87 lines
2.9 KiB
Django/Jinja
87 lines
2.9 KiB
Django/Jinja
#!/bin/sh
|
|
# Version 1.7
|
|
|
|
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
|
|
|
|
# Block RFC1918 and APIPA destination via WAN
|
|
/sbin/iptables -P OUTPUT ACCEPT
|
|
for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
|
|
/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
|
|
done
|
|
|
|
# Activate IP forwarding
|
|
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
|
|
/sbin/sysctl -w net.ipv4.ip_forward=1
|
|
|
|
# restart when kernel panic
|
|
/sbin/sysctl kernel.panic=1
|
|
|
|
# Routing table 42
|
|
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
|
|
|
|
# Set table for traffice with mark 4
|
|
/bin/ip rule add fwmark 0x4 table 42
|
|
/bin/ip -6 rule add fwmark 0x4 table 42
|
|
|
|
# Set mark 4 to Freifunk traffic
|
|
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
|
|
#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
|
|
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
|
|
|
|
# NAT on eth0
|
|
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
|
|
# NAT on GRE Freifunk interface
|
|
#/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source 185.66.193.105
|
|
/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
|
|
|
|
# MTU
|
|
/sbin/iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
|
|
/sbin/ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
|
|
|
|
# All from FF IPv4 via routing table 42
|
|
/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
|
|
/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42
|
|
|
|
# Allow MAC address spoofing
|
|
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
|
|
|
|
# Create Tunneldigger Bridge
|
|
/sbin/brctl addbr br-nodes
|
|
/sbin/ip link set dev br-nodes up
|
|
/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
|
|
/usr/local/sbin/batctl if add br-nodes
|
|
|
|
sleep 5
|
|
|
|
# Fixing the nf_conntrack … dropping packets error
|
|
# hashsize = nf_conntrack_max / 4
|
|
sysctl -w net.netfilter.nf_conntrack_max=262144
|
|
echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
|
|
|
|
# Against Denial of Service attacks from internal network
|
|
# Check with: sysctl -a | grep conntrack | grep timeout
|
|
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
|
|
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
|
|
|
|
# restart bird
|
|
#/bin/systemctl start bird
|
|
#/bin/systemctl start bird6
|
|
#/bin/systemctl enable bird
|
|
#/bin/systemctl enable bird6
|
|
|
|
# Start tunneldigger
|
|
#/bin/systemctl restart tunneldigger
|
|
#/bin/systemctl enable tunneldigger
|
|
|
|
# radvd restart
|
|
#/bin/systemctl restart radvd
|
|
#/bin/systemctl enable radvd
|
|
|
|
#Stop all Services - Started from keepalive.sh
|
|
/bin/systemctl stop radvd
|
|
/bin/systemctl stop tunneldigger
|
|
/bin/systemctl stop bird
|
|
/bin/systemctl stop bird6
|
|
exit 0
|