From 2279599a597e4dac6e5892670847ef977513b110 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Wed, 28 Nov 2018 02:09:22 +0100
Subject: [PATCH] WIP.
---
 all_new_2018/apt-mark/server | 4 ----
 all_new_2018/letsencrypt_local_set.sh | 3 +++
 .../mail/etc/iptables/rules.v4 | 22 +++++++++++++++++++
 .../server/etc/iptables/rules.v4 | 12 ++--------
 4 files changed, 27 insertions(+), 14 deletions(-)
 create mode 100644 all_new_2018/linkable_etc_files/mail/etc/iptables/rules.v4
diff --git a/all_new_2018/apt-mark/server b/all_new_2018/apt-mark/server
index d3a2333..4f7fc5d 100644
--- a/all_new_2018/apt-mark/server
+++ b/all_new_2018/apt-mark/server
@@ -2,10 +2,6 @@
 openssh-server
 # provides /etc/inputrc and understanding of ctrl+arrow key combos
 readline-common
-# provides letsencrypt
-certbot
-# for letsencrypt renewal
-cron
 # provides systemd scripts that configure iptables via /etc/iptables/*
 iptables-persistent
 # this line is here because the shell "read" in install_for_target.sh ignores lines without final newline
\ No newline at end of file
diff --git a/all_new_2018/letsencrypt_local_set.sh b/all_new_2018/letsencrypt_local_set.sh
index a308ddc..5fdf703 100755
--- a/all_new_2018/letsencrypt_local_set.sh
+++ b/all_new_2018/letsencrypt_local_set.sh
@@ -8,6 +8,9 @@ if [ $# -lt 1 ]; then
 fi
 mail_address="$1"
 
+# We need certbot to get LetsEncrypt certificates.
+apt install -y certbot
+
 # If port 80 blocked by iptables, open it.
 set +e
 iptables -C INPUT -p tcp --dport 80 -j ACCEPT
diff --git a/all_new_2018/linkable_etc_files/mail/etc/iptables/rules.v4 b/all_new_2018/linkable_etc_files/mail/etc/iptables/rules.v4
new file mode 100644
index 0000000..7fb4279
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/iptables/rules.v4
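Review bot: The new `apt install -y certbot` line in letsencrypt_local_set.sh drives the `apt` front-end, which Debian documents as not having a stable command-line interface for scripts; `apt-get install -y certbot` is the scripted form, or the package could simply stay in the apt-mark list this same commit removes it from. The commit also drops `cron` from apt-mark/server, so automatic renewal now presumably rests on the certbot package's own systemd timer being enabled on the target — worth confirming, since a lapsed renewal is silent until the certificate expires. The rest of the script, including whatever `set -e` precedes the `set +e` shown here, lies outside the hunk.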
@@ -0,0 +1,22 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+# otherwise self-referential connections to local host will fail
+-A INPUT -i lo -j ACCEPT
+# this enables ping etc.
+-A INPUT -p icmp -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# HTTPS in theory, in practice my second SSH port, see sshd_config
+-A INPUT -p tcp --dport 443 -j ACCEPT
+# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
+-A INPUT -p tcp --dport 25 -j ACCEPT
+# SMTPS, for mail server to mail user agent communication
+-A INPUT -p tcp --dport 465 -j ACCEPT
+# IMAPS
+-A INPUT -p tcp --dport 993 -j ACCEPT
+COMMIT
+# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
diff --git a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
index 7eff1b0..6899ef6 100644
--- a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
+++ b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
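Review bot: The new mail rules.v4 has no companion rules.v6 in this commit, and iptables-persistent loads only IPv4 rules from this file, so if the mail host carries a global IPv6 address the ports this `:INPUT DROP` policy closes stay reachable over IPv6 under the kernel's default ACCEPT policy; unless a rules.v6 already exists elsewhere in the tree, add a matching one with an INPUT DROP policy, the lo, RELATED,ESTABLISHED and port rules, and an ICMPv6 accept (neighbour discovery needs it). The same gap applies to the server rules.v4 in the next hunk. Two smaller points: `-A INPUT -p icmp -j ACCEPT` admits every ICMP type rather than just echo-request, and the port 443 comment ("my second SSH port, see sshd_config") is copied from the server file — confirm it also holds for the mail host's sshd_config rather than being a stale copy.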
@@ -4,21 +4,13 @@
 :OUTPUT ACCEPT [0:0]
 # otherwise self-referential connections to local host will fail
 -A INPUT -i lo -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 # this enables ping etc.
 -A INPUT -p icmp -j ACCEPT
 # SSH
 -A INPUT -p tcp --dport 22 -j ACCEPT
-# HTTP; uncomment for creating LetsEncrypt certificates in standalone mode.
-#-A INPUT -p tcp --dport 80 -j ACCEPT
 # HTTPS in theory, in practice my second SSH port, see sshd_config
 -A INPUT -p tcp --dport 443 -j ACCEPT
-# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
--A INPUT -p tcp --dport 25 -j ACCEPT
-# SMTPS, for mail server to mail user agent communication
--A INPUT -p tcp --dport 465 -j ACCEPT
-# IMAPS
--A INPUT -p tcp --dport 993 -j ACCEPT
-# tolerate any inbound connections requested by our server, no matter the port
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 COMMIT
 # this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
-- 
2.30.2
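Review bot: With the commented HTTP rule gone, nothing in server rules.v4 records that port 80 is opened at runtime by letsencrypt_local_set.sh (`iptables -C INPUT -p tcp --dport 80 -j ACCEPT` in that script) and, as far as this diff shows, is not persisted here; a comment next to the 443 rule would keep that visible, e.g. `# HTTP (80) is opened transiently by letsencrypt_local_set.sh and intentionally not persisted here`. Moving the RELATED,ESTABLISHED rule ahead of the ICMP and port rules is the right order; as a point of style, iptables nowadays implements `-m state --state` as an alias of `-m conntrack --ctstate`, the documented form, and the mail rules.v4 in the previous hunk uses the same legacy spelling.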