batman-adv und alfred übersetzen (Debian)

Pakete

# Build prerequisites. batman-adv below is an out-of-tree kernel module, so the
# headers of the running kernel are required as well; uncomment the first line
# if they are not installed yet.
# sudo apt-get install linux-headers-amd64
sudo apt-get install \
  build-essential cmake bison \
  libcap-dev libsodium-dev libjson-c-dev \
  bridge-utils xz-utils wget pkg-config \
  libnl-genl-3-dev libnl-3-dev
# Drop the distribution batctl, presumably so it cannot shadow the version
# built from source further down.
sudo apt-get remove batctl

batman-adv

# batman-adv kernel module, built from the release tarball.
cd /usr/local/src/

# The archive is fetched without checksum or signature verification; consider
# checking it against the project's published signature before building.
wget https://downloads.open-mesh.org/batman/releases/batman-adv-2021.1/batman-adv-2021.1.tar.gz
tar -xzf batman-adv-2021.1.tar.gz
cd batman-adv-2021.1
# Build as the normal user; only the install step needs root.
make
sudo make install

batctl

# batctl, the userspace tool matching the batman-adv release above.
cd /usr/local/src/

# Same caveat as for batman-adv: no signature/checksum check on the download.
wget https://downloads.open-mesh.org/batman/releases/batman-adv-2021.1/batctl-2021.1.tar.gz
tar -xzf batctl-2021.1.tar.gz
cd batctl-2021.1
make
sudo make install

alfred

libuecc

# libuecc, a build dependency of alfred (installed as a shared library).
cd /usr/local/src/

# Plain (uncompressed) tar snapshot, fetched without verification.
wget https://git.universe-factory.net/libuecc/snapshot/libuecc-7.tar
tar -xf libuecc-7.tar
cd libuecc-7
cmake .
make
sudo make install
# Refresh the linker cache so alfred's build finds the new library.
sudo ldconfig

alfred

cd /usr/local/src/

# NOTE(review): alfred is pinned to 2017.3 here while batman-adv/batctl above
# are 2021.1 - confirm the mix of versions is intended.
wget https://downloads.open-mesh.org/batman/releases/batman-adv-2017.3/alfred-2017.3.tar.gz
tar -xzf alfred-2017.3.tar.gz
cd alfred-2017.3
# gpsd support is disabled for both the build and the install step.
make CONFIG_ALFRED_GPSD=n
sudo make CONFIG_ALFRED_GPSD=n install

Details
Geschrieben von: Eric
Kategorie: Server
Veröffentlicht: 23. November 2021
Zuletzt aktualisiert: 04. Juli 2021

interne Domains und DHCP mit dnsmasq

Konfiguration

/usr/local/sbin/update-dnsmasq-hostsfile.sh:

#!/bin/bash
# Refreshes the static DHCP/DNS configuration for dnsmasq from git and
# reloads dnsmasq when the checkout changed. Run by cron as root.

# Git checkout that dnsmasq reads through conf-dir (see /etc/dnsmasq.conf).
CONF_DIR="/etc/dnsmasq.d/dhcp-dns-static"

# Print the full hash of the commit currently checked out in the cwd.
# Output: the hash on stdout; exits non-zero (and prints nothing) if the cwd
# is not a git repository.
getCurrentVersion() {
  git log -1 --format=format:%H
}

# Reads "<hostname> <ipv6-address>" pairs from stdin and writes one dnsmasq
# ptr-record line per pair to stdout.
# The awk step expands a single "::" and zero-pads every group to four hex
# digits (32 nibbles in total); rev + sed then turn that into the reversed,
# dot-separated nibble string used under ip6.arpa.
# NOTE(review): an address whose "::" is at the very start or end (e.g. ::1 or
# fdb5::) gets too many zero groups from this gist. The caller only feeds
# addresses starting with fdb5:/2a03:, so a leading "::" cannot occur there,
# but a trailing "::" would still produce a wrong record.
reverseIp6() { # https://gist.github.com/lsowen/4447d916fd19cbb7fce4
  local name addr expanded reversed
  while read -r name addr; do
    expanded=$(printf '%s\n' "$addr" | awk -F: 'BEGIN {OFS=""; }{addCount = 9 - NF; for(i=1; i<=NF;i++){if(length($i) == 0){ for(j=1;j<=addCount;j++){$i = ($i "0000");} } else { $i = substr(("0000" $i), length($i)+5-4);}}; print}')
    reversed=$(printf '%s\n' "$expanded" | rev | sed -e "s/./&./g")
    printf 'ptr-record=%sip6.arpa,%s\n' "$reversed" "$name"
  done
}

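# Everything below must run inside the checkout. Abort if the directory is
# missing, otherwise the git commands would run in whatever cwd cron gave us.
cd "$CONF_DIR" || { echo "cannot cd to $CONF_DIR" >&2; exit 1; }

# Get current version hash
GIT_REVISION=$(getCurrentVersion)

# Automagically commit local changes
# This preserves local changes. "nothing to commit" makes git exit non-zero,
# which is the normal case here and deliberately not treated as an error.
# NOTE(review): without -a only changes that are already staged get committed - confirm that is intended.
git commit -m "CRON: auto commit"

# Pull latest changes from upstream
# NOTE: origin/master is merged and loaded into dnsmasq as root without any
# further check, so whoever can push to that repository controls the resolver
# configuration. A failed merge (conflict) must not be followed by a reload.
git fetch
git merge origin/master -m "Auto Merge" || { echo "merge of origin/master failed, keeping current configuration" >&2; exit 1; }

# Get new version hash
GIT_NEW_REVISION=$(getCurrentVersion)

echo "old: $GIT_REVISION"
echo "new: $GIT_NEW_REVISION"

# Quoted so an empty hash (getCurrentVersion failed) cannot break the test.
if [ "$GIT_REVISION" != "$GIT_NEW_REVISION" ]; then
  # Reload updated configuration
  echo "Reload dnsmasq configuration."
  # IPv4: "address=/name/a.b.c.d" -> "ptr-record=d.c.b.a.in-addr.arpa,name."
  # The escapes are single backslashes; the doubled "\\/" form never matches a
  # dnsmasq address= line (there is no backslash in them), leaving the file empty.
  sed -r 's/^address=\/([^\/]*).*\/([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)$/ptr-record=\5.\4.\3.\2.in-addr.arpa,\1./' "$CONF_DIR/ffggrz-dns.conf" | grep '^ptr-record' > "$CONF_DIR/ptr_records_from_static"
  # IPv6: only the ULA (fdb5:) and public (2a03:) prefixes get reverse records.
  sed -r 's/^address=\/([^\/]*).*\/([^\/]*)$/\1 \2/' "$CONF_DIR/ffggrz-dns.conf" | grep -E ' (fdb5|2a03):' | reverseIp6 >> "$CONF_DIR/ptr_records_from_static"

  # Only restart when the complete configuration parses; otherwise dnsmasq
  # would stay down until someone fixes the checkout by hand.
  if dnsmasq --test; then
    systemctl restart dnsmasq
  else
    # stderr, because cron discards stdout and this is the one message that matters.
    echo "dnsmasq not restartet!" >&2
  fi
fi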

/etc/cron.d/freifunk:

# Pull and reload the static DHCP/DNS configuration every 15 minutes, as root.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Only stdout is discarded; anything the script writes to stderr still goes
# to cron's mail, so failures are not lost.
*/15 * * * * root /usr/local/sbin/update-dnsmasq-hostsfile.sh > /dev/null

/etc/dnsmasq.conf:

# Load every file in the git checkout of the static DHCP/DNS configuration.
# The ",.md" suffix argument is a skip list: Markdown files such as a README.md
# in the clone are not parsed as configuration (see conf-dir in dnsmasq(8)).
conf-dir=/etc/dnsmasq.d/dhcp-dns-static,.md

Befehle

chmod 755 /usr/local/sbin/update-dnsmasq-hostsfile.sh
mkdir /etc/dnsmasq.d/dhcp-dns-static/
cd /etc/dnsmasq.d/dhcp-dns-static/
# The cron job merges origin/master of this repository and loads the result into
# dnsmasq as root, so push access to the GitHub repository is effectively write
# access to the resolver configuration.
git clone https://github.com/ffggrz/dhcp-dns-static.git .
Details
Geschrieben von: Marcus
Kategorie: Server
Veröffentlicht: 23. November 2021
Zuletzt aktualisiert: 27. Mai 2017

iptables Firewall

Beispiel einer einfachen Firewall für den Mesh-Server.

Warnung: Die Firewall ist alles andere als optimal oder perfekt! Bei einem Update des Paketes iptables-persistent werden die Regeln erneut eingelesen, wodurch z.B. die Kommentare rausfliegen!

Konfiguration

IPv4

/etc/iptables/rules.v4:

# /etc/iptables/rules.v4 -- iptables-restore format, loaded by iptables-persistent.
# Reviewer remarks are marked NOTE(review); they describe the rules as written
# and do not change them.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The host must not be reachable directly over the mesh/VPN links or eth1; the
# only mesh-facing entry point is br-client (the raw table repeats this).
# NOTE(review): iptables' documented interface wildcard is '+' (mesh-vpn+);
# check with `iptables -S INPUT` that 'mesh-vpn*' really matches the l2tp links.
-A INPUT -i mesh-vpn* -j DROP
-A INPUT -i bat0 -j DROP
-A INPUT -i eth1 -j DROP

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 68 -m comment --comment "dhcp-client" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# A new TCP connection must start with a bare SYN.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# Per-source limits for new connections, applied before any service port is
# opened: 1 new TCP connection/s sustained (burst 200), and at most 100
# concurrent connections per source (TCP, then any protocol).
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
# SSH is open on every interface (including br-client), limited to 10
# concurrent connections per source and 1 new connection/s (burst 20).
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 32 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT
# Echo requests are rate limited (3/s, burst 50) on every interface.
-A INPUT -p icmp -m conntrack --ctstate NEW -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 50 -j ACCEPT
# NetBIOS noise on the uplink is dropped early (and unlogged).
-A INPUT -i eth0 -p udp -m multiport --dports 137,138 -j DROP
-A INPUT -i eth0 -p igmp -j ACCEPT


# Services offered to mesh clients on br-client.
# NOTE(review): the two "dns local" rules and the two "dns-server" rules match
# the same traffic (udp/tcp 53 on br-client); one of the pairs is redundant.
-A INPUT -i br-client -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT

# NOTE(review): samba and ftp are reachable from every mesh client. FTP is a
# cleartext protocol, and NEW on port 20 (ftp-data) is only needed for active
# mode; confirm both services are still meant to be exposed on br-client.
-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT

-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT

# DHCP server
# DHCPDISCOVER from a client that has no address yet
-A INPUT -i br-client -p udp --sport 68 --dport 67 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
# receive our own broadcast replies (server port 67 -> client port 68)
-A INPUT -i br-client -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT
# DHCPREQUEST
# NOTE(review): this rule accepts every udp/67 packet on br-client, so the
# DISCOVER rule above and the broadcast rule below are already covered by it.
-A INPUT -i br-client -p udp --dport 67 -j ACCEPT
-A INPUT -i br-client -p udp --sport 68 --dport 67 -d 255.255.255.255 -j ACCEPT


# Remaining broadcast/multicast from the client bridge is dropped without logging.
-A INPUT -i br-client -m pkttype --pkt-type multicast -j DROP
-A INPUT -i br-client -m pkttype --pkt-type broadcast -j DROP
-A INPUT -i br-anycast -j DROP
# Log before rejecting. TCP logging is limited per source (10/min);
# NOTE(review): the non-TCP LOG rule has no limit at all, so a UDP flood from
# the mesh is written to the log at line rate. Consider adding '-m limit' as
# the RPF log rule in the raw table does.
-A INPUT -p tcp -m hashlimit --hashlimit-above 10/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name log_level --hashlimit-htable-expire 3600000 -j LOG
-A INPUT ! -p tcp -j LOG
# Polite rejects, rate limited for TCP; everything else is silently dropped.
-A INPUT -p tcp -m state --state NEW -m limit --limit 1/sec --limit-burst 10 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP

# This host is not a gateway: only client-to-client traffic that stays on
# br-client is forwarded, everything else is logged (unlimited) and dropped.
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
# Dropped before conntrack ever sees them: direct traffic on eth1, bat0 and the
# VPN links. Mesh traffic has to come in through br-client.
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn* -j DROP

# Reverse-path filtering is done here instead of with the rp_filter sysctl
# (see the Kernel-Config section). A packet that passes one of the checks
# RETURNs to PREROUTING; everything left at the end of the chain is dropped.
# NOTE(review): --accept-local additionally lets packets through whose source
# address is one of this host's own addresses; make sure that is intended.
-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN

-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN

# Internet -> LXC (srv02 has no default route to the internet on br-client),
# so replies towards 10.181.0.0/18 arrive asymmetrically and must skip the check.
-A RPFILTER -i br-client -d 10.181.0.0/18 -j RETURN

# Failed the reverse-path check: log (rate limited) and drop.
-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP

-A PREROUTING -j RPFILTER
COMMIT

IPv6

/etc/iptables/rules.v6:

# /etc/iptables/rules.v6 -- ip6tables-restore format, loaded by iptables-persistent.
# Structure mirrors rules.v4; reviewer remarks are marked NOTE(review).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# No direct access over the VPN links, eth1 or bat0 (see rules.v4 for the
# remark on the 'mesh-vpn*' interface pattern).
-A INPUT -i mesh-vpn* -j DROP
-A INPUT -i eth1 -j DROP
-A INPUT -i bat0 -j DROP

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# A new TCP connection must start with a bare SYN.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# Per-source limits for new connections, keyed on the full /128 address.
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP

# https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
# Neighbor discovery is only accepted with hop limit 255, i.e. from a directly
# attached sender.
# NOTE(review): router advertisements are accepted from the client bridge here;
# the interfaces file on this page sets accept_ra=0 for br-client, which is
# what actually keeps mesh clients from injecting routes - keep both in sync.
-A INPUT -i br-client -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

-A INPUT -i eth0 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

# Any ICMPv6 to/from link-local or multicast addresses on the client bridge.
-A INPUT -d fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -d ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT


# SSH and web on every interface, same per-source limits as in rules.v4.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 128 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT

# Echo request (type 128).
# NOTE(review): unlike rules.v4 (3/s, burst 50) there is no rate limit here.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
# Mesh services on br-client: alfred, iperf3, respondd, NTP, DNS.
# (Style: these rules mix '-m state' and '-m conntrack'; both work, but one
# form throughout would be easier to read.)
-A INPUT -i br-client -p udp -m udp --dport 16962 -m state --state NEW -m comment --comment alfred -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 1001 -m state --state NEW -m comment --comment "respondd" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT

# NOTE(review): as in rules.v4, samba and cleartext ftp are exposed to all mesh clients.
-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT

-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT

# NOTE(review): everything that reaches this point is logged without any rate
# limit before the drop; a flood from the mesh fills the log at line rate.
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
# NOTE(review): unreachable - the preceding rule already accepts all output.
-A OUTPUT -j DROP
COMMIT


*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
# Dropped before conntrack: direct traffic on eth1, bat0 and the VPN links.
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn* -j DROP

# Reverse-path filtering in ip6tables (there is no IPv6 rp_filter sysctl).
# NOTE(review): --accept-local passes packets whose source is one of this
# host's own addresses; make sure that is intended.
-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN

-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN

# Internet -> LXC (srv02 has no default route to the internet on br-client),
# so replies towards 2a03:2260:100b::/64 arrive asymmetrically and skip the check.
-A RPFILTER -i br-client -d 2a03:2260:100b::/64 -j RETURN

# Failed the reverse-path check: log (rate limited) and drop.
-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP

-A PREROUTING -j RPFILTER
COMMIT

Kernel-Config

Reverse-Path-Filter erledigen wir in iptables, damit wir flexibler sind.

/etc/sysctl.conf:

# Reverse-path filtering is handled by the RPFILTER chain in the iptables raw
# table, so the kernel's own IPv4 rp_filter is switched off (default and all).
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
# Linux has no rp_filter sysctl for IPv6; these stay commented out and the
# ip6tables RPFILTER chain covers IPv6 as well.
#net.ipv6.conf.default.rp_filter=0
#net.ipv6.conf.all.rp_filter=0

Befehle

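# The Debian package is named iptables-persistent ("iptables-presistent" is a
# typo apt cannot resolve); it restores rules.v4/rules.v6 at boot.
sudo apt-get install iptables-persistent
# iptables-apply loads the file and rolls the change back unless it is confirmed
# within its timeout, so a broken rule set cannot lock you out over ssh.
sudo iptables-apply /etc/iptables/rules.v4
sudo ip6tables-apply /etc/iptables/rules.v6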
Details
Geschrieben von: Eric
Kategorie: Server
Veröffentlicht: 23. November 2021
Zuletzt aktualisiert: 30. März 2017

Mesh für Server (Debian, Tunneldigger, Respondd)

Dies ist eine stark verkürzte Anleitung, wie man Mesh auf seinen Server bekommt. Wichtig: die IPs anpassen!

Software

Tunneldigger

# Tunneldigger client, built from the upstream repository into /opt.
cd /opt
# NOTE(review): this clones the current default branch; no release tag or
# commit is pinned, so two servers set up at different times may run
# different code.
git clone https://github.com/wlanslovenija/tunneldigger.git
cd tunneldigger/client

cmake .
make

/etc/modules:

# L2TPv3 Ethernet pseudowire driver, loaded at boot for the mesh-vpn-l2tp-*
# interfaces that tunneldigger creates.
l2tp_eth

/etc/systemd/system/tunneldigger.service

[Unit]
Description=Tunneldigger-client
# NOTE(review): syslog.target is obsolete on current systemd versions;
# network.target alone is sufficient here.
After=syslog.target network.target

[Service]
Type=simple
# Runs as root with no sandboxing (creating the l2tp interface presumably
# needs it - TODO confirm whether capabilities such as CAP_NET_ADMIN would do).
User=root
Group=root
# NOTE(review): PIDFile= is only evaluated for Type=forking; with Type=simple
# it has no effect and can be dropped.
PIDFile=/run/tunneldigger.pid
# %H expands to the hostname and is passed as this client's identifier (-u);
# the three brokers (-b) are tried in order; -i names the local interface.
ExecStart=/opt/tunneldigger/client/tunneldigger -u "%H" -b 1.vpn.freifunk-gera-greiz.de:20181 -b 2.vpn.freifunk-gera-greiz.de:20181 -b 3.vpn.freifunk-gera-greiz.de:20181 -i mesh-vpn-l2tp-1 -a
# Reconnect after 5 s whenever the client exits, for whatever reason.
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
# Register the new unit, enable it at boot and start it right away.
systemctl daemon-reload
systemctl enable tunneldigger.service
systemctl start tunneldigger.service

Respondd

# ext-respondd answers the mesh's respondd status queries for this server.
cd /opt
# Unpinned clone of the default branch, same caveat as for tunneldigger.
git clone https://github.com/ffggrz/ext-respondd.git
cd ext-respondd
# Start from the shipped examples; alias.json has to be edited afterwards.
cp alias.json.example alias.json
cp config.json.example config.json

alias.json anpassen!

/opt/ext-respondd/config.json:

{
  "batman": "bat0",
  "bridge": "br-client",
  "wan": "eth0",
  "mesh-vpn": [ "mesh-vpn-l2tp-1", "mesh-vpn-l2tp-2", "mesh-vpn-l2tp-3"]
}

/etc/systemd/system/ext-respondd.service:

[Unit]
Description=ext-respondd (respondd Status for Servers)
# NOTE(review): syslog.target is obsolete on current systemd; network.target is enough.
After=syslog.target network.target

[Service]
Type=simple
# NOTE(review): the script answers respondd queries from every mesh client
# (udp 1001 on br-client, see the firewall) and runs as root without any
# sandboxing. Confirm it needs root at all; a dedicated user plus the
# usual hardening directives would shrink the exposure considerably.
User=root
Group=root
# alias.json / config.json are read relative to this directory.
WorkingDirectory=/opt/ext-respondd
ExecStart=/opt/ext-respondd/ext-respondd.py
# No Restart= here: if the script dies it stays down until the next boot or a manual start.

[Install]
WantedBy=multi-user.target
# Register and enable the unit; note that it is only enabled for the next
# boot here, not started immediately.
systemctl daemon-reload
systemctl enable ext-respondd.service

Netzwerk

Interfaces

/etc/network/interfaces.d/freifunk:

# Client bridge: no physical ports, bat0 is attached by its own post-up hooks
# below. MTU 1380 sits below the 1406 of the l2tp links, presumably to leave
# room for the batman-adv encapsulation - TODO confirm.
auto br-client
iface br-client inet static
  mtu 1380
  bridge-stp no
  bridge-fd 0
  bridge-hello 10
  bridge_ports none
  address 10.181.0.161
  netmask 255.255.192.0

# ULA address on the bridge; RAs and redirects from mesh clients are ignored
# so nobody on the mesh can inject routes or next hops into this host.
iface br-client inet6 static
  address fdb5:78b:64cc::161/64
  post-up sysctl net.ipv6.conf.$IFACE.accept_ra=0
  post-up sysctl net.ipv6.conf.$IFACE.accept_redirects=0
  post-up ip -6 addr add 2a03:2260:100b::161/64 dev $IFACE

# batman-adv mesh interface: carries no IP itself (IPv6 disabled), takes the
# MAC of eth0 and is bridged into br-client.
allow-hotplug bat0
iface bat0 inet manual
  pre-up ip link set address $(cat /sys/class/net/eth0/address) dev $IFACE
  post-up ip link set up dev $IFACE
  post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
  # prevent Gateway-Traffic
  # (high hop penalty so other nodes do not route through this server;
  # gateway mode is client, not server)
  post-up batctl meshif $IFACE hop_penalty 100
  post-up batctl meshif $IFACE bridge_loop_avoidance 1
  post-up batctl gw client 45
  post-up batctl orig_interval 5000
  post-up batctl multicast_mode 0
  post-up brctl addif br-client $IFACE

# The three l2tp tunnels from tunneldigger are plain batman-adv hard
# interfaces: no IPv6, MTU 1406, added to bat0 once they come up.
allow-hotplug mesh-vpn-l2tp-1
iface mesh-vpn-l2tp-1 inet manual
  post-up ip link set up dev $IFACE
  post-up ip link set mtu 1406 $IFACE
  post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
  post-up batctl if add $IFACE

allow-hotplug mesh-vpn-l2tp-2
iface mesh-vpn-l2tp-2 inet manual
  post-up ip link set up dev $IFACE
  post-up ip link set mtu 1406 $IFACE
  post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
  post-up batctl if add $IFACE

allow-hotplug mesh-vpn-l2tp-3
iface mesh-vpn-l2tp-3 inet manual
  post-up ip link set up dev $IFACE
  post-up ip link set mtu 1406 $IFACE
  post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
  post-up batctl if add $IFACE

Details
Geschrieben von: Eric
Kategorie: Server
Veröffentlicht: 23. November 2021
Zuletzt aktualisiert: 04. Juli 2021
