Refined firewall configuration.

post-install.txt

@@ -50,8 +50,8 @@ echo "PS1='\[\033[02;31m\]\u@\H:\[\033[01;34m\]\w\$\[\033[00m\] '" >> /rootfs/ho
 # Post install firewall configuration
 #================================================================
 echo "Switch to legacy iptables for k3s support"
-iptables -F
+#iptables -F
-update-alternatives --set iptables /usr/sbin/iptables-legacy
+#update-alternatives --set iptables /usr/sbin/iptables-legacy
 
 echo "Allowing local traffic in iptables"
 iptables -A INPUT -i lo -j ACCEPT
@@ -59,10 +59,6 @@ iptables -A INPUT -i lo -j ACCEPT
 echo "Allow all established connections in iptables"
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-echo "Allow ssh connections in iptables"
-iptables -A INPUT  -p tcp --dport 2122 -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 2122 -j ACCEPT
-
 echo "Drop all other traffic"
 iptables -A INPUT -j DROP
 
@@ -78,13 +74,23 @@ systemctl enable iptables-persistent
 #================================================================
 # Post install knockd configuration
 #================================================================
-echo "Configuring port knocking..."
+echo "Writing port knocking configuration file..."
-sed -i '/UseSyslog/a\ \ \ \ \ \ \ \ \interface=wlan0' /rootfs/etc/knockd.conf
+cat << EOF > /rootfs/etc/knockd.conf
-sed -i '/UseSyslog/a\ \ \ \ \ \ \ \ \logfile = /var/log/knockd.log' /rootfs/etc/knockd.conf
+[options]
-sed -i "s/sequence    = 7000,8000,9000/sequence    = 6315,3315,1315,5315/" /rootfs/etc/knockd.conf
+  UseSysLog
-sed -i "s/sequence    = 9000,8000,7000/sequence    = 5315,1315,3315,6315/" /rootfs/etc/knockd.conf
+  logfile = /var/log/knockd.log
+  interface=wlan0
+[ssh]
+  sequence = 6315,3315,1315,5315
+  seq_timeout = 15
+  start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 2122 -j ACCEPT
+  tcpflags = syn
+  cmd_timeout = 60
+  stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2122 -j ACCEPT
+EOF
 
 echo "Enabling port knocking..."
+sed -i "s/START_KNOCKD=0/START_KNOCKD=1/" /rootfs/etc/default/knockd
 systemctl enable knockd
 
 echo "Restarting knock service..."

readme.org

@@ -1,3 +1,4 @@
+B
 #+TITLE: Raspberry pi k3s cluster guide
 #+AUTHOR: James Blair
 #+EMAIL: mail@jamesblair.net
@@ -81,8 +82,8 @@ raspberry pis.
   Checking file is now present
   -rw-rw-rw- 1 james james 60299545 Aug 12 08:35 raspberrypi-ua-netinst-v2.4.0.zip
   Extracting the zip file
-  drwxrwxrwx 1 james james     4096 Jan 20 09:31 installer
+  drwxrwxrwx 1 james james     4096 Jan 20 11:12 installer
-  -rwxrwxrwx 1 james james     2843 Jan  9 08:12 installer-config.txt
+  -rwxrwxrwx 1 james james     2863 Jan 10 17:04 installer-config.txt
   #+end_example
 
 
@@ -115,7 +116,7 @@ raspberry pis.
      3  23 157 installer/raspberrypi-ua-netinst/config/installer-config.txt
    Overwriting /installer/raspberrypi-ua-netinst/config/installer-config.txt
    Display wordcount of file after copy to validate update
-     67   85 2843 installer/raspberrypi-ua-netinst/config/installer-config.txt
+     67   85 2863 installer/raspberrypi-ua-netinst/config/installer-config.txt
    #+end_example
 
 
@@ -142,7 +143,7 @@ raspberry pis.
    #+begin_example
    Copying in post-install.txt
    Display wordcount of file after copy to validate
-     92  290 3483 installer/raspberrypi-ua-netinst/config/post-install.txt
+     98  282 3429 installer/raspberrypi-ua-netinst/config/post-install.txt
    #+end_example
 
 
@@ -221,7 +222,7 @@ raspberry pis.
 
   echo Mount the new partition in wsl
   sudo mkdir /mnt/d
-  sudo mount -t drvfs d: /mnt/d
+  sudo mount -t drvfs d: /mnt/e/
 
   echo Copy the contents of installer to sd
   cp -r installer/* /mnt/d/