Initial commit of scripts

9 years ago · d83eee2daa
7 changed files with 842 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,13 @@
 *~
 \#*\#
 /.emacs.desktop
 /.emacs.desktop.lock
 *.elc
 auto-save-list
 tramp
 .\#*
 .org-id-locations
 *_archive
 *_flymake.*
 *.rel
 /auto/
--- a/21
+++ b/21
@ -0,0 +1,21 @@
 The MIT License (MIT)
 Copyright (c) 2015 Taylor Bockman
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,13 @@
 # Slackware VPS Configuration
 This is a set of files that I use to configure a remote development VPS. These kinds of boxes are
 handy when you don't want to haul a laptop around.
 Here's a list of VPS providers that have Slackware images available:
 *Put list here*
 **These scripts are untested**. They are currently built mostly from my memory of how I configured
 the systems before. There are many places commented where I have to devise a good solution on
 how to make them work. I would love to have help.
--- a/iptables-config/allow_ssh.sh
+++ b/iptables-config/allow_ssh.sh
@ -0,0 +1,23 @@
 ##############################################
 #                                            #
 #       Allow SSH in IPTables                #
 #       Author: Taylor Bockman               #
 #               <tbockman@taylorbockman.com> #
 #                                            #
 ##############################################
 echo "SSH Port:"
 read sshport
 echo "Interface: "
 read interface
 # Allow incoming SSH
 sudo iptables -A INPUT -i $interface -p tcp --dport $sshport -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "SSH Incoming"
 sudo iptables -A OUTPUT -o $interface -p tcp --sport $sshport -m state --state ESTABLISHED -j ACCEPT -m comment --comment "SSH Incoming"
 # Allow outgoing SSH
 sudo iptables -A OUTPUT -o $interface -p tcp --dport $sshport -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "SSH Outgoing"
 sudo iptables -A INPUT -i $interface -p tcp --sport $sshport -m state --state ESTABLISHED -j ACCEPT -m comment --comment "SSH Outgoing"
 echo "Completed opening up SSH on interface $interface, port $sshport."
--- a/iptables-config/chain-setup.sh
+++ b/iptables-config/chain-setup.sh
@ -0,0 +1,34 @@
 ############################################
 #                                          #
 #  Setup default chains in IPTables        #
 #    Author: Taylor Bockman                #
 #            <tbockman@taylorbockman.com>  #
 #                                          #
 #                                          #
 ############################################
 echo "Are you on a VPS? [Y/N]"
 read onvps
 if [ $onvps=="Y" ];
 then
  echo "Did you open your SSH ports on iptables? Otherwise this will kill your access. [Y/N]"
  read openedssh
  if [ $openedssh=="Y" ];
  then
    echo "Dropping INPUT and FORWARD..."
    sudo iptables -P INPUT DROP  
    sudo iptables -P FORWARD DROP
    echo "INPUT and FORWARD are now dropping traffic. You will have to configure a source and destination for each rule"
  else
    echo "Please configure your SSH access with IPTables and run this script again"
  fi
 else
  echo "Dropping INPUT and FORWARD..."
  sudo iptables -P INPUT DROP
  sudo iptables -P FORWARD DROP
  echo "INPUT and FORWARD are now dropping traffic. You will have to configure a source and destination for each rule."
 fi
--- a/rc.firewall
+++ b/rc.firewall
@ -0,0 +1,655 @@
 #!/bin/sh
 #
 # Generated iptables firewall script for the Linux 2.4 kernel and later.
 # Script generated by Easy Firewall Generator for IPTables 1.15
 # copyright 2002 Timothy Scott Morizot
 # Modified for Slackware Linux by Eric Hameleers <alien@slackware.com>
 #
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #
 # Special notes:
 #   - This firewall script uses the output of "hostname -i" to set the right
 #     interface. This will only work if the hostname can be resolved.
 #     Further, you may need to use "hostname -I" and parse the output, or
 #     write a secondary script, to handle this part if you have multiple
 #     interfaces.
 #
 #   - This also uses route for compatibility with systems that are running
 #     without the ip command. You may need to adjust the INET_IFACE script to
 #     grab an interface if you are using one different than the one with the
 #     default gateway.
 #
 ###############################################################################
 # 
 # Local Settings
 #
 # sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
 # If this is set to the empty string (or is unset), the use of sysctl
 # is disabled.
 SYSCTL="/sbin/sysctl -w" 
 # To echo the value directly to the /proc file instead
 # SYSCTL=""
 # IPTables Location - adjust if needed
 IPT="/usr/sbin/iptables"
 IPTS="/usr/sbin/iptables-save"
 IPTR="/usr/sbin/iptables-restore"
 # Internet Interface
 INET_IFACE="$(route -n | awk '$1 ~ /0.0.0.0/ {print $NF}')"
 INET_ADDRESS="$(hostname -i)"
 echo "Configured for interface $INET_IFACE on IP address $INET_ADDRESS"
 # Localhost Interface
 LO_IFACE="lo"
 LO_IP="127.0.0.1"
 # Save and Restore arguments handled here
 if [ "$1" = "save" ]
 then
 	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
 	$IPTS > /etc/sysconfig/iptables
 	echo "done"
 	exit 0
 elif [ "$1" = "restore" ]
 then
 	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
 	$IPTR < /etc/sysconfig/iptables
 	echo "done"
 	exit 0
 fi
 ###############################################################################
 #
 # Load Modules
 #
 echo "Loading kernel modules ..."
 # You should uncomment the line below and run it the first time just to
 # ensure all kernel module dependencies are OK.  There is no need to run
 # every time, however.
 # /sbin/depmod -a
 # Unless you have kernel module auto-loading disabled, you should not
 # need to manually load each of these modules.  Other than ip_tables,
 # ip_conntrack, and some of the optional modules, I've left these
 # commented by default.  Uncomment if you have any problems or if
 # you have disabled module autoload.  Note that some modules must
 # be loaded by another kernel module.
 # core netfilter module
 /sbin/modprobe ip_tables
 # the stateful connection tracking module
 /sbin/modprobe ip_conntrack
 # filter table module
 # /sbin/modprobe iptable_filter
 # mangle table module
 # /sbin/modprobe iptable_mangle
 # nat table module
 # /sbin/modprobe iptable_nat
 # LOG target module
 # /sbin/modprobe ipt_LOG
 # This is used to limit the number of packets per sec/min/hr
 # /sbin/modprobe ipt_limit
 # masquerade target module
 # /sbin/modprobe ipt_MASQUERADE
 # filter using owner as part of the match
 # /sbin/modprobe ipt_owner
 # REJECT target drops the packet and returns an ICMP response.
 # The response is configurable.  By default, connection refused.
 # /sbin/modprobe ipt_REJECT
 # This target allows packets to be marked in the mangle table
 # /sbin/modprobe ipt_mark
 # This target affects the TCP MSS
 # /sbin/modprobe ipt_tcpmss
 # This match allows multiple ports instead of a single port or range
 # /sbin/modprobe multiport
 # This match checks against the TCP flags
 # /sbin/modprobe ipt_state
 # This match catches packets with invalid flags
 # /sbin/modprobe ipt_unclean
 # The ftp nat module is required for non-PASV ftp support
 /sbin/modprobe ip_nat_ftp
 # the module for full ftp connection tracking
 /sbin/modprobe ip_conntrack_ftp
 # the module for full irc connection tracking
 /sbin/modprobe ip_conntrack_irc
 ###############################################################################
 #
 # Kernel Parameter Configuration
 #
 # See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
 # for a detailed tutorial on sysctl and the various settings
 # available.
 # Required to enable IPv4 forwarding.
 # Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
 # Alternatively, it can be set in /etc/sysctl.conf
 #if [ "$SYSCTL" = "" ]
 #then
 #    echo "1" > /proc/sys/net/ipv4/ip_forward
 #else
 #    $SYSCTL net.ipv4.ip_forward="1"
 #fi
 # This enables dynamic address hacking.
 # This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
 #if [ "$SYSCTL" = "" ]
 #then
 #    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
 #else
 #    $SYSCTL net.ipv4.ip_dynaddr="1"
 #fi
 # This enables SYN flood protection.
 # The SYN cookies activation allows your system to accept an unlimited
 # number of TCP connections while still trying to give reasonable
 # service during a denial of service attack.
 if [ "$SYSCTL" = "" ]
 then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
 else
    $SYSCTL net.ipv4.tcp_syncookies="1"
 fi
 # This enables source validation by reversed path according to RFC1812.
 # In other words, did the response packet originate from the same interface
 # through which the source packet was sent?  It's recommended for single-homed
 # systems and routers on stub networks.  Since those are the configurations
 # this firewall is designed to support, I turn it on by default.
 # Turn it off if you use multiple NICs connected to the same network.
 if [ "$SYSCTL" = "" ]
 then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
 else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
 fi
 # This option allows a subnet to be firewalled with a single IP address.
 # It's used to build a DMZ.  Since that's not a focus of this firewall
 # script, it's not enabled by default, but is included for reference.
 # See: http://www.sjdjweis.com/linux/proxyarp/ 
 #if [ "$SYSCTL" = "" ]
 #then
 #    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
 #else
 #    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
 #fi
 # The following kernel settings were suggested by Alex Weeks. Thanks!
 # This kernel parameter instructs the kernel to ignore all ICMP
 # echo requests sent to the broadcast address.  This prevents
 # a number of smurfs and similar DoS nasty attacks.
 if [ "$SYSCTL" = "" ]
 then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
 fi
 # This option can be used to accept or refuse source routed
 # packets.  It is usually on by default, but is generally
 # considered a security risk.  This option turns it off.
 if [ "$SYSCTL" = "" ]
 then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
 else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
 fi
 # This option can disable ICMP redirects.  ICMP redirects
 # are generally considered a security risk and shouldn't be
 # needed by most systems using this generator.
 #if [ "$SYSCTL" = "" ]
 #then
 #    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
 #else
 #    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
 #fi
 # However, we'll ensure the secure_redirects option is on instead.
 # This option accepts only from gateways in the default gateways list.
 if [ "$SYSCTL" = "" ]
 then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
 else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
 fi
 # This option logs packets from impossible addresses.
 if [ "$SYSCTL" = "" ]
 then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
 else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
 fi
 ###############################################################################
 #
 # Flush Any Existing Rules or Chains
 #
 echo "Flushing Tables ..."
 # Reset Default Policies
 $IPT -P INPUT ACCEPT
 $IPT -P FORWARD ACCEPT
 $IPT -P OUTPUT ACCEPT
 $IPT -t nat -P PREROUTING ACCEPT
 $IPT -t nat -P POSTROUTING ACCEPT
 $IPT -t nat -P OUTPUT ACCEPT
 $IPT -t mangle -P PREROUTING ACCEPT
 $IPT -t mangle -P OUTPUT ACCEPT
 # Flush all rules
 $IPT -F
 $IPT -t nat -F
 $IPT -t mangle -F
 # Erase all non-default chains
 $IPT -X
 $IPT -t nat -X
 $IPT -t mangle -X
 if [ "$1" = "stop" ]
 then
 	echo "Firewall completely flushed!  Now running with no firewall."
 	exit 0
 fi
 ###############################################################################
 #
 # Rules Configuration
 #
 ###############################################################################
 #
 # Filter Table
 #
 ###############################################################################
 # Set Policies
 $IPT -P INPUT DROP
 $IPT -P OUTPUT DROP
 $IPT -P FORWARD DROP
 ###############################################################################
 #
 # User-Specified Chains
 #
 # Create user chains to reduce the number of rules each packet
 # must traverse.
 echo "Create and populate custom rule chains ..."
 # Create a chain to filter INVALID packets
 $IPT -N bad_packets
 # Create another chain to filter bad tcp packets
 $IPT -N bad_tcp_packets
 # Create separate chains for icmp, tcp (incoming and outgoing),
 # and incoming udp packets.
 $IPT -N icmp_packets
 # Used for UDP packets inbound from the Internet
 $IPT -N udp_inbound
 # Used to block outbound UDP services from internal network
 # Default to allow all
 $IPT -N udp_outbound
 # Used to allow inbound services if desired
 # Default fail except for established sessions
 $IPT -N tcp_inbound
 # Used to block outbound services from internal network
 # Default to allow all
 $IPT -N tcp_outbound
 ###############################################################################
 #
 # Populate User Chains
 #
 # bad_packets chain
 #
 # Drop INVALID packets immediately
 $IPT -A bad_packets -p ALL -m conntrack --ctstate INVALID -j LOG \
    --log-prefix "fp=bad_packets:1 a=DROP "
 $IPT -A bad_packets -p ALL -m conntrack --ctstate INVALID -j DROP
 # Then check the tcp packets for additional problems
 $IPT -A bad_packets -p tcp -j bad_tcp_packets
 # All good, so return
 $IPT -A bad_packets -p ALL -j RETURN
 # bad_tcp_packets chain
 #
 # All tcp packets will traverse this chain.
 # Every new connection attempt should begin with
 # a syn packet.  If it doesn't, it is likely a
 # port scan.  This drops packets in state
 # NEW that are not flagged as syn packets.
 $IPT -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j LOG \
    --log-prefix "fp=bad_tcp_packets:1 a=DROP "
 $IPT -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "fp=bad_tcp_packets:2 a=DROP "
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "fp=bad_tcp_packets:3 a=DROP "
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "fp=bad_tcp_packets:4 a=DROP "
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "fp=bad_tcp_packets:5 a=DROP "
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "fp=bad_tcp_packets:6 a=DROP "
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "fp=bad_tcp_packets:7 a=DROP "
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 # All good, so return
 $IPT -A bad_tcp_packets -p tcp -j RETURN
 # icmp_packets chain
 #
 # This chain is for inbound (from the Internet) icmp packets only.
 # Type 8 (Echo Request) is not accepted by default
 # Enable it if you want remote hosts to be able to reach you.
 # 11 (Time Exceeded) is the only one accepted
 # that would not already be covered by the established
 # connection rule.  Applied to INPUT on the external interface.
 # 
 # See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
 # for more info on ICMP types.
 #
 # Note that the stateful settings allow replies to ICMP packets.
 # These rules allow new packets of the specified types.
 # ICMP packets should fit in a Layer 2 frame, thus they should
 # never be fragmented.  Fragmented ICMP packets are a typical sign
 # of a denial of service attack.
 $IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "fp=icmp_packets:1 a=DROP "
 $IPT -A icmp_packets --fragment -p ICMP -j DROP
 # Echo - uncomment to allow your system to be pinged.
 # Uncomment the LOG command if you also want to log PING attempts
 # 
 # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
 #    --log-prefix "fp=icmp_packets:2 a=ACCEPT "
 # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
 # By default, however, drop pings without logging. Blaster
 # and other worms have infected systems blasting pings.
 # Comment the line below if you want pings logged, but it
 # will likely fill your logs.
 $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
 # Time Exceeded
 $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
 # Not matched, so return so it will be logged
 $IPT -A icmp_packets -p ICMP -j RETURN
 # TCP & UDP
 # Identify ports at:
 #    http://www.chebucto.ns.ca/~rakerman/port-table.html
 #    http://www.iana.org/assignments/port-numbers
 # udp_inbound chain
 #
 # This chain describes the inbound UDP packets it will accept.
 # It's applied to INPUT on the external or Internet interface.
 # Note that the stateful settings allow replies.
 # These rules are for new requests.
 # It drops netbios packets (windows) immediately without logging.
 # Drop netbios calls
 # Please note that these rules do not really change the way the firewall
 # treats netbios connections.  Connections from the localhost and
 # internal interface (if one exists) are accepted by default.
 # Responses from the Internet to requests initiated by or through
 # the firewall are also accepted by default.  To get here, the
 # packets would have to be part of a new request received by the
 # Internet interface.  You would have to manually add rules to
 # accept these.  I added these rules because some network connections,
 # such as those via cable modems, tend to be filled with noise from
 # unprotected Windows machines.  These rules drop those packets
 # quickly and without logging them.  This prevents them from traversing
 # the whole chain and keeps the log from getting cluttered with
 # chatter from Windows systems.
 $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
 $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
 # Ident requests (Port 113) must have a REJECT rule rather than the
 # default DROP rule.  This is the minimum requirement to avoid
 # long delays while connecting.  Also see the tcp_inbound rule.
 $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
 # A more sophisticated configuration could accept the ident requests.
 # $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
 # Not matched, so return for logging
 $IPT -A udp_inbound -p UDP -j RETURN
 # udp_outbound chain
 #
 # This chain is used with a private network to prevent forwarding for
 # UDP requests on specific protocols.  Applied to the FORWARD rule from
 # the internal network.  Ends with an ACCEPT
 # No match, so ACCEPT
 $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
 # tcp_inbound chain
 #
 # This chain is used to allow inbound connections to the
 # system/gateway.  Use with care.  It defaults to none.
 # It's applied on INPUT from the external or Internet interface.
 # Ident requests (Port 113) must have a REJECT rule rather than the
 # default DROP rule.  This is the minimum requirement to avoid
 # long delays while connecting.  Also see the tcp_inbound rule.
 $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
 # A more sophisticated configuration could accept the ident requests.
 # $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j ACCEPT
 # sshd
 $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 3938 -j ACCEPT
 # Not matched, so return so it will be logged
 $IPT -A tcp_inbound -p TCP -j RETURN
 # tcp_outbound chain
 #
 # This chain is used with a private network to prevent forwarding for
 # requests on specific protocols.  Applied to the FORWARD rule from
 # the internal network.  Ends with an ACCEPT
 # No match, so ACCEPT
 $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
 ###############################################################################
 #
 # INPUT Chain
 #
 echo "Process INPUT chain ..."
 # Allow all on localhost interface
 $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
 # Drop bad packets
 $IPT -A INPUT -p ALL -j bad_packets
 # DOCSIS compliant cable modems
 # Some DOCSIS compliant cable modems send IGMP multicasts to find
 # connected PCs.  The multicast packets have the destination address
 # 224.0.0.1.  You can accept them.  If you choose to do so,
 # Uncomment the rule to ACCEPT them and comment the rule to DROP
 # them  The firewall will drop them here by default to avoid
 # cluttering the log.  The firewall will drop all multicasts
 # to the entire subnet (224.0.0.1) by default.  To only affect
 # IGMP multicasts, change '-p ALL' to '-p 2'.  Of course,
 # if they aren't accepted elsewhere, it will only ensure that
 # multicasts on other protocols are logged.
 # Drop them without logging.
 $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
 # The rule to accept the packets.
 # $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
 # Inbound Internet Packet Rules
 # Accept Established Connections
 $IPT -A INPUT -p ALL -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED \
     -j ACCEPT
 # Route the rest to the appropriate user chain
 $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
 $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
 $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
 # Drop without logging broadcasts that get this far.
 # Cuts down on log clutter.
 # Comment this line if testing new rules that impact
 # broadcast protocols.
 $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
 # Log packets that still don't match
 $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
 ###############################################################################
 #
 # FORWARD Chain
 #
 echo "Process FORWARD chain ..."
 # Used if forwarding for a private network
 ###############################################################################
 #
 # OUTPUT Chain
 #
 echo "Process OUTPUT chain ..."
 # Generally trust the firewall on output
 # However, invalid icmp packets need to be dropped
 # to prevent a possible exploit.
 $IPT -A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
 # Localhost
 $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
 $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
 # To internet
 $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
 # Log packets that still don't match
 $IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
 ###############################################################################
 #
 # nat table
 #
 ###############################################################################
 # The nat table is where network address translation occurs if there
 # is a private network.  If the gateway is connected to the Internet
 # with a static IP, snat is used.  If the gateway has a dynamic address,
 # masquerade must be used instead.  There is more overhead associated
 # with masquerade, so snat is better when it can be used.
 # The nat table has a builtin chain, PREROUTING, for dnat and redirects.
 # Another, POSTROUTING, handles snat and masquerade.
 echo "Load rules for nat table ..."
 ###############################################################################
 #
 # PREROUTING chain
 #
 ###############################################################################
 #
 # POSTROUTING chain
 #
 ###############################################################################
 #
 # mangle table
 #
 ###############################################################################
 # The mangle table is used to alter packets.  It can alter or mangle them in
 # several ways.  For the purposes of this generator, we only use its ability
 # to alter the TTL in packets.  However, it can be used to set netfilter
 # mark values on specific packets.  Those marks could then be used in another
 # table like filter, to limit activities associated with a specific host, for
 # instance.  The TOS target can be used to set the Type of Service field in
 # the IP header.  Note that the TTL target might not be included in the
 # distribution on your system.  If it is not and you require it, you will
 # have to add it.  That may require that you build from source.
 echo "Load rules for mangle table ..."
--- a/sw_sysinstall.sh
+++ b/sw_sysinstall.sh
@ -0,0 +1,83 @@
 #!/bin/bash
 #######################################################
 #                                                     #
 #       An install script for zero-to-ready           #
 #      remote development boxes on Slackware          #
 #           !!! CURRENTLY UNTESTED !!!                #
 #                                                     #
 #      This assumes SSH Port is 3938, change this     #
 #       in the rc.firewall file to make sure          #
 #         iptables leaves it open for you.            #
 #                                                     #
 #                                                     #
 # Author: Taylor Bockman <tbockman@taylorbockman.com> #
 #                                                     #
 #                                                     #
 #######################################################
 # Add user
 echo "Enter desired username:"
 read $newuser
 useradd -m -g users -G wheel,floppy,audio,video,cdrom,plugdev,power,netdev,lp,scanner -s /bin/bash $newuser
 # Modify sudoers to enable wheel group
 # Install some critical packages
 mkdir packages
 cd packages
 # Install Curl
 wget http://slackware.cs.utah.edu/pub/slackware/slackware64-14.1/slackware64/n/cyrus-sasl-2.1.23-x86_64-5.txz
 wget http://slackware.cs.utah.edu/pub/slackware/slackware64-14.1/slackware64/n/curl-7.31.0-x86_64-1.txz
 upgradepkg --install-new cyrus-sasl-2.1.23-x86-64-5.txz
 upgradepkg --install-new curl-7.31.0-x86_64-1.txz
 # Install libpcap and libnl for iptables
 wget libpcap-1.4.0-x86_64-1.txz
 wget libnl3-3.2.21-x86_64-1.txz
 upgradepkg --install-new libpcap-1.4.0-x86_64-1.txz
 upgradepkg --install-new libnl3-3.2.21-x86_64-1.txz
 cd ..
 # Become user to install nix
 echo "Becoming $newuser to install nix and packages..." 
 su $newuser
 cd /home/$newuser
 # Install Nix
 curl https://nixos.org/nix/install | sh
 # Append the right stuff to the ~/.profiles file so nix is ready
 # Install various nix packages
 packages=("emacs", "vim", "zsh", "git", "tmux", "libpcap")
 for package in "${packages[@]}"
 do
    :
    nix-env -i $package
 done
 # Symlink the rc.firewall to the right place
 # !!!! THIS PART IS SUPER UNTESTED !!!!!
 sudo ln -s /slackware-sysconfig/rc.firewall /etc/rc.d/rc.firewall
 sudo chmod +x /etc/rc.d/rc.firewall
 # Use sed to configure /etc/ssh/sshd_config to be more secure
 # Make zsh the default shell
 command -v zsh | sudo tee -a /etc/shells
 sudo chsh -s "$(command -v zsh)" "$USER"
 # cd into ~, git clone essentials
 # Run essentials dotfile install script
 # Restart sshd