update nftables torrc host config read me add sshd config
This commit is contained in:
parent
7e86c93941
commit
0ed65c2091
@ -2,9 +2,9 @@
|
||||
|
||||
## Debian
|
||||
|
||||
### Create VM
|
||||
### Create VM (from local computer/workstation)
|
||||
- `ssh-keygen -t ed25519 -f ~/.ssh/myhub`
|
||||
- Create VM and use public key from `~/.ssh/myhub.pub`
|
||||
- Create VM (however you need to) and use public key from `~/.ssh/myhub.pub`
|
||||
- `ssh-keyscan <ip_address_of_vm> >> ~/.ssh/known_hosts`
|
||||
- create `~/.ssh/config` and add the following
|
||||
|
||||
@ -49,7 +49,8 @@ Host myhub
|
||||
- `cd docker-hybrid/host`
|
||||
|
||||
### Packages
|
||||
- `sudo apt -y install docker.io nftables tcpdump mtr tor git`
|
||||
- `sudo apt -y install docker.io nftables tcpdump mtr tor git python3-pip`
|
||||
- `pip3 install docker-compose`
|
||||
|
||||
### Configuration files
|
||||
- `cp tor/torrc /etc/tor/torrc`
|
||||
@ -67,8 +68,19 @@ Host myhub
|
||||
- `ip link add docker0 type bridge`
|
||||
- `ip link set docker0 up`
|
||||
- `ip addr add 100.64.63.129/25 dev docker0`
|
||||
#### Enable docker service at boot
|
||||
- `systemctl enable docker`
|
||||
- `systemctl start docker`
|
||||
|
||||
#### Harden SSH daemon
|
||||
- `cp ssh/sshd_config /etc/sshd_config`
|
||||
- `chattr +i /etc/ssh/sshd_config`
|
||||
- `echo "authorized access only" > /etc/issue.net`
|
||||
- `chattr +i /etc/issue.net`
|
||||
- `systemctl restart sshd`
|
||||
|
||||
#### Boot network configuration
|
||||
- This step ensures that the WAN interface name will match the pre-defined values in the provided nftables scripts
|
||||
- create `/etc/systemd/network/50-WAN.link` and add the following
|
||||
|
||||
```
|
||||
@ -130,7 +142,6 @@ LLMNR=false
|
||||
- `chattr +i /etc/systemd/network/50-WAN.link`
|
||||
- `chattr +i /etc/systemd/network/51-WAN.network`
|
||||
- `systemctl enable systemd-networkd`
|
||||
- `sync ; sync ; /sbin/reboot -f`
|
||||
- Re-SSH the host, CWD to `docker-hybrid/host`
|
||||
- `cp nftables/nftables.rules /etc/nftables.conf`
|
||||
- `chattr +i /etc/nftables.conf`
|
||||
- reboot (smoke test)
|
||||
|
@ -1 +1 @@
|
||||
DOCKER_OPTS="--iptables=false --ip-masq=false --bip=100.64.63.129/25 --fixed-cidr=100.64.63.128/25 --default-address-pool base=100.64.15.128/25,size=29"
|
||||
DOCKER_OPTS="--userns-remap=default --iptables=false --ip-masq=false --bip=100.64.63.129/25 --fixed-cidr=100.64.63.128/25 --default-address-pool base=100.64.15.128/25,size=29"
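Review bot: `--userns-remap=default` on the new DOCKER_OPTS line makes dockerd use a separate storage root under /var/lib/docker named after the remapped uid.gid, so images and containers pulled before this change are no longer visible to the daemon and any bind-mounted host directories must be owned by the subordinate range; neither consequence is mentioned in the commit title or in the README steps of this commit. With `default`, Docker creates the `dockremap` user and its /etc/subuid and /etc/subgid ranges on first start, but that precondition and the storage-root change deserve a comment next to the option, e.g. `# userns-remap: container root maps to the dockremap subordinate uid/gid range; the pre-existing image store is not reused`. The file name is not visible in this section, so whether `#` comments are accepted is inferred from the shell-style assignment.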
|
||||
|
@ -1,4 +1,4 @@
|
||||
table ip hybrid {
|
||||
table ip filter {
|
||||
chain POSTROUTING {
|
||||
type nat hook postrouting priority 0; policy accept;
|
||||
oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
|
||||
@ -50,13 +50,13 @@ table ip hybrid {
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFFWD: " comment "forward unmatched log";
|
||||
counter drop comment "forward dropped";
|
||||
}
|
||||
|
||||
chain output {
|
||||
type filter hook output priority 0; policy drop;
|
||||
ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
|
||||
udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
|
||||
oifname "WAN" counter accept comment "* via default interface";
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
|
||||
counter drop comment "output dropped";
|
||||
oifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept comment "* via loop-back";
|
||||
ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
|
||||
udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
|
||||
oifname "WAN" counter accept comment "* via default interface";
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
|
||||
counter drop comment "output dropped";
|
||||
}
|
||||
}
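Review bot: The new loopback rule `oifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept` only matches 127/8 on both sides, yet packets the host sends to its own non-loopback addresses (for example docker0's 100.64.63.129 from the README) also leave via lo carrying those addresses, so under `policy drop` they fall through to the `NFOUT:` log and the unmatched drop; if all host-local traffic is meant to pass, `oifname "lo" counter accept comment "* via loop-back";` is the rule, otherwise a comment should state why only 127/8 is allowed. Renaming `table ip hybrid` to `table ip filter` in the first hunk also reuses the table name that the iptables-nft compatibility layer creates for `iptables -t filter`, so any tool on the host that still calls iptables will insert into, or flush, this same table; `--iptables=false` in DOCKER_OPTS covers Docker but not other callers, so a comment recording that the name collision is deliberate would help. The second nftables file section (hunks at `@ -1,4 +1,4 @@` and `@ -44,13 +44,13 @@`) carries the identical rename and loopback rule and the same points apply there.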
|
||||
|
@ -1,4 +1,4 @@
|
||||
table ip hybrid {
|
||||
table ip filter {
|
||||
chain POSTROUTING {
|
||||
type nat hook postrouting priority 0; policy accept;
|
||||
oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
|
||||
@ -44,13 +44,13 @@ table ip hybrid {
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFFWD: " comment "forward unmatched log";
|
||||
counter drop comment "forward dropped";
|
||||
}
|
||||
|
||||
chain output {
|
||||
type filter hook output priority 0; policy drop;
|
||||
ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
|
||||
udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
|
||||
oifname "WAN" counter accept comment "* via default interface";
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
|
||||
counter drop comment "output dropped";
|
||||
oifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept comment "* via loop-back";
|
||||
ct state invalid counter jump INVALID comment "(CT) invalid on OUTPUT chain";
|
||||
udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
|
||||
oifname "WAN" counter accept comment "* via default interface";
|
||||
limit rate 15/second burst 3 packets counter log prefix "NFOUT: " comment "output unmatched log";
|
||||
counter drop comment "output dropped";
|
||||
}
|
||||
}
|
||||
|
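--- /dev/null
+++ b/host/ssh/sshd_config
@@ -0,0 +1,28 @@
+Port 22
+AddressFamily any
+ListenAddress ::
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+LoginGraceTime 10s
+PermitRootLogin yes
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 5
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PrintLastLog yes
+TCPKeepAlive yes
+PermitTunnel no
+Banner /etc/issue.net
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL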
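Review bot: `PermitRootLogin yes` sits in a file the README introduces under "Harden SSH daemon", and the torrc change in this same commit publishes this daemon as an onion service on port 22, so direct root login becomes reachable without per-user attribution; `PermitRootLogin prohibit-password` keeps the key-only posture explicit, and `no` plus an unprivileged admin user is the stricter option. `MaxAuthTries 1` counts every public key the client offers that is not in authorized_keys as a failed attempt, so a client with several identities loaded in ssh-agent is disconnected before the right key is tried unless its client config pins the key with IdentitiesOnly, which is not visible here. The README step in this commit copies the file with `cp ssh/sshd_config /etc/sshd_config` while the immutable flag is then set on `/etc/ssh/sshd_config`, so sshd never reads the hardened file; the step should be `cp ssh/sshd_config /etc/ssh/sshd_config` followed by `sshd -t` before `chattr +i`, since an immutable file with a syntax error leaves sshd unable to restart. A header comment naming the intended threat model (key-only, no forwarding or tunnels, banner from /etc/issue.net) would also make the choices reviewable.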
@ -1 +1,3 @@
|
||||
DNSPort 53
|
||||
DNSPort 53
|
||||
HiddenServiceDir /var/lib/tor/ssh/
|
||||
HiddenServicePort 22 127.0.0.1:22
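Review bot: The two new lines `HiddenServiceDir /var/lib/tor/ssh/` and `HiddenServicePort 22 127.0.0.1:22` expose the host's sshd as an onion service with no comment stating that intent, and the resulting address is only discoverable in `/var/lib/tor/ssh/hostname`; a comment such as `# Onion service for the local sshd (host/ssh/sshd_config); address is written to /var/lib/tor/ssh/hostname` would document it. `DNSPort 53` with no address binds 127.0.0.1 by default, so if the egress clients in 100.64.48.0/20 that the nftables rules accept DNS responses for are meant to resolve through tor, an explicit bind such as `DNSPort <bridge_ip_placeholder>:53` is needed; whether that is the intent is not visible here.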
|