Rock64-wall image - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: ROCK64 (https://forum.pine64.org/forumdisplay.php?fid=85)
+--- Forum: Linux on Rock64 (https://forum.pine64.org/forumdisplay.php?fid=88)
+--- Thread: Rock64-wall image (/showthread.php?tid=5248)
Rock64-wall image - stuartiannaylor - 10-11-2017

https://sourceforge.net/projects/rock64-wall/files/118/Base/rockwall-base.img/download
https://sourceforge.net/projects/rock64-wall/

Will be knocking up a simple firewall router image based on Ayufan's xenial image.
Currently just a simple base with webmin / dnsmasq with iptables completely open with routing enabled.
Base uploaded, next will be openvpn, snort. Finish off with dansguardian / squid.
May include samba4 and use kerberos, will see how things go.

RE: Rock64-wall image - Luke - 10-11-2017

(10-11-2017, 01:43 AM)stuartiannaylor Wrote: https://sourceforge.net/projects/rock64-wall/files/Base-118/rockwall-base.img/download

This is really good. May I suggest that perhaps you put together a script instead of a dedicated image and push that to ayufan? Kind of like how ayufan added the OMV script to his minimal.

RE: Rock64-wall image - stuartiannaylor - 10-11-2017

(10-11-2017, 02:21 AM)Luke Wrote:
(10-11-2017, 01:43 AM)stuartiannaylor Wrote: https://sourceforge.net/projects/rock64-wall/files/Base-118/rockwall-base.img/download

Prob not a script as I fail totally with regexes, but yeah loaded up the image for those who just want to grab at various stages without having to bother. With each image just going to document the cli commands used and a little bit of rationale & reason why. Image first then go back to scratch and do it again and just document cli, which prob this aft will do. I may use the full isc dhcp & bind9 but to be honest I have used them before and always been a little bemused as yeah I know what they can do above dnsmasq but frankly never have. dnsmasq is just a great lightweight dns/dhcp that if someone can post good reasons I might also go down that route. Will see what you guys say.
So far it's been extremely simple, so not much to script, but thought maybe my fudges and poor attempts may be a gauntlet thrown to someone else.

## CLI Commands from start

Starting with xenial-minimal-rock64-0.5.10-118-arm64
https://github.com/ayufan-rock64/linux-build/releases/download/0.5.10/xenial-minimal-rock64-0.5.10-118-arm64.img.xz

```
sudo -i
systemctl -l
```

Looking through the list of services we have 2 failures, ureadahead & zram-config. Also noticed network-manager in that list! Bye to him as well.

```
apt-get remove ureadahead
apt-get remove zram-config
apt-get remove network-manager
apt-get remove dnsmasq-base
```

Really not more than a little bit of housekeeping but yeah get rid of network manager for a server base. So now to turn on IP4 forwarding and because I have over 1gb ram I am actually going to tell Ubuntu to prefer it a bit more.

```
nano /etc/sysctl.conf
```

Change

```
#net.ipv4.ip_forward=1
```

to

```
net.ipv4.ip_forward=1
```

to enable. At the end tack on

```
# Improve cache management
vm.vfs_cache_pressure=50
```

I have also banged my 32Gb eMMC, opened up gparted and created a 4Gb swap. If you do, add this line as it will prefer memory and is a good level with more fickle media such as SSD & flash.

```
vm.swappiness=10
```

So it's up to you; either just delete the hash to enable net.ipv4.ip_forward=1 and ignore the rest if you so wish.

```
ip addr show
```

If you have plugged in a USB ethernet adapter you will see that it is down and highly likely to have an ethernet name from hell like mine which is enx00e04c534458! So we are going to create a udev persistent rule to give us a much nicer name.
```
nano /etc/udev/rules.d/70-persistent-net.rules
```

```
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:53:44:58", KERNEL=="eth*", NAME="eth1"
```

From the ip addr show I returned

```
3: enx00e04c534458: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:e0:4c:53:44:58 brd ff:ff:ff:ff:ff:ff
```

You can see where I copied and pasted the mac notation into the persistent rule and on next boot I will have eth1. Same with multiple NICs: if you are going to go crazy and maybe have a DMZ or even port trunking just increment NAME="ethx". Again not essential but for me much more logical when administering the system.

So before we install webmin a bit more housekeeping.

```
apt-get update
apt-get upgrade
apt autoremove
```

So webmin needs.

```
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.850_all.deb
dpkg --install webmin_1.850_all.deb
rm webmin_1.850_all.deb
```

At this stage you could fire up webmin on the eth0 IP and configure from there but prefer cli to start with; also the dnsmasq module for webmin needs to be downloaded and installed and doesn't at all like remarks in the config file.

My router creates a private lan on 192.168.1.0 which will be the WAN subnet. I have chosen 192.168.0.0 for my LAN subnet but...

"The private address segments (10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255) are commonly referred to as "non-routable" addresses."

Any of those; 10.0.0.0 is common but plenty to choose from, but it is important it's a "non-routable" address scope.
```
nano /etc/network/interfaces.d/eth1
```

Copy & paste or choose your own based on

```
auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
post-up iptables-restore < /etc/iptables.up.rules
```

Now dnsmasq

```
apt-get install dnsmasq
cp /etc/dnsmasq.conf /etc/dnsmasq.old
```

As we edit dnsmasq.conf delete all the remarks and we have a backup copy in dnsmasq.old for reference as the webmin module just doesn't like them.

```
nano /etc/dnsmasq.conf
```

Delete all the guff and start with something simple; you can always refer back to dnsmasq.old for more complex setups.

```
domain-needed
bogus-priv
no-resolv
no-poll
server=192.168.1.1
server=8.8.8.8
interface=eth1
domain=rock.lan
dhcp-range=192.168.0.24,192.168.0.254,12h
```

Then we will set up a FQDN in /etc/hosts & /etc/hostname

```
nano /etc/hosts
```

so it looks something like

```
127.0.0.1 localhost
127.0.1.1 rock64.rock.lan rock64
192.168.0.1 rock64.rock.lan rock64

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

```
nano /etc/hostname
```

```
rock64.rock.lan
```

Obviously change to whatever registered or non-registered domain name fits your organisation.

Then set the iptables and NAT masquerade up the easy way.

```
apt-get install iptables
```

In a browser type in https://wan-assigned-router-addr:10000
Mine is https://192.168.1.20:10000 and log into webmin with the sudo user rock64.

In Networking -> Linux Firewall select "Do network address translation on external interface", in my case set to eth0. Enable firewall at boot and click setup firewall.

Now to get the dnsmasq module that is a bit old & creaky but after getting rid of all the remarks in dnsmasq.conf seems to work quite well and is good for reference at least.
So google search for webmin dnsmasq; I downloaded from http://nixbit.com/software/dnsmasq-webmin-module-review/

Webmin -> Webmin Configuration -> Webmin modules. Select From uploaded files and browse to the .wbm download. Click install module.

System -> Bootup & Shutdown, scroll down to the bottom and click Shutdown system & confirm, click shutdown system.

Swap your ethernet cables around so router is on eth0 (wan) and your switch/hub is on eth1 (lan). Press the power on button on the rock64.

What you might have to do is force dhcp to get the new ip address (windows way).

```
ipconfig /release
ipconfig /renew
ipconfig /all
```

Should see us rocking on the rock.lan

RE: Rock64-wall image - stuartiannaylor - 10-11-2017

Add shorewall

```
apt-get install shorewall
nano -w /etc/default/shorewall
```

Change startup = 0 to startup = 1

Copy the example rules from /usr/share/doc/shorewall/examples/two-interfaces/

```
cp /usr/share/doc/shorewall/examples/two-interfaces/interfaces /etc/shorewall/interfaces
cp /usr/share/doc/shorewall/examples/two-interfaces/masq /etc/shorewall/masq
cp /usr/share/doc/shorewall/examples/two-interfaces/policy /etc/shorewall/policy
cp /usr/share/doc/shorewall/examples/two-interfaces/rules /etc/shorewall/rules
cp /usr/share/doc/shorewall/examples/two-interfaces/zones /etc/shorewall/zones
```

Here are the contents of mine and apart from rules, with an additional DNS rule of loc to fw & webmin, ntp, all are verbatim.

/etc/shorewall/interfaces

```
#
# Shorewall - Sample Interfaces File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE       OPTIONS
net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
```

/etc/shorewall/masq

```
#
# Shorewall - Sample Masq file for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-masq"
################################################################################################################
#INTERFACE:DEST SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
#                                                                               GROUP           DEST
eth0            192.168.0.0/16
```

/etc/shorewall/policy

```
#
# Shorewall - Sample Policy File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
```

/etc/shorewall/rules

```
#
# Shorewall - Sample Rules File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME    HEADERS         SWITCH          HELPER
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

Invalid(DROP)   net             all             tcp
# Don't allow connection pickup from the net
#
# Accept NTP connections from the firewall to the network
ACCEPT          $FW             net             udp     123
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)     $FW             net
#
# Accept DNS connections from the local network to the network
DNS(ACCEPT)     loc             $FW
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)     loc             $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT)    loc             $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)      net             $FW

ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
#
#Webmin
ACCEPT          loc             $FW             tcp     10000
```

/etc/shorewall/zones

```
#
# Shorewall - Sample Zones File for two-interface configuration.
# Copyright © 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
```

So you can now refresh your webmin page and you should automatically get a shorewall admin section.

IP6 is done by shorewall6 and it's a duplicate just with IP addresses that twist my melon. So before anyone says, it's just an apt-get install shorewall6 if you wish.

Currently we still have the iptables we originally set up but when you do start shorewall it will overwrite those rules with the shorewall setup. When you stop shorewall it will revert back to a working but open router setup. So it's up to you, but to run with shorewall only then firstly

```
systemctl enable shorewall
```

As to be honest I think it's needed even if the docs I read never mentioned it.

If you want to take out the rules that we originally created and test shorewall only.

```
nano /etc/network/interfaces.d/eth1
```

```
auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
#post-up iptables-restore < /etc/iptables.up.rules
```

Comment out the post-up condition with a hash as above.

```
nano /etc/sysctl.conf
```

```
#net.ipv4.ip_forward=1
```

Again comment out ip_forward. Click check firewall and if all is ok click apply configuration in webmin.
Then that is the next part done and we are a little more safe with ssh & webmin only available from the local network.

Next step is to install openvpn and only allow ssh & webmin on localhost, and the only way you can connect is via a vpn. Which is really how ssh & webmin should be run on any server in my books. There is a lot of internet chatter about webmin being unsafe which seems to suggest running an admin console public means the software is unsafe. It's so paradoxical that we shall not go there and after the next step, once we add the vpn subnet as the only access point to the settings of webmin and ssh, dunno, just don't get the arguments. Who would run a web based admin console public??!

So all is good so far with the rockwall, next step openvpn.

PS haven't got the functionality to put my rock public and port scan external but the above should find it locked from external access. Anyone want to check please do.

RE: Rock64-wall image - Luke - 10-11-2017

Maybe pastebin would be better

RE: Rock64-wall image - stuartiannaylor - 10-11-2017

(10-11-2017, 09:17 AM)Luke Wrote: Maybe pastebin would be better

Maybe I will just supply the finished image?

RE: Rock64-wall image - Luke - 10-11-2017

(10-11-2017, 09:38 AM)stuartiannaylor Wrote:
(10-11-2017, 09:17 AM)Luke Wrote: Maybe pastebin would be better

As you prefer

RE: Rock64-wall image - stuartiannaylor - 10-11-2017

Wish my memory was better but scrapped the idea of squid / dansguardian as been round this one before; squid / dansguardian is completely useless unless you use MITM ssl filtering. My vague memory sparked a community centre where I once had squid / dansguardian and the realization that kids know what https is and also anonymous proxies; the URL filter was always playing catch up and got ditched because of needed admin time (blacklist / whitelist requests) all the time.
Also because we were public and had open sessions there was such a huge grey area in privacy that even if technically feasible, legally ssl filtering definitely is not, depending on environment, if there is no user signature.

I have an MS type illness that plays havoc with my memory and others and it took a while to remember why I abandoned this and had an opinion that http / url filtering is pretty damn pointless server wise. The kids that frequented the center knew the anonymous proxies and the dans/squid just seemed to encourage a few to show how clever they were. Twas a complete failure.

If you are going to do MITM then boy do you need something with some meat to be encrypting / decrypting & filtering volume user ssl, and started seeing many implementations as pure snake oil of no worth. Best way to do it would have internal nat with a dedicated mitm proxy & filter but the whole self issuing certificate distribution is a complete pia and thinking scrap that idea.

Anyone with more recent or contrary experience? As it's almost 5 years ago I had a Zentyal server being a relative failure for filtering.
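Going back to the base image post earlier in the thread (the `ip addr show` output, the udev persistent-net rule and the note about "non-routable" address ranges), here is an added example that is not part of the thread: a POSIX shell script that derives the 70-persistent-net.rules line from `ip addr show` output and checks that a chosen LAN address really is in an RFC 1918 range before it goes into dnsmasq.conf. The `ip addr show` text is a constructed sample in the same format as the output quoted in the post, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): build the persistent udev rule from
# `ip addr show` output and sanity-check the LAN address range.
# SAMPLE_IP_ADDR is a constructed copy of the output format, not captured from a real board.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
3: enx00e04c534458: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:e0:4c:53:44:58 brd ff:ff:ff:ff:ff:ff'

# mac_of IFNAME: print the link/ether address of IFNAME (prints nothing if it is not listed)
mac_of() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v want="$1" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
        iface == want && $1 == "link/ether" { print $2; exit }'
}

# udev_rule IFNAME NEWNAME: emit a rule of the same shape as the post's, pinning IFNAME's MAC to NEWNAME
udev_rule() {
    mac=$(mac_of "$1")
    [ -n "$mac" ] || { echo "udev_rule: no link/ether address for $1" >&2; return 1; }
    printf 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="%s", KERNEL=="eth*", NAME="%s"\n' "$mac" "$2"
}

# is_private_ipv4 A.B.C.D: succeed only for an RFC 1918 address (10/8, 172.16/12, 192.168/16),
# rejecting malformed input, so a LAN subnet typo is caught before it reaches dnsmasq.conf
is_private_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Usage: rule for the USB adapter from the sample, then check the LAN address used in the post
udev_rule enx00e04c534458 eth1
is_private_ipv4 192.168.0.1 && echo "192.168.0.1 is in a private range"
```

On a real board you would replace the sample with `ip addr show` piped into the same awk, and append the printed rule to /etc/udev/rules.d/70-persistent-net.rules; the MAC is read from the interface rather than retyped, which removes the most common cause of a rule that never matches.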
RE: Rock64-wall image - stuartiannaylor - 10-13-2017

Rock64-wall-snort

Rock64 Base + Snort + Barnyard2 + Pulledpork + Basic Analysis and Security Engine (BASE) + Apache + Webmin

https://sourceforge.net/projects/rock64-wall/files/118/snort/
rock64-wall-snort.img.zip
https://sourceforge.net/projects/rock64-wall/files/118/snort/rock64-wall-snort.img.zip/download

Rock64 1gb = Eth0 DHCP WAN
Need to edit udev persistence rule mentioned in base https://sourceforge.net/projects/rock64-wall/files/118/Base/

Webmin https://rock64.rock.lan:10000/?dashboard
BASE http://rock64.rock.lan:10001/base_main.php

RE: Rock64-wall image - stuartiannaylor - 10-14-2017

Rock64-wall-snort-shorewall

Rock64 Base + Snort + Barnyard2 + Pulledpork + Basic Analysis and Security Engine (BASE) + Apache + Webmin + Shorewall

https://sourceforge.net/projects/rock64-wall/files/118/snort%2Bshorewall/
rock64-wall-snort-shorewall.img.zip
https://sourceforge.net/projects/rock64-wall/files/118/snort%2Bshorewall/rock64-wall-snort-shorewall.img.zip/download

Webmin https://rock64.rock.lan:10000/?dashboard
BASE http://rock64.rock.lan:10001/base_main.php

Just wasted loads of time trying to fix a barnyard2 problem. For some reason it takes 10 - 20 minutes to get going and then it catches up to current. I haven't a clue and thought it was broke, so many hours wasted on that one.

If you are giving it a try post results and also the chipset of your USB ethernet adapter; I have one that can only manage 5mbs! I should have delivery of a Plugable USB 3.0 Gig ethernet with the AX88179 chipset that will at least do 600mbs!

Haven't been able to really stress test things and may have to scrap Snort for Suricata as Snort runs in a single thread whilst Suricata is multithreading. The barnyard delay has just played havoc. I will get round to installing openvpn but going to examine suricata and see how that stacks up once that Plugable adapter shows up.
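Going back to the shorewall files posted earlier in the thread, here is an added example that is neither from the thread nor from the Shorewall project: a shell script that lints a policy/rules pair for the properties that post relies on (net zone dropped by default, the all/all REJECT catch-all last, the webmin port opened only from loc, nothing accepted from net). POLICY and RULES are copies of the post's entries with comments and ?SECTION lines stripped; BAD_RULES is a constructed counterexample; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a shorewall policy/rules pair for the
# invariants the post depends on. POLICY and RULES are copies of the post's entries
# with comments and ?SECTION lines removed; BAD_RULES is a constructed counterexample.
POLICY='loc net ACCEPT
net all DROP info
all all REJECT info'

RULES='Invalid(DROP) net all tcp
ACCEPT $FW net udp 123
DNS(ACCEPT) $FW net
DNS(ACCEPT) loc $FW
SSH(ACCEPT) loc $FW
Ping(ACCEPT) loc $FW
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT loc $FW tcp 10000'

# Constructed counterexample: the same rules plus webmin opened to the net zone
BAD_RULES="$RULES
ACCEPT net \$FW tcp 10000"

# policy_last_is_reject POLICY: the "all all REJECT" catch-all must be the final non-blank line
policy_last_is_reject() {
    printf '%s\n' "$1" | awk 'NF { last = $0 }
        END { n = split(last, f, " "); exit !(n >= 3 && f[1] == "all" && f[2] == "all" && f[3] == "REJECT") }'
}

# net_policy_is_drop POLICY: the net zone must have a policy line and it must be DROP or REJECT
net_policy_is_drop() {
    printf '%s\n' "$1" | awk '$1 == "net" { found = 1; if ($3 != "DROP" && $3 != "REJECT") bad = 1 }
        END { exit !(found && !bad) }'
}

# rules_accepting_from_net RULES: print every ACCEPT-style rule (plain or macro) whose source is net
rules_accepting_from_net() {
    printf '%s\n' "$1" | awk '$1 ~ /ACCEPT/ && $2 == "net"'
}

# port_open_only_from RULES PORT ZONE: PORT must be opened at least once, and only with ZONE as source
port_open_only_from() {
    printf '%s\n' "$1" | awk -v port="$2" -v zone="$3" '
        $1 ~ /ACCEPT/ && $5 == port { seen = 1; if ($2 != zone) bad = 1 }
        END { exit !(seen && !bad) }'
}

# audit_shorewall POLICY RULES: run every check, report the first failure, succeed only if all pass
audit_shorewall() {
    policy_last_is_reject "$1" || { echo "FAIL policy: all/all REJECT catch-all is not last"; return 1; }
    net_policy_is_drop "$1" || { echo "FAIL policy: net zone default is not DROP/REJECT"; return 1; }
    [ -z "$(rules_accepting_from_net "$2")" ] || { echo "FAIL rules: accepted from net:"; rules_accepting_from_net "$2"; return 1; }
    port_open_only_from "$2" 10000 loc || { echo "FAIL rules: webmin port 10000 is not restricted to loc"; return 1; }
    echo "OK: net dropped by default, webmin reachable from loc only"
}

# Usage: the post's configuration passes; the counterexample is caught
audit_shorewall "$POLICY" "$RULES"
audit_shorewall "$POLICY" "$BAD_RULES" || echo "counterexample rejected as expected"
```

Note the limitation visible in the port check: macros such as SSH(ACCEPT) carry their port inside the macro definition, so only rules with an explicit DEST PORT column (like the webmin line) are seen by port_open_only_from; the rules_accepting_from_net check still catches a macro rule whose source is net.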