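#!/bin/bash
# Bootstrap a tdnf-based (Photon OS) VM template: refresh packages, install
# bash-it for the invoking user, write docker systemd units, install a
# permissive iptables script and clear /etc/machine-id so clones get a fresh
# identity on first boot.
#
# Must run as root; bash-it is installed into "$HOME".
set -euo pipefail

readonly bash_it_dir="$HOME/.bash_it"
readonly bash_it_url="https://github.com/Bash-it/bash-it/archive/master.tar.gz"
readonly iptables_script=/etc/systemd/scripts/iptables

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Sync the package set and install tar (needed below) and the ESX kernel.
install_packages() {
  tdnf distro-sync --refresh -y
  tdnf install -y tar linux-esx
}

#######################################
# Fetch bash-it into $HOME/.bash_it and enable the chosen aliases,
# completions and plugins.
# Globals:   HOME, bash_it_dir, bash_it_url
#######################################
install_bash_it() {
  cd "$HOME" || die "cannot cd to $HOME"
  if [[ -e "$bash_it_dir" ]]; then
    die "$bash_it_dir already exists; remove it before re-running"
  fi
  # NOTE(review): this is an unpinned branch snapshot with no checksum or
  # signature check; for a template image, pin a release tag and verify the
  # archive before extracting it. -f makes an HTTP error fail the pipeline
  # instead of feeding an error page to tar.
  curl -fsSL "$bash_it_url" | tar -xzf -
  mv -- bash-it-master "$bash_it_dir"
  "$bash_it_dir/install.sh" -s
  # bash-it's rc files are not written for strict mode; relax -e/-u while
  # sourcing and enabling, then restore them.
  set +eu
  . "$HOME/.bashrc"
  bash-it enable alias git curl docker vim
  bash-it enable completion defaults dirs docker git kubectl
  bash-it enable plugin docker git
  set -eu
}

#######################################
# Write docker.service and docker.socket. Units are written but not enabled
# or reloaded here (the image is a template).
#######################################
write_docker_units() {
  # Members of the docker group can drive dockerd over the socket, which is
  # root-equivalent on the host; keep membership as tight as the sudoers list.
  getent group docker >/dev/null || groupadd docker

  # Quoted delimiter: $MAINPID must reach systemd literally.
  cat > /etc/systemd/system/docker.service <<'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket
[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H fd:// -s overlay2
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF

  cat > /etc/systemd/system/docker.socket <<'EOF'
[Unit]
Description=Docker Socket for the API
PartOf=docker.service
[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
EOF
}

#######################################
# Install the iptables script run by the distro's iptables unit.
# The shebang must be the very first line of the file: the previous version
# emitted a leading blank line, so exec() of the script failed with ENOEXEC
# when systemd ran it.
# Globals:   iptables_script
#######################################
write_iptables_script() {
  mkdir -p -- "${iptables_script%/*}"
  # NOTE(review): after the flush the script leaves every chain with policy
  # ACCEPT and no rules, so the host has no packet filter of its own; this is
  # presumably to let docker manage its chains, but any listening service is
  # then reachable from every interface.
  cat > "$iptables_script" <<'EOF'
#!/bin/sh
# Begin /etc/systemd/scripts/iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Final state: open policies, no rules (see note in the installer).
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
EOF
  chmod +x -- "$iptables_script"
}

# Empty the machine id so each clone of this template gets a new one
# generated by systemd on first boot.
reset_machine_id() {
  : > /etc/machine-id
}

main() {
  [[ "$EUID" -eq 0 ]] || die "this script must run as root"
  install_packages
  install_bash_it
  write_docker_units
  write_iptables_script
  reset_machine_id
}

main "$@"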