From 6e9eea7f62764f811301793aadb5424a04a73cfb Mon Sep 17 00:00:00 2001
From: Roman Katrincak
Date: Thu, 3 Dec 2015 22:01:23 +0100
Subject: [PATCH] Minor fixes

Split traffic ICMP & TCP/UDP <1024 with local exit TCP/UDP =>1024 exit @ Freifunk backbone Start script now in cron @reboot
---
 files/bataddif.sh.j2 | 1 +
 files/collectd.conf.j2 | 2 +-
 files/gre_backbone.sh | 28 ++++++++++++------------
 files/l2tp_broker.cfg.j2 | 2 +-
 files/sn_startup.sh.j2 | 41 +++++++++++++++++++++++++++++++++++
 install.sn.yml | 47 +++++++++++++++------------------------
 6 files changed, 75 insertions(+), 46 deletions(-)
 create mode 100644 files/sn_startup.sh.j2
diff --git a/files/bataddif.sh.j2 b/files/bataddif.sh.j2
index c88786e..156b54e 100644
--- a/files/bataddif.sh.j2
+++ b/files/bataddif.sh.j2
@@ -23,5 +23,6 @@ INTERFACE="$3"
 #ip link set address {{ sn_mesh_MAC }} dev $INTERFACE
 ifconfig $INTERFACE hw ether {{ sn_mesh_MAC }}
 ip link set dev $INTERFACE up mtu 1312
+/sbin/sysctl net.ipv4.conf.$INTERFACE.rp_filter=0
 /usr/sbin/batctl if add $INTERFACE
diff --git a/files/collectd.conf.j2 b/files/collectd.conf.j2
index e0334b8..fdc8ff8 100644
--- a/files/collectd.conf.j2
+++ b/files/collectd.conf.j2
@@ -35,7 +35,7 @@ LoadPlugin entropy
 LoadPlugin irq
 LoadPlugin load
 LoadPlugin memory
-LoadPlugin openvpn
+#LoadPlugin openvpn
 LoadPlugin processes
 LoadPlugin swap
 LoadPlugin rrdtool
diff --git a/files/gre_backbone.sh b/files/gre_backbone.sh
index 9a5683d..940b248 100644
--- a/files/gre_backbone.sh
+++ b/files/gre_backbone.sh
@@ -13,7 +13,7 @@ communitynetworkv6="fda0:747e:ab29:7405:255::"
 # Third octet from the server range
 octet3rd="255"
 # CIDR muss /16 sein
-localserver=$(hostname)
+localserver=$(/bin/hostname)
 for i in $server; do
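Review bot: `/sbin/sysctl net.ipv4.conf.$INTERFACE.rp_filter=0` on the added line of bataddif.sh.j2 switches off source-address validation for the mesh interface, and per the kernel's documented semantics the effective setting is the maximum of `net.ipv4.conf.all.rp_filter` and the per-interface value, so this line does nothing while `all` is 1 and removes the check entirely once `all` is 0. If the aim is only to tolerate asymmetric routes over the mesh, loose mode `net.ipv4.conf.$INTERFACE.rp_filter=2` keeps a basic anti-spoofing check; the same point applies to `net.ipv4.conf.bat0.rp_filter=0` in the new files/sn_startup.sh.j2. The sysctl's exit status is not checked and `$INTERFACE` stays unquoted, which matches the surrounding lines but means a missing or misnamed interface fails silently.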
@@ -21,12 +21,12 @@ for i in $server; do
 for j in $server; do
 if [ $i != $j ]; then
- if [ $i = $(hostname) ]; then
- ip link add $j type gretap local $(hostname -I | cut -f1 -d' ') remote $(dig +short $j.$domain) dev eth0 nopmtudisc
- ip link set dev $j mtu $mtu
- ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j
- ip link set $j up
- batctl if add $j
+ if [ $i = $(/bin/hostname) ]; then
+ /sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0 nopmtudisc
+ /sbin/ip link set dev $j mtu $mtu
+ /sbin/ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j
+ /sbin/ip link set $j up
+ /usr/sbin/batctl if add $j
 fi
 fi
@@ -36,10 +36,10 @@ for i in $server; do
 done
 # configure bat0
-ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0
-ip link set up dev bat0
-ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
-ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0
-alfred -i bat0 > /dev/null 2>&1 &
-batadv-vis -i bat0 -s > /dev/null 2>&1 &
-service bind9 restart
+/sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0
+/sbin/ip link set up dev bat0
+/sbin/ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
+/sbin/ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0
+/usr/sbin/alfred -i bat0 > /dev/null 2>&1 &
+/usr/sbin/batadv-vis -i bat0 -s > /dev/null 2>&1 &
+/usr/sbin/service bind9 restart
diff --git a/files/l2tp_broker.cfg.j2 b/files/l2tp_broker.cfg.j2
index c9a0cf8..78a14f6 100644
--- a/files/l2tp_broker.cfg.j2
+++ b/files/l2tp_broker.cfg.j2
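Review bot: The `remote $(/usr/bin/dig +short $j.$domain)` substitution on the `/sbin/ip link add` line is used unchecked: when the lookup fails or returns several records, `ip link add` gets an empty or multi-word `remote` argument and fails, and the following four `ip`/`batctl` commands then run against a device that was never created, with nothing surfaced because the script does not use `set -e`. Resolve once into a variable and guard it, e.g. `remote=$(/usr/bin/dig +short "$j.$domain" | head -n1); [ -n "$remote" ] || { echo "no address for $j" >&2; continue; }`, then pass `remote "$remote"`. The loop also re-runs `$(/bin/hostname)` on every iteration although `localserver` already holds that value from the previous hunk; `[ "$i" = "$localserver" ]` is simpler and removes a second point of failure. The enclosing `for i` loop starts before this hunk.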
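Review bot: `$communitymacaddress$:0${localserver#$communityname}` on the first `/sbin/ip link set address` line of the bat0 hunk has a stray `$` before the colon; the shell leaves `$:` literal, so the address handed to `ip` contains a `$` and the command should be rejected, whereas the loop in the previous hunk builds the same MAC as `$communitymacaddress:...` without it. This looks like a pre-existing typo that the path-prefix change carried over; the intended line is presumably `/sbin/ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0`. The `alfred` and `batadv-vis` daemons are backgrounded with all output sent to /dev/null and no status check, so a failure to start is invisible; logging to a file under /var/log would keep that diagnosable.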
@@ -9,7 +9,7 @@ interface=eth0
 ; session with the broker
 max_cookies=1024
 ; Maximum number of tunnels that will be allowed by the broker
-max_tunnels=100
+max_tunnels=50
 ; Tunnel port base
 port_base=15000
 ; Tunnel id base
diff --git a/files/sn_startup.sh.j2 b/files/sn_startup.sh.j2
new file mode 100644
index 0000000..4eeb555
--- /dev/null
+++ b/files/sn_startup.sh.j2
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Stop tunneldigger until bat0 is up
+/usr/sbin/service tunneldigger stop
+
+# Set unreachable for table 200
+/bin/ip route add unreachable 0.0.0.0/0 table iffy
+
+while ! ping -c 1 -W 1 {{ sn_iffy_traffic }}; do
+ echo "Waiting for {{ sn_iffy_traffic }} - network interface might be down..."
+ sleep 5
+done
+
+
+# Activate IP forwarding
+/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
+/sbin/sysctl -w net.ipv4.ip_forward=1
+
+# Routing table 200 for traffic above port 1023
+/bin/grep 200 /etc/iproute2/rt_tables || /bin/echo 200 iffy >> /etc/iproute2/rt_tables
+
+# Set table for traffice with mark 4
+/bin/ip rule add fwmark 0x4 table iffy
+
+# Set mark 4 to traffic above port 1023
+/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+/sbin/iptables -t mangle -A PREROUTING -p udp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+
+# NAT on eth0
+/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# Allow MAC address spoofing
+/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
+
+# Set gateway for table 200
+/bin/ip route replace default via {{ sn_iffy_traffic }} table iffy
+
+# Start tunneldigger
+/usr/sbin/service tunneldigger start
+
+exit 0
diff --git a/install.sn.yml b/install.sn.yml
index e4a7214..57f6dab 100644
--- a/install.sn.yml
+++ b/install.sn.yml
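Review bot: `/bin/ip route add unreachable 0.0.0.0/0 table iffy` near the top of the new sn_startup.sh.j2 uses the table name `iffy`, but that name is only registered in /etc/iproute2/rt_tables by the `/bin/grep 200 ... || /bin/echo 200 iffy >> ...` line further down, so on a freshly installed host the first boot fails this command (silently, as the script has no `set -e`) and the unreachable fallback is never installed. Move the rt_tables line above the first use and anchor the match, since `grep 200` also accepts unrelated entries such as `2000` or a comment: `/bin/grep -qE '^200[[:space:]]' /etc/iproute2/rt_tables || /bin/echo '200 iffy' >> /etc/iproute2/rt_tables`. The three `iptables -A` rules and `ip rule add fwmark 0x4 table iffy` are appended unconditionally, so every manual re-run duplicates them; guard them with `iptables -C ... || iptables -A ...` and `/bin/ip rule list | /bin/grep -q 'fwmark 0x4' || /bin/ip rule add fwmark 0x4 table iffy` to keep the script idempotent. With `net.ipv4.ip_forward=1` and MASQUERADE on eth0 I see no FORWARD-chain policy in this file, so unless one is set elsewhere everything that reaches this host via bat0 or the tunnels is forwarded out eth0 under NAT.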
@@ -63,22 +63,6 @@
 - keepalive.sh
 backbone_script:
 - gre_backbone.sh
- system_startup:
- - "# Routing einschalten"
- - /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
- - /sbin/sysctl -w net.ipv4.ip_forward=1
-# - "# Routing Tabelle 42 fuer Freifunk anlegen, wenn noch nicht vorhanden"
-# - #/bin/grep 42 /etc/iproute2/rt_tables || echo '42 42' >> /etc/iproute2/rt_tables"
-# - "# Freifunk Daten sollen mit 0x1 markiert werden"
-# - /sbin/iptables -t mangle -A PREROUTING -i bat0 -j MARK --set-xmark 0x1
-# - "# Erstmal unreachable melden, ausser OpenVPN ist aufgebaut"
-# - "#/sbin/ip route add unreachable default table 42"
-# - "# Alles was mit 0x1 markiert ist soll nach Routing Tabelle 42 behandelt werden"
-# - "/sbin/ip rule add from all fwmark 0x1 table 42 priority 4"
- - "#NAT auf eth0 aktivieren"
- - /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- - "#GRE Backbone aufbauen"
- - /opt/freifunk/gre_backbone.sh
 authorized_keys:
 - authorized_keys
@@ -103,14 +87,13 @@
 when: ansible_default_ipv6.address is defined
 - name: set hostname
 hostname: name='{{ sn_hostname }}'
- register: hostname
+ register: sethostname
 - name: Reboot the server
 shell: sleep 2 && shutdown -r now "Ansible updates triggered"
 async: 1
 poll: 0
 ignore_errors: true
- when: hosts.changed
- when: hostname.changed
+ when: sethostname.changed
 - name: disable multi CPU Kernel (SMP)
 lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present
 register: grubnosmp
@@ -125,7 +108,7 @@
 delay=15
 timeout=300
 when: hosts.changed
- when: hostname.changed
+ when: sethostname.changed
 - name: Install common required packages
 apt: state=installed pkg={{ item }}
 with_items: common_required_packages
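Review bot: In the `@@ -125,7 +108,7 @@` hunk the wait task still carries two `when:` keys, the context line `when: hosts.changed` and the added `when: sethostname.changed`; a YAML mapping cannot hold the same key twice and the loader keeps only one of them (in practice the last), so the `hosts.changed` condition is silently dropped. If both triggers are meant to wait for the host to come back, combine them on one line: `when: hosts.changed or sethostname.changed`. The reboot task in the `@@ -103,14 +87,13 @@` hunk resolved the same pair by deleting `hosts.changed` altogether, so the two tasks now react to different conditions, which may or may not be intended. Both tasks belong to a task list that starts and ends outside these hunks.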
@@ -205,6 +188,10 @@
 when: check_gw.changed
 - name: Copy dhcpd template file
 template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444
+ - name: Add cron backbone script
+ cron: name=backbone special_time=reboot job="/opt/freifunk/gre_backbone.sh"
+ - name: Add cron startup script
+ cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh"
 - name: Copy backbone script
 copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
 with_items: backbone_script
@@ -214,16 +201,8 @@
 - name: Restart collectd
 service: name=collectd state=restarted
 when: collectd.changed
- - name: configure rc.local 1st
- lineinfile: dest=/etc/rc.local line="{{ item }}" state=present
- with_items: system_startup
- register: rc
- - name: configure rc.local 2nd
- lineinfile: dest=/etc/rc.local line="exit 0" state=absent
- when: rc.changed
- - name: configure rc.local 3rd
- lineinfile: dest=/etc/rc.local line="exit 0" state=present
- when: rc.changed
+ - name: configure startup script
+ template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
 - name: SSH authorized_keys
 copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400
 with_items: authorized_keys
@@ -252,3 +231,11 @@
 template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544
 - name: Add cron job with alfred info script
 cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root"
+ - name: Send notification message via Slack
+ local_action:
+ module: slack
+ token:
+ msg: "{{ inventory_hostname }} completed"
+ channel: "#technik"
+ username: "Ansible on {{ inventory_hostname }}"
+ parse: 'none'
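Review bot: Both added `cron` tasks use `special_time=reboot`, and cron gives @reboot jobs no ordering or dependency, so `/opt/freifunk/sn_startup.sh` may run before `/opt/freifunk/gre_backbone.sh` has created bat0; its `sysctl net.ipv4.conf.bat0.rp_filter=0` then fails and, as far as I can see from the new file, nothing in sn_startup.sh actually waits for bat0 despite the comment "Stop tunneldigger until bat0 is up" (it only pings the gateway). Either chain them in a single job, `job="/opt/freifunk/gre_backbone.sh && /opt/freifunk/sn_startup.sh"`, or have sn_startup.sh poll for the interface before touching it. Neither task sets `user=`, unlike the alfred cron task in the last hunk; that works when the play runs as root but is worth making explicit.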
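Review bot: `token:` in the new Slack task is empty, so the `slack` module fails the play at its very last step on every run (the task has no `ignore_errors`), and filling the value in here would commit a Slack credential into the repository. Take it from a vaulted variable instead, `token: "{{ slack_token }}"`, and add `when: slack_token is defined` or `ignore_errors: true` so a notification problem does not report a successfully configured host as failed.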