Script things out, fix ipv6?
parent
6674150b7c
commit
a4e7534403
@ -12,17 +12,18 @@ require dhcp_server_identifier
|
|||
slaac private
|
||||
noipv4ll
|
||||
noipv6rs
|
||||
waitip 6
|
||||
|
||||
static domain_name_servers=10.0.0.1 1.1.1.1 1.0.0.1
|
||||
|
||||
interface wan0
|
||||
gateway
|
||||
ipv6rs
|
||||
iaid 1
|
||||
option rapid_commit
|
||||
ia_na 1
|
||||
# option rapid_commit
|
||||
# ia_na 1
|
||||
ia_pd 1 lan0
|
||||
|
||||
interface lan0
|
||||
static ip_address=10.0.0.1/8
|
||||
static routers=10.0.0.1
|
||||
static domain_name_servers=1.1.1.1 1.0.0.1
|
||||
static domain_name_servers=10.0.0.1 1.1.1.1 1.0.0.1
|
||||
|
|
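Review bot: The `static domain_name_servers=10.0.0.1 1.1.1.1 1.0.0.1` lines (the global one and the one under `interface lan0`) give the router's own resolver a mix of the local dnsmasq and public servers, and the makefile in this commit enables systemd-resolved, which fails over between a link's servers rather than always preferring the first — so a hiccup in dnsmasq would quietly send `*.h.lyte.dev` lookups (the names this commit adds as `address=` entries) to Cloudflare, where they fail or leak. If the intent is that the router resolves through dnsmasq and dnsmasq forwards upstream, the public servers belong only in dnsmasq.conf's `server=` lines and these become `static domain_name_servers=10.0.0.1`. Whether dhcpcd's resolv.conf output actually reaches resolved depends on its resolvconf hook setup, which this hunk does not show, so worth confirming on the box.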
14
dnsmasq.conf
14
dnsmasq.conf
|
@ -11,6 +11,7 @@ dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
|
|||
local=/h.lyte.dev/
|
||||
|
||||
dhcp-host=dragon,10.0.0.10,12h
|
||||
dhcp-host=beefcake,10.0.0.9,12h
|
||||
dhcp-host=chromebox,10.0.0.5,12h
|
||||
dhcp-host=mnemonic,10.0.0.248,ea:1b:7a:fb:8b:b8,12h
|
||||
# dhcp-host=frontdoorcam,10.0.0.89,9c:8e:cd:2b:71:e9,120m
|
||||
|
@ -18,6 +19,8 @@ dhcp-host=mnemonic,10.0.0.248,ea:1b:7a:fb:8b:b8,12h
|
|||
address=/video.lyte.dev/10.0.0.5
|
||||
address=/git.lyte.dev/10.0.0.5
|
||||
address=/bw.lyte.dev/10.0.0.5
|
||||
address=/files.lyte.dev/10.0.0.5
|
||||
address=/vpn.h.lyte.dev/10.0.0.9
|
||||
address=/.h.lyte.dev/10.0.0.5
|
||||
|
||||
dhcp-host=AMC058BA_A75F1E,10.0.0.150,12h
|
||||
|
@ -26,14 +29,15 @@ dhcp-host=AMC0587F_A2969A,10.0.0.151,12h
|
|||
# dhcp-host=kubeworker3,d0:50:99:26:89:86,ourcraft,10.0.0.244,120m
|
||||
|
||||
# address=/dragon.h.lyte.dev/10.0.0.10
|
||||
# address=/git.lyte.dev/10.0.0.5
|
||||
# address=/h.lyte.dev/10.0.0.5
|
||||
# address=/a.lyte.dev/10.0.0.5
|
||||
# address=/bw.lyte.dev/10.0.0.5
|
||||
# address=/files.lyte.dev/10.0.0.5
|
||||
address=/git.lyte.dev/10.0.0.5
|
||||
address=/h.lyte.dev/10.0.0.5
|
||||
address=/a.lyte.dev/10.0.0.5
|
||||
address=/bw.lyte.dev/10.0.0.5
|
||||
address=/files.lyte.dev/10.0.0.5
|
||||
# address=/grafana.h.lyte.dev/10.0.0.5
|
||||
# address=/ourcraft.lyte.dev/10.0.0.244
|
||||
|
||||
server=10.0.0.1
|
||||
server=1.1.1.1
|
||||
server=1.0.0.1
|
||||
|
||||
|
|
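Review bot: The added `server=10.0.0.1` forwards dnsmasq's upstream queries to the very address dnsmasq serves on lan0 (`static ip_address=10.0.0.1/8` in this commit's dhcpcd.conf), so unless a `port=` or `listen-address=` directive outside this hunk moves dnsmasq elsewhere, every name not answered locally is sent back to this same process and loops until its retries are exhausted. Drop that line and keep only the real upstreams, `server=1.1.1.1` and `server=1.0.0.1`, or point at `127.0.0.53` if the intent was to chain through systemd-resolved; `dns-loop-detect` would also surface this class of misconfiguration. Separately, `dhcp-host=chromebox,10.0.0.5,12h` and `dhcp-host=dragon,10.0.0.10,12h` are keyed on the client-supplied hostname only, so any LAN device can claim those reservations and receive the WAN ports this commit DNATs to 10.0.0.5 and 10.0.0.10; pinning the MAC as the `mnemonic` entry does closes that, e.g. `dhcp-host=<mac>,chromebox,10.0.0.5,12h`.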
46
etc-hosts
46
etc-hosts
|
@ -1,44 +1,14 @@
|
|||
# Static table lookup for hostnames.
|
||||
# See hosts(5) for details.
|
||||
|
||||
# WARNING: Do not edit this file at /etc/hosts
|
||||
# You must edit it from the router configuration repository and re-run the
|
||||
# `link.fish` script! If you do otherwise, your changes will be overridden.
|
||||
|
||||
127.0.0.1 localhost
|
||||
::1 localhost
|
||||
# 127.0.1.1 router.h.lyte.dev router
|
||||
127.0.1.1 router.h.lyte.dev router
|
||||
|
||||
# 10.0.0.1 router.h.lyte.dev router
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
|
||||
10.0.0.1 vpn.h.lyte.dev
|
||||
|
||||
10.0.0.10 dragon.h.lyte.dev
|
||||
|
||||
10.0.0.210 git.lyte.dev
|
||||
10.0.0.210 a.lyte.dev
|
||||
10.0.0.210 h.lyte.dev
|
||||
10.0.0.210 chat.lyte.dev
|
||||
10.0.0.210 matrix.lyte.dev
|
||||
10.0.0.210 bw.lyte.dev
|
||||
10.0.0.210 files.lyte.dev
|
||||
10.0.0.210 files.h.lyte.dev
|
||||
10.0.0.210 grafana.lyte.dev
|
||||
10.0.0.210 grafana.h.lyte.dev
|
||||
10.0.0.210 faceless.h.lyte.dev
|
||||
10.0.0.210 video.h.lyte.dev
|
||||
10.0.0.210 video.lyte.dev
|
||||
|
||||
10.0.0.81 kube-cluster.home.lyte.dev
|
||||
10.0.0.138 kube-cluster.home.lyte.dev
|
||||
10.0.0.244 kube-cluster.home.lyte.dev
|
||||
# 10.0.0.81 kube-cluster.home.lyte.dev
|
||||
|
||||
10.0.0.210 dmf.me
|
||||
|
||||
10.0.0.210 greenroof.house
|
||||
|
||||
10.0.0.210 ranch-talk.h.lyte.dev
|
||||
|
||||
10.0.0.138 ourcraft.lyte.dev
|
||||
10.0.0.244 factorio.lyte.dev
|
||||
10.0.0.5 git.lyte.dev
|
||||
10.0.0.5 video.lyte.dev
|
||||
10.0.0.5 files.lyte.dev
|
||||
10.0.0.5 bw.lyte.dev
|
||||
|
|
|
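Review bot: The new `/etc/hosts` content no longer carries the "do not edit this file at /etc/hosts" warning, yet the makefile added in this commit still overwrites it (`rm -f` then `cp` in the `/etc/hosts: ./etc-hosts` rule) on every plain `make`, so a hand edit on the router is silently lost. If that warning block is indeed on the removed side, as the deletion of the `link.fish` it referred to suggests, restore a short header pointing at the new workflow, e.g. `# Managed by the router repo: edit etc-hosts there and run make; edits made here are overwritten.`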
@ -8,7 +8,7 @@ t="/tmp/nftables.conf"
|
|||
# we don't care about existing rules - just use ours, thanks
|
||||
# sudo nft -s list ruleset >> "$f"
|
||||
|
||||
sudo -E nvim "$my_config"
|
||||
sudo -E $EDITOR "$my_config"
|
||||
cat "$my_config"
|
||||
echo "Do you want to load this config? [y/N]"
|
||||
read -r l
|
||||
|
|
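Review bot: `sudo -E $EDITOR "$my_config"` leaves `$EDITOR` unquoted and without a default: if the variable is unset the line degenerates to `sudo -E "$my_config"` and tries to execute the firewall config as root, and a value with spaces or glob characters is split however the shell sees fit. Default it to what the old line used and quote it, `sudo -E "${EDITOR:-nvim}" "$my_config"` (if multi-word values like `code --wait` must work, hold the editor in an array and expand `"${editor[@]}"`), or better, use `sudoedit -- "$my_config"`, which runs the editor unprivileged on a temporary copy and only installs the result as root. The rest of the script, including the y/N handling that follows `read -r l`, is outside this hunk.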
|
@ -1,4 +0,0 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
# install base packages from dotfiles first
|
||||
pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd
|
37
link.fish
37
link.fish
|
@ -1,37 +0,0 @@
|
|||
#!/usr/bin/env fish
|
||||
|
||||
if test (id -u) -ne 0
|
||||
echo "must run as root"
|
||||
exit 1
|
||||
end
|
||||
|
||||
function relink
|
||||
rm -f $argv[2]
|
||||
ezln $argv[1] $argv[2]
|
||||
end
|
||||
|
||||
function recopy
|
||||
rm -f $argv[2]
|
||||
cp $argv[1] $argv[2]
|
||||
end
|
||||
|
||||
# DNS, DHCP, prefix delegation
|
||||
recopy dnsmasq.conf /etc/dnsmasq.conf
|
||||
|
||||
# let dnsmasq handle DNS
|
||||
recopy resolved.conf /etc/systemd/resolved.conf
|
||||
|
||||
# sysctl flags we need for forwarding and accepting IPv6 router advertisements
|
||||
recopy ./sysctl-configs /etc/sysctl.d/10-router-configs.conf
|
||||
|
||||
# enable systemd-networkd to setup network interfaces with useful names
|
||||
recopy lan0.link /etc/systemd/network/10-lan0.link
|
||||
recopy wan0.link /etc/systemd/network/10-wan0.link
|
||||
|
||||
# dhcp client configuration
|
||||
recopy dhcpcd.conf /etc/dhcpcd.conf
|
||||
|
||||
# hosts file
|
||||
# recopy ./etc-hosts /etc/hblock/header
|
||||
# recopy ./etc-hosts /etc/hosts
|
||||
# hblock # temporary disable hblock because Val loves ads
|
78
makefile
Normal file
78
makefile
Normal file
|
@ -0,0 +1,78 @@
|
|||
# TODO: some kind of automatic (without confirmation) rollback setup?
|
||||
|
||||
.PHONY: default
|
||||
default: copy-configuration-files restart-services
|
||||
|
||||
.PHONY: setup
|
||||
setup: system-dependencies /root/router.wg-pub enable-and-start-services mkinitcpio
|
||||
|
||||
.PHONY: mkinitcpio
|
||||
mkinitcpio:
|
||||
mkinitcpio -p linux
|
||||
|
||||
.PHONY: system-dependencies
|
||||
system-dependencies:
|
||||
pacman -Sy --needed archlinux-keyring # get latest keys
|
||||
pacman -Syu # update everything
|
||||
pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd wireguard-tools # install anything needed
|
||||
|
||||
.PHONY: restart-services
|
||||
restart-services:
|
||||
systemctl restart nftables
|
||||
systemctl restart systemd-sysctl
|
||||
systemctl restart systemd-networkd
|
||||
systemctl restart dnsmasq
|
||||
systemctl restart systemd-resolved
|
||||
systemctl restart dhcpcd@lan0
|
||||
systemctl restart dhcpcd@wan0
|
||||
|
||||
.PHONY: enable-and-start-services
|
||||
enable-and-start-services:
|
||||
systemctl enable --now nftables
|
||||
systemctl enable --now systemd-sysctl
|
||||
systemctl enable --now systemd-networkd
|
||||
systemctl enable --now dnsmasq
|
||||
systemctl enable --now systemd-resolved
|
||||
systemctl enable --now dhcpcd@lan0
|
||||
systemctl enable --now dhcpcd@wan0
|
||||
|
||||
.PHONY: copy-configuration-files
|
||||
copy-configuration-files: /etc/dnsmasq.conf /etc/systemd/resolved.conf /etc/sysctl.d/10-router-configs.conf /etc/systemd/network/10-lan0.link /etc/systemd/network/10-wan0.link /etc/dhcpcd.conf /etc/hosts
|
||||
|
||||
/root/router.wg-key:
|
||||
umask 0077 && wg genkey > $@
|
||||
|
||||
/root/router.wg-pub: /root/router.wg-key
|
||||
umask 0077 && cat $^ wg genkey > $@
|
||||
|
||||
/etc/dnsmasq.conf: dnsmasq.conf
|
||||
rm -f $@
|
||||
cp $^ $@
|
||||
|
||||
/etc/systemd/resolved.conf: resolved.conf
|
||||
rm -f $@
|
||||
cp $^ $@
|
||||
|
||||
/etc/sysctl.d/10-router-configs.conf: sysctl-configs
|
||||
rm -f $@
|
||||
cp $^ $@
|
||||
|
||||
/etc/systemd/network/10-lan0.link: lan0.link
|
||||
rm -f $@
|
||||
cp $^ $@
|
||||
|
||||
/etc/systemd/network/10-wan0.link: wan0.link
|
||||
rm -f $@
|
||||
cp $^ $@
|
||||
|
||||
/etc/dhcpcd.conf: dhcpcd.conf
|
||||
rm -f $@
|
||||
cp $^ $@
|
||||
|
||||
/etc/hosts: ./etc-hosts
|
||||
rm -f $@
|
||||
cp $^ $@
|
||||
|
||||
/etc/nftables.conf: nftables.conf
|
||||
rm -f $@
|
||||
cp $^ $@
|
|
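Review bot: The `/root/router.wg-pub` rule, `umask 0077 && cat $^ wg genkey > $@`, is wrong: it concatenates the private key file with two nonexistent files named `wg` and `genkey`, so `cat` exits non-zero, but by then the redirection has already written the private key into `router.wg-pub`, and GNU make leaves that partial target in place (and considers it up to date on the next run) unless `.DELETE_ON_ERROR` is set. Derive the public key with `umask 0077 && wg pubkey < $< > $@` and add a `.DELETE_ON_ERROR:` line near the top so a failing rule never leaves a half-written key file behind. Also, `copy-configuration-files` does not list `/etc/nftables.conf` although the rule for it exists and `restart-services` restarts nftables, so a plain `make` reloads the firewall with whatever config was previously installed; if that is intentional because the firewall is loaded by the separate edit-and-confirm script, a one-line comment on the target would spare the next reader the surprise.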
@ -13,8 +13,8 @@ table inet filter {
|
|||
ip protocol icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
# do these need ipv6-specific entries, too?
|
||||
tcp dport { 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
|
||||
udp dport { 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
|
||||
tcp dport { 64022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
|
||||
udp dport { 64020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
|
||||
udp dport { 60000-60009 } accept
|
||||
udp dport dhcpv6-client accept
|
||||
drop
|
||||
|
@ -48,18 +48,26 @@ table ip nat {
|
|||
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
||||
|
||||
# chromebox
|
||||
iifname $WAN tcp dport { 443, 80, 22, 8008, 8448 } dnat to 10.0.0.5
|
||||
iifname $WAN tcp dport { 443, 80, 22, 8008, 8448, 7777 } dnat to 10.0.0.5
|
||||
iifname $WAN udp dport { 7777 } dnat to 10.0.0.5
|
||||
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.5
|
||||
|
||||
# dragon
|
||||
# old dragon?
|
||||
# iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
|
||||
# iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
|
||||
|
||||
iifname $WAN tcp dport { 10578, 5588, 5589 } dnat to 10.0.0.11
|
||||
iifname $WAN udp dport { 10578 } dnat to 10.0.0.11
|
||||
|
||||
# dragon reinstall?
|
||||
iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
|
||||
iifname $WAN udp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
|
||||
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
|
||||
iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10
|
||||
# iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10 # valheim
|
||||
|
||||
# beefcake (ben access)
|
||||
iifname $WAN tcp dport { 64022 } dnat to 10.0.0.9
|
||||
iifname $WAN udp dport { 64020 } dnat to 10.0.0.9
|
||||
|
||||
# mnemonic
|
||||
iifname $WAN tcp dport { 8022 } dnat to 10.0.0.248
|
||||
|
@ -67,6 +75,10 @@ table ip nat {
|
|||
# ourcraft
|
||||
iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
|
||||
iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
|
||||
|
||||
# router
|
||||
iifname $WAN tcp dport { 2201 } dnat to 10.0.0.1
|
||||
iifname $WAN udp dport { 2201 } dnat to 10.0.0.1
|
||||
}
|
||||
|
||||
chain output {
|
||||
|
|
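Review bot: In the `table ip nat` hunk, tcp ports 5588 and 5589 appear in two DNAT rules as rendered on the new side, `iifname $WAN tcp dport { 10578, 5588, 5589 } dnat to 10.0.0.11` and a few lines later `iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10`; dnat is a terminating verdict, so the first rule wins and the 10.0.0.10 rule never sees those two ports, which the `# dragon reinstall?` comment suggests was not actually decided. Pick one destination for 5588/5589 and remove them from the other set so the ruleset says what happens. On the filter side, the new `tcp dport { 64022, 10578, ... } accept` / `udp dport { 64020, 10578, ... } accept` lines in the input chain carry no `iifname` qualifier in this hunk, so they also open those ports on the router itself from the WAN; forwarded (DNATed) traffic is decided in the forward chain, so if that chain already accepts `ct status dnat`, the forwarded ports can come out of input entirely, leaving only services the router itself runs — unless an earlier rule or chain policy outside the hunk already scopes input to lan0. The `# do these need ipv6-specific entries, too?` question can be closed in place: in an `inet` table `tcp dport`/`udp dport` match both IPv4 and IPv6, so replace it with `# inet table: these port rules already cover both IPv4 and IPv6`.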
30
readme.md
30
readme.md
|
@ -1,26 +1,20 @@
|
|||
# Router
|
||||
Yeah yeah I need to document this better.
|
||||
|
||||
My little dual-NIC Arch Linux router configuration and scripts.
|
||||
|
||||
# Setup
|
||||
|
||||
With a fresh Arch Linux system:
|
||||
```bash
|
||||
make setup
|
||||
reboot
|
||||
```
|
||||
|
||||
- Install needed packages via `./install.sh`
|
||||
- Run `./link.fish` script
|
||||
- Enable and restart the following services:
|
||||
- `nftables`
|
||||
- `systemd-sysctl`
|
||||
- `systemd-resolved`
|
||||
- `systemd-networkd`
|
||||
- `dnsmasq`
|
||||
- `dhcpcd@lan0`
|
||||
- `dhcpcd@wan0`
|
||||
- Run `mkinitcpio -p linux`
|
||||
- Add any needed hosts to `/etc/hosts`
|
||||
- May be use dnsmasq's `addn-hosts` directive and copy a file from this repo
|
||||
- Reboot
|
||||
# Update System to Match This Configuration
|
||||
|
||||
```bash
|
||||
make
|
||||
```
|
||||
|
||||
# TODO:
|
||||
|
||||
- Script this whole thing? NixOS/declarative?
|
||||
- `link.fish` could just write to these files instead of copying them?
|
||||
- NixOS/declarative?
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
net.ipv4.ip_forward=1
|
||||
|
||||
net.ipv6.conf.all.forwarding=1
|
||||
net.ipv6.conf.wan0.accept_ra=2
|