diff options
Diffstat (limited to 'd10-nuc-as-soho-router.sh')
-rwxr-xr-x | d10-nuc-as-soho-router.sh | 216 |
1 files changed, 216 insertions, 0 deletions
diff --git a/d10-nuc-as-soho-router.sh b/d10-nuc-as-soho-router.sh new file mode 100755 index 0000000..549cab5 --- /dev/null +++ b/d10-nuc-as-soho-router.sh @@ -0,0 +1,216 @@ +#!/bin/bash +# Successfully used on Intel NUC 7CJYH and Debian 10 to replace a +# Bouygues BBox for French FFTH with external fiber-to-RJ45 module (ONT) + +# Edit the following configuration constants to fit your environment +# If you want eth0, eth1... names, set GRUB_CMDLINE_LINUX="net.ifnames=0" +# in /etc/default/grub then run update-grub && reboot before running this script. +# +# For RT_WAN_MAC snif original box mac address by plugging box WAN port +# to a linux computer and with something like "sudo tcpdump -nei eno1 udp". +# It happened to work for me with a fake ac:3b:77:01:02:03. + +DHCPD_DNSLIST="80.67.169.12,91.224.149.254" # FDN and TTN recursive open-dns +DHCPD_RANGE="192.168.42.10 192.168.42.254" # Choose min/max IP within RT_LAN_IP/RT_LAN_MASK +PKGS="isc-dhcp-server ssh vlan" +RT_LAN_IFACE=eth0 # I prefer disabling interface renaming, "stable names" are painful for me +RT_LAN_IP=192.168.42.1 +RT_LAN_MASK=255.255.255.0 +RT_LAN_NET=192.168.42.0 +RT_WAN_IFACE=eth1 # eth1 is my USB network adapter. I don't want Intel NIC on WAN (security). +RT_WAN_MAC=ac:3b:77:01:02:03 +RT_WAN_VLAN=100 # Always 100 on Bouygues FTTH network +#SSH_KEY="ssh-rsa AAAA...................ffsU5 lpouzenc@lud-hp1" # no carriage return allowed at all here + +ccommand=`tput setaf 3` +ccomment=`tput setaf 6` +crst=`tput sgr0` + +overwrite() { + echo "${ccommand}editor $1${crst}" + cat > $1 +} + +trace() { + echo "${ccommand}$@${crst}" + "$@" +} + +info() { + echo "${ccomment}# $@${crst}" +} + +codename=$(sed -ne 's/^VERSION_CODENAME=//p' /etc/os-release) +if [[ "buster" != "$codename" ]]; then + read -p "Warning: this script has only be tested on Debian Buster. Enter to continue anyway or Ctrl+C to cancel " unused +fi + +set -e + +info "apt: install needed packages to have a complete SOHO router" +trace apt update +trace apt install -y $PKGS + +info "ssh: will potentially listen on WAN port, disable Password Authentification" +trace sed --in-place \ + -e 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/'\ + /etc/ssh/sshd_config +trace mkdir -p /root/.ssh +[ -n "$SSH_KEY" ] && echo $SSH_KEY | overwrite /root/.ssh/authorized_keys +trace systemctl reload ssh + +info "systemd: please don't block for ages, this hardware have normal IO delays" +trace sed --in-place \ + -e 's/^#\?DefaultTimeoutStartSec=.*/DefaultTimeoutStartSec=5s/' \ + -e 's/^#\?DefaultTimeoutStopSec=.*/DefaultTimeoutStopSec=5s/' \ + /etc/systemd/{system,user}.conf +trace mkdir -p /etc/systemd/system/networking.service.d +overwrite /etc/systemd/system/networking.service.d/override.conf <<EOT +[Service] +TimeoutStartSec=20s +EOT + +info "ifupdown: start firewall then routing at boot, configure ifaces' IP" +info " Humans should use iptables-apply and ip6tables-apply commands" +overwrite /etc/network/interfaces <<EOT +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + up iptables-restore /etc/network/iptables.up.rules + up sysctl -w net.ipv4.ip_forward=1 + up sysctl -w net.ipv4.conf.all.accept_redirects=0 + up ip6tables-restore /etc/network/ip6tables.up.rules + up sysctl -w net.ipv6.conf.all.forwarding=1 + up sysctl -w net.ipv6.conf.all.autoconf=0 + up sysctl -w net.ipv6.conf.all.accept_ra=0 + up sysctl -w net.ipv6.conf.default.autoconf=0 + up sysctl -w net.ipv6.conf.default.accept_ra=0 + +auto eth0 +iface eth0 inet static + address $RT_LAN_IP + netmask $RT_LAN_MASK + +allow-hotplug $RT_WAN_IFACE +iface $RT_WAN_IFACE inet manual + pre-up ip link set $RT_WAN_IFACE address $RT_WAN_MAC + +allow-hotplug $RT_WAN_IFACE.$RT_WAN_VLAN +iface $RT_WAN_IFACE.$RT_WAN_VLAN inet dhcp +EOT + +info "iptables: I left here my rules" +info " drop by default what came from WAN + self-hosting on my NUC + BitTorrent redirect to a host" +info " network doesn't provide IPv6 yet here, ip6tables should be okay but untested" +info " iptables-save and ip6tables-save commands generate this exact file format" +overwrite /etc/network/iptables.up.rules <<EOT +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:ICMP4 - [0:0] +:LOGDROP - [0:0] +:LOGACCEPT - [0:0] +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p icmp -j ICMP4 +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 22 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 25 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 80 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 443 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -j DROP +-A INPUT -i $RT_WAN_IFACE -j LOGDROP +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -p icmp -j ICMP4 +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate DNAT -j LOGACCEPT +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -j LOGDROP +-A FORWARD -i $RT_WAN_IFACE -j LOGDROP +-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 0 -j ACCEPT +-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 3 -j ACCEPT +-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 8 -j ACCEPT +-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 11 -j ACCEPT +-A ICMP4 -m limit --limit 1/sec -j LOG --log-prefix "ICMP4-RATELIMIT " +-A ICMP4 -j DROP +-A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "LOGDROP " +-A LOGDROP -j DROP +-A LOGACCEPT -m limit --limit 1/sec -j LOG --log-prefix "LOGACCEPT " +-A LOGACCEPT -j ACCEPT +COMMIT +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A PREROUTING -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.42.10:51413 +-A PREROUTING -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 51413 -j DNAT --to-destination 192.168.42.10:51413 +-A POSTROUTING -o $RT_WAN_IFACE.$RT_WAN_VLAN -j MASQUERADE +COMMIT +EOT + +overwrite /etc/network/ip6tables.up.rules <<EOT +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:ICMP6 - [0:0] +:LOGDROP - [0:0] +:LOGACCEPT - [0:0] +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p ipv6-icmp -j ICMP6 +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 22 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 25 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 80 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 443 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -j DROP +-A INPUT -i $RT_WAN_IFACE -j LOGDROP +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -p ipv6-icmp -j ICMP6 +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP +# Put custom IPv6 WAN to LAN forward rules here +-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -j LOGDROP +-A FORWARD -i $RT_WAN_IFACE -j LOGDROP +-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 1 -j ACCEPT +-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 2 -j ACCEPT +-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 3 -j ACCEPT +-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 4 -j ACCEPT +-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 128 -j ACCEPT +-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 129 -j ACCEPT +# ICMP rules allowing for NDP or RA from the ISP are probably missing here (untested) +-A ICMP6 -m limit --limit 1/sec -j LOG --log-prefix "ICMP6-RATELIMIT " +-A ICMP6 -j DROP +-A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "LOGDROP " +-A LOGDROP -j DROP +-A LOGACCEPT -m limit --limit 1/sec -j LOG --log-prefix "LOGACCEPT " +-A LOGACCEPT -j ACCEPT +COMMIT +EOT + +info "dhcp: upstream files are full pages of comments, not very usefull in this basic case" +overwrite /etc/dhcp/dhclient.conf <<EOT +send vendor-class-identifier "BYGTELIAD"; +request subnet-mask, broadcast-address, routers, domain-name-servers; +EOT + +overwrite /etc/dhcp/dhcpd.conf <<EOT +option domain-name-servers $DHCPD_DNSLIST; +default-lease-time 600; +max-lease-time 7200; +ddns-update-style none; +authoritative; +subnet $RT_LAN_NET netmask $RT_LAN_MASK { + range $DHCPD_RANGE; + option routers $RT_LAN_IP; +} +EOT + +info "Please review modified files and reboot with a screen attached to see if it is going ok" +info "You should tweak BIOS to have no 'Press F1 to continue' on POST errors and Power On when AC come back" +info "Test hard power cutoff and check if everything came back online without interaction after that" |