logauth
/
setup
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[update] added firewall rules

This commit is contained in:
xdrm-brackets 2017-05-10 15:37:34 +02:00
parent 6754723fe0
commit a934e22f0e
3 changed files with 55 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
clone/clone
View File

@ -238,6 +238,11 @@ step6(){
sudo chown 666:666 /mnt/home/sats/.ssh/config;
sudo chmod 444 /mnt/home/sats/.ssh/config;
# (9) Copy firewall rules
echo " (.) Copying firewall rules";
sudo cp ./utility/iptables /mnt/home/pi/iptables;
sudo chown 1000:1000 /mnt/home/pi/iptables;
sudo chmod 550 /mnt/home/pi/iptables;
echo "<<< done";
step7;

23
clone/utility/iptables Normal file
View File

@ -0,0 +1,23 @@
# reset defaults
iptables -F;
iptables -P OUTPUT DROP;
iptables -P FORWARD DROP;
iptables -P INPUT DROP;
# maintenance
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT;
# SMMP-server
iptables -A INPUT -p tcp -m tcp --sport 22 -j ACCEPT;
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT;
# SMMP
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT;
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT;
# dns
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;

48
clone/utility/sats-install
View File

@ -2,27 +2,33 @@
#@@@@#
# [1] Set random passwords for 'sats'
test ! -e /target/install && sudo -u sats echo "First Boot" >> /home/sats/satsd/log/sats-install || sudo -u sats echo "Normal Boot" >> /home/sats/satsd/log/sats-install;
sudo -u sats echo "============" >> /home/sats/satsd/log/sats-install;
# [1] Set up firewall
sudo sh /home/pi/iptables;
echo "Set firewall rules" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
# [2] Start ssh service
sudo systemctl start ssh;
echo "started ssh service" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
# [3] Set random passwords for 'sats'
test ! -e /target/install && echo "First Boot" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
test -e /target/install && echo "Normal Boot" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
echo "============" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
echo "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd sats;
sudo -u sats echo "sats password changed" >> /home/sats/satsd/log/sats-install;
echo "sats password changed" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
# [2] Set random passwords for 'pi' itself
# [4] Set random passwords for 'pi' itself
RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
echo "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd pi;
sudo -u sats echo "pi password changed" >> /home/sats/satsd/log/sats-install;
echo "pi password changed" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
# [3] Start ssh service
sudo systemctl start ssh;
sudo -u sats echo "started ssh service" >> /home/sats/satsd/log/sats-install;
# [4] Try to install necessary packages
# [5] Try to install necessary packages
sudo apt-get update;
sudo -u sats echo "package update done" >> /home/sats/satsd/log/sats-install;
echo "package update done" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
sudo apt-get -y install git php5 php5-cli php5-curl python-dev;
sudo -u sats echo "package install done" >> /home/sats/satsd/log/sats-install;
echo "package install done" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
@ -34,17 +40,17 @@ if [ ! -e /target/install ]; then
dpkg -s git 2>/dev/null >/dev/null && gitinstalled=1 || gitinstalled=0;
BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch);
BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch) > /dev/null;
# (1) With git if installed #
if [ $gitinstalled -eq 1 ]; then
echo "cloning source.." >> /home/sats/satsd/log/sats-install;
echo "cloning source.." | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
sudo -u sats git clone -b $BRANCH ssh://smmp-server/satsd/git /home/sats/satsd/source \
&& sudo -u sats touch /target/install \
|| exit;
echo "..done" >> /home/sats/satsd/log/sats-install;
echo "..done" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
fi;
@ -52,22 +58,22 @@ if [ ! -e /target/install ]; then
# (2) Enable SPI device #
echo "dtparam=spi=on" | sudo tee -a /boot/config.txt > /dev/null;
echo "dtoverlay=spi-bcm2708" | sudo tee -a /boot/config.txt > /dev/null;
sudo -u sats echo "enabled SPI device" >> /home/sats/satsd/log/sats-install;
echo "enabled SPI device" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
# (3) Clone SPI python library #
sudo git clone https://github.com/lthiery/SPI-Py.git /home/pi/spi-lib;
sudo -u sats echo "Cloned SPI-Py lib" >> /home/sats/satsd/log/sats-install;
echo "Cloned SPI-Py lib" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
# (4) Install SPI python library #
cd /home/pi/spi-lib;
sudo python setup.py build;
sudo python setup.py install;
sudo -u sats echo "Built SPI-Py lib" >> /home/sats/satsd/log/sats-install;
echo "Built SPI-Py lib" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
# (4) Reboot to activate SPI #
sudo -u sats touch /target/install;
sudo -u sats echo "Created target file" >> /home/sats/satsd/log/sats-install;
sudo -u sats echo "Launching first reboot" >> /home/sats/satsd/log/sats-install;
echo "Created target file" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
echo "Launching first reboot" | sudo -u sats tee -a /home/sats/satsd/log/install.log > /dev/null;
sudo reboot;
fi;