Seguridad en sico

Cambios que afectan a la seguridad de la red de SICO

sed -i "/^GatewayPorts.*/d" /etc/ssh/sshd_config
echo "GatewayPorts clientspecified" >> /etc/ssh/sshd_config
/etc/init.d/ssh restart

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
IPTABLES=/sbin/iptables
DEV=ens3

echo "$(date) $0 $@" >> /tmp/iptables.log

if [ "m$1" = "m--help" ] ; then
        echo "$0 [revenga]"
        exit 1
fi
REVENGA=off
while [ "m$1" != "m" ] ; do
        if [ "m$1" = "mrevenga" ] ; then
                REVENGA=on
        else
                echo "Parametro no reconocido: $1"
        fi
        shift
done


# Activamos el anti-spoofing
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 >$i ; done

# Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Desabilitar la redireccion del ping
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Registrar los paquetes extranios (martians: packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Anti-flooding o inundacin de tramas SYN.
$IPTABLES -N syn-flood
for IFACE in `ifconfig -a | grep -B 1 "inet addr" | grep ^[a-z] | expand | cut -d ' ' -f 1 | grep -v "^lo\$"` ; do
        $IPTABLES -A INPUT -i $IFACE -p tcp --syn -j syn-flood
done
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

# Quitamos todo lo que hubiera
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

for i in `$IPTABLES -L | grep "^Chain" | cut -d " " -f 2 | grep -v "INPUT\|FORWARD\|OUT
PUT"` ; do
        $IPTABLES -F $i
        $IPTABLES -X $i
done

$IPTABLES -A INPUT -s 83.48.87.215/32 -j ACCEPT
# START Pupitre y VNC de pruebas para revenga
if [ "m$REVENGA" != "moff" ] ; then
        ip_revenga=195.57.30.139
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 5900 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 5899 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 20 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 21 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 60000 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 60001 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 60002 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 60003 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 60004 -j ACCEPT
        $IPTABLES -A INPUT -s ${ip_revenga}/32 -p tcp --dport 60005 -j ACCEPT
fi
$IPTABLES -A INPUT -p tcp --dport 5900 -j DROP
$IPTABLES -A INPUT -p tcp --dport 5899 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20 -j DROP
$IPTABLES -A INPUT -p tcp --dport 21 -j DROP
$IPTABLES -A INPUT -p tcp --dport 60000 -j DROP
$IPTABLES -A INPUT -p tcp --dport 60001 -j DROP
$IPTABLES -A INPUT -p tcp --dport 60002 -j DROP
$IPTABLES -A INPUT -p tcp --dport 60003 -j DROP
$IPTABLES -A INPUT -p tcp --dport 60004 -j DROP
$IPTABLES -A INPUT -p tcp --dport 60005 -j DROP
# END Pupitre y VNC de pruebas para revenga

$IPTABLES -A INPUT -p tcp --dport 25 -j DROP
$IPTABLES -A INPUT -p udp --dport 25 -j DROP

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

apt-get install anacron

0 8 * * 1,2,3,4,5 /bin/bash /etc/default/iptables revenga
0 18 * * 1,2,3,4,5 /bin/bash /etc/default/iptables

 /etc/init.d/ssh restart
 bash /etc/default/iptables revenga

sudo -u dario autossh -f -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -N root@vps.sicosoft.es -R 51.38.32.171:5900:3.0.1.64:5900 -R 51.38.32.171:5899:3.0.1.59:2500 -R 51.38.32.171:20:3.0.1.59:20 -R 51.38.32.171:21:3.0.1.59:21 -R 51.38.32.171:60000:3.0.1.59:60000 -R 51.38.32.171:60001:3.0.1.59:60001 -R 51.38.32.171:60002:3.0.1.59:60002 -R 51.38.32.171:60003:3.0.1.59:60003 -R 51.38.32.171:60004:3.0.1.59:60004 -R 51.38.32.171:60005:3.0.1.59:60005

cd /chroot/etc/rcS.d
mount -o remount,rw /chroot
vi S47sico_miscmain1
#...añado esos puertos al for que ya tenía el 5543
:wq
cp S47sico_miscmain1 /etc/rcS.d/
mount -o remount,ro /chroot

cd /tmp
nohup autossh -nNT -i /root/.ssh/id_rsa -L 16.0.62.18:5541:localhost:5541 -L 16.0.62.18:5542:localhost:5542 metro@185.89.60.47 &

cd /chroot/etc/init.d
mount -o remount,rw /chroot
vi firewall
#...añado esos puertos al for que ya tenía el 5543
:wq
cp firewall /etc/init.d/
mount -o remount,ro /chroot
/etc/init.d/firewall

 ListenAddress 3.0.1.42

 /etc/init.d/ssh restart

./rcS.d/S47sico_miscmain1:/usr/bin/socat TCP4-LISTEN:${i},fork,bind=3.0.1.42 EXEC:"/usr/bin/sudo -u metro /usr/bin/ssh misc${i}@16.0.62.18" &
./rcS.d/S47sico_miscmain1:/usr/bin/socat TCP4-LISTEN:${i},fork,bind=127.0.0.1 EXEC:"/usr/bin/sudo -u metro /usr/bin/ssh misc${i}@16.0.62.18" &

mount -o remount,rw /chroot
cd /chroot/etc
vi ./rcS.d/S47sico_maintdserver
vi ./rcS.d/S47sico_webmain1
vi ./rcS.d/S47sico_miscmain1 
cd /
mount -o remount,ro /chroot
reboot

(
ifconfig eth0:1 16.0.62.18 netmask 255.255.255.255
cd /etc/rcS.d
puertos1=$(cat `ls | grep sico_` | grep TCP4-LISTEN:[0-9] | sed "s/^.*TCP4-LISTEN:\([0-9][0-9]*\).*/\1/g" | uniq)
puertos2=$(cat `ls | grep sico_` | grep ^for | sed "s/for i in //g;s/\; do//g" | tr '`' '\n' | grep seq | while read l ; do $l ; done)
puertos3=$(cat `ls | grep sico_` | grep ^for | sed "s/for i in //g;s/\; do//g" | tr '`' '\n' | grep -v seq  | tr ' ' '\n' | grep .)
params=""
for i in 22 $puertos1 $puertos2 $puertos3 ; do
        params="$params -L 16.0.62.18:$i:localhost:$i"
done
autossh -f -nNT -i /root/.ssh/id_rsa $params -L 2222:localhost:22 -R 2223:localhost:22 metro@185.89.60.47
)

autossh -f -nNT -i /root/.ssh/id_rsa -L 2222:localhost:22 -R 2223:localhost:22 metro@185.89.60.47

vi /etc/init.d/firewall
# añado las siguientes líneas después del forwardeo del puerto 8081
# iptables -t nat -I OUTPUT -p tcp -d 16.0.62.18 --dport 22 -j DNAT --to-destination 127.0.0.1:2222
# iptables -t nat -A PREROUTING  -d 16.0.62.18 -p tcp --dport 22 -j DNAT --to 127.0.0.1:2222
#:wq
mount -o remount,rw /chroot/
cp  /etc/init.d/firewall /chroot/etc/init.d/firewall
mount -o remount,ro /chroot/
/etc/init.d/firewall

...
# Permitimos de forma explicita el correo desde salchicha y zen
-A FORWARD -p tcp -s 3.0.1.170 --dport 25 -j ACCEPT
-A FORWARD -p tcp -s 3.0.1.124 --dport 25 -j ACCEPT

# Denegamos de forma explicita el correo desde el resto de las maquinas de SICO
-A FORWARD -p tcp -s 3.0.1.0/24 --dport 25 -j LOG --log-prefix "noforward-correo:"
-A FORWARD -p tcp -s 3.0.1.0/24 --dport 25 -j DROP

#-A FORWARD -j LOG --log-prefix "noforward:"
COMMIT

cd
vi /etc/rcS.d/S47sico_miscmain1 
# añado el 8888 y 8889 a la lista de puertos de misc_main1.sh
#:wq
mount -o remount,rw /chroot/
cp  /etc/rcS.d/S47sico_miscmain1 /chroot/etc/rcS.d/S47sico_miscmain1 
mount -o remount,ro /chroot/
for i in 8888 8889 ; do nohup /usr/bin/socat TCP4-LISTEN:${i},fork,reuseaddr EXEC:"/usr/local/sbin/miscport.sh ${i}",pty,raw,echo=0 & done

vi /etc/init.d/firewall
# añado el 8888 8889 a la lista de puertos 
#:wq
mount -o remount,rw /chroot/
cp  /etc/init.d/firewall /chroot/etc/init.d/firewall
mount -o remount,ro /chroot/
/etc/init.d/firewall

cd
./virinetd
# Se añaden las siguientes dos líneas (sin la almohadilla inicial)
#0.0.0.0 8888 16.0.62.10 8888
#0.0.0.0 8889 16.0.59.14 8888
#:wq
nohup redir --lport=8888 --caddr=16.0.62.10 --cport=8888 &
nohup redir --lport=8889 --caddr=16.0.59.14 --cport=8888 &

asterisk:/root/renew-certbot.sh

#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
n=`certbot certificates 2>/dev/null | grep "[^A-Z]VALID: [0-9]" | wc -l | tr -dc 0-9`
daysleft=`certbot certificates 2>/dev/null | grep "[^A-Z]VALID: [0-9]" | head -1 | sed "s/^.*VALID: \([0-9][0-9]*\).*/\1/g"`
if [ "m$n" != "m1" ] || [ $daysleft -le 30 ] ; then
        ssh root@vps.sicosoft.es "ps -efa | grep 'redir .*83.48.87.215:80\|redir .*83.48.87.215:443' | expand | sed 's/  */ /g' | cut -d ' '  -f 2 | xargs kill"
        ssh root@vps.sicosoft.es "redir 51.38.32.171:80 83.48.87.215:80 ; redir 51.38.32.171:443 83.48.87.215:443 "
        service nginx stop
        certbot renew
        service nginx start
        ssh root@vps.sicosoft.es "ps -efa | grep 'redir .*83.48.87.215:80\|redir .*83.48.87.215:443' | expand | sed 's/  */ /g' | cut -d ' '  -f 2 | xargs kill"
        scp /etc/letsencrypt/live/sico.sicosoft.es/fullchain.pem /etc/letsencrypt/live/sico.sicosoft.es/privkey.pem root@zen:/etc/letsencrypt/live/sico.sicosoft.es/
        ssh root@zen "apache2ctl restart"
fi

adduser tablet
su - tablet
ssh-keygen -t rsa
scp .ssh/id_rsa.pub metro@16.0.62.18:/tmp/
ssh metro@16.0.62.18
su
cd
rm /etc/mtab ; ln -s /proc/mounts /etc/mtab
mount -o remount,rw /chroot/home/
cd /chroot/home/miscport
cat /tmp/id_rsa.pub >> .ssh/authorized_keys 
mount -o remount,ro /chroot/home/
exit
exit
touch .hushlogin
echo -e '#!/bin/bash\nexec ssh miscport@16.0.62.18' > connect
chmod 755 connect
su
sed -i "s#/home/tablet:/bin/bash#/home/tablet:/home/tablet/connect#g" /etc/passwd
exit
echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCa9khU8/6CkaBo7r
Zd0B5W75zWIa5wS+BWMDwYq746+avLqmPSUKKmu43nE5GE9pT0UsVKhJr4pLB1E
6UR5yqh6OeGvvg8YUYcbVXJzRUdIQ41nkcyK6HkrhliIr3TXrHGuZZ7TYzIXKZi
9nU5iIvgaSHYMR/4yOL9As6A461AitzlKmfdF2zXSnTFoFfNU2KFDG946otm4d7
MQ4RKaQ0GEZi1Gw87zz953ZLH3bloLzKTX848l8ZgCMs1ZxGLzQ3SgyfFW/46FD
W26d/9DA5eGzahuaYtfpEkEdpJWxxLy6ROsz601zr1VF7IRMD7Pg6BvztvPGGzK
2rwxUf9isREumeZvFRNcxpggTocnR95EXkDSYAbnZgP1F1arTD39S9F4U6tzxwG
2NodQIQHLq32XucmIdgZ/zWwNs+p+Qb2VaEe20MMDeP2mLeTaNSXkOMUAOJdbqh
eTKrghteFqrr/OF066e+bnYeS1uoP6NdvBVowBZOOHAcFIh+Yvc8I1CTCcWpqZX
LukvhBuve/EtXCfpfiKIGWiNOp8VVCTr+CS4ABhtKQX10a4bpZoDGrHiYYzaydA
5qAvifKe6Ba3oZc5NtKsylFxCmkwyEqZK27UHW4/hKs7GQZld3ghQxZtPhxCKMU
bFGzZYRr3WNjnNzITLsyntJTf1Js9/Vcw== root@raspberrypi" | tr -d '\n' >> .ssh/authorized_keys

vi /etc/dhcpcd.conf 
apt-get install nfs-common expect tk8.6 wish openssh-server rsh-server telnetd-ssl vsftpd
vi /etc/vsftpd.conf
apt-get update
apt-get install ssh-server
apt-get install openssh-server
apt-get -f install
hostname raspberry
apt-get -f install
hostname
vi /etc/hosts
apt-get -f install
dpkg -C
cat /etc/dhcpcd.conf 
exit
cd /etc/ssl/
vi openssl.cnf 
apt-get install --reinstall openssh-server
systemctl enable ssh
systemctl start ssh
reboot
cd /etc/
vi /etc/dhcpcd.enter-hook
chmod a+x dhcpcd.enter-hook 
cd /root/
scp ana@sico.sicosoft.es:/tmp/redirmetro.tgz .
tar -xvzf redirmetro.tgz 
vi redir-metro.sh 
apt-get install build-essential
scp ana@sico.sicosoft.es:/tmp/redir4.tgz .
tar -xvzf redir4.tgz 
cd redir4/src/
ls
make clean
make
cp redir4-* /usr/local/bin/
redir4-client 
cd
cd .ssh/
ssh-keygen -t rsa -b 4096
rfkill unblock 0
cat /etc/dhcpcd.enter-hook
cp /dev/tty dhcpcd.enter-hook
chmod a+x dhcpcd.enter-hook 
vi /etc/dhcpcd.enter-hook
apt install hostapd
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
sudo apt install dnsmasq
vi /etc/dhcpcd.conf
vi /etc/hostapd/hostapd.conf
systemctl reboot
apt-get install bc
vi redir-metro.sh 
mkdir src
cd src
scp ana@sico.sicosoft.es:/tmp/tctivideoserver-src.tgz .
tar -xvzf tctivideoserver-src.tgz 
vi Makefile 
apt-get install libjpeg62-turbo-dev
ln -s /usr/lib/arm-linux-gnueabihf/libjpeg.a .
make clean all
./tctivideoserver --help
cp tctivideoserver ..
./tctivideoserver -nocams
^C
rm -rf src
reboot
apt-get install socat
vi redir-metro.sh 
echo "#!/bin/bash\nexport TERM=$1\nexec ssh tablet@sico.sicosoft.es\n" > miscport.sh
chmod a+x miscport.sh 
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
vi /etc/dnsmasq.conf
systemctl enable dnsmasq
systemctl start dnsmasq
systemctl restart dnsmasq

 /etc/dhcpcd.conf

hostname
clientid
persistent
option rapid_commit
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
option interface_mtu
require dhcp_server_identifier
slaac private
interface eth0
static ip_address=192.168.1.5/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 fd51:42f8:caae:d92e::1
interface wlan0
    static ip_address=16.0.62.18/8
    nohook wpa_supplicant

 /etc/vsftpd.conf

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

 /etc/dnsmasq.conf

interface=wlan0 # Listening interface
dhcp-range=16.0.62.1,16.0.62.4,255.255.255.0,24h
                # Pool of IP addresses served via DHCP
domain=wlan     # Local wireless DNS domain
address=/gw.wlan/16.0.62.18
                # Alias for this router

 /etc/dhcpcd.enter-hook

/root/dhcpcd.enter-hook

 /root/dhcpcd.enter-hook

#!/bin/bash
rfkill unblock 0
rfkill unblock 1
/sbin/ifconfig wlan0 down
/sbin/ifconfig wlan0 up
/sbin/ifconfig wlan0 16.0.62.18 netmask 255.255.255.0
/root/redir-metro.sh

 /root/miscport.sh

#!/bin/bash
TERM=$1 ssh tablet@sico.sicosoft.es

 /root/redir-metro-off.sh

#!/bin/sh
ps -efa | grep redir | grep -v metro | grep -v qemu | grep -v libvirt | sed "s/  */ /g" | cut -d ' ' -f 2 | xargs kill 2>/dev/null
# Para el redir-metro.sh
for i in `ifconfig -a | grep wlan0: | expand | cut -d ' ' -f 1 | sed "s/:\$//g" `; do 
        ifconfig $i down
done

 /root/redir-metro.sh

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH
if [ "m$(whoami)" != "mroot" ] ; then
        echo "ERROR: esta script requiere root\n"
        exit 1
fi
echo 1 > /proc/sys/net/ipv4/ip_forward
dev=wlan0
echo "DEVICE: $dev"
n=`/sbin/ifconfig -a | grep "^$dev[ :]" | wc -l | tr -dc 0-9`
echo "n: $n"
if [ "m$n" == "m0" ] ; then
        echo "ERROR: No hay interfaz ${dev} (el ethernet USB de uiharu), comprueba que esta bien conectado"
        exit 1
fi
cd /root
echo "Cleaning old configuration..."
./redir-metro-off.sh 2>/dev/null >/dev/null
echo "Stopping tctivideoserver..."
ps -efa | grep "tctivi[d]eoserver" | expand | grep -v "zed\| vi" | sed "s/  */ /g" | cut -d ' '  -f 2 | xargs kill 2>/dev/null
(
nohup redir4-client 10001 127.0.0.1 11001 &
nohup redir4-client 10003 127.0.0.1 11001 &
nohup redir4-client 10011 127.0.0.1 11001 &
nohup redir4-client 10013 127.0.0.1 11001 &
nohup redir4-client 10016 127.0.0.1 11001 &
nohup redir4-client 10017 127.0.0.1 11001 &

) 2>/dev/null
ifconfig ${dev} 16.0.62.18 netmask 255.255.255.255
ifconfig ${dev}:1 16.13.62.60
ifconfig ${dev}:1 up
ifconfig ${dev}:2 16.0.62.62
ifconfig ${dev}:2 up
n=3;
for i in `ls planos_linea*.cfg | tr -cd "0-9\n" | sort -n` ; do
    for ip in `cat planos_linea${i}.cfg  | expand | cut -d ' '  -f 1 | grep ^[0-9]` ; do
        ifconfig ${dev}:$n $ip netmask 255.255.255.255
        ifconfig ${dev}:$n up
        n=`echo ${n}+1| bc`
    done
done
for i in planos_piloto.cfg ; do
    for ip in `cat ${i}  | expand | cut -d ' '  -f 1 | grep ^[0-9]` ; do
        ifconfig ${dev}:$n $ip netmask 255.255.255.255
        ifconfig ${dev}:$n up
        n=`echo ${n}+1| bc`
    done
done
nohup ./tctivideoserver -nocams &
for i in 11001 ; do 
/usr/bin/socat TCP4-LISTEN:${i},fork,reuseaddr EXEC:"/root/miscport.sh ${i}",pty,raw,echo=0 &
done

 /etc/ssl/openssl.cnf

HOME                    = .
oid_section             = new_oids
openssl_conf = default_conf
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
certs           = $dir/certs
crl_dir         = $dir/crl
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
crlnumber       = $dir/crlnumber
crl             = $dir/crl.pem
private_key     = $dir/private/cakey.pem
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
default_days    = 365
default_crl_days= 30
default_md      = default
preserve        = no
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir             = ./demoCA
serial          = $dir/tsaserial
crypto_device   = builtin
signer_cert     = $dir/tsacert.pem
certs           = $dir/cacert.pem
signer_key      = $dir/private/tsakey.pem
signer_digest  = sha256
default_policy  = tsa_policy1
other_policies  = tsa_policy2, tsa_policy3
digests     = sha1, sha256, sha384, sha512
accuracy        = secs:1, millisecs:500, microsecs:100
clock_precision_digits  = 0
ordering                = yes
tsa_name                = yes
ess_cert_id_chain       = no
ess_cert_id_alg         = sha1
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.1
CipherString = DEFAULT@SECLEVEL=1

 shirka:/chroot/etc/rcS.d/S47sico_miscmain1

#!/bin/sh
#
# start/stop webmain1 forward daemon.

### BEGIN INIT INFO
# Provides:          webmain1
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     S 2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start webmain1 port forward
# Description:       webmain1 port forward
#                    (does an ssh to maintd@16.0.62.18)
### END INIT INFO

test -f /usr/bin/socat || exit 0

for i in 1525 1527 1528 1529 1530 1531 5901 5902 5969 5979 5989 5999 11001 11003 4321 ; do 
/usr/bin/socat TCP4-LISTEN:${i},fork EXEC:"/usr/bin/sudo -u metro /usr/bin/ssh misc${i}@16.0.62.18" &
done
for i in `seq 5501 5516` `seq 5521 5536` ; do 
/usr/bin/socat TCP4-LISTEN:${i},fork,reuseaddr EXEC:"/usr/local/sbin/miscport.sh ${i}",pty,raw,echo=0 &
done

 shirka:/chroot/usr/local/sbin/miscport.sh

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=$1
exec /usr/bin/sudo -u metro /usr/bin/ssh miscport@16.0.62.18

 main1:/etc/passwd

...
miscport:$1$TGFZ7KXc$ZAASPd1KfpVSmwasMq0At.:1020:1020:-,-,-,-,-:/home/miscport:/home/miscport/connect
...

 main1:/home/miscport/connect

#!/bin/bash
MISCPORT=$( echo "$TERM" | tr -dc 0-9 | grep ....)
if [ "m$MISCPORT" == "m" ] ; then
        exit
fi
exec /usr/local/bin/nc localhost $MISCPORT

service nginx stop
certbot certonly --standalone -d sico.sicosoft.es -d mail.sicosoft.es -d mail2.sicosoft.es -d informes.sicosoft.es -d vpn.sicosoft.es -d webmail.sicosoft.es
service nginx start
scp /etc/letsencrypt/live/sico.sicosoft.es/fullchain.pem /etc/letsencrypt/live/sico.sicosoft.es/privkey.pem root@zen:/etc/letsencrypt/live/sico.sicosoft.es/
ssh root@zen "apache2ctl restart"

 /root/renew-certbot.sh

 autossh-vps.sh 

#!/bin/bash
cd /tmp
autossh -f -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -N root@vps.sicosoft.es -R 2222:192.168.1.2:22 -R 443:192.168.1.2:443 -R 80:192.168.1.2:80 -C

 /etc/network/interfaces

...
iface eth1 inet static
        address 192.168.1.2
        network 192.168.1.0
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        post-up /bin/sh -c "/etc/init.d/iptables start ; sleep 1 ; /root/nat.sh eth1 ; /root/autossh-sico2.sh ; /root/nat-carteles.sh ; /root/autossh-vps.sh"
...

 /etc/init.d/networking

...
case "$1" in
start)
...
        if ifup -a $exclusions $verbose && ifup_hotplug $exclusions $verbose
        then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        ### SICO
        for i in 2222 443 80 ; do
                redir 51.38.32.171:$i 127.0.0.1:$i 
        done
        ### END SICO
        ;;

stop)
        if init_is_upstart; then
                exit 0
...

 /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo eth0 eth1
allow-hotplug eth2

iface lo inet loopback

iface eth0 inet static
        address 3.0.1.52
        #gateway 3.0.1.51
        network 3.0.1.0
        netmask 255.255.255.0
        broadcast 3.0.1.255
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 3.0.1.3
        dns-search sicosoft.es
        post-up /sbin/ifconfig eth0:1 3.0.1.51
        post-up /sbin/ifconfig eth0:2 192.168.2.254 netmask 255.255.255.0
        post-up /sbin/route add -host 16.0.62.18 gw 3.0.1.42
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

iface eth1 inet static
        address 192.168.1.2
        network 192.168.1.0
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        post-up /bin/sh -c "/etc/init.d/iptables start ; sleep 1 ; /root/nat.sh eth1 ; /root/autossh-sico2.sh"


iface eth2 inet dhcp
        post-up /usr/local/sbin/ppp_huawei_e5563_modem.sh on
        post-up /etc/init.d/iptables start
        post-up /bin/sh -c "sleep 5 ; /root/nat.sh eth2 ; /root/autossh-sico2.sh"
        post-down /usr/local/sbin/ppp_huawei_e5563_modem.sh off

 /etc/default/iptables

...
# Loop device.
-A INPUT -i lo -j ACCEPT

# Para la red aislada (WAG320N 192.168.2.1 a ASTERISK 192.168.2.254)
-A INPUT -s 192.168.2.1 -d 192.168.1.2 -j DROP
-A INPUT -s 192.168.2.1 -d 192.168.2.254 -p tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.1 -d 192.168.2.254 -p udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.2.1 -d 192.168.2.254 -j DROP

# socket-upipe-server usage
-A INPUT -p tcp --dport 10000 -j ACCEPT

# dns
-A INPUT -p tcp --dport 53  -j ACCEPT
-A INPUT -p udp --dport 53  -j ACCEPT

...

• Pongo el user/pass de los routers de internet de sico (admin:qni...)
• Desactivo el WiFi
• Le pongo como red de la LAN la 3.0.1.51 (y me reconecto a http://3.0.1.51)
• Le pongo en modo bridge
• Le configuro el LANPORT1 como WAN, con la IP 192.168.2.1, GATEWAY 192.168.1.254, DNS 192.168.1.254 y 8.8.8.8
• Reconecto el portátil al puerto LANPORT2
• Configuro los forwards de puertos (ver forwardeos-carteles-laboratorio_20210929-1.png):

 asterisk:/etc/network/interfaces

...
iface eth1 inet static
        address 192.168.1.2
        network 192.168.1.0
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        post-up /bin/sh -c "/etc/init.d/iptables start ; sleep 1 ; /root/nat.sh eth1 ; /root/autossh-sico2.sh ; /root/nat.sh eth0"
...

• Lo pongo en el DNS de sico como "vps.sicosoft.es"
• Le autorizo para mandar emails de sico (añado su IP registro SPF del DNS)
• Genero una clave rsa para root@vps.sicosoft.es
• Igual que con el anterior, se ha autorizado a root@asterisk y a dario@uiharu para acceder al equipo por ssh ("ssh root@vps.sicosoft.es").
• En el vps, se ha desactivado el acceso por ssh con password siguiendo este tutorial.
• Pongo un firewall en /etc/default/iptables y lo llamo desde rc.local (ver fichero al final de esta entrada)
• Instalo un postfix como "open relay", ya que sólo aceptamos mails que vengan de vps.sicosoft.es, siguiendo esta guía, pero sin desactivar lo de "open relay".

apt-get install postfix mailutils
# NOTA: Cuando pregunte, queremos "Internet Host" y el nombre a usar er "vps.sicosoft.es"
sed -i "s/^myhostname = .*/myhostname = vps.sicosoft.es/g" /etc/postfix/main.cf
echo -e "\n# ADDED\n\nrelay_domains = sicosoft.es\nmynetowrks = 2.136.41.224/32\nsmtpd_client_restrictions = permit_mynetworks" >> /etc/postfix/main.cf
/etc/init.d/postfix restart

• Configuro zen para que use vps para los correos de yahoo, usando este tutorial y esta lista de dominios:

cd /etc/postfix
for i in rocketmail.com yahoo.ae yahoo.at yahoo.be yahoo.ch yahoo.co.id yahoo.co.il yahoo.co.in yahoo.co.jp yahoo.co.nz yahoo.co.th yahoo.co.uk yahoo.co.za yahoo.com yahoo.com.ar yahoo.com.au yahoo.com.br yahoo.com.co yahoo.com.hk yahoo.com.hr yahoo.com.mx yahoo.com.my yahoo.com.ph yahoo.com.sg yahoo.com.tr yahoo.com.tw yahoo.com.vn yahoo.cz yahoo.de yahoo.dk yahoo.es yahoo.fi yahoo.fr yahoo.gr yahoo.hu yahoo.ie yahoo.in yahoo.it yahoo.nl yahoo.no yahoo.pl yahoo.pt yahoo.ro yahoo.ru yahoo.se ymail.com ; do echo "$i smtp:vps.sicosoft.es:25" >> transport ; done
postmap hash:/etc/postfix/transport
sed -i "s@\(^transport_maps = .*\)@\1, hash:/etc/postfix/transport@g" main.cf
/etc/init.d/postfix restart

 /etc/default/iptables

IPTABLES=/sbin/iptables
DEV=ens3

# Activamos el anti-spoofing
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 >$i ; done

# Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Desabilitar la redireccion del ping
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Registrar los paquetes extranios (martians: packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Anti-flooding o inundacin de tramas SYN.
$IPTABLES -N syn-flood
for IFACE in `ifconfig -a | grep -B 1 "inet addr" | grep ^[a-z] | expand | cut -d ' ' -f 1 | grep -v "^lo\$"` ; do
        $IPTABLES -A INPUT -i $IFACE -p tcp --syn -j syn-flood
done
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

# Quitamos todo lo que hubiera
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

for i in `$IPTABLES -L | grep "^Chain" | cut -d " " -f 2 | grep -v "INPUT\|FORWARD\|OUT
PUT"` ; do
        $IPTABLES -F $i
        $IPTABLES -X $i
done

$IPTABLES -A INPUT -s 2.136.41.224/32 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 25 -j DROP
$IPTABLES -A INPUT -p udp --dport 25 -j DROP

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

/etc/init.d/nginx stop
apt-get update
echo "deb http://ftp.debian.org/debian jessie-backports main" > /etc/apt/sources.list.d/jessie-backports.list
apt-get update
apt-get install certbot -t jessie-backports
cd /root
cat > renew-certbot.sh <<'EOF'
#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
n=`certbot certificates 2>/dev/null | grep "[^A-Z]VALID: [0-9]" | wc -l | tr -dc 0-9`
if [ "m$n" != "m1" ] ; then
        service nginx stop
        certbot renew
        service nginx start
fi
EOF
chmod 755 renew-certbot.sh
certbot certonly --standalone -d sico.sicosoft.es -d mail.sicosoft.es -d mail2.sicosoft.es -d informes.sicosoft.es -d vpn.sicosoft.es
/etc/init.d/nginx start

51 3,17 * * * /root/renew-certbot.sh

• /etc/init.d/network/interfaces (arranca el ppp_huawei_e5563_modem.sh cuando se levanta el interfaz eth2)
• /etc/init.d/iptables (nuevo, copiado de nas)
• /etc/default/iptables (nuevo, copiado de nas)
• /usr/local/sbin/ppp_huawei_e5563_modem.sh (nuevo, arranca el dhcp en el interfaz eth2, que es el modem 3G usb)
• /etc/wvdial.conf (no se usa)
• /etc/rc.local (arrancar el autossh contra vps para forwardeo inverso desde vps:2222 al puerto ssh de asterisk)
• /etc/secirity/access.com (listar todos los usuario como no permitidos desde otras redes, excepto al usuario ana)
• /etc/pam.d/sshd (activar el uso de pam_access.so)

0 3 * * * /usr/sbin/ntpdate hora.rediris.es

# echo nameserver 3.0.1.3 > /etc/resolv.conf

/sbin/route add default gw 3.0.1.51

cd /root
mkdir iptables_amd64
cd iptables_amd64
scp dario@3.0.1.3:/sbin/iptables .
cp ../modprobe_amd64/*so* .
cat > iptables.sh <<'EOF'
#!/bin/bash
LANG=C
LC_ALL=C
export LANG LC_ALL
LD_LIBRARY_PATH=/root/iptables_amd64 /root/iptables_amd64/ld-linux-x86-64.so.2 /root/iptables_amd64/iptables "$@"
EOF
chmod 755 iptables.sh
scp dario@3.0.1.3:/lib64/ld-linux-x86-64.so.2 .
scp dario@3.0.1.3:/lib/x86_64-linux-gnu/libc.so.6 .
scp dario@3.0.1.3:/lib/x86_64-linux-gnu/libm.so.6 .
scp dario@3.0.1.3:/lib/x86_64-linux-gnu/libdl.so.2 .
scp dario@3.0.1.3:/usr/lib/x86_64-linux-gnu/libip4tc.so.0 .
scp dario@3.0.1.3:/usr/lib/x86_64-linux-gnu/libip6tc.so.0 .
scp dario@3.0.1.3:/usr/lib/x86_64-linux-gnu/libxtables.so.12 .
cd /sbin
mv iptables iptables.orig
ln -s /root/iptables_amd64/iptables.sh iptables

cd /etc/init.d/
./firewall.sico.solocorreo

portsnap fetch extract
cd /usr/ports/ports-mgmt/pkg
make reinstall
make clean
cd /usr/ports/www/nginx
pkg install nginx
service nginx restart

portsnap fetch update
portsnap fetch
portsnap extract
pkg install pkgconf
cd /usr/ports/security/py-certbot && make install clean
mkdir -p /var/www
cd /usr/local/etc/nginx
service nginx stop
certbot certonly --standalone -d informes.sicosoft.es -d sico2.sicosoft.es -d mail.sicosoft.es
service nginx start

...
         ssl on;
         ssl_certificate /usr/local/etc/letsencrypt/live/informes.sicosoft.es/fullchain.pem;
         ssl_certificate_key  /usr/local/etc/letsencrypt/live/informes.sicosoft.es/privkey.pem;
...

 /usr/local/etc/nginx/renew-certbot.sh

#!/bin/sh
n=`certbot certificates 2>/dev/null | grep "[^A-Z]VALID: [0-9]" | wc -l | tr -dc 0-9`
if [ "m$n" != "m1" ] ; then
        service nginx stop
        certbot renew
        service nginx start
fi

chmod 755 /usr/local/etc/nginx/renew-certbot.sh
echo "51 3,17 * * * /usr/local/etc/nginx/renew-certbot.sh" | crontab -e

cd
: > /usr/bin/bspatch
freebsd-update upgrade -r 11.0-RELEASE
freebsd-update install
shutdown -r now
freebsd-update install
pkg-static install -f pkg
# Recompilamos los paquetes que estaban instalados usando ports
cd /usr/ports/net/trafshow
make clean deinstall reinstall
cd /usr/ports/dns/bind99
make clean deinstall reinstall
cd /usr/ports/net/mpd5
make clean deinstall reinstall
# quitamos las librerías antiguas
freebsd-update install
# actualizamos el nginx
pkg install nginx
# reiniciamos para usar la nueva versión del s.o.
shutdown -r now

freebsd-update fetch
freebsd-update install
freebsd-update upgrade -r 10.3-RELEASE
freebsd-update install
shutdown -r now
# se reinicia y se vuelve a ejecutar para las actualizaciones que dependían del kernel
freebsd-update install
# Una vez que termina, se vuelve a ejeuctar (si lo pide) para borrar librerías antiguas
# Por último se vuelve a reiniciar para que use la nueva versión de todo
shutdown -r now

cd /var/db/pkg
mv local.sqlite local.sqlite.bad2
xzcat /var/backups/pkg.sql.xz.1 | sqlite3 /var/db/pkg/local.sqlite
pkg info

pkg update
pkg install py-letsencrypt
cd /usr/ports/ports-mgmt/pkg
make clean deinstall reinstall -D ALLOW_UNSUPPORTED_SYSTEM
pkg-static install sqlite3
cp /var/db/pkg/local.sqlite /var/db/pkg/local.sqlite.backup
sqlite3 /var/db/pkg/local.sqlite
#tambien se puede hacer un "pkg shell" en vez del sqlite3
sqlite> pragma integrity_check;
ok
sqlite> pragma user_version="31";
sqlite> .mode insert
sqlite> .output local.sqlite.dump
sqlite> .dump
sqlite> .quit
root@internetti:/usr/ports/ports-mgmt/pkg # mv /var/db/pkg/local.sqlite /var/db/pkg/local.sqlite.bad
root@internetti:/usr/ports/ports-mgmt/pkg # sqlite3 /var/db/pkg/local.sqlite
SQLite version 3.18.0 2017-03-28 18:48:43
Enter ".help" for usage hints.
sqlite> .read local.sqlite.dump
sqlite> .quit
cd /usr/ports/ports-mgmt/pkg
make clean deinstall reinstall -D ALLOW_UNSUPPORTED_SYSTEM

portsnap fetch
portsnap extract
# (Para las siguientes veces no no se hace el extract, sino solo un "portsnap fetch update")

• DD-WRT: https://forum.openwrt.org/viewtopic.php?pid=316836#p316836
• Instrucciones con TFTP
• Downgrade

stat -x /usr/ports/UPDATING > ~/last_update
sudo portsnap fetch update
cd /usr/ports/net/trafshow
make config-recursive install distclean

 trafshow -i em0 -n

portsnap fetch update
make -C /usr/ports/dns/bind99 install clean

ln -s /usr/local/etc/namedb /etc/bind
cd /etc/bind
mkdir zones
cd zones
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/var/named/zones/sicosoft.es.db .
chown bind:bind sicosoft.es.db

acl trusted-servers {
    79.98.145.34; 195.80.237.194;
};

zone "sicosoft.es" {
        type master;
        file "/etc/bind/zones/sicosoft.es.db";
        allow-transfer { 79.98.145.34; 195.80.237.194; };
        also-notify { 79.98.145.34; 195.80.237.194; };
};

options {
...
        listen-on       { any; };
...
        allow-recursion { 127.0.0.1; 3.0.1.0/24; };
};

 named_enable="YES"

 service named start
 tail -25 /var/log/messages

portsnap fetch update

 cloned_interfaces="${cloned_interfaces} lo2"

 service netif cloneup

 ezjail-admin create dns1 'lo2|127.0.3.1,em0|3.0.1.51'

 ezjail-admin start dns1

 ezjail_enable="NO"

ifconfig br0:1 16.13.62.60
route add -host 18.132.58.12 gw 3.0.1.4
/etc/init.d/firewall stop

ifconfig eth0:1 18.132.58.12
route add -net 192.168.0.0 netmask 255.255.255.0 gw 3.0.1.3

test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available
cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /root/easy-rsa
cd /root/easy-rsa
cp vars{,.orig}
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/home/ana/easyrsa/* .
openvpn --genkey --secret /root/easy-rsa/keys/ta.key
cp -pv /root/easy-rsa/keys/{ca.{crt,key},{vpn,carlosculebras,jjcriado}.sicosoft.es.{crt,key},ta.key,dh1024.pem} /etc/openvpn/certs/
mkdir -p /etc/openvpn/private
chmod 700 /etc/openvpn/private
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/openvpn/private/vpn.sicosoft.es.key /etc/openvpn/private
cat > /etc/openvpn/server.conf <'EOF'

port 1194
proto udp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/vpn.sicosoft.es.crt
key /etc/openvpn/private/vpn.sicosoft.es.key
dh /etc/openvpn/certs/dh1024.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client
keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo

max-clients 10

user nobody
group nogroup

persist-key
persist-tun

#log openvpn.log
#status openvpn-status.log
verb 5
mute 20
EOF
service openvpn restart
update-rc.d -f openvpn defaults
sed -i "s:^#*net.ipv4.ip_forward=.*:net.ipv4.ip_forward=1:g" /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
iptables -A FORWARD -s 192.168.88.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/iptables.rules
echo '#!/bin/bash' > /etc/network/if-pre-up.d/iptables
echo 'test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules' >> /etc/network/if-pre-up.d/iptables
chmod 755 /etc/network/if-pre-up.d/iptables

TCP_SERVICES="{ 22, 25, 53, 80, 443 }"
UDP_SERVICES="{ 53 }"

...

OPENVPN_PORT="1194"
HOST_GEA="3.0.1.198"

...
rdr pass on $EXT_NIC inet proto tcp from any to $EXT_IP port 25 -> 3.0.1.123 port 25
rdr pass on $EXT_NIC inet proto tcp from any to $EXT_IP port 80 -> $HOST_GEA port $OPENVPN_PORT
...

 /etc/rc.d/pf reload

pkg remove openvpn
pkg remove easy-rsa

vi /etc/rc.conf

 reboot

pkg update
pkg install openvpn
cd /usr/local/etc
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.6/etc/openvpn .
ln -s /usr/local/etc/openvpn /etc/openvpn
sed "s/_openvpn/nobody/g;s/port 80/port 8080/g" < server.conf > /tmp/a
cat /tmp/a > server.conf

vi /etc/rc.conf

# openvpn firewall options
natd_enable="YES"
natd_interface="vtnet0"
natd_flags="-dynamic -m"

# Start openvpn
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

 vi /etc/pf.conf

 reboot

pkg install nginx
cd /usr/local/etc/nginx
mv nginx.conf nginx.conf.ori
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/nginx/nginx.conf .
mkdir -p /var/log/nginx/log/ /etc/ssl/certs /etc/ssl/private
scp "root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/ssl/private/*sicosoft*" /etc/ssl/private/
echo 'nginx_enable="YES"' >> /etc/rc.conf
service nginx start

• Añadir el hosts "ALL WIFI DHCP" que incluya el 192.168.0.100-192.168.0.199
• Añadir los target "VERY LOW IP SICO" (3.0.1.1-3.0.1.2), "LOW IP SICO" (3.0.1.4-3.0.1.50), "HIGH IP SICO split 1/2" (3.0.1.53-3.0.1.87), "HIGH IP SICO split 2/2" (3.0.1.89-3.0.1.197), "VERY HIGH IP SICO" (3.0.1.199-3.0.1.254)
• Añadir las rules "DENY VERY LOW" ("ALL WIFI DHCP", "VERY LOW IP SICO"),"DENY LOW" ("ALL WIFI DHCP", "LOW IP SICO"),"DENY HIGH split 1/2" ("ALL WIFI DHCP", "HIGH IP SICO split 1/2"),"DENY HIGH split 2/2" ("ALL WIFI DHCP", "HIGH IP SICO split 2/2"), ,"DENY VERY HIGH" ("ALL WIFI DHCP", "VERY HIGH IP SICO")
• Dejar seleccionado que las reglas son un DENY.
• Activar el Access Control en el checkbox de arriba.
• Dar al SAVE

• Poner la zona horatia como Europe/Berlin
• Poner como servidor de NTP a "hora.rediris.es"
• Dar a "get GMT"
• Dar a "SAVE"

portsnap fetch extract
freebsd-update fetch install

echo 'cloned_interfaces="${cloned_interfaces} lo1"' >> /etc/rc.conf
service netif cloneup

cd /usr/ports/sysutils/ezjail
make install clean

echo 'ezjail_enable="YES"' >> /etc/rc.conf
service ezjail start

ezjail-admin install -p

 /etc/rc.local

 http://www.linuxforums.org/forum/networking/153506-solved-iproute2-rule-based-multi-homed-snat-problem.html
 conntrack -L | grep "=25\b"
 watch "netstat -pan | grep \":25\b\""

SYN_ONLY="S/FSRA"
EXT_NIC="tun0"
INT_NIC="em0"
EXT_IP="80.28.211.112"
INT_IP="3.0.1.51"
INT_IP2="3.0.1.52"
TCP_SERVICES="{ 22, 25, 53, 80, 443 }"
UDP_SERVICES="{ 53 }"
ICMP_TYPES="{ echoreq, unreach}"
set limit states 100000
set skip on lo
scrub all fragment reassemble
nat on $EXT_NIC from !($EXT_NIC) to any -> ($EXT_NIC)
rdr pass on $EXT_NIC inet proto tcp from any to $EXT_IP port 25 -> 3.0.1.123 port 25
block           # block stateless traffic
pass            # establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
block return-rst in log on $EXT_NIC proto TCP all
   pass in on $EXT_NIC proto TCP from any to $EXT_IP port $TCP_SERVICES flags $SYN_ONLY keep state
block in on $EXT_NIC proto udp all
   pass in quick on $EXT_NIC proto UDP from any to $EXT_IP port $UDP_SERVICES keep state
pass in inet proto icmp all icmp-type $ICMP_TYPES
block out on $EXT_NIC all
   pass out quick on $EXT_NIC from $EXT_IP to any keep state
set skip on lo0
set skip on $INT_NIC

 pfctl -F all -f /etc/pf.conf

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [17:884]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17:1596]
:POSTROUTING ACCEPT [17:1596]
:MARK-FIBRA - [0:0]
-A PREROUTING -s 3.0.1.0/24 -d 3.0.1.0/24 -i eth0 -j ACCEPT
-A PREROUTING -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -d 3.0.1.123 -m conntrack --ctstate NEW -j MARK-FIBRA
-A INPUT -d 3.0.1.123  -m conntrack --ctstate NEW -j MARK-FIBRA
-A OUTPUT -d 3.0.1.123  -m conntrack --ctstate NEW -j MARK-FIBRA
-A MARK-FIBRA -j MARK --set-xmark 0x2/0xffffffff
-A MARK-FIBRA -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A MARK-FIBRA -j MARK --set-xmark 0x2/0xffffffff
-A MARK-FIBRA -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp --dport 53  -j ACCEPT
-A INPUT -p udp --dport 53  -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT

250     ADSL
249     FIBRA

#!/bin/bash
export PATH=$PATH:/sbin:/usr/sbin
ip route flush table FIBRA
ip route add default via 3.0.1.51 dev eth1 table FIBRA
ip route add to 3.0.1.0/24 dev eth0 table default
ip route flush cache
ip rule flush
ip rule add from all lookup local priority 0
ip rule add from all fwmark 0x2 lookup FIBRA priority 90
ip rule add from 3.0.1.123 lookup FIBRA priority 91
ip rule add from all lookup main priority 32766
ip rule add from all lookup default priority 32767

#Finally, make sure that the rp_filter option is disabled on the router, otherwise it could drop packets:
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done

# Set up so that both cards can share network
# http://unix.stackexchange.com/questions/126832/linux-routing-for-receiving-packet
sysctl -w net.ipv4.conf.eth0.arp_announce=2
sysctl -w net.ipv4.conf.eth1.arp_announce=2
sysctl -w net.ipv4.conf.eth0.arp_filter=1
sysctl -w net.ipv4.conf.eth1.arp_filter=1
sysctl -w net.ipv4.conf.eth0.arp_ignore=1
sysctl -w net.ipv4.conf.eth1.arp_ignore=1

 chmod 755 /etc/init.d/routes

...
 start() {
     # Do not start if there is no config file.
     [ -f "$IPTABLES_DATA" ] || return 1
 
     log_daemon_msg "Applying $IPTABLES firewall rules"
 
     OPT=
     [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
 
     $IPTABLES-restore $OPT $IPTABLES_DATA
     if [ $? -eq 0 ]; then
         log_end_msg 0
     else
         log_end_msg 1; return 1
     fi
     
     # Load additional modules (helpers)
     if [ -n "$IPTABLES_MODULES" ]; then
        echo -n "Loading additional $IPTABLES modules"
        ret=0
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && log_end_msg 0 || log_end_msg 1
     fi
     
     touch $VAR_SUBSYS_IPTABLES
 
+### SICO ADDENDA
+/etc/init.d/routes start
+### END OF SICO ADDENDA
 
     return $ret
 }
...

sysctl -w net.ipv4.conf.eth0.arp_announce=2
sysctl -w net.ipv4.conf.eth0:1.arp_announce=2
sysctl -w net.ipv4.conf.eth0.arp_filter=1
sysctl -w net.ipv4.conf.eth0:1.arp_filter=1
sysctl -w net.ipv4.conf.eth0.arp_ignore=1
sysctl -w net.ipv4.conf.eth0:1.arp_ignore=1

ifconfig vlan0 create
ifconfig vlan0 vlan 6 vlandev re0
cd /usr/ports/net/mpd5
make install clean
cp /dev/tty /usr/local/etc/mpd5/mpd.conf
infinity:
  create bundle static B1
  set iface name tun0
  set iface enable tcpmssfix
  set iface route default
  set ipcp ranges 0.0.0.0/0 0.0.0.0/0
  create link static L1 pppoe
  set link action bundle B1
  set auth authname adslppp@telefonicanetpa
  set auth password adslppp
  set link max-redial 0
  set link mtu 1492
  set link mru 1492
  set link keep-alive 10 60
  set pppoe iface vlan0
  set pppoe service ""
  open
default:
  load infinity
^D
/usr/local/etc/rc.d/mpd5 onestart

vi /etc/rc.conf

ifconfig_re0="up"
cloned_interfaces="vlan0"
ifconfig_vlan0="vlan 6 vlandev re0"

mpd_enable="YES"
gateway_enable="YES"

echo 'pf_enable="YES"' >> /etc/rc.conf
echo 'pf_rules="/etc/pf.conf"' >> /etc/rc.conf
ssh root@3.0.1.46 "cat /shared/unix/chroots/internettiOBSD5.6/etc/pf.conf" | sed "s/pppoe/tun/g" | grep -v scrub | grep -v "^pass.*rdr-to\|nat-to" > pf.conf
pfctl -F all -f /etc/pf.conf

 reboot

pkg install mpd5

 internetti# ppp -ddial fibra

cd /etc
mv pf.conf pf.conf.sample
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.6/etc/pf.conf .

kldload ng_pppoe

 no matching cipher found
 no kex alg 

• hibernate on close lid [yes]: no
• whole disk: yes
• sólo instalo los paquetes que NO empiezan por x

cd /etc/
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/hostname.em0 .
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/hostname.pppoe0 .
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/hostname.re0 .
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/hostname.vlan6 .
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/pf.conf .
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/sysctl.conf .
cd /var/named  
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/var/named/* .
cd /etc/
scp root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/rc.conf.local .
export PKG_PATH="ftp://ftp.openbsd.org/pub/OpenBSD/5.6/packages/amd64/"
pkg_add -i lzo
pkg_add -i openvpn
pkg_add -i git
cd /usr/local/share/examples/openvpn/
git clone -b release/2.x https://github.com/OpenVPN/easy-rsa.git easy-rsa
su - ana

cd
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/home/ana/easyrsa .
exit

cd /etc
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/openvpn .
pkg_add pcre
pkg_add nginx
mkdir -p /var/log/nginx/log/
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/nginx .
cd /etc/ssl
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/ssl/certs .
scp -r root@3.0.1.46:/shared/unix/chroots/internettiOBSD5.4/etc/ssl/private .

• SSL Checker
• SSLTools

export PKG_PATH="ftp://ftp.openbsd.org/pub/OpenBSD/5.4/packages/amd64/"
pkg_add -uvi

cd /root
curl http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch > 007_openssl.patch
curl http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch > 008_openssl.patch
curl http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/009_openssl.patch > 009_openssl.patch

dmesg | grep sd0 
disklabel sd0
mount /dev/sd0i /usr/src

openssl req -new -newkey rsa:4096 -days $(( 365 * 2 )) -nodes -keyout asterisk.sicosoft.es.key -out asterisk.sicosoft.es.csr

curl  http://www.startssl.com/certs/sub.class2.server.ca.pem > sub.class2.server.ca.pem
curl https://www.startssl.com/certs/ca.pem > startssl.ca.crt
wget http://www.startssl.com/certs/sub.class2.server.ca.pem 
cat sub.class2.server.ca.pem startssl.ca.crt > startssl.chain.class2.server.crt
cat asterisk.sicosoft.es.crt startssl.chain.class2.server.crt > asterisk.sicosoft.es.pem

cd /etc/ssl/private/
scp dario@3.0.1.3:certs/asterisk.sicosoft.es/asterisk.sicosoft.es.key .
chmod 640 *.key *.pem *.crt
cd /etc/ssl/certs/
scp dario@3.0.1.3:certs/asterisk.sicosoft.es/asterisk.sicosoft.es.pem .
cd /etc/nginx/
vi nginx.conf

cd /etc/ssl/certs
scp dario@3.0.1.3:certs/asterisk.sicosoft.es/asterisk.sicosoft.es.pem iRedMail_CA.pem
cd /etc/ssl/private
scp dario@3.0.1.3:certs/asterisk.sicosoft.es/asterisk.sicosoft.es.key iRedMail.key
chmod 640 iRedMail.key 
chgrp ssl-cert iRedMail.key

 openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout sico2.sicosoft.es.key -out sico2.sicosoft.es.csr

openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout mail.sicosoft.es.key -out mail.sicosoft.es.csr

openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout informes.sicosoft.es.key -out informes.sicosoft.es.csr

curl https://www.startssl.com/certs/sub.class1.server.ca.pem > startssl.sub.class1.server.ca.crt
curl https://www.startssl.com/certs/ca.pem > startssl.ca.crt
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
cat informes.sicosoft.es.crt startssl.chain.class1.server.crt > informes.sicosoft.es.pem
chown root:root *.crt *.key *.pem
chmod 640 *.key *.pem
cp informes.sicosoft.es.pem /etc/ssl/certs/
chmod 644 /etc/ssl/certs/informes.sicosoft.es.pem
cp informes.sicosoft.es.key /etc/ssl/private/
chgrp ssl-cert /etc/ssl/private/informes.sicosoft.es.key

dario@uiharu:~/certs/informes.sicosoft.es$ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout informes.sicosoft.es.key -out informes.sicosoft.es.csr
Generating a 4096 bit RSA private key
.............................................................................................................................................++
.........................................................................................................++
writing new private key to 'informes.sicosoft.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Spain
Locality Name (eg, city) []:Alcobendas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SICOSOFT
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:sicosoft.es
Email Address []:javiersoler@sicosoft.es

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
dario@uiharu:~/certs/informes.sicosoft.es$

pkg_add pcre
pkg_add nginx

cd easyrsa
. ./vars
KEY_NAME=clientcarlosculebras ./pkitool carlosculebras.sicosoft.es

pkg_add -i lzo
pkg_add -i openvpn
pkg_add -i git
cd /usr/local/share/examples/openvpn/
git clone -b release/2.x https://github.com/OpenVPN/easy-rsa.git easy-rsa

cp -R /usr/local/share/examples/openvpn/easy-rsa/easy-rsa/2.0 easyrsa
cd easyrsa
vi vars

--- /usr/local/share/examples/openvpn/easy-rsa/easy-rsa/2.0/vars        Tue Sep  2 10:17:45 2014
+++ vars        Tue Sep  2 10:23:51 2014
@@ -50,7 +50,7 @@
 # down TLS negotiation performance
 # as well as the one-time DH parms
 # generation process.
-export KEY_SIZE=2048
+export KEY_SIZE=1024
 
 # In how many days should the root CA key expire?
 export CA_EXPIRE=3650
@@ -61,12 +61,12 @@
 # These are the default values for fields
 # which will be placed in the certificate.
 # Don't leave any of these fields blank.
-export KEY_COUNTRY="US"
-export KEY_PROVINCE="CA"
-export KEY_CITY="SanFrancisco"
-export KEY_ORG="Fort-Funston"
-export KEY_EMAIL="me@myhost.mydomain"
-export KEY_OU="MyOrganizationalUnit"
+export KEY_COUNTRY="ES"
+export KEY_PROVINCE="Madrid"
+export KEY_CITY="Alcobendas"
+export KEY_ORG="SICOSOFT"
+export KEY_EMAIL="dariorodriguez@sicosoft.es"
+export KEY_OU="IT"
 
 # X509 Subject Field
 export KEY_NAME="EasyRSA"

. vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server vpn.sicosoft.es
KEY_NAME=clientjjcriado ./pkitool jjcriado.sicosoft.es

cd /home/ana/easyrsa
mkdir /etc/openvpn
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf
cp keys/ca.crt /etc/openvpn/ca.crt
cp keys/dh1024.pem /etc/openvpn/dh1024.pem
cp keys/vpn.sicosoft.es.crt  /etc/openvpn/vpn.sicosoft.es.crt
mkdir /etc/openvpn/private
chmod 500 /etc/openvpn/private
mv keys/vpn.sicosoft.es.key /etc/openvpn/private/vpn.sicosoft.es.key
chmod 400 /etc/openvpn/private/vpn.sicosoft.es.key
vi /etc/openvpn/server.conf

--- /usr/local/share/examples/openvpn/sample-config-files/server.conf   Tue Jul 23 16:16:46 2013
+++ /etc/openvpn/server.conf    Tue Sep  2 11:00:13 2014
@@ -29,11 +29,11 @@
 # on the same machine, use a different port
 # number for each one.  You will need to
 # open up this port on your firewall.
-port 1194
+port 80
 
 # TCP or UDP server?
-;proto tcp
-proto udp
+proto tcp
+;proto udp
 
 # "dev tun" will create a routed IP tunnel,
 # "dev tap" will create an ethernet tunnel.
@@ -50,7 +50,7 @@
 # unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
 ;dev tap
-dev tun
+dev tun0
 
 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel if you
@@ -75,16 +75,16 @@
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
-ca ca.crt
-cert server.crt
-key server.key  # This file should be kept secret
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/vpn.sicosoft.es.crt
+key /etc/openvpn/private/vpn.sicosoft.es.key  # This file should be kept secret
 
 # Diffie hellman parameters.
 # Generate your own with:
 #   openssl dhparam -out dh1024.pem 1024
 # Substitute 2048 for 1024 if you are using
 # 2048 bit keys. 
-dh dh1024.pem
+dh /etc/openvpn/dh1024.pem
 
 # Configure server mode and supply a VPN subnet
 # for OpenVPN to draw client addresses from.
@@ -184,7 +184,7 @@
 # (The OpenVPN server machine may need to NAT
 # or bridge the TUN/TAP interface to the internet
 # in order for this to work properly).
-;push "redirect-gateway def1 bypass-dhcp"
+push "redirect-gateway def1 bypass-dhcp"
 
 # Certain Windows-specific network settings
 # can be pushed to clients, such as DNS
@@ -192,8 +192,8 @@
 # http://openvpn.net/faq.html#dhcpcaveats
 # The addresses below refer to the public
 # DNS servers provided by opendns.com.
-;push "dhcp-option DNS 208.67.222.222"
-;push "dhcp-option DNS 208.67.220.220"
+push "dhcp-option DNS 3.0.1.51"
+push "dhcp-option DNS 3.0.1.170"
 
 # Uncomment this directive to allow different
 # clients to be able to "see" each other.
@@ -252,7 +252,7 @@
 
 # The maximum number of concurrently connected
 # clients we want to allow.
-;max-clients 100
+max-clients 2
 
 # It's a good idea to reduce the OpenVPN
 # daemon's privileges after initialization.

pass out on $INT_NIC from 10.8.0.0/24 to any nat-to ($INT_NIC)

sh -c "sleep 20 ; exec /usr/local/sbin/openvpn --daemon --config /etc/openvpn/se
rver.conf" &

apt-get install linux-headers-amd64 build-essential dkms
cd /usr/src/
mkdir rtl8192cu-fixes
cd rtl8192cu-fixes/
git clone https://github.com/pvaret/rtl8192cu-fixes.git
dkms add ./rtl8192cu-fixes
dkms install 8192cu/1.9
depmod -a
cp ./rtl8192cu-fixes/blacklist-native-rtl8192.conf /etc/modprobe.d/
reboot
cd /usr/src/
rm -rf wpa-1.1/
dpkg-source -x wpa*dsc
cd wpa-1.1/
patch -Np1 < ../hostapd-rtl871xdrv/rtlxdrv.patch 
vi src/wps/wps_registrar.c
# comentamos las líneas 512-516
# básicamente son dos "methods &= "...
cp /dev/tty /tmp/newchangelog
cat <<'EOF' >/tmp/newchangelog
wpa (1.1-1rt8192cu) unstable; urgency=medium

  * apply rt8192cu patches, https://github.com/pritambaral/hostapd-rtl871xdrv 

 -- Dario Rodriguez <dario@softhome.net>  Tue, 15 Jul 2014 09:29:52 +0100

EOF
cp debian/changelog /tmp
cat /tmp/newchangelog /tmp/changelog debian/changelog
sed -i "/cp.*hostapd..config/d" debian/rules
sed -i "s:hostapd/.config::g" debian/rules
cp ../hostapd-rtl871xdrv/.config hostapd/
cp ../hostapd-rtl871xdrv/*.[ch] src/drivers/
vi src/drivers/driver_rtw.c # comentar el include del "linux_wext.h" y
                            # descomentar rel anterior de "wireless_copy.h"
fakeroot debian/rules binary
cp ./debian/hostapd/usr/sbin/hostapd /usr/sbin/hostapd
/usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
/etc/init.d/udhcpd restart
/etc/init.d/firewall restart

apt-get install wpasupplicant hostapd bridge-utils wireless-regdb \
   iw wireless-tools usbutils psmisc crda apt-utils dialog
sed -i "s/jessie main\$/jessie main contrib non-free/g" \
   /etc/apt/sources.list
apt-get update
apt-get install firmware-atheros firmware-realtek

 /etc/hostapd/hostapd.conf

interface=wlan0
bridge=br0
driver=rtl871xdrv
device_name=RTL8192CU
manufacturer=Realtek
hw_mode=g
ieee80211n=1
wmm_enabled=1
channel=2
country_code=ES
ieee80211d=1
ssid=WiFiAp
auth_algs=3
wpa=3
wpa_passphrase=contake
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
macaddr_acl=0
ht_capab=[HT20][SHORT-GI-20]
eap_reauth_period=360000000
ignore_broadcast_ssid=0

chmod 640 /etc/hostapd/hostapd.conf
cd /etc/init.d/
mv hostapd hostapd.disabled
cd /etc/network
mv interfaces interfaces.stock-backup

 /etc/network/interfaces

auto lo eth0
iface lo inet loopback
iface eth0 inet static
        address 3.0.1.3
        gateway 3.0.1.51
        network 3.0.1.0
        netmask 255.255.255.0
        broadcast 3.0.1.255
        post-up /bin/sleep 10 ; /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
        pre-down /usr/bin/killall hostapd
iface wlan0 inet static
        address 192.168.3.5
        network 192.168.3.0
        gateway 192.168.3.0
        netmask 255.255.255.0
        broadcast 192.168.3.255

apt-get install udhcpd
vi /etc/default/udhcpd #(<--enable daemon)
cd /etc
scp root@3.0.1.46:/shared/unix/chroots/phonedevel/etc/udhcpd.conf .
cd init.d/
scp root@3.0.1.46:/shared/unix/chroots/phonedevel/etc/init.d/firewall .
sed -i "s/ath0/wlan0/g" firewall
vi networking #(<--add a call to firewall after start/restart)

cd /usr/src
apt-get source hostapd
apt-get build-dep hostapd
git clone https://github.com/pritambaral/hostapd-rtl871xdrv.git
cd wpa-1.1
patch -Np1 < ../hostapd-rtl871xdrv/rtlxdrv.patch 
cat src/wps/wps_registrar.c.rej
vi src/wps/wps_registrar.c # comentamos las líneas 512-516
                           # básicamente son dos "methods &= "...
cp /dev/tty /tmp/newchangelog
cat <<'EOF' >/tmp/newchangelog
wpa (1.1-1rt8192cu) unstable; urgency=medium

  * apply rt8192cu patches, https://github.com/pritambaral/hostapd-rtl871xdrv 

 -- Dario Rodriguez <dario@softhome.net>  Tue, 15 Jul 2014 09:29:52 +0100

EOF
cp debian/changelog /tmp
cat /tmp/newchangelog /tmp/changelog debian/changelog
sed -i "/cp.*hostapd..config/d" debian/rules
sed -i "s:hostapd/.config::g" debian/rules
cp ../hostapd-rtl871xdrv/.config hostapd/
cp ../hostapd-rtl871xdrv/*.[ch] src/drivers/
vi src/drivers/driver_rtw.c # comentar el include del "linux_wext.h" y
                            # descomentar rel anterior de "wireless_copy.h"
fakeroot debian/rules binary
cd ..
dpkg -i hostapd_1.1-1rt8192cu_amd64.deb
echo hostapd hold | dpkg --set-selections
dpkg -i wpasupplicant_1.1-1rt8192cu_amd64.deb
echo wpasupplicant hold | dpkg --set-selections

[hostname.em0]
inet 3.0.1.51 255.255.255.0
!/sbin/route add 16.0.62.18 3.0.1.42
[hostname.pppoe0]
inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev vlan6 authproto pap \
        authname adslppp@telefonicanetpa authkey adslppp up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/usr/bin/pkill named
!/usr/sbin/named -t /var/named -u named
[hostname.re0]
up
[hostname.vlan6]
vlan 6 vlandev re0

set limit states 100000
set skip on lo
block           # block stateless traffic
pass            # establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
SYN_ONLY="S/FSRA"
EXT_NIC="pppoe0"
INT_NIC="em0"
EXT_IP="80.28.211.112"
INT_IP="3.0.1.51"
INT_IP2="3.0.1.52"
TCP_SERVICES="{ 22, 25, 53, 443 }"
UDP_SERVICES="{ 53 }"
ICMP_TYPES="echoreq"
match on $EXT_NIC scrub (max-mss 1440)
block return-rst in log on $EXT_NIC proto TCP all
   pass in on $EXT_NIC proto TCP from any to $EXT_IP port $TCP_SERVICES flags $S
YN_ONLY keep state
block in on $EXT_NIC proto udp all
   pass in quick on $EXT_NIC proto UDP from any to $EXT_IP port $UDP_SERVICES ke
ep state
pass in inet proto icmp all icmp-type $ICMP_TYPES
block out on $EXT_NIC all
   pass out quick on $EXT_NIC from $EXT_IP to any keep state
pass in on $EXT_NIC proto tcp from any to any port 25 rdr-to 3.0.1.124
pass in on $EXT_NIC proto tcp from any to any port 443 rdr-to 3.0.1.124
pass out on $EXT_NIC from 3.0.1.0/24 to any nat-to $EXT_IP
set skip on lo0
set skip on $INT_NIC

net.inet.tcp.mssdflt=1452
net.inet.tcp.recvspace=131072
net.inet.tcp.sendspace=131072
net.inet.udp.recvspace=139264
net.inet.udp.sendspace=32768
net.inet.ip.forwarding=1

/var/named/named.conf

//...
options {
        version "";     // remove this to allow version queries

        listen-on    { any; };
        listen-on-v6 { none; };

        empty-zones-enable yes;

        //allow-recursion { clients; };
        allow-recursion { 127.0.0.1; 3.0.1.0/24; };
};

logging {
        category lame-servers { null; };
};

include "/etc/named.conf.local";

//...

etc/named.conf.local

acl trusted-servers {
    79.98.145.34;
};

zone "sicosoft.es" {
        type master;
        file "/zones/sicosoft.es.db";
        allow-transfer { 79.98.145.34; };
        also-notify { 79.98.145.34; };
};

 zones/sicosoft.es.db

$TTL 86400
sicosoft.es. IN SOA ns1.sicosoft.es. hostmaster.sicosoft.es. 2014022101 7200 1800 2419200 5400

sicosoft.es. IN  NS      ns1.sicosoft.es.
sicosoft.es. IN  NS      ns2.sicosoft.es.
sicosoft.es. IN  NS      ns3.sicosoft.es.
sicosoft.es. IN  MX      10      mail.sicosoft.es.
sicosoft.es. IN  MX      20      mail2.sicosoft.es.

mail    IN      A       80.28.211.112
mail2   IN      A       80.28.221.188
sico    IN      A       80.28.221.188
sico2   IN      A       80.28.211.112

ns1     86400 IN        A       80.28.211.112
ns2     86400 IN        A       80.28.221.188
ns3     86400 IN        A       79.98.145.34

/etc/rc.conf.local

#!/bin/sh -
multicast_router=YES
named_flags=""

pkill named
 named

 /etc/rc.conf.local
 #named_flags=""

 /etc/rc.local
 sh -c "sleep 20 ; exec named" &

net.inet.tcp.mssdflt=1452
net.inet.tcp.recvspace=131072
net.inet.tcp.sendspace=131072
net.inet.udp.recvspace=139264
net.inet.udp.sendspace=32768

multicast_router=YES

• PF: Network Address Translation (NAT)
• PF: Redirection (Port Forwarding)
• Newbie guide to setting up a PF firewall
• firewall example for small office
• Antiguo: OpenBSD as a simple NAT router

net.inet.ip.forwarding=1

 # sysctl net.inet.ip.forwarding=1

• instalar rp-pppoe, vlan y ppp
• configurar el interfaz ppp para que arranque (con las claves corespondientes en /etc/ppp/chap-secrets y /etc/ppp/pap-secrets )

• poner el .ssh/authorized_keys de la clave de metro@shirka
• poner el .hushlogin
• cambiar la script de connect para que se conecte al sitio requerido
• cambiar el /etc/passwd para que el shell sea /home/nombreusuario/connect

#!/bin/sh
#
# start/stop maintdserver forward daemon.

### BEGIN INIT INFO
# Provides:          maintdserver
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     S 2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start maintdserver port forward
# Description:       maintdserver port forward
#                    (does an ssh to maintd@16.0.62.18)
### END INIT INFO

test -f /usr/bin/socat || exit 0

/usr/bin/sudo -u metro /usr/bin/socat TCP4-LISTEN:9510,fork EXEC:"/usr/bin/ssh maintd@16.0.62.18" &

 /chroot/etc/rcS.d/S47sico_maintdserver

#!/bin/sh
exec /usr/local/bin/nc localhost 9510

 /chroot/etc/rcS.d/S47sico_maintdserver

%	SOA % hostmaster@% 2011121301 7200 3600 604800 1800 ~

%	NS dns1.% ~
%	NS dns2.% ~

dns1.%		A 80.28.221.188 ~
dns2.%		A 80.37.72.228 ~

internetti.%	A 80.28.221.188 ~
sico.%		A 80.28.221.188 ~
sico2.%		A 80.37.72.228 ~
shirka.%	A 80.37.72.228 ~

mail.%		CNAME sico.% ~
mail2.%		CNAME sico.% ~

%		MX 10 mail2.% ~

• Security by default: Como suprimir el router de Telefónica en FTTH (para CentOS).
• para el /etc/network/interfaces: Cómo usar VLANs en Debian/Ubuntu.
• para cómo levantarlo "manualmente" Debian Wiki: NetworkConfiguration
• En caso de tener problemas con los módulos de pppoe en el núcleo, ver aquí

 /etc/maradns/db.sicosoft.es

 hostlist dont_relay_from_hosts = ; 3.0.1.51/32 ; 3.0.1.45/32

• Se ha conectado dicho ADSL a la interfaz de red recundaria de shirka.
• Añadido al /etc/network/interfaces de shirka de la eth1 con la IP 192.168.0.1 y el default gateway 192.168.0.2 (el adsl, vamos).
• Se ha añadido el usuario ana
• Se ha configurado el /etc/security/access.conf para inhibir el acceso desde el exterior a los usuarios root, isa y metro.
• Se ha descomentado en /etc/pam.d la línea del pam_access.so de login y de sshd.

• un bucket por cada IP de la ofi
• marcar cada paquete saliente con la IP de origen de la ofi
• llevar el paquete a su bucket (esto lo hace solo, se supone)
• que todos los buckets tenga la misma prioridad (que haga un round-robin, vamos).

internetti# /etc/init.d/rutas.infoglobal on

internetti# /etc/init.d/rutas.infoglobal off

1. Añadir al firewall de internetti la nueva "RED_CIPE" a la lista (en el caso de ana es la 6).
2. Reiniciar el firewall
3. Añadir en internetti a /etc/vtund.conf una nueva conxión (tipo tcp, etc, etc).
4. Instalar en iris el vtun
5. Instalar en un fichero de arranque de iris el que cargue el módulo tun (en iris lo he puesto en /etc/rc.boot, pero lo normal es añadirlo a /etc/modules)
6. poner en iris un /etc/vtun.conf con la nueva conexión (copiada del de internetti pero cambiando el peer y añadiendo otro route para la red 3.0.1.x)
7. poner en iris un /etc/vtund-start.conf con la siguiente línea:
   internetti-anaportatil 80.37.72.228 -P 6544
8. Hacer en iris un /etc/init.d/vtun restart

1. editar en guagua el /etc/vtund-start.conf para que ponga la ip de sico2 en vez de la de sicoold
2. reiniciar en guagua el tunel con un /etc/init.d/vtun restart

1. Habilitar que el adsl1 (sico2) forwardee el puerto 6544 a internetti
2. cambiar en portalico la ip del peer a la de sico2
3. hacer el enlace en internetti desde /dev/misc/net/tun a /dev/net/tun (ya que faltaba, y resulta que es ese el que usa el vtun)
4. reiniciar el vtun en internetti
5. reiniciar el vtun en portalico

• "modprobe slhc", y si ese no funciona "insmod slhc.o"
• "modprobe hisax"
• "/etc/init.d/isdnutils stop"
• "/etc/init.d/isdnutils start"

• Copiar de internetti /home/ana/vtun (que también dejo aquí: vtun-sico.tar.gz)
• Instalar el vtun*.deb
• copiar el vtund a /usr/sbin y darle permisos de ejecución, copiar el tun.o al directorio de módulos (/lib/modules/2.2.18/misc/)
• poner en /etc/modutils/vtun la línea (sin comillas) "alias char-major-90 tun" y hacer un update-modules
• hacer un "depmod -a"
• usar el firewall.guagua como ejemplo y hacer un /etc/init.d/firewall.nombreordenador con él.
• usar el vtund.conf y el vtund-start.conf como puntos de partida para los ficheros homónimos de /etc
• poner en internetti ese nuevo túnel en el /etc/vtund.conf
• reiniciar el demorio de internetti (matando los vtund y ejecutando "vtund-start start")
• reiniciar el demonio en el ordenador satélite (de la misma manera que en internetti)
• ver si ha habido algún error en /var/log/daemon.log

• http://linux.oreillynet.com/pub/a/linux/2001/09/27/pamintro.html
• http://linux.oreillynet.com/lpt/a/1263

Descripción del proyecto

• Securing Linux, Part 3: Hardening the system (IBM developerWorls)
• Bastille Linux

Attachs

Link to this Page

• Mantenimiento de DNS y correo de sico last edited on 19 January 2026 at 9:20:05 am by 3.0.1.3