Don't set up firewall when creating image

This commit is contained in:
Bob Mottram 2017-02-23 17:04:09 +00:00
parent 5e3a5215fa
commit a65ccc37df
1 changed files with 3 additions and 47 deletions


@ -1017,54 +1017,11 @@ function image_setup_utils {
if [[ $ARCHITECTURE == 'amd64' ]]; then
chroot "$rootdir" apt-get -yq install linux-image-amd64 -t jessie-backports
chroot "$rootdir" apt-get -yq install grub2
fi
chroot "$rootdir" apt-get -yq install locales locales-all debconf
# basic firewall
chroot "$rootdir" iptables -P INPUT ACCEPT
chroot "$rootdir" ip6tables -P INPUT ACCEPT
chroot "$rootdir" iptables -F
chroot "$rootdir" ip6tables -F
chroot "$rootdir" iptables -t nat -F
chroot "$rootdir" ip6tables -t nat -F
chroot "$rootdir" iptables -X
chroot "$rootdir" ip6tables -X
chroot "$rootdir" iptables -P INPUT DROP
chroot "$rootdir" ip6tables -P INPUT DROP
chroot "$rootdir" iptables -P FORWARD DROP
chroot "$rootdir" ip6tables -P FORWARD DROP
chroot "$rootdir" iptables -A INPUT -i lo -j ACCEPT
chroot "$rootdir" iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
chroot "$rootdir" iptables -A INPUT -f -j DROP
chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
chroot "$rootdir" iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
chroot "$rootdir" iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p tcp --dport 548 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p udp --dport 548 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p udp --dport 5353 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p udp --dport 5354 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p tcp --dport 80 -j ACCEPT
chroot "$rootdir" iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# save the firewall
chroot "$rootdir" iptables-save > /etc/firewall.conf
chroot "$rootdir" ip6tables-save > /etc/firewall6.conf
printf '#!/bin/sh\n' > $rootdir/etc/network/if-up.d/iptables
printf 'iptables-restore < /etc/firewall.conf\n' >> $rootdir/etc/network/if-up.d/iptables
printf 'ip6tables-restore < /etc/firewall6.conf\n' >> $rootdir/etc/network/if-up.d/iptables
if [ -f $rootdir/etc/network/if-up.d/iptables ]; then
chmod +x $rootdir/etc/network/if-up.d/iptables
fi
SYSCTL_FILE=$rootdir/etc/sysctl.conf
if [ ! -f $SYSCTL_FILE ]; then
touch $SYSCTL_FILE
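Review bot: With the firewall block removed, image_setup_utils now leaves the image with iptables' default ACCEPT policies and without the /etc/network/if-up.d/iptables restore hook, so the built image has no packet filter on first boot until whatever step now owns firewall setup has run, and nothing in this hunk says where that step is. A one-line pointer at the spot where the block used to be, between the `locales locales-all debconf` install and the `SYSCTL_FILE=` line, would stop the next reader from assuming the firewall was dropped outright: `# firewall is deliberately not configured at image build time; see <FIREWALL-SETUP-STEP placeholder> for where it is applied`. If that later step is not guaranteed to run before the image is exposed on a network, the window is worth stating in the commit message as well. image_setup_utils starts before this hunk and continues after it.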
@ -1092,9 +1049,8 @@ function image_setup_utils {
chroot "$rootdir" apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
chroot "$rootdir" apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
chroot "$rootdir" apt-get -yq install pinentry-curses eatmydata iotop bc grub2 hostapd haveged
chroot "$rootdir" apt-get -yq install cpulimit screen elinks
chroot "$rootdir" apt-get -yq install libpam-cracklib
chroot "$rootdir" apt-get -yq install pinentry-curses eatmydata iotop bc hostapd haveged
chroot "$rootdir" apt-get -yq install cpulimit screen elinks libpam-cracklib
# Tor and ssh over tor
chroot "$rootdir" apt-get -yq install tor connect-proxy