This page chronicles the administrative changes to honesty.progclub.net. If you make an administrative change you should document the change here. Changes are logged he in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.

John 2011-07-30 19:30

Configuring IPSec

jj5@honesty:~$ sudo -s
[sudo] password for jj5:
root@honesty:~# cd /etc/network/if-pre-up.d/
root@honesty:/etc/network/if-pre-up.d# ll
total 12
drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
root@honesty:/etc/network/if-pre-up.d# vim iptables

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

root@honesty:/etc/network/if-pre-up.d# chmod +x iptables
root@honesty:/etc/network/if-pre-up.d# cd ../if-up.d/
root@honesty:/etc/network/if-up.d# vim ip

#!/bin/sh
# Charity
ip route add 67.207.128.184 dev eth0 advmss 200
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200

root@honesty:/etc/network/if-up.d# chmod +x ip
root@honesty:/etc/network/if-up.d# cd /etc/
root@honesty:/etc# vim iptables.up.rules

*filter
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that does use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from charity
-A INPUT -s 67.207.128.184 -j ACCEPT
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

root@honesty:/etc# vim ipsec-tools.conf

#!/usr/sbin/setkey -f
## Flush the SAD and SPD
flush;
spdflush;
# Charity/Honesty configuration
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.129.103 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.128.184 67.207.129.103 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Hope/Honesty configuration
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.129.103 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.129.103 any -P in ipsec
        esp/transport//require
        ah/transport//require;

root@honesty:/etc# ll ipsec-tools.conf
-rwxr-xr-x 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
root@honesty:/etc# chmod 700 ipsec-tools.conf
root@honesty:/etc# ll ipsec-tools.conf
-rwx------ 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
root@honesty:~# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added iptables.up.rules
added network/if-pre-up.d/iptables
added network/if-up.d/ip
Committed revision 5.
root@honesty:/etc# reboot

Phew, that ought to do it.

John 2011-07-30 13:57

Adding user jj5

Didn't want to have to do this, but need to ssh in a fair bit.

root@honesty:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
       Full Name []: John Elliot
       Room Number []:
       Work Phone []:
       Home Phone []:
       Other []:
Is the information correct? [Y/n]
root@honesty:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo

John 2011-07-29 02:54

Installing Etckeeper

# apt-get install etckeeper
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bzr bzrtools patch python-configobj python-crypto python-paramiko
  python-support rsync
Suggested packages:
  bzr-gtk bzr-svn python-pycurl xdg-utils python-kerberos bzr-doc librsvg2-bin
  graphviz ed diffutils-doc python-crypto-dbg
The following NEW packages will be installed:
  bzr bzrtools etckeeper patch python-configobj python-crypto python-paramiko
  python-support rsync
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 4787kB of archives.
After this operation, 27.8MB of additional disk space will be used.
Do you want to continue [Y/n]?

Just like that.

Installing IPSec

# apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (153kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 15571 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 2.

John 2011-07-28 21:15

The honesty.progclub.org slice has has been created, and the host added to to the DNS zones, but apart from that it's not configured presently.