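#!/bin/bash
# Minimal stateful INPUT firewall for a single-uplink host.
# very helpful is: https://help.ubuntu.com/community/IptablesHowTo -brendan
#
# Usage (as root): firewall start|stop|restart
# type: sudo iptables -L to see the current rules
#
# NOTE(review): only IPv4 (iptables) is configured. If this host has a
# routable IPv6 address, ip6tables is left untouched and every listening
# service is reachable over v6 regardless of SERVICES below.
set -eu
# Interface facing the public internet; everything else is trusted outright.
UPLINK="eth0"
# Change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0"
# Change this line so that it lists the assigned numbers or symbolic names (from
# /etc/services) of all the services that you'd like to provide to the general
# public. If you don't want any services enabled, set it to ""
SERVICES="http https ssh"
# Add IPs that you wish to give full access (every port, every protocol) to
# here, space separated.
#ALLOW="66.66.66.66"
# ${ALLOW:-} rather than $ALLOW: with `set -u` the original aborted with
# "ALLOW: unbound variable" whenever the line above is left commented out, so
# the firewall never started. As before, a value exported in the caller's
# environment is also picked up -- keep that in mind when invoking this from
# other scripts. Loopback is always trusted.
ALLOW="${ALLOW:-} 127.0.0.1"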
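# ---------------------------------------------------------------------------
# Actions. Rules are appended while the INPUT policy is still ACCEPT and the
# policy is flipped to DROP as the very last step: if an iptables call fails
# part-way (set -e aborts the script) the host stays reachable instead of
# being left with a half-built chain under a DROP policy -- a classic remote
# lock-out. The original set DROP first.
# ---------------------------------------------------------------------------

# Populate the INPUT chain from UPLINK/ALLOW/SERVICES and tighten two sysctls.
# Not idempotent: calling start twice appends every rule twice; use restart.
fw_start() {
  echo "Starting firewall..."
  echo "All ports for these hosts:" $ALLOW
  echo "Full internet for these services:" $SERVICES
  # Traffic that does not arrive on the uplink (lo, private NICs) is trusted.
  # `! -i` is the option-prefixed negation; `-i !` is the deprecated spelling.
  iptables -A INPUT ! -i "${UPLINK}" -j ACCEPT
  # Replies to connections this host opened, plus related flows.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Trusted hosts get every port and protocol, with no logging.
  for host in ${ALLOW}; do
    iptables -A INPUT -s "${host}" -j ACCEPT
  done
  # Public services: new TCP connections only. A UDP service listed in
  # SERVICES is NOT opened by this loop; it needs an explicit -p udp rule.
  for svc in ${SERVICES}; do
    iptables -A INPUT -p tcp --dport "${svc}" -m state --state NEW -j ACCEPT
  done
  # Everything else from the uplink is actively rejected: legitimate clients
  # fail fast, at the cost of telling scanners the host is up (DROP would
  # slow a scan down but is not a real barrier).
  iptables -A INPUT -p tcp -i "${UPLINK}" -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p udp -i "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable
  # Default for whatever the rules above did not match (e.g. ICMP on the uplink).
  iptables -P INPUT DROP
  # Explicitly disable ECN
  if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
  fi
  # Reverse-path filtering on every interface: a packet whose source address
  # would not be routed back out the interface it arrived on is dropped
  # (basic source-address spoofing defence).
  for ifc in ${INTERFACES}; do
    echo 1 > "/proc/sys/net/ipv4/conf/${ifc}/rp_filter"
  done
}

# Open everything again: flush INPUT, restore the ACCEPT policy, drop NAT rules.
fw_stop() {
  echo "Stopping firewall..."
  iptables -F INPUT
  iptables -P INPUT ACCEPT
  # Turn off NAT/masquerading, if any
  iptables -t nat -F POSTROUTING
}

# ${1:-}: with `set -u`, a bare "$1" aborts with "unbound variable" before the
# usage error below can ever be printed. An unrecognised action is now an
# error too; the original fell off the end of the if-chain and exited 0
# having done nothing, so a typo looked like success.
case "${1:-}" in
  start)   fw_start ;;
  stop)    fw_stop ;;
  restart) fw_stop; fw_start ;;
  "")
    echo "ERROR didn't specify start, stop, or restart." >&2
    exit 1
    ;;
  *)
    echo "ERROR unknown action '$1' (use start, stop, or restart)." >&2
    exit 1
    ;;
esac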
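set -eux
echo welcome to my awesome machine yo! > /etc/motd
###### USERS ######
# Skip groupadd if the group already exists so a re-run does not abort (set -e).
getent group wheel >/dev/null || groupadd wheel
# best dotfiles evar
# NOTE(review): these land in /etc/skel (every future user) and /root and are
# sourced by each login shell, yet they are fetched over plain HTTP with no
# integrity check -- anyone on the network path can inject commands that run
# as root at the next login. Vendor them next to this script or verify a
# checksum. `-f` at least makes curl fail on an HTTP error instead of saving
# the error page as the dotfile, which the original did silently.
for f in .inputrc .vimrc .zshrc; do
  curl -fsS "dotfiles.org/~brendano/$f" > "/etc/skel/$f"
done
echo "alias ll='ls -l'" >> /etc/skel/.bashrc
# sudo gem install will pick up this, makes things go way faster
echo 'gem: --no-ri --no-rdoc' > /etc/skel/.gemrc
for f in .inputrc .vimrc .zshrc .gemrc; do
  cp "/etc/skel/$f" /root
done
USERS="yourself deployer"
# The original set the literal "123something" as the password of every
# account here -- sudo-capable accounts -- while sshd (SSH section below)
# still accepts password logins from anywhere the firewall admits ssh: a
# brute-forceable default credential. Take the initial password from the
# environment instead. ${VAR:+x} is tested rather than the value so the
# secret never appears in the `set -x` trace.
[ -n "${INITIAL_PASSWORD:+x}" ] || {
  echo "ERROR: INITIAL_PASSWORD must be set (initial password for: $USERS)" >&2
  exit 1
}
for u in $USERS; do
  useradd -m -G users,wheel -s /bin/bash "$u"
  # chpasswd reads user:password from stdin; a here-string keeps the secret
  # out of argv (`ps`) and xtrace does not print redirections.
  chpasswd <<<"$u:$INITIAL_PASSWORD"
  # ~/.ssh as ssh-keygen would create it: 0700, owned by the user (Ubuntu's
  # useradd gives each user a same-named group). The original root-owned
  # 0755 directory passes sshd's StrictModes check but left the user unable
  # to add their own authorized_keys.
  install -d -m 0700 -o "$u" -g "$u" "/home/$u/.ssh"
done
# Grant sudo to wheel once (a re-run must not append a duplicate), then
# validate: a malformed sudoers disables sudo for everyone, including the
# admin who is about to lose root ssh. sudo insists on 0440, which is what
# the original chmod +w / -w dance amounted to under a 022 umask.
grep -qxF '%wheel ALL=(ALL) ALL' /etc/sudoers || {
  chmod u+w /etc/sudoers
  echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
  chmod 0440 /etc/sudoers
}
visudo -cf /etc/sudoers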
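###### SSH ######
# Set `key value` in sshd_config: rewrite an existing uncommented directive,
# otherwise append it. The original perl substitution matched nothing when the
# directive was absent or commented out, silently leaving the compiled-in
# default in force -- for PermitRootLogin that default was "yes" on the
# OpenSSH generation this script targets.
sshd_set() {
  local key="$1" val="$2"
  if grep -q "^${key}\b" /etc/ssh/sshd_config; then
    perl -pi -e "s/^${key}\\b.*/${key} ${val}/" /etc/ssh/sshd_config
  else
    echo "${key} ${val}" >> /etc/ssh/sshd_config
  fi
}
sshd_set PermitRootLogin no
# perl -pi -e 's/^UsePAM.*/UsePAM no/' /etc/ssh/sshd_config
# NOTE(review): PasswordAuthentication is left at its default (yes), so the
# accounts created above are reachable with their initial password from
# wherever the firewall admits ssh. Once keys are in authorized_keys, add
# `sshd_set PasswordAuthentication no`.
## host-based auth ... outgoing works but not incoming.
# Every host listed in shosts.equiv may log in as any non-root user without a
# password once its host key is trusted below: effectively a list of machines
# whose root can become any user on this box.
cp /root/dl.hosts /etc/ssh/shosts.equiv
sshd_set HostbasedAuthentication yes
# ssh-keyscan fetches host keys over the network with no verification (trust
# on first use). Combined with HostbasedAuthentication, a spoofed host at
# provisioning time gains permanent password-less logins here, so compare the
# fingerprints out of band before relying on this. The original also never
# noticed an empty result (hosts unreachable; ssh-keyscan's exit status does
# not reliably reflect that), which silently truncated ssh_known_hosts.
# $(cat ...) is unquoted on purpose: one host per word.
ssh-keyscan -t rsa $(cat /root/dl.hosts) > /etc/ssh/ssh_known_hosts
[ -s /etc/ssh/ssh_known_hosts ] || {
  echo "ERROR: ssh-keyscan returned no keys for: $(cat /root/dl.hosts)" >&2
  exit 1
}
# added this to sshd_config, incoming still doesnt work --> RhostsRSAAuthentication yes
cat >> /etc/ssh/ssh_config <<EOF
## for outgoing ssh'ing
EnableSSHKeysign yes
HostbasedAuthentication yes
EOF
# Validate before reloading: on reload sshd re-executes itself with the new
# config, and if that fails to parse there is no listener left to accept the
# next login.
/usr/sbin/sshd -t
/etc/init.d/ssh reload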
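######### FIREWALL #############
# The init script is shipped next to this one; install it, register it for
# boot and bring it up now. Ensure it is executable regardless of how it was
# copied here, or the start below fails.
mv firewall /etc/init.d
chmod 0755 /etc/init.d/firewall
update-rc.d firewall defaults
/etc/init.d/firewall start
###### PATHS ######
# NOTE(review): /var/conf is handed to deployer, yet the GOD section below
# writes the config of root-run god under it. god evaluates its .conf files
# as Ruby, as root, and deployer owns the parent directory, so deployer can
# replace god.conf or the god/ directory and run arbitrary code as root at
# the next god start. Keep god's config root-owned outside deployer-writable
# paths (and point god.init at it), or run god as deployer.
DEPLOYER_PATHS="/var/conf /var/www"
mkdir -p $DEPLOYER_PATHS
chown -R deployer:deployer $DEPLOYER_PATHS
# The original did `chmod a+w /var/log` "because deployer-run processes need
# this". A world-writable /var/log lets any local account create, rename or
# delete every log file (tampering / anti-forensics) and plant files or
# symlinks that root-run daemons later open. Give deployer its own directory
# instead and have those processes log there.
install -d -m 0755 -o deployer -g deployer /var/log/deployer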
###### PACKAGES ######
# faster than the default mirror
# Added under sources.list.d, so the stock sources.list (including the
# -security suite) stays in place. apt verifies the signed Release file, so a
# plain-http mirror is fine for integrity; it only exposes which packages
# are fetched.
cat > /etc/apt/sources.list.d/osuosl.list <<'EOF'

deb http://ubuntu.osuosl.org/ubuntu/ intrepid main restricted universe
deb http://ubuntu.osuosl.org/ubuntu/ intrepid-updates main restricted universe

EOF
apt-get update
# Three groups -- ruby stack, build/deploy tools, editors -- so a failure
# (set -e stops at the first) points at the group that broke.
apt-get install -y ruby-full libsqlite3-ruby libpgsql-ruby rubygems
apt-get install -y build-essential git-core rsync lsof
apt-get install -y vim zsh nano
# otherwise nano is default in many places, egads! crontab -e then keeps
# pulling it up, which is very sad.
update-alternatives --set editor /usr/bin/vim.basic
#Might need to do this...
#wget http://rubyforge.org/frs/download.php/38646/rubygems-1.2.0.tgz
###### GOD ######
# god is started from init (as root) and loads every /var/conf/god/*.conf as
# Ruby. NOTE(review): /var/conf is owned by deployer (PATHS section above), so
# deployer can swap these files and run code as root -- see the note there.
mkdir -p /var/conf/god
cat > /var/conf/god.conf <<'EOF'
God.load('/var/conf/god/*.conf')
EOF
# NOTE(review): unpinned, unsigned gem fetched by the rubygems of this era;
# pin a version (-v) and keep a local copy if this must be reproducible.
gem install god
mv god.init /etc/init.d/god
update-rc.d god defaults
/etc/init.d/god start
###### MEMCACHED ######
# memcached has no authentication: keep it bound to 127.0.0.1 (-l in
# /etc/memcached.conf). The firewall only hides 11211 from the uplink, not
# from ALLOW hosts or from the interfaces it trusts outright.
apt-get install -y memcached
gem install memcache-client
# need to adjust /etc/memcached.conf
# should already be signed up for startup
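###### MAIL ######
# ok this really should be via cap since so much config...
# please just press "enter" through all the postfix menus: "Internet Host".
apt-get install -y postfix mailx
# Render the template to a scratch file first and move it into place: the
# original `ruby ... > main.cf` truncated main.cf before ruby ran, so a
# template error (set -e stops the script there) left postfix with an empty
# config. postfix_main.cf.erb is read from the current directory, like the
# other files this script installs.
ruby -r erb -e 'puts ERB.new(File.read("postfix_main.cf.erb")).result' > /etc/postfix/main.cf.new
mv /etc/postfix/main.cf.new /etc/postfix/main.cf
# Fail here on a bad rendered config rather than after a restart that leaves
# postfix down.
postfix check
/etc/init.d/postfix restart
# Smoke test: this mail only arrives if postfix actually came up.
echo "messages are great" | mail info@doloreslabs.com -s "hello i'm up! love, $(hostname)"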
###### LOGROTATE ######
apt-get install -y logrotate
# Rotate the app's logs daily and keep two weeks, compressed one cycle late.
# copytruncate avoids having to signal the app to reopen its log (presumably
# why it was chosen); the copy-then-truncate window can lose a few lines
# written in between.
# NOTE(review): logrotate runs as root inside a deployer-owned tree. Where the
# installed logrotate supports the `su` directive, add `su deployer deployer`
# so rotation does not run with root privileges in a directory the app user
# controls.
cat > /etc/logrotate.d/facestat <<'EOF'

/var/www/facestat/shared/log/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
copytruncate
}

EOF