From 6351ed5f8bd0f49e23e62814849ee8de8b25aecf Mon Sep 17 00:00:00 2001
From: Andreas
Date: Wed, 24 Aug 2016 13:57:08 +0200
Subject: [PATCH] restructure
I've created a new structure to better differentiate between desktop, server and general scripts.
---
 backup/backup-to-fileserver.sh | 8 --
 .../scripts_for_i3}/dmenu-bind | 0
 .../scripts_for_i3}/exit_script | 0
 .../scripts_for_i3}/search | 0
 general/backup/borg-backup.sh | 8 ++
 .../backup/rsync-backup.sh | 0
 .../journal}/journal_readme.md | 0
 {journal => general/journal}/mcj.sh | 0
 {journal => general/journal}/nje.sh | 0
 server/firewall/iptables | 101 ++++++++++++++++++
 server/management/backup-all-servers.sh | 12 +++
 11 files changed, 121 insertions(+), 8 deletions(-)
 delete mode 100755 backup/backup-to-fileserver.sh
 rename {scripts_for_i3 => desktop/scripts_for_i3}/dmenu-bind (100%)
 rename {scripts_for_i3 => desktop/scripts_for_i3}/exit_script (100%)
 rename {scripts_for_i3 => desktop/scripts_for_i3}/search (100%)
 create mode 100755 general/backup/borg-backup.sh
 rename backup/backup.sh => general/backup/rsync-backup.sh (100%)
 rename {journal => general/journal}/journal_readme.md (100%)
 rename {journal => general/journal}/mcj.sh (100%)
 rename {journal => general/journal}/nje.sh (100%)
 create mode 100755 server/firewall/iptables
 create mode 100755 server/management/backup-all-servers.sh
diff --git a/backup/backup-to-fileserver.sh b/backup/backup-to-fileserver.sh
deleted file mode 100755
index 7b683b1..0000000
--- a/backup/backup-to-fileserver.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-export BORG_REPO='borg@192.168.1.1:/mnt/sda/backup/python'
-export BORG_PASSPHRASE=Password
-
-borg create -v --stats ::$(hostusename)_$(date +%Y-%m-%d) /home/user/
-
-borg prune --prefix $(hostname)_201* --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=1
diff --git a/scripts_for_i3/dmenu-bind b/desktop/scripts_for_i3/dmenu-bind
similarity index 100%
rename from scripts_for_i3/dmenu-bind
rename to desktop/scripts_for_i3/dmenu-bind
diff --git a/scripts_for_i3/exit_script b/desktop/scripts_for_i3/exit_script
similarity index 100%
rename from scripts_for_i3/exit_script
rename to desktop/scripts_for_i3/exit_script
diff --git a/scripts_for_i3/search b/desktop/scripts_for_i3/search
similarity index 100%
rename from scripts_for_i3/search
rename to desktop/scripts_for_i3/search
diff --git a/general/backup/borg-backup.sh b/general/backup/borg-backup.sh
new file mode 100755
index 0000000..3390642
--- /dev/null
+++ b/general/backup/borg-backup.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+export BORG_REPO='borg@finoglio.2li.local:/mnt/sda/backup/python'
+export BORG_PASSPHRASE=Password
+
+borg create -v --stats ::$(hostname)_$(date -I) /home/andreas/
+
+borg prune --prefix $(hostname)_201 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=1
diff --git a/backup/backup.sh b/general/backup/rsync-backup.sh
similarity index 100%
rename from backup/backup.sh
rename to general/backup/rsync-backup.sh
diff --git a/journal/journal_readme.md b/general/journal/journal_readme.md
similarity index 100%
rename from journal/journal_readme.md
rename to general/journal/journal_readme.md
diff --git a/journal/mcj.sh b/general/journal/mcj.sh
similarity index 100%
rename from journal/mcj.sh
rename to general/journal/mcj.sh
diff --git a/journal/nje.sh b/general/journal/nje.sh
similarity index 100%
rename from journal/nje.sh
rename to general/journal/nje.sh
diff --git a/server/firewall/iptables b/server/firewall/iptables
new file mode 100755
index 0000000..a35b072
--- /dev/null
+++ b/server/firewall/iptables
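Review bot: `export BORG_PASSPHRASE=Password` in general/backup/borg-backup.sh places the repository passphrase in a script that is committed to this repository and exported into the environment of every child process; it should be read at run time from a mode-600 file outside the repo, e.g. `export BORG_PASSPHRASE="$(cat "$BORG_PASSFILE")"` with `BORG_PASSFILE` a placeholder for that path, or supplied via `BORG_PASSCOMMAND` where the installed borg supports it. The script also has no `set -e` and never checks the status of `borg create`, so `borg prune` runs even when the new archive was not created and the script's exit status only reflects the prune; `borg create … || exit 1` before the prune, or `set -euo pipefail` at the top, makes a failed backup visible to whatever invokes this. The `$(hostname)` expansions are unquoted and would word-split on an unusual hostname; `"$(hostname)_$(date -I)"` is the safer form.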
@@ -0,0 +1,101 @@
+#!/bin/bash
+IPT=/sbin/iptables
+WAN="eth0"
+LAN="eth1"
+WANIP="5.172.137.57"
+GITIP="10.7.89.109"
+APACHEIP="10.7.89.100"
+PYTHONIP="10.7.89.106"
+
+/sbin/iptables-restore <<-EOF;
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# eth0 is WAN interface, #eth1 is LAN interface
+-A POSTROUTING -o $WAN -j MASQUERADE
+
+# NAT pinhole: SSH for git server from WAN to LAN
+-A PREROUTING -p tcp -d $WANIP --dport 22 -j DNAT --to-destination $GITIP:22
+
+# NAT pinhole: HTTP from WAN to LAN
+-A PREROUTING -p tcp -m tcp -d $WANIP --dport 80 -j DNAT --to-destination $APACHEIP:80
+
+# NAT pinhole: HTTPS from WAN to LAN
+-A PREROUTING -p tcp -m tcp -d $WANIP --dport 443 -j DNAT --to-destination $APACHEIP:443
+
+# NAT pinhole: SSH for python server from WAN to LAN
+-A PREROUTING -p tcp -m tcp -d $WANIP --dport 2323 -j DNAT --to-destination $PYTHONIP:2323
+
+# NAT pinhole: Mosh UDP on port 60000-60010 from WAN to LAN
+-A PREROUTING -p udp -m udp -d $WANIP --dport 60000:60010 -j DNAT --to-destination $PYTHONIP:60000-60010
+
+# Rules to be able to use all the services from inside the LAN otherwise they only
+# work from outside
+-A POSTROUTING -p tcp -d $GITIP --dport 22 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $APACHEIP --dport 80 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $APACHEIP --dport 443 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $PYTHONIP --dport 2323 -j SNAT --to-source $WANIP
+-A POSTROUTING -p tcp -d $PYTHONIP --dport 60000:60010 -j SNAT --to-source $WANIP
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+#### Service rules ####
+# basic global accept rules - ICMP, loopback, traceroute, established all accepted
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+
+# Open port 1194 to reach the OpenVPN service on the firewall
+-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
+
+# enable traceroute rejections to get sent out
+-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
+
+# SSH - accept from LAN
+-A INPUT -i $LAN -p tcp --dport 2222 -j ACCEPT
+
+# drop all other inbound traffic
+-A INPUT -j DROP
+
+#### Forwarding rules ####
+
+# forward packets along established/related connections
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# forward from LAN (eth1) to WAN (eth0)
+-A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+# forward from the VPN (tun0) to WAN (eth0)
+-A FORWARD -i tun0 -o $WAN -j ACCEPT
+# allow traffic from the LAN trough the VPN to the outside world
+-A FORWARD -i tun0 -o $LAN -j ACCEPT
+
+# allow traffic from port 22
+-A FORWARD -p tcp -d $GITIP --dport 22 -j ACCEPT
+
+# allow traffic from port 80
+-A FORWARD -p tcp -d $APACHEIP --dport 80 -j ACCEPT
+
+# allow traffic from port 443
+-A FORWARD -p tcp -d $APACHEIP --dport 443 -j ACCEPT
+
+# allow traffic from port 2323
+-A FORWARD -p tcp -d $PYTHONIP --dport 2323 -j ACCEPT
+
+# allow traffic from port 60000-60010
+-A FORWARD -p udp -d $PYTHONIP --dport 60000:60010 -j ACCEPT
+
+# drop all other forwarded traffic
+-A FORWARD -j DROP
+COMMIT
+EOF
+
+echo "done."
diff --git a/server/management/backup-all-servers.sh b/server/management/backup-all-servers.sh
new file mode 100755
index 0000000..6617aaf
--- /dev/null
+++ b/server/management/backup-all-servers.sh
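Review bot: The comment `# allow traffic from the LAN trough the VPN to the outside world` does not describe the rule beneath it, `-A FORWARD -i tun0 -o $LAN -j ACCEPT`, which admits any VPN client into the LAN; either the comment should say that (`# allow VPN clients (tun0) to reach the LAN`) or, if LAN-to-VPN was intended, the `-i`/`-o` interfaces are swapped and LAN hosts currently only reach the VPN via the RELATED,ESTABLISHED rule. The INPUT chain accepts only `-m state --state ESTABLISHED` while FORWARD uses `-m conntrack --ctstate RELATED,ESTABLISHED`; using the conntrack form with RELATED in INPUT as well keeps the two chains consistent and avoids the older `state` match. `IPT=/sbin/iptables` is assigned but never used, and the trailing `;` on `/sbin/iptables-restore <<-EOF;` is harmless but easy to misread as part of the delimiter.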
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@owncloud.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@ttrss.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@wiki.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@cms.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control -p 2323 andreas@python.2li.local '/home/borg/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@forum.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh -i /home/andreas/.ssh/control borg@git.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh borg@project.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh borg@mariadb.2li.local '~/backup-to-fileserver.sh'
+/usr/bin/ssh borg@fileserver.2li.local '~/backup-to-fileserver.sh'
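Review bot: Every `/usr/bin/ssh` line runs unconditionally and its exit status is discarded, so a host whose backup fails (unreachable, key rejected, remote script error) is skipped silently and the script's own status reflects only the last host, `borg@fileserver.2li.local`. Routing the calls through a small helper that records failures and exiting non-zero at the end makes a partial run visible to whatever schedules this. The last three hosts are called without `-i /home/andreas/.ssh/control` while the others pass it; presumably the default key is meant there, but a one-line comment saying so would stop a reader from treating it as an omission. Since the control key can start a backup on every server, the matching `authorized_keys` entries on those servers are the place to pin it with a `command=` forced command and `no-port-forwarding`, so the key cannot be used for anything else.
```shell
#!/bin/bash
set -u

# Run one backup over ssh; record the failure instead of aborting so the
# remaining hosts are still attempted.
failed=0
run_backup() {
  if ! /usr/bin/ssh "$@"; then
    printf 'backup failed: ssh %s\n' "$*" >&2
    failed=1
  fi
}

run_backup -i /home/andreas/.ssh/control borg@owncloud.2li.local '~/backup-to-fileserver.sh'
# … remaining hosts: same arguments as before, each called through run_backup …
run_backup borg@fileserver.2li.local '~/backup-to-fileserver.sh'

exit "$failed"
```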