Remove ipsec stuf.
This commit is contained in:
parent
a4906b948d
commit
8281230718
@ -1,76 +0,0 @@
|
||||
*nat
|
||||
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
|
||||
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
|
||||
COMMIT
|
||||
|
||||
*mangle
|
||||
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
|
||||
COMMIT
|
||||
|
||||
# Don't delete these required lines, otherwise there will be errors
|
||||
*filter
|
||||
:ufw-before-input - [0:0]
|
||||
:ufw-before-output - [0:0]
|
||||
:ufw-before-forward - [0:0]
|
||||
:ufw-not-local - [0:0]
|
||||
# End required lines
|
||||
|
||||
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
|
||||
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
|
||||
|
||||
# allow all on loopback
|
||||
-A ufw-before-input -i lo -j ACCEPT
|
||||
-A ufw-before-output -o lo -j ACCEPT
|
||||
|
||||
# quickly process packets for which we already have a connection
|
||||
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
# drop INVALID packets (logs these in loglevel medium and higher)
|
||||
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
|
||||
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
|
||||
|
||||
# ok icmp codes for INPUT
|
||||
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
|
||||
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
|
||||
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
|
||||
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
|
||||
|
||||
# ok icmp code for FORWARD
|
||||
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
|
||||
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
|
||||
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
|
||||
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
|
||||
|
||||
# allow dhcp client to work
|
||||
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
|
||||
|
||||
#
|
||||
# ufw-not-local
|
||||
#
|
||||
-A ufw-before-input -j ufw-not-local
|
||||
|
||||
# if LOCAL, RETURN
|
||||
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
|
||||
|
||||
# if MULTICAST, RETURN
|
||||
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
|
||||
|
||||
# if BROADCAST, RETURN
|
||||
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
|
||||
|
||||
# all other non-local packets are dropped
|
||||
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
|
||||
-A ufw-not-local -j DROP
|
||||
|
||||
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
|
||||
# is uncommented)
|
||||
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
|
||||
|
||||
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
|
||||
# is uncommented)
|
||||
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
|
||||
|
||||
# don't delete the 'COMMIT' line or these rules won't be processed
|
||||
COMMIT
|
||||
@ -1,23 +0,0 @@
|
||||
# basic configuration
|
||||
config setup
|
||||
charondebug="all"
|
||||
uniqueids=yes
|
||||
strictcrlpolicy=no
|
||||
|
||||
# connection to amsterdam datacenter
|
||||
conn home-to-digitalocean
|
||||
authby=secret
|
||||
left=%defaultroute
|
||||
leftid=165.22.156.25
|
||||
leftsubnet=10.138.0.0/16
|
||||
right=0.0.0.0
|
||||
rightsubnet=192.168.1.0/24
|
||||
ike=aes256-sha2_256-modp1024!
|
||||
esp=aes256-sha2_256!
|
||||
keyingtries=0
|
||||
ikelifetime=1h
|
||||
lifetime=8h
|
||||
dpddelay=30
|
||||
dpdtimeout=120
|
||||
dpdaction=restart
|
||||
auto=start
|
||||
@ -1,46 +0,0 @@
|
||||
#
|
||||
# Configuration file for setting network variables. Please note these settings
|
||||
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
|
||||
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
|
||||
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
|
||||
# information.
|
||||
#
|
||||
|
||||
# Uncomment this to allow this host to route packets between interfaces
|
||||
net/ipv4/ip_forward=1
|
||||
#net/ipv6/conf/default/forwarding=1
|
||||
#net/ipv6/conf/all/forwarding=1
|
||||
|
||||
# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
|
||||
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
|
||||
# traffic to those sites.
|
||||
net/ipv4/conf/all/accept_redirects=0
|
||||
net/ipv4/conf/default/accept_redirects=0
|
||||
net/ipv6/conf/all/accept_redirects=0
|
||||
net/ipv6/conf/default/accept_redirects=0
|
||||
|
||||
# Ignore bogus ICMP errors
|
||||
net/ipv4/icmp_echo_ignore_broadcasts=1
|
||||
net/ipv4/icmp_ignore_bogus_error_responses=1
|
||||
net/ipv4/icmp_echo_ignore_all=0
|
||||
|
||||
# Don't log Martian Packets (impossible addresses)
|
||||
# packets
|
||||
net/ipv4/conf/all/log_martians=0
|
||||
net/ipv4/conf/default/log_martians=0
|
||||
|
||||
#net/ipv4/tcp_fin_timeout=30
|
||||
#net/ipv4/tcp_keepalive_intvl=1800
|
||||
|
||||
# Uncomment this to turn off ipv6 autoconfiguration
|
||||
#net/ipv6/conf/default/autoconf=1
|
||||
#net/ipv6/conf/all/autoconf=1
|
||||
|
||||
# Uncomment this to enable ipv6 privacy addressing
|
||||
#net/ipv6/conf/default/use_tempaddr=2
|
||||
#net/ipv6/conf/all/use_tempaddr=2
|
||||
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
# Add the following lines
|
||||
net/ipv4/conf/all/send_redirects=0
|
||||
net/ipv4/ip_no_pmtu_disc=1
|
||||
Loading…
Reference in New Issue
Block a user