Pakete
# Build dependencies for batman-adv, batctl, libuecc and alfred (Debian/Ubuntu).
sudo apt-get install linux-headers-amd64
sudo apt-get install \
  build-essential cmake bison libcap-dev libsodium-dev libjson-c-dev \
  bridge-utils xz-utils wget pkg-config libnl-genl-3-dev libnl-3-dev
# Remove the distribution's batctl, presumably so the version built from
# source below is the one found in PATH.
sudo apt-get remove batctl
batman-adv
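# Build and install the batman-adv kernel module from the upstream release tarball.
# The steps are chained with && so a failed cd/download/extract does not run
# "make install" (as root) in the wrong directory or on a partial tree.
# The archive is fetched without checksum or signature verification; compare it
# against the project's published checksum/signature before installing.
cd /usr/local/src \
  && wget https://downloads.open-mesh.org/batman/releases/batman-adv-2021.1/batman-adv-2021.1.tar.gz \
  && tar -xf batman-adv-2021.1.tar.gz \
  && cd batman-adv-2021.1/ \
  && make \
  && sudo make install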
batctl
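# Build and install batctl (same release series as the batman-adv module above).
# Chained with && so a failed step stops the sequence before "sudo make install".
# The archive is fetched without checksum or signature verification; compare it
# against the project's published checksum/signature before installing.
cd /usr/local/src \
  && wget https://downloads.open-mesh.org/batman/releases/batman-adv-2021.1/batctl-2021.1.tar.gz \
  && tar -xf batctl-2021.1.tar.gz \
  && cd batctl-2021.1/ \
  && make \
  && sudo make install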
alfred
libuecc
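# Build and install libuecc (dependency of alfred). "sudo ldconfig" refreshes the
# shared-library cache so the freshly installed library is found.
# Chained with && so a failed step stops the sequence before the privileged steps.
# The archive is fetched without checksum or signature verification; compare it
# against the project's published checksum/signature before installing.
cd /usr/local/src \
  && wget https://git.universe-factory.net/libuecc/snapshot/libuecc-7.tar \
  && tar -xf libuecc-7.tar \
  && cd libuecc-7/ \
  && cmake . \
  && make \
  && sudo make install \
  && sudo ldconfig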
alfred
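# Build and install alfred without gpsd support (CONFIG_ALFRED_GPSD=n must be
# passed to both make invocations, otherwise install would rebuild with gpsd).
# NOTE(review): alfred 2017.3 is considerably older than the batman-adv/batctl
# 2021.1 releases used above — confirm this version mix is intended.
# Chained with && so a failed step stops the sequence before "sudo make install".
# The archive is fetched without checksum or signature verification; compare it
# against the project's published checksum/signature before installing.
cd /usr/local/src \
  && wget https://downloads.open-mesh.org/batman/releases/batman-adv-2017.3/alfred-2017.3.tar.gz \
  && tar -xf alfred-2017.3.tar.gz \
  && cd alfred-2017.3/ \
  && make CONFIG_ALFRED_GPSD=n \
  && sudo make CONFIG_ALFRED_GPSD=n install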
Konfiguration
/usr/local/sbin/update-dnsmasq-hostsfile.sh:
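#!/bin/bash
# Pull the latest static DHCP/DNS configuration from git, regenerate the PTR
# records derived from it and reload dnsmasq when the checkout changed.
#
# Runs unattended as root from /etc/cron.d/freifunk. Failures are checked
# explicitly rather than with "set -e": "git commit" returns non-zero when
# there is nothing to commit, which is the normal case here.
set -uo pipefail

# dnsmasq configuration directory (a git checkout of the dhcp-dns-static repo)
CONF_DIR=/etc/dnsmasq.d/dhcp-dns-static

# Print the hash of the current HEAD commit.
getCurrentVersion() {
  git log --format=format:%H -1
}

# Read "<host> <ipv6-address>" pairs from stdin and print one dnsmasq
# ptr-record line per pair.
# Based on https://gist.github.com/lsowen/4447d916fd19cbb7fce4
# The awk program expands the address to 8 groups of 4 hex digits (the empty
# field produced by "::" is padded with the missing zero groups), rev reverses
# the digits and sed puts a dot after each nibble for the ip6.arpa name.
# NOTE(review): an address beginning with "::" yields two empty fields and
# would be expanded twice; the caller only feeds fdb5:/2a03: prefixed addresses.
reverseIp6() {
  local host ip ptr
  while read -r host ip; do
    ptr=$(printf '%s\n' "$ip" \
      | awk -F: 'BEGIN {OFS=""; }{addCount = 9 - NF; for(i=1; i<=NF;i++){if(length($i) == 0){ for(j=1;j<=addCount;j++){$i = ($i "0000");} } else { $i = substr(("0000" $i), length($i)+5-4);}}; print}' \
      | rev | sed -e 's/./&./g')
    printf 'ptr-record=%sip6.arpa,%s\n' "$ptr" "$host"
  done
}

# Without this check a failed cd would run the git commands below (as root)
# in whatever directory cron started the script in.
cd "$CONF_DIR" || { echo "cannot cd to $CONF_DIR" >&2; exit 1; }

# Get current version hash
GIT_REVISION=$(getCurrentVersion) || exit 1

# Commit local changes so the merge does not clobber them.
# NOTE(review): without "-a" only staged changes are committed; unstaged edits
# to tracked files make the merge refuse — confirm which is intended.
git commit -m "CRON: auto commit"

# Pull latest changes from upstream.
# NOTE(review): the remote is trusted as-is — whoever can push to origin/master
# decides what this server answers for DNS. Consider requiring signed commits
# or tags (git verify-commit / verify-tag) before merging.
git fetch
git merge origin/master -m "Auto Merge"

# Get new version hash
GIT_NEW_REVISION=$(getCurrentVersion) || exit 1

echo "old: $GIT_REVISION"
echo "new: $GIT_NEW_REVISION"

# Quoted comparison: an empty hash (git failure) must not become a syntax error.
if [[ "$GIT_REVISION" != "$GIT_NEW_REVISION" ]]; then
  # Reload updated configuration
  echo "Reload dnsmasq configuration."

  # IPv4: address=/<name>/<a>.<b>.<c>.<d>  ->  ptr-record=<d>.<c>.<b>.<a>.in-addr.arpa,<name>.
  # "|" is the sed delimiter so the slashes inside the address= lines need no
  # escaping (the wiki rendering showed the original patterns doubly escaped).
  sed -r 's|^address=/([^/]*).*/([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)$|ptr-record=\5.\4.\3.\2.in-addr.arpa,\1.|' "$CONF_DIR/ffggrz-dns.conf" \
    | grep '^ptr-record' > "$CONF_DIR/ptr_records_from_static"

  # IPv6: only addresses in the fdb5: (ULA) and 2a03: (global) ranges get PTR records.
  sed -r 's|^address=/([^/]*).*/([^/]*)$|\1 \2|' "$CONF_DIR/ffggrz-dns.conf" \
    | grep -E ' (fdb5|2a03):' | reverseIp6 >> "$CONF_DIR/ptr_records_from_static"

  # Syntax-check the complete configuration before restarting so a broken
  # upstream change cannot take the resolver down.
  # NOTE(review): on failure the freshly written ptr_records_from_static stays
  # in place and will be loaded by the next (manual) restart.
  if dnsmasq --test; then
    systemctl restart dnsmasq
  else
    echo "dnsmasq not restartet!" >&2
  fi
fi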
/etc/cron.d/freifunk:
# PATH for the job below (the script calls git, dnsmasq and systemctl by bare name).
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Every 15 minutes, as root: pull the static DHCP/DNS config and reload dnsmasq.
# stdout is discarded; stderr is left alone so cron can still report failures.
*/15 * * * * root /usr/local/sbin/update-dnsmasq-hostsfile.sh > /dev/null
/etc/dnsmasq.conf:
# Load every file in the dhcp-dns-static git checkout as dnsmasq configuration,
# skipping files whose name ends in .md (presumably the repository's documentation).
conf-dir=/etc/dnsmasq.d/dhcp-dns-static,.md
Befehle
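# Make the cron script executable and turn the dnsmasq conf-dir into a git
# checkout of the static DHCP/DNS configuration.
chmod 755 /usr/local/sbin/update-dnsmasq-hostsfile.sh
# dnsmasq loads every file in this directory except *.md (see /etc/dnsmasq.conf),
# so only reviewed configuration should ever land in the repository.
# "mkdir -p" makes the step re-runnable; && stops the sequence if the cd fails
# so the clone cannot land in the current directory.
mkdir -p /etc/dnsmasq.d/dhcp-dns-static/ \
  && cd /etc/dnsmasq.d/dhcp-dns-static/ \
  && git clone https://github.com/ffggrz/dhcp-dns-static.git .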
Beispiel einer einfachen Firewall für den Mesh-Server.
Warnung: Die Firewall ist alles andere als optimal oder perfekt! Bei einem Update des Paketes iptables-persistent werden die Regeln erneut eingelesen, wodurch z. B. die Kommentare rausfliegen!
Konfiguration
IPv4
/etc/iptables/rules.v4:
# NOTE(review): the leading '#' in front of '*filter' comments out the table
# header, leaving iptables-restore with no table to load the rules into. It is
# most likely a wiki/rendering artifact — confirm the installed file starts
# with a plain '*filter' (the IPv6 file below does).
# *filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Nothing from the mesh side (VPN tunnels, bat0, eth1) reaches the host stack.
# Only eth0 (WAN) and br-client (client bridge) are filtered further below.
-A INPUT -i mesh-vpn* -j DROP
-A INPUT -i bat0 -j DROP
-A INPUT -i eth1 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 68 -m comment --comment "dhcp-client" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New TCP connections must start with a bare SYN.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# Per-source rate and concurrency limits on new connections.
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
# ssh and http(s) are not bound to an interface: they are reachable from eth0
# and from br-client (i.e. from mesh clients) alike. ssh is additionally capped
# per source address.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 32 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT
# Rate-limited echo requests (compare: the IPv6 rules accept type 128 unlimited).
-A INPUT -p icmp -m conntrack --ctstate NEW -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 50 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 137,138 -j DROP
-A INPUT -i eth0 -p igmp -j ACCEPT
# Services offered to mesh clients on br-client. The "dns local" pair and the
# "dns-server" pair below are duplicates of each other.
-A INPUT -i br-client -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT
#DHCP-Server
#DHCPDISCOVER
-A INPUT -i br-client -p udp --sport 68 --dport 67 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
# receive our own (broadcast) replies
-A INPUT -i br-client -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT
#DHCPREQUEST
# NOTE(review): this rule already accepts every udp/67 packet on br-client, so
# the narrower --sport 68 / 255.255.255.255 rules before and after it are
# redundant (harmless, but they suggest more filtering than actually happens).
-A INPUT -i br-client -p udp --dport 67 -j ACCEPT
-A INPUT -i br-client -p udp --sport 68 --dport 67 -d 255.255.255.255 -j ACCEPT
-A INPUT -i br-client -m pkttype --pkt-type multicast -j DROP
-A INPUT -i br-client -m pkttype --pkt-type broadcast -j DROP
-A INPUT -i br-anycast -j DROP
# Log-then-reject tail. The TCP LOG is rate limited per source address.
-A INPUT -p tcp -m hashlimit --hashlimit-above 10/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name log_level --hashlimit-htable-expire 3600000 -j LOG
# NOTE(review): this LOG (and the FORWARD LOG below) has no rate limit, so a
# flood of unsolicited udp/icmp can fill the log; consider adding "-m limit".
-A INPUT ! -p tcp -j LOG
-A INPUT -p tcp -m state --state NEW -m limit --limit 1/sec --limit-burst 10 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
# Forwarding: only client-to-client traffic within the bridge is allowed.
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Reverse-path check done here instead of the kernel's rp_filter, which
# /etc/sysctl.conf switches off.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn* -j DROP
-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN
-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN
# Internet -> LXC (srv02 has no default route to the internet for br-client)
-A RPFILTER -i br-client -d 10.181.0.0/18 -j RETURN
-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP
-A PREROUTING -j RPFILTER
COMMIT
IPv6
/etc/iptables/rules.v6:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Nothing from the mesh side (VPN tunnels, eth1, bat0) reaches the host stack.
# Only eth0 (WAN) and br-client (client bridge) are filtered further below.
-A INPUT -i mesh-vpn* -j DROP
-A INPUT -i eth1 -j DROP
-A INPUT -i bat0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New TCP connections must start with a bare SYN.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# Per-source rate and concurrency limits on new connections (/128 = per address).
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP
# Neighbor discovery / router advertisement, only accepted with hop limit 255
# (i.e. originated on the link, not routed in).
# https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
-A INPUT -i br-client -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
# Any ICMPv6 to/from link-local and multicast addresses on the client bridge.
-A INPUT -d fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -d ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT
# ssh and http(s) are not bound to an interface: reachable from eth0 and from
# br-client (mesh clients) alike. ssh is additionally capped per source address.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 128 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT
# NOTE(review): echo request (type 128) is accepted without the per-second
# limit the IPv4 rules apply to icmp type 8.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
# Mesh services offered on br-client: alfred, iperf3, respondd, ntp, dns, samba, ftp.
# NOTE(review): iperf3 is a measurement tool exposed to every mesh client;
# consider enabling it only while measuring.
-A INPUT -i br-client -p udp -m udp --dport 16962 -m state --state NEW -m comment --comment alfred -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 1001 -m state --state NEW -m comment --comment "respondd" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT
# NOTE(review): unlike the IPv4 tail, this LOG (and the FORWARD LOG below) has
# no rate limit at all; unsolicited traffic can fill the log. Consider "-m limit".
-A INPUT -j LOG
-A INPUT -j DROP
# Forwarding: only client-to-client traffic within the bridge is allowed.
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
# NOTE(review): unreachable — the preceding "-A OUTPUT -j ACCEPT" matches everything first.
-A OUTPUT -j DROP
COMMIT
# Reverse-path check done here instead of the kernel's rp_filter (see /etc/sysctl.conf).
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn* -j DROP
-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN
-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN
# Internet -> LXC (srv02 has no default route to the internet for br-client)
-A RPFILTER -i br-client -d 2a03:2260:100b::/64 -j RETURN
-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP
-A PREROUTING -j RPFILTER
COMMIT
Kernel-Config
Reverse-Path-Filter erledigen wir in iptables, damit wir flexibler sind.
/etc/sysctl.conf:
# Reverse-path filtering is implemented in the iptables raw table (RPFILTER
# chain in /etc/iptables/rules.v4 and rules.v6), so the kernel's own rp_filter
# is switched off to keep the two from conflicting.
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
# Left disabled/commented for IPv6 in the original configuration.
#net.ipv6.conf.default.rp_filter=0
#net.ipv6.conf.all.rp_filter=0
Befehle
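# iptables-persistent restores /etc/iptables/rules.v4 and rules.v6 at boot.
# (Fixed: the package was spelled "iptables-presistent", which apt cannot find.)
sudo apt-get install iptables-persistent
# iptables-apply loads a ruleset and rolls it back unless it is confirmed
# within a timeout, so a mistake in the rules cannot lock you out of a remote host.
sudo iptables-apply /etc/iptables/rules.v4
sudo ip6tables-apply /etc/iptables/rules.v6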
Dies ist eine stark verkürzte Anleitung, wie man Mesh auf seinen Server bekommt. Wichtig: die IPs anpassen!
Software
Tunneldigger
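# Build the tunneldigger client from source. Chained with && so a failed clone
# or cd does not run cmake/make in the wrong directory.
# NOTE(review): this clones the branch HEAD unpinned; the resulting binary runs
# as root (see tunneldigger.service), so consider checking out a reviewed
# tag or commit instead.
cd /opt/ \
  && git clone https://github.com/wlanslovenija/tunneldigger.git \
  && cd tunneldigger/client/ \
  && cmake . \
  && make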
/etc/modules:
# L2TP ethernet pseudowire module, loaded at boot for the tunneldigger client
# (tunneldigger.service below creates the mesh-vpn-l2tp-* interfaces).
l2tp_eth
/etc/systemd/system/tunneldigger.service
[Unit]
Description=Tunneldigger-client
# NOTE(review): syslog.target is obsolete on current systemd; network.target alone suffices.
After=syslog.target network.target

[Service]
Type=simple
# Runs as root; the client creates and configures L2TP network interfaces.
User=root
Group=root
# NOTE(review): PIDFile= is only evaluated for Type=forking and is ignored with Type=simple.
PIDFile=/run/tunneldigger.pid
# %H expands to the host name and is used as the tunnel id; three brokers are
# listed for failover; -i names the resulting interface (matches
# /etc/network/interfaces.d/freifunk). Meaning of -a: check tunneldigger --help.
ExecStart=/opt/tunneldigger/client/tunneldigger -u "%H" -b 1.vpn.freifunk-gera-greiz.de:20181 -b 2.vpn.freifunk-gera-greiz.de:20181 -b 3.vpn.freifunk-gera-greiz.de:20181 -i mesh-vpn-l2tp-1 -a
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

# Activate the unit:
systemctl daemon-reload
systemctl enable tunneldigger.service
systemctl start tunneldigger.service
Respondd
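# Install ext-respondd and create the local config files from the examples.
# Chained with && so a failed clone or cd does not copy files in the wrong place.
# NOTE(review): the clone is unpinned and the script later runs as root
# answering requests from the mesh (udp/1001 on br-client); consider checking
# out a reviewed tag or commit.
cd /opt/ \
  && git clone https://github.com/ffggrz/ext-respondd.git \
  && cd ext-respondd/ \
  && cp alias.json.example alias.json \
  && cp config.json.example config.json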
alias.json anpassen!
/opt/ext-respondd/config.json:
{ "batman": "bat0", "bridge": "br-client", "wan": "eth0", "mesh-vpn": [ "mesh-vpn-l2tp-1", "mesh-vpn-l2tp-2", "mesh-vpn-l2tp-3"] }
/etc/systemd/system/ext-respondd.service:
[Unit]
Description=ext-respondd (respondd Status for Servers)
# NOTE(review): syslog.target is obsolete on current systemd; network.target alone suffices.
After=syslog.target network.target

[Service]
Type=simple
# NOTE(review): a network-facing status responder (udp/1001 from br-client is
# accepted in rules.v6) running as root; if the script only reads status
# information, a dedicated unprivileged user would limit the blast radius.
User=root
Group=root
WorkingDirectory=/opt/ext-respondd
ExecStart=/opt/ext-respondd/ext-respondd.py

[Install]
WantedBy=multi-user.target

# Activate the unit:
systemctl daemon-reload
systemctl enable ext-respondd.service
Netzwerk
Interfaces
/etc/network/interfaces.d/freifunk:
# Client bridge: clients reach the server through bat0, which is attached to
# this bridge below. The IPv4/IPv6 addresses are site specific — adjust them.
auto br-client
iface br-client inet static
    mtu 1380
    bridge-stp no
    bridge-fd 0
    bridge-hello 10
    bridge_ports none
    address 10.181.0.161
    netmask 255.255.192.0

iface br-client inet6 static
    address fdb5:78b:64cc::161/64
    # Do not take router advertisements or redirects from the client network:
    # the server's addresses and routes are configured statically here.
    post-up sysctl net.ipv6.conf.$IFACE.accept_ra=0
    post-up sysctl net.ipv6.conf.$IFACE.accept_redirects=0
    post-up ip -6 addr add 2a03:2260:100b::161/64 dev $IFACE

# batman-adv mesh interface; gets eth0's MAC address and no IPv6 of its own
# (all IP traffic goes through br-client).
allow-hotplug bat0
iface bat0 inet manual
    pre-up ip link set address $(cat /sys/class/net/eth0/address) dev $IFACE
    post-up ip link set up dev $IFACE
    post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
    # prevent Gateway-Traffic
    # NOTE(review): mixes "batctl meshif $IFACE ..." with the interface-less
    # "batctl gw/orig_interval/multicast_mode" form; presumably both act on
    # bat0 — worth making uniform.
    post-up batctl meshif $IFACE hop_penalty 100
    post-up batctl meshif $IFACE bridge_loop_avoidance 1
    post-up batctl gw client 45
    post-up batctl orig_interval 5000
    post-up batctl multicast_mode 0
    post-up brctl addif br-client $IFACE

# L2TP tunnels created by tunneldigger; each one is added as a batman-adv
# hard interface. MTU 1406 for the tunnel, 1380 on the bridge above.
allow-hotplug mesh-vpn-l2tp-1
iface mesh-vpn-l2tp-1 inet manual
    post-up ip link set up dev $IFACE
    post-up ip link set mtu 1406 $IFACE
    post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
    post-up batctl if add $IFACE

allow-hotplug mesh-vpn-l2tp-2
iface mesh-vpn-l2tp-2 inet manual
    post-up ip link set up dev $IFACE
    post-up ip link set mtu 1406 $IFACE
    post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
    post-up batctl if add $IFACE

allow-hotplug mesh-vpn-l2tp-3
iface mesh-vpn-l2tp-3 inet manual
    post-up ip link set up dev $IFACE
    post-up ip link set mtu 1406 $IFACE
    post-up sysctl net.ipv6.conf.$IFACE.disable_ipv6=1
    post-up batctl if add $IFACE