Add internal routing

Add supernode specific MAC to bridge
Add persistent netfilter rules

files/interfaces-troisdorf5

@@ -15,6 +15,8 @@ iface lo inet6 loopback
 # The primary network interface
 allow-hotplug eth0
 iface eth0 inet dhcp
+	post-up ip route add 185.66.193.106/32 via 10.188.255.6 table 42
+	post-up ip route add 185.66.193.106/32 via 10.188.255.6
 allow-hotplug eth1
 iface eth1 inet6 static
         address 2a01:4f8:161:62a9::5

files/interfaces-troisdorf6

@@ -20,6 +20,8 @@ iface eth0 inet static
         netmask 255.255.255.192
         gateway 46.4.138.129
         dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
+	post-up ip route add 185.66.193.105/32 via 10.188.255.5 table 42
+	post-up ip route add 185.66.193.105/32 via 10.188.255.5
 
 iface eth0 inet6 static
         address 2a01:4f8:11d:600::189

files/sn_startup.exit.sh.j2

@@ -1,5 +1,5 @@
 #!/bin/sh
-# Version 1.7
+# Version 1.9
 
 curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
 
@@ -25,14 +25,12 @@ done
 
 # Set mark 4 to Freifunk traffic
 /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
-#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
 /sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
 
 # NAT on eth0
 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
 # NAT on GRE Freifunk interface
-#/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source 185.66.193.105
 /sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
 
 # MTU
@@ -48,36 +46,12 @@ done
 
 # Create Tunneldigger Bridge
 /sbin/brctl addbr br-nodes
-/sbin/ip link set dev br-nodes up
+/sbin/ip link set dev br-nodes up address 2E:9D:FA:A1:6B:0{{ sn_number }}
 /sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
 /usr/local/sbin/batctl if add br-nodes
 
 sleep 5
 
-# Fixing the nf_conntrack … dropping packets error
-# hashsize = nf_conntrack_max / 4
-sysctl -w net.netfilter.nf_conntrack_max=262144
-echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
-
-# Against Denial of Service attacks from internal network
-# Check with: sysctl -a | grep conntrack | grep timeout
-sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
-sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
-
-# restart bird
-#/bin/systemctl start bird
-#/bin/systemctl start bird6
-#/bin/systemctl enable bird
-#/bin/systemctl enable bird6
-
-# Start tunneldigger
-#/bin/systemctl restart tunneldigger
-#/bin/systemctl enable tunneldigger
-
-# radvd restart
-#/bin/systemctl restart radvd
-#/bin/systemctl enable radvd
-
 #Stop all Services - Started from keepalive.sh
 /bin/systemctl stop radvd
 /bin/systemctl stop tunneldigger

install.sn.yml

@@ -9,7 +9,7 @@
   user: root
   gather_facts: False
   vars:
-    snversion: master_v3.0.1
+    snversion: master_v3.0.3
     batmanversion: v2015.2
     common_required_packages:
       - git
@@ -277,6 +277,13 @@
     - name: Bird configuration
       copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444
       when: sn_exit is defined
+    - name: set netfilter rules
+      lineinfile: dest=/etc/sysctl.conf line={{ item }}
+      with_items:
+                  - "net.ipv4.netfilter.ip_conntrack_generic_timeout = 240"
+                  - "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000"
+                  - "net.netfilter.nf_conntrack_max = 262144"
+    - lineinfile: dest=/etc/modprobe.conf line="options ip_conntrack hashsize=65536"
     - name: Reboot the server finally
       shell: sleep 2 && shutdown -r now "Ansible updates triggered"
       async: 1