From a65ccc37dfe3b82941417a357b53722bc8008764 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 23 Feb 2017 17:04:09 +0000
Subject: [PATCH] Don't set up firewall when creating image
---
 src/freedombone-image-customise | 50 ++-------------------------------
 1 file changed, 3 insertions(+), 47 deletions(-)
diff --git a/src/freedombone-image-customise b/src/freedombone-image-customise
index f61c9e53..b9bd7c64 100755
--- a/src/freedombone-image-customise
+++ b/src/freedombone-image-customise
@@ -1017,54 +1017,11 @@ function image_setup_utils {
 if [[ $ARCHITECTURE == 'amd64' ]]; then
 chroot "$rootdir" apt-get -yq install linux-image-amd64 -t jessie-backports
+ chroot "$rootdir" apt-get -yq install grub2
 fi
 chroot "$rootdir" apt-get -yq install locales locales-all debconf
- # basic firewall
- chroot "$rootdir" iptables -P INPUT ACCEPT
- chroot "$rootdir" ip6tables -P INPUT ACCEPT
- chroot "$rootdir" iptables -F
- chroot "$rootdir" ip6tables -F
- chroot "$rootdir" iptables -t nat -F
- chroot "$rootdir" ip6tables -t nat -F
- chroot "$rootdir" iptables -X
- chroot "$rootdir" ip6tables -X
- chroot "$rootdir" iptables -P INPUT DROP
- chroot "$rootdir" ip6tables -P INPUT DROP
- chroot "$rootdir" iptables -P FORWARD DROP
- chroot "$rootdir" ip6tables -P FORWARD DROP
- chroot "$rootdir" iptables -A INPUT -i lo -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
- chroot "$rootdir" iptables -A INPUT -f -j DROP
- chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
- chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
- chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- chroot "$rootdir" iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
- chroot "$rootdir" iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
- chroot "$rootdir" iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p tcp --dport 548 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p udp --dport 548 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p udp --dport 5353 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p udp --dport 5354 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- chroot "$rootdir" iptables -A INPUT -p tcp --dport 443 -j ACCEPT
-
- # save the firewall
- chroot "$rootdir" iptables-save > /etc/firewall.conf
- chroot "$rootdir" ip6tables-save > /etc/firewall6.conf
- printf '#!/bin/sh\n' > $rootdir/etc/network/if-up.d/iptables
- printf 'iptables-restore < /etc/firewall.conf\n' >> $rootdir/etc/network/if-up.d/iptables
- printf 'ip6tables-restore < /etc/firewall6.conf\n' >> $rootdir/etc/network/if-up.d/iptables
- if [ -f $rootdir/etc/network/if-up.d/iptables ]; then
- chmod +x $rootdir/etc/network/if-up.d/iptables
- fi
-
 SYSCTL_FILE=$rootdir/etc/sysctl.conf
 if [ ! -f $SYSCTL_FILE ]; then
 touch $SYSCTL_FILE
@@ -1092,9 +1049,8 @@ function image_setup_utils {
 chroot "$rootdir" apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
 chroot "$rootdir" apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
 chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
- chroot "$rootdir" apt-get -yq install pinentry-curses eatmydata iotop bc grub2 hostapd haveged
- chroot "$rootdir" apt-get -yq install cpulimit screen elinks
- chroot "$rootdir" apt-get -yq install libpam-cracklib
+ chroot "$rootdir" apt-get -yq install pinentry-curses eatmydata iotop bc hostapd haveged
+ chroot "$rootdir" apt-get -yq install cpulimit screen elinks libpam-cracklib
 # Tor and ssh over tor
 chroot "$rootdir" apt-get -yq install tor connect-proxy
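Review bot: Nothing on the new side of this hunk records where the image's firewall is now established, so a reader of image_setup_utils sees sshd (on $SSH_PORT), web and mDNS services being installed into an image whose netfilter policies stay at the kernel default ACCEPT until some later stage — presumably the installer or a first-boot step, which is not visible here — applies rules, and the commit message does not name that stage either. The removal itself is sound: an iptables binary run under plain chroot still talks to the build host's kernel, not the image, and the `> /etc/firewall.conf` redirects were evaluated by the outer shell, so the old block configured the host rather than the image. Worth leaving a one-line comment where the block was, e.g. `# Firewall is deliberately not configured here: iptables inside the chroot would act on the build host. Rules are applied on the target at install/first boot.`, and stating the same in the commit message. The body of image_setup_utils begins before this hunk and continues past it.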
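Review bot: Dropping grub2 from the `pinentry-curses eatmydata iotop bc hostapd haveged` install line (with the amd64-only install added in the earlier hunk) means non-amd64 images no longer receive a bootloader package from this function, which is a change the commit title ("Don't set up firewall when creating image") does not describe; it is presumably intentional for boards that boot via other means, but it should be said in the commit message or in a comment beside the amd64 grub2 line. A smaller consequence of merging `libpam-cracklib` into the `cpulimit screen elinks` line: apt-get installs a batch as one transaction and none of these calls check their exit status (pre-existing), so a failure on any package in that batch now also leaves the password-quality PAM module out of the image silently, where before it had its own call. Consider at least `chroot "$rootdir" apt-get -yq install cpulimit screen elinks libpam-cracklib || exit 1` so a missing hardening package fails the build instead of producing a weaker image. The enclosing function starts before this hunk and ends after it.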