User:Djgera/papucho

Revision as of 23:25, 21 April 2016 by Djgera (talk | contribs)

Software configuration

iptables

/etc/iptables/iptables.rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Source NAT for the three "inner" networks -- the AP subnet (ap1), the TCP VPN
# subnet (tun6) and the UDP VPN subnet (tun17), see the *filter FORWARD rules --
# whenever their traffic leaves through net0.  Packets whose destination is
# already inside the LAN 192.168.91.0/28 are left untouched, so LAN hosts see
# the real 10.x/172.16.x source and presumably have a return route via this
# host (not shown on this page).
# NOTE(review): SNAT pins the outside address to 192.168.91.3; if net0 is ever
# re-addressed these rules silently break, whereas MASQUERADE would follow the
# interface address.
-A POSTROUTING -s 172.16.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3
-A POSTROUTING -s 10.6.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3
-A POSTROUTING -s 10.17.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3

COMMIT


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Default-deny for inbound and forwarded traffic; outbound is open apart from
# the single time-based OUTPUT rule at the end of this table.
# Interfaces used below: net0 = LAN (192.168.91.0/28, this host is .3),
# ap1 = access point (172.16.93.0/28), tun6 = OpenVPN over TCP (10.6.93.0/28),
# tun17 = OpenVPN over UDP (10.17.93.0/28) -- see the openvpn configs on this
# page for the tun numbering and addressing.

# Stateful preamble: drop malformed/unknown state, accept replies to our own
# connections, trust loopback.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Answer pings from any interface and any source.
# NOTE(review): no rate limit here; `-m limit --limit 1/s` (or similar) is the
# usual guard against ping floods.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Multicast arriving on the LAN, any protocol.
-A INPUT -i net0 -m pkttype --pkt-type multicast -j ACCEPT

# Per-host allow list for LAN hosts .2, .4 and .6.  Anything else from net0
# falls through to the REJECT tail at the end of INPUT.
# tcp/22 (SSH) for .2, .4, .6.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT

# tcp/80 (HTTP) for .2 and .4 only.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT

# tcp/445 (SMB/CIFS) for .2, .4, .6.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT


# OpenVPN (1194, both transports; see the openvpn-udp / openvpn-tcp server
# configs on this page) from sources *outside* the LAN that still arrive on
# net0 -- routed traffic, which also covers the 172.16.92.0/28 hosts further
# down.  Each packet that gets this far is logged before being accepted.
# NOTE(review): the two LOG rules have no `-m limit`, so a scan of 1194 writes
# one kernel log line per packet.  Add e.g.
# `-m limit --limit 5/min --limit-burst 10` to both LOG rules.
# NOTE(review): because of `! -s`, LAN hosts cannot reach the VPN port at all;
# presumably intended since they have direct access -- confirm.
-A INPUT ! -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 1194 -j LOG
-A INPUT ! -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT ! -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 1194 -j LOG
-A INPUT ! -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 1194 -j ACCEPT

# tcp/2049 (NFS) from .2 only.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 2049 -j ACCEPT

# tcp/5901 (VNC display :1) for .2, .4, .6.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT

# 5001 tcp+udp from the whole LAN (iperf's default port, presumably).
-A INPUT -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 5001 -j ACCEPT

# tcp/9091 for .2, .4, .6 (Transmission's default web UI port, presumably).
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT

# 55555 tcp+udp to this host's own LAN address from *any* source on net0.
# This port is excluded from connection tracking in the *raw table below, so
# the RELATED,ESTABLISHED rule above never matches it and an explicit ACCEPT
# is required.  The service behind it is not shown on this page.
# NOTE(review): unlike every other service rule this one has no source
# restriction -- confirm that is intended.
-A INPUT -d 192.168.91.3/32 -i net0 -p tcp -m tcp --dport 55555 -j ACCEPT
-A INPUT -d 192.168.91.3/32 -i net0 -p udp -m udp --dport 55555 -j ACCEPT


# A second host group, 172.16.92.0/28, reached through net0 (routed; how it
# gets there is not shown here).  Same services as LAN hosts .4 and .6:
# SSH, HTTP (.4 only), SMB, VNC, 9091, and 5001 for the whole /28.  No NFS.
-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 172.16.92.0/28 -i net0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 172.16.92.0/28 -i net0 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT


# Access-point clients on ap1 (172.16.93.0/28): SSH for .4/.6 only.
-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 22 -j ACCEPT


# Multicast on the AP side, any protocol.
-A INPUT -i ap1 -m pkttype --pkt-type multicast -j ACCEPT

# DHCP requests (client port 68 -> server port 67) so this host can hand out
# leases on ap1.  The DHCP server itself is not shown on this page.
-A INPUT -i ap1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT

# SMB, 5001, VNC and 9091 for the AP clients, same pattern as the LAN.
# No HTTP is exposed on ap1.
-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 172.16.93.0/28 -i ap1 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 172.16.93.0/28 -i ap1 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 9091 -j ACCEPT


# VPN clients over TCP (tun6).  Their addresses are fixed by the ccd-tcp
# ifconfig-push entries on this page (netbook = .4, android = .6), which is
# what makes per-host rules workable here.
# NOTE(review): the third TCP client, djgera-netet28 at 10.6.93.8, matches none
# of the per-host rules and only gets 5001 through the /28 rules.
-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 10.6.93.0/28 -i tun6 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 10.6.93.0/28 -i tun6 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 9091 -j ACCEPT

# VPN clients over UDP (tun17), same matrix; addresses from ccd-udp.
-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 10.17.93.0/28 -i tun17 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 10.17.93.0/28 -i tun17 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 9091 -j ACCEPT

# Explicit reject tail: TCP gets a RST, UDP a port-unreachable, everything
# else a proto-unreachable.  Nothing reaches the DROP policy after this.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Forwarding: same stateful preamble as INPUT.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# LAN -> both tunnels and the AP.
-A FORWARD -s 192.168.91.0/28 -i net0 -o tun6 -j ACCEPT
-A FORWARD -s 192.168.91.0/28 -i net0 -o tun17 -j ACCEPT
-A FORWARD -s 192.168.91.0/28 -i net0 -o ap1 -j ACCEPT

# AP and tunnels -> net0 (source-NATed by the *nat table unless the destination
# is inside the LAN).  There is no ap1 <-> tun* and no tun6 <-> tun17 path.
-A FORWARD -s 172.16.93.0/28 -i ap1 -o net0 -j ACCEPT

# NOTE(review): tun6 forwarding is limited to `-s 10.6.93.0/28`.  The
# 10.101.9.0/24 network announced by `iroute` in ccd-tcp/djgera-netet28 would
# be rejected here, and the matching `route` line in djgera-tcp.conf is
# commented out -- presumably that subnet is not in use; confirm.
-A FORWARD -s 10.6.93.0/28 -i tun6 -o net0 -j ACCEPT
-A FORWARD -s 10.17.93.0/28 -i tun17 -o net0 -j ACCEPT

# Same reject tail for forwarded traffic.
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-proto-unreachable

# Block all outbound traffic of uid 1001 via net0 between 05:00 and 12:00.
# Other interfaces (ap1, tun*) are unaffected.
# NOTE(review): `-m time` compares against UTC unless `--kerneltz` is given --
# confirm the window is expressed in the intended time zone.
-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 05:00:00 --timestop 12:00:00 -j DROP

COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Take port 55555 (tcp+udp, to and from this host's net0 address) out of
# connection tracking in both directions.  Consequence: the RELATED,ESTABLISHED
# rules in *filter never see this traffic, which is why that table carries
# explicit INPUT ACCEPTs for 55555.  The service behind the port is not shown
# on this page.
-A PREROUTING -d 192.168.91.3/32 -i net0 -p tcp -m tcp --dport 55555 -j CT --notrack
-A PREROUTING -d 192.168.91.3/32 -i net0 -p udp -m udp --dport 55555 -j CT --notrack
-A OUTPUT -s 192.168.91.3/32 -o net0 -p tcp -m tcp --sport 55555 -j CT --notrack
-A OUTPUT -s 192.168.91.3/32 -o net0 -p udp -m udp --sport 55555 -j CT --notrack
COMMIT

openvpn-udp (SERVER)

/etc/openvpn/djgera-udp.conf
# OpenVPN server, UDP transport.  Clients land on tun17 / 10.17.93.0/28, the
# names the iptables rules on this page refer to.
port 1194
proto udp
dev tun17

# PKI material from the easy-rsa steps at the bottom of this page (server cert
# built with `pkitool --server djgera`).  Relative paths resolve against
# OpenVPN's working directory -- presumably /etc/openvpn; confirm for the
# service unit in use.
ca ca.crt
cert djgera.crt
key djgera.key

dh dh2048.pem

# Only accept peers whose certificate carries the client role, so a server
# certificate cannot be reused to connect as a client (the clients do the
# mirror check with `remote-cert-tls server`).
remote-cert-tls client

# Long-hand form of the usual `server` block: TLS server, subnet topology,
# server address .3, with topology and gateway pushed to the clients.
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.17.93.3 255.255.255.240
route-gateway 10.17.93.3
push "route-gateway 10.17.93.3"

# Ping every 10 s, restart after 120 s of silence; in server mode the ping
# settings are pushed to clients as well.
keepalive 10 120

# Extra HMAC on the control channel; server uses direction 0, the client
# configs below use 1.
tls-auth ta.key
key-direction 0

# NOTE(review): link compression is deprecated in newer OpenVPN releases
# because of compression-oracle attacks on encrypted traffic; remove it here
# and in the client configs together.
comp-lzo

# Keep key material and the tun device across SIGUSR1 restarts.
# NOTE(review): these two are normally paired with a privilege drop
# (`user nobody` / `group nobody`), which is absent here, so the daemon
# presumably keeps running as root.
persist-key
persist-tun

verb 3

# NOTE(review): no `cipher`, `auth` or `tls-version-min` directive, so the
# build's defaults apply; pinning them keeps both ends in agreement and stops
# an upgrade from silently changing them.
# Route to the LAN behind the server (allowed by the FORWARD rules above).
# Nothing else is pushed, so clients keep their own default route.
push "route 192.168.91.0 255.255.255.240"
# Fixed per-client addresses come from the files below; the per-host iptables
# rules for 10.17.93.4 / .6 depend on them.
client-config-dir /etc/openvpn/ccd-udp
/etc/openvpn/ccd-udp/djgera-android
# Static address for the android client; the 10.17.93.6 iptables rules rely on it.
ifconfig-push 10.17.93.6 255.255.255.240
/etc/openvpn/ccd-udp/djgera-netbook
# Static address for the netbook client; the 10.17.93.4 iptables rules rely on it.
ifconfig-push 10.17.93.4 255.255.255.240

openvpn-tcp (SERVER)

/etc/openvpn/djgera-tcp.conf
# OpenVPN server, TCP transport.  Identical to djgera-udp.conf except for the
# transport, the device (tun6) and the subnet (10.6.93.0/28).
port 1194
proto tcp-server
dev tun6

# Same PKI files as the UDP instance; relative paths resolve against OpenVPN's
# working directory -- presumably /etc/openvpn; confirm for the service unit.
ca ca.crt
cert djgera.crt
key djgera.key

dh dh2048.pem

# Reject peers whose certificate lacks the client role.
remote-cert-tls client

# Long-hand `server` block: TLS server, subnet topology, server address .3,
# topology and gateway pushed to the clients.
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.6.93.3 255.255.255.240
route-gateway 10.6.93.3
push "route-gateway 10.6.93.3"

# Ping every 10 s, restart after 120 s of silence (pushed to clients in
# server mode).
keepalive 10 120

# Control-channel HMAC; server direction 0, clients direction 1.
tls-auth ta.key
key-direction 0

# NOTE(review): compression is deprecated in newer OpenVPN releases because
# of compression-oracle attacks; remove here and on the clients together.
comp-lzo

# Survive SIGUSR1 restarts without re-reading keys or re-opening tun6.
# NOTE(review): no `user` / `group` privilege drop accompanies these, so the
# daemon presumably keeps running as root.
persist-key
persist-tun

verb 3

# NOTE(review): no `cipher`, `auth` or `tls-version-min` directive -- the
# build's defaults apply; pin them explicitly.
# Route to the LAN behind the server (allowed by the FORWARD rules above).
push "route 192.168.91.0 255.255.255.240"
# NOTE(review): left commented out, yet ccd-tcp/djgera-netet28 below still
# carries `iroute 10.101.9.0 255.255.255.0`.  Without this kernel route the
# iroute has nothing to serve, and the FORWARD rules would reject that source
# anyway -- either re-enable both sides or drop the iroute.
#route 10.101.9.0 255.255.255.0
# Fixed per-client addresses from the files below; the per-host iptables rules
# for 10.6.93.4 / .6 depend on them.
client-config-dir /etc/openvpn/ccd-tcp
/etc/openvpn/ccd-tcp/djgera-android
# Static address for the android client; the 10.6.93.6 iptables rules rely on it.
ifconfig-push 10.6.93.6 255.255.255.240
/etc/openvpn/ccd-tcp/djgera-netbook
# Static address for the netbook client; the 10.6.93.4 iptables rules rely on it.
ifconfig-push 10.6.93.4 255.255.255.240
/etc/openvpn/ccd-tcp/djgera-netet28
# Static address for the netet28 client.  No per-host iptables rule exists for
# 10.6.93.8, so this client only reaches the /28-wide 5001 rules.
ifconfig-push 10.6.93.8 255.255.255.240
# Declares that 10.101.9.0/24 sits behind this client.
# NOTE(review): the corresponding `route 10.101.9.0 255.255.255.0` in
# djgera-tcp.conf is commented out and the FORWARD chain only allows
# -s 10.6.93.0/28 on tun6, so this iroute is presumably dead -- confirm.
iroute 10.101.9.0 255.255.255.0


openvpn (CLIENT)

djgera-netbook-tcp.conf
# OpenVPN client (netbook) for the TCP server on this page.
client

dev tun

# The server listens on 1194 (djgera-tcp.conf); 2068 here is presumably a port
# forward on the router in front of it -- confirm.
proto tcp-client
remote <HOST>
port 2068

# Do not bind a fixed local port.
nobind

# Keep key material and the tun device across SIGUSR1 restarts.
persist-key
persist-tun

# Refuse servers whose certificate lacks the server role (the server cert was
# built with `pkitool --server djgera`), so another client's cert cannot pose
# as the server.
remote-cert-tls server

# NOTE(review): compression is deprecated upstream (compression-oracle
# attacks); remove together with the server side.
comp-lzo

# Control-channel HMAC; direction 1 mirrors the server's 0.
tls-auth ta.key
key-direction 1

# Cert/key from `pkitool --pass djgera-netbook`: the private key is presumably
# passphrase-protected, so OpenVPN prompts at startup unless `askpass` is used.
ca ca.crt
cert djgera-netbook.crt
key djgera-netbook.key
djgera-android-udp.conf
# OpenVPN client (android) for the UDP server on this page.
client

dev tun

# The server listens on 1194 (djgera-udp.conf); 2068 here is presumably a port
# forward on the router in front of it -- confirm.
proto udp
remote <HOST>
port 2068

# Do not bind a fixed local port.
nobind

# Keep key material and the tun device across SIGUSR1 restarts.
persist-key
persist-tun

# Refuse servers whose certificate lacks the server role (built with
# `pkitool --server djgera`).
remote-cert-tls server

# NOTE(review): compression is deprecated upstream (compression-oracle
# attacks); remove together with the server side.
comp-lzo

# Control-channel HMAC; direction 1 mirrors the server's 0.
tls-auth ta.key
key-direction 1

# Cert/key from `pkitool --pass djgera-android`: the private key is presumably
# passphrase-protected, so OpenVPN prompts at startup unless `askpass` is used.
ca ca.crt
cert djgera-android.crt
key djgera-android.key

easy-rsa

vars
...
# Subject fields stamped into every certificate built by the commands below
# (CA, server and clients).  Only the changed lines of easy-rsa's vars are
# shown here.
export KEY_COUNTRY="AR"
export KEY_PROVINCE="Ciudad de Buenos Aires"
export KEY_CITY="Ciudad de Buenos Aires"
export KEY_ORG="Gerardo Exequiel Pozzi"
export KEY_EMAIL="<USER@HOST>"
export KEY_OU="Gerardo Exequiel Pozzi"
...
# Load the vars above into the current shell (easy-rsa 2 style).
$ . ./vars
# Destructive: removes the key directory ($KEY_DIR, keys/ by default),
# including any existing CA.  Only for bootstrapping a fresh PKI.
$ ./clean-all
# Diffie-Hellman parameters -- the dh2048.pem used by both server configs,
# assuming KEY_SIZE is 2048 in vars (not shown above).
$ ./build-dh
# CA first, then the server certificate with the server role that the clients'
# `remote-cert-tls server` checks for.
$ ./pkitool --initca
$ ./pkitool --server djgera
# Client certificates; --pass protects each private key with a passphrase.
$ ./pkitool --pass djgera-netbook
$ ./pkitool --pass djgera-android
# Shared tls-auth key; copied to every client (key-direction 0 on the server,
# 1 on the clients).
$ openvpn --genkey --secret ta.key