restructure
I've created a new structure to better differentiate between desktop, server and general scripts.
parent
6f48807b22
commit
6351ed5f8b
@ -1,8 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
export BORG_REPO='borg@192.168.1.1:/mnt/sda/backup/python'
|
||||
export BORG_PASSPHRASE=Password
|
||||
|
||||
borg create -v --stats ::$(hostusename)_$(date +%Y-%m-%d) /home/user/
|
||||
|
||||
borg prune --prefix $(hostname)_201* --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=1
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/bash
|
||||
|
||||
export BORG_REPO='borg@finoglio.2li.local:/mnt/sda/backup/python'
|
||||
export BORG_PASSPHRASE=Password
|
||||
|
||||
borg create -v --stats ::$(hostname)_$(date -I) /home/andreas/
|
||||
|
||||
borg prune --prefix $(hostname)_201 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=1
|
|
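Review bot: `export BORG_PASSPHRASE=Password` commits the repository passphrase to version control and exports it into the environment of every child process, where it is readable via `/proc/<pid>/environ`; the deleted file carried the same value, so treat it as exposed and rotate it. Load it from an owner-only file instead, e.g. `export BORG_PASSPHRASE="$(cat /home/andreas/.borg-passphrase)"` with that file at mode 0600 and kept out of the repository. The prune prefix `$(hostname)_201` only matches archive names whose `date -I` part starts with 201, so archives this script creates in 2020 or later are never pruned by that rule; `--prefix "$(hostname)_"` matches every archive the `borg create` line produces. Adding `set -euo pipefail` and quoting `"$(hostname)"` would also keep the prune from running after a failed `borg create` (note that borg also exits non-zero on warnings, so decide whether that should abort).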
@ -0,0 +1,101 @@
|
|||
#!/bin/bash
|
||||
IPT=/sbin/iptables
|
||||
WAN="eth0"
|
||||
LAN="eth1"
|
||||
WANIP="5.172.137.57"
|
||||
GITIP="10.7.89.109"
|
||||
APACHEIP="10.7.89.100"
|
||||
PYTHONIP="10.7.89.106"
|
||||
|
||||
/sbin/iptables-restore <<-EOF;
|
||||
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
|
||||
# eth0 is WAN interface, #eth1 is LAN interface
|
||||
-A POSTROUTING -o $WAN -j MASQUERADE
|
||||
|
||||
# NAT pinhole: SSH for git server from WAN to LAN
|
||||
-A PREROUTING -p tcp -d $WANIP --dport 22 -j DNAT --to-destination $GITIP:22
|
||||
|
||||
# NAT pinhole: HTTP from WAN to LAN
|
||||
-A PREROUTING -p tcp -m tcp -d $WANIP --dport 80 -j DNAT --to-destination $APACHEIP:80
|
||||
|
||||
# NAT pinhole: HTTPS from WAN to LAN
|
||||
-A PREROUTING -p tcp -m tcp -d $WANIP --dport 443 -j DNAT --to-destination $APACHEIP:443
|
||||
|
||||
# NAT pinhole: SSH for python server from WAN to LAN
|
||||
-A PREROUTING -p tcp -m tcp -d $WANIP --dport 2323 -j DNAT --to-destination $PYTHONIP:2323
|
||||
|
||||
# NAT pinhole: Mosh UDP on port 60000-60010 from WAN to LAN
|
||||
-A PREROUTING -p udp -m udp -d $WANIP --dport 60000:60010 -j DNAT --to-destination $PYTHONIP:60000-60010
|
||||
|
||||
# Rules to be able to use all the services from inside the LAN otherwise they only
|
||||
# work from outside
|
||||
-A POSTROUTING -p tcp -d $GITIP --dport 22 -j SNAT --to-source $WANIP
|
||||
-A POSTROUTING -p tcp -d $APACHEIP --dport 80 -j SNAT --to-source $WANIP
|
||||
-A POSTROUTING -p tcp -d $APACHEIP --dport 443 -j SNAT --to-source $WANIP
|
||||
-A POSTROUTING -p tcp -d $PYTHONIP --dport 2323 -j SNAT --to-source $WANIP
|
||||
-A POSTROUTING -p tcp -d $PYTHONIP --dport 60000:60010 -j SNAT --to-source $WANIP
|
||||
COMMIT
|
||||
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
|
||||
#### Service rules ####
|
||||
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p icmp -j ACCEPT
|
||||
-A INPUT -m state --state ESTABLISHED -j ACCEPT
|
||||
|
||||
# Open port 1194 to reach the OpenVPN service on the firewall
|
||||
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
|
||||
|
||||
# enable traceroute rejections to get sent out
|
||||
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
|
||||
|
||||
# SSH - accept from LAN
|
||||
-A INPUT -i $LAN -p tcp --dport 2222 -j ACCEPT
|
||||
|
||||
# drop all other inbound traffic
|
||||
-A INPUT -j DROP
|
||||
|
||||
#### Forwarding rules ####
|
||||
|
||||
# forward packets along established/related connections
|
||||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
# forward from LAN (eth1) to WAN (eth0)
|
||||
-A FORWARD -i $LAN -o $WAN -j ACCEPT
|
||||
|
||||
# forward from the VPN (tun0) to WAN (eth0)
|
||||
-A FORWARD -i tun0 -o $WAN -j ACCEPT
|
||||
# allow traffic from the LAN trough the VPN to the outside world
|
||||
-A FORWARD -i tun0 -o $LAN -j ACCEPT
|
||||
|
||||
# allow traffic from port 22
|
||||
-A FORWARD -p tcp -d $GITIP --dport 22 -j ACCEPT
|
||||
|
||||
# allow traffic from port 80
|
||||
-A FORWARD -p tcp -d $APACHEIP --dport 80 -j ACCEPT
|
||||
|
||||
# allow traffic from port 443
|
||||
-A FORWARD -p tcp -d $APACHEIP --dport 443 -j ACCEPT
|
||||
|
||||
# allow traffic from port 2323
|
||||
-A FORWARD -p tcp -d $PYTHONIP --dport 2323 -j ACCEPT
|
||||
|
||||
# allow traffic from port 60000-60010
|
||||
-A FORWARD -p udp -d $PYTHONIP --dport 60000:60010 -j ACCEPT
|
||||
|
||||
# drop all other forwarded traffic
|
||||
-A FORWARD -j DROP
|
||||
COMMIT
|
||||
EOF
|
||||
|
||||
echo "done."
|
|
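Review bot: The five hairpin SNAT rules under `# Rules to be able to use all the services from inside the LAN` match every packet addressed to the servers, including WAN connections that PREROUTING just DNATed, so the git, Apache and python hosts see `$WANIP` as the source of all external traffic and their logs, fail2ban-style blocking and per-client limits lose the real client address. Restrict the SNAT to LAN-originated connections with a source match, e.g. `-s $LANNET`; the servers sit in 10.7.89.x, but the actual eth1 subnet needs confirming. The mosh hairpin rule is `-p tcp --dport 60000:60010` while the matching DNAT and FORWARD rules are UDP, so LAN clients never get a working return path for mosh; it should be `-p udp`. `echo "done."` also prints when `iptables-restore` rejects the ruleset and leaves the previous one loaded; `|| { echo "iptables-restore failed" >&2; exit 1; }` on the restore makes that visible.
```shell
LANNET="10.7.89.0/24"   # TODO confirm: the LAN range behind $LAN; only this source gets hairpin-SNATed

# … unchanged: interface/IP variables, iptables-restore heredoc start, *nat header, DNAT pinholes …

# Hairpin SNAT only for LAN clients, so the servers keep seeing real WAN source addresses
-A POSTROUTING -s $LANNET -p tcp -d $GITIP --dport 22 -j SNAT --to-source $WANIP
-A POSTROUTING -s $LANNET -p tcp -d $APACHEIP --dport 80 -j SNAT --to-source $WANIP
-A POSTROUTING -s $LANNET -p tcp -d $APACHEIP --dport 443 -j SNAT --to-source $WANIP
-A POSTROUTING -s $LANNET -p tcp -d $PYTHONIP --dport 2323 -j SNAT --to-source $WANIP
-A POSTROUTING -s $LANNET -p udp -d $PYTHONIP --dport 60000:60010 -j SNAT --to-source $WANIP
COMMIT

# … unchanged: *filter table …
```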
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
|
||||
/usr/bin/ssh -i /home/andreas/.ssh/control borg@owncloud.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh -i /home/andreas/.ssh/control borg@ttrss.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh -i /home/andreas/.ssh/control borg@wiki.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh -i /home/andreas/.ssh/control borg@cms.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh -i /home/andreas/.ssh/control -p 2323 andreas@python.2li.local '/home/borg/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh -i /home/andreas/.ssh/control borg@forum.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh -i /home/andreas/.ssh/control borg@git.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh borg@project.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh borg@mariadb.2li.local '~/backup-to-fileserver.sh'
|
||||
/usr/bin/ssh borg@fileserver.2li.local '~/backup-to-fileserver.sh'
|
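Review bot: Every `ssh` here runs unconditionally and its exit status is discarded, so a host that is down, refuses the key, or whose `backup-to-fileserver.sh` fails is skipped silently and the script's own exit status reflects only the last host (`fileserver.2li.local`). Run the hosts through a small helper that passes `-o BatchMode=yes` (so a missing key or unknown host key fails instead of leaving a cron job hanging on a prompt), logs the failing host to stderr, and exits non-zero at the end. The last three hosts are invoked without `-i /home/andreas/.ssh/control`, unlike the others; if that is unintended, the helper makes it a one-token change per host. Since the `control` key can start a backup on every listed host, it is worth restricting it on the receiving side with `restrict,command="~/backup-to-fileserver.sh"` in each `authorized_keys` (outside this file, so not verifiable here).
```shell
#!/bin/bash
# Kick off backup-to-fileserver.sh on every host; report each failure and exit non-zero if any host failed.
set -u
KEY=/home/andreas/.ssh/control
rc=0

# run HOST REMOTE_CMD [SSH_OPTS...]: BatchMode so a missing key or unknown host key fails instead of prompting
run() {
  local host=$1 remote_cmd=$2; shift 2
  if ! /usr/bin/ssh -o BatchMode=yes "$@" "$host" "$remote_cmd"; then
    printf 'backup failed on %s\n' "$host" >&2
    rc=1
  fi
}

run borg@owncloud.2li.local '~/backup-to-fileserver.sh' -i "$KEY"
# … unchanged: ttrss, wiki, cms, forum, git invoked the same way …
run andreas@python.2li.local '/home/borg/backup-to-fileserver.sh' -i "$KEY" -p 2323
run borg@project.2li.local '~/backup-to-fileserver.sh'
# … unchanged: mariadb, fileserver invoked the same way …
exit "$rc"
```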