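#!/bin/sh
### Network Configure. ###
# Network Address    192.168.253.
# Subnet Mask        255.255.255.0
# SSID1              RPi-SSID1
# wpa_passphrase1    YourPassPhrase1
#
# [Uplink]
# AccessPoint1SSID   Tethering1
# AccessPoint1PASS   AP1PASS
# ###IfEnableAccessPoint2.RemoveThisTag###
# AccessPoint2SSID   Tethering2
# AccessPoint2PASS   AP2PASS
###############################
#
# Provisioning script for a Raspberry Pi Wi-Fi router / filtering proxy.
# Runs as root, non-interactively, on an el7 (CentOS 7) system; it installs
# and configures the network interfaces, iptables, dhcpd, BIND, httpd,
# squid, hostapd and webmin, and ends with `poweroff`.
#
# The values listed in the header above are the tokens that must be
# substituted throughout this file before it is run.  The two passphrases
# (AP1PASS / YourPassPhrase1) end up in plain text on disk
# (keys-Tethering1 and hostapd.conf), so treat this file itself as a secret
# once filled in.
#
# Lines tagged ###IfEnableAccessPoint2.RemoveThisTag### are a second,
# disabled uplink profile; strip the tag to enable it.
#
# Note: the heredocs below are intentionally unquoted (`<< EOF`) where the
# written file needs command substitution; files that need no expansion use
# a quoted delimiter (`<< 'EOF'`) so a stray `$` can never expand.

## EXEC fstrim.
sync
/sbin/fstrim /
sync

### Create ifcfg-wlan0 (Wireless Uplinks).
## Remove wlan0.
# ifdown may fail when the interface is already down; that is acceptable.
ifdown wlan0
rm -f /etc/sysconfig/network-scripts/ifcfg-wlan0

## SSID:Tethering1.
# Uplink profile for wlan0; DEVICE/HWADDR are left commented so NetworkManager
# matches the profile by ESSID.  DNS is pinned to the local BIND (127.0.0.1)
# with PEERDNS=no so the tethering provider's resolver is never used.
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-Tethering1
# wlan0
#DEVICE="wlan0"
#HWADDR="`cat /sys/class/net/wlan0/address`"
ESSID="Tethering1"
MODE=Managed
KEY_MGMT=WPA-PSK
TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=Tethering1
#UUID="`uuidgen`"
ONBOOT=yes
MTU=1438
MAC_ADDRESS_RANDOMIZATION=default
PEERDNS=no
PEERROUTES=yes
IPV6_PEERDNS=no
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
DNS1=127.0.0.1
EOF
# The PSK lives in a separate keys-* file; restrict it to root since it is
# written with the process umask rather than by NetworkManager.
echo "WPA_PSK='AP1PASS'" > /etc/sysconfig/network-scripts/keys-Tethering1
chmod 600 /etc/sysconfig/network-scripts/keys-Tethering1

###IfEnableAccessPoint2.RemoveThisTag#####  SSID:Tethering2.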
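# Second uplink profile (Tethering2), disabled by the RemoveThisTag prefix.
# Once the tag is stripped it mirrors the Tethering1 profile above, including
# the root-only keys-* file.
###IfEnableAccessPoint2.RemoveThisTag###cat << EOF > /etc/sysconfig/network-scripts/ifcfg-Tethering2
###IfEnableAccessPoint2.RemoveThisTag#### wlan0
###IfEnableAccessPoint2.RemoveThisTag####DEVICE="wlan0"
###IfEnableAccessPoint2.RemoveThisTag####HWADDR="`cat /sys/class/net/wlan0/address`"
###IfEnableAccessPoint2.RemoveThisTag###ESSID="Tethering2"
###IfEnableAccessPoint2.RemoveThisTag###MODE=Managed
###IfEnableAccessPoint2.RemoveThisTag###KEY_MGMT=WPA-PSK
###IfEnableAccessPoint2.RemoveThisTag###TYPE=Wireless
###IfEnableAccessPoint2.RemoveThisTag###BOOTPROTO=dhcp
###IfEnableAccessPoint2.RemoveThisTag###DEFROUTE=yes
###IfEnableAccessPoint2.RemoveThisTag###IPV4_FAILURE_FATAL=no
###IfEnableAccessPoint2.RemoveThisTag###IPV6INIT=yes
###IfEnableAccessPoint2.RemoveThisTag###IPV6_AUTOCONF=yes
###IfEnableAccessPoint2.RemoveThisTag###IPV6_DEFROUTE=yes
###IfEnableAccessPoint2.RemoveThisTag###IPV6_FAILURE_FATAL=no
###IfEnableAccessPoint2.RemoveThisTag###IPV6_ADDR_GEN_MODE=stable-privacy
###IfEnableAccessPoint2.RemoveThisTag###NAME=Tethering2
###IfEnableAccessPoint2.RemoveThisTag####UUID="`uuidgen`"
###IfEnableAccessPoint2.RemoveThisTag###ONBOOT=yes
###IfEnableAccessPoint2.RemoveThisTag###MTU=1438
###IfEnableAccessPoint2.RemoveThisTag###MAC_ADDRESS_RANDOMIZATION=default
###IfEnableAccessPoint2.RemoveThisTag###PEERDNS=no
###IfEnableAccessPoint2.RemoveThisTag###PEERROUTES=yes
###IfEnableAccessPoint2.RemoveThisTag###IPV6_PEERDNS=no
###IfEnableAccessPoint2.RemoveThisTag###IPV6_PEERROUTES=yes
###IfEnableAccessPoint2.RemoveThisTag###IPV6_PRIVACY=no
###IfEnableAccessPoint2.RemoveThisTag###DNS1=127.0.0.1
###IfEnableAccessPoint2.RemoveThisTag###EOF
###IfEnableAccessPoint2.RemoveThisTag###
###IfEnableAccessPoint2.RemoveThisTag###echo "WPA_PSK='AP2PASS'" > /etc/sysconfig/network-scripts/keys-Tethering2
###IfEnableAccessPoint2.RemoveThisTag###chmod 600 /etc/sysconfig/network-scripts/keys-Tethering2

## Create ifcfg-wlan1.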
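# wlan1 is the access-point side: static 192.168.253.1/24, not managed by
# NetworkManager (hostapd takes it over later).
touch /etc/sysconfig/network
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-wlan1
# wlan1
DEVICE="wlan1"
NAME="wlan1"
TYPE="Wireless"
MODE="Auto"
NM_CONTROLLED="no"
BOOTPROTO="none"
BROADCAST="192.168.253.255"
IPADDR="192.168.253.1"
NETMASK="255.255.255.0"
NETWORK="192.168.253.0"
DEFROUTE="no"
ONBOOT="yes"
#HWADDR="`cat /sys/class/net/wlan1/address`"
UUID="`uuidgen`"
EOF

## Restart network.
service NetworkManager restart
service network restart

## Enable IP Forward.
# Overwrites router.conf; the generated iptables.sh appends the hardening
# sysctls to the same file.
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/router.conf
sysctl -p /etc/sysctl.d/router.conf

## Configure iptables.
# The firewall script is generated into /root/sbin and run once now; the
# rules are then persisted with iptables.init save.  The heredoc is unquoted,
# so `$` and backticks that must survive into the generated file are escaped.
mkdir -p /root/sbin
cat << EOF > /root/sbin/iptables.sh
#! /bin/sh
# Stop firewall. (Rule flush)
/bin/systemctl stop iptables.service

# Configure Default Rule.
iptables -P INPUT   DROP    # Drop input.
iptables -P OUTPUT  ACCEPT  # Allow send.
iptables -P FORWARD DROP    # Drop forward.

# Allow localhost.
iptables -A INPUT -i lo -j ACCEPT

# Allow localnet and Trusted segment.
# Everything from the AP subnet is accepted here, so the NetBIOS rules below
# only ever see traffic from the uplink side.
iptables -A INPUT -s 192.168.253.0/255.255.255.0 -j ACCEPT

# Allow established.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable SYN Cookies.
# Mitigate for TCP SYN Flood attack.
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.d/router.conf
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/router.conf

# Reject echo for broadcast ping.
# Mitigate for Smurf attack.
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.d/router.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.d/router.conf

# Drop ICMP Redirect.
# Iterate the per-interface sysctl directories with a glob instead of
# parsing ls output.
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.d/router.conf
for path in /proc/sys/net/ipv4/conf/*
do
  dev=\${path##*/}
  sysctl -w net.ipv4.conf.\$dev.accept_redirects=0 > /dev/null
  echo "net.ipv4.conf.\$dev.accept_redirects=0" >> /etc/sysctl.d/router.conf
done

# Drop Source Routed.
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.d/router.conf
for path in /proc/sys/net/ipv4/conf/*
do
  dev=\${path##*/}
  sysctl -w net.ipv4.conf.\$dev.accept_source_route=0 > /dev/null
  echo "net.ipv4.conf.\$dev.accept_source_route=0" >> /etc/sysctl.d/router.conf
done
sysctl -p /etc/sysctl.d/router.conf

# Drop fragmented packet.
#iptables -A INPUT -f -j LOG --log-level debug --log-prefix '[IPTABLES FRAGMENT] : '
#iptables -A INPUT -f -j DROP

# Drop NetBIOS packets.
iptables -A INPUT ! -s 192.168.253.0/255.255.255.0 -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT ! -s 192.168.253.0/255.255.255.0 -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT ! -d 192.168.253.0/255.255.255.0 -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT ! -d 192.168.253.0/255.255.255.0 -p udp -m multiport --sports 135,137,138,139,445 -j DROP

# Drop broadcast packets.
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Configure for Router mode.
# The user chain created by -N is in the filter table and is never
# referenced; the nat-table POSTROUTING rule below is what does the NAT.
iptables -N POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.253.0/255.255.255.0 ! -d 192.168.253.0/255.255.255.0 -j MASQUERADE
# Terminal INPUT rule: anything not accepted above is rejected here, so the
# INPUT LOG/DROP pair under "Drop other" is never reached.
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarding: replies back to the AP subnet, and anything originating from
# the AP subnet on wlan1 (no per-port restriction on LAN clients).
iptables -A FORWARD -d 192.168.253.0/255.255.255.0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.253.0/255.255.255.0 -i wlan1 -j ACCEPT
iptables -A FORWARD -i wlan1 -o wlan1 -j ACCEPT
iptables -A FORWARD -o wlan1 -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -i wlan1 -j REJECT --reject-with icmp-port-unreachable

# Drop other.
iptables -A INPUT -m limit --limit 1/s -j LOG --log-level debug --log-prefix '[IPTABLES INPUT] : '
iptables -A INPUT -j DROP
iptables -A FORWARD -m limit --limit 1/s -j LOG --log-level debug --log-prefix '[IPTABLES FORWARD] : '
iptables -A FORWARD -j DROP

# Save rules.
/usr/libexec/iptables/iptables.init save

# Boot firewall.
/bin/systemctl start iptables.service
EOF
chmod 700 /root/sbin/iptables.sh
/root/sbin/iptables.sh
systemctl enable iptables.service
systemctl start iptables.service

## Install DHCP Server.
# Leases 192.168.253.50-99; clients are pointed at this host for DNS and as
# default gateway.  Kept as one append so the file content matches what the
# later wpad sed (matching "default-lease-time 600;") expects.
yum -y install dhcp
cp -piav /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.org
cat << EOF >> /etc/dhcp/dhcpd.conf
option domain-name "$(hostname -s).private";
option domain-name-servers 192.168.253.1;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.253.0 netmask 255.255.255.0 {
 range dynamic-bootp 192.168.253.50 192.168.253.99;
 option broadcast-address 192.168.253.255;
 option routers 192.168.253.1;
}
EOF
systemctl enable dhcpd.service
systemctl start dhcpd.service

## Install DNS Server.
# Caching/forwarding resolver in a chroot, slaving the root and arpa zones
# from ICANN and hosting the ad-block zones.  No `$` in this file, so the
# delimiter is quoted.
yum -y install bind-chroot
cp -piav /etc/named.conf /etc/named.conf.org
cat << 'EOF' > /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	version "unknown";
	// Listens on every IPv4 address and answers recursive queries from
	// anyone; the only thing keeping this from being an open resolver on
	// the uplink side is the iptables INPUT policy (DROP except the
	// 192.168.253.0/24 segment).  Keep the two in sync.
	listen-on port 53 { any; };
	listen-on-v6 port 53 { none; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	// Those options should be used carefully because they disable port
	// randomization
	// query-source port 53;
	// query-source-v6 port 53;

	allow-query { any; };
	allow-query-cache { any; };
	max-cache-size 128M;
	max-ncache-ttl 15;
	// max-cache-ttl 3600;
	lame-ttl 15;
	notify no;

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;
	recursive-clients 10240;
	clients-per-query 5120;
	max-clients-per-query 10240;
	empty-zones-enable yes;
	masterfile-format text;

	forward only;
	forwarders{
		8.8.8.8;
		8.8.4.4;
	};
	// filter-aaaa-on-v4 no;

	// DNSSEC validation is switched off, so answers from the forwarders
	// are accepted unverified.
	dnssec-enable no;
	dnssec-validation no;
	dnssec-lookaside no;

	// /* Path to ISC DLV key */
	// bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

//////////////
// rndc key //
//////////////
include "/etc/rndc.key";
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
	// inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
};

/////////
// log //
/////////
logging {
	channel default_syslog {
		syslog daemon;
		severity info;
	};
	channel default_logfile {
		file "/var/log/bind/bind.log" versions 10;
		severity dynamic;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel query_logfile {
		file "/var/log/bind/query.log" versions 10 size 10m;
		severity info;
		print-severity yes;
		print-time yes;
	};
	channel notify_logfile {
		file "/var/log/bind/notify.log" versions 10 size 5m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel xfer-in_logfile {
		file "/var/log/bind/xfer-in.log" versions 10 size 5m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel xfer-out_logfile {
		file "/var/log/bind/xfer-out.log" versions 10 size 5m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel security_logfile {
		file "/var/log/bind/security.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel update_logfile {
		file "/var/log/bind/update.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel update-security_logfile {
		file "/var/log/bind/update-security.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel lame-servers_logfile {
		file "/var/log/bind/lame-servers.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel dnssec_logfile {
		file "/var/log/bind/dnssec.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel edns-disabled_logfile {
		file "/var/log/bind/edns-disabled.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel null {
		null;
	};

	category default { default_logfile; };
	category general { default_logfile; };
	category config { default_logfile; };
	category queries { query_logfile; };
	category notify { notify_logfile; };
	category xfer-in { xfer-in_logfile; };
	category xfer-out { xfer-out_logfile; };
	category security { security_logfile; };
	category update { update_logfile; };
	category update-security { update-security_logfile; };
	category lame-servers { lame-servers_logfile; };
	category dnssec { dnssec_logfile; };
	category edns-disabled { edns-disabled_logfile; };
	category resolver { null; };
};

///////////////
// View List //
///////////////
//zone "." IN {
//	type hint;
//	file "named.ca";
//};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/icann.zones";
include "/etc/named/block.zones";
EOF

# Root/arpa zones slaved from the ICANN xfr servers (no TSIG in use here).
cat << 'EOF' > /etc/named/icann.zones
zone "." IN {
	type slave;
	file "/var/named/slaves/root.zone";
	masters {
		192.0.32.132;	// lax.xfr.dns.icann.org.
		192.0.47.132;	// iad.xfr.dns.icann.org.
	};
};

zone "in-addr.arpa" IN {
	type slave;
	file "/var/named/slaves/in-addr.arpa";
	masters {
		192.0.32.132;	// lax.xfr.dns.icann.org.
		192.0.47.132;	// iad.xfr.dns.icann.org.
	};
};

zone "arpa" IN {
	type slave;
	file "/var/named/slaves/arpa.zone";
	masters {
		192.0.32.132;	// lax.xfr.dns.icann.org.
		192.0.47.132;	// iad.xfr.dns.icann.org.
	};
};

zone "root-servers.net" IN {
	type slave;
	file "/var/named/slaves/root-servers.net.zone";
	masters {
		192.0.32.132;	// lax.xfr.dns.icann.org.
		192.0.47.132;	// iad.xfr.dns.icann.org.
	};
};

zone "ip6.arpa" IN {
	type slave;
	file "/var/named/slaves/ip6.arpa.zone";
	masters {
		192.0.32.132;	// lax.xfr.dns.icann.org.
		192.0.47.132;	// iad.xfr.dns.icann.org.
	};
};

zone "ip6-servers.arpa" IN {
	type slave;
	file "/var/named/slaves/ip6-servers.arpa.zone";
	masters {
		192.0.32.132;	// lax.xfr.dns.icann.org.
		192.0.47.132;	// iad.xfr.dns.icann.org.
	};
};

zone "mcast.net" IN {
	type slave;
	file "/var/named/slaves/mcast.net.zone";
	masters {
		192.0.32.132;	// lax.xfr.dns.icann.org.
		192.0.47.132;	// iad.xfr.dns.icann.org.
	};
};
EOF

# Empty ad-block zone file; it is regenerated by named_blockzones.sh later.
cat << 'EOF' > /etc/named/block.zones
// TEMPLATE
//zone "example.com" IN {
//	type master;
//	file "named.localhost";
//	allow-update { none; };
//};
EOF

# Log directory inside the chroot, exposed at /var/log/bind for convenience.
mkdir -p /var/named/chroot/var/log/bind
chown named. /var/named/chroot/var/log/bind
ln -s /var/named/chroot/var/log/bind /var/log/bind
cp -piav /etc/sysconfig/named /etc/sysconfig/named.org
echo OPTIONS=\"-4 -S 10240\" >> /etc/sysconfig/named
systemctl enable named-chroot
systemctl start named-chroot

## Install Web Server.
# httpd is rebuilt locally from the CentOS SRPM into the tsc/tsc-source
# repos.  The rpmbuild tree under /home/admin and the tsc repos are assumed
# to exist already; nothing in this script creates them.
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; yumdownloader --source httpd"
su - admin -c "rpm -ivh /home/admin/rpmbuild/SRPMS/httpd*.src.rpm"
# This comments out the spec's ".cve8743" patch, so the rebuilt httpd ships
# without that security fix.  The reason is not recorded here — TODO confirm
# it is still needed (presumably a compatibility issue with the proxy setup
# below) and document it, or drop this line.
sed -i -e 's/^%patch212 -p1 -b .cve8743/#%patch212 -p1 -b .cve8743/g' /home/admin/rpmbuild/SPECS/httpd.spec
su - admin -c "rpmbuild -bs --define 'dist .el7.tsc' /home/admin/rpmbuild/SPECS/httpd.spec"
yum-builddep -y /home/admin/rpmbuild/SPECS/httpd.spec
su - admin -c "rpmbuild --rebuild --define 'dist .el7.tsc' /home/admin/rpmbuild/SRPMS/httpd*.el7.tsc*.src.rpm"
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; createrepo ."
su - admin -c "cd /home/admin/rpmbuild/RPMS/ ; createrepo ."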
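# Pin httpd to the locally rebuilt package: exclude it from base/updates so
# a stock update cannot replace it.
cp -piav /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.org
sed -i -e 's/^\[base\]/[base]\nexclude=httpd\*/g' /etc/yum.repos.d/CentOS-Base.repo
sed -i -e 's/^\[updates\]/[updates]\nexclude=httpd\*/g' /etc/yum.repos.d/CentOS-Base.repo
yum --disablerepo=\* --enablerepo=tsc,tsc-source clean all
yum -y install httpd perl-Net-SSLeay
cp -piav /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.org
# Enable the CGI handler (the web_proxy CGI below depends on it).
sed -i -e 's/#AddHandler cgi-script .cgi/#AddHandler cgi-script .cgi\n AddHandler cgi-script .cgi/g' /etc/httpd/conf/httpd.conf
sed -i -e 's/^AddDefaultCharset UTF-8/#AddDefaultCharset UTF-8/g' /etc/httpd/conf/httpd.conf
systemctl enable httpd.service
systemctl start httpd.service

## Set index.html.
# NOTE(review): the HTML markup that wrapped this text was lost when the
# script was extracted; only the visible text survived.  Restore the original
# markup if the placeholder page matters.
cat << 'EOF' > /var/www/html/index.html
<!-- placeholder page: original markup lost in extraction -->
Web Proxy
EOF

## Set Web Proxy.
# Third-party CGI fetched over plain HTTP with no checksum or signature
# verification, then made executable under the web root; the sysdata dirs
# are made world-writable (707) so the httpd user can write to them.
# Verify the archive out of band before relying on it, and prefer
# `chown apache` over mode 707 if tightening this later.
cd /var/www/cgi-bin/ || exit 1
mkdir -p ./web_proxy
cd ./web_proxy/ || exit 1
wget -N http://ftp.vector.co.jp/36/14/1344/web_proxy_1_7_8.zip
unzip web_proxy_1_7_8.zip
chmod 705 ./web_proxy.cgi
chmod 707 ./sysdata/
chmod 707 ./sysdata/logs/
chmod 707 ./sysdata/session/

## Install Package squid.
# Rebuilt from the CentOS SRPM with --enable-internal-dns added to the spec,
# which the dns_v4_first option below requires.
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; yumdownloader --source squid"
su - admin -c "rpm -ivh /home/admin/rpmbuild/SRPMS/squid*.src.rpm"
sed -i -e 's/^ --enable-ecap \\/ --enable-ecap \\\n --enable-internal-dns \\/g' /home/admin/rpmbuild/SPECS/squid.spec
su - admin -c "rpmbuild -bs --define 'dist .el7.tsc' /home/admin/rpmbuild/SPECS/squid.spec"
yum-builddep -y /home/admin/rpmbuild/SPECS/squid.spec
su - admin -c "rpmbuild --rebuild --define 'dist .el7.tsc' /home/admin/rpmbuild/SRPMS/squid*.el7.tsc*.src.rpm"
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; createrepo ."
su - admin -c "cd /home/admin/rpmbuild/RPMS/ ; createrepo ."
sed -i -e 's/^exclude=/exclude=squid* /g' /etc/yum.repos.d/CentOS-Base.repo
yum --disablerepo=\* --enablerepo=tsc,tsc-source clean all
yum -y install squid
cp -piav /etc/squid/squid.conf /etc/squid/squid.conf.org
# Appended squid settings: hostname, header stripping for client privacy
# (X-Forwarded-For/Via/Cache-Control dropped, forwarded_for off), cache
# tuning, and DNS via the local BIND.  Unquoted heredoc for $(hostname -s).
cat << EOF >> /etc/squid/squid.conf

# Add Config
visible_hostname $(hostname -s)

# Anonymous
#request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
forwarded_for off

# Tune
#max_filedesc 4,096
cache_mem 256 MB
half_closed_clients off
pipeline_prefetch on
dns_nameservers 127.0.0.1

# Requires: --enable-internal-dns
dns_v4_first on
EOF
systemctl enable squid.service
systemctl start squid.service

## Configure Forward Proxy.
# httpd listens on 8080 as a forward proxy and chains to squid on 3128.
# Proxy use is limited to loopback and the AP subnet by the Require block.
# NOTE(review): the <VirtualHost> / <Proxy> container directives were lost
# in extraction and are reconstructed here from the surrounding directives
# (Require is only valid inside a container) — confirm against the original.
cat << EOF > /etc/httpd/conf.d/proxy.conf
Listen 8080
<VirtualHost *:8080>
    ServerAdmin root@$(hostname -s)
    DocumentRoot /var/www/html
    ServerName $(hostname -s):8080
    ErrorLog logs/proxy-error_log
    CustomLog logs/proxy-access_log common
    KeepAlive On
    MaxKeepAliveRequests 1024
    KeepAliveTimeout 300
    ProxyRemote * http://127.0.0.1:3128/
    NoProxy 192.168.253.0/24
    ProxyRequests On
    <Proxy *>
        Require all denied
        Require ip 127.0.0.1 ::1 192.168.253
    </Proxy>
    AddDefaultCharset Off
</VirtualHost>
EOF
# Switch the MPM from prefork to worker.
cp -piav /etc/httpd/conf.modules.d/00-mpm.conf /etc/httpd/conf.modules.d/00-mpm.conf.org
sed -i -e 's/^LoadModule mpm_prefork_module/#LoadModule mpm_prefork_module/g' /etc/httpd/conf.modules.d/00-mpm.conf
sed -i -e 's/^#LoadModule mpm_worker_module/LoadModule mpm_worker_module/g' /etc/httpd/conf.modules.d/00-mpm.conf
systemctl restart httpd.service

## Setup EPEL Repository.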
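# EPEL repo definitions, all disabled by default; only epel-source is enabled
# explicitly below to fetch SRPMs.  The files name x86_64, which presumably
# does not matter because only the source repo is used — confirm if binary
# EPEL packages are ever enabled on this host.
cat << 'EOF' > /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - x86_64
#baseurl=http://download.fedoraproject.org/pub/epel/7/x86_64
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - x86_64 - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/x86_64/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=x86_64
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - x86_64 - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=x86_64
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
EOF
# Signing key is fetched over HTTPS and imported so gpgcheck=1 can work.
cd /etc/pki/rpm-gpg/ || exit 1
wget -N https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

## Install Wi-Fi Access Point Server (hostapd).
# Rebuilt locally from the EPEL SRPM into the tsc repos.
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; yumdownloader --disablerepo=\* --enablerepo=epel-source --source hostapd"
su - admin -c "rpm -ivh /home/admin/rpmbuild/SRPMS/hostapd*.src.rpm"
yum-builddep -y /home/admin/rpmbuild/SPECS/hostapd.spec
su - admin -c "rpmbuild --rebuild /home/admin/rpmbuild/SRPMS/hostapd*.src.rpm"
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; createrepo ."
su - admin -c "cd /home/admin/rpmbuild/RPMS/ ; createrepo ."
yum --disablerepo=\* --enablerepo=tsc,tsc-source clean all
yum -y install hostapd
cp -piav /etc/hostapd/hostapd.conf /etc/hostapd/hostapd.conf.org
# WPA2-PSK/CCMP only (no TKIP), 2.4 GHz channel 7, JP regulatory domain.
# The passphrase is stored in clear here, so the file is made root-only.
# ctrl_interface_group=wheel lets any wheel member drive hostapd.
cat << 'EOF' > /etc/hostapd/hostapd.conf
#
# This will give you a minimal, insecure wireless network.
#
# DO NOT BE SATISFIED WITH THAT!!!
#
# A complete, well commented example configuration file is
# available here:
#
#    /usr/share/doc/hostapd/hostapd.conf
#
# For more information, look here:
#
#    http://wireless.kernel.org/en/users/Documentation/hostapd
#

ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

# Some usable default settings...
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0

# Uncomment these for base WPA & WPA2 support with a pre-shared key
#wpa=3
#wpa_key_mgmt=WPA-PSK
#wpa_pairwise=TKIP
#rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

# DO NOT FORGET TO SET A WPA PASSPHRASE!!
#wpa_passphrase=YourPassPhrase
wpa_passphrase=YourPassPhrase1

# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211

# Customize these for your local configuration...
interface=wlan1
hw_mode=g
channel=7
#hw_mode=a
#channel=36
ssid=RPi-SSID1
country_code=JP
ieee80211d=1
ieee80211n=1
wmm_enabled=1
ht_capab=[SHORT-GI-20][SHORT-GI-40][RX-STBC1]
logger_syslog=-1
logger_syslog_level=3
EOF
chmod 600 /etc/hostapd/hostapd.conf
systemctl enable hostapd.service
systemctl start hostapd.service

## Install Package iftop.
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; yumdownloader --disablerepo=\* --enablerepo=epel-source --source iftop"
su - admin -c "rpm -ivh /home/admin/rpmbuild/SRPMS/iftop*.src.rpm"
yum-builddep -y /home/admin/rpmbuild/SPECS/iftop.spec
su - admin -c "rpmbuild --rebuild /home/admin/rpmbuild/SRPMS/iftop*.src.rpm"
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; createrepo ."
su - admin -c "cd /home/admin/rpmbuild/RPMS/ ; createrepo ."
yum --disablerepo=\* --enablerepo=tsc,tsc-source clean all
yum -y install iftop

## Install Package webmin.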
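# Webmin repo: plain-HTTP baseurl with gpgcheck=0, so the package is
# installed without any signature verification.  Webmin's own TLS is then
# switched off (ssl=0), so its admin credentials cross the AP subnet in
# clear.  Both are kept as the author configured them; revisit if this host
# is reachable from anything but the trusted segment.
cat << 'EOF' > /etc/yum.repos.d/webmin.repo
[webmin]
name=Webmin Packages
baseurl=http://download.webmin.com/download/yum/
failovermethod=priority
enabled=1
gpgcheck=0
EOF
yum -y install webmin
chkconfig webmin on
cp -piav /etc/webmin/miniserv.conf /etc/webmin/miniserv.conf.org
sed -i -e 's/^ssl=1/ssl=0/g' /etc/webmin/miniserv.conf
echo "logouttime=60" >> /etc/webmin/miniserv.conf

### Fix for Mobile Networks.
## NTP step-tickers
# Fixed-IP NTP servers for ntpdate, for uplinks where pool DNS is unreliable.
cat << 'EOF' > /etc/ntp/step-tickers
# List of NTP servers used by the ntpdate service.
133.243.238.163
133.243.238.243
133.243.238.164
133.243.238.244
210.173.160.27
210.173.160.57
210.173.160.87
EOF

## NTP Synchronization.
sed -i -e 's/^server 3.jp.pool.ntp.org minpoll 6 maxpoll 8 iburst/server 3.jp.pool.ntp.org minpoll 6 maxpoll 8 iburst\nserver 210.173.160.27 minpoll 6 maxpoll 8 iburst\nserver 210.173.160.57 minpoll 6 maxpoll 8 iburst\nserver 210.173.160.87 minpoll 6 maxpoll 8 iburst/g' /etc/ntp.conf

## RPi3 CPU Frequency.
sed -i -e 's/^arm_freq=1200/#arm_freq=1200\narm_freq=700/g' /boot/config.txt

## Create proxy.pac, wpad.dat and Modify dhcpd.conf.
# Clients auto-discover the proxy via DHCP option 252 (WPAD); the PAC points
# everything at the httpd forward proxy on 192.168.253.1:8080.
cat << 'EOF' > /var/www/html/proxy.pac
function FindProxyForURL(url,host) {
  return "PROXY 192.168.253.1:8080";
}
EOF
cp -piav /var/www/html/proxy.pac /var/www/html/wpad.dat
sed -i -e 's/^default-lease-time 600;/option wpad-curl code 252 = text;\noption wpad-curl "http:\/\/192.168.253.1\/proxy.pac";\ndefault-lease-time 600;/g' /etc/dhcp/dhcpd.conf

## Forward to Upstream Proxy.
# Commented template for chaining squid to a parent proxy; left disabled.
cat << 'EOF' >> /etc/squid/squid.conf

# Forward to Upstream Proxy.
# Example: cache_peer 192.0.2.1 parent 8080 0 no-query no-netdb-exchange login=ID:Password
#cache_peer [PARENT_PROXY] parent [PORT] 0 no-query no-netdb-exchange login=[ProxyID]:[ProxyPassword] ssl
#never_direct allow all
EOF

## Renew script for named_blockzones.
# Generates the ad-block refresh script.  It downloads a host list over plain
# HTTP (no integrity check) and turns every line into a BIND master zone, so
# the list is untrusted input to named's configuration: it is fetched into a
# fresh mktemp directory instead of a shared path under /tmp, and only lines
# that look like a bare hostname are accepted before they are written into
# block.zones.  Outer delimiter is EndOfFile so the inner EOF heredoc
# survives; `$` meant for the generated script is escaped.
/bin/cat << EndOfFile > /root/sbin/named_blockzones.sh
#! /bin/sh
### Make AdBlock by ISC-BIND.
## Change to a private work dir (removed on exit).
workdir=\$(/bin/mktemp -d) || exit 1
trap '/bin/rm -rf -- "\$workdir"' EXIT
cd "\$workdir" || exit 1
## Get Blocklist.
/usr/bin/wget -N http://www.sgv417.jp/~makopi/RaspberryPi/block.txt || exit 1
## Make block.zones.
/bin/cat << EOF > /etc/named/block.zones
// TEMPLATE
//zone "example.com" IN {
//	type master;
//	file "named.localhost";
//	allow-update { none; };
//};
EOF
## Only plain hostnames may become zone names; anything else is dropped.
/bin/grep -E '^[A-Za-z0-9._-]+\$' block.txt | /bin/awk '{print "\nzone \""\$1"\" IN {\n\ttype master;\n\tfile \"named.localhost\";\n\tallow-update { none; };\n};"}' >> /etc/named/block.zones
## Apply block.zones.
/usr/sbin/rndc reload
EndOfFile
chmod 700 /root/sbin/named_blockzones.sh
# Refresh the block list five minutes after every boot; written straight into
# root's crontab spool, so keep the file mode tight.
echo "@reboot /bin/sleep 300 ; /root/sbin/named_blockzones.sh > /dev/null 2>&1" >> /var/spool/cron/root
chmod 600 /var/spool/cron/root
/root/sbin/named_blockzones.sh

## Enable tsc-kernel repository.
yum-config-manager --enable tsc-kernel

## Update Kernel.
yum -y update

## Network Tuning.
cat << 'EOF' > /etc/sysctl.d/proxy.conf
# Tuning for Network.
net.ipv4.tcp_fin_timeout = 7
net.ipv4.tcp_max_syn_backlog = 896
net.core.somaxconn = 896
net.core.netdev_max_backlog = 896
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 60000 61000

# Tuning for window size.
net.core.rmem_default = 512000
net.core.wmem_default = 512000
net.core.rmem_max = 2048000
net.core.wmem_max = 2048000
EOF

## EXEC Poweroff.
sync
sync
sync
poweroff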