From 9b1803889badac436b2c2a0dc685545337dff912 Mon Sep 17 00:00:00 2001 From: Christian Battaglia Date: Fri, 28 May 2021 11:58:58 -0400 Subject: [PATCH] WIP --- .gitignore | 4 + Dockerfile | 1 - Makefile | 2 +- PLAYBOOK.md | 9 ++ alpine/syslinux.cfg | 2 +- create_image.sh | 9 +- debian/Dockerfile | 27 ++++- debian/Dockerfile.bridge | 34 ++++++ debian/etc-bridge/networks/interfaces.d/br0 | 11 ++ debian/etc/dhcp/dhclient.conf | 54 +++++++++ debian/etc/fstab | 0 debian/etc/hostname | 1 + debian/etc/hosts | 10 ++ debian/etc/network/if-down.d/resolvconf | 16 +++ debian/etc/network/if-up.d/000resolvconf | 47 ++++++++ debian/etc/network/interfaces | 8 ++ debian/etc/networks | 4 + debian/etc/ssh/ssh_config | 52 +++++++++ debian/etc/ssh/sshd_config | 122 ++++++++++++++++++++ debian/etc/systemd/resolved.conf | 11 ++ debian/etc/ufw/user.rules | 47 ++++++++ debian/etc/ufw/user6.rules | 47 ++++++++ debian/syslinux.cfg | 1 - start_qemu.sh | 9 ++ 24 files changed, 520 insertions(+), 8 deletions(-) create mode 100644 PLAYBOOK.md create mode 100644 debian/Dockerfile.bridge create mode 100644 debian/etc-bridge/networks/interfaces.d/br0 create mode 100644 debian/etc/dhcp/dhclient.conf create mode 100644 debian/etc/fstab create mode 100644 debian/etc/hostname create mode 100644 debian/etc/hosts create mode 100755 debian/etc/network/if-down.d/resolvconf create mode 100755 debian/etc/network/if-up.d/000resolvconf create mode 100644 debian/etc/network/interfaces create mode 100644 debian/etc/networks create mode 100644 debian/etc/ssh/ssh_config create mode 100644 debian/etc/ssh/sshd_config create mode 100644 debian/etc/systemd/resolved.conf create mode 100644 debian/etc/ufw/user.rules create mode 100644 debian/etc/ufw/user6.rules create mode 100644 start_qemu.sh diff --git a/.gitignore b/.gitignore index 0a6ae78..fec0d77 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,7 @@ *.swp .DS_store +*.img +*.dir +mnt +*.tar diff --git a/Dockerfile b/Dockerfile index 9f1af5c..e8c94ad 100644 
--- a/Dockerfile +++ b/Dockerfile @@ -2,4 +2,3 @@ FROM amd64/debian:bullseye LABEL com.iximiuz-project="docker-to-linux" RUN apt-get -y update RUN apt-get -y install extlinux fdisk - diff --git a/Makefile b/Makefile index e68a65e..d114f5c 100644 --- a/Makefile +++ b/Makefile @@ -39,7 +39,7 @@ alpine.img: linux.tar: @echo ${COL_GRN}"[Dump ${DISTR} directory structure to tar archive]"${COL_END} - docker build -f ${DISTR}/Dockerfile -t ${REPO}/${DISTR} . + docker build -f ${DISTR}/Dockerfile -t ${REPO}/${DISTR} ${DISTR} docker export -o linux.tar `docker run -d ${REPO}/${DISTR} /bin/true` linux.dir: linux.tar diff --git a/PLAYBOOK.md b/PLAYBOOK.md new file mode 100644 index 0000000..f98be33 --- /dev/null +++ b/PLAYBOOK.md @@ -0,0 +1,9 @@ +```bash +make debian # or ubuntu, or alpine + +bash start-qemu.sh + +mount -o remount,rw / + +make clean +``` diff --git a/alpine/syslinux.cfg b/alpine/syslinux.cfg index aed381c..04046bf 100644 --- a/alpine/syslinux.cfg +++ b/alpine/syslinux.cfg @@ -2,5 +2,5 @@ DEFAULT linux SAY Now booting the kernel from SYSLINUX... LABEL linux KERNEL /boot/vmlinuz-virt - APPEND ro root=/dev/sda1 rootfstype=ext3 initrd=/boot/initramfs-virt + APPEND ro root=/dev/sda1 rootfstype=ext4 initrd=/boot/initramfs-virt diff --git a/create_image.sh b/create_image.sh index 82562ff..1b22af3 100755 --- a/create_image.sh +++ b/create_image.sh @@ -8,13 +8,13 @@ dd if=/dev/zero of=/os/linux.img bs=$(expr 1024 \* 1024 \* 1024) count=1 echo -e "\n[Make partition]" sfdisk /os/linux.img < /os/partition.txt -echo -e "\n[Format partition with ext3]" +echo -e "\n[Format partition with ext4]" losetup -D LOOPDEVICE=$(losetup -f) echo -e "\n[Using ${LOOPDEVICE} loop device]" losetup -o $(expr 512 \* 2048) ${LOOPDEVICE} /os/linux.img -mkfs.ext3 ${LOOPDEVICE} +mkfs.ext4 ${LOOPDEVICE} echo -e "\n[Copy linux directory structure to partition]" mkdir -p /os/mnt 
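Review bot: The `docker run -d ${REPO}/${DISTR} /bin/true` substitution on the export line starts a container only to export it and never removes it, so every build leaves another stopped container on the host. `docker create` does not run anything and can be cleaned up inline: `cid=$$(docker create ${REPO}/${DISTR}) && docker export -o linux.tar $$cid && docker rm $$cid`. Switching the build context from `.` to `${DISTR}` is what lets `COPY ./etc/. /etc/` in `debian/Dockerfile` resolve, but the alpine and ubuntu Dockerfiles (outside this patch) now build against their own directories too, so any `COPY` they do from the repo root would break — worth checking before this leaves WIP.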
@@ -24,6 +24,11 @@ cp -R /os/linux.dir/. /os/mnt/ echo -e "\n[Setup extlinux]" extlinux --install /os/mnt/boot/ cp /os/${DISTR}/syslinux.cfg /os/mnt/boot/syslinux.cfg +echo " APPEND root=UUID=$(blkid -o value -s UUID | tail -2 | head -1) initrd=/initrd.img rw nosplash text biosdevname=0 net.ifnames=0 console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 consoleblank=0 systemd.show_status=true" >> /os/mnt/boot/syslinux.cfg +cat /os/mnt/boot/syslinux.cfg +echo "UUID=$(blkid -o value -s UUID | tail -2 | head -1) /dev/sda1 ext4 errors=remount-ro 0 1" >> /os/mnt/etc/fstab +# echo "LABEL=linux / ext4 defaults 0 0" >> /os/mnt/etc/fstab +# echo "BOOT_IMAGE=/vmlinuz root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0" >> /os/mnt/proc/cmdline echo -e "\n[Unmount]" umount /os/mnt diff --git a/debian/Dockerfile b/debian/Dockerfile index 6b72e4a..46ff0c1 100644 --- a/debian/Dockerfile +++ b/debian/Dockerfile @@ -1,8 +1,31 @@ -FROM amd64/debian:bullseye +FROM amd64/debian:buster LABEL com.iximiuz-project="docker-to-linux" RUN apt-get -y update RUN apt-get -y install --no-install-recommends \ + # base linux-image-amd64 \ - systemd-sysv + systemd \ + systemd-sysv \ + \ + # install networking + cloud-init \ + ethtool \ + ntp \ + isc-dhcp-client \ + \ + # ssh + openssh-server \ + \ + # developer tools + vim \ + aptitude \ + cron \ + iputils-ping \ + man \ + less \ + curl + +COPY ./etc/. /etc/ + RUN echo "root:root" | chpasswd diff --git a/debian/Dockerfile.bridge b/debian/Dockerfile.bridge new file mode 100644 index 0000000..652e241 --- /dev/null +++ b/debian/Dockerfile.bridge 
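Review bot: The UUID written into both syslinux.cfg and fstab comes from `blkid -o value -s UUID | tail -2 | head -1`, i.e. the second-to-last UUID among every block device visible in the build container, which identifies the freshly formatted partition only by accident of device ordering; query the loop device the script already holds instead, `ROOT_UUID=$(blkid -o value -s UUID ${LOOPDEVICE})`. The fstab entry also puts `/dev/sda1` in the mount-point column, so it never describes `/`; it should be `UUID=${ROOT_UUID} / ext4 errors=remount-ro 0 1`. This APPEND line is now generated for every distro, yet `alpine/syslinux.cfg` in the same patch still carries its own APPEND with `initrd=/boot/initramfs-virt`, so the Alpine image appears to end up with two APPEND lines under one LABEL, the generated one pointing at the Debian `/initrd.img` path — confirm which one extlinux honours.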
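Review bot: Debian's `openssh-server` postinst generates `/etc/ssh/ssh_host_*` during `docker build`, so every VM produced from this layer ships the same host private keys, which defeats host-key verification for anyone who can pull the image. Delete them at the end of the build, `RUN rm -f /etc/ssh/ssh_host_*_key*`, and regenerate on first boot — cloud-init's ssh module does this when it runs with a datasource, otherwise a oneshot unit running `ssh-keygen -A` ordered before `ssh.service` is needed. The `root:root` password on the last line predates this commit, but it now sits next to a network-facing sshd; the shipped sshd_config disables password auth, so it is a serial-console credential only, and a comment saying so (`# dev-only console password; sshd has PasswordAuthentication no`) would stop the next reader from assuming otherwise. `apt-get update` also runs in its own layer and the lists are never removed, so rebuilds can install from a stale index; `RUN apt-get update && apt-get install -y --no-install-recommends ... && rm -rf /var/lib/apt/lists/*` keeps the image reproducible.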
@@ -0,0 +1,34 @@ +FROM amd64/debian:buster +LABEL com.iximiuz-project="docker-to-linux" +RUN apt-get -y update +RUN apt-get -y install --no-install-recommends \ + # base + linux-image-amd64 \ + systemd \ + systemd-sysv \ + \ + # install networking + cloud-init \ + ethtool \ + ntp \ + isc-dhcp-client \ + \ + # ssh + openssh-server \ + \ + # developer tools + vim \ + aptitude \ + cron \ + iputils-ping \ + man \ + less \ + curl \ + # bridge + bridge-utils + +COPY ./etc/. /etc/ +# COPY ./etc-bridge/. /etc/ + +RUN echo "root:root" | chpasswd + diff --git a/debian/etc-bridge/networks/interfaces.d/br0 b/debian/etc-bridge/networks/interfaces.d/br0 new file mode 100644 index 0000000..21f917a --- /dev/null +++ b/debian/etc-bridge/networks/interfaces.d/br0 @@ -0,0 +1,11 @@ +auto br0 +iface br0 inet dhcp + pre-up ip tuntap add dev tap0 mode tap user root + pre-up ip link set tap0 up + bridge_ports all tap0 + # bridge_ports eno1 + bridge_stp off + bridge_maxwait 0 + bridge_fd 0 + post-down ip link set tap0 down + post-down ip tuntap del dev tap0 mode tap diff --git a/debian/etc/dhcp/dhclient.conf b/debian/etc/dhcp/dhclient.conf new file mode 100644 index 0000000..d9493b9 --- /dev/null +++ b/debian/etc/dhcp/dhclient.conf 
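Review bot: This file repeats `debian/Dockerfile` verbatim and only appends `bridge-utils`, while the `COPY ./etc-bridge/. /etc/` that would make it a bridge image is commented out, so both Dockerfiles currently build the same system and will drift as one is edited. A build arg on the single Dockerfile, `ARG BRIDGE=0` plus `RUN if [ "$BRIDGE" = 1 ]; then apt-get install -y --no-install-recommends bridge-utils; fi`, keeps one source of truth. Style-wise, `# bridge` follows `curl \` with no separator line unlike the other sections — harmless, since the parser strips comment lines inside a continuation — but the lines holding only `\` in both files are empty continuation lines, which BuildKit warns are deprecated; dropping them and keeping the `# section` comments alone avoids the warning.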
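Review bot: The file is placed under `etc-bridge/networks/interfaces.d/`, but ifupdown sources `/etc/network/interfaces.d/*` (singular — see `debian/etc/network/interfaces` in this same patch), so once the `COPY ./etc-bridge/. /etc/` is enabled this stanza lands in `/etc/networks/interfaces.d/` and is never read; rename the directory to `network`. `bridge_ports all tap0` enslaves every non-loopback interface with STP off, including whichever NIC carries the management path; naming the uplink explicitly, as the commented `bridge_ports eno1` form does, plus `tap0` is the safer shape. `ip tuntap add ... user root` means only root can attach QEMU to the tap — fine if QEMU runs as root, otherwise name the unprivileged user that launches it.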
@@ -0,0 +1,54 @@ +# Configuration file for /sbin/dhclient. +# +# This is a sample configuration file for dhclient. See dhclient.conf's +# man page for more information about the syntax of this file +# and a more comprehensive list of the parameters understood by +# dhclient. +# +# Normally, if the DHCP server provides reasonable information and does +# not leave anything out (like the domain name, for example), then +# few changes must be made to this file, if any. +# + +option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; + +send host-name = gethostname(); +request subnet-mask, broadcast-address, time-offset, routers, + domain-name, domain-name-servers, domain-search, host-name, + dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers, + netbios-name-servers, netbios-scope, interface-mtu, + rfc3442-classless-static-routes, ntp-servers; + +#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c; +#send dhcp-lease-time 3600; +#supersede domain-name "fugue.com home.vix.com"; +#prepend domain-name-servers 127.0.0.1; +#require subnet-mask, domain-name-servers; +#timeout 60; +#retry 60; +#reboot 10; +#select-timeout 5; +#initial-interval 2; +#script "/sbin/dhclient-script"; +#media "-link0 -link1 -link2", "link0 link1"; +#reject 192.33.137.209; + +#alias { +# interface "eth0"; +# fixed-address 192.5.5.213; +# option subnet-mask 255.255.255.255; +#} + +#lease { +# interface "eth0"; +# fixed-address 192.33.137.200; +# medium "link0 link1"; +# option host-name "andare.swiftmedia.com"; +# option subnet-mask 255.255.255.0; +# option broadcast-address 192.33.137.255; +# option routers 192.33.137.250; +# option domain-name-servers 127.0.0.1; +# renew 2 2000/1/12 00:00:01; +# rebind 2 2000/1/12 00:00:01; +# expire 2 2000/1/12 00:00:01; +#} diff --git a/debian/etc/fstab b/debian/etc/fstab new file mode 100644 index 0000000..e69de29 diff --git a/debian/etc/hostname b/debian/etc/hostname new file mode 100644 index 0000000..579dd55 --- /dev/null 
+++ b/debian/etc/hostname @@ -0,0 +1 @@ +terna diff --git a/debian/etc/hosts b/debian/etc/hosts new file mode 100644 index 0000000..f9f0f22 --- /dev/null +++ b/debian/etc/hosts @@ -0,0 +1,10 @@ +127.0.1.1 terna +127.0.0.1 localhost + +# The following lines are desirable for IPv6 capable hosts +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +ff02::3 ip6-allhosts diff --git a/debian/etc/network/if-down.d/resolvconf b/debian/etc/network/if-down.d/resolvconf new file mode 100755 index 0000000..66e3a9f --- /dev/null +++ b/debian/etc/network/if-down.d/resolvconf @@ -0,0 +1,16 @@ +#!/bin/sh +# +# ifdown hook script for resolvconf +# +# This file is part of the resolvconf package. +# + +[ -x /sbin/resolvconf ] || exit 0 + +case "$ADDRFAM" in + inet|inet6) : ;; + *) exit 0 ;; +esac + +/sbin/resolvconf -d "${IFACE}.${ADDRFAM}" || : + diff --git a/debian/etc/network/if-up.d/000resolvconf b/debian/etc/network/if-up.d/000resolvconf new file mode 100755 index 0000000..f799371 --- /dev/null +++ b/debian/etc/network/if-up.d/000resolvconf @@ -0,0 +1,47 @@ +#!/bin/sh +# +# ifup hook script for resolvconf +# +# This file is part of the resolvconf package. +# + +[ -x /sbin/resolvconf ] || exit 0 + +case "$ADDRFAM" in + inet|inet6) : ;; + *) exit 0 ;; +esac + +R="" +if [ "$IF_DNS_DOMAIN" ] ; then + R="${R}domain $IF_DNS_DOMAIN +" +fi +if [ "$IF_DNS_SEARCH" ] ; then + R="${R}search $IF_DNS_SEARCH +" +fi +if [ "$IF_DNS_SORTLIST" ] ; then + R="${R}sortlist $IF_DNS_SORTLIST +" +fi +for NS in $IF_DNS_NAMESERVERS ; do + R="${R}nameserver $NS +" +done + +# Note: arguments of multiple instances of options are separated by newlines +set_NS_to_first_arg() { NS="$1" ; } +STANDARD_IFS="$IFS" +IFS=' +' +for OPT in $IF_DNS_NAMESERVER ; do + IFS="$STANDARD_IFS" + set_NS_to_first_arg $OPT + [ "$NS" ] && R="${R}nameserver $NS +" +done +IFS="$STANDARD_IFS" + +echo -n "$R" | /sbin/resolvconf -a "${IFACE}.${ADDRFAM}" || : + 
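Review bot: Both hook scripts exit at `[ -x /sbin/resolvconf ] || exit 0`, and neither Dockerfile installs the `resolvconf` package, so as committed they are dead code; either add `resolvconf` to the apt list or drop the two files. They are also copies of conffiles owned by that package, so installing it later will raise a conffile prompt if the copies differ from the packaged version. If the intended resolver is systemd-resolved (the patch also ships `etc/systemd/resolved.conf`), that path needs the service enabled and `/etc/resolv.conf` symlinked to `/run/systemd/resolve/stub-resolv.conf`, not ifupdown hooks — confirm which resolver the image is meant to use.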
diff --git a/debian/etc/network/interfaces b/debian/etc/network/interfaces new file mode 100644 index 0000000..97589ca --- /dev/null +++ b/debian/etc/network/interfaces @@ -0,0 +1,8 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback diff --git a/debian/etc/networks b/debian/etc/networks new file mode 100644 index 0000000..cdf6ffd --- /dev/null +++ b/debian/etc/networks @@ -0,0 +1,4 @@ +default 0.0.0.0 +loopback 127.0.0.0 +link-local 169.254.0.0 + diff --git a/debian/etc/ssh/ssh_config b/debian/etc/ssh/ssh_config new file mode 100644 index 0000000..67bd0f3 --- /dev/null +++ b/debian/etc/ssh/ssh_config 
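Review bot: `/etc/network/interfaces` declares only `lo`, and nothing in `interfaces.d/` ships with the image (the `br0` stanza lives in the unused `etc-bridge` tree), so `eth0` — which the `net.ifnames=0` argument added in `create_image.sh` guarantees is the NIC's name — only comes up if cloud-init's fallback networking kicks in, which this patch does not show. Adding `auto eth0` / `iface eth0 inet dhcp` makes the `hostfwd=...10022-:22` forward in `start_qemu.sh` work regardless of cloud-init's datasource state.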
@@ -0,0 +1,52 @@ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +Host * +# ForwardAgent no +# ForwardX11 no +# ForwardX11Trusted yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes +# PermitRootLogin yes diff --git a/debian/etc/ssh/sshd_config b/debian/etc/ssh/sshd_config new file mode 100644 index 0000000..e16a3fa --- /dev/null +++ b/debian/etc/ssh/sshd_config 
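Review bot: The trailing `# PermitRootLogin yes` is an sshd_config directive, not a client option; if anyone uncomments it `ssh` will reject the file with `Bad configuration option`, and as a comment it suggests root login is a client-side setting. Delete it, or replace it with `# root login is governed by /etc/ssh/sshd_config, not here`. The rest is the stock Debian client config; `GSSAPIAuthentication yes` is Debian's default and inert without Kerberos, but this image has no use for it.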
@@ -0,0 +1,122 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server +PasswordAuthentication no 
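Review bot: `PasswordAuthentication no` is appended after the `#Match User anoncvs` example; it is global only because that block is commented out, and whoever later uncomments the example will silently narrow the password ban to that one user, since every directive after a `Match` line belongs to it. Move it up to the `#PasswordAuthentication yes` line in the Authentication section so it stays unconditional. With password auth off and no `authorized_keys` provisioned by either Dockerfile, SSH access depends entirely on cloud-init injecting keys at first boot — worth stating in the PLAYBOOK. Given the image sets a `root:root` password and has no X server, I would also make `PermitRootLogin prohibit-password` and `X11Forwarding no` explicit rather than rely on the default for the first and the Debian-enabled `X11Forwarding yes` for the second.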
diff --git a/debian/etc/systemd/resolved.conf b/debian/etc/systemd/resolved.conf new file mode 100644 index 0000000..b1fa9f5 --- /dev/null +++ b/debian/etc/systemd/resolved.conf @@ -0,0 +1,11 @@ +[Resolve] +DNS=1.1.1.1 8.8.8.8 +FallbackDNS=8.8.4.4 +#Domains= +#LLMNR=yes +#MulticastDNS=yes +#DNSSEC=allow-downgrade +#DNSOverTLS=no +#Cache=yes +#DNSStubListener=yes +#ReadEtcHosts=yes diff --git a/debian/etc/ufw/user.rules b/debian/etc/ufw/user.rules new file mode 100644 index 0000000..790df46 --- /dev/null +++ b/debian/etc/ufw/user.rules 
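Review bot: `DNS=1.1.1.1 8.8.8.8` pins the VM to public resolvers over plain UDP 53 and overrides whatever the DHCP server hands out, while `DNSSEC` and `DNSOverTLS` stay at their commented-out defaults. If hardcoding resolvers is intended, `DNSOverTLS=opportunistic` and `DNSSEC=allow-downgrade` cost nothing with these two providers and should be set here. Nothing in the patch enables `systemd-resolved.service` or points `/etc/resolv.conf` at its stub, and the ifupdown `resolvconf` hooks shipped alongside target a different resolver, so as far as I can tell this file is never consulted — confirm which DNS path the image is meant to use.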
@@ -0,0 +1,47 @@ +*filter +:ufw-user-input - [0:0] +:ufw-user-output - [0:0] +:ufw-user-forward - [0:0] +:ufw-before-logging-input - [0:0] +:ufw-before-logging-output - [0:0] +:ufw-before-logging-forward - [0:0] +:ufw-user-logging-input - [0:0] +:ufw-user-logging-output - [0:0] +:ufw-user-logging-forward - [0:0] +:ufw-after-logging-input - [0:0] +:ufw-after-logging-output - [0:0] +:ufw-after-logging-forward - [0:0] +:ufw-logging-deny - [0:0] +:ufw-logging-allow - [0:0] +:ufw-user-limit - [0:0] +:ufw-user-limit-accept - [0:0] +### RULES ### + +### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +-A ufw-user-input -p tcp --dport 22 -j ACCEPT + +### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in +-A ufw-user-input -p tcp --dport 80 -j ACCEPT + +### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in +-A ufw-user-input -p tcp --dport 443 -j ACCEPT + +### tuple ### allow tcp 2222 0.0.0.0/0 any 0.0.0.0/0 in +-A ufw-user-input -p tcp --dport 2222 -j ACCEPT + +### END RULES ### + +### LOGGING ### +-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 +-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +### END LOGGING ### + +### RATE LIMITING ### +-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] " +-A ufw-user-limit -j REJECT +-A ufw-user-limit-accept -j ACCEPT +### END RATE LIMITING ### +COMMIT diff --git a/debian/etc/ufw/user6.rules b/debian/etc/ufw/user6.rules new file mode 100644 index 0000000..6e0ed47 --- /dev/null +++ b/debian/etc/ufw/user6.rules 
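Review bot: Neither Dockerfile installs `ufw`, and nothing sets `ENABLED=yes` in `/etc/ufw/ufw.conf`, so these rules are never loaded; add `ufw` to the apt list and ship a `ufw.conf` with `ENABLED=yes` so `ufw.service` loads them at boot (`ufw --force enable` during `docker build` likely fails for lack of netfilter access). The set opens 80, 443 and 2222 to the world although nothing in the image listens on them; open ports when the service that needs them is added. For 22, the `limit` form (`ufw limit 22/tcp`, which routes through the `ufw-user-limit` chain already declared here) throttles brute-force attempts at no cost.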
@@ -0,0 +1,47 @@ +*filter +:ufw6-user-input - [0:0] +:ufw6-user-output - [0:0] +:ufw6-user-forward - [0:0] +:ufw6-before-logging-input - [0:0] +:ufw6-before-logging-output - [0:0] +:ufw6-before-logging-forward - [0:0] +:ufw6-user-logging-input - [0:0] +:ufw6-user-logging-output - [0:0] +:ufw6-user-logging-forward - [0:0] +:ufw6-after-logging-input - [0:0] +:ufw6-after-logging-output - [0:0] +:ufw6-after-logging-forward - [0:0] +:ufw6-logging-deny - [0:0] +:ufw6-logging-allow - [0:0] +:ufw6-user-limit - [0:0] +:ufw6-user-limit-accept - [0:0] +### RULES ### + +### tuple ### allow tcp 22 ::/0 any ::/0 in +-A ufw6-user-input -p tcp --dport 22 -j ACCEPT + +### tuple ### allow tcp 80 ::/0 any ::/0 in +-A ufw6-user-input -p tcp --dport 80 -j ACCEPT + +### tuple ### allow tcp 443 ::/0 any ::/0 in +-A ufw6-user-input -p tcp --dport 443 -j ACCEPT + +### tuple ### allow tcp 2222 ::/0 any ::/0 in +-A ufw6-user-input -p tcp --dport 2222 -j ACCEPT + +### END RULES ### + +### LOGGING ### +-A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 +-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +### END LOGGING ### + +### RATE LIMITING ### +-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] " +-A ufw6-user-limit -j REJECT +-A ufw6-user-limit-accept -j ACCEPT +### END RATE LIMITING ### +COMMIT diff --git a/debian/syslinux.cfg b/debian/syslinux.cfg index 9bf292d..082de7a 100644 --- a/debian/syslinux.cfg +++ b/debian/syslinux.cfg 
@@ -2,5 +2,4 @@ DEFAULT linux SAY Now booting the kernel from SYSLINUX... LABEL linux KERNEL /vmlinuz - APPEND ro root=/dev/sda1 initrd=/initrd.img diff --git a/start_qemu.sh b/start_qemu.sh new file mode 100644 index 0000000..8819ca2 --- /dev/null +++ b/start_qemu.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +set -xe + +qemu-system-x86_64 \ + -drive file=linux.img,index=0,media=disk,format=raw \ + -m 4096 \ + -net user,id=mynet0,hostfwd=tcp::10022-:22 \ + -net nic
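Review bot: `hostfwd=tcp::10022-:22` leaves the host address empty, which QEMU's user-mode networking binds on all host interfaces, so the VM's sshd is reachable from the whole LAN on port 10022; bind it to loopback with `hostfwd=tcp:127.0.0.1:10022-:22` unless remote access is intended. The `-net user` / `-net nic` pair is the legacy syntax; `-nic user,model=virtio-net-pci,hostfwd=tcp:127.0.0.1:10022-:22` expresses the same in one option. PLAYBOOK.md in this commit invokes `start-qemu.sh` (hyphen) while the file is `start_qemu.sh`, so the documented command does not run.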