From a9da1ed669c3310af627ed50c7d69da0ea265680 Mon Sep 17 00:00:00 2001
From: rojoka
Date: Tue, 12 Apr 2016 22:36:55 +0200
Subject: [PATCH 1/8] Update interfaces-troisdorf5

---
 files/interfaces-troisdorf5 | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/files/interfaces-troisdorf5 b/files/interfaces-troisdorf5
index 37a0421..a384d56 100644
--- a/files/interfaces-troisdorf5
+++ b/files/interfaces-troisdorf5
@@ -15,6 +15,12 @@ iface lo inet6 loopback
 # The primary network interface
 allow-hotplug eth0
 iface eth0 inet dhcp
+ post-up iptables -P OUTPUT ACCEPT
+ post-up iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
+ post-up iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
+ post-up iptables -A OUTPUT -o eth0 -d 169.254.0.0/16 -j DROP
+ post-up iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
+ post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 allow-hotplug eth1
 iface eth1 inet6 static
 address 2a01:4f8:161:62a9::5
@@ -30,7 +36,11 @@ iface gre-bb-a.ak.ber inet static
 address 100.64.2.151
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 5.9.76.198 remote 185.66.195.0 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
 post-down ip tunnel del $IFACE
 
 iface gre-bb-a.ak.ber inet6 static
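Review bot: The five `post-up` rules added under `iface eth0 inet dhcp` have no matching `post-down`, so every hotplug or `ifdown`/`ifup` cycle of eth0 appends a second copy of the four OUTPUT DROP rules and the MASQUERADE rule; the GRE stanzas in this same patch do pair their SNAT rule with a `post-down ... -D`, and this stanza should do the same. `-P OUTPUT ACCEPT` sets a policy and is idempotent, so it needs no counterpart. A `post-down` per appended rule keeps the ruleset identical across interface restarts and keeps doubled rules from showing up in `iptables -S` audits.
```shell
iface eth0 inet dhcp
# … unchanged: post-up rules …
	post-down iptables -D OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
	post-down iptables -D OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
	post-down iptables -D OUTPUT -o eth0 -d 169.254.0.0/16 -j DROP
	post-down iptables -D OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
	post-down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```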
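Review bot: In the `gre-bb-a.ak.ber` stanza only the SNAT rule gets a `post-down ... -D`; the two TCPMSS mangle rules added just above it are appended on every `ifup` and never removed, so restarting the tunnel leaves duplicate clamps behind. Mirror them with `post-down iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312` and the same line for `ip6tables`. The same asymmetry is in the `gre-bb-b.ak.ber`, `gre-bb-a.ix.dus` and `gre-bb-b.ix.dus` hunks that follow. The SNAT source `185.66.193.105` is now a literal repeated in each GRE stanza where the removed startup-script line used `{{ sn_ffrl_IPv4 }}`; since this file is copied rather than templated (the `copy:` task in the last patch of this series), a `# must match sn_ffrl_IPv4 for this host` comment next to the first occurrence would keep the two from drifting.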
@@ -43,7 +53,11 @@ iface gre-bb-b.ak.ber inet static
 address 100.64.2.153
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 5.9.76.198 remote 185.66.195.1 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
 post-down ip tunnel del $IFACE
 
 iface gre-bb-b.ak.ber inet6 static
@@ -57,7 +71,11 @@ iface gre-bb-a.ix.dus inet static
 address 100.64.2.155
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 5.9.76.198 remote 185.66.193.0 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
 post-down ip tunnel del $IFACE
 
 iface gre-bb-a.ix.dus inet6 static
@@ -71,7 +89,11 @@ iface gre-bb-b.ix.dus inet static
 address 100.64.2.157
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 5.9.76.198 remote 185.66.193.1 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
 post-down ip tunnel del $IFACE
 
 iface gre-bb-b.ix.dus inet6 static

From 6bcb6faf61100e96ca546ce5eb714a2d5ff2bd5a Mon Sep 17 00:00:00 2001
From: rojoka
Date: Tue, 12 Apr 2016 22:44:15 +0200
Subject: [PATCH 2/8] Update sn_startup.exit.sh.j2

---
 files/sn_startup.exit.sh.j2 | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/files/sn_startup.exit.sh.j2 b/files/sn_startup.exit.sh.j2
index c5befcc..2c7dd64 100644
--- a/files/sn_startup.exit.sh.j2
+++ b/files/sn_startup.exit.sh.j2
@@ -3,12 +3,6 @@
 curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
 
-# Block RFC1918 and APIPA destination via WAN
-/sbin/iptables -P OUTPUT ACCEPT
-for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
-/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
-done
-
 # Activate IP forwarding
 /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
 /sbin/sysctl -w net.ipv4.ip_forward=1
 
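Review bot: Dropping the RFC1918/APIPA egress filter from this template removes it from every exit host that renders `sn_startup.exit.sh.j2`, while the replacement `post-up` rules in this series exist only in `files/interfaces-troisdorf5`; the playbook copies `interfaces-{{ sn_hostname }}` per host, so any other exit whose interfaces file has not received the same lines silently loses the filter, and after the next hunk of this patch (`@@ -27,16 +21,6 @@`) the eth0 MASQUERADE, GRE SNAT and MSS clamping as well. If the other hosts' files were updated outside this series that is fine, but it is not visible here. A pointer where the block used to be, `# Egress filter, NAT and MSS clamping moved to per-interface post-up hooks in /etc/network/interfaces`, would tell the next maintainer where to look before re-adding it.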
@@ -27,16 +21,6 @@ done
 /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
 /sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
 
-# NAT on eth0
-/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
-# NAT on GRE Freifunk interface
-/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
-
-# MTU
-/sbin/iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
-/sbin/ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
-
 # All from FF IPv4 via routing table 42
 /bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
 /bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42

From 94965e40a57e3776d2fe0c5743d46f448c57ec51 Mon Sep 17 00:00:00 2001
From: rojoka
Date: Tue, 12 Apr 2016 22:45:21 +0200
Subject: [PATCH 3/8] Update logrotate.conf

---
 files/logrotate.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/logrotate.conf b/files/logrotate.conf
index b31a038..c9c8d2a 100644
--- a/files/logrotate.conf
+++ b/files/logrotate.conf
@@ -5,7 +5,7 @@ daily
 # keep 4 weeks worth of backlogs
 #rotate 4
-rotate 0
+rotate 1
 
 # create new (empty) log files after rotating old ones
 create
 

From 788e532e2454817af0f0d36d6e7c8fea559fe653 Mon Sep 17 00:00:00 2001
From: stebifan
Date: Tue, 12 Apr 2016 22:50:38 +0200
Subject: [PATCH 4/8] Delete keepalive.sh

---
 files/keepalive.sh | 51 ----------------------------------------------
 1 file changed, 51 deletions(-)
 delete mode 100644 files/keepalive.sh

diff --git a/files/keepalive.sh b/files/keepalive.sh
deleted file mode 100644
index 19c28dc..0000000
--- a/files/keepalive.sh
+++ /dev/null
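Review bot: `rotate 1` is now contradicted by the comment two lines above it, `# keep 4 weeks worth of backlogs`, which describes the commented-out `rotate 4`. With `daily` rotation this retains a single day of history, which is a short window for reconstructing what happened on an exit node after the fact; if that is intended, make the comment say so, e.g. `# keep one rotation (one day) of backlog`, so the retention choice reads as deliberate rather than a leftover from the old setting.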
@@ -1,51 +0,0 @@
-#!/bin/bash
-# Version 1.6
-# Parameter setzen
-GATEWAY1ext=185.66.193.105
-GATEWAY2ext=185.66.193.106
-GATEWAY1=10.188.255.5
-GATEWAY2=10.188.255.6
-GATEWAY1v6=2a03:2260:121::255:5
-GATEWAY2v6=2a03:2260:121::255:6
-IP=/sbin/ip
-PING=/bin/ping
-BATCTL=/usr/local/sbin/batctl
-
-#if [ "hostname = troisdorf1 | troisdorf2" ]
-if [ $(hostname) = "troisdorf1" ] || [ $(hostname) = "troisdorf2" ]
- then
- DEFAULT_GATEWAY=$GATEWAY1
- DEFAULT_GATEWAYext=$GATEWAY1ext
- FALLBACK_GATEWAY=$GATEWAY2
- FALLBACK_GATEWAYext=$GATEWAY2ext
- DEFAULT_GATEWAYv6=$GATEWAY1v6
- FALLBACK_GATEWAYv6=$GATEWAY2v6
- else
- DEFAULT_GATEWAY=$GATEWAY2
- DEFAULT_GATEWAYext=$GATEWAY2ext
- FALLBACK_GATEWAY=$GATEWAY1
- FALLBACK_GATEWAYext=$GATEWAY1ext
- DEFAULT_GATEWAYv6=$GATEWAY2v6
- FALLBACK_GATEWAYv6=$GATEWAY1v6
-
-fi
-
-if $PING -c 1 $DEFAULT_GATEWAYext
- then
- $IP route replace default via $DEFAULT_GATEWAY table 42
- $IP -6 route replace default via $DEFAULT_GATEWAYv6 table 42
- $BATCTL gw server 100Mbit/100Mbit
- echo "Gateway erreichbar"
- else
- if $PING -c 1 $FALLBACK_GATEWAYext
- then
- $IP route replace default via $FALLBACK_GATEWAY table 42
- $IP -6 route replace default via $FALLBACK_GATEWAYv6 table 42
- $BATCTL gw server 80Mbit/80Mbit
- echo "Nun FALLBACK_GATEWAY"
- else
- $BATCTL gw off
- #Kein Gateway erreichbar, batctl gw off
- fi
-fi
-

From 87eed57ae0e210dd1830c445d4c945cccc3341b1 Mon Sep 17 00:00:00 2001
From: stebifan
Date: Tue, 12 Apr 2016 22:50:51 +0200
Subject: [PATCH 5/8] Delete l2tp_backbone.sh.j2

---
 files/l2tp_backbone.sh.j2 | 55 ---------------------------------------
 1 file changed, 55 deletions(-)
 delete mode 100644 files/l2tp_backbone.sh.j2

diff --git a/files/l2tp_backbone.sh.j2 b/files/l2tp_backbone.sh.j2
deleted file mode 100644
index 82dd19c..0000000
--- a/files/l2tp_backbone.sh.j2
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-# Version 6
-# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
-communityname="troisdorf"
-server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
-#server="troisdorf7 {{ sn_hostname }}"
-domain="freifunk-troisdorf.de"
-mtu={{ sn_mtu }}
-# community MAC address, without the last Byte (:)!
-communitymacaddress="a2:8c:ae:6f:f6"
-tunnelPrefix=10
-sessionPrefix=1
-# Netzwerkteil des Netzes, ohne abschliessenden Punkt
-communitynetwork="10.188"
-# IPv6 network
-#communitynetworkv6="fda0:747e:ab29:7405:255::"
-communitynetworkv6="2a03:2260:121::"
-# Drittes Octet des serverbereichs
-octet3rd="255"
-# CIDR muss /16 sein
-localserver=$(/bin/hostname)
-batadv=/usr/local/sbin/batadv-vis
-batctl=/usr/local/sbin/batctl
-ip=/sbin/ip
-dig=/usr/bin/dig
-
-for i in $server; do
-(
- for j in $server; do
- if [ $i != $j ]; then
- if [ $i = $localserver ]; then
- ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
- ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
- #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
- ip link set dev l2tp-$j mtu $mtu
- ip link set up l2tp-$j
- $batctl if add l2tp-$j
- fi
- fi
- done
-)
-done
-
-# Rest starten
-$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
-#$ip link set address $communitymacaddress:ff dev bat0
-$ip link set up dev bat0
-$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
-$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
-
-/usr/bin/killall batadv-vis
-/bin/sleep 15
-$batadv -i bat0 -s > /dev/null 2>&1 &
-/usr/sbin/service bind9 restart
-/usr/local/sbin/batctl gw server 100Mbit/100Mbit

From c7eace1f66993caa3b43ffdc0b46093e74da8c65 Mon Sep 17 00:00:00 2001
From: stebifan
Date: Tue, 12 Apr 2016 22:51:02 +0200
Subject: [PATCH 6/8] Delete l2tp_backbone_ffswitch.sh.j2

---
 files/l2tp_backbone_ffswitch.sh.j2 | 56 ------------------------------
 1 file changed, 56 deletions(-)
 delete mode 100644 files/l2tp_backbone_ffswitch.sh.j2

diff --git a/files/l2tp_backbone_ffswitch.sh.j2 b/files/l2tp_backbone_ffswitch.sh.j2
deleted file mode 100644
index abb5702..0000000
--- a/files/l2tp_backbone_ffswitch.sh.j2
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/sh
-# Version 5
-# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
-communityname="troisdorf"
-server="troisdorf0 troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
-#server="troisdorf0 {{ sn_hostname }}"
-domain="freifunk-troisdorf.de"
-mtu={{ sn_mtu }}
-# community MAC address, without the last Byte (:)!
-communitymacaddress="a2:8c:ae:6f:f6"
-tunnelPrefix=10
-sessionPrefix=1
-# Netzwerkteil des Netzes, ohne abschliessenden Punkt
-communitynetwork="10.188"
-# IPv6 network
-communitynetworkv6="fda0:747e:ab29:7405:255::"
-# Drittes Octet des serverbereichs
-octet3rd="255"
-# CIDR muss /16 sein
-localserver=$(/bin/hostname)
-batadv=/usr/local/sbin/batadv-vis
-alfred=/usr/local/sbin/alfred
-batctl=/usr/local/sbin/batctl
-ip=/sbin/ip
-dig=/usr/bin/dig
-
-for i in $server; do
-(
- for j in $server; do
- if [ $i != $j ]; then
- if [ $i = $localserver ]; then
- ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
- ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
- #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
- ip link set dev l2tp-$j mtu $mtu
- ip link set up l2tp-$j
- $batctl if add l2tp-$j
- fi
- fi
- done
-)
-done
-
-# Rest starten
-$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
-#$ip link set address $communitymacaddress:ff dev bat0
-$ip link set up dev bat0
-$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
-$ip -6 addr add $communitynetworkv6${localserver#$communityname}/64 dev bat0
-
-/usr/bin/killall alfred
-/usr/bin/killall batadv-vis
-/bin/sleep 5
-$alfred -i bat0 > /dev/null 2>&1 &
-/bin/sleep 15
-$batadv -i bat0 -s > /dev/null 2>&1 &

From 1afaeb92e0731fadcd8d71f9ff898e6dff52f0b2 Mon Sep 17 00:00:00 2001
From: stebifan
Date: Tue, 12 Apr 2016 22:51:16 +0200
Subject: [PATCH 7/8] Delete sn_startup.sh.j2

---
 files/sn_startup.sh.j2 | 74 ------------------------------------------
 1 file changed, 74 deletions(-)
 delete mode 100644 files/sn_startup.sh.j2

diff --git a/files/sn_startup.sh.j2 b/files/sn_startup.sh.j2
deleted file mode 100644
index 276e10e..0000000
--- a/files/sn_startup.sh.j2
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/bin/sh
-# Version 1.7
-
-curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
-
-# Block RFC1918 and APIPA destination via WAN
-/sbin/iptables -P OUTPUT ACCEPT
-for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
-/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
-done
-
-# Activate IP forwarding
-/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
-/sbin/sysctl -w net.ipv4.ip_forward=1
-
-# restart when kernel panic
-/sbin/sysctl kernel.panic=1
-
-# Stop tunneldigger until bat0 is up
-/usr/sbin/service tunneldigger stop
-
-# Routing table 42
-/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
-
-# Set table for traffice with mark 4
-/bin/ip rule add fwmark 0x4 table 42
-/bin/ip -6 rule add fwmark 0x4 table 42
-
-# Set mark 4 to Freifunk traffic
-/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
-/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
-/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
-
-# NAT on eth0
-/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
-# All from FF IPv4 via routing table 42
-/bin/ip rule add from 185.66.193.104/30 lookup 42
-/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42
-
-# Allow MAC address spoofing
-/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
-
-# Create Tunneldigger Bridge
-/sbin/brctl addbr br-nodes
-/sbin/ip link set dev br-nodes up
-/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
-/usr/local/sbin/batctl if add br-nodes
-
-sleep 5
-
-# Fixing the nf_conntrack … dropping packets error
-# hashsize = nf_conntrack_max / 4
-sysctl -w net.netfilter.nf_conntrack_max=131072
-echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
-
-# Against Denial of Service attacks from internal network
-# Check with: sysctl -a | grep conntrack | grep timeout
-sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
-sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
-
-# Start tunneldigger
-/bin/systemctl restart tunneldigger
-/bin/systemctl enable tunneldigger
-
-# radvd restart
-/bin/systemctl restart radvd
-/bin/systemctl enable radvd
-
-# restart DHCP
-/bin/systemctl restart isc-dhcp-server
-/bin/systemctl enable isc-dhcp-server
-
-exit 0

From f514fa532b6be1453dd3127d3e65e000b991d1ac Mon Sep 17 00:00:00 2001
From: Ansible Admin
Date: Tue, 12 Apr 2016 23:16:15 +0200
Subject: [PATCH 8/8] Alfred removed

---
 install.sn.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/install.sn.yml b/install.sn.yml
index e4389dc..61b525a 100644
--- a/install.sn.yml
+++ b/install.sn.yml
@@ -9,7 +9,7 @@
 user: root
 gather_facts: False
 vars:
- snversion: master_v3.0.4
+ snversion: master_v3.0.7
 batmanversion: v2015.2
 common_required_packages:
 - git
@@ -252,10 +252,6 @@
 template: src=./files/named.conf.options.j2 dest=/etc/bind/named.conf.options owner=root group=bind mode=644
 - name: Copy radvd config template
 template: src=./files/radvd.conf.j2 dest=/etc/radvd.conf owner=radvd group=root mode=0444
- - name: Alfed message
- template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544
- - name: Add cron job with alfred info script
- cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root"
 - name: Interface configuration with ffrl gre tunnel
 copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544
 when: sn_exit is defined
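Review bot: Removing the `Add cron job with alfred info script` task does not remove the `alfred_info` cron entry or `/opt/freifunk/alfred.sh` from hosts that were already provisioned with the previous playbook; Ansible only reconciles what it is told about, so the job keeps running as root on those hosts with nothing in the playbook describing it any more. A pair of cleanup tasks with `state=absent` makes the removal take effect on existing hosts, and they can be dropped once every host has been re-run.
```yaml
      - name: Remove alfred info cron job
        cron: name=alfred_info user="root" state=absent
      - name: Remove alfred info script
        file: path=/opt/freifunk/alfred.sh state=absent
```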