Update sysctl.conf settings, and add IP6Tables rules
This commit is contained in:
parent
8f35af5646
commit
a15e502056
41
vpnsetup.sh
41
vpnsetup.sh
@ -248,12 +248,14 @@ cat >> /etc/sysctl.conf <<EOF
|
|||||||
# Added by hwdsl2 VPN script
|
# Added by hwdsl2 VPN script
|
||||||
kernel.sysrq = 0
|
kernel.sysrq = 0
|
||||||
kernel.core_uses_pid = 1
|
kernel.core_uses_pid = 1
|
||||||
net.ipv4.tcp_syncookies = 1
|
|
||||||
kernel.msgmnb = 65536
|
kernel.msgmnb = 65536
|
||||||
kernel.msgmax = 65536
|
kernel.msgmax = 65536
|
||||||
kernel.shmmax = 68719476736
|
kernel.shmmax = 68719476736
|
||||||
kernel.shmall = 4294967296
|
kernel.shmall = 4294967296
|
||||||
|
kernel.randomize_va_space = 1
|
||||||
|
|
||||||
net.ipv4.ip_forward = 1
|
net.ipv4.ip_forward = 1
|
||||||
|
net.ipv4.tcp_syncookies = 1
|
||||||
net.ipv4.conf.all.accept_source_route = 0
|
net.ipv4.conf.all.accept_source_route = 0
|
||||||
net.ipv4.conf.default.accept_source_route = 0
|
net.ipv4.conf.default.accept_source_route = 0
|
||||||
net.ipv4.conf.all.log_martians = 1
|
net.ipv4.conf.all.log_martians = 1
|
||||||
@ -266,13 +268,11 @@ net.ipv4.conf.all.rp_filter = 0
|
|||||||
net.ipv4.conf.default.rp_filter = 0
|
net.ipv4.conf.default.rp_filter = 0
|
||||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||||
net.ipv4.conf.all.secure_redirects = 0
|
|
||||||
net.ipv4.conf.default.secure_redirects = 0
|
net.core.wmem_max = 12582912
|
||||||
kernel.randomize_va_space = 1
|
net.core.rmem_max = 12582912
|
||||||
net.core.wmem_max=12582912
|
net.ipv4.tcp_rmem = 10240 87380 12582912
|
||||||
net.core.rmem_max=12582912
|
net.ipv4.tcp_wmem = 10240 87380 12582912
|
||||||
net.ipv4.tcp_rmem= 10240 87380 12582912
|
|
||||||
net.ipv4.tcp_wmem= 10240 87380 12582912
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
fi
|
fi
|
||||||
@ -344,12 +344,34 @@ echo "# Modified by hwdsl2 VPN script" >> /etc/iptables.rules
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
/bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
|
||||||
|
cat > /etc/ip6tables.rules <<EOF
|
||||||
|
# Added by hwdsl2 VPN script
|
||||||
|
*filter
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD DROP [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
-A INPUT -m rt --rt-type 0 -j DROP
|
||||||
|
-A INPUT -s fe80::/10 -j ACCEPT
|
||||||
|
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||||
|
-A INPUT -j DROP
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
|
|
||||||
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
|
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
/sbin/iptables-restore < /etc/iptables.rules
|
/sbin/iptables-restore < /etc/iptables.rules
|
||||||
exit 0
|
exit 0
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
cat > /etc/network/if-pre-up.d/ip6tablesload <<EOF
|
||||||
|
#!/bin/sh
|
||||||
|
/sbin/ip6tables-restore < /etc/ip6tables.rules
|
||||||
|
exit 0
|
||||||
|
EOF
|
||||||
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||||
|
|
||||||
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
|
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
|
||||||
@ -375,8 +397,11 @@ fi
|
|||||||
/sbin/sysctl -p
|
/sbin/sysctl -p
|
||||||
/bin/chmod +x /etc/rc.local
|
/bin/chmod +x /etc/rc.local
|
||||||
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload
|
/bin/chmod +x /etc/network/if-pre-up.d/iptablesload
|
||||||
|
/bin/chmod +x /etc/network/if-pre-up.d/ip6tablesload
|
||||||
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
|
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
|
||||||
|
|
||||||
/sbin/iptables-restore < /etc/iptables.rules
|
/sbin/iptables-restore < /etc/iptables.rules
|
||||||
|
/sbin/ip6tables-restore < /etc/ip6tables.rules
|
||||||
|
|
||||||
/usr/sbin/service fail2ban stop >/dev/null 2>&1
|
/usr/sbin/service fail2ban stop >/dev/null 2>&1
|
||||||
/usr/sbin/service ipsec stop >/dev/null 2>&1
|
/usr/sbin/service ipsec stop >/dev/null 2>&1
|
||||||
|
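Review bot: The new /etc/ip6tables.rules heredoc (hunk at -344,12 +344,34) declares `:INPUT ACCEPT [0:0]` and only closes the chain with the trailing `-A INPUT -j DROP`, so a truncated or hand-edited restore fails open; `:INPUT DROP [0:0]` with the explicit ACCEPT rules above it filters identically in steady state but fails closed, and the final DROP rule then becomes redundant. The same ruleset is written to /etc/sysconfig/ip6tables in the second file section of this commit and has the same shape. Because the chain admits no inbound TCP at all, any SSH access arriving over IPv6 stops working for new connections once `/sbin/ip6tables-restore < /etc/ip6tables.rules` runs near the end of the script (existing sessions survive via the ESTABLISHED,RELATED rule); if that is intended, a comment in the heredoc such as `# VPN does not use IPv6: only loopback, link-local and ICMPv6 traffic is accepted inbound` makes the lockout deliberate rather than surprising. That restore call is also unchecked, so a host without the ip6tables binary or with IPv6 disabled continues silently; `[ -x /sbin/ip6tables-restore ] && /sbin/ip6tables-restore < /etc/ip6tables.rules || echo "ip6tables-restore failed" >&2` would surface it. The `if ! grep -qs "hwdsl2 VPN script" /etc/rc.local` block that begins at the end of this hunk continues past it.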
@ -158,6 +158,11 @@ yum -y install ppp xl2tpd
|
|||||||
# Install Fail2Ban to protect SSH server
|
# Install Fail2Ban to protect SSH server
|
||||||
yum -y install fail2ban
|
yum -y install fail2ban
|
||||||
|
|
||||||
|
# Install IP6Tables for CentOS/RHEL 6
|
||||||
|
if grep -qs "release 6" /etc/redhat-release; then
|
||||||
|
yum -y install iptables-ipv6
|
||||||
|
fi
|
||||||
|
|
||||||
# Installed Libevent2. Use backported version for CentOS 6.
|
# Installed Libevent2. Use backported version for CentOS 6.
|
||||||
if grep -qs "release 6" /etc/redhat-release; then
|
if grep -qs "release 6" /etc/redhat-release; then
|
||||||
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
|
LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
|
||||||
@ -282,12 +287,14 @@ cat >> /etc/sysctl.conf <<EOF
|
|||||||
# Added by hwdsl2 VPN script
|
# Added by hwdsl2 VPN script
|
||||||
kernel.sysrq = 0
|
kernel.sysrq = 0
|
||||||
kernel.core_uses_pid = 1
|
kernel.core_uses_pid = 1
|
||||||
net.ipv4.tcp_syncookies = 1
|
|
||||||
kernel.msgmnb = 65536
|
kernel.msgmnb = 65536
|
||||||
kernel.msgmax = 65536
|
kernel.msgmax = 65536
|
||||||
kernel.shmmax = 68719476736
|
kernel.shmmax = 68719476736
|
||||||
kernel.shmall = 4294967296
|
kernel.shmall = 4294967296
|
||||||
|
kernel.randomize_va_space = 1
|
||||||
|
|
||||||
net.ipv4.ip_forward = 1
|
net.ipv4.ip_forward = 1
|
||||||
|
net.ipv4.tcp_syncookies = 1
|
||||||
net.ipv4.conf.all.accept_source_route = 0
|
net.ipv4.conf.all.accept_source_route = 0
|
||||||
net.ipv4.conf.default.accept_source_route = 0
|
net.ipv4.conf.default.accept_source_route = 0
|
||||||
net.ipv4.conf.all.log_martians = 1
|
net.ipv4.conf.all.log_martians = 1
|
||||||
@ -300,13 +307,11 @@ net.ipv4.conf.all.rp_filter = 0
|
|||||||
net.ipv4.conf.default.rp_filter = 0
|
net.ipv4.conf.default.rp_filter = 0
|
||||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||||
net.ipv4.conf.all.secure_redirects = 0
|
|
||||||
net.ipv4.conf.default.secure_redirects = 0
|
net.core.wmem_max = 12582912
|
||||||
kernel.randomize_va_space = 1
|
net.core.rmem_max = 12582912
|
||||||
net.core.wmem_max=12582912
|
net.ipv4.tcp_rmem = 10240 87380 12582912
|
||||||
net.core.rmem_max=12582912
|
net.ipv4.tcp_wmem = 10240 87380 12582912
|
||||||
net.ipv4.tcp_rmem= 10240 87380 12582912
|
|
||||||
net.ipv4.tcp_wmem= 10240 87380 12582912
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
fi
|
fi
|
||||||
@ -377,6 +382,22 @@ echo "# Modified by hwdsl2 VPN script" >> /etc/sysconfig/iptables
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
|
||||||
|
cat > /etc/sysconfig/ip6tables <<EOF
|
||||||
|
# Added by hwdsl2 VPN script
|
||||||
|
*filter
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD DROP [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
-A INPUT -m rt --rt-type 0 -j DROP
|
||||||
|
-A INPUT -s fe80::/10 -j ACCEPT
|
||||||
|
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||||
|
-A INPUT -j DROP
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
|
|
||||||
if [ ! -f /etc/fail2ban/jail.local ] ; then
|
if [ ! -f /etc/fail2ban/jail.local ] ; then
|
||||||
|
|
||||||
cat > /etc/fail2ban/jail.local <<EOF
|
cat > /etc/fail2ban/jail.local <<EOF
|
||||||
@ -403,6 +424,7 @@ cat >> /etc/rc.local <<EOF
|
|||||||
|
|
||||||
# Added by hwdsl2 VPN script
|
# Added by hwdsl2 VPN script
|
||||||
/sbin/iptables-restore < /etc/sysconfig/iptables
|
/sbin/iptables-restore < /etc/sysconfig/iptables
|
||||||
|
/sbin/ip6tables-restore < /etc/sysconfig/ip6tables
|
||||||
/sbin/service fail2ban restart
|
/sbin/service fail2ban restart
|
||||||
/sbin/service ipsec start
|
/sbin/service ipsec start
|
||||||
/sbin/service xl2tpd start
|
/sbin/service xl2tpd start
|
||||||
@ -425,7 +447,9 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
|||||||
/sbin/sysctl -p
|
/sbin/sysctl -p
|
||||||
/bin/chmod +x /etc/rc.local
|
/bin/chmod +x /etc/rc.local
|
||||||
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
|
/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
|
||||||
|
|
||||||
/sbin/iptables-restore < /etc/sysconfig/iptables
|
/sbin/iptables-restore < /etc/sysconfig/iptables
|
||||||
|
/sbin/ip6tables-restore < /etc/sysconfig/ip6tables
|
||||||
|
|
||||||
/sbin/service fail2ban stop >/dev/null 2>&1
|
/sbin/service fail2ban stop >/dev/null 2>&1
|
||||||
/sbin/service ipsec stop >/dev/null 2>&1
|
/sbin/service ipsec stop >/dev/null 2>&1
|
||||||
|
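Review bot: `kernel.randomize_va_space = 1` in the sysctl heredoc (hunk at -282,12 +287,14) is moved rather than reconsidered, and 1 is weaker than the kernel default of 2: it randomizes the mmap base, stack and VDSO but leaves the brk heap base unrandomized. Unless a known compatibility constraint requires the lower setting, `kernel.randomize_va_space = 2` keeps the full ASLR the kernel would otherwise provide, ideally with a comment stating why if 1 must stay; the same line is added in the vpnsetup.sh sysctl hunk of this commit. This section's file header is not visible on the page, so the file name (the CentOS/RHEL variant, judging by the yum calls) is inferred.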