315,6315/" /rootfs/etc/knockd.conf
+echo "Writing port knocking configuration file..."
+cat << EOF > /rootfs/etc/knockd.conf
+[options]
+ UseSysLog
+ logfile = /var/log/knockd.log
+ interface=wlan0
+[ssh]
+ sequence = 6315,3315,1315,5315
+ seq_timeout = 15
+ start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 2122 -j ACCEPT
+ tcpflags = syn
+ cmd_timeout = 60
+ stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2122 -j ACCEPT
+EOF
 echo "Enabling port knocking..."
+sed -i "s/START_KNOCKD=0/START_KNOCKD=1/" /rootfs/etc/default/knockd
 systemctl enable knockd
 echo "Restarting knock service..."
diff --git a/readme.org b/readme.org
index c98fd27..598564a 100644
--- a/readme.org
+++ b/readme.org
@@ -1,3 +1,4 @@
+B
 #+TITLE: Raspberry pi k3s cluster guide
 #+AUTHOR: James Blair
 #+EMAIL: mail@jamesblair.net
@@ -81,8 +82,8 @@ raspberry pis.
 Checking file is now present
 -rw-rw-rw- 1 james james 60299545 Aug 12 08:35 raspberrypi-ua-netinst-v2.4.0.zip
 Extracting the zip file
- drwxrwxrwx 1 james james 4096 Jan 20 09:31 installer
- -rwxrwxrwx 1 james james 2843 Jan 9 08:12 installer-config.txt
+ drwxrwxrwx 1 james james 4096 Jan 20 11:12 installer
+ -rwxrwxrwx 1 james james 2863 Jan 10 17:04 installer-config.txt
 #+end_example
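Review bot: The knock sequence `6315,3315,1315,5315` written into the heredoc is a shared secret — with the static ACCEPT for port 2122 removed in the previous hunk it is the only gate in front of SSH — yet it is committed verbatim to the repository and lands in /rootfs/etc/knockd.conf under the script's default umask, so it is presumably world-readable on the installed system. Consider taking it from the environment inside the already-unquoted heredoc, `sequence = ${KNOCK_SEQUENCE:?knock sequence not set}`, and tightening the file right after `EOF` with `chmod 600 /rootfs/etc/knockd.conf`. A short comment above `[ssh]` would also help: the `stop_command` fired after `cmd_timeout = 60` only closes the hole for new connections, because the earlier `ESTABLISHED,RELATED` ACCEPT keeps an already-open SSH session alive, so the 60 seconds are a window to connect in, not a session limit.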
@@ -115,7 +116,7 @@ raspberry pis.
 3 23 157 installer/raspberrypi-ua-netinst/config/installer-config.txt
 Overwriting /installer/raspberrypi-ua-netinst/config/installer-config.txt
 Display wordcount of file after copy to validate update
- 67 85 2843 installer/raspberrypi-ua-netinst/config/installer-config.txt
+ 67 85 2863 installer/raspberrypi-ua-netinst/config/installer-config.txt
 #+end_example
@@ -142,7 +143,7 @@ raspberry pis.
 #+begin_example
 Copying in post-install.txt
 Display wordcount of file after copy to validate
- 92 290 3483 installer/raspberrypi-ua-netinst/config/post-install.txt
+ 98 282 3429 installer/raspberrypi-ua-netinst/config/post-install.txt
 #+end_example
@@ -221,7 +222,7 @@ raspberry pis.
 echo Mount the new partition in wsl
 sudo mkdir /mnt/d
- sudo mount -t drvfs d: /mnt/d
+ sudo mount -t drvfs d: /mnt/e/
 echo Copy the contents of installer to sd
 cp -r installer/* /mnt/d/