WIP.

diff --git a/all_new_2018/apt-mark/server b/all_new_2018/apt-mark/server
index d3a23331484938fd97d85f3f878490ff0f17ad15..4f7fc5d2e1beb415593090dee906edcf540ee400 100644 (file)
--- a/all_new_2018/apt-mark/server
+++ b/all_new_2018/apt-mark/server
@@ -2,10 +2,6 @@
 openssh-server
 # provides /etc/inputrc and understanding of ctrl+arrow key combos
 readline-common
-# provides letsencrypt
-certbot
-# for letsencrypt renewal
-cron
 # provides systemd scripts that configure iptables via /etc/iptables/*
 iptables-persistent
 # this line is here because the shell "read" in install_for_target.sh ignores lines without final newline
\ No newline at end of file

diff --git a/all_new_2018/letsencrypt_local_set.sh b/all_new_2018/letsencrypt_local_set.sh
index a308ddcc444c58eba27d9ca7130ea393e2fab729..5fdf7036b5596c5267f653094826e2e6cb028357 100755 (executable)
--- a/all_new_2018/letsencrypt_local_set.sh
+++ b/all_new_2018/letsencrypt_local_set.sh
@@ -8,6 +8,9 @@ if [ $# -lt 1 ]; then
 fi
 mail_address="$1"
 
+# We need certbot to get LetsEncrypt certificates.
+apt install -y certbot
+
 # If port 80 blocked by iptables, open it.
 set +e
 iptables -C INPUT -p tcp --dport 80 -j ACCEPT

diff --git a/all_new_2018/linkable_etc_files/mail/etc/iptables/rules.v4 b/all_new_2018/linkable_etc_files/mail/etc/iptables/rules.v4
new file mode 100644 (file)
index 0000000..7fb4279
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/iptables/rules.v4
@@ -0,0 +1,22 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+# otherwise self-referential connections to local host will fail
+-A INPUT -i lo -j ACCEPT
+# this enables ping etc.
+-A INPUT -p icmp -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# HTTPS in theory, in practice my second SSH port, see sshd_config
+-A INPUT -p tcp --dport 443 -j ACCEPT
+# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
+-A INPUT -p tcp --dport 25 -j ACCEPT
+# SMTPS, for mail server to mail user agent communication
+-A INPUT -p tcp --dport 465 -j ACCEPT
+# IMAPS
+-A INPUT -p tcp --dport 993 -j ACCEPT
+COMMIT
+# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file

diff --git a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
index 7eff1b0d1f969f7cec333eca9a65d96fadb77d66..6899ef68078f8ff4aacf9819a04d516858b91e19 100644 (file)
--- a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
+++ b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
@@ -4,21 +4,13 @@
 :OUTPUT ACCEPT [0:0]
 # otherwise self-referential connections to local host will fail
 -A INPUT -i lo -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 # this enables ping etc.
 -A INPUT -p icmp -j ACCEPT
 # SSH
 -A INPUT -p tcp --dport 22 -j ACCEPT
-# HTTP; uncomment for creating LetsEncrypt certificates in standalone mode.
-#-A INPUT -p tcp --dport 80 -j ACCEPT
 # HTTPS in theory, in practice my second SSH port, see sshd_config
 -A INPUT -p tcp --dport 443 -j ACCEPT
-# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
--A INPUT -p tcp --dport 25 -j ACCEPT
-# SMTPS, for mail server to mail user agent communication
--A INPUT -p tcp --dport 465 -j ACCEPT
-# IMAPS
--A INPUT -p tcp --dport 993 -j ACCEPT
-# tolerate any inbound connections requested by our server, no matter the port
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 COMMIT
 # this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file