##// END OF EJS Templates
Merge branch 'master' of https://github.com/fpytloun/rpi2-gen-image into fpytloun-master
Jan Wagner -
r50:58eaf5383a31 Fusion
parent child
Show More
@@ -0,0 +1,43
1 # For more options and information see
2 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
3 # Some settings may impact device functionality. See link above for details
4
5 # uncomment if you get no picture on HDMI for a default "safe" mode
6 #hdmi_safe=1
7
8 # uncomment this if your display has a black border of unused pixels visible
9 # and your display can output without overscan
10 #disable_overscan=1
11
12 # uncomment the following to adjust overscan. Use positive numbers if console
13 # goes off screen, and negative if there is too much border
14 #overscan_left=16
15 #overscan_right=16
16 #overscan_top=16
17 #overscan_bottom=16
18
19 # uncomment to force a console size. By default it will be display's size minus
20 # overscan.
21 #framebuffer_width=1280
22 #framebuffer_height=720
23
24 # uncomment if hdmi display is not detected and composite is being output
25 #hdmi_force_hotplug=1
26
27 # uncomment to force a specific HDMI mode (this will force VGA)
28 #hdmi_group=1
29 #hdmi_mode=1
30
31 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
32 # DMT (computer monitor) modes
33 #hdmi_drive=2
34
35 # uncomment to increase signal to HDMI, if you have interference, blanking, or
36 # no display
37 #config_hdmi_boost=4
38
39 # uncomment for composite PAL
40 #sdtv_mode=2
41
42 # uncomment to overclock the arm. 700 MHz is the default.
43 #arm_freq=800
@@ -0,0 +1,2
1 #!/bin/sh -e
2 logger -t "rc.firstboot" "Starting first boot actions"
@@ -0,0 +1,8
1 logger -t "rc.firstboot" "Generating SSH host keys"
2 rm -f /etc/ssh/ssh_host_*
3 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
4 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
5 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
6 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
7
8 systemctl restart sshd
@@ -0,0 +1,52
1 logger -t "rc.firstboot" "Expanding root"
2 ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
3 PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
4 case "${ROOT_PART}" in
5 mmcblk0*) ROOT_DEV=mmcblk0 ;;
6 sda*) ROOT_DEV=sda ;;
7 esac
8 if [ "$PART_NUM" = "$ROOT_PART" ]; then
9 logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
10 return 0
11 fi
12
13 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
14 # agree to work with a sufficiently simple partition layout
15 if [ "$PART_NUM" -gt 2 ]; then
16 logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
17 return 0
18 fi
19 LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
20 if [ $LAST_PART_NUM -ne $PART_NUM ]; then
21 logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
22 return 0
23 fi
24
25 # Get the starting offset of the root partition
26 PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
27 [ "$PART_START" ] || return 1
28
29 # Get the possible last sector for the root partition
30 PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
31 [ "$PART_LAST" ] || return 1
32
33 # Return value will likely be error for fdisk as it fails to reload the
34 # partition table because the root fs is mounted
35 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
36 fdisk /dev/${ROOT_DEV} <<EOF2 || true
37 p
38 d
39 $PART_NUM
40 n
41 p
42 $PART_NUM
43 $PART_START
44 $PART_LAST
45 p
46 w
47 EOF2
48
49 # Reload the partition table, resize root filesystem then remove resizing code from this file
50 partprobe &&
51 resize2fs /dev/${ROOT_PART} &&
52 logger -t "rc.firstboot" "Root partition successfuly resized."
@@ -0,0 +1,3
1 logger -t "rc.firstboot" "First boot actions finished"
2 rm -f /etc/rc.firstboot
3 sed -i '/.*rc.firstboot/d' /etc/rc.local
@@ -0,0 +1,2
1 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
2 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
@@ -0,0 +1,15
1 #!/bin/sh
2 ip6tables -F
3 ip6tables -X
4 ip6tables -Z
5
6 for table in $(</proc/net/ip6_tables_names)
7 do
8 ip6tables -t \$table -F
9 ip6tables -t \$table -X
10 ip6tables -t \$table -Z
11 done
12
13 ip6tables -P INPUT ACCEPT
14 ip6tables -P OUTPUT ACCEPT
15 ip6tables -P FORWARD ACCEPT
@@ -0,0 +1,10
1 #!/bin/sh
2 iptables -F
3 iptables -X
4 iptables -t nat -F
5 iptables -t nat -X
6 iptables -t mangle -F
7 iptables -t mangle -X
8 iptables -P INPUT ACCEPT
9 iptables -P FORWARD ACCEPT
10 iptables -P OUTPUT ACCEPT
@@ -0,0 +1,48
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Drop packets with RH0 headers
10 -A INPUT -m rt --rt-type 0 -j DROP
11 -A OUTPUT -m rt --rt-type 0 -j DROP
12 -A FORWARD -m rt --rt-type 0 -j DROP
13
14 # Rate limit ping requests
15 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
16 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
17
18 # Accept established connections
19 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
20
21 # Accept all traffic on loopback interface
22 -A INPUT -i lo -j ACCEPT
23
24 # Drop packets declared invalid
25 -A INPUT -m conntrack --ctstate INVALID -j DROP
26
27 # SSH rate limiting
28 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
29 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
30 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
31 -A SSH -m recent --name sshbf --set -j ACCEPT
32
33 # Send TCP and UDP connections to their respective rules chain
34 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
35 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
36
37 # Reject dropped packets with a RFC compliant responce
38 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
39 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
40 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
41
42 ## TCP PORT RULES
43 # -A TCP -p tcp -j LOG
44
45 ## UDP PORT RULES
46 # -A UDP -p udp -j LOG
47
48 COMMIT
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
10 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
11 ExecStop=/etc/iptables/flush-ip6tables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
@@ -0,0 +1,43
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Rate limit ping requests
10 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
11 -A INPUT -p icmp --icmp-type echo-request -j DROP
12
13 # Accept established connections
14 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
15
16 # Accept all traffic on loopback interface
17 -A INPUT -i lo -j ACCEPT
18
19 # Drop packets declared invalid
20 -A INPUT -m conntrack --ctstate INVALID -j DROP
21
22 # SSH rate limiting
23 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
24 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
25 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
26 -A SSH -m recent --name sshbf --set -j ACCEPT
27
28 # Send TCP and UDP connections to their respective rules chain
29 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
30 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
31
32 # Reject dropped packets with a RFC compliant responce
33 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
34 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
35 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
36
37 ## TCP PORT RULES
38 # -A TCP -p tcp -j LOG
39
40 ## UDP PORT RULES
41 # -A UDP -p udp -j LOG
42
43 COMMIT
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
10 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
11 ExecStop=/etc/iptables/flush-iptables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
@@ -0,0 +1,9
1 blacklist snd_soc_core
2 blacklist snd_pcm
3 blacklist snd_pcm_dmaengine
4 blacklist snd_timer
5 blacklist snd_compress
6 blacklist snd_soc_pcm512x_i2c
7 blacklist snd_soc_pcm512x
8 blacklist snd_soc_tas5713
9 blacklist snd_soc_wm8804
@@ -0,0 +1,6
1 # Avoid swapping and increase cache sizes
2 vm.swappiness=1
3 vm.dirty_background_ratio=20
4 vm.dirty_ratio=40
5 vm.dirty_writeback_centisecs=500
6 vm.dirty_expire_centisecs=6000
@@ -0,0 +1,59
1 # Enable network stack hardening
2 net.ipv4.tcp_timestamps=0
3 net.ipv4.tcp_syncookies=1
4 net.ipv4.conf.all.rp_filter=1
5 net.ipv4.conf.all.accept_redirects=0
6 net.ipv4.conf.all.send_redirects=0
7 net.ipv4.conf.all.accept_source_route=0
8 net.ipv4.conf.default.rp_filter=1
9 net.ipv4.conf.default.accept_redirects=0
10 net.ipv4.conf.default.send_redirects=0
11 net.ipv4.conf.default.accept_source_route=0
12 net.ipv4.conf.lo.accept_redirects=0
13 net.ipv4.conf.lo.send_redirects=0
14 net.ipv4.conf.lo.accept_source_route=0
15 net.ipv4.conf.eth0.accept_redirects=0
16 net.ipv4.conf.eth0.send_redirects=0
17 net.ipv4.conf.eth0.accept_source_route=0
18 net.ipv4.icmp_echo_ignore_broadcasts=1
19 net.ipv4.icmp_ignore_bogus_error_responses=1
20
21 net.ipv6.conf.all.accept_redirects=0
22 net.ipv6.conf.all.accept_source_route=0
23 net.ipv6.conf.all.router_solicitations=0
24 net.ipv6.conf.all.accept_ra_rtr_pref=0
25 net.ipv6.conf.all.accept_ra_pinfo=0
26 net.ipv6.conf.all.accept_ra_defrtr=0
27 net.ipv6.conf.all.autoconf=0
28 net.ipv6.conf.all.dad_transmits=0
29 net.ipv6.conf.all.max_addresses=1
30
31 net.ipv6.conf.default.accept_redirects=0
32 net.ipv6.conf.default.accept_source_route=0
33 net.ipv6.conf.default.router_solicitations=0
34 net.ipv6.conf.default.accept_ra_rtr_pref=0
35 net.ipv6.conf.default.accept_ra_pinfo=0
36 net.ipv6.conf.default.accept_ra_defrtr=0
37 net.ipv6.conf.default.autoconf=0
38 net.ipv6.conf.default.dad_transmits=0
39 net.ipv6.conf.default.max_addresses=1
40
41 net.ipv6.conf.lo.accept_redirects=0
42 net.ipv6.conf.lo.accept_source_route=0
43 net.ipv6.conf.lo.router_solicitations=0
44 net.ipv6.conf.lo.accept_ra_rtr_pref=0
45 net.ipv6.conf.lo.accept_ra_pinfo=0
46 net.ipv6.conf.lo.accept_ra_defrtr=0
47 net.ipv6.conf.lo.autoconf=0
48 net.ipv6.conf.lo.dad_transmits=0
49 net.ipv6.conf.lo.max_addresses=1
50
51 net.ipv6.conf.eth0.accept_redirects=0
52 net.ipv6.conf.eth0.accept_source_route=0
53 net.ipv6.conf.eth0.router_solicitations=0
54 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
55 net.ipv6.conf.eth0.accept_ra_pinfo=0
56 net.ipv6.conf.eth0.accept_ra_defrtr=0
57 net.ipv6.conf.eth0.autoconf=0
58 net.ipv6.conf.eth0.dad_transmits=0
59 net.ipv6.conf.eth0.max_addresses=1
@@ -43,6 +43,9 Set default system locale. This setting can also be changed inside the running O
43 ##### `TIMEZONE`="Europe/Berlin"
43 ##### `TIMEZONE`="Europe/Berlin"
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45
45
46 ##### `EXPANDROOT`=true
47 Expand the root partition and filesystem automatically on first boot.
48
46 #### Keyboard settings:
49 #### Keyboard settings:
47 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
50 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
48 ##### `XKBMODEL`=""
51 ##### `XKBMODEL`=""
@@ -87,6 +90,10 Enable IPv6 support. The network interface configuration is managed via systemd-
87 ##### `ENABLE_SSHD`=true
90 ##### `ENABLE_SSHD`=true
88 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
91 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
89
92
93 ##### `ENABLE_RSYSLOG`=true
94 If set to false, disable and uninstall rsyslog (so logs will be available only
95 in journal files)
96
90 ##### `ENABLE_SOUND`=true
97 ##### `ENABLE_SOUND`=true
91 Enable sound hardware and install Advanced Linux Sound Architecture.
98 Enable sound hardware and install Advanced Linux Sound Architecture.
92
99
@@ -118,6 +125,16 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please
118 ##### `ENABLE_IPTABLES`=false
125 ##### `ENABLE_IPTABLES`=false
119 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
126 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
120
127
128 ##### `ENABLE_USER`=true
129 Create pi user with password raspberry
130
131 ##### `ENABLE_ROOT`=true
132 Set root user password so root login will be enabled
133
134 ##### `ENABLE_ROOT_SSH`=true
135 Enable password root login via SSH. May be a security risk with default
136 password, use only in trusted environments.
137
121 ##### `ENABLE_HARDNET`=false
138 ##### `ENABLE_HARDNET`=false
122 Enable IPv4/IPv6 network stack hardening settings.
139 Enable IPv4/IPv6 network stack hardening settings.
123
140
@@ -30,11 +30,17 cleanup (){
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 # Exec command in chroot
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
36 }
37
33 set -e
38 set -e
34 set -x
39 set -x
35
40
36 # Debian release
41 # Debian release
37 RELEASE=${RELEASE:=jessie}
42 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
38
44
39 # Build settings
45 # Build settings
40 BASEDIR=./images/${RELEASE}
46 BASEDIR=./images/${RELEASE}
@@ -49,6 +55,7 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
55 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
56 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
57 XKBOPTIONS=${XKBOPTIONS:=""}
58 EXPANDROOT=${EXPANDROOT:=true}
52
59
53 # Network settings
60 # Network settings
54 ENABLE_DHCP=${ENABLE_DHCP:=true}
61 ENABLE_DHCP=${ENABLE_DHCP:=true}
@@ -76,6 +83,10 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
83 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 ENABLE_XORG=${ENABLE_XORG:=false}
84 ENABLE_XORG=${ENABLE_XORG:=false}
78 ENABLE_WM=${ENABLE_WM:=""}
85 ENABLE_WM=${ENABLE_WM:=""}
86 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
87 ENABLE_USER=${ENABLE_USER:=true}
88 ENABLE_ROOT=${ENABLE_ROOT:=false}
89 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
79
90
80 # Advanced settings
91 # Advanced settings
81 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
92 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
@@ -148,6 +159,11 else
148 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
159 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
149 fi
160 fi
150
161
162 # Add parted package, required to get partprobe utility
163 if [ "$EXPANDROOT" = true ] ; then
164 APT_INCLUDES="${APT_INCLUDES},parted"
165 fi
166
151 # Add dbus package, recommended if using systemd
167 # Add dbus package, recommended if using systemd
152 if [ "$ENABLE_DBUS" = true ] ; then
168 if [ "$ENABLE_DBUS" = true ] ; then
153 APT_INCLUDES="${APT_INCLUDES},dbus"
169 APT_INCLUDES="${APT_INCLUDES},dbus"
@@ -173,6 +189,10 if [ "$ENABLE_HWRANDOM" = true ] ; then
173 APT_INCLUDES="${APT_INCLUDES},rng-tools"
189 APT_INCLUDES="${APT_INCLUDES},rng-tools"
174 fi
190 fi
175
191
192 if [ "$ENABLE_USER" = true ]; then
193 APT_INCLUDES="${APT_INCLUDES},sudo"
194 fi
195
176 # Add fbturbo video driver
196 # Add fbturbo video driver
177 if [ "$ENABLE_FBTURBO" = true ] ; then
197 if [ "$ENABLE_FBTURBO" = true ] ; then
178 # Enable xorg package dependencies
198 # Enable xorg package dependencies
@@ -228,12 +248,12 EOM
228
248
229 # Set up timezone
249 # Set up timezone
230 echo ${TIMEZONE} >$R/etc/timezone
250 echo ${TIMEZONE} >$R/etc/timezone
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
251 chroot_exec dpkg-reconfigure -f noninteractive tzdata
232
252
233 # Upgrade collabora package index and install collabora keyring
253 # Upgrade collabora package index and install collabora keyring
234 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
254 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
235 LANG=C chroot $R apt-get -qq -y update
255 chroot_exec apt-get -qq -y update
236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
256 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
237
257
238 # Set up initial sources.list
258 # Set up initial sources.list
239 cat <<EOM >$R/etc/apt/sources.list
259 cat <<EOM >$R/etc/apt/sources.list
@@ -250,8 +270,8 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
250 EOM
270 EOM
251
271
252 # Upgrade package index and update all installed packages and changed dependencies
272 # Upgrade package index and update all installed packages and changed dependencies
253 LANG=C chroot $R apt-get -qq -y update
273 chroot_exec apt-get -qq -y update
254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
274 chroot_exec apt-get -qq -y -u dist-upgrade
255
275
256 # Set up default locale and keyboard configuration
276 # Set up default locale and keyboard configuration
257 if [ "$ENABLE_MINBASE" = false ] ; then
277 if [ "$ENABLE_MINBASE" = false ] ; then
@@ -259,60 +279,50 if [ "$ENABLE_MINBASE" = false ] ; then
259 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
279 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
260 # ... so we have to set locales manually
280 # ... so we have to set locales manually
261 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
281 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
282 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
263 else
283 else
264 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
284 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
285 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
286 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
267 fi
287 fi
268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
288 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
289 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
270 LANG=C chroot $R locale-gen
290 chroot_exec locale-gen
271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
291 chroot_exec update-locale LANG=${DEFLOCAL}
272
292
273 # Keyboard configuration, if requested
293 # Keyboard configuration, if requested
274 if [ "$XKBMODEL" != "" ] ; then
294 if [ "$XKBMODEL" != "" ] ; then
275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
295 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
276 fi
296 fi
277 if [ "$XKBLAYOUT" != "" ] ; then
297 if [ "$XKBLAYOUT" != "" ] ; then
278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
298 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
279 fi
299 fi
280 if [ "$XKBVARIANT" != "" ] ; then
300 if [ "$XKBVARIANT" != "" ] ; then
281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
301 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
282 fi
302 fi
283 if [ "$XKBOPTIONS" != "" ] ; then
303 if [ "$XKBOPTIONS" != "" ] ; then
284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
304 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
285 fi
305 fi
286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
306 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
287 # Set up font console
307 # Set up font console
288 case "${DEFLOCAL}" in
308 case "${DEFLOCAL}" in
289 *UTF-8)
309 *UTF-8)
290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
310 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
291 ;;
311 ;;
292 *)
312 *)
293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
313 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
294 ;;
314 ;;
295 esac
315 esac
296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
316 chroot_exec dpkg-reconfigure -f noninteractive console-setup
297 fi
317 fi
298
318
299 # Kernel installation
319 # Kernel installation
300 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
320 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
321 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
302 LANG=C chroot $R apt-get -qq -y install flash-kernel
322 chroot_exec apt-get -qq -y install flash-kernel
303
323
304 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
324 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
305 [ -z "$VMLINUZ" ] && exit 1
325 [ -z "$VMLINUZ" ] && exit 1
306 mkdir -p $R/boot/firmware
307
308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
316 cp $VMLINUZ $R/boot/firmware/kernel7.img
326 cp $VMLINUZ $R/boot/firmware/kernel7.img
317
327
318 # Set up IPv4 hosts
328 # Set up IPv4 hosts
@@ -374,17 +384,27 EOM
374 fi
384 fi
375
385
376 # Enable systemd-networkd service
386 # Enable systemd-networkd service
377 LANG=C chroot $R systemctl enable systemd-networkd
387 chroot_exec systemctl enable systemd-networkd
378
388
379 # Generate crypt(3) password string
389 # Generate crypt(3) password string
380 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
390 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
381
391
382 # Set up default user
392 # Set up default user
383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
393 if [ "$ENABLE_USER" = true ] ; then
384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
394 chroot_exec adduser --gecos \"Raspberry\ PI\ user\" --add_extra_groups --disabled-password pi
395 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
396 fi
397
398 # Set up root password or not
399 if [ "$ENABLE_ROOT" = true ]; then
400 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
385
401
386 # Set up root password
402 if [ "$ENABLE_ROOT_SSH" = true ]; then
387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
403 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
404 fi
405 else
406 chroot_exec usermod -p \'!\' root
407 fi
388
408
389 # Set up firmware boot cmdline
409 # Set up firmware boot cmdline
390 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
410 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
@@ -402,51 +422,7 fi
402 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
422 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
403
423
404 # Set up firmware config
424 # Set up firmware config
405 cat <<EOM >$R/boot/firmware/config.txt
425 install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
406 # For more options and information see
407 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
408 # Some settings may impact device functionality. See link above for details
409
410 # uncomment if you get no picture on HDMI for a default "safe" mode
411 #hdmi_safe=1
412
413 # uncomment this if your display has a black border of unused pixels visible
414 # and your display can output without overscan
415 #disable_overscan=1
416
417 # uncomment the following to adjust overscan. Use positive numbers if console
418 # goes off screen, and negative if there is too much border
419 #overscan_left=16
420 #overscan_right=16
421 #overscan_top=16
422 #overscan_bottom=16
423
424 # uncomment to force a console size. By default it will be display's size minus
425 # overscan.
426 #framebuffer_width=1280
427 #framebuffer_height=720
428
429 # uncomment if hdmi display is not detected and composite is being output
430 #hdmi_force_hotplug=1
431
432 # uncomment to force a specific HDMI mode (this will force VGA)
433 #hdmi_group=1
434 #hdmi_mode=1
435
436 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
437 # DMT (computer monitor) modes
438 #hdmi_drive=2
439
440 # uncomment to increase signal to HDMI, if you have interference, blanking, or
441 # no display
442 #config_hdmi_boost=4
443
444 # uncomment for composite PAL
445 #sdtv_mode=2
446
447 # uncomment to overclock the arm. 700 MHz is the default.
448 #arm_freq=800
449 EOM
450
426
451 # Load snd_bcm2835 kernel module at boot time
427 # Load snd_bcm2835 kernel module at boot time
452 if [ "$ENABLE_SOUND" = true ] ; then
428 if [ "$ENABLE_SOUND" = true ] ; then
@@ -476,99 +452,17 fi
476 mkdir -p $R/etc/modprobe.d/
452 mkdir -p $R/etc/modprobe.d/
477
453
478 # Blacklist sound modules
454 # Blacklist sound modules
479 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
455 install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
480 blacklist snd_soc_core
481 blacklist snd_pcm
482 blacklist snd_pcm_dmaengine
483 blacklist snd_timer
484 blacklist snd_compress
485 blacklist snd_soc_pcm512x_i2c
486 blacklist snd_soc_pcm512x
487 blacklist snd_soc_tas5713
488 blacklist snd_soc_wm8804
489 EOM
490
456
491 # Create default fstab
457 # Create default fstab
492 cat <<EOM >$R/etc/fstab
458 install -o root -g root -m 644 files/fstab $R/etc/fstab
493 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
494 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
495 EOM
496
497 # Avoid swapping and increase cache sizes
498 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
499
459
500 # Avoid swapping and increase cache sizes
460 # Avoid swapping and increase cache sizes
501 vm.swappiness=1
461 install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
502 vm.dirty_background_ratio=20
503 vm.dirty_ratio=40
504 vm.dirty_writeback_centisecs=500
505 vm.dirty_expire_centisecs=6000
506 EOM
507
462
508 # Enable network stack hardening
463 # Enable network stack hardening
509 if [ "$ENABLE_HARDNET" = true ] ; then
464 if [ "$ENABLE_HARDNET" = true ] ; then
510 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
465 install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
511
512 # Enable network stack hardening
513 net.ipv4.tcp_timestamps=0
514 net.ipv4.tcp_syncookies=1
515 net.ipv4.conf.all.rp_filter=1
516 net.ipv4.conf.all.accept_redirects=0
517 net.ipv4.conf.all.send_redirects=0
518 net.ipv4.conf.all.accept_source_route=0
519 net.ipv4.conf.default.rp_filter=1
520 net.ipv4.conf.default.accept_redirects=0
521 net.ipv4.conf.default.send_redirects=0
522 net.ipv4.conf.default.accept_source_route=0
523 net.ipv4.conf.lo.accept_redirects=0
524 net.ipv4.conf.lo.send_redirects=0
525 net.ipv4.conf.lo.accept_source_route=0
526 net.ipv4.conf.eth0.accept_redirects=0
527 net.ipv4.conf.eth0.send_redirects=0
528 net.ipv4.conf.eth0.accept_source_route=0
529 net.ipv4.icmp_echo_ignore_broadcasts=1
530 net.ipv4.icmp_ignore_bogus_error_responses=1
531
532 net.ipv6.conf.all.accept_redirects=0
533 net.ipv6.conf.all.accept_source_route=0
534 net.ipv6.conf.all.router_solicitations=0
535 net.ipv6.conf.all.accept_ra_rtr_pref=0
536 net.ipv6.conf.all.accept_ra_pinfo=0
537 net.ipv6.conf.all.accept_ra_defrtr=0
538 net.ipv6.conf.all.autoconf=0
539 net.ipv6.conf.all.dad_transmits=0
540 net.ipv6.conf.all.max_addresses=1
541
542 net.ipv6.conf.default.accept_redirects=0
543 net.ipv6.conf.default.accept_source_route=0
544 net.ipv6.conf.default.router_solicitations=0
545 net.ipv6.conf.default.accept_ra_rtr_pref=0
546 net.ipv6.conf.default.accept_ra_pinfo=0
547 net.ipv6.conf.default.accept_ra_defrtr=0
548 net.ipv6.conf.default.autoconf=0
549 net.ipv6.conf.default.dad_transmits=0
550 net.ipv6.conf.default.max_addresses=1
551
552 net.ipv6.conf.lo.accept_redirects=0
553 net.ipv6.conf.lo.accept_source_route=0
554 net.ipv6.conf.lo.router_solicitations=0
555 net.ipv6.conf.lo.accept_ra_rtr_pref=0
556 net.ipv6.conf.lo.accept_ra_pinfo=0
557 net.ipv6.conf.lo.accept_ra_defrtr=0
558 net.ipv6.conf.lo.autoconf=0
559 net.ipv6.conf.lo.dad_transmits=0
560 net.ipv6.conf.lo.max_addresses=1
561
562 net.ipv6.conf.eth0.accept_redirects=0
563 net.ipv6.conf.eth0.accept_source_route=0
564 net.ipv6.conf.eth0.router_solicitations=0
565 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
566 net.ipv6.conf.eth0.accept_ra_pinfo=0
567 net.ipv6.conf.eth0.accept_ra_defrtr=0
568 net.ipv6.conf.eth0.autoconf=0
569 net.ipv6.conf.eth0.dad_transmits=0
570 net.ipv6.conf.eth0.max_addresses=1
571 EOM
572
466
573 # Enable resolver warnings about spoofed addresses
467 # Enable resolver warnings about spoofed addresses
574 cat <<EOM >>$R/etc/host.conf
468 cat <<EOM >>$R/etc/host.conf
@@ -576,15 +470,36 spoof warn
576 EOM
470 EOM
577 fi
471 fi
578
472
579 # Regenerate openssh server host keys
473 # First boot actions
474 cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
475
476 # Ensure openssh server host keys are regenerated on first boot
580 if [ "$ENABLE_SSHD" = true ] ; then
477 if [ "$ENABLE_SSHD" = true ] ; then
581 rm -fr $R/etc/ssh/ssh_host_*
478 cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
582 LANG=C chroot $R dpkg-reconfigure openssh-server
479 rm -f $R/etc/ssh/ssh_host_*
480 fi
481
482 if [ "$EXPANDROOT" = true ] ; then
483 cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
484 fi
485
486 cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
487 chmod +x $R/etc/rc.firstboot
488
489 sed -i '/exit 0/d' $R/etc/rc.local
490 echo /etc/rc.firstboot >> $R/etc/rc.local
491 echo exit 0 >> $R/etc/rc.local
492
493 # Disable rsyslog
494 if [ "$ENABLE_RSYSLOG" = false ]; then
495 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
496 chroot_exec systemctl disable rsyslog
497 chroot_exec apt-get purge -q -y --force-yes rsyslog
583 fi
498 fi
584
499
585 # Enable serial console systemd style
500 # Enable serial console systemd style
586 if [ "$ENABLE_CONSOLE" = true ] ; then
501 if [ "$ENABLE_CONSOLE" = true ] ; then
587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
502 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
588 fi
503 fi
589
504
590 # Enable firewall based on iptables started by systemd service
505 # Enable firewall based on iptables started by systemd service
@@ -593,177 +508,30 if [ "$ENABLE_IPTABLES" = true ] ; then
593 mkdir -p "$R/etc/iptables"
508 mkdir -p "$R/etc/iptables"
594
509
595 # Create iptables systemd service
510 # Create iptables systemd service
596 cat <<EOM >$R/etc/systemd/system/iptables.service
511 install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
597 [Unit]
598 Description=Packet Filtering Framework
599 DefaultDependencies=no
600 After=systemd-sysctl.service
601 Before=sysinit.target
602 [Service]
603 Type=oneshot
604 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
605 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
606 ExecStop=/etc/iptables/flush-iptables.sh
607 RemainAfterExit=yes
608 [Install]
609 WantedBy=multi-user.target
610 EOM
611
512
612 # Create flush-table script called by iptables service
513 # Create flush-table script called by iptables service
613 cat <<EOM >$R/etc/iptables/flush-iptables.sh
514 install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
614 #!/bin/sh
615 iptables -F
616 iptables -X
617 iptables -t nat -F
618 iptables -t nat -X
619 iptables -t mangle -F
620 iptables -t mangle -X
621 iptables -P INPUT ACCEPT
622 iptables -P FORWARD ACCEPT
623 iptables -P OUTPUT ACCEPT
624 EOM
625
515
626 # Create iptables rule file
516 # Create iptables rule file
627 cat <<EOM >$R/etc/iptables/iptables.rules
517 install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
628 *filter
629 :INPUT DROP [0:0]
630 :FORWARD DROP [0:0]
631 :OUTPUT ACCEPT [0:0]
632 :TCP - [0:0]
633 :UDP - [0:0]
634 :SSH - [0:0]
635
636 # Rate limit ping requests
637 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
638 -A INPUT -p icmp --icmp-type echo-request -j DROP
639
640 # Accept established connections
641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
642
643 # Accept all traffic on loopback interface
644 -A INPUT -i lo -j ACCEPT
645
646 # Drop packets declared invalid
647 -A INPUT -m conntrack --ctstate INVALID -j DROP
648
649 # SSH rate limiting
650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
653 -A SSH -m recent --name sshbf --set -j ACCEPT
654
655 # Send TCP and UDP connections to their respective rules chain
656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
658
659 # Reject dropped packets with a RFC compliant responce
660 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
661 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
662 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
663
664 ## TCP PORT RULES
665 # -A TCP -p tcp -j LOG
666
667 ## UDP PORT RULES
668 # -A UDP -p udp -j LOG
669
670 COMMIT
671 EOM
672
518
673 # Reload systemd configuration and enable iptables service
519 # Reload systemd configuration and enable iptables service
674 LANG=C chroot $R systemctl daemon-reload
520 chroot_exec systemctl daemon-reload
675 LANG=C chroot $R systemctl enable iptables.service
521 chroot_exec systemctl enable iptables.service
676
522
677 if [ "$ENABLE_IPV6" = true ] ; then
523 if [ "$ENABLE_IPV6" = true ] ; then
678 # Create ip6tables systemd service
524 # Create ip6tables systemd service
679 cat <<EOM >$R/etc/systemd/system/ip6tables.service
525 install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
680 [Unit]
681 Description=Packet Filtering Framework
682 DefaultDependencies=no
683 After=systemd-sysctl.service
684 Before=sysinit.target
685 [Service]
686 Type=oneshot
687 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
689 ExecStop=/etc/iptables/flush-ip6tables.sh
690 RemainAfterExit=yes
691 [Install]
692 WantedBy=multi-user.target
693 EOM
694
526
695 # Create ip6tables file
527 # Create ip6tables file
696 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
528 install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
697 #!/bin/sh
698 ip6tables -F
699 ip6tables -X
700 ip6tables -Z
701 for table in $(</proc/net/ip6_tables_names)
702 do
703 ip6tables -t \$table -F
704 ip6tables -t \$table -X
705 ip6tables -t \$table -Z
706 done
707 ip6tables -P INPUT ACCEPT
708 ip6tables -P OUTPUT ACCEPT
709 ip6tables -P FORWARD ACCEPT
710 EOM
711
712 # Create ip6tables rule file
713 cat <<EOM >$R/etc/iptables/ip6tables.rules
714 *filter
715 :INPUT DROP [0:0]
716 :FORWARD DROP [0:0]
717 :OUTPUT ACCEPT [0:0]
718 :TCP - [0:0]
719 :UDP - [0:0]
720 :SSH - [0:0]
721
529
722 # Drop packets with RH0 headers
530 install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
723 -A INPUT -m rt --rt-type 0 -j DROP
724 -A OUTPUT -m rt --rt-type 0 -j DROP
725 -A FORWARD -m rt --rt-type 0 -j DROP
726
531
727 # Rate limit ping requests
532 # Reload systemd configuration and enable iptables service
728 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
533 chroot_exec systemctl daemon-reload
729 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
534 chroot_exec systemctl enable ip6tables.service
730
731 # Accept established connections
732 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
733
734 # Accept all traffic on loopback interface
735 -A INPUT -i lo -j ACCEPT
736
737 # Drop packets declared invalid
738 -A INPUT -m conntrack --ctstate INVALID -j DROP
739
740 # SSH rate limiting
741 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
743 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
744 -A SSH -m recent --name sshbf --set -j ACCEPT
745
746 # Send TCP and UDP connections to their respective rules chain
747 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
748 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
749
750 # Reject dropped packets with a RFC compliant responce
751 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
752 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
753 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
754
755 ## TCP PORT RULES
756 # -A TCP -p tcp -j LOG
757
758 ## UDP PORT RULES
759 # -A UDP -p udp -j LOG
760
761 COMMIT
762 EOM
763
764 # Reload systemd configuration and enable iptables service
765 LANG=C chroot $R systemctl daemon-reload
766 LANG=C chroot $R systemctl enable ip6tables.service
767 fi
535 fi
768 fi
536 fi
769
537
@@ -775,7 +543,7 fi
775
543
776 # Install gcc/c++ build environment inside the chroot
544 # Install gcc/c++ build environment inside the chroot
777 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
545 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
546 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
779 fi
547 fi
780
548
781 # Fetch and build U-Boot bootloader
549 # Fetch and build U-Boot bootloader
@@ -784,7 +552,7 if [ "$ENABLE_UBOOT" = true ] ; then
784 git -C $R/tmp clone git://git.denx.de/u-boot.git
552 git -C $R/tmp clone git://git.denx.de/u-boot.git
785
553
786 # Build and install U-Boot inside chroot
554 # Build and install U-Boot inside chroot
787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
555 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
788
556
789 # Copy compiled bootloader binary and set config.txt to load it
557 # Copy compiled bootloader binary and set config.txt to load it
790 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
558 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
@@ -809,7 +577,7 bootz \${kernel_addr_r}
809 EOM
577 EOM
810
578
811 # Generate U-Boot image from command file
579 # Generate U-Boot image from command file
812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
580 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
813 fi
581 fi
814
582
815 # Fetch and build fbturbo Xorg driver
583 # Fetch and build fbturbo Xorg driver
@@ -818,10 +586,10 if [ "$ENABLE_FBTURBO" = true ] ; then
818 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
586 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
819
587
820 # Install Xorg build dependencies
588 # Install Xorg build dependencies
821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
589 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
822
590
823 # Build and install fbturbo driver inside chroot
591 # Build and install fbturbo driver inside chroot
824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
592 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
825
593
826 # Add fbturbo driver to Xorg configuration
594 # Add fbturbo driver to Xorg configuration
827 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
595 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
@@ -834,18 +602,18 EndSection
834 EOM
602 EOM
835
603
836 # Remove Xorg build dependencies
604 # Remove Xorg build dependencies
837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
605 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
838 fi
606 fi
839
607
840 # Remove gcc/c++ build environment from the chroot
608 # Remove gcc/c++ build environment from the chroot
841 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
609 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
610 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
843 fi
611 fi
844
612
845 # Clean cached downloads
613 # Clean cached downloads
846 LANG=C chroot $R apt-get -y clean
614 chroot_exec apt-get -y clean
847 LANG=C chroot $R apt-get -y autoclean
615 chroot_exec apt-get -y autoclean
848 LANG=C chroot $R apt-get -y autoremove
616 chroot_exec apt-get -y autoremove
849
617
850 # Unmount mounted filesystems
618 # Unmount mounted filesystems
851 umount -l $R/proc
619 umount -l $R/proc
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant