Add internal routing

Add supernode specific MAC to bridge
Add persistent netfilter rules
This commit is contained in:
Ansible Admin 2016-03-06 01:55:12 +01:00
parent 25a0dfb812
commit d6dde73fff
4 changed files with 14 additions and 29 deletions

View File

@ -15,6 +15,8 @@ iface lo inet6 loopback
# The primary network interface # The primary network interface
allow-hotplug eth0 allow-hotplug eth0
iface eth0 inet dhcp iface eth0 inet dhcp
post-up ip route add 185.66.193.106/32 via 10.188.255.6 table 42
post-up ip route add 185.66.193.106/32 via 10.188.255.6
allow-hotplug eth1 allow-hotplug eth1
iface eth1 inet6 static iface eth1 inet6 static
address 2a01:4f8:161:62a9::5 address 2a01:4f8:161:62a9::5

View File

@ -20,6 +20,8 @@ iface eth0 inet static
netmask 255.255.255.192 netmask 255.255.255.192
gateway 46.4.138.129 gateway 46.4.138.129
dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98 dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
post-up ip route add 185.66.193.105/32 via 10.188.255.5 table 42
post-up ip route add 185.66.193.105/32 via 10.188.255.5
iface eth0 inet6 static iface eth0 inet6 static
address 2a01:4f8:11d:600::189 address 2a01:4f8:11d:600::189

View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Version 1.7 # Version 1.9
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }} curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
@ -25,14 +25,12 @@ done
# Set mark 4 to Freifunk traffic # Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4 /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4 /sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
# NAT on eth0 # NAT on eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# NAT on GRE Freifunk interface # NAT on GRE Freifunk interface
#/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source 185.66.193.105
/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }} /sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
# MTU # MTU
@ -48,36 +46,12 @@ done
# Create Tunneldigger Bridge # Create Tunneldigger Bridge
/sbin/brctl addbr br-nodes /sbin/brctl addbr br-nodes
/sbin/ip link set dev br-nodes up /sbin/ip link set dev br-nodes up address 2E:9D:FA:A1:6B:0{{ sn_number }}
/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP /sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
/usr/local/sbin/batctl if add br-nodes /usr/local/sbin/batctl if add br-nodes
sleep 5 sleep 5
# Fixing the nf_conntrack … dropping packets error
# hashsize = nf_conntrack_max / 4
sysctl -w net.netfilter.nf_conntrack_max=262144
echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
# Against Denial of Service attacks from internal network
# Check with: sysctl -a | grep conntrack | grep timeout
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
# restart bird
#/bin/systemctl start bird
#/bin/systemctl start bird6
#/bin/systemctl enable bird
#/bin/systemctl enable bird6
# Start tunneldigger
#/bin/systemctl restart tunneldigger
#/bin/systemctl enable tunneldigger
# radvd restart
#/bin/systemctl restart radvd
#/bin/systemctl enable radvd
#Stop all Services - Started from keepalive.sh #Stop all Services - Started from keepalive.sh
/bin/systemctl stop radvd /bin/systemctl stop radvd
/bin/systemctl stop tunneldigger /bin/systemctl stop tunneldigger

View File

@ -9,7 +9,7 @@
user: root user: root
gather_facts: False gather_facts: False
vars: vars:
snversion: master_v3.0.1 snversion: master_v3.0.3
batmanversion: v2015.2 batmanversion: v2015.2
common_required_packages: common_required_packages:
- git - git
@ -277,6 +277,13 @@
- name: Bird configuration - name: Bird configuration
copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444 copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444
when: sn_exit is defined when: sn_exit is defined
- name: set netfilter rules
lineinfile: dest=/etc/sysctl.conf line={{ item }}
with_items:
- "net.ipv4.netfilter.ip_conntrack_generic_timeout = 240"
- "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000"
- "net.netfilter.nf_conntrack_max = 262144"
- lineinfile: dest=/etc/modprobe.conf line="options ip_conntrack hashsize=65536"
- name: Reboot the server finally - name: Reboot the server finally
shell: sleep 2 && shutdown -r now "Ansible updates triggered" shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1 async: 1