From 6e6038b837e0927d8d66ddc6c1ff04742d716a0f Mon Sep 17 00:00:00 2001
From: Flo
Date: Sun, 21 Aug 2016 15:35:50 +0200
Subject: [PATCH] add gitconfig dotfile and iptables templates

---
 gitconfig | 12 +++++++++
 iptables/rules.v4 | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 iptables/rules.v6 | 10 ++++++++
 makesymlinks.sh | 2 +-
 4 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 gitconfig
 create mode 100644 iptables/rules.v4
 create mode 100644 iptables/rules.v6

diff --git a/gitconfig b/gitconfig
new file mode 100644
index 0000000..cc74288
--- /dev/null
+++ b/gitconfig
@@ -0,0 +1,12 @@
+[user]
+ name = Flo
+ email = flo@fino.fr
+
+[color]
+ ui = auto
+
+[alias]
+ st = status
+ ci = commit
+ co = checkout
+
diff --git a/iptables/rules.v4 b/iptables/rules.v4
new file mode 100644
index 0000000..f9d72e0
--- /dev/null
+++ b/iptables/rules.v4
@@ -0,0 +1,62 @@
+# rules.v4 template
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+#TODO local nat
+COMMIT
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [121:69818]
+:OUTPUT ACCEPT [7:580]
+
+# accept already established incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow loopback, drop all traffic to local that isn't from lo
+-A INPUT -i lo -j ACCEPT
+-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+
+# Drop packets with invalid headers, checksums, flags, out of sequence, etc
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# accept new ping requests. the rest is handled by related,established
+-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+
+# TODO local nat
+
+# TODO local services
+#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "allow ssh"
+#-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -m comment --comment "allow dns"
+#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "allow http"
+#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "allow https"
+#-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT -m comment --comment "allow ntp"
+#-A INPUT -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT -m comment --comment "allow dhcp"
+
+# log denied
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+# reject TCP connections with TCP RST packets and UDP streams
+# with ICMP unreachable messages if the ports are not opened
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+# drop everything else with no error
+-A INPUT -j DROP
+
+# TODO depends of local nat
+-A FORWARD -j DROP
+
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [133:70558]
+:INPUT ACCEPT [12:740]
+:FORWARD ACCEPT [121:69818]
+:OUTPUT ACCEPT [10:825]
+:POSTROUTING ACCEPT [128:70398]
+COMMIT
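Review bot: The commented-out templates in the `# TODO local services` block use `-p tcp -m tcp` for NTP (123) and DHCP (67/68), which are UDP services, so uncommenting them as written would not open either; DNS on 53 normally needs a UDP rule next to the TCP one as well. Suggested lines: `#-A INPUT -p udp -m udp --dport 123 -j ACCEPT -m comment --comment "allow ntp"` and `#-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT -m comment --comment "allow dhcp"` (the latter matches what a DHCP client receives; a DHCP server would need `--dport 67` instead). The established-connections rule uses the deprecated `-m state --state` while every other rule in the file uses `conntrack`; `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` keeps it consistent. The final `-A INPUT -j DROP` is unreachable, because the three REJECT rules above it are terminating for every remaining packet, so its "drop everything else with no error" comment is misleading; similarly `:FORWARD ACCEPT` relies on the trailing `-A FORWARD -j DROP`, and a `:FORWARD DROP [0:0]` policy would keep forwarding closed even if that rule is later edited out. The live counters copied from iptables-save (`[121:69818]` and the like) are harmless but `[0:0]` is the conventional form for a template.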
diff --git a/iptables/rules.v6 b/iptables/rules.v6
new file mode 100644
index 0000000..c8eadcd
--- /dev/null
+++ b/iptables/rules.v6
@@ -0,0 +1,10 @@
+# rules.v6 template
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+COMMIT
diff --git a/makesymlinks.sh b/makesymlinks.sh
index c02ff67..da3f418 100755
--- a/makesymlinks.sh
+++ b/makesymlinks.sh
@@ -8,7 +8,7 @@ dir=~/dotfiles # dotfiles directory olddir=~/dotfiles_old # old dotfiles backup directory # list of files/folders to symlink in homedir -files="bashrc vimrc zshrc screenrc vim" +files="bashrc vimrc zshrc screenrc vim gitconfig" # create dotfiles_old in homedir echo "Creating $olddir for backup of any existing dotfiles in ~"
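Review bot: The IPv6 filter drops every ICMPv6 message: with `:INPUT DROP` and only the loopback and RELATED,ESTABLISHED accepts, inbound neighbor solicitations/advertisements, router advertisements and packet-too-big errors never reach the host, which breaks neighbor discovery, SLAAC and path MTU discovery and in practice leaves the host without usable IPv6, since conntrack does not classify these as ESTABLISHED. A minimal set of accepts along the lines of RFC 4890 is below; if an `--ctstate INVALID -j DROP` rule is added later, keep these ahead of it, as ND traffic can be classed INVALID on some kernels. The file is also inconsistent with rules.v4: there is no loopback anti-spoof rule (`-A INPUT ! -i lo -d ::1/128 -j REJECT`), no INVALID drop and no logging/REJECT tail, while `-A OUTPUT -o lo -j ACCEPT` is redundant under `:OUTPUT ACCEPT`.
```iptables
# … unchanged: *filter header, loopback and RELATED,ESTABLISHED accepts …
# ICMPv6 errors and neighbor discovery are required for IPv6 to function
# (RFC 4890); ND messages are only valid when sent with hop limit 255.
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# … unchanged: OUTPUT loopback accept, COMMIT …
```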