@pjammer
Last active September 30, 2015 13:08
Gentoo server install.
Follow the usual getting started ssh setup plus syncing up emerge, other starters.
http://articles.slicehost.com/2010/11/19/gentoo-10-1-setup-part-1
http://articles.slicehost.com/2010/11/19/gentoo-10-1-setup-part-2
For user adding:
useradd -m -G wheel -g deployer deployer
We had the fortune of updating to openrc; this called for us to run:
sudo dispatch-conf
sudo etc-update
I'm pretty sure you do these after all updates, but this one had a scary message that we wouldn't be able to re-log in after.
iptables: use the https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall file, with the line about the ssh port appended.
Install Git (gets curl needed for rvm)
Install Postgresql
sudo emerge postgresql-server
follow the message below:
* Before initializing the database, you may want to edit PG_INITDB_OPTS so that it
* contains your preferred locale and character encoding in:
*
* /etc/conf.d/postgresql-9.0
* Add
* PG_INITDB_OPTS="--locale=en_US.UTF-8"
* Then, execute the following command to setup the initial database environment:
*
* emerge --config =dev-db/postgresql-server-9.0.3
ran command and got:
* You can change the directory where the database cluster is being created by
* setting the PGDATA variable.
*
* PG_INITDB_OPTS is currently set to:
* "--locale=en_US.UTF-8"
* and the database cluster will be created in:
* "/var/lib/postgresql/9.0/data"
Said Y
WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the -A option the
next time you run initdb.
Success. You can now start the database server using:
/usr/lib64/postgresql-9.0/bin/postgres -D /var/lib/postgresql/9.0/data
or
/usr/lib64/postgresql-9.0/bin/pg_ctl -D /var/lib/postgresql/9.0/data -l logfile start
*
* You can use the '/etc/init.d/postgresql-9.0' script to run PostgreSQL
* instead of 'pg_ctl'.
*
sudo usermod -a -G postgres deployer
/etc/init.d/postgresql-9.0 start
sudo rc-update add postgresql-9.0 default
Adding the above makes postgres start at reboot.
** Watch that group: wheel got disenfucked and I couldn't sudo. You'll also need to re-log in as deployer for it to stick for some reason... need to find out why **
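The initdb warning above means local connections are accepted without a password until pg_hba.conf is edited. One way to check for that, as an added example that is not part of the original notes; the function names and both sample files are constructed, and unquoted database/user names are assumed:

```shell
#!/bin/sh
# Added example: flag pg_hba.conf rules whose METHOD is "trust".
# Assumes unquoted database/user names; all sample data is constructed.

# Reads pg_hba.conf text on stdin, prints "line N: <rule>" per trust rule.
find_trust_rules() {
    awk '
        { sub(/#.*/, "") }        # strip comments
        NF == 0 { next }          # skip blank lines
        {
            # METHOD is field 4 for local rules. For host rules it is
            # field 5 (CIDR or hostname) or field 6 (IP plus netmask).
            if (($1 == "local" && $4 == "trust") ||
                ($1 ~ /^host/ && ($5 == "trust" || $6 == "trust"))) {
                $1 = $1           # collapse runs of whitespace
                printf "line %d: %s\n", NR, $0
            }
        }'
}

# Status 0 when no trust rule exists; otherwise prints them and returns 1.
audit_pg_hba() {
    found=$(find_trust_rules)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# What initdb leaves behind after the warning shown above (constructed).
INITDB_DEFAULT='# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
local   all  all                trust
host    all  all  127.0.0.1/32  trust
host    all  all  ::1/128       trust'

# Password-based variant; the last rule has a database and a role that are
# literally named trust, which must not be reported (constructed).
HARDENED='local  all    all                               md5
host   all    all    127.0.0.1/32                md5
host   trust  trust  10.0.0.5   255.255.255.255  md5'

printf '%s\n' "$INITDB_DEFAULT" | audit_pg_hba || echo "=> trust rules present"
printf '%s\n' "$HARDENED" | audit_pg_hba && echo "=> no trust rules"
```

On the server, feed it the real file: audit_pg_hba < /var/lib/postgresql/9.0/data/pg_hba.conf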
adding deployer as postgresql user
---
createuser --interactive deployer
Migrate Database: psql -d db_name -U db_owner_username -W < backup.sql
Make sure to use mysql2pgsql gem... worked like a charm in way less time... 10s of minutes less.
Install RVM
Basics. However, installing the deps for ruby made me emerge gentoolkit and use revdep-rebuild.
Install ruby-1.9.2p180
rvm install 1.9.2
Install nginx
http://sirupsen.com/setting-up-unicorn-with-nginx/
These two configs work. Added deployer to nginx group.
Install Unicorn
gem install unicorn
We'll use the default gentoo one with a change to the servername.
emerge logrotate and add to /etc/logrotate.conf (sp?)
/home/deployer/projectname/log/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    copytruncate
    # create has no effect while copytruncate is set
    create 0666 deployer deployer
}
emerge monit and edit config at :
check process nginx
    with pidfile /tmp/nginx.pid
    start program = "/etc/init.d/nginx start"
    stop program = "/etc/init.d/nginx stop"
    if failed host IP_ADDRESS port 80 protocol HTTP then restart # set your server IP that runs nginx
    if 5 restarts within 5 cycles then timeout
    if cpu is greater than 30% for 2 cycles then alert
    if cpu is greater than 50% for 5 cycles then restart
    if totalmem is greater than 50.0 MB for 5 cycles then restart
    if children is greater than 10 then restart
#!/bin/bash
# vars
IPT=/sbin/iptables
# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open the following ports
echo " * allowing ssh on port 22200"
$IPT -A INPUT -p tcp --dport 22200 -m state --state NEW -j ACCEPT
echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
echo " * allowing https on port 443"
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
echo " * allowing ping (ICMP echo requests)"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP
#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save
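With INPUT defaulting to DROP, new SSH logins only get through the rule for port 22200, so that port has to match what sshd actually listens on. A pre-flight check for that, as an added example that is not part of the original script; the function names and the sshd_config samples are constructed, and only single-port --dport rules are handled:

```shell
#!/bin/sh
# Added example: before loading a default-DROP ruleset, confirm each port
# sshd listens on has a tcp ACCEPT rule on INPUT. Function names are
# hypothetical; only single-port --dport rules are handled.

# Ports from sshd_config text on stdin; sshd uses 22 when no Port is set.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }'
}

# TCP ports accepted on INPUT, from "iptables -A ..." script lines or
# iptables-save output on stdin.
accepted_tcp_ports() {
    awk '
        /^[ \t]*#/ { next }
        /-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# $1 = sshd_config text, $2 = ruleset text. Prints every sshd port that
# has no ACCEPT rule and returns 1 if there is one.
check_ssh_reachable() {
    allowed=$(printf '%s\n' "$2" | accepted_tcp_ports)
    missing=0
    for port in $(printf '%s\n' "$1" | sshd_ports); do
        printf '%s\n' "$allowed" | grep -qx "$port" || { echo "$port"; missing=1; }
    done
    return $missing
}

# Three rules copied from the script above.
RULES='$IPT -A INPUT -p tcp --dport 22200 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT'

SSHD_CUSTOM='Port 22200
PermitRootLogin no'          # constructed: sshd moved to 22200
SSHD_DEFAULT='#Port 22
PermitRootLogin no'          # constructed: sshd still on the default port

check_ssh_reachable "$SSHD_CUSTOM" "$RULES" && echo "ok: ssh port is open"
check_ssh_reachable "$SSHD_DEFAULT" "$RULES" || echo "^ not allowed: would lock you out"
```

The ESTABLISHED,RELATED rule keeps an already open session alive, so a mismatch only shows up at the next login attempt.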