
Simple iptables

Set up iptables so the host accepts SSH, the Zabbix agent port (only from the Zabbix server), ping and HTTP, and drops everything else on INPUT. The rules are restored from a file before the network interface comes up; first check what already runs from that hook directory:

cat /etc/network/if-pre-up.d/*
 
echo -e '#!/bin/bash
 
/sbin/iptables-restore < /etc/iptables.up.rules' > /etc/network/if-pre-up.d/iptables
 
chmod +x /etc/network/if-pre-up.d/iptables
 
echo -e '*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened come first,
# they are the bulk of the traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# zabbix agent, only from the zabbix server (replace SERVERIP)
-A INPUT -p tcp -m tcp --dport 10050 -s SERVERIP -j ACCEPT
# http
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT' > /etc/iptables.up.rules

FORWARD is left at ACCEPT here; set it to DROP as well unless the host is meant to route traffic. Before rebooting, load the file once by hand with the same iptables-restore command the hook uses and make sure you can still open a new SSH connection, otherwise the first reboot locks you out.
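The same ruleset as a small installer script, added here as an example and not part of the original post. It generates the file for a given Zabbix server address, keeps the file root-only, and loads it with a rollback timer so a typo cannot cut off the SSH session for good. The rules use the conntrack match instead of the older state match, and FORWARD is set to DROP; the Zabbix address and the rules path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate and safely install
# the iptables ruleset for ssh, zabbix, ping and http.
set -eu

RULES_FILE=/etc/iptables.up.rules   # placeholder, same path as the hook uses

# Emit the ruleset. Loopback and already-tracked traffic first (the bulk of
# packets), then the services. FORWARD is DROP because this host does not
# route; the Zabbix agent port is pinned to one source address.
gen_rules() {
    zabbix_server="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 10050 -s ${zabbix_server} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to a file readable by root only (umask in a subshell so
# it does not leak into the caller's shell).
write_rules() {
    ( umask 077; gen_rules "$1" > "$2" )
}

# Number of ACCEPT rules in a ruleset file: a quick sanity check that the
# file is the one you meant to install.
count_accepts() {
    grep -c -- '-j ACCEPT' "$1"
}

# Refuse a ruleset that opens the Zabbix agent port to everyone.
zabbix_pinned() {
    grep -q -- '--dport 10050 -s [0-9.]* -j ACCEPT' "$1"
}

# Apply a ruleset with a safety net: the running rules are saved and a
# background job restores them after TIMEOUT seconds unless you cancel it.
apply_with_rollback() {
    rules="$1"; timeout="${2:-60}"
    backup=$(mktemp)
    iptables-save > "$backup"
    ( sleep "$timeout"; iptables-restore < "$backup"; rm -f "$backup" ) &
    watchdog=$!
    iptables-restore < "$rules"
    echo "New rules loaded. If you can still log in, run: kill $watchdog"
}

# Usage on the target host, as root (192.0.2.10 stands for the Zabbix server):
#   write_rules 192.0.2.10 "$RULES_FILE" && zabbix_pinned "$RULES_FILE"
#   apply_with_rollback "$RULES_FILE" 60
```

After the rules are in and you have confirmed a fresh SSH login works, kill the watchdog; if the login fails, wait out the timer and the old rules return by themselves.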

My minimal Debian wheezy post-install

nano /etc/apt/sources.list
deb http://ftp.fi.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.fi.debian.org/debian/ wheezy main contrib non-free
 
deb http://ftp.fi.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.fi.debian.org/debian/ wheezy-updates main contrib non-free
 
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
 
deb http://ftp.fi.debian.org/debian/ wheezy-backports main contrib non-free
deb-src http://ftp.fi.debian.org/debian/ wheezy-backports main contrib non-free
aptitude update
aptitude upgrade
 
nano /etc/locale.gen
locale-gen
 
aptitude install screen vim ntp
vim /etc/screenrc
vim /etc/fstab
 
reboot

Redmine from wheezy-backports, autocreate repos and access control

I had some trouble getting Redmine with Subversion installed on Debian wheezy. The main problem was the outdated version in the default repositories, so I used the wheezy-backports repo to get a fresh but reliable version.

I also wanted automatic repository creation, with Redmine usernames and passwords controlling access to the repositories. Below is the result. 🙂

aptitude install mysql-server
aptitude -t wheezy-backports install redmine redmine-mysql
aptitude -t wheezy-backports install apache2 libapache2-mod-passenger
ln -s /usr/share/redmine/public /var/www/redmine
vim /etc/apache2/mods-available/passenger.conf
PassengerDefaultUser www-data
a2enmod passenger
vim /etc/apache2/sites-available/default
<Directory /var/www/redmine>
RailsBaseURI /redmine
PassengerResolveSymlinksInDocumentRoot on
</Directory>
/etc/init.d/apache2 restart

PassengerDefaultUser www-data makes Passenger run Redmine as www-data instead of the default nobody, which cannot read the Debian-managed Redmine configuration. If the apache2 you get from wheezy-backports is the 2.4 series, its default site lives in sites-available/000-default.conf and the Order/Deny/Allow directives used for /svn further down need mod_access_compat (enabled by default on Debian).

After the first login:

ln -s /var/cache/redmine/default/plugin_assets /usr/share/redmine/public/
aptitude install subversion libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libauthen-simple-ldap-perl ruby-dev make
 
mkdir /var/svn
chown root:www-data /var/svn
chmod 0750 /var/svn
 
gem install activeresource
ln -s /usr/share/redmine/extra/svn/Redmine.pm /usr/lib/perl5/Apache

reposman.rb needs the activeresource gem; that is what ruby-dev and make were installed for above. The symlink makes Redmine's mod_perl authentication module loadable as Apache::Redmine, the name used in the Apache configuration that follows.
vim /etc/apache2/mods-available/dav_svn.conf
   PerlLoadModule Apache::Redmine
   <Location /svn>
     DAV svn
     SVNParentPath "/var/svn"
     Order deny,allow
     Deny from all
     Satisfy any
     # A large "svn update" can fail with "Server sent unexpected return
     # value (413 Request Entity Too Large) in response to REPORT request"
     # when the request exceeds Apache's XML body limit. 0 removes the
     # limit entirely; a generous fixed value keeps a cap on request size.
     LimitXMLRequestBody 0

     # Check authorization only at the repository root, not again for
     # every sub-path. Redmine grants access per repository, not per
     # path, so this costs nothing in security and helps performance a lot.
     SVNPathAuthz off

     PerlAccessHandler Apache::Authn::Redmine::access_handler
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
     # Basic auth sends the Redmine password in clear text on every
     # request, so serve /svn over HTTPS if clients reach it over a network.
     AuthType Basic
     AuthName "Redmine SVN Repository"
     AuthUserFile /dev/null

     # Read-only access: a valid Redmine user, or, without a password,
     # the Redmine server itself (SERVER_IP) so it can fetch changesets.
     # Keep this list to the Redmine host; every address listed here gets
     # unauthenticated read access to all repositories.
     <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
        Allow from SERVER_IP
        # Allow from another-ip
        Satisfy any
     </Limit>
     # Write access: always a valid Redmine user.
     <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
     </LimitExcept>

     ## for MySQL; the database name, user and password are the ones in
     ## /etc/redmine/default/database.yml
     RedmineDSN "DBI:mysql:database=redmine_default;host=localhost"
     ## for PostgreSQL
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
     ## for SQLite3
     # RedmineDSN "DBI:SQLite:dbname=database.db"

     RedmineDbUser "redmine_default"
     RedmineDbPass "PASSWORD"
   </Location>
a2enmod dav_svn

The file now holds the Redmine database password, so make it readable by root only before restarting Apache as above.

Add to /etc/cron.d (the line has a user field, so it belongs there rather than in a crontab). The file carries the API key, so keep it owned by root and unreadable by others:

* * * * * root ruby /usr/share/redmine/extra/svn/reposman.rb --redmine my.redmine.host --svn-dir /var/svn --owner www-data --url http://my.svn.server/svn/ --key=my_api_key >> /var/log/reposman.log 2>&1

my_api_key is the key generated under Administration > Settings > Repositories ("Enable WS for repository management"), not a user's personal API key. Replace the hosts with your own; the --url value is what Redmine stores as the repository URL for each project.
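Once reposman creates repositories unattended every minute, it is worth checking from time to time that what ends up under /var/svn still has the permissions this setup relies on. The script below is an added example, not part of the original post or of Redmine; it assumes the layout svnadmin creates (a format file plus db and hooks directories) and the /var/svn and www-data values used above, passed as arguments. Hook scripts get special attention because they run as the DAV user on every commit.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post or from Redmine's reposman.rb):
# permission audit for an SVNParentPath populated by reposman.
# Usage: ruby svn_audit.rb /var/svn www-data
require 'etc'

def perm(st)
  format('%04o', st.mode & 0o7777)
end

# A directory is treated as a repository only if it has what svnadmin creates.
def svn_repo?(path)
  File.file?(File.join(path, 'format')) &&
    File.directory?(File.join(path, 'db')) &&
    File.directory?(File.join(path, 'hooks'))
end

# Audit one repository; returns a list of findings, empty when clean.
def audit_repo(path, uid)
  findings = []
  unless svn_repo?(path)
    # mod_dav_svn will not serve it, but it should not be here either
    findings << "#{path}: not a Subversion repository"
    return findings
  end
  st = File.stat(path)
  # reposman --owner hands the repository to the DAV user; anything else
  # means it was created some other way.
  findings << "#{path}: owned by uid #{st.uid}, expected #{uid}" if st.uid != uid
  # The parent is 0750 root:www-data, so "other" bits on a repository are
  # pointless at best and expose history to local users at worst.
  findings << "#{path}: accessible by others (mode #{perm(st)})" if st.mode & 0o007 != 0
  # Hook scripts run as the DAV user on every commit. One that someone else
  # can edit, or an executable one owned by someone else, is a way to run
  # code as www-data.
  Dir.glob(File.join(path, 'hooks', '*')).sort.each do |hook|
    hst = File.stat(hook)
    next unless hst.file?
    if hst.mode & 0o022 != 0
      findings << "#{hook}: writable by group/others (mode #{perm(hst)})"
    end
    if hst.mode & 0o111 != 0 && hst.uid != uid
      findings << "#{hook}: active hook owned by uid #{hst.uid}, expected #{uid}"
    end
  end
  findings
end

# Audit the parent directory itself, then every directory under it.
def audit_parent(svn_dir, uid)
  findings = []
  st = File.stat(svn_dir)
  findings << "#{svn_dir}: accessible by others (mode #{perm(st)})" if st.mode & 0o007 != 0
  findings << "#{svn_dir}: writable by group (mode #{perm(st)})" if st.mode & 0o020 != 0
  Dir.children(svn_dir).sort.each do |name|
    path = File.join(svn_dir, name)
    next unless File.directory?(path)
    findings.concat(audit_repo(path, uid))
  end
  findings
end

if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  svn_dir, owner = ARGV
  findings = audit_parent(svn_dir, Etc.getpwnam(owner).uid)
  findings.each { |f| warn f }
  exit(findings.empty? ? 0 : 1)
end
```

Run it as root after the cron job has been active for a while; a non-zero exit with the findings on stderr makes it easy to wire into the same cron.d file or a monitoring check.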

DONE!