Raspi2-3_GenImage Commit - r17:07c05d4ac5d0 · Collaboration Tremplin des Sciences

1

#!/bin/sh

1

#!/bin/sh

2

3

########################################################################

3

########################################################################

4

# rpi2-gen-image.sh ver2a 12/2015

4

# rpi2-gen-image.sh ver2a 12/2015

5

#

5

#

6

# Advanced debian "jessie" bootstrap script for RPi2

6

# Advanced debian "jessie" bootstrap script for RPi2

7

#

7

#

8

# This program is free software; you can redistribute it and/or

8

# This program is free software; you can redistribute it and/or

9

# modify it under the terms of the GNU General Public License

9

# modify it under the terms of the GNU General Public License

10

# as published by the Free Software Foundation; either version 2

10

# as published by the Free Software Foundation; either version 2

11

# of the License, or (at your option) any later version.

11

# of the License, or (at your option) any later version.

12

#

12

#

13

# some parts based on rpi2-build-image:

13

# some parts based on rpi2-build-image:

14

15

16

########################################################################

16

########################################################################

17

18

cleanup (){

18

cleanup (){

19

set +x

19

set +x

20

set +e

20

set +e

21

echo "removing temporary mount points ..."

21

echo "removing temporary mount points ..."

22

umount -l $R/proc 2> /dev/null

22

umount -l $R/proc 2> /dev/null

23

umount -l $R/sys 2> /dev/null

23

umount -l $R/sys 2> /dev/null

24

umount -l $R/dev/pts 2> /dev/null

24

umount -l $R/dev/pts 2> /dev/null

25

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

25

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

26

umount "$BUILDDIR/mount" 2> /dev/null

26

umount "$BUILDDIR/mount" 2> /dev/null

27

losetup -d "$EXT4_LOOP" 2> /dev/null

27

losetup -d "$EXT4_LOOP" 2> /dev/null

28

losetup -d "$VFAT_LOOP" 2> /dev/null

28

losetup -d "$VFAT_LOOP" 2> /dev/null

29

trap - 0 1 2 3 6

29

trap - 0 1 2 3 6

30

}

30

}

31

32

set -e

32

set -e

33

set -x

33

set -x

34

35

RELEASE=${RELEASE:=jessie}

35

RELEASE=${RELEASE:=jessie}

36

37

# Build settings

37

# Build settings

38

BASEDIR=./images/${RELEASE}

38

BASEDIR=./images/${RELEASE}

39

BUILDDIR=${BASEDIR}/build

39

BUILDDIR=${BASEDIR}/build

40

41

# General settings

41

# General settings

42

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

42

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

43

PASSWORD=${PASSWORD:=raspberry}

43

PASSWORD=${PASSWORD:=raspberry}

44

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

44

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

45

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

45

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

46

47

# APT settings

47

# APT settings

48

APT_PROXY=${APT_PROXY:=""}

48

APT_PROXY=${APT_PROXY:=""}

49

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

49

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

50

51

# Feature settings

51

# Feature settings

52

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

52

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

53

ENABLE_IPV6=${ENABLE_IPV6:=true}

53

ENABLE_IPV6=${ENABLE_IPV6:=true}

54

ENABLE_SSHD=${ENABLE_SSHD:=true}

54

ENABLE_SSHD=${ENABLE_SSHD:=true}

55

ENABLE_SOUND=${ENABLE_SOUND:=true}

55

ENABLE_SOUND=${ENABLE_SOUND:=true}

56

ENABLE_DBUS=${ENABLE_DBUS:=true}

56

ENABLE_DBUS=${ENABLE_DBUS:=true}

57

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

57

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

58

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

58

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

59

ENABLE_XORG=${ENABLE_XORG:=false}

59

ENABLE_XORG=${ENABLE_XORG:=false}

60

ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}

60

ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}

61

62

# Advanced settings

62

# Advanced settings

63

ENABLE_MINBASE=${ENABLE_MINBASE:=false}

63

ENABLE_MINBASE=${ENABLE_MINBASE:=false}

64

ENABLE_UBOOT=${ENABLE_UBOOT:=false}

64

ENABLE_UBOOT=${ENABLE_UBOOT:=false}

65

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

65

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

66

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

66

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

67

68

# Image chroot path

68

# Image chroot path

69

R=${BUILDDIR}/chroot

69

R=${BUILDDIR}/chroot

70

71

# Packages required for bootstrapping

71

# Packages required for bootstrapping

72

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"

72

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"

73

74

# Missing packages that need to be installed

74

# Missing packages that need to be installed

75

MISSING_PACKAGES=""

75

MISSING_PACKAGES=""

76

77

# Packages required in the chroot build enviroment

77

# Packages required in the chroot build enviroment

78

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"

78

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"

79

80

set +x

80

set +x

81

82

# Are we running as root?

82

# Are we running as root?

83

if [ "$(id -u)" -ne "0" ] ; then

83

if [ "$(id -u)" -ne "0" ] ; then

84

echo "this script must be executed with root privileges"

84

echo "this script must be executed with root privileges"

85

exit 1

85

exit 1

86

fi

86

fi

87

88

# Check if all required packages are installed

88

# Check if all required packages are installed

89

for package in $REQUIRED_PACKAGES ; do

89

for package in $REQUIRED_PACKAGES ; do

90

if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then

90

if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then

91

MISSING_PACKAGES="$MISSING_PACKAGES $package"

91

MISSING_PACKAGES="$MISSING_PACKAGES $package"

92

fi

92

fi

93

done

93

done

94

95

# Ask if missing packages should get installed right now

95

# Ask if missing packages should get installed right now

96

if [ -n "$MISSING_PACKAGES" ] ; then

96

if [ -n "$MISSING_PACKAGES" ] ; then

97

echo "the following packages needed by this script are not installed:"

97

echo "the following packages needed by this script are not installed:"

98

echo "$MISSING_PACKAGES"

98

echo "$MISSING_PACKAGES"

99

100

echo -n "\ndo you want to install the missing packages right now? [y/n] "

100

echo -n "\ndo you want to install the missing packages right now? [y/n] "

101

read confirm

101

read confirm

102

if [ "$confirm" != "y" ] ; then

102

if [ "$confirm" != "y" ] ; then

103

exit 1

103

exit 1

104

fi

104

fi

105

fi

105

fi

106

107

# Make sure all required packages are installed

107

# Make sure all required packages are installed

108

apt-get -qq -y install ${REQUIRED_PACKAGES}

108

apt-get -qq -y install ${REQUIRED_PACKAGES}

109

110

# Don't clobber an old build

110

# Don't clobber an old build

111

if [ -e "$BUILDDIR" ]; then

111

if [ -e "$BUILDDIR" ]; then

112

echo "directory $BUILDDIR already exists, not proceeding"

112

echo "directory $BUILDDIR already exists, not proceeding"

113

exit 1

113

exit 1

114

fi

114

fi

115

116

set -x

116

set -x

117

118

# Call "cleanup" function on various signals and errors

118

# Call "cleanup" function on various signals and errors

119

trap cleanup 0 1 2 3 6

119

trap cleanup 0 1 2 3 6

120

121

# Set up chroot directory

121

# Set up chroot directory

122

mkdir -p $R

122

mkdir -p $R

123

124

# Add required packages for the minbase installation

124

# Add required packages for the minbase installation

125

if [ "$ENABLE_MINBASE" = true ] ; then

125

if [ "$ENABLE_MINBASE" = true ] ; then

126

APT_INCLUDES="${APT_INCLUDES},vim-tiny,net-tools"

126

APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"

127

else

127

else

128

APT_INCLUDES="${APT_INCLUDES},locales"

128

APT_INCLUDES="${APT_INCLUDES},locales"

129

fi

129

fi

130

131

# Add dbus package, recommended if using systemd

131

# Add dbus package, recommended if using systemd

132

if [ "$ENABLE_DBUS" = true ] ; then

132

if [ "$ENABLE_DBUS" = true ] ; then

133

APT_INCLUDES="${APT_INCLUDES},dbus"

133

APT_INCLUDES="${APT_INCLUDES},dbus"

134

fi

134

fi

135

136

# Add iptables IPv4/IPv6 package

137

if [ "$ENABLE_IPTABLES" = true ] ; then

138

APT_INCLUDES="${APT_INCLUDES},iptables"

139

fi

140

136

# Add openssh server package

141

# Add openssh server package

137

if [ "$ENABLE_SSHD" = true ] ; then

142

if [ "$ENABLE_SSHD" = true ] ; then

138

APT_INCLUDES="${APT_INCLUDES},openssh-server"

143

APT_INCLUDES="${APT_INCLUDES},openssh-server"

139

fi

144

fi

140

145

141

# Add rng-tools package

146

# Add rng-tools package

142

if [ "$ENABLE_HWRANDOM" = true ] ; then

147

if [ "$ENABLE_HWRANDOM" = true ] ; then

143

APT_INCLUDES="${APT_INCLUDES},rng-tools"

148

APT_INCLUDES="${APT_INCLUDES},rng-tools"

144

fi

149

fi

145

150

146

# Add xorg package

147

if [ "$ENABLE_XORG" = true ] ; then

148

APT_INCLUDES="${APT_INCLUDES},xorg"

149

fi

150

151

# Add fluxbox package with eterm

151

# Add fluxbox package with eterm

152

if [ "$ENABLE_FLUXBOX" = true ] ; then

152

if [ "$ENABLE_FLUXBOX" = true ] ; then

153

APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"

153

APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"

154

155

# Enable xorg package dependency

156

ENABLE_XORG=true

157

fi

158

159

# Add xorg package

160

if [ "$ENABLE_XORG" = true ] ; then

161

APT_INCLUDES="${APT_INCLUDES},xorg"

154

fi

162

fi

155

163

156

# Set empty proxy string

164

# Set empty proxy string

157

if [ -z "$APT_PROXY" ] ; then

165

if [ -z "$APT_PROXY" ] ; then

158

APT_PROXY="http://"

166

APT_PROXY="http://"

159

fi

167

fi

160

168

161

# Base debootstrap (unpack only)

169

# Base debootstrap (unpack only)

162

if [ "$ENABLE_MINBASE" = true ] ; then

170

if [ "$ENABLE_MINBASE" = true ] ; then

163

debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

171

debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

164

else

172

else

165

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

173

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

166

fi

174

fi

167

175

168

# Copy qemu emulator binary to chroot

176

# Copy qemu emulator binary to chroot

169

cp /usr/bin/qemu-arm-static $R/usr/bin

177

cp /usr/bin/qemu-arm-static $R/usr/bin

170

178

171

# Copy debian-archive-keyring.pgp

179

# Copy debian-archive-keyring.pgp

172

chroot $R mkdir -p /usr/share/keyrings

180

chroot $R mkdir -p /usr/share/keyrings

173

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

181

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

174

182

175

# Complete the bootstrapping proccess

183

# Complete the bootstrapping proccess

176

chroot $R /debootstrap/debootstrap --second-stage

184

chroot $R /debootstrap/debootstrap --second-stage

177

185

178

# Mount required filesystems

186

# Mount required filesystems

179

mount -t proc none $R/proc

187

mount -t proc none $R/proc

180

mount -t sysfs none $R/sys

188

mount -t sysfs none $R/sys

181

mount --bind /dev/pts $R/dev/pts

189

mount --bind /dev/pts $R/dev/pts

182

190

183

# Use proxy inside chroot

191

# Use proxy inside chroot

184

if [ -z "$APT_PROXY" ] ; then

192

if [ -z "$APT_PROXY" ] ; then

185

echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy

193

echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy

186

fi

194

fi

187

195

188

# Pin package flash-kernel to repositories.collabora.co.uk

196

# Pin package flash-kernel to repositories.collabora.co.uk

189

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

197

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

190

Package: flash-kernel

198

Package: flash-kernel

191

Pin: origin repositories.collabora.co.uk

199

Pin: origin repositories.collabora.co.uk

192

Pin-Priority: 1000

200

Pin-Priority: 1000

193

EOM

201

EOM

194

202

195

# Set up timezone

203

# Set up timezone

196

echo ${TIMEZONE} >$R/etc/timezone

204

echo ${TIMEZONE} >$R/etc/timezone

197

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

205

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

198

206

199

# Set up default locales to "en_US.UTF-8" default

207

# Set up default locales to "en_US.UTF-8" default

200

if [ "$ENABLE_MINBASE" = false ] ; then

208

if [ "$ENABLE_MINBASE" = false ] ; then

201

LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen

209

LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen

202

LANG=C chroot $R locale-gen ${DEFLOCAL}

210

LANG=C chroot $R locale-gen ${DEFLOCAL}

203

fi

211

fi

204

212

205

# Upgrade collabora package index and install collabora keyring

213

# Upgrade collabora package index and install collabora keyring

206

echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list

214

echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list

207

LANG=C chroot $R apt-get -qq -y update

215

LANG=C chroot $R apt-get -qq -y update

208

LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring

216

LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring

209

217

210

# Set up initial sources.list

218

# Set up initial sources.list

211

cat <<EOM >$R/etc/apt/sources.list

219

cat <<EOM >$R/etc/apt/sources.list

212

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

220

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

213

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

221

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

214

222

215

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

223

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

216

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

224

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

217

225

218

deb http://security.debian.org/ ${RELEASE}/updates main contrib

226

deb http://security.debian.org/ ${RELEASE}/updates main contrib

219

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

227

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

220

228

221

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

229

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

222

EOM

230

EOM

223

231

224

# Upgrade package index and update all installed packages and changed dependencies

232

# Upgrade package index and update all installed packages and changed dependencies

225

LANG=C chroot $R apt-get -qq -y update

233

LANG=C chroot $R apt-get -qq -y update

226

LANG=C chroot $R apt-get -qq -y -u dist-upgrade

234

LANG=C chroot $R apt-get -qq -y -u dist-upgrade

227

235

228

# Kernel installation

236

# Kernel installation

229

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

237

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

230

LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2

238

LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2

231

LANG=C chroot $R apt-get -qq -y install flash-kernel

239

LANG=C chroot $R apt-get -qq -y install flash-kernel

232

240

233

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

241

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

234

[ -z "$VMLINUZ" ] && exit 1

242

[ -z "$VMLINUZ" ] && exit 1

235

mkdir -p $R/boot/firmware

243

mkdir -p $R/boot/firmware

236

244

237

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

245

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

238

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

246

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

239

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

247

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

240

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

248

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

241

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

249

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

242

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

250

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

243

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

251

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

244

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

252

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

245

cp $VMLINUZ $R/boot/firmware/kernel7.img

253

cp $VMLINUZ $R/boot/firmware/kernel7.img

246

254

247

# Set up hosts

255

# Set up hosts

248

echo ${HOSTNAME} >$R/etc/hostname

256

echo ${HOSTNAME} >$R/etc/hostname

249

cat <<EOM >$R/etc/hosts

257

cat <<EOM >$R/etc/hosts

250

127.0.0.1 localhost

258

127.0.0.1 localhost

251

127.0.1.1 ${HOSTNAME}

259

127.0.1.1 ${HOSTNAME}

252

EOM

260

EOM

253

261

254

if [ "$ENABLE_IPV6" = true ] ; then

262

if [ "$ENABLE_IPV6" = true ] ; then

255

cat <<EOM >>$R/etc/hosts

263

cat <<EOM >>$R/etc/hosts

256

264

257

::1 localhost ip6-localhost ip6-loopback

265

::1 localhost ip6-localhost ip6-loopback

258

ff02::1 ip6-allnodes

266

ff02::1 ip6-allnodes

259

ff02::2 ip6-allrouters

267

ff02::2 ip6-allrouters

260

EOM

268

EOM

261

fi

269

fi

262

270

263

# Generate crypt(3) password string

271

# Generate crypt(3) password string

264

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

272

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

265

273

266

# Set up default user

274

# Set up default user

267

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

275

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

268

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

276

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

269

277

270

# Set up root password

278

# Set up root password

271

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

279

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

272

280

273

# Set up interfaces

281

# Set up interfaces

274

cat <<EOM >$R/etc/network/interfaces

282

cat <<EOM >$R/etc/network/interfaces

275

# interfaces(5) file used by ifup(8) and ifdown(8)

283

# interfaces(5) file used by ifup(8) and ifdown(8)

276

# Include files from /etc/network/interfaces.d:

284

# Include files from /etc/network/interfaces.d:

277

source-directory /etc/network/interfaces.d

285

source-directory /etc/network/interfaces.d

278

286

279

# The loopback network interface

287

# The loopback network interface

280

auto lo

288

auto lo

281

iface lo inet loopback

289

iface lo inet loopback

282

290

283

# The primary network interface

291

# The primary network interface

284

allow-hotplug eth0

292

allow-hotplug eth0

285

iface eth0 inet dhcp

293

iface eth0 inet dhcp

286

EOM

294

EOM

287

295

288

# Set up firmware boot cmdline

296

# Set up firmware boot cmdline

289

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

297

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

290

298

291

# Set up serial console support (if requested)

299

# Set up serial console support (if requested)

292

if [ "$ENABLE_CONSOLE" = true ] ; then

300

if [ "$ENABLE_CONSOLE" = true ] ; then

293

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

301

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

294

fi

302

fi

295

303

296

# Set up ipv6 support (if requested)

304

# Set up IPv6 networking support

297

if [ "$ENABLE_IPV6" = false ] ; then

305

if [ "$ENABLE_IPV6" = false ] ; then

298

CMDLINE="${CMDLINE} ipv6.disable=1"

306

CMDLINE="${CMDLINE} ipv6.disable=1"

299

fi

307

fi

300

308

301

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

309

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

302

310

303

# Set up firmware config

311

# Set up firmware config

304

cat <<EOM >$R/boot/firmware/config.txt

312

cat <<EOM >$R/boot/firmware/config.txt

305

# For more options and information see

313

# For more options and information see

306

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

314

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

307

# Some settings may impact device functionality. See link above for details

315

# Some settings may impact device functionality. See link above for details

308

316

309

# uncomment if you get no picture on HDMI for a default "safe" mode

317

# uncomment if you get no picture on HDMI for a default "safe" mode

310

#hdmi_safe=1

318

#hdmi_safe=1

311

319

312

# uncomment this if your display has a black border of unused pixels visible

320

# uncomment this if your display has a black border of unused pixels visible

313

# and your display can output without overscan

321

# and your display can output without overscan

314

#disable_overscan=1

322

#disable_overscan=1

315

323

316

# uncomment the following to adjust overscan. Use positive numbers if console

324

# uncomment the following to adjust overscan. Use positive numbers if console

317

# goes off screen, and negative if there is too much border

325

# goes off screen, and negative if there is too much border

318

#overscan_left=16

326

#overscan_left=16

319

#overscan_right=16

327

#overscan_right=16

320

#overscan_top=16

328

#overscan_top=16

321

#overscan_bottom=16

329

#overscan_bottom=16

322

330

323

# uncomment to force a console size. By default it will be display's size minus

331

# uncomment to force a console size. By default it will be display's size minus

324

# overscan.

332

# overscan.

325

#framebuffer_width=1280

333

#framebuffer_width=1280

326

#framebuffer_height=720

334

#framebuffer_height=720

327

335

328

# uncomment if hdmi display is not detected and composite is being output

336

# uncomment if hdmi display is not detected and composite is being output

329

#hdmi_force_hotplug=1

337

#hdmi_force_hotplug=1

330

338

331

# uncomment to force a specific HDMI mode (this will force VGA)

339

# uncomment to force a specific HDMI mode (this will force VGA)

332

#hdmi_group=1

340

#hdmi_group=1

333

#hdmi_mode=1

341

#hdmi_mode=1

334

342

335

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

343

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

336

# DMT (computer monitor) modes

344

# DMT (computer monitor) modes

337

#hdmi_drive=2

345

#hdmi_drive=2

338

346

339

# uncomment to increase signal to HDMI, if you have interference, blanking, or

347

# uncomment to increase signal to HDMI, if you have interference, blanking, or

340

# no display

348

# no display

341

#config_hdmi_boost=4

349

#config_hdmi_boost=4

342

350

343

# uncomment for composite PAL

351

# uncomment for composite PAL

344

#sdtv_mode=2

352

#sdtv_mode=2

345

353

346

# uncomment to overclock the arm. 700 MHz is the default.

354

# uncomment to overclock the arm. 700 MHz is the default.

347

#arm_freq=800

355

#arm_freq=800

348

EOM

356

EOM

349

357

350

# Set smallest possible GPU memory allocation size: 16MB (no X)

358

# Set smallest possible GPU memory allocation size: 16MB (no X)

351

if [ "$ENABLE_MINGPU" = true ] ; then

359

if [ "$ENABLE_MINGPU" = true ] ; then

352

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

360

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

353

fi

361

fi

354

362

355

# Create symlinks

363

# Create symlinks

356

ln -sf firmware/config.txt $R/boot/config.txt

364

ln -sf firmware/config.txt $R/boot/config.txt

357

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

365

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

358

366

359

# Prepare modules-load.d directory

367

# Prepare modules-load.d directory

360

mkdir -p $R/lib/modules-load.d/

368

mkdir -p $R/lib/modules-load.d/

361

369

362

# Load random module on boot

370

# Load random module on boot

363

if [ "$ENABLE_HWRANDOM" = true ] ; then

371

if [ "$ENABLE_HWRANDOM" = true ] ; then

364

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

372

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

365

bcm2708_rng

373

bcm2708_rng

366

EOM

374

EOM

367

fi

375

fi

368

376

369

# Prepare modprobe.d directory

377

# Prepare modprobe.d directory

370

mkdir -p $R/etc/modprobe.d/

378

mkdir -p $R/etc/modprobe.d/

371

379

372

# Blacklist sound modules

380

# Blacklist sound modules

373

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

381

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

374

blacklist snd_soc_core

382

blacklist snd_soc_core

375

blacklist snd_pcm

383

blacklist snd_pcm

376

blacklist snd_pcm_dmaengine

384

blacklist snd_pcm_dmaengine

377

blacklist snd_timer

385

blacklist snd_timer

378

blacklist snd_compress

386

blacklist snd_compress

379

blacklist snd_soc_pcm512x_i2c

387

blacklist snd_soc_pcm512x_i2c

380

blacklist snd_soc_pcm512x

388

blacklist snd_soc_pcm512x

381

blacklist snd_soc_tas5713

389

blacklist snd_soc_tas5713

382

blacklist snd_soc_wm8804

390

blacklist snd_soc_wm8804

383

EOM

391

EOM

384

392

385

# Create default fstab

393

# Create default fstab

386

cat <<EOM >$R/etc/fstab

394

cat <<EOM >$R/etc/fstab

387

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

395

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

388

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

396

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

389

EOM

397

EOM

390

398

391

# Avoid swapping and increase cache sizes

399

# Avoid swapping and increase cache sizes

392

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

400

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

393

401

394

# Avoid swapping and increase cache sizes

402

# Avoid swapping and increase cache sizes

395

vm.swappiness=1

403

vm.swappiness=1

396

vm.dirty_background_ratio=20

404

vm.dirty_background_ratio=20

397

vm.dirty_ratio=40

405

vm.dirty_ratio=40

398

vm.dirty_writeback_centisecs=500

406

vm.dirty_writeback_centisecs=500

399

vm.dirty_expire_centisecs=6000

407

vm.dirty_expire_centisecs=6000

400

EOM

408

EOM

401

409

402

# Enable network stack hardening

410

# Enable network stack hardening

403

if [ "$ENABLE_HARDNET" = true ] ; then

411

if [ "$ENABLE_HARDNET" = true ] ; then

404

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

412

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

405

413

406

# Enable network stack hardening

414

# Enable network stack hardening

407

net.ipv4.tcp_timestamps=0

415

net.ipv4.tcp_timestamps=0

408

net.ipv4.tcp_syncookies=1

416

net.ipv4.tcp_syncookies=1

409

net.ipv4.conf.all.rp_filter=1

417

net.ipv4.conf.all.rp_filter=1

410

net.ipv4.conf.all.accept_redirects=0

418

net.ipv4.conf.all.accept_redirects=0

411

net.ipv4.conf.all.send_redirects=0

419

net.ipv4.conf.all.send_redirects=0

412

net.ipv4.conf.all.accept_source_route=0

420

net.ipv4.conf.all.accept_source_route=0

413

net.ipv4.conf.default.rp_filter=1

421

net.ipv4.conf.default.rp_filter=1

414

net.ipv4.conf.default.accept_redirects=0

422

net.ipv4.conf.default.accept_redirects=0

415

net.ipv4.conf.default.send_redirects=0

423

net.ipv4.conf.default.send_redirects=0

416

net.ipv4.conf.default.accept_source_route=0

424

net.ipv4.conf.default.accept_source_route=0

417

net.ipv4.conf.lo.accept_redirects=0

425

net.ipv4.conf.lo.accept_redirects=0

418

net.ipv4.conf.lo.send_redirects=0

426

net.ipv4.conf.lo.send_redirects=0

419

net.ipv4.conf.lo.accept_source_route=0

427

net.ipv4.conf.lo.accept_source_route=0

420

net.ipv4.conf.eth0.accept_redirects=0

428

net.ipv4.conf.eth0.accept_redirects=0

421

net.ipv4.conf.eth0.send_redirects=0

429

net.ipv4.conf.eth0.send_redirects=0

422

net.ipv4.conf.eth0.accept_source_route=0

430

net.ipv4.conf.eth0.accept_source_route=0

423

net.ipv4.icmp_echo_ignore_broadcasts=1

431

net.ipv4.icmp_echo_ignore_broadcasts=1

424

net.ipv4.icmp_ignore_bogus_error_responses=1

432

net.ipv4.icmp_ignore_bogus_error_responses=1

425

433

426

net.ipv6.conf.all.accept_redirects=0

434

net.ipv6.conf.all.accept_redirects=0

427

net.ipv6.conf.all.accept_source_route=0

435

net.ipv6.conf.all.accept_source_route=0

428

net.ipv6.conf.all.router_solicitations=0

436

net.ipv6.conf.all.router_solicitations=0

429

net.ipv6.conf.all.accept_ra_rtr_pref=0

437

net.ipv6.conf.all.accept_ra_rtr_pref=0

430

net.ipv6.conf.all.accept_ra_pinfo=0

438

net.ipv6.conf.all.accept_ra_pinfo=0

431

net.ipv6.conf.all.accept_ra_defrtr=0

439

net.ipv6.conf.all.accept_ra_defrtr=0

432

net.ipv6.conf.all.autoconf=0

440

net.ipv6.conf.all.autoconf=0

433

net.ipv6.conf.all.dad_transmits=0

441

net.ipv6.conf.all.dad_transmits=0

434

net.ipv6.conf.all.max_addresses=1

442

net.ipv6.conf.all.max_addresses=1

435

443

436

net.ipv6.conf.default.accept_redirects=0

444

net.ipv6.conf.default.accept_redirects=0

437

net.ipv6.conf.default.accept_source_route=0

445

net.ipv6.conf.default.accept_source_route=0

438

net.ipv6.conf.default.router_solicitations=0

446

net.ipv6.conf.default.router_solicitations=0

439

net.ipv6.conf.default.accept_ra_rtr_pref=0

447

net.ipv6.conf.default.accept_ra_rtr_pref=0

440

net.ipv6.conf.default.accept_ra_pinfo=0

448

net.ipv6.conf.default.accept_ra_pinfo=0

441

net.ipv6.conf.default.accept_ra_defrtr=0

449

net.ipv6.conf.default.accept_ra_defrtr=0

442

net.ipv6.conf.default.autoconf=0

450

net.ipv6.conf.default.autoconf=0

443

net.ipv6.conf.default.dad_transmits=0

451

net.ipv6.conf.default.dad_transmits=0

444

net.ipv6.conf.default.max_addresses=1

452

net.ipv6.conf.default.max_addresses=1

445

453

446

net.ipv6.conf.lo.accept_redirects=0

454

net.ipv6.conf.lo.accept_redirects=0

447

net.ipv6.conf.lo.accept_source_route=0

455

net.ipv6.conf.lo.accept_source_route=0

448

net.ipv6.conf.lo.router_solicitations=0

456

net.ipv6.conf.lo.router_solicitations=0

449

net.ipv6.conf.lo.accept_ra_rtr_pref=0

457

net.ipv6.conf.lo.accept_ra_rtr_pref=0

450

net.ipv6.conf.lo.accept_ra_pinfo=0

458

net.ipv6.conf.lo.accept_ra_pinfo=0

451

net.ipv6.conf.lo.accept_ra_defrtr=0

459

net.ipv6.conf.lo.accept_ra_defrtr=0

452

net.ipv6.conf.lo.autoconf=0

460

net.ipv6.conf.lo.autoconf=0

453

net.ipv6.conf.lo.dad_transmits=0

461

net.ipv6.conf.lo.dad_transmits=0

454

net.ipv6.conf.lo.max_addresses=1

462

net.ipv6.conf.lo.max_addresses=1

455

463

456

net.ipv6.conf.eth0.accept_redirects=0

464

net.ipv6.conf.eth0.accept_redirects=0

457

net.ipv6.conf.eth0.accept_source_route=0

465

net.ipv6.conf.eth0.accept_source_route=0

458

net.ipv6.conf.eth0.router_solicitations=0

466

net.ipv6.conf.eth0.router_solicitations=0

459

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

467

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

460

net.ipv6.conf.eth0.accept_ra_pinfo=0

468

net.ipv6.conf.eth0.accept_ra_pinfo=0

461

net.ipv6.conf.eth0.accept_ra_defrtr=0

469

net.ipv6.conf.eth0.accept_ra_defrtr=0

462

net.ipv6.conf.eth0.autoconf=0

470

net.ipv6.conf.eth0.autoconf=0

463

net.ipv6.conf.eth0.dad_transmits=0

471

net.ipv6.conf.eth0.dad_transmits=0

464

net.ipv6.conf.eth0.max_addresses=1

472

net.ipv6.conf.eth0.max_addresses=1

465

EOM

473

EOM

466

474

467

# Enable resolver warnings about spoofed addresses

475

# Enable resolver warnings about spoofed addresses

468

cat <<EOM >>$R/etc/host.conf

476

cat <<EOM >>$R/etc/host.conf

469

spoof warn

477

spoof warn

470

EOM

478

EOM

471

fi

479

fi

472

480

473

# Regenerate openssh server host keys

481

# Regenerate openssh server host keys

474

if [ "$ENABLE_SSHD" = true ] ; then

482

if [ "$ENABLE_SSHD" = true ] ; then

475

rm -fr $R/etc/ssh/ssh_host_*

483

rm -fr $R/etc/ssh/ssh_host_*

476

LANG=C chroot $R dpkg-reconfigure openssh-server

484

LANG=C chroot $R dpkg-reconfigure openssh-server

477

fi

485

fi

478

486

479

# Enable serial console systemd style

487

# Enable serial console systemd style

480

if [ "$ENABLE_CONSOLE" = true ] ; then

488

if [ "$ENABLE_CONSOLE" = true ] ; then

481

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

489

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

482

fi

490

fi

483

491

484

# Enable firewall based on iptables started by systemd service

492

# Enable firewall based on iptables started by systemd service

485

if [ "$ENABLE_IPTABLES" = true ] ; then

493

if [ "$ENABLE_IPTABLES" = true ] ; then

486

# Create iptables configuration directory

494

# Create iptables configuration directory

487

mkdir -p "$R/etc/iptables"

495

mkdir -p "$R/etc/iptables"

488

496

489

# Create iptables systemd service

497

# Create iptables systemd service

490

cat <<EOM >$R/etc/systemd/system/iptables.service

498

cat <<EOM >$R/etc/systemd/system/iptables.service

491

[Unit]

499

[Unit]

492

Description=Packet Filtering Framework

500

Description=Packet Filtering Framework

493

DefaultDependencies=no

501

DefaultDependencies=no

494

After=systemd-sysctl.service

502

After=systemd-sysctl.service

495

Before=sysinit.target

503

Before=sysinit.target

496

[Service]

504

[Service]

497

Type=oneshot

505

Type=oneshot

498

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

506

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

499

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

507

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

500

ExecStop=/etc/iptables/flush-iptables.sh

508

ExecStop=/etc/iptables/flush-iptables.sh

501

RemainAfterExit=yes

509

RemainAfterExit=yes

502

[Install]

510

[Install]

503

WantedBy=multi-user.target

511

WantedBy=multi-user.target

504

EOM

512

EOM

505

513

506

# Create flush-table script called by iptables service

514

# Create flush-table script called by iptables service

507

cat <<EOM >$R/etc/iptables/flush-iptables.sh

515

cat <<EOM >$R/etc/iptables/flush-iptables.sh

508

#!/bin/sh

516

#!/bin/sh

509

iptables -F

517

iptables -F

510

iptables -X

518

iptables -X

511

iptables -t nat -F

519

iptables -t nat -F

512

iptables -t nat -X

520

iptables -t nat -X

513

iptables -t mangle -F

521

iptables -t mangle -F

514

iptables -t mangle -X

522

iptables -t mangle -X

515

iptables -P INPUT ACCEPT

523

iptables -P INPUT ACCEPT

516

iptables -P FORWARD ACCEPT

524

iptables -P FORWARD ACCEPT

517

iptables -P OUTPUT ACCEPT

525

iptables -P OUTPUT ACCEPT

518

EOM

526

EOM

519

527

520

# Create iptables rule file

528

# Create iptables rule file

521

cat <<EOM >$R/etc/iptables/iptables.rules

529

cat <<EOM >$R/etc/iptables/iptables.rules

522

*filter

530

*filter

523

:INPUT DROP [0:0]

531

:INPUT DROP [0:0]

524

:FORWARD DROP [0:0]

532

:FORWARD DROP [0:0]

525

:OUTPUT ACCEPT [0:0]

533

:OUTPUT ACCEPT [0:0]

526

:TCP - [0:0]

534

:TCP - [0:0]

527

:UDP - [0:0]

535

:UDP - [0:0]

528

:SSH - [0:0]

536

:SSH - [0:0]

529

537

530

# Rate limit ping requests

538

# Rate limit ping requests

531

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

539

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

532

-A INPUT -p icmp --icmp-type echo-request -j DROP

540

-A INPUT -p icmp --icmp-type echo-request -j DROP

533

541

534

# Accept established connections

542

# Accept established connections

535

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

543

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

536

544

537

# Accept all traffic on loopback interface

545

# Accept all traffic on loopback interface

538

-A INPUT -i lo -j ACCEPT

546

-A INPUT -i lo -j ACCEPT

539

547

540

# Drop packets declared invalid

548

# Drop packets declared invalid

541

-A INPUT -m conntrack --ctstate INVALID -j DROP

549

-A INPUT -m conntrack --ctstate INVALID -j DROP

542

550

543

# SSH rate limiting

551

# SSH rate limiting

544

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

552

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

545

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

553

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

546

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

554

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

547

-A SSH -m recent --name sshbf --set -j ACCEPT

555

-A SSH -m recent --name sshbf --set -j ACCEPT

548

556

549

# Send TCP and UDP connections to their respective rules chain

557

# Send TCP and UDP connections to their respective rules chain

550

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

558

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

551

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

559

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

552

560

553

# Reject dropped packets with a RFC compliant responce

561

# Reject dropped packets with a RFC compliant responce

554

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

562

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

555

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

563

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

556

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

564

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

557

565

558

## TCP PORT RULES

566

## TCP PORT RULES

559

# -A TCP -p tcp -j LOG

567

# -A TCP -p tcp -j LOG

560

568

561

## UDP PORT RULES

569

## UDP PORT RULES

562

# -A UDP -p udp -j LOG

570

# -A UDP -p udp -j LOG

563

571

564

COMMIT

572

COMMIT

565

EOM

573

EOM

566

574

567

# Reload systemd configuration and enable iptables service

575

# Reload systemd configuration and enable iptables service

568

LANG=C chroot $R systemctl daemon-reload

576

LANG=C chroot $R systemctl daemon-reload

569

LANG=C chroot $R systemctl enable iptables.service

577

LANG=C chroot $R systemctl enable iptables.service

570

578

571

if [ "$ENABLE_IPV6" = true ] ; then

579

if [ "$ENABLE_IPV6" = true ] ; then

572

# Create ip6tables systemd service

580

# Create ip6tables systemd service

573

cat <<EOM >$R/etc/systemd/system/ip6tables.service

581

cat <<EOM >$R/etc/systemd/system/ip6tables.service

574

[Unit]

582

[Unit]

575

Description=Packet Filtering Framework

583

Description=Packet Filtering Framework

576

DefaultDependencies=no

584

DefaultDependencies=no

577

After=systemd-sysctl.service

585

After=systemd-sysctl.service

578

Before=sysinit.target

586

Before=sysinit.target

579

[Service]

587

[Service]

580

Type=oneshot

588

Type=oneshot

581

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

589

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

582

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

590

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

583

ExecStop=/etc/iptables/flush-ip6tables.sh

591

ExecStop=/etc/iptables/flush-ip6tables.sh

584

RemainAfterExit=yes

592

RemainAfterExit=yes

585

[Install]

593

[Install]

586

WantedBy=multi-user.target

594

WantedBy=multi-user.target

587

EOM

595

EOM

588

596

589

# Create ip6tables file

597

# Create ip6tables file

590

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

598

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

591

#!/bin/sh

599

#!/bin/sh

592

ip6tables -F

600

ip6tables -F

593

ip6tables -X

601

ip6tables -X

594

ip6tables -Z

602

ip6tables -Z

595

for table in $(</proc/net/ip6_tables_names)

603

for table in $(</proc/net/ip6_tables_names)

596

do

604

do

597

ip6tables -t \$table -F

605

ip6tables -t \$table -F

598

ip6tables -t \$table -X

606

ip6tables -t \$table -X

599

ip6tables -t \$table -Z

607

ip6tables -t \$table -Z

600

done

608

done

601

ip6tables -P INPUT ACCEPT

609

ip6tables -P INPUT ACCEPT

602

ip6tables -P OUTPUT ACCEPT

610

ip6tables -P OUTPUT ACCEPT

603

ip6tables -P FORWARD ACCEPT

611

ip6tables -P FORWARD ACCEPT

604

EOM

612

EOM

605

613

606

# Create ip6tables rule file

614

# Create ip6tables rule file

607

cat <<EOM >$R/etc/iptables/ip6tables.rules

615

cat <<EOM >$R/etc/iptables/ip6tables.rules

608

*filter

616

*filter

609

:INPUT DROP [0:0]

617

:INPUT DROP [0:0]

610

:FORWARD DROP [0:0]

618

:FORWARD DROP [0:0]

611

:OUTPUT ACCEPT [0:0]

619

:OUTPUT ACCEPT [0:0]

612

:TCP - [0:0]

620

:TCP - [0:0]

613

:UDP - [0:0]

621

:UDP - [0:0]

614

:SSH - [0:0]

622

:SSH - [0:0]

615

623

616

# Drop packets with RH0 headers

624

# Drop packets with RH0 headers

617

-A INPUT -m rt --rt-type 0 -j DROP

625

-A INPUT -m rt --rt-type 0 -j DROP

618

-A OUTPUT -m rt --rt-type 0 -j DROP

626

-A OUTPUT -m rt --rt-type 0 -j DROP

619

-A FORWARD -m rt --rt-type 0 -j DROP

627

-A FORWARD -m rt --rt-type 0 -j DROP

620

628

621

# Rate limit ping requests

629

# Rate limit ping requests

622

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

630

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

623

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

631

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

624

632

625

# Accept established connections

633

# Accept established connections

626

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

634

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

627

635

628

# Accept all traffic on loopback interface

636

# Accept all traffic on loopback interface

629

-A INPUT -i lo -j ACCEPT

637

-A INPUT -i lo -j ACCEPT

630

638

631

# Drop packets declared invalid

639

# Drop packets declared invalid

632

-A INPUT -m conntrack --ctstate INVALID -j DROP

640

-A INPUT -m conntrack --ctstate INVALID -j DROP

633

641

634

# SSH rate limiting

642

# SSH rate limiting

635

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

643

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

636

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

644

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

637

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

645

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

638

-A SSH -m recent --name sshbf --set -j ACCEPT

646

-A SSH -m recent --name sshbf --set -j ACCEPT

639

647

640

# Send TCP and UDP connections to their respective rules chain

648

# Send TCP and UDP connections to their respective rules chain

641

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

649

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

642

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

650

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

643

651

644

# Reject dropped packets with a RFC compliant responce

652

# Reject dropped packets with a RFC compliant responce

645

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

653

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

646

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

654

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

647

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

655

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

648

656

649

## TCP PORT RULES

657

## TCP PORT RULES

650

# -A TCP -p tcp -j LOG

658

# -A TCP -p tcp -j LOG

651

659

652

## UDP PORT RULES

660

## UDP PORT RULES

653

# -A UDP -p udp -j LOG

661

# -A UDP -p udp -j LOG

654

662

655

COMMIT

663

COMMIT

656

EOM

664

EOM

657

665

658

# Reload systemd configuration and enable iptables service

666

# Reload systemd configuration and enable iptables service

659

LANG=C chroot $R systemctl daemon-reload

667

LANG=C chroot $R systemctl daemon-reload

660

LANG=C chroot $R systemctl enable ip6tables.service

668

LANG=C chroot $R systemctl enable ip6tables.service

661

662

fi

669

fi

663

fi

670

fi

664

671

672

# Remove SSHD related iptables rules

673

if [ "$ENABLE_SSHD" = false ] ; then

674

sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null

675

sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null

676

fi

677

665

if [ "$ENABLE_UBOOT" = true ] ; then

678

if [ "$ENABLE_UBOOT" = true ] ; then

666

# Fetch u-boot github

679

# Fetch u-boot github

667

git -C $R/tmp clone git://git.denx.de/u-boot.git

680

git -C $R/tmp clone git://git.denx.de/u-boot.git

668

681

669

# Install minimal gcc/g++ build environment and build u-boot inside chroot

682

# Install minimal gcc/g++ build environment and build u-boot inside chroot

670

LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc

683

LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc

671

LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all

684

LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all

672

685

673

# Copy compiled bootloader binary and set config.txt to load it

686

# Copy compiled bootloader binary and set config.txt to load it

674

cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/

687

cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/

675

printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt

688

printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt

676

689

677

# Set u-boot command file

690

# Set u-boot command file

678

cat <<EOM >$R/boot/firmware/uboot.mkimage

691

cat <<EOM >$R/boot/firmware/uboot.mkimage

679

# Tell Linux that it is booting on a Raspberry Pi2

692

# Tell Linux that it is booting on a Raspberry Pi2

680

setenv machid 0x00000c42

693

setenv machid 0x00000c42

681

694

682

# Set the kernel boot command line

695

# Set the kernel boot command line

683

setenv bootargs "earlyprintk ${CMDLINE}"

696

setenv bootargs "earlyprintk ${CMDLINE}"

684

697

685

# Save these changes to u-boot's environment

698

# Save these changes to u-boot's environment

686

saveenv

699

saveenv

687

700

688

# Load the existing Linux kernel into RAM

701

# Load the existing Linux kernel into RAM

689

fatload mmc 0:1 \${kernel_addr_r} kernel7.img

702

fatload mmc 0:1 \${kernel_addr_r} kernel7.img

690

703

691

# Boot the kernel we have just loaded

704

# Boot the kernel we have just loaded

692

bootz \${kernel_addr_r}

705

bootz \${kernel_addr_r}

693

EOM

706

EOM

694

707

695

# Generate u-boot image from command file

708

# Generate u-boot image from command file

696

LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr

709

LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr

697

710

698

# Remove gcc/c++ build enviroment

711

# Remove gcc/c++ build enviroment

699

LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make

712

LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make

700

fi

713

fi

701

714

702

# Enable systemd-networkd DHCP configuration for the eth0 interface

715

# Enable systemd-networkd DHCP configuration for the eth0 interface

703

printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network

716

printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network

704

717

705

# Set DHCP configuration to IPv4 only

718

# Set DHCP configuration to IPv4 only

706

if [ "$ENABLE_IPV6" = false ] ; then

719

if [ "$ENABLE_IPV6" = false ] ; then

707

sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network

720

sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network

708

fi

721

fi

709

722

710

# Enable systemd-networkd service

723

# Enable systemd-networkd service

711

LANG=C chroot $R systemctl enable systemd-networkd

724

LANG=C chroot $R systemctl enable systemd-networkd

712

725

713

# Place hint about netowrk configuration

726

# Place hint about netowrk configuration

714

cat <<EOM >$R/etc/network/interfaces

727

cat <<EOM >$R/etc/network/interfaces

715

# Debian switched to systemd-networkd configuration files.

728

# Debian switched to systemd-networkd configuration files.

716

# please configure your networks in '/etc/systemd/network/'

729

# please configure your networks in '/etc/systemd/network/'

717

EOM

730

EOM

718

731

719

# Clean cached downloads

732

# Clean cached downloads

720

LANG=C chroot $R apt-get -y clean

733

LANG=C chroot $R apt-get -y clean

721

LANG=C chroot $R apt-get -y autoclean

734

LANG=C chroot $R apt-get -y autoclean

722

LANG=C chroot $R apt-get -y autoremove

735

LANG=C chroot $R apt-get -y autoremove

723

736

724

# Unmount mounted filesystems

737

# Unmount mounted filesystems

725

umount -l $R/proc

738

umount -l $R/proc

726

umount -l $R/sys

739

umount -l $R/sys

727

740

728

# Clean up files

741

# Clean up files

729

rm -f $R/etc/apt/sources.list.save

742

rm -f $R/etc/apt/sources.list.save

730

rm -f $R/etc/resolvconf/resolv.conf.d/original

743

rm -f $R/etc/resolvconf/resolv.conf.d/original

731

rm -rf $R/run

744

rm -rf $R/run

732

mkdir -p $R/run

745

mkdir -p $R/run

733

rm -f $R/etc/*-

746

rm -f $R/etc/*-

734

rm -f $R/root/.bash_history

747

rm -f $R/root/.bash_history

735

rm -rf $R/tmp/*

748

rm -rf $R/tmp/*

736

rm -f $R/var/lib/urandom/random-seed

749

rm -f $R/var/lib/urandom/random-seed

737

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

750

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

738

rm -f $R/etc/machine-id

751

rm -f $R/etc/machine-id

739

rm -fr $R/etc/apt/apt.conf.d/10proxy

752

rm -fr $R/etc/apt/apt.conf.d/10proxy

740

753

741

# Calculate size of the chroot directory

754

# Calculate size of the chroot directory

742

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

755

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

743

756

744

# Calculate required image size

757

# Calculate required image size

745

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

758

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

746

759

747

# Calculate number of sectors for the partition

760

# Calculate number of sectors for the partition

748

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

761

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

749

762

750

# Prepare date string for image file name

763

# Prepare date string for image file name

751

DATE="$(date +%Y-%m-%d)"

764

DATE="$(date +%Y-%m-%d)"

752

765

753

# Prepare image file

766

# Prepare image file

754

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

767

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

755

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

768

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

756

769

757

# Write partition table

770

# Write partition table

758

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

771

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

759

unit: sectors

772

unit: sectors

760

773

761

1 : start= 2048, size= 131072, Id= c, bootable

774

1 : start= 2048, size= 131072, Id= c, bootable

762

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

775

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

763

3 : start= 0, size= 0, Id= 0

776

3 : start= 0, size= 0, Id= 0

764

4 : start= 0, size= 0, Id= 0

777

4 : start= 0, size= 0, Id= 0

765

EOM

778

EOM

766

779

767

# Set up temporary loop devices and build filesystems

780

# Set up temporary loop devices and build filesystems

768

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

781

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

769

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

782

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

770

mkfs.vfat "$VFAT_LOOP"

783

mkfs.vfat "$VFAT_LOOP"

771

mkfs.ext4 "$EXT4_LOOP"

784

mkfs.ext4 "$EXT4_LOOP"

772

785

773

# Mount the temporary loop devices

786

# Mount the temporary loop devices

774

mkdir -p "$BUILDDIR/mount"

787

mkdir -p "$BUILDDIR/mount"

775

mount "$EXT4_LOOP" "$BUILDDIR/mount"

788

mount "$EXT4_LOOP" "$BUILDDIR/mount"

776

789

777

mkdir -p "$BUILDDIR/mount/boot/firmware"

790

mkdir -p "$BUILDDIR/mount/boot/firmware"

778

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

791

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

779

792

780

# Copy all files from the chroot to the loop device mount point directory

793

# Copy all files from the chroot to the loop device mount point directory

781

rsync -a "$R/" "$BUILDDIR/mount/"

794

rsync -a "$R/" "$BUILDDIR/mount/"

782

795

783

# Unmount all temporary loop devices and mount points

796

# Unmount all temporary loop devices and mount points

784

cleanup

797

cleanup

785

798

786

# (optinal) create block map file for "bmaptool"

799

# (optinal) create block map file for "bmaptool"

787

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

800

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

788

801

789

# Image was successfully created

802

# Image was successfully created

790

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

803

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #!/bin/sh
             ########################################################################
             # rpi2-gen-image.sh					   ver2a 12/2015
             #
             # Advanced debian "jessie" bootstrap script for RPi2
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # some parts based on rpi2-build-image:
             # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
             # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
             ########################################################################
             cleanup (){
               set +x
               set +e
               echo "removing temporary mount points ..."
               umount -l $R/proc 2> /dev/null
               umount -l $R/sys 2> /dev/null
               umount -l $R/dev/pts 2> /dev/null
               umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
               umount "$BUILDDIR/mount" 2> /dev/null
               losetup -d "$EXT4_LOOP" 2> /dev/null
               losetup -d "$VFAT_LOOP" 2> /dev/null
               trap - 0 1 2 3 6
             }
             set -e
             set -x
             RELEASE=${RELEASE:=jessie}
             # Build settings
             BASEDIR=./images/${RELEASE}
             BUILDDIR=${BASEDIR}/build
             # General settings
             HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
             PASSWORD=${PASSWORD:=raspberry}
             DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
             TIMEZONE=${TIMEZONE:="Europe/Berlin"}
             # APT settings
             APT_PROXY=${APT_PROXY:=""}
             APT_SERVER=${APT_SERVER:="ftp.debian.org"}
             # Feature settings
             ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
             ENABLE_IPV6=${ENABLE_IPV6:=true}
             ENABLE_SSHD=${ENABLE_SSHD:=true}
             ENABLE_SOUND=${ENABLE_SOUND:=true}
             ENABLE_DBUS=${ENABLE_DBUS:=true}
             ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
             ENABLE_MINGPU=${ENABLE_MINGPU:=false}
             ENABLE_XORG=${ENABLE_XORG:=false}
             ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
             # Advanced settings
             ENABLE_MINBASE=${ENABLE_MINBASE:=false}
             ENABLE_UBOOT=${ENABLE_UBOOT:=false}
             ENABLE_HARDNET=${ENABLE_HARDNET:=false}
             ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
             # Image chroot path
             R=${BUILDDIR}/chroot
             # Packages required for bootstrapping
             REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
             # Missing packages that need to be installed
             MISSING_PACKAGES=""
             # Packages required in the chroot build enviroment
             APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
             set +x
             # Are we running as root?
             if [ "$(id -u)" -ne "0" ] ; then
               echo "this script must be executed with root privileges"
               exit 1
             fi
             # Check if all required packages are installed
             for package in $REQUIRED_PACKAGES ; do
               if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
                 MISSING_PACKAGES="$MISSING_PACKAGES $package"
               fi
             done
             # Ask if missing packages should get installed right now
             if [ -n "$MISSING_PACKAGES" ] ; then
               echo "the following packages needed by this script are not installed:"
               echo "$MISSING_PACKAGES"
               echo -n "\ndo you want to install the missing packages right now? [y/n] "
               read confirm
               if [ "$confirm" != "y" ] ; then
                 exit 1
               fi
             fi
             # Make sure all required packages are installed
             apt-get -qq -y install ${REQUIRED_PACKAGES}
             # Don't clobber an old build
             if [ -e "$BUILDDIR" ]; then
               echo "directory $BUILDDIR already exists, not proceeding"
               exit 1
             fi
             set -x
             # Call "cleanup" function on various signals and errors
             trap cleanup 0 1 2 3 6
             # Set up chroot directory
             mkdir -p $R
             # Add required packages for the minbase installation
             if [ "$ENABLE_MINBASE" = true ] ; then
-              APT_INCLUDES="${APT_INCLUDES},vim-tiny,net-tools"
+              APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
             else
               APT_INCLUDES="${APT_INCLUDES},locales"
             fi
             # Add dbus package, recommended if using systemd
             if [ "$ENABLE_DBUS" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},dbus"
             fi
+            # Add iptables IPv4/IPv6 package
+            if [ "$ENABLE_IPTABLES" = true ] ; then
+              APT_INCLUDES="${APT_INCLUDES},iptables"
+            fi
             # Add openssh server package
             if [ "$ENABLE_SSHD" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},openssh-server"
             fi
             # Add rng-tools package
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},rng-tools"
             fi
-            # Add xorg package
-            if [ "$ENABLE_XORG" = true ] ; then
-              APT_INCLUDES="${APT_INCLUDES},xorg"
-            fi
             # Add fluxbox package with eterm
             if [ "$ENABLE_FLUXBOX" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
+              # Enable xorg package dependency
+              ENABLE_XORG=true
+            fi
+            # Add xorg package
+            if [ "$ENABLE_XORG" = true ] ; then
+              APT_INCLUDES="${APT_INCLUDES},xorg"
             fi
             # Set empty proxy string
             if [ -z "$APT_PROXY" ] ; then
               APT_PROXY="http://"
             fi
             # Base debootstrap (unpack only)
             if [ "$ENABLE_MINBASE" = true ] ; then
               debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
             else
               debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
             fi
             # Copy qemu emulator binary to chroot
             cp /usr/bin/qemu-arm-static $R/usr/bin
             # Copy debian-archive-keyring.pgp
             chroot $R mkdir -p /usr/share/keyrings
             cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
             # Complete the bootstrapping proccess
             chroot $R /debootstrap/debootstrap --second-stage
             # Mount required filesystems
             mount -t proc none $R/proc
             mount -t sysfs none $R/sys
             mount --bind /dev/pts $R/dev/pts
             # Use proxy inside chroot
             if [ -z "$APT_PROXY" ] ; then
               echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
             fi
             # Pin package flash-kernel to repositories.collabora.co.uk
             cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
             Package: flash-kernel
             Pin: origin repositories.collabora.co.uk
             Pin-Priority: 1000
             EOM
             # Set up timezone
             echo ${TIMEZONE} >$R/etc/timezone
             LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
             # Set up default locales to "en_US.UTF-8" default
             if [ "$ENABLE_MINBASE" = false ] ; then
               LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
               LANG=C chroot $R locale-gen ${DEFLOCAL}
             fi
             # Upgrade collabora package index and install collabora keyring
             echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
             LANG=C chroot $R apt-get -qq -y update
             LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
             # Set up initial sources.list
             cat <<EOM >$R/etc/apt/sources.list
             deb http://${APT_SERVER}/debian ${RELEASE} main contrib
             #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
             deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             deb http://security.debian.org/ ${RELEASE}/updates main contrib
             #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
             deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
             EOM
             # Upgrade package index and update all installed packages and changed dependencies
             LANG=C chroot $R apt-get -qq -y update
             LANG=C chroot $R apt-get -qq -y -u dist-upgrade
             # Kernel installation
             # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
             LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
             LANG=C chroot $R apt-get -qq -y install flash-kernel
             VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
             [ -z "$VMLINUZ" ] && exit 1
             mkdir -p $R/boot/firmware
             # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
             wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
             wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
             wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
             wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
             wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
             wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
             wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
             cp $VMLINUZ $R/boot/firmware/kernel7.img
             # Set up hosts
             echo ${HOSTNAME} >$R/etc/hostname
             cat <<EOM >$R/etc/hosts
 .0.0.1       localhost
 .0.1.1       ${HOSTNAME}
             EOM
             if [ "$ENABLE_IPV6" = true ] ; then
             cat <<EOM >>$R/etc/hosts
             ::1             localhost ip6-localhost ip6-loopback
             ff02::1         ip6-allnodes
             ff02::2         ip6-allrouters
             EOM
             fi
             # Generate crypt(3) password string
             ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
             # Set up default user
             LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
             LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
             # Set up root password
             LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
             # Set up interfaces
             cat <<EOM >$R/etc/network/interfaces
             # interfaces(5) file used by ifup(8) and ifdown(8)
             # Include files from /etc/network/interfaces.d:
             source-directory /etc/network/interfaces.d
             # The loopback network interface
             auto lo
             iface lo inet loopback
             # The primary network interface
             allow-hotplug eth0
             iface eth0 inet dhcp
             EOM
             # Set up firmware boot cmdline
             CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
             # Set up serial console support (if requested)
             if [ "$ENABLE_CONSOLE" = true ] ; then
               CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
             fi
-            # Set up ipv6 support (if requested)
+            # Set up IPv6 networking support
             if [ "$ENABLE_IPV6" = false ] ; then
               CMDLINE="${CMDLINE} ipv6.disable=1"
             fi
             echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
             # Set up firmware config
             cat <<EOM >$R/boot/firmware/config.txt
             # For more options and information see
             # http://www.raspberrypi.org/documentation/configuration/config-txt.md
             # Some settings may impact device functionality. See link above for details
             # uncomment if you get no picture on HDMI for a default "safe" mode
             #hdmi_safe=1
             # uncomment this if your display has a black border of unused pixels visible
             # and your display can output without overscan
             #disable_overscan=1
             # uncomment the following to adjust overscan. Use positive numbers if console
             # goes off screen, and negative if there is too much border
             #overscan_left=16
             #overscan_right=16
             #overscan_top=16
             #overscan_bottom=16
             # uncomment to force a console size. By default it will be display's size minus
             # overscan.
             #framebuffer_width=1280
             #framebuffer_height=720
             # uncomment if hdmi display is not detected and composite is being output
             #hdmi_force_hotplug=1
             # uncomment to force a specific HDMI mode (this will force VGA)
             #hdmi_group=1
             #hdmi_mode=1
             # uncomment to force a HDMI mode rather than DVI. This can make audio work in
             # DMT (computer monitor) modes
             #hdmi_drive=2
             # uncomment to increase signal to HDMI, if you have interference, blanking, or
             # no display
             #config_hdmi_boost=4
             # uncomment for composite PAL
             #sdtv_mode=2
             # uncomment to overclock the arm. 700 MHz is the default.
             #arm_freq=800
             EOM
             # Set smallest possible GPU memory allocation size: 16MB (no X)
             if [ "$ENABLE_MINGPU" = true ] ; then
               echo "gpu_mem=16" >>$R/boot/firmware/config.txt
             fi
             # Create symlinks
             ln -sf firmware/config.txt $R/boot/config.txt
             ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
             # Prepare modules-load.d directory
             mkdir -p $R/lib/modules-load.d/
             # Load random module on boot
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               cat <<EOM >$R/lib/modules-load.d/rpi2.conf
             bcm2708_rng
             EOM
             fi
             # Prepare modprobe.d directory
             mkdir -p $R/etc/modprobe.d/
             # Blacklist sound modules
             cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
             blacklist snd_soc_core
             blacklist snd_pcm
             blacklist snd_pcm_dmaengine
             blacklist snd_timer
             blacklist snd_compress
             blacklist snd_soc_pcm512x_i2c
             blacklist snd_soc_pcm512x
             blacklist snd_soc_tas5713
             blacklist snd_soc_wm8804
             EOM
             # Create default fstab
             cat <<EOM >$R/etc/fstab
             /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
             /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
             EOM
             # Avoid swapping and increase cache sizes
             cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Avoid swapping and increase cache sizes
             vm.swappiness=1
             vm.dirty_background_ratio=20
             vm.dirty_ratio=40
             vm.dirty_writeback_centisecs=500
             vm.dirty_expire_centisecs=6000
             EOM
             # Enable network stack hardening
             if [ "$ENABLE_HARDNET" = true ] ; then
               cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Enable network stack hardening
             net.ipv4.tcp_timestamps=0
             net.ipv4.tcp_syncookies=1
             net.ipv4.conf.all.rp_filter=1
             net.ipv4.conf.all.accept_redirects=0
             net.ipv4.conf.all.send_redirects=0
             net.ipv4.conf.all.accept_source_route=0
             net.ipv4.conf.default.rp_filter=1
             net.ipv4.conf.default.accept_redirects=0
             net.ipv4.conf.default.send_redirects=0
             net.ipv4.conf.default.accept_source_route=0
             net.ipv4.conf.lo.accept_redirects=0
             net.ipv4.conf.lo.send_redirects=0
             net.ipv4.conf.lo.accept_source_route=0
             net.ipv4.conf.eth0.accept_redirects=0
             net.ipv4.conf.eth0.send_redirects=0
             net.ipv4.conf.eth0.accept_source_route=0
             net.ipv4.icmp_echo_ignore_broadcasts=1
             net.ipv4.icmp_ignore_bogus_error_responses=1
             net.ipv6.conf.all.accept_redirects=0
             net.ipv6.conf.all.accept_source_route=0
             net.ipv6.conf.all.router_solicitations=0
             net.ipv6.conf.all.accept_ra_rtr_pref=0
             net.ipv6.conf.all.accept_ra_pinfo=0
             net.ipv6.conf.all.accept_ra_defrtr=0
             net.ipv6.conf.all.autoconf=0
             net.ipv6.conf.all.dad_transmits=0
             net.ipv6.conf.all.max_addresses=1
             net.ipv6.conf.default.accept_redirects=0
             net.ipv6.conf.default.accept_source_route=0
             net.ipv6.conf.default.router_solicitations=0
             net.ipv6.conf.default.accept_ra_rtr_pref=0
             net.ipv6.conf.default.accept_ra_pinfo=0
             net.ipv6.conf.default.accept_ra_defrtr=0
             net.ipv6.conf.default.autoconf=0
             net.ipv6.conf.default.dad_transmits=0
             net.ipv6.conf.default.max_addresses=1
             net.ipv6.conf.lo.accept_redirects=0
             net.ipv6.conf.lo.accept_source_route=0
             net.ipv6.conf.lo.router_solicitations=0
             net.ipv6.conf.lo.accept_ra_rtr_pref=0
             net.ipv6.conf.lo.accept_ra_pinfo=0
             net.ipv6.conf.lo.accept_ra_defrtr=0
             net.ipv6.conf.lo.autoconf=0
             net.ipv6.conf.lo.dad_transmits=0
             net.ipv6.conf.lo.max_addresses=1
             net.ipv6.conf.eth0.accept_redirects=0
             net.ipv6.conf.eth0.accept_source_route=0
             net.ipv6.conf.eth0.router_solicitations=0
             net.ipv6.conf.eth0.accept_ra_rtr_pref=0
             net.ipv6.conf.eth0.accept_ra_pinfo=0
             net.ipv6.conf.eth0.accept_ra_defrtr=0
             net.ipv6.conf.eth0.autoconf=0
             net.ipv6.conf.eth0.dad_transmits=0
             net.ipv6.conf.eth0.max_addresses=1
             EOM
             # Enable resolver warnings about spoofed addresses
               cat <<EOM >>$R/etc/host.conf
             spoof warn
             EOM
             fi
             # Regenerate openssh server host keys
             if [ "$ENABLE_SSHD" = true ] ; then
               rm -fr $R/etc/ssh/ssh_host_*
               LANG=C chroot $R dpkg-reconfigure openssh-server
             fi
             # Enable serial console systemd style
             if [ "$ENABLE_CONSOLE" = true ] ; then
               LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
             fi
             # Enable firewall based on iptables started by systemd service
             if [ "$ENABLE_IPTABLES" = true ] ; then
               # Create iptables configuration directory
               mkdir -p "$R/etc/iptables"
               # Create iptables systemd service
               cat <<EOM >$R/etc/systemd/system/iptables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecStop=/etc/iptables/flush-iptables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
               # Create flush-table script called by iptables service
               cat <<EOM >$R/etc/iptables/flush-iptables.sh
             #!/bin/sh
             iptables -F
             iptables -X
             iptables -t nat -F
             iptables -t nat -X
             iptables -t mangle -F
             iptables -t mangle -X
             iptables -P INPUT ACCEPT
             iptables -P FORWARD ACCEPT
             iptables -P OUTPUT ACCEPT
             EOM
               # Create iptables rule file
               cat <<EOM >$R/etc/iptables/iptables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Rate limit ping requests
             -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmp --icmp-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
             -A INPUT -p tcp -j REJECT --reject-with tcp-rst
             -A INPUT -j REJECT --reject-with icmp-proto-unreachable
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable iptables.service
               if [ "$ENABLE_IPV6" = true ] ; then
                 # Create ip6tables systemd service
                 cat <<EOM >$R/etc/systemd/system/ip6tables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecStop=/etc/iptables/flush-ip6tables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
                 # Create ip6tables file
                 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
             #!/bin/sh
             ip6tables -F
             ip6tables -X
             ip6tables -Z
             for table in $(</proc/net/ip6_tables_names)
             do
                     ip6tables -t \$table -F
                     ip6tables -t \$table -X
                     ip6tables -t \$table -Z
             done
             ip6tables -P INPUT ACCEPT
             ip6tables -P OUTPUT ACCEPT
             ip6tables -P FORWARD ACCEPT
             EOM
                 # Create ip6tables rule file
                 cat <<EOM >$R/etc/iptables/ip6tables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Drop packets with RH0 headers
             -A INPUT -m rt --rt-type 0 -j DROP
             -A OUTPUT -m rt --rt-type 0 -j DROP
             -A FORWARD -m rt --rt-type 0 -j DROP
             # Rate limit ping requests
             -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable ip6tables.service
               fi
             fi
+            # Remove SSHD related iptables rules
+            if [ "$ENABLE_SSHD" = false ] ; then
+             sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
+             sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
+            fi
             if [ "$ENABLE_UBOOT" = true ] ; then
               # Fetch u-boot github
               git -C $R/tmp clone git://git.denx.de/u-boot.git
               # Install minimal gcc/g++ build environment and build u-boot inside chroot
               LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
               LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
               # Copy compiled bootloader binary and set config.txt to load it
               cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
               printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
               # Set u-boot command file
               cat <<EOM >$R/boot/firmware/uboot.mkimage
             # Tell Linux that it is booting on a Raspberry Pi2
             setenv machid 0x00000c42
             # Set the kernel boot command line
             setenv bootargs "earlyprintk ${CMDLINE}"
             # Save these changes to u-boot's environment
             saveenv
             # Load the existing Linux kernel into RAM
             fatload mmc 0:1 \${kernel_addr_r} kernel7.img
             # Boot the kernel we have just loaded
             bootz \${kernel_addr_r}
             EOM
               # Generate u-boot image from command file
               LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
               # Remove gcc/c++ build enviroment
               LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
             fi
             # Enable systemd-networkd DHCP configuration for the eth0 interface
             printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network
             # Set DHCP configuration to IPv4 only
             if [ "$ENABLE_IPV6" = false ] ; then
               sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
             fi
             # Enable systemd-networkd service
             LANG=C chroot $R systemctl enable systemd-networkd
             # Place hint about netowrk configuration
             cat <<EOM >$R/etc/network/interfaces
             # Debian switched to systemd-networkd configuration files.
             # please configure your networks in '/etc/systemd/network/'
             EOM
             # Clean cached downloads
             LANG=C chroot $R apt-get -y clean
             LANG=C chroot $R apt-get -y autoclean
             LANG=C chroot $R apt-get -y autoremove
             # Unmount mounted filesystems
             umount -l $R/proc
             umount -l $R/sys
             # Clean up files
             rm -f $R/etc/apt/sources.list.save
             rm -f $R/etc/resolvconf/resolv.conf.d/original
             rm -rf $R/run
             mkdir -p $R/run
             rm -f $R/etc/*-
             rm -f $R/root/.bash_history
             rm -rf $R/tmp/*
             rm -f $R/var/lib/urandom/random-seed
             [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
             rm -f $R/etc/machine-id
             rm -fr $R/etc/apt/apt.conf.d/10proxy
             # Calculate size of the chroot directory
             CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
             # Calculate required image size
             IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
             # Calculate number of sectors for the partition
             IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
             # Prepare date string for image file name
             DATE="$(date +%Y-%m-%d)"
             # Prepare image file
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
             # Write partition table
             sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
             unit: sectors
 : start=     2048, size=   131072, Id= c, bootable
 : start=   133120, size=  ${IMAGE_SECTORS}, Id=83
 : start=        0, size=        0, Id= 0
 : start=        0, size=        0, Id= 0
             EOM
             # Set up temporary loop devices and build filesystems
             VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             mkfs.vfat "$VFAT_LOOP"
             mkfs.ext4 "$EXT4_LOOP"
             # Mount the temporary loop devices
             mkdir -p "$BUILDDIR/mount"
             mount "$EXT4_LOOP" "$BUILDDIR/mount"
             mkdir -p "$BUILDDIR/mount/boot/firmware"
             mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
             # Copy all files from the chroot to the loop device mount point directory
             rsync -a "$R/" "$BUILDDIR/mount/"
             # Unmount all temporary loop devices and mount points
             cleanup
             # (optinal) create block map file for "bmaptool"
             bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
             # Image was successfully created
             echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"