diff options
Diffstat (limited to 'config')
-rwxr-xr-x | config/hooks/remove-packages.sh.chroot | 5 | ||||
-rwxr-xr-x | config/hooks/tor-usergroup.sh.chroot | 15 | ||||
-rw-r--r-- | config/includes.chroot/etc/default/dnsmasq | 2 | ||||
-rw-r--r-- | config/includes.chroot/etc/default/openntpd | 6 | ||||
-rwxr-xr-x | config/includes.chroot/etc/default/ttdnsd | 17 | ||||
-rw-r--r-- | config/includes.chroot/etc/dnsmasq.conf | 555 | ||||
-rw-r--r-- | config/includes.chroot/etc/dnsmasq_lan.conf | 6 | ||||
-rw-r--r-- | config/includes.chroot/etc/dnsmasq_wifi.conf | 7 | ||||
-rwxr-xr-x | config/includes.chroot/etc/init.d/dnsmasq_lan | 290 | ||||
-rwxr-xr-x | config/includes.chroot/etc/init.d/dnsmasq_wifi | 290 | ||||
-rwxr-xr-x | config/includes.chroot/etc/init.d/proxy | 61 | ||||
-rw-r--r-- | config/includes.chroot/etc/modprobe.d/blacklist.conf | 26 | ||||
-rw-r--r-- | config/includes.chroot/etc/network/interfaces | 44 | ||||
-rw-r--r-- | config/includes.chroot/etc/ssh/sshd_config | 87 | ||||
-rw-r--r-- | config/includes.chroot/etc/sysctl.conf | 5 | ||||
-rw-r--r-- | config/includes.chroot/etc/tor/torrc | 183 | ||||
-rwxr-xr-x | config/includes.chroot/sbin/tor-wireless-firewall.sh | 20 |
17 files changed, 1619 insertions, 0 deletions
diff --git a/config/hooks/remove-packages.sh.chroot b/config/hooks/remove-packages.sh.chroot new file mode 100755 index 0000000..10fa78b --- /dev/null +++ b/config/hooks/remove-packages.sh.chroot @@ -0,0 +1,5 @@ +#!/bin/sh + +apt-get -f -y remove --purge polipo minissdpd +apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus isc-dhcp-server + diff --git a/config/hooks/tor-usergroup.sh.chroot b/config/hooks/tor-usergroup.sh.chroot new file mode 100755 index 0000000..e46ad16 --- /dev/null +++ b/config/hooks/tor-usergroup.sh.chroot @@ -0,0 +1,15 @@ +#!/bin/sh + +export ADMINUSER="tor" +export ADMINGROUP="tor" +export TORADMINGROUP="debian-tor" + +# add users and groups (ignore failures if groups already exist) +addgroup $ADMINGROUP +useradd -g $ADMINGROUP -G $TORADMINGROUP -s /bin/bash $ADMINUSER +# TODO: $ADMINUSER passwd? + +# give Tor permission to modify it's own configuration +chgrp $TORADMINGROUP /etc/tor/ /etc/tor/* +chmod g+rw /etc/tor/ /etc/tor/* + diff --git a/config/includes.chroot/etc/default/dnsmasq b/config/includes.chroot/etc/default/dnsmasq new file mode 100644 index 0000000..ddaa02b --- /dev/null +++ b/config/includes.chroot/etc/default/dnsmasq @@ -0,0 +1,2 @@ + +ENABLED=0 diff --git a/config/includes.chroot/etc/default/openntpd b/config/includes.chroot/etc/default/openntpd new file mode 100644 index 0000000..318e7bd --- /dev/null +++ b/config/includes.chroot/etc/default/openntpd @@ -0,0 +1,6 @@ +# /etc/default/openntpd + +# Append '-s' to set the system time when starting in case the offset +# between the local clock and the servers is more than 180 seconds. +# For other options, see man ntpd(8). +DAEMON_OPTS="-f /etc/openntpd/ntpd.conf -s" diff --git a/config/includes.chroot/etc/default/ttdnsd b/config/includes.chroot/etc/default/ttdnsd new file mode 100755 index 0000000..0a22bc4 --- /dev/null +++ b/config/includes.chroot/etc/default/ttdnsd @@ -0,0 +1,17 @@ +# /etc/default/ttdnsd + +# Address to bind to - usually this should be 127.0.0.1 +# unless a copy of ttdnsd runs on 127.0.0.n +ADDR_ARG="-b 172.16.23.1" + +# Port to listen on - almost always this should be port 53 +# unless an additional local DNS cache (like unbound, dnscache, pdnsd) +# listen on port 53 as system resolver and is used in front of ttdnsd +# for caching purposes. +PORT_ARG="-p 5354" + +# Debug logging +# DEBUG_LOGGING="-l" + +# Glue all of it together below +DEFAULTS="$ADDR_ARG $PORT_ARG" diff --git a/config/includes.chroot/etc/dnsmasq.conf b/config/includes.chroot/etc/dnsmasq.conf new file mode 100644 index 0000000..806996e --- /dev/null +++ b/config/includes.chroot/etc/dnsmasq.conf @@ -0,0 +1,555 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# uneccessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link uneccessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in doubleclick.net to a local +# webserver. +#address=/doubleclick.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +#interface=eth1 +#interface=uap0 +# Or you can specify which interface _not_ to listen on +#except-interface=eth0 +#except-interface=lo +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP on it. +#no-dhcp-interface= + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# see also /etc/dnsmasq.d/lan and /etc/dnsmasq.d/wifi + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explict netmask instead. +#dhcp-range=192.168.0.0,static + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissble to give name,adddress and MAC in any order + +# Always allocate the host with ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Ignore any clients which are specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unkown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. +#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files availble via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=net:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slighest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come form /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are <name>,<target>,<port>,<priority>,<weight> +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include a another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d diff --git a/config/includes.chroot/etc/dnsmasq_lan.conf b/config/includes.chroot/etc/dnsmasq_lan.conf new file mode 100644 index 0000000..1143401 --- /dev/null +++ b/config/includes.chroot/etc/dnsmasq_lan.conf @@ -0,0 +1,6 @@ + +no-poll +bind-interfaces +interface=eth1 +except-interface=lo +dhcp-range=10.23.42.10,10.23.42.254,255.255.255.0,12h diff --git a/config/includes.chroot/etc/dnsmasq_wifi.conf b/config/includes.chroot/etc/dnsmasq_wifi.conf new file mode 100644 index 0000000..56c268e --- /dev/null +++ b/config/includes.chroot/etc/dnsmasq_wifi.conf @@ -0,0 +1,7 @@ + +no-poll +bind-interfaces +except-interface=lo +interface=uap0 +server=172.16.23.1#5353 +dhcp-range=172.16.23.10,172.16.23.254,255.255.255.0,12h diff --git a/config/includes.chroot/etc/init.d/dnsmasq_lan b/config/includes.chroot/etc/init.d/dnsmasq_lan new file mode 100755 index 0000000..22f2557 --- /dev/null +++ b/config/includes.chroot/etc/init.d/dnsmasq_lan @@ -0,0 +1,290 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: dnsmasq_lan +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $network $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Description: DHCP and DNS server +### END INIT INFO + +set +e # Don't exit on error status + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/dnsmasq +NAME=dnsmasq_lan +DESC="DNS forwarder and DHCP server" + +# Most configuration options in /etc/default/dnsmasq are deprecated +# but still honoured. +ENABLED=1 +if [ -r /etc/default/$NAME ]; then + . /etc/default/$NAME +fi + +# Get the system locale, so that messages are in the correct language, and the +# charset for IDN is correct +if [ -r /etc/default/locale ]; then + . /etc/default/locale + export LANG +fi + +test -x $DAEMON || exit 0 + +# Provide skeleton LSB log functions for backports which don't have LSB functions. +if [ -f /lib/lsb/init-functions ]; then + . /lib/lsb/init-functions +else + log_warning_msg () { + echo "${@}." + } + + log_success_msg () { + echo "${@}." + } + + log_daemon_msg () { + echo -n "${1}: $2" + } + + log_end_msg () { + if [ $1 -eq 0 ]; then + echo "." + elif [ $1 -eq 255 ]; then + /bin/echo -e " (warning)." + else + /bin/echo -e " failed!" + fi + } +fi + +# RESOLV_CONF: +# If the resolvconf package is installed then use the resolv conf file +# that it provides as the default. Otherwise use /etc/resolv.conf as +# the default. +# +# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit +# filename is set there then this inhibits the use of the resolvconf-provided +# information. +# +# Note that if the resolvconf package is installed it is not possible to +# override it just by configuration in /etc/dnsmasq.conf, it is necessary +# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq. + +if [ ! "$RESOLV_CONF" ] && + [ "$IGNORE_RESOLVCONF" != "yes" ] && + [ -x /sbin/resolvconf ] +then + RESOLV_CONF=/var/run/dnsmasq/resolv.conf +fi + +for INTERFACE in $DNSMASQ_INTERFACE; do + DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE" +done + +for INTERFACE in $DNSMASQ_EXCEPT; do + DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE" +done + +if [ ! "$DNSMASQ_USER" ]; then + DNSMASQ_USER="dnsmasq" +fi + +start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + + # /var/run may be volatile, so we need to ensure that + # /var/run/dnsmasq exists here as well as in postinst + if [ ! -d /var/run/dnsmasq ]; then + mkdir /var/run/dnsmasq || return 2 + chown dnsmasq:nogroup /var/run/dnsmasq || return 2 + fi + + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test -- -C /etc/dnsmasq_lan.conf > /dev/null || return 1 + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON -- -C /etc/dnsmasq_lan.conf \ + -x /var/run/dnsmasq/$NAME.pid \ + ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \ + ${MAILTARGET:+ -t $MAILTARGET} \ + ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \ + ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \ + ${DHCP_LEASE:+ -l $DHCP_LEASE} \ + ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \ + ${RESOLV_CONF:+ -r $RESOLV_CONF} \ + ${CACHESIZE:+ -c $CACHESIZE} \ + ${CONFIG_DIR:+ -7 $CONFIG_DIR} \ + ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \ + || return 2 +} + +start_resolvconf() +{ +# If interface "lo" is explicitly disabled in /etc/default/dnsmasq +# Then dnsmasq won't be providing local DNS, so don't add it to +# the resolvconf server set. + for interface in $DNSMASQ_EXCEPT + do + [ $interface = lo ] && return + done + + if [ -x /sbin/resolvconf ] ; then + echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME + fi + return 0 +} + +stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + return "$RETVAL" +} + +stop_resolvconf() +{ + if [ -x /sbin/resolvconf ] ; then + /sbin/resolvconf -d lo.$NAME + fi + return 0 +} + +status() +{ + # Return + # 0 if daemon is running + # 1 if daemon is dead and pid file exists + # 3 if daemon is not running + # 4 if daemon status is unknown + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null + case "$?" in + 0) [ -e "/var/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;; + 1) return 0 ;; + *) return 4 ;; + esac +} + +case "$1" in + start) + test "$ENABLED" != "0" || exit 0 + log_daemon_msg "Starting $DESC" "$NAME" + start + case "$?" in + 0) + log_end_msg 0 + start_resolvconf + exit 0 + ;; + 1) + log_success_msg "(already running)" + exit 0 + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + stop) + stop_resolvconf + if [ "$ENABLED" != "0" ]; then + log_daemon_msg "Stopping $DESC" "$NAME" + fi + stop + RETVAL="$?" + if [ "$ENABLED" = "0" ]; then + case "$RETVAL" in + 0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;; + esac + exit 0 + fi + case "$RETVAL" in + 0) log_end_msg 0 ; exit 0 ;; + 1) log_warning_msg "(not running)" ; exit 0 ;; + *) log_end_msg 1; exit 1 ;; + esac + ;; + restart|force-reload) + test "$ENABLED" != "0" || exit 1 + $DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1 + if [ $? -ne 0 ]; then + NAME="configuration syntax check" + RETVAL="2" + else + stop_resolvconf + stop + RETVAL="$?" + fi + log_daemon_msg "Restarting $DESC" "$NAME" + case "$RETVAL" in + 0|1) + sleep 2 + start + case "$?" in + 0) + log_end_msg 0 + start_resolvconf + exit 0 + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + status) + log_daemon_msg "Checking $DESC" "$NAME" + status + case "$?" in + 0) log_success_msg "(running)" ; exit 0 ;; + 1) log_success_msg "(dead, pid file exists)" ; exit 1 ;; + 3) log_success_msg "(not running)" ; exit 3 ;; + *) log_success_msg "(unknown)" ; exit 4 ;; + esac + ;; + dump-stats) + kill -s USR1 `cat /var/run/dnsmasq/$NAME.pid` + ;; + systemd-start-resolvconf) + start_resolvconf + ;; + systemd-stop-resolvconf) + stop_resolvconf + ;; + systemd-exec) +# --pid-file without argument disables writing a PIDfile, we don't need one with sytemd. +# Enable DBus by default because we use DBus activation with systemd. + exec $DAEMON --keep-in-foreground --pid-file --enable-dbus \ + ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \ + ${MAILTARGET:+ -t $MAILTARGET} \ + ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \ + ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \ + ${DHCP_LEASE:+ -l $DHCP_LEASE} \ + ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \ + ${RESOLV_CONF:+ -r $RESOLV_CONF} \ + ${CACHESIZE:+ -c $CACHESIZE} \ + ${CONFIG_DIR:+ -7 $CONFIG_DIR} \ + ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} + ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2 + exit 3 + ;; +esac + +exit 0 + diff --git a/config/includes.chroot/etc/init.d/dnsmasq_wifi b/config/includes.chroot/etc/init.d/dnsmasq_wifi new file mode 100755 index 0000000..dfd103c --- /dev/null +++ b/config/includes.chroot/etc/init.d/dnsmasq_wifi @@ -0,0 +1,290 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: dnsmasq_wifi +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $network $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Description: DHCP and DNS server +### END INIT INFO + +set +e # Don't exit on error status + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/dnsmasq +NAME=dnsmasq_wifi +DESC="DNS forwarder and DHCP server" + +# Most configuration options in /etc/default/dnsmasq are deprecated +# but still honoured. +ENABLED=1 +if [ -r /etc/default/$NAME ]; then + . /etc/default/$NAME +fi + +# Get the system locale, so that messages are in the correct language, and the +# charset for IDN is correct +if [ -r /etc/default/locale ]; then + . /etc/default/locale + export LANG +fi + +test -x $DAEMON || exit 0 + +# Provide skeleton LSB log functions for backports which don't have LSB functions. +if [ -f /lib/lsb/init-functions ]; then + . /lib/lsb/init-functions +else + log_warning_msg () { + echo "${@}." + } + + log_success_msg () { + echo "${@}." + } + + log_daemon_msg () { + echo -n "${1}: $2" + } + + log_end_msg () { + if [ $1 -eq 0 ]; then + echo "." + elif [ $1 -eq 255 ]; then + /bin/echo -e " (warning)." + else + /bin/echo -e " failed!" + fi + } +fi + +# RESOLV_CONF: +# If the resolvconf package is installed then use the resolv conf file +# that it provides as the default. Otherwise use /etc/resolv.conf as +# the default. +# +# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit +# filename is set there then this inhibits the use of the resolvconf-provided +# information. +# +# Note that if the resolvconf package is installed it is not possible to +# override it just by configuration in /etc/dnsmasq.conf, it is necessary +# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq. + +if [ ! "$RESOLV_CONF" ] && + [ "$IGNORE_RESOLVCONF" != "yes" ] && + [ -x /sbin/resolvconf ] +then + RESOLV_CONF=/var/run/dnsmasq/resolv.conf +fi + +for INTERFACE in $DNSMASQ_INTERFACE; do + DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE" +done + +for INTERFACE in $DNSMASQ_EXCEPT; do + DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE" +done + +if [ ! "$DNSMASQ_USER" ]; then + DNSMASQ_USER="dnsmasq" +fi + +start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + + # /var/run may be volatile, so we need to ensure that + # /var/run/dnsmasq exists here as well as in postinst + if [ ! -d /var/run/dnsmasq ]; then + mkdir /var/run/dnsmasq || return 2 + chown dnsmasq:nogroup /var/run/dnsmasq || return 2 + fi + + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test -- -C /etc/dnsmasq_wifi.conf > /dev/null || return 1 + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON -- -C /etc/dnsmasq_wifi.conf \ + -x /var/run/dnsmasq/$NAME.pid \ + ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \ + ${MAILTARGET:+ -t $MAILTARGET} \ + ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \ + ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \ + ${DHCP_LEASE:+ -l $DHCP_LEASE} \ + ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \ + ${RESOLV_CONF:+ -r $RESOLV_CONF} \ + ${CACHESIZE:+ -c $CACHESIZE} \ + ${CONFIG_DIR:+ -7 $CONFIG_DIR} \ + ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \ + || return 2 +} + +start_resolvconf() +{ +# If interface "lo" is explicitly disabled in /etc/default/dnsmasq +# Then dnsmasq won't be providing local DNS, so don't add it to +# the resolvconf server set. + for interface in $DNSMASQ_EXCEPT + do + [ $interface = lo ] && return + done + + if [ -x /sbin/resolvconf ] ; then + echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME + fi + return 0 +} + +stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + return "$RETVAL" +} + +stop_resolvconf() +{ + if [ -x /sbin/resolvconf ] ; then + /sbin/resolvconf -d lo.$NAME + fi + return 0 +} + +status() +{ + # Return + # 0 if daemon is running + # 1 if daemon is dead and pid file exists + # 3 if daemon is not running + # 4 if daemon status is unknown + start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null + case "$?" in + 0) [ -e "/var/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;; + 1) return 0 ;; + *) return 4 ;; + esac +} + +case "$1" in + start) + test "$ENABLED" != "0" || exit 0 + log_daemon_msg "Starting $DESC" "$NAME" + start + case "$?" in + 0) + log_end_msg 0 + start_resolvconf + exit 0 + ;; + 1) + log_success_msg "(already running)" + exit 0 + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + stop) + stop_resolvconf + if [ "$ENABLED" != "0" ]; then + log_daemon_msg "Stopping $DESC" "$NAME" + fi + stop + RETVAL="$?" + if [ "$ENABLED" = "0" ]; then + case "$RETVAL" in + 0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;; + esac + exit 0 + fi + case "$RETVAL" in + 0) log_end_msg 0 ; exit 0 ;; + 1) log_warning_msg "(not running)" ; exit 0 ;; + *) log_end_msg 1; exit 1 ;; + esac + ;; + restart|force-reload) + test "$ENABLED" != "0" || exit 1 + $DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1 + if [ $? -ne 0 ]; then + NAME="configuration syntax check" + RETVAL="2" + else + stop_resolvconf + stop + RETVAL="$?" + fi + log_daemon_msg "Restarting $DESC" "$NAME" + case "$RETVAL" in + 0|1) + sleep 2 + start + case "$?" in + 0) + log_end_msg 0 + start_resolvconf + exit 0 + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + *) + log_end_msg 1 + exit 1 + ;; + esac + ;; + status) + log_daemon_msg "Checking $DESC" "$NAME" + status + case "$?" in + 0) log_success_msg "(running)" ; exit 0 ;; + 1) log_success_msg "(dead, pid file exists)" ; exit 1 ;; + 3) log_success_msg "(not running)" ; exit 3 ;; + *) log_success_msg "(unknown)" ; exit 4 ;; + esac + ;; + dump-stats) + kill -s USR1 `cat /var/run/dnsmasq/$NAME.pid` + ;; + systemd-start-resolvconf) + start_resolvconf + ;; + systemd-stop-resolvconf) + stop_resolvconf + ;; + systemd-exec) +# --pid-file without argument disables writing a PIDfile, we don't need one with sytemd. +# Enable DBus by default because we use DBus activation with systemd. + exec $DAEMON --keep-in-foreground --pid-file --enable-dbus \ + ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \ + ${MAILTARGET:+ -t $MAILTARGET} \ + ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \ + ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \ + ${DHCP_LEASE:+ -l $DHCP_LEASE} \ + ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \ + ${RESOLV_CONF:+ -r $RESOLV_CONF} \ + ${CACHESIZE:+ -c $CACHESIZE} \ + ${CONFIG_DIR:+ -7 $CONFIG_DIR} \ + ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} + ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2 + exit 3 + ;; +esac + +exit 0 + diff --git a/config/includes.chroot/etc/init.d/proxy b/config/includes.chroot/etc/init.d/proxy new file mode 100755 index 0000000..901507b --- /dev/null +++ b/config/includes.chroot/etc/init.d/proxy @@ -0,0 +1,61 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: proxy +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Proxy for clients. +### END INIT INFO + +set -e + +INTIF1="eth0" +INTIF2="uap0" +EXTIF="eth1" +EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" + +loadModules() { + depmod -a + modprobe ip_tables + modprobe ip_conntrack + modprobe ip_conntrack_ftp + modprobe ip_conntrack_irc + modprobe iptable_nat + modprobe ip_nat_ftp +} + +setProc() { + echo "1" > /proc/sys/net/ipv4/ip_forward + echo "1" > /proc/sys/net/ipv4/ip_dynaddr +} + +configIpTables() { + iptables -P INPUT ACCEPT + iptables -F INPUT + iptables -P OUTPUT ACCEPT + iptables -F OUTPUT + iptables -P FORWARD DROP + iptables -F FORWARD + iptables -t nat -F + + iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT + iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT + + iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE +} + +case "$1" in + start) + loadModules + setProc + configIpTables + ;; + *) + log_success_msg "Usage: /etc/init.d/proxy {start}" + exit 1 + ;; +esac diff --git a/config/includes.chroot/etc/modprobe.d/blacklist.conf b/config/includes.chroot/etc/modprobe.d/blacklist.conf new file mode 100644 index 0000000..dfb7967 --- /dev/null +++ b/config/includes.chroot/etc/modprobe.d/blacklist.conf @@ -0,0 +1,26 @@ +# This file lists modules which will not be loaded as the result of +# alias expansion, with the purpose of preventing the hotplug subsystem +# to load them. It does not affect autoloading of modules by the kernel. +# This file is provided by the udev package. + +# evbug is a debug tool and should be loaded explicitly +blacklist evbug + +# these drivers are very simple, the HID drivers are usually preferred +blacklist usbmouse +blacklist usbkbd + +# replaced by e100 +blacklist eepro100 + +# replaced by tulip +blacklist de4x5 + +# replaced by tmscsim +blacklist am53c974 + +# these watchdog drivers break some systems +blacklist iTCO_wdt + +# We do not need or want ipv6 right now +blacklist ipv6 diff --git a/config/includes.chroot/etc/network/interfaces b/config/includes.chroot/etc/network/interfaces new file mode 100644 index 0000000..34b2f35 --- /dev/null +++ b/config/includes.chroot/etc/network/interfaces @@ -0,0 +1,44 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# The primary network interface +auto eth0 +iface eth0 inet dhcp + post-down ifdown uap0 + +auto eth1 +iface eth1 inet static + address 10.23.42.1 + netmask 255.255.255.0 + network 10.23.42.0 + broadcast 10.23.42.255 + pre-up ip addr del 10.23.42.1/24 dev eth1 || true + post-up echo 1 > /proc/sys/net/ipv4/ip_forward + post-up /etc/init.d/dnsmasq_lan start + # this must happen after have brought up uap0 because it clears the nat tables + post-up iptables -t nat -A POSTROUTING -s 10.23.42.0/24 -o eth0 -j MASQUERADE + pre-down /etc/init.d/dnsmasq_lan stop + +# The magic Tor wireless network +auto uap0 +iface uap0 inet static + address 172.16.23.1 + netmask 255.255.255.0 + network 172.16.23.0 + broadcast 172.16.23.255 + pre-up ifconfig uap0 hw ether 00:66:66:66:66:66 + pre-up ip addr del 172.16.23.1/24 dev uap0 || true + post-up /etc/init.d/tor start + post-up /etc/init.d/tor reload + post-up /etc/init.d/dnsmasq_wifi start + post-up /etc/init.d/ttdnsd restart + post-up /usr/bin/uaputl sys_cfg_ssid "torproject" || true + post-up /usr/bin/uaputl bss_start || true + post-up /usr/sbin/tor-wireless-firewall.sh || true + post-up /sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040 + pre-down /usr/bin/uaputl bss_stop || true + pre-down /etc/init.d/dnsmasq_wifi stop diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config new file mode 100644 index 0000000..d079ac0 --- /dev/null +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -0,0 +1,87 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin yes +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +#PasswordAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +X11Forwarding yes +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes +AddressFamily inet diff --git a/config/includes.chroot/etc/sysctl.conf b/config/includes.chroot/etc/sysctl.conf new file mode 100644 index 0000000..916e972 --- /dev/null +++ b/config/includes.chroot/etc/sysctl.conf @@ -0,0 +1,5 @@ +# Reduce writes to flash drives +vm.laptop_mode=5 +vm.swappiness=0 +vm.dirty_writeback_centisecs=1500 +vm.dirty_expire_centisecs=1500 diff --git a/config/includes.chroot/etc/tor/torrc b/config/includes.chroot/etc/tor/torrc new file mode 100644 index 0000000..063dde8 --- /dev/null +++ b/config/includes.chroot/etc/tor/torrc @@ -0,0 +1,183 @@ +## Configuration file for a typical Tor user +## Last updated 12 April 2009 for Tor 0.2.1.14-rc. +## (May or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc + + +## Replace this with "SocksPort 0" if you plan to run Tor only as a +## relay, and not make any local application connections yourself. +SocksPort 9050 # what port to open for local application connections +SocksListenAddress 127.0.0.1 # accept connections only from localhost +#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests from SocksListenAddress. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +# Uncomment this to allow ssh access to the Torouter over your own Hidden Service +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 22 127.0.0.1:22 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +### Required: what port to advertise for incoming Tor connections. +ORPort auto +## If you want to listen on a port other than the one advertised +## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the +## line below too. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORListenAddress 0.0.0.0:9090 +#ORListenAddress 0.0.0.0:9090 +Nickname Torouter + +## The IP address or full DNS name for your relay. Leave commented out +## and Tor will guess. +#Address noname.example.com + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 KBytes. +RelayBandwidthRate 50KB +RelayBandwidthBurst 75KB + +## Contact info to be published in the directory, so we can contact you +## if your relay is misconfigured or something else goes wrong. Google +## indexes this, so spammers might also collect it. +#ContactInfo Random Person <nobody AT example dot com> +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com> + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised +## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line +## below too. You'll need to do ipchains or other port forwarding yourself +## to make this work. +#DirListenAddress 0.0.0.0:9091 +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html for a sample. +#DirPortFrontPage /etc/tor/exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleServers +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even if an +## ISP is filtering connections to all the known Tor relays, they probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +# be a real relay, please do; but if not, be a bridge! +BridgeRelay 1 +ExitPolicy reject *:* + +AvoidDiskWrites 1 + +# middle box stuff +VirtualAddrNetwork 10.192.0.0/10 +AutomapHostsOnResolve 1 +TransPort 9040 +TransListenAddress 172.16.23.1 +DNSPort 5353 +DNSListenAddress 172.16.23.1 +# If you disable unbound, you may enable this +#DNSListenAddress 127.0.0.1:53 + +User debian-tor + +# By default we do not have PortForwarding support +# PortForwarding 1 +# PortForwardingHelper /usr/local/bin/tor-fw-helper + +PIDFile /var/run/tor/tor.pid + +ControlPort 9051 +ControlListenAddress 127.0.0.1:9051 +CookieAuthentication 1 + +# On torouter, tor daemon should always be running, but defaults to disabled +# until user enables it specifically through the web interface +DisableNetwork 1 diff --git a/config/includes.chroot/sbin/tor-wireless-firewall.sh b/config/includes.chroot/sbin/tor-wireless-firewall.sh new file mode 100755 index 0000000..4310e7b --- /dev/null +++ b/config/includes.chroot/sbin/tor-wireless-firewall.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# destinations you don't want routed through Tor +NON_TOR="10.0.2.0/24 10.23.42.0/24 172.16.23.0/24" + +# Tor's TransPort +TRANS_PORT="9040" + +# your internal interface +INT_IF="uap0" + +iptables -F +iptables -t nat -F + +for NET in $NON_TOR; do + iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN +done +iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 5353 +#iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 67 -j REDIRECT --to-ports 67 +iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT |