##// END OF EJS Templates
Raspi2-3_GenImage
RSS

Cloner depuis https://github.com/drtyhlpr/rpi23-gen-image.git

Cleanup code by spliting files
Filip Pytloun -
r47:a2923b42dbd0
parent child
Show More
Show file before | Show file after | Hide comments
@@ -0,0 +1,43
1 # For more options and information see
2 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
3 # Some settings may impact device functionality. See link above for details
4
5 # uncomment if you get no picture on HDMI for a default "safe" mode
6 #hdmi_safe=1
7
8 # uncomment this if your display has a black border of unused pixels visible
9 # and your display can output without overscan
10 #disable_overscan=1
11
12 # uncomment the following to adjust overscan. Use positive numbers if console
13 # goes off screen, and negative if there is too much border
14 #overscan_left=16
15 #overscan_right=16
16 #overscan_top=16
17 #overscan_bottom=16
18
19 # uncomment to force a console size. By default it will be display's size minus
20 # overscan.
21 #framebuffer_width=1280
22 #framebuffer_height=720
23
24 # uncomment if hdmi display is not detected and composite is being output
25 #hdmi_force_hotplug=1
26
27 # uncomment to force a specific HDMI mode (this will force VGA)
28 #hdmi_group=1
29 #hdmi_mode=1
30
31 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
32 # DMT (computer monitor) modes
33 #hdmi_drive=2
34
35 # uncomment to increase signal to HDMI, if you have interference, blanking, or
36 # no display
37 #config_hdmi_boost=4
38
39 # uncomment for composite PAL
40 #sdtv_mode=2
41
42 # uncomment to overclock the arm. 700 MHz is the default.
43 #arm_freq=800
Show file before | Show file after | Hide comments
@@ -0,0 +1,2
1 #!/bin/sh -e
2 logger -t "rc.firstboot" "Starting first boot actions"
Show file before | Show file after | Hide comments
@@ -0,0 +1,8
1 logger -t "rc.firstboot" "Generating SSH host keys"
2 rm -f /etc/ssh/ssh_host_*
3 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
4 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
5 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
6 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
7
8 systemctl restart sshd
Show file before | Show file after | Hide comments
@@ -0,0 +1,52
1 logger -t "rc.firstboot" "Expanding root"
2 ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
3 PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
4 case "${ROOT_PART}" in
5 mmcblk0*) ROOT_DEV=mmcblk0 ;;
6 sda*) ROOT_DEV=sda ;;
7 esac
8 if [ "$PART_NUM" = "$ROOT_PART" ]; then
9 logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
10 return 0
11 fi
12
13 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
14 # agree to work with a sufficiently simple partition layout
15 if [ "$PART_NUM" -gt 2 ]; then
16 logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
17 return 0
18 fi
19 LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
20 if [ $LAST_PART_NUM -ne $PART_NUM ]; then
21 logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
22 return 0
23 fi
24
25 # Get the starting offset of the root partition
26 PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
27 [ "$PART_START" ] || return 1
28
29 # Get the possible last sector for the root partition
30 PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
31 [ "$PART_LAST" ] || return 1
32
33 # Return value will likely be error for fdisk as it fails to reload the
34 # partition table because the root fs is mounted
35 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
36 fdisk /dev/${ROOT_DEV} <<EOF2 || true
37 p
38 d
39 $PART_NUM
40 n
41 p
42 $PART_NUM
43 $PART_START
44 $PART_LAST
45 p
46 w
47 EOF2
48
49 # Reload the partition table, resize root filesystem then remove resizing code from this file
50 partprobe &&
51 resize2fs /dev/${ROOT_PART} &&
52 logger -t "rc.firstboot" "Root partition successfuly resized."
Show file before | Show file after | Hide comments
@@ -0,0 +1,3
1 logger -t "rc.firstboot" "First boot actions finished"
2 rm -f /etc/rc.firstboot
3 sed -i '/.*rc.firstboot/d' /etc/rc.local
Show file before | Show file after | Hide comments
@@ -0,0 +1,2
1 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
2 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
Show file before | Show file after | Hide comments
@@ -0,0 +1,15
1 #!/bin/sh
2 ip6tables -F
3 ip6tables -X
4 ip6tables -Z
5
6 for table in $(</proc/net/ip6_tables_names)
7 do
8 ip6tables -t \$table -F
9 ip6tables -t \$table -X
10 ip6tables -t \$table -Z
11 done
12
13 ip6tables -P INPUT ACCEPT
14 ip6tables -P OUTPUT ACCEPT
15 ip6tables -P FORWARD ACCEPT
Show file before | Show file after | Hide comments
@@ -0,0 +1,10
1 #!/bin/sh
2 iptables -F
3 iptables -X
4 iptables -t nat -F
5 iptables -t nat -X
6 iptables -t mangle -F
7 iptables -t mangle -X
8 iptables -P INPUT ACCEPT
9 iptables -P FORWARD ACCEPT
10 iptables -P OUTPUT ACCEPT
Show file before | Show file after | Hide comments
@@ -0,0 +1,48
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Drop packets with RH0 headers
10 -A INPUT -m rt --rt-type 0 -j DROP
11 -A OUTPUT -m rt --rt-type 0 -j DROP
12 -A FORWARD -m rt --rt-type 0 -j DROP
13
14 # Rate limit ping requests
15 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
16 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
17
18 # Accept established connections
19 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
20
21 # Accept all traffic on loopback interface
22 -A INPUT -i lo -j ACCEPT
23
24 # Drop packets declared invalid
25 -A INPUT -m conntrack --ctstate INVALID -j DROP
26
27 # SSH rate limiting
28 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
29 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
30 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
31 -A SSH -m recent --name sshbf --set -j ACCEPT
32
33 # Send TCP and UDP connections to their respective rules chain
34 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
35 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
36
37 # Reject dropped packets with a RFC compliant responce
38 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
39 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
40 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
41
42 ## TCP PORT RULES
43 # -A TCP -p tcp -j LOG
44
45 ## UDP PORT RULES
46 # -A UDP -p udp -j LOG
47
48 COMMIT
Show file before | Show file after | Hide comments
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
10 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
11 ExecStop=/etc/iptables/flush-ip6tables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
Show file before | Show file after | Hide comments
@@ -0,0 +1,43
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Rate limit ping requests
10 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
11 -A INPUT -p icmp --icmp-type echo-request -j DROP
12
13 # Accept established connections
14 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
15
16 # Accept all traffic on loopback interface
17 -A INPUT -i lo -j ACCEPT
18
19 # Drop packets declared invalid
20 -A INPUT -m conntrack --ctstate INVALID -j DROP
21
22 # SSH rate limiting
23 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
24 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
25 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
26 -A SSH -m recent --name sshbf --set -j ACCEPT
27
28 # Send TCP and UDP connections to their respective rules chain
29 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
30 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
31
32 # Reject dropped packets with a RFC compliant responce
33 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
34 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
35 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
36
37 ## TCP PORT RULES
38 # -A TCP -p tcp -j LOG
39
40 ## UDP PORT RULES
41 # -A UDP -p udp -j LOG
42
43 COMMIT
Show file before | Show file after | Hide comments
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
10 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
11 ExecStop=/etc/iptables/flush-iptables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
Show file before | Show file after | Hide comments
@@ -0,0 +1,9
1 blacklist snd_soc_core
2 blacklist snd_pcm
3 blacklist snd_pcm_dmaengine
4 blacklist snd_timer
5 blacklist snd_compress
6 blacklist snd_soc_pcm512x_i2c
7 blacklist snd_soc_pcm512x
8 blacklist snd_soc_tas5713
9 blacklist snd_soc_wm8804
Show file before | Show file after | Hide comments
@@ -0,0 +1,6
1 # Avoid swapping and increase cache sizes
2 vm.swappiness=1
3 vm.dirty_background_ratio=20
4 vm.dirty_ratio=40
5 vm.dirty_writeback_centisecs=500
6 vm.dirty_expire_centisecs=6000
Show file before | Show file after | Hide comments
@@ -0,0 +1,59
1 # Enable network stack hardening
2 net.ipv4.tcp_timestamps=0
3 net.ipv4.tcp_syncookies=1
4 net.ipv4.conf.all.rp_filter=1
5 net.ipv4.conf.all.accept_redirects=0
6 net.ipv4.conf.all.send_redirects=0
7 net.ipv4.conf.all.accept_source_route=0
8 net.ipv4.conf.default.rp_filter=1
9 net.ipv4.conf.default.accept_redirects=0
10 net.ipv4.conf.default.send_redirects=0
11 net.ipv4.conf.default.accept_source_route=0
12 net.ipv4.conf.lo.accept_redirects=0
13 net.ipv4.conf.lo.send_redirects=0
14 net.ipv4.conf.lo.accept_source_route=0
15 net.ipv4.conf.eth0.accept_redirects=0
16 net.ipv4.conf.eth0.send_redirects=0
17 net.ipv4.conf.eth0.accept_source_route=0
18 net.ipv4.icmp_echo_ignore_broadcasts=1
19 net.ipv4.icmp_ignore_bogus_error_responses=1
20
21 net.ipv6.conf.all.accept_redirects=0
22 net.ipv6.conf.all.accept_source_route=0
23 net.ipv6.conf.all.router_solicitations=0
24 net.ipv6.conf.all.accept_ra_rtr_pref=0
25 net.ipv6.conf.all.accept_ra_pinfo=0
26 net.ipv6.conf.all.accept_ra_defrtr=0
27 net.ipv6.conf.all.autoconf=0
28 net.ipv6.conf.all.dad_transmits=0
29 net.ipv6.conf.all.max_addresses=1
30
31 net.ipv6.conf.default.accept_redirects=0
32 net.ipv6.conf.default.accept_source_route=0
33 net.ipv6.conf.default.router_solicitations=0
34 net.ipv6.conf.default.accept_ra_rtr_pref=0
35 net.ipv6.conf.default.accept_ra_pinfo=0
36 net.ipv6.conf.default.accept_ra_defrtr=0
37 net.ipv6.conf.default.autoconf=0
38 net.ipv6.conf.default.dad_transmits=0
39 net.ipv6.conf.default.max_addresses=1
40
41 net.ipv6.conf.lo.accept_redirects=0
42 net.ipv6.conf.lo.accept_source_route=0
43 net.ipv6.conf.lo.router_solicitations=0
44 net.ipv6.conf.lo.accept_ra_rtr_pref=0
45 net.ipv6.conf.lo.accept_ra_pinfo=0
46 net.ipv6.conf.lo.accept_ra_defrtr=0
47 net.ipv6.conf.lo.autoconf=0
48 net.ipv6.conf.lo.dad_transmits=0
49 net.ipv6.conf.lo.max_addresses=1
50
51 net.ipv6.conf.eth0.accept_redirects=0
52 net.ipv6.conf.eth0.accept_source_route=0
53 net.ipv6.conf.eth0.router_solicitations=0
54 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
55 net.ipv6.conf.eth0.accept_ra_pinfo=0
56 net.ipv6.conf.eth0.accept_ra_defrtr=0
57 net.ipv6.conf.eth0.autoconf=0
58 net.ipv6.conf.eth0.dad_transmits=0
59 net.ipv6.conf.eth0.max_addresses=1
Show file before | Show file after | Hide comments
@@ -422,51 +422,7 fi
422 422 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
423 423
424 424 # Set up firmware config
425 cat <<EOM >$R/boot/firmware/config.txt
426 # For more options and information see
427 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
428 # Some settings may impact device functionality. See link above for details
429
430 # uncomment if you get no picture on HDMI for a default "safe" mode
431 #hdmi_safe=1
432
433 # uncomment this if your display has a black border of unused pixels visible
434 # and your display can output without overscan
435 #disable_overscan=1
436
437 # uncomment the following to adjust overscan. Use positive numbers if console
438 # goes off screen, and negative if there is too much border
439 #overscan_left=16
440 #overscan_right=16
441 #overscan_top=16
442 #overscan_bottom=16
443
444 # uncomment to force a console size. By default it will be display's size minus
445 # overscan.
446 #framebuffer_width=1280
447 #framebuffer_height=720
448
449 # uncomment if hdmi display is not detected and composite is being output
450 #hdmi_force_hotplug=1
451
452 # uncomment to force a specific HDMI mode (this will force VGA)
453 #hdmi_group=1
454 #hdmi_mode=1
455
456 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
457 # DMT (computer monitor) modes
458 #hdmi_drive=2
459
460 # uncomment to increase signal to HDMI, if you have interference, blanking, or
461 # no display
462 #config_hdmi_boost=4
463
464 # uncomment for composite PAL
465 #sdtv_mode=2
466
467 # uncomment to overclock the arm. 700 MHz is the default.
468 #arm_freq=800
469 EOM
425 install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
470 426
471 427 # Load snd_bcm2835 kernel module at boot time
472 428 if [ "$ENABLE_SOUND" = true ] ; then
@@ -496,99 +452,17 fi
496 452 mkdir -p $R/etc/modprobe.d/
497 453
498 454 # Blacklist sound modules
499 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
500 blacklist snd_soc_core
501 blacklist snd_pcm
502 blacklist snd_pcm_dmaengine
503 blacklist snd_timer
504 blacklist snd_compress
505 blacklist snd_soc_pcm512x_i2c
506 blacklist snd_soc_pcm512x
507 blacklist snd_soc_tas5713
508 blacklist snd_soc_wm8804
509 EOM
455 install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
510 456
511 457 # Create default fstab
512 cat <<EOM >$R/etc/fstab
513 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
514 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
515 EOM
516
517 # Avoid swapping and increase cache sizes
518 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
458 install -o root -g root -m 644 files/fstab $R/etc/fstab
519 459
520 460 # Avoid swapping and increase cache sizes
521 vm.swappiness=1
522 vm.dirty_background_ratio=20
523 vm.dirty_ratio=40
524 vm.dirty_writeback_centisecs=500
525 vm.dirty_expire_centisecs=6000
526 EOM
461 install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
527 462
528 463 # Enable network stack hardening
529 464 if [ "$ENABLE_HARDNET" = true ] ; then
530 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
531
532 # Enable network stack hardening
533 net.ipv4.tcp_timestamps=0
534 net.ipv4.tcp_syncookies=1
535 net.ipv4.conf.all.rp_filter=1
536 net.ipv4.conf.all.accept_redirects=0
537 net.ipv4.conf.all.send_redirects=0
538 net.ipv4.conf.all.accept_source_route=0
539 net.ipv4.conf.default.rp_filter=1
540 net.ipv4.conf.default.accept_redirects=0
541 net.ipv4.conf.default.send_redirects=0
542 net.ipv4.conf.default.accept_source_route=0
543 net.ipv4.conf.lo.accept_redirects=0
544 net.ipv4.conf.lo.send_redirects=0
545 net.ipv4.conf.lo.accept_source_route=0
546 net.ipv4.conf.eth0.accept_redirects=0
547 net.ipv4.conf.eth0.send_redirects=0
548 net.ipv4.conf.eth0.accept_source_route=0
549 net.ipv4.icmp_echo_ignore_broadcasts=1
550 net.ipv4.icmp_ignore_bogus_error_responses=1
551
552 net.ipv6.conf.all.accept_redirects=0
553 net.ipv6.conf.all.accept_source_route=0
554 net.ipv6.conf.all.router_solicitations=0
555 net.ipv6.conf.all.accept_ra_rtr_pref=0
556 net.ipv6.conf.all.accept_ra_pinfo=0
557 net.ipv6.conf.all.accept_ra_defrtr=0
558 net.ipv6.conf.all.autoconf=0
559 net.ipv6.conf.all.dad_transmits=0
560 net.ipv6.conf.all.max_addresses=1
561
562 net.ipv6.conf.default.accept_redirects=0
563 net.ipv6.conf.default.accept_source_route=0
564 net.ipv6.conf.default.router_solicitations=0
565 net.ipv6.conf.default.accept_ra_rtr_pref=0
566 net.ipv6.conf.default.accept_ra_pinfo=0
567 net.ipv6.conf.default.accept_ra_defrtr=0
568 net.ipv6.conf.default.autoconf=0
569 net.ipv6.conf.default.dad_transmits=0
570 net.ipv6.conf.default.max_addresses=1
571
572 net.ipv6.conf.lo.accept_redirects=0
573 net.ipv6.conf.lo.accept_source_route=0
574 net.ipv6.conf.lo.router_solicitations=0
575 net.ipv6.conf.lo.accept_ra_rtr_pref=0
576 net.ipv6.conf.lo.accept_ra_pinfo=0
577 net.ipv6.conf.lo.accept_ra_defrtr=0
578 net.ipv6.conf.lo.autoconf=0
579 net.ipv6.conf.lo.dad_transmits=0
580 net.ipv6.conf.lo.max_addresses=1
581
582 net.ipv6.conf.eth0.accept_redirects=0
583 net.ipv6.conf.eth0.accept_source_route=0
584 net.ipv6.conf.eth0.router_solicitations=0
585 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
586 net.ipv6.conf.eth0.accept_ra_pinfo=0
587 net.ipv6.conf.eth0.accept_ra_defrtr=0
588 net.ipv6.conf.eth0.autoconf=0
589 net.ipv6.conf.eth0.dad_transmits=0
590 net.ipv6.conf.eth0.max_addresses=1
591 EOM
465 install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
592 466
593 467 # Enable resolver warnings about spoofed addresses
594 468 cat <<EOM >>$R/etc/host.conf
@@ -596,85 +470,26 spoof warn
596 470 EOM
597 471 fi
598 472
473 # First boot actions
474 cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
475
599 476 # Ensure openssh server host keys are regenerated on first boot
600 477 if [ "$ENABLE_SSHD" = true ] ; then
601 cat <<EOM >>$R/etc/rc.firstboot
602 #!/bin/sh
603 rm -f /etc/ssh/ssh_host_*
604 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
605 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
606 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
607 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
608 sync
609
610 systemctl restart sshd
611 sed -i '/.*rc.firstboot/d' /etc/rc.local
612 rm -f /etc/rc.firstboot
613 EOM
614 chmod +x $R/etc/rc.firstboot
615 sed -i '/exit 0/d' $R/etc/rc.local
616 echo /etc/rc.firstboot >> $R/etc/rc.local
478 cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
617 479 rm -f $R/etc/ssh/ssh_host_*
618 480 fi
619 481
620 482 if [ "$EXPANDROOT" = true ] ; then
621 cat <<EOF > $R/etc/rc.expandroot
622 #!/bin/sh
623
624 ROOT_PART=\$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
625 PART_NUM=\$(echo \${ROOT_PART} | grep -o '[1-9][0-9]*$')
626 case "\${ROOT_PART}" in
627 mmcblk0*) ROOT_DEV=mmcblk0 ;;
628 sda*) ROOT_DEV=sda ;;
629 esac
630 if [ "\$PART_NUM" = "\$ROOT_PART" ]; then
631 logger -t "rc.expandroot" "\$ROOT_PART is not an SD card. Don't know how to expand"
632 return 0
633 fi
634 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
635 # agree to work with a sufficiently simple partition layout
636 if [ "\$PART_NUM" -gt 2 ]; then
637 logger -t "rc.expandroot" "Your partition layout is not currently supported by this tool."
638 return 0
639 fi
640 LAST_PART_NUM=\$(parted /dev/\${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
641 if [ \$LAST_PART_NUM -ne \$PART_NUM ]; then
642 logger -t "rc.expandroot" "\$ROOT_PART is not the last partition. Don't know how to expand"
643 return 0
644 fi
645 # Get the starting offset of the root partition
646 PART_START=\$(parted /dev/\${ROOT_DEV} -ms unit s p | grep "^\${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
647 [ "\$PART_START" ] || return 1
648 # Get the possible last sector for the root partition
649 PART_LAST=\$(fdisk -l /dev/\${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print \$7 - 1 }')
650 [ "\$PART_LAST" ] || return 1
651 # Return value will likely be error for fdisk as it fails to reload the
652 # partition table because the root fs is mounted
653 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
654 fdisk /dev/\${ROOT_DEV} <<EOF2 || true
655 p
656 d
657 \$PART_NUM
658 n
659 p
660 \$PART_NUM
661 \$PART_START
662 \$PART_LAST
663 p
664 w
665 EOF2
666 # Reload the partition table, resize root filesystem then remove resizing code from this file
667 partprobe &&
668 resize2fs /dev/\${ROOT_PART} &&
669 logger -t "rc.expandroot" "Root partition successfuly resized." &&
670 sed -i '/.*rc.expandroot/d' /etc/rc.local
671 rm -f /etc/rc.expandroot
672 EOF
673 chmod +x $R/etc/rc.expandroot
674 sed -i '/exit 0/d' $R/etc/rc.local
675 echo /etc/rc.expandroot >> $R/etc/rc.local
483 cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
676 484 fi
677 485
486 cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
487 chmod +x $R/etc/rc.firstboot
488
489 sed -i '/exit 0/d' $R/etc/rc.local
490 echo /etc/rc.firstboot >> $R/etc/rc.local
491 echo exit 0 >> $R/etc/rc.local
492
678 493 # Disable rsyslog
679 494 if [ "$ENABLE_RSYSLOG" = false ]; then
680 495 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
@@ -693,82 +508,13 if [ "$ENABLE_IPTABLES" = true ] ; then
693 508 mkdir -p "$R/etc/iptables"
694 509
695 510 # Create iptables systemd service
696 cat <<EOM >$R/etc/systemd/system/iptables.service
697 [Unit]
698 Description=Packet Filtering Framework
699 DefaultDependencies=no
700 After=systemd-sysctl.service
701 Before=sysinit.target
702 [Service]
703 Type=oneshot
704 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
705 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
706 ExecStop=/etc/iptables/flush-iptables.sh
707 RemainAfterExit=yes
708 [Install]
709 WantedBy=multi-user.target
710 EOM
511 install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
711 512
712 513 # Create flush-table script called by iptables service
713 cat <<EOM >$R/etc/iptables/flush-iptables.sh
714 #!/bin/sh
715 iptables -F
716 iptables -X
717 iptables -t nat -F
718 iptables -t nat -X
719 iptables -t mangle -F
720 iptables -t mangle -X
721 iptables -P INPUT ACCEPT
722 iptables -P FORWARD ACCEPT
723 iptables -P OUTPUT ACCEPT
724 EOM
514 install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
725 515
726 516 # Create iptables rule file
727 cat <<EOM >$R/etc/iptables/iptables.rules
728 *filter
729 :INPUT DROP [0:0]
730 :FORWARD DROP [0:0]
731 :OUTPUT ACCEPT [0:0]
732 :TCP - [0:0]
733 :UDP - [0:0]
734 :SSH - [0:0]
735
736 # Rate limit ping requests
737 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
738 -A INPUT -p icmp --icmp-type echo-request -j DROP
739
740 # Accept established connections
741 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
742
743 # Accept all traffic on loopback interface
744 -A INPUT -i lo -j ACCEPT
745
746 # Drop packets declared invalid
747 -A INPUT -m conntrack --ctstate INVALID -j DROP
748
749 # SSH rate limiting
750 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
751 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
752 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
753 -A SSH -m recent --name sshbf --set -j ACCEPT
754
755 # Send TCP and UDP connections to their respective rules chain
756 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
757 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
758
759 # Reject dropped packets with a RFC compliant responce
760 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
761 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
762 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
763
764 ## TCP PORT RULES
765 # -A TCP -p tcp -j LOG
766
767 ## UDP PORT RULES
768 # -A UDP -p udp -j LOG
769
770 COMMIT
771 EOM
517 install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
772 518
773 519 # Reload systemd configuration and enable iptables service
774 520 chroot_exec systemctl daemon-reload
@@ -776,94 +522,16 EOM
776 522
777 523 if [ "$ENABLE_IPV6" = true ] ; then
778 524 # Create ip6tables systemd service
779 cat <<EOM >$R/etc/systemd/system/ip6tables.service
780 [Unit]
781 Description=Packet Filtering Framework
782 DefaultDependencies=no
783 After=systemd-sysctl.service
784 Before=sysinit.target
785 [Service]
786 Type=oneshot
787 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
788 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
789 ExecStop=/etc/iptables/flush-ip6tables.sh
790 RemainAfterExit=yes
791 [Install]
792 WantedBy=multi-user.target
793 EOM
525 install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
794 526
795 527 # Create ip6tables file
796 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
797 #!/bin/sh
798 ip6tables -F
799 ip6tables -X
800 ip6tables -Z
801 for table in $(</proc/net/ip6_tables_names)
802 do
803 ip6tables -t \$table -F
804 ip6tables -t \$table -X
805 ip6tables -t \$table -Z
806 done
807 ip6tables -P INPUT ACCEPT
808 ip6tables -P OUTPUT ACCEPT
809 ip6tables -P FORWARD ACCEPT
810 EOM
811
812 # Create ip6tables rule file
813 cat <<EOM >$R/etc/iptables/ip6tables.rules
814 *filter
815 :INPUT DROP [0:0]
816 :FORWARD DROP [0:0]
817 :OUTPUT ACCEPT [0:0]
818 :TCP - [0:0]
819 :UDP - [0:0]
820 :SSH - [0:0]
821
822 # Drop packets with RH0 headers
823 -A INPUT -m rt --rt-type 0 -j DROP
824 -A OUTPUT -m rt --rt-type 0 -j DROP
825 -A FORWARD -m rt --rt-type 0 -j DROP
826
827 # Rate limit ping requests
828 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
829 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
830
831 # Accept established connections
832 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
833
834 # Accept all traffic on loopback interface
835 -A INPUT -i lo -j ACCEPT
528 install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
836 529
837 # Drop packets declared invalid
838 -A INPUT -m conntrack --ctstate INVALID -j DROP
530 install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
839 531
840 # SSH rate limiting
841 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
842 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
843 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
844 -A SSH -m recent --name sshbf --set -j ACCEPT
845
846 # Send TCP and UDP connections to their respective rules chain
847 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
848 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
849
850 # Reject dropped packets with a RFC compliant responce
851 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
852 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
853 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
854
855 ## TCP PORT RULES
856 # -A TCP -p tcp -j LOG
857
858 ## UDP PORT RULES
859 # -A UDP -p udp -j LOG
860
861 COMMIT
862 EOM
863
864 # Reload systemd configuration and enable iptables service
865 chroot_exec systemctl daemon-reload
866 chroot_exec systemctl enable ip6tables.service
532 # Reload systemd configuration and enable iptables service
533 chroot_exec systemctl daemon-reload
534 chroot_exec systemctl enable ip6tables.service
867 535 fi
868 536 fi
869 537
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant