From a934e22f0ea1bf0420351fb1063aa9a559fa71d7 Mon Sep 17 00:00:00 2001
From: xdrm-brackets
Date: Wed, 10 May 2017 15:37:34 +0200
Subject: [PATCH] [update] added firewall rules
---
 clone/clone | 5 ++++
 clone/utility/iptables | 23 ++++++++++++++++++
 clone/utility/sats-install | 48 +++++++++++++++++++++-----------------
 3 files changed, 55 insertions(+), 21 deletions(-)
 create mode 100644 clone/utility/iptables

diff --git a/clone/clone b/clone/clone
index 567fab5..b750f04 100755
--- a/clone/clone
+++ b/clone/clone
@@ -238,6 +238,11 @@ step6(){
 sudo chown 666:666 /mnt/home/sats/.ssh/config;
 sudo chmod 444 /mnt/home/sats/.ssh/config;
+ # (9) Copy firewall rules
+ echo " (.) Copying firewall rules";
+ sudo cp ./utility/iptables /mnt/home/pi/iptables;
+ sudo chown 1000:1000 /mnt/home/pi/iptables;
+ sudo chmod 550 /mnt/home/pi/iptables;
 echo "<<< done";
 step7;
diff --git a/clone/utility/iptables b/clone/utility/iptables
new file mode 100644
index 0000000..d19c647
--- /dev/null
+++ b/clone/utility/iptables
@@ -0,0 +1,23 @@
+# reset defaults
+iptables -F;
+iptables -P OUTPUT DROP;
+iptables -P FORWARD DROP;
+iptables -P INPUT DROP;
+
+# maintenance
+iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
+iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT;
+
+# SMMP-server
+iptables -A INPUT -p tcp -m tcp --sport 22 -j ACCEPT;
+iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT;
+
+# SMMP
+iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT;
+iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT;
+
+# dns
+iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
+iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
+iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
+iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
\ No newline at end of file
diff --git a/clone/utility/sats-install b/clone/utility/sats-install
index 6d93656..fc417b4 100644
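Review bot: The rules file copied here ends up owned by uid 1000 (`sudo chown 1000:1000 /mnt/home/pi/iptables`) while sats-install later runs it as root with `sudo sh /home/pi/iptables`, so the pi account becomes a root-execution path at every boot: an owner can always chmod its own file back to writable, which makes the `chmod 550` no protection. A file that root executes should be root-owned and unwritable by anyone else: `sudo chown 0:0 /mnt/home/pi/iptables;` and `sudo chmod 0400 /mnt/home/pi/iptables;` (it is invoked through `sh`, so no execute bit is needed). The enclosing step6 begins before and ends after this hunk.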
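Review bot: The INPUT chain accepts any packet whose source port is 22 or 443 (`iptables -A INPUT -p tcp -m tcp --sport 22 -j ACCEPT` and the 443 twin) with no connection-state match, so the default DROP policy does not actually shield any local port from a remote host that simply sends from one of those two source ports; the `--sport 22` OUTPUT rule and the stateless `--dport 22` INPUT rule have the mirror problem. Reply traffic should be admitted by connection tracking rather than by port number, and loopback needs an explicit ACCEPT, because DROP policies on both chains also break anything on the host that talks to 127.0.0.1 (the local resolver included). Since sats-install clones from `ssh://smmp-server/...`, the outbound 22 rule could further be pinned with `-d <smmp-server address>` (placeholder) rather than allowing ssh to anywhere. A rewrite along these lines keeps the same port set (22 in for maintenance; 22, 443, 53 out) but only lets tracked flows back in:
```shell
# … unchanged: reset defaults (flush + DROP policies) …

# loopback and tracked return traffic
iptables -A INPUT -i lo -j ACCEPT;
iptables -A OUTPUT -o lo -j ACCEPT;
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP;

# maintenance: inbound ssh only
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT;

# SMMP-server (ssh) and SMMP (https): outbound only
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT;
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT;

# dns: outbound only, replies come back via ESTABLISHED
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT;
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT;
```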
--- a/clone/utility/sats-install
+++ b/clone/utility/sats-install
@@ -2,27 +2,33 @@ #@@@@#
-# [1] Set random passwords for 'sats'
-test ! -e /target/install && sudo -u sats echo "First Boot" >> /home/sats/satsd/log/sats-install || sudo -u sats echo "Normal Boot" >> /home/sats/satsd/log/sats-install;
-sudo -u sats echo "============" >> /home/sats/satsd/log/sats-install;
+
+# [1] Set up firewall
+sudo sh /home/pi/iptables;
+echo "Set firewall rules" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
+
+# [2] Start ssh service
+sudo systemctl start ssh;
+echo "started ssh service" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
+
+# [3] Set random passwords for 'sats'
+test ! -e /target/install && echo "First Boot" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
+test -e /target/install && echo "Normal Boot" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
+echo "============" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
 echo "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd sats;
-sudo -u sats echo "sats password changed" >> /home/sats/satsd/log/sats-install;
+echo "sats password changed" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
-# [2] Set random passwords for 'pi' itself
+# [4] Set random passwords for 'pi' itself
 RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
 echo "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd pi;
-sudo -u sats echo "pi password changed" >> /home/sats/satsd/log/sats-install;
+echo "pi password changed" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
-# [3] Start ssh service
-sudo systemctl start ssh;
-sudo -u sats echo "started ssh service" >> /home/sats/satsd/log/sats-install;
-
-# [4] Try to install necessary packages
+# [5] Try to install necessary packages
 sudo apt-get update;
-sudo -u sats echo "package update done" >> /home/sats/satsd/log/sats-install;
+echo "package update done" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 sudo apt-get -y install git php5 php5-cli php5-curl python-dev;
-sudo -u sats echo "package install done" >> /home/sats/satsd/log/sats-install;
+echo "package install done" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
@@ -34,17 +40,17 @@ if [ ! -e /target/install ]; then
 dpkg -s git 2>/dev/null >/dev/null && gitinstalled=1 || gitinstalled=0;
- BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch);
+ BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch) > /dev/null;
 # (1) With git if installed #
 if [ $gitinstalled -eq 1 ]; then
- echo "cloning source.." >> /home/sats/satsd/log/sats-install;
+ echo "cloning source.." | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 sudo -u sats git clone -b $BRANCH ssh://smmp-server/satsd/git /home/sats/satsd/source \
 && sudo -u sats touch /target/install \
 || exit;
- echo "..done" >> /home/sats/satsd/log/sats-install;
+ echo "..done" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 fi;
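Review bot: `sudo sh /home/pi/iptables;` is followed by an unconditional "Set firewall rules" log line, so the log records success even when the rules script failed; because that script installs DROP policies before any ACCEPT rule, a partial failure leaves the host unreachable before ssh is even started in step [2], and nothing in install.log will say why. Log the real outcome instead, e.g. `sudo sh /home/pi/iptables && fw_msg="Set firewall rules" || fw_msg="FAILED to set firewall rules (status $?)";` followed by `echo "$fw_msg" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;`. The same success-regardless-of-status logging appears at `"..done"` in the next hunk and at `"Built SPI-Py lib"` / `"Created target file"` in the last hunk.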
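Review bot: The `> /dev/null` added to `BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch) > /dev/null;` redirects the stdout of a bare assignment, which emits nothing, so it silences nothing and only obscures the intent; if the aim was to keep a `cat` error off the console it belongs inside the substitution, `BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch 2>/dev/null);`. More useful is to stop when the branch file is missing or empty instead of reaching the clone with an empty `-b`: `[ -n "$BRANCH" ] || exit 1;` before the `if`, and `"$BRANCH"` quoted where it is passed to git. The enclosing `if [ ! -e /target/install ]` block starts before this hunk.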
@@ -52,22 +58,22 @@ if [ ! -e /target/install ]; then
 # (2) Enable SPI device #
 echo "dtparam=spi=on" | sudo tee -a /boot/config.txt > /dev/null;
 echo "dtoverlay=spi-bcm2708" | sudo tee -a /boot/config.txt > /dev/null;
- sudo -u sats echo "enabled SPI device" >> /home/sats/satsd/log/sats-install;
+ echo "enabled SPI device" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 # (3) Clone SPI python library #
 sudo git clone https://github.com/lthiery/SPI-Py.git /home/pi/spi-lib;
- sudo -u sats echo "Cloned SPI-Py lib" >> /home/sats/satsd/log/sats-install;
+ echo "Cloned SPI-Py lib" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 # (4) Install SPI python library #
 cd /home/pi/spi-lib;
 sudo python setup.py build;
 sudo python setup.py install;
- sudo -u sats echo "Built SPI-Py lib" >> /home/sats/satsd/log/sats-install;
+ echo "Built SPI-Py lib" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 # (4) Reboot to activate SPI #
 sudo -u sats touch /target/install;
- sudo -u sats echo "Created target file" >> /home/sats/satsd/log/sats-install;
- sudo -u sats echo "Launching first reboot" >> /home/sats/satsd/log/sats-install;
+ echo "Created target file" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
+ echo "Launching first reboot" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
 sudo reboot;
 fi;