restructure

I've created a new structure to better differentiate between desktop, server and general scripts.
2016-08-24 13:57:08 +02:00 · 2016-08-24 13:57:08 +02:00 · 6351ed5f8b
parent 6f48807b22
commit 6351ed5f8b
11 changed files with 121 additions and 8 deletions
--- a/backup/backup-to-fileserver.sh
+++ b/backup/backup-to-fileserver.sh
@ -1,8 +0,0 @@
-#!/bin/bash
-
-export BORG_REPO='borg@192.168.1.1:/mnt/sda/backup/python'
-export BORG_PASSPHRASE=Password
-
-borg create -v --stats ::$(hostusename)_$(date +%Y-%m-%d) /home/user/
-
-borg prune --prefix $(hostname)_201* --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=1
--- a/desktop/scripts_for_i3/dmenu-bind
+++ b/desktop/scripts_for_i3/dmenu-bind
--- a/desktop/scripts_for_i3/exit_script
+++ b/desktop/scripts_for_i3/exit_script
--- a/desktop/scripts_for_i3/search
+++ b/desktop/scripts_for_i3/search
--- a/general/backup/borg-backup.sh
+++ b/general/backup/borg-backup.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+export BORG_REPO='borg@finoglio.2li.local:/mnt/sda/backup/python'
+export BORG_PASSPHRASE=Password
+
+borg create -v --stats ::$(hostname)_$(date -I) /home/andreas/
+
+borg prune --prefix $(hostname)_201 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=1
--- a/general/backup/rsync-backup.sh
+++ b/general/backup/rsync-backup.sh
--- a/general/journal/journal_readme.md
+++ b/general/journal/journal_readme.md
--- a/general/journal/mcj.sh
+++ b/general/journal/mcj.sh
--- a/general/journal/nje.sh
+++ b/general/journal/nje.sh
--- a/server/firewall/iptables
+++ b/server/firewall/iptables
@ -0,0 +1,101 @@
+#!/bin/bash
+IPT=/sbin/iptables
+WAN="eth0"
+LAN="eth1"
+WANIP="5.172.137.57"
+GITIP="10.7.89.109"
+APACHEIP="10.7.89.100"
+PYTHONIP="10.7.89.106"
+
+/sbin/iptables-restore <<-EOF;
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# eth0 is WAN interface, #eth1 is LAN interface
+-A POSTROUTING -o $WAN -j MASQUERADE
+
+# NAT pinhole: SSH for git server from WAN to LAN
+-A PREROUTING -p tcp -d $WANIP --dport 22 -j DNAT --to-destination $GITIP:22
+
+# NAT pinhole: HTTP from WAN to LAN
+-A PREROUTING -p tcp -m tcp -d $WANIP --dport 80 -j DNAT --to-destination $APACHEIP:80
+
+# NAT pinhole: HTTPS from WAN to LAN
+-A PREROUTING -p tcp -m tcp -d $WANIP --dport 443 -j DNAT --to-destination $APACHEIP:443
+
+# NAT pinhole: SSH for python server from WAN to LAN
+-A PREROUTING -p tcp -m tcp -d $WANIP --dport 2323 -j DNAT --to-destination $PYTHONIP:2323
+
+# NAT pinhole: Mosh UDP on port 60000-60010 from WAN to LAN
+-A PREROUTING -p udp -m udp -d $WANIP --dport 60000:60010 -j DNAT --to-destination $PYTHONIP:60000-60010
+
+# Rules to be able to use all the services from inside the LAN otherwise they only
+# work from outside
+-A POSTROUTING -p tcp -d $GITIP --dport 22 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $APACHEIP --dport 80 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $APACHEIP --dport 443 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $PYTHONIP --dport 2323 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $PYTHONIP --dport 60000:60010 -j SNAT --to-source $WANIP
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+#### Service rules ####
+# basic global accept rules - ICMP, loopback, traceroute, established all accepted
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+
+# Open port 1194 to reach the OpenVPN service on the firewall
+-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
+
+# enable traceroute rejections to get sent out
+-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
+
+# SSH - accept from LAN
+-A INPUT -i $LAN -p tcp --dport 2222 -j ACCEPT
+
+# drop all other inbound traffic
+-A INPUT -j DROP
+
+#### Forwarding rules ####
+
+# forward packets along established/related connections
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# forward from LAN (eth1) to WAN (eth0)
+-A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+# forward from the VPN (tun0) to WAN (eth0)
+-A FORWARD -i tun0 -o $WAN -j ACCEPT
+# allow traffic from the LAN trough the VPN to the outside world
+-A FORWARD -i tun0 -o $LAN -j ACCEPT
+
+# allow traffic from port 22
+-A FORWARD -p tcp -d $GITIP --dport 22 -j ACCEPT
+
+# allow traffic from port 80
+-A FORWARD -p tcp -d $APACHEIP --dport 80 -j ACCEPT
+
+# allow traffic from port 443
+-A FORWARD -p tcp -d $APACHEIP --dport 443 -j ACCEPT
+
+# allow traffic from port 2323
+-A FORWARD -p tcp -d $PYTHONIP --dport 2323 -j ACCEPT
+
+# allow traffic from port 60000-60010
+-A FORWARD -p udp -d $PYTHONIP --dport 60000:60010 -j ACCEPT
+
+# drop all other forwarded traffic
+-A FORWARD -j DROP
+COMMIT
+EOF
+
+echo "done."
--- a/server/management/backup-all-servers.sh
+++ b/server/management/backup-all-servers.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@owncloud.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@ttrss.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@wiki.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@cms.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control -p 2323 andreas@python.2li.local '/home/borg/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@forum.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@git.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh borg@project.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh borg@mariadb.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh borg@fileserver.2li.local '~/backup-to-fileserver.sh'