From 8281230718855dc0485a7096c9050f753bd087b5 Mon Sep 17 00:00:00 2001
From: jowj
Date: Tue, 22 Oct 2019 21:03:35 -0500
Subject: [PATCH] Remove ipsec stuf.
---
deployments/serverBuild/before.rules | 76 ----------------------------
deployments/serverBuild/ipsec.conf | 23 ---------
deployments/serverBuild/sysctl.conf | 46 -----------------
3 files changed, 145 deletions(-)
delete mode 100644 deployments/serverBuild/before.rules
delete mode 100644 deployments/serverBuild/ipsec.conf
delete mode 100644 deployments/serverBuild/sysctl.conf
diff --git a/deployments/serverBuild/before.rules b/deployments/serverBuild/before.rules
deleted file mode 100644
index df8d42b..0000000
--- a/deployments/serverBuild/before.rules
+++ /dev/null
@@ -1,76 +0,0 @@
-*nat
--A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
--A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
-COMMIT
-
-*mangle
--A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-COMMIT
-
-# Don't delete these required lines, otherwise there will be errors
-*filter
-:ufw-before-input - [0:0]
-:ufw-before-output - [0:0]
-:ufw-before-forward - [0:0]
-:ufw-not-local - [0:0]
-# End required lines
-
--A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
--A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
-
-# allow all on loopback
--A ufw-before-input -i lo -j ACCEPT
--A ufw-before-output -o lo -j ACCEPT
-
-# quickly process packets for which we already have a connection
--A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# drop INVALID packets (logs these in loglevel medium and higher)
--A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
--A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-
-# ok icmp codes for INPUT
--A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
--A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
--A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
--A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-
-# ok icmp code for FORWARD
--A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
--A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
--A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
--A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
-
-# allow dhcp client to work
--A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-
-#
-# ufw-not-local
-#
--A ufw-before-input -j ufw-not-local
-
-# if LOCAL, RETURN
--A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-
-# if MULTICAST, RETURN
--A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-
-# if BROADCAST, RETURN
--A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-
-# all other non-local packets are dropped
--A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
--A ufw-not-local -j DROP
-
-# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
-# is uncommented)
--A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-
-# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
-# is uncommented)
--A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
-
-# don't delete the 'COMMIT' line or these rules won't be processed
-COMMIT
diff --git a/deployments/serverBuild/ipsec.conf b/deployments/serverBuild/ipsec.conf
deleted file mode 100644
index 3509e5f..0000000
--- a/deployments/serverBuild/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# basic configuration
-config setup
- charondebug="all"
- uniqueids=yes
- strictcrlpolicy=no
-
-# connection to amsterdam datacenter
-conn home-to-digitalocean
- authby=secret
- left=%defaultroute
- leftid=165.22.156.25
- leftsubnet=10.138.0.0/16
- right=0.0.0.0
- rightsubnet=192.168.1.0/24
- ike=aes256-sha2_256-modp1024!
- esp=aes256-sha2_256!
- keyingtries=0
- ikelifetime=1h
- lifetime=8h
- dpddelay=30
- dpdtimeout=120
- dpdaction=restart
- auto=start
diff --git a/deployments/serverBuild/sysctl.conf b/deployments/serverBuild/sysctl.conf
deleted file mode 100644
index 95e34ae..0000000
--- a/deployments/serverBuild/sysctl.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Configuration file for setting network variables. Please note these settings
-# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
-# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
-# Documentation/networking/ip-sysctl.txt in the kernel source code for more
-# information.
-#
-
-# Uncomment this to allow this host to route packets between interfaces
-net/ipv4/ip_forward=1
-#net/ipv6/conf/default/forwarding=1
-#net/ipv6/conf/all/forwarding=1
-
-# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
-# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
-# traffic to those sites.
-net/ipv4/conf/all/accept_redirects=0
-net/ipv4/conf/default/accept_redirects=0
-net/ipv6/conf/all/accept_redirects=0
-net/ipv6/conf/default/accept_redirects=0
-
-# Ignore bogus ICMP errors
-net/ipv4/icmp_echo_ignore_broadcasts=1
-net/ipv4/icmp_ignore_bogus_error_responses=1
-net/ipv4/icmp_echo_ignore_all=0
-
-# Don't log Martian Packets (impossible addresses)
-# packets
-net/ipv4/conf/all/log_martians=0
-net/ipv4/conf/default/log_martians=0
-
-#net/ipv4/tcp_fin_timeout=30
-#net/ipv4/tcp_keepalive_intvl=1800
-
-# Uncomment this to turn off ipv6 autoconfiguration
-#net/ipv6/conf/default/autoconf=1
-#net/ipv6/conf/all/autoconf=1
-
-# Uncomment this to enable ipv6 privacy addressing
-#net/ipv6/conf/default/use_tempaddr=2
-#net/ipv6/conf/all/use_tempaddr=2
-
-# Do not send ICMP redirects (we are not a router)
-# Add the following lines
-net/ipv4/conf/all/send_redirects=0
-net/ipv4/ip_no_pmtu_disc=1