Script things out, fix ipv6?

2023-07-17 18:09:47 +00:00 · 2023-07-17 18:09:47 +00:00 · a4e7534403
commit a4e7534403
parent 6674150b7c
10 changed files with 131 additions and 114 deletions
--- a/dhcpcd.conf
+++ b/dhcpcd.conf
@ -12,17 +12,18 @@ require dhcp_server_identifier
 slaac private
 noipv4ll
 noipv6rs
-waitip 6
+
 static domain_name_servers=10.0.0.1 1.1.1.1 1.0.0.1
 interface wan0
 	gateway
 	ipv6rs
 	iaid 1
-	option rapid_commit
+	# option rapid_commit
-	ia_na 1
+	# ia_na 1
 	ia_pd 1 lan0
 interface lan0
 	static ip_address=10.0.0.1/8
 	static routers=10.0.0.1
-	static domain_name_servers=1.1.1.1 1.0.0.1
+	static domain_name_servers=10.0.0.1 1.1.1.1 1.0.0.1
--- a/dnsmasq.conf
+++ b/dnsmasq.conf
@ -11,6 +11,7 @@ dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
 local=/h.lyte.dev/
 dhcp-host=dragon,10.0.0.10,12h
 dhcp-host=beefcake,10.0.0.9,12h
 dhcp-host=chromebox,10.0.0.5,12h
 dhcp-host=mnemonic,10.0.0.248,ea:1b:7a:fb:8b:b8,12h
 # dhcp-host=frontdoorcam,10.0.0.89,9c:8e:cd:2b:71:e9,120m
@ -18,6 +19,8 @@ dhcp-host=mnemonic,10.0.0.248,ea:1b:7a:fb:8b:b8,12h
 address=/video.lyte.dev/10.0.0.5
 address=/git.lyte.dev/10.0.0.5
 address=/bw.lyte.dev/10.0.0.5
 address=/files.lyte.dev/10.0.0.5
 address=/vpn.h.lyte.dev/10.0.0.9
 address=/.h.lyte.dev/10.0.0.5
 dhcp-host=AMC058BA_A75F1E,10.0.0.150,12h
@ -26,14 +29,15 @@ dhcp-host=AMC0587F_A2969A,10.0.0.151,12h
 # dhcp-host=kubeworker3,d0:50:99:26:89:86,ourcraft,10.0.0.244,120m
 # address=/dragon.h.lyte.dev/10.0.0.10
-# address=/git.lyte.dev/10.0.0.5
+address=/git.lyte.dev/10.0.0.5
-# address=/h.lyte.dev/10.0.0.5
+address=/h.lyte.dev/10.0.0.5
-# address=/a.lyte.dev/10.0.0.5
+address=/a.lyte.dev/10.0.0.5
-# address=/bw.lyte.dev/10.0.0.5
+address=/bw.lyte.dev/10.0.0.5
-# address=/files.lyte.dev/10.0.0.5
+address=/files.lyte.dev/10.0.0.5
 # address=/grafana.h.lyte.dev/10.0.0.5
 # address=/ourcraft.lyte.dev/10.0.0.244
 server=10.0.0.1
 server=1.1.1.1
 server=1.0.0.1
--- a/46
+++ b/46
@ -1,44 +1,14 @@
 # Static table lookup for hostnames.
 # See hosts(5) for details.
 # WARNING: Do not edit this file at /etc/hosts
 # You must edit it from the router configuration repository and re-run the
 # `link.fish` script! If you do otherwise, your changes will be overridden.
 127.0.0.1 localhost
-::1 localhost
+127.0.1.1 router.h.lyte.dev router
 # 127.0.1.1 router.h.lyte.dev router
-# 10.0.0.1 router.h.lyte.dev router
+::1 localhost ip6-localhost ip6-loopback
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
-10.0.0.1 vpn.h.lyte.dev
+10.0.0.5 git.lyte.dev
-
+10.0.0.5 video.lyte.dev
-10.0.0.10 dragon.h.lyte.dev
+10.0.0.5 files.lyte.dev
-
+10.0.0.5 bw.lyte.dev
 10.0.0.210 git.lyte.dev
 10.0.0.210 a.lyte.dev
 10.0.0.210 h.lyte.dev
 10.0.0.210 chat.lyte.dev
 10.0.0.210 matrix.lyte.dev
 10.0.0.210 bw.lyte.dev
 10.0.0.210 files.lyte.dev
 10.0.0.210 files.h.lyte.dev
 10.0.0.210 grafana.lyte.dev
 10.0.0.210 grafana.h.lyte.dev
 10.0.0.210 faceless.h.lyte.dev
 10.0.0.210 video.h.lyte.dev
 10.0.0.210 video.lyte.dev
 10.0.0.81 kube-cluster.home.lyte.dev
 10.0.0.138 kube-cluster.home.lyte.dev
 10.0.0.244 kube-cluster.home.lyte.dev
 # 10.0.0.81 kube-cluster.home.lyte.dev
 10.0.0.210 dmf.me
 10.0.0.210 greenroof.house
 10.0.0.210 ranch-talk.h.lyte.dev
 10.0.0.138 ourcraft.lyte.dev
 10.0.0.244 factorio.lyte.dev
--- a/firewall-edit.bash
+++ b/firewall-edit.bash
@ -8,7 +8,7 @@ t="/tmp/nftables.conf"
 # we don't care about existing rules - just use ours, thanks
 # sudo nft -s list ruleset >> "$f"
-sudo -E nvim "$my_config"
+sudo -E $EDITOR "$my_config"
 cat "$my_config"
 echo "Do you want to load this config? [y/N]"
 read -r l
--- a/install.sh
+++ b/install.sh
@ -1,4 +0,0 @@
 #!/usr/bin/env sh
 # install base packages from dotfiles first
 pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd
--- a/link.fish
+++ b/link.fish
@ -1,37 +0,0 @@
 #!/usr/bin/env fish
 if test (id -u) -ne 0
 	echo "must run as root" 
 	exit 1
 end
 function relink
 	rm -f $argv[2]
 	ezln $argv[1] $argv[2]
 end
 function recopy
 	rm -f $argv[2]
 	cp $argv[1] $argv[2]
 end
 # DNS, DHCP, prefix delegation
 recopy dnsmasq.conf /etc/dnsmasq.conf
 # let dnsmasq handle DNS
 recopy resolved.conf /etc/systemd/resolved.conf
 # sysctl flags we need for forwarding and accepting IPv6 router advertisements
 recopy ./sysctl-configs /etc/sysctl.d/10-router-configs.conf
 # enable systemd-networkd to setup network interfaces with useful names
 recopy lan0.link /etc/systemd/network/10-lan0.link
 recopy wan0.link /etc/systemd/network/10-wan0.link
 # dhcp client configuration
 recopy dhcpcd.conf /etc/dhcpcd.conf
 # hosts file
 # recopy ./etc-hosts /etc/hblock/header
 # recopy ./etc-hosts /etc/hosts
 # hblock # temporary disable hblock because Val loves ads
--- a/78
+++ b/78
@ -0,0 +1,78 @@
 # TODO: some kind of automatic (without confirmation) rollback setup?
 .PHONY: default
 default: copy-configuration-files restart-services
 .PHONY: setup
 setup: system-dependencies /root/router.wg-pub enable-and-start-services mkinitcpio
 .PHONY: mkinitcpio
 mkinitcpio:
 	mkinitcpio -p linux
 .PHONY: system-dependencies
 system-dependencies:
 	pacman -Sy --needed archlinux-keyring # get latest keys
 	pacman -Syu # update everything
 	pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd wireguard-tools # install anything needed
 .PHONY: restart-services
 restart-services:
 	systemctl restart nftables
 	systemctl restart systemd-sysctl
 	systemctl restart systemd-networkd
 	systemctl restart dnsmasq
 	systemctl restart systemd-resolved
 	systemctl restart dhcpcd@lan0
 	systemctl restart dhcpcd@wan0
 .PHONY: enable-and-start-services
 enable-and-start-services:
 	systemctl enable --now nftables
 	systemctl enable --now systemd-sysctl
 	systemctl enable --now systemd-networkd
 	systemctl enable --now dnsmasq
 	systemctl enable --now systemd-resolved
 	systemctl enable --now dhcpcd@lan0
 	systemctl enable --now dhcpcd@wan0
 .PHONY: copy-configuration-files
 copy-configuration-files: /etc/dnsmasq.conf /etc/systemd/resolved.conf /etc/sysctl.d/10-router-configs.conf /etc/systemd/network/10-lan0.link /etc/systemd/network/10-wan0.link /etc/dhcpcd.conf /etc/hosts
 /root/router.wg-key:
 	umask 0077 && wg genkey > $@
 /root/router.wg-pub: /root/router.wg-key
 	umask 0077 && cat $^ wg genkey > $@
 /etc/dnsmasq.conf: dnsmasq.conf
 	rm -f $@
 	cp $^ $@
 /etc/systemd/resolved.conf: resolved.conf 
 	rm -f $@
 	cp $^ $@
 /etc/sysctl.d/10-router-configs.conf: sysctl-configs
 	rm -f $@
 	cp $^ $@
 /etc/systemd/network/10-lan0.link: lan0.link
 	rm -f $@
 	cp $^ $@
 /etc/systemd/network/10-wan0.link: wan0.link 
 	rm -f $@
 	cp $^ $@
 /etc/dhcpcd.conf: dhcpcd.conf 
 	rm -f $@
 	cp $^ $@
 /etc/hosts: ./etc-hosts 
 	rm -f $@
 	cp $^ $@
 /etc/nftables.conf: nftables.conf
 	rm -f $@
 	cp $^ $@
--- a/nftables.conf
+++ b/nftables.conf
@ -13,8 +13,8 @@ table inet filter {
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
 		# do these need ipv6-specific entries, too?
-		tcp dport { 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
+		tcp dport { 64022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
-		udp dport { 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
+		udp dport { 64020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
 		udp dport { 60000-60009 } accept
 		udp dport dhcpv6-client accept
 		drop
@ -48,18 +48,26 @@ table ip nat {
 		fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
 		# chromebox
-		iifname $WAN tcp dport { 443, 80, 22, 8008, 8448 } dnat to 10.0.0.5
+		iifname $WAN tcp dport { 443, 80, 22, 8008, 8448, 7777 } dnat to 10.0.0.5
 		iifname $WAN udp dport { 7777 } dnat to 10.0.0.5
 		iifname $WAN udp dport 60010-60019 dnat to 10.0.0.5
-		# dragon
+		# old dragon?
 		# iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
 		# iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
 		iifname $WAN tcp dport { 10578, 5588, 5589 } dnat to 10.0.0.11
 		iifname $WAN udp dport { 10578 } dnat to 10.0.0.11
 		# dragon reinstall?
 		iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
 		iifname $WAN udp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
 		iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
-		iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10
+		# iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10 # valheim
 		# beefcake (ben access)
 		iifname $WAN tcp dport { 64022 } dnat to 10.0.0.9
 		iifname $WAN udp dport { 64020 } dnat to 10.0.0.9
 		# mnemonic
 		iifname $WAN tcp dport { 8022 } dnat to 10.0.0.248
@ -67,6 +75,10 @@ table ip nat {
 		# ourcraft
 		iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
 		iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
 		# router
 		iifname $WAN tcp dport { 2201 } dnat to 10.0.0.1
 		iifname $WAN udp dport { 2201 } dnat to 10.0.0.1
 	}
 	chain output {
--- a/readme.md
+++ b/readme.md
@ -1,26 +1,20 @@
 # Router
-Yeah yeah I need to document this better.
+
 My little dual-NIC Arch Linux router configuration and scripts.
 # Setup
-With a fresh Arch Linux system:
+```bash
 make setup
 reboot
 ```
- Install needed packages via `./install.sh`
+# Update System to Match This Configuration
- Run `./link.fish` script
+
- Enable and restart the following services:
+```bash
-	- `nftables`
+make
-	- `systemd-sysctl`
+```
 	- `systemd-resolved`
 	- `systemd-networkd`
 	- `dnsmasq`
 	- `dhcpcd@lan0`
 	- `dhcpcd@wan0`
 - Run `mkinitcpio -p linux`
 - Add any needed hosts to `/etc/hosts`
 	- May be use dnsmasq's `addn-hosts` directive and copy a file from this repo
 - Reboot
 # TODO:
- Script this whole thing? NixOS/declarative?
+- NixOS/declarative?
 - `link.fish` could just write to these files instead of copying them?
--- a/3
+++ b/3
@ -1,4 +1,3 @@
 net.ipv4.ip_forward=1
 net.ipv6.conf.all.forwarding=1
-net.ipv6.conf.wan0.accept_ra=2
+net.ipv6.conf.wan0.accept_ra=2