Compare commits
31 commits
Author | SHA1 | Date | |
---|---|---|---|
24c2dc9efc | |||
7b71687943 | |||
dca612a391 | |||
e4e9be507e | |||
029103c8d1 | |||
|
c3378a3cbd | ||
|
dc5536fd5f | ||
|
e0f087d0a4 | ||
|
18de76b03e | ||
|
a4e7534403 | ||
|
6674150b7c | ||
|
201f49e750 | ||
|
5844f686e4 | ||
|
9cd6a88dab | ||
|
93556180ff | ||
|
7c2d0d6345 | ||
e681b27d4f | |||
|
d602b789d0 | ||
|
944fdb581b | ||
|
3e2311d4f6 | ||
|
2accef144c | ||
|
fe20febcd2 | ||
|
4287a61f9e | ||
|
c7e9fbe549 | ||
|
7ec4eebc65 | ||
|
73107f3d41 | ||
|
8f959b5287 | ||
|
f3d5b6fb63 | ||
|
8e87d5e259 | ||
|
7cd4d3ea01 | ||
|
7e83b39f17 |
14 changed files with 257 additions and 135 deletions
2
.gitignore
vendored
Normal file → Executable file
2
.gitignore
vendored
Normal file → Executable file
|
@ -1 +1 @@
|
||||||
tags
|
dnsmasq.leases
|
||||||
|
|
18
dhcpcd.conf
Normal file → Executable file
18
dhcpcd.conf
Normal file → Executable file
|
@ -1,4 +1,8 @@
|
||||||
duid
|
duid
|
||||||
|
|
||||||
|
# No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
|
||||||
|
# issues caused by guests with oneplus devices
|
||||||
|
noarp
|
||||||
persistent
|
persistent
|
||||||
vendorclassid
|
vendorclassid
|
||||||
|
|
||||||
|
@ -12,16 +16,18 @@ require dhcp_server_identifier
|
||||||
slaac private
|
slaac private
|
||||||
noipv4ll
|
noipv4ll
|
||||||
noipv6rs
|
noipv6rs
|
||||||
waitip 6
|
|
||||||
|
static domain_name_servers=192.168.0.1
|
||||||
|
|
||||||
interface wan0
|
interface wan0
|
||||||
|
gateway
|
||||||
ipv6rs
|
ipv6rs
|
||||||
iaid 1
|
iaid 1
|
||||||
option rapid_commit
|
# option rapid_commit
|
||||||
ia_na 1
|
# ia_na 1
|
||||||
ia_pd 1 lan0
|
ia_pd 1 lan0
|
||||||
|
|
||||||
interface lan0
|
interface lan0
|
||||||
static ip_address=10.0.0.1/24
|
static ip_address=192.168.0.1/16
|
||||||
static routers=10.0.0.1
|
static routers=192.168.0.1
|
||||||
static domain_name_servers=10.0.0.1 8.8.8.8 8.8.4.4
|
static domain_name_servers=192.168.0.1
|
||||||
|
|
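Review bot: The new `static ip_address=192.168.0.1/16` under `interface lan0` in the second hunk does not agree with the `255.255.255.0` netmask that the same commit hands out in dnsmasq.conf (`dhcp-range=lan,192.168.0.5,192.168.0.250,255.255.255.0,10m`) or with the `192.168.0.0/16` masquerade set in nftables.conf, so the router and its DHCP clients will disagree about which addresses are on-link; pick one prefix, e.g. `static ip_address=192.168.0.1/24`, or change the dnsmasq netmask to match. The `noarp` added in the first hunk also switches off dhcpcd's ARP-based duplicate-address probing (and IPv4LL), which is broader than the guest-device workaround the comment describes; I would extend the comment to `# noarp also disables IPv4 duplicate-address detection and IPv4LL` so the trade-off is recorded next to the option.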
63
dnsmasq.conf
Normal file → Executable file
63
dnsmasq.conf
Normal file → Executable file
|
@ -1,37 +1,54 @@
|
||||||
|
# server endpoints
|
||||||
|
listen-address=::1,127.0.0.1,192.168.0.1,0.0.0.0
|
||||||
|
port=53
|
||||||
|
|
||||||
|
# DNS cache entries
|
||||||
|
cache-size=10000
|
||||||
|
|
||||||
|
# local domain entries
|
||||||
|
local=/lan/
|
||||||
|
domain=lan
|
||||||
|
expand-hosts
|
||||||
|
|
||||||
|
dhcp-authoritative
|
||||||
|
|
||||||
|
conf-file=/usr/share/dnsmasq/trust-anchors.conf
|
||||||
|
dnssec
|
||||||
|
|
||||||
except-interface=wan0
|
except-interface=wan0
|
||||||
bogus-priv
|
interface=lan0
|
||||||
|
|
||||||
enable-ra
|
enable-ra
|
||||||
|
|
||||||
dhcp-range=lan,10.0.0.5,10.0.0.250,255.255.255.0,10m
|
# dhcp-option=121,192.168.0.0/16,192.168.0.1
|
||||||
|
|
||||||
|
dhcp-range=lan,192.168.0.5,192.168.0.250,255.255.255.0,10m
|
||||||
dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
|
dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
|
||||||
|
|
||||||
local=/h.lyte.dev/
|
dhcp-host=dragon,192.168.0.10,12h
|
||||||
|
dhcp-host=beefcake,192.168.0.9,12h
|
||||||
|
dhcp-host=bald,192.168.0.153,12h
|
||||||
|
dhcp-host=chromebox,192.168.0.5,12h
|
||||||
|
dhcp-host=B-C02G56VXML85,192.168.0.128,12h
|
||||||
|
dhcp-host=B-W4KNHWJ6XY,192.168.0.217,12h
|
||||||
|
dhcp-host=mnemonic,192.168.0.248,ea:1b:7a:fb:8b:b8,12h
|
||||||
|
# dhcp-host=frontdoorcam,192.168.0.89,9c:8e:cd:2b:71:e9,120m
|
||||||
|
|
||||||
dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.10,12h
|
address=/video.lyte.dev/192.168.0.9
|
||||||
dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.25,12h
|
address=/git.lyte.dev/192.168.0.9
|
||||||
dhcp-host=d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
|
address=/bw.lyte.dev/192.168.0.9
|
||||||
|
address=/files.lyte.dev/192.168.0.9
|
||||||
|
address=/vpn.h.lyte.dev/192.168.0.9
|
||||||
|
address=/.h.lyte.dev/192.168.0.9
|
||||||
|
|
||||||
address=/dragon.h.lyte.dev/10.0.0.10
|
dhcp-host=AMC058BA_A75F1E,192.168.0.150,12h
|
||||||
address=/git.lyte.dev/10.0.0.25
|
dhcp-host=AMC0587F_A2969A,192.168.0.151,12h
|
||||||
address=/h.lyte.dev/10.0.0.25
|
|
||||||
address=/a.lyte.dev/10.0.0.25
|
|
||||||
address=/.h.lyte.dev/10.0.0.25
|
|
||||||
address=/#.h.lyte.dev/10.0.0.25
|
|
||||||
address=/bw.lyte.dev/10.0.0.25
|
|
||||||
address=/files.lyte.dev/10.0.0.25
|
|
||||||
address=/grafana.lyte.dev/10.0.0.25
|
|
||||||
address=/ourcraft.lyte.dev/10.0.0.244
|
|
||||||
|
|
||||||
|
server=192.168.0.1
|
||||||
server=8.8.8.8
|
server=8.8.8.8
|
||||||
server=8.8.4.4
|
server=8.8.4.4
|
||||||
|
server=1.1.1.1
|
||||||
|
server=1.0.0.1
|
||||||
|
|
||||||
expand-hosts
|
|
||||||
|
|
||||||
port=53
|
|
||||||
|
|
||||||
interface=lan0
|
|
||||||
|
|
||||||
domain=h.lyte.dev
|
|
||||||
|
|
||||||
dhcp-authoritative
|
|
||||||
|
|
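Review bot: The added `server=192.168.0.1` points dnsmasq at the router's own LAN address (192.168.0.1 is what dhcpcd.conf and etc-hosts assign to this host in the same commit), so it forwards upstream queries to itself; drop that line and keep the external `server=` entries. Removing `bogus-priv` in the same hunk means reverse lookups for private (RFC 1918) addresses are now sent to the public upstreams instead of being answered locally, which leaks internal addressing; I would keep `bogus-priv`. The new `dhcp-host=dragon,192.168.0.10,12h`-style reservations are keyed only on the client-supplied hostname (the old entries were keyed by MAC), so any LAN client presenting that name can claim the address, including 192.168.0.9 to which nftables.conf DNATs WAN ports 80/443/22; include the MAC as the `mnemonic` entry already does. I would also double-check `0.0.0.0` in `listen-address`: with `interface=lan0` and `except-interface=wan0` it is at best redundant, and if it causes dnsmasq to bind the wildcard it would answer on the WAN address as well, since the nftables input chain now accepts port 53 from any interface.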
|
@ -1 +0,0 @@
|
||||||
/var/lib/misc/dnsmasq.leases
|
|
20
etc-hosts
Executable file
20
etc-hosts
Executable file
|
@ -0,0 +1,20 @@
|
||||||
|
# Static table lookup for hostnames.
|
||||||
|
# See hosts(5) for details.
|
||||||
|
|
||||||
|
127.0.0.1 localhost
|
||||||
|
192.168.0.1 router.h.lyte.dev router
|
||||||
|
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
||||||
|
192.168.0.9 git.lyte.dev
|
||||||
|
192.168.0.9 video.lyte.dev
|
||||||
|
192.168.0.9 files.lyte.dev
|
||||||
|
192.168.0.9 bw.lyte.dev
|
||||||
|
192.168.0.9 vpn.h.lyte.dev
|
||||||
|
192.168.0.9 nix.h.lyte.dev
|
||||||
|
192.168.0.9 a.lyte.dev
|
||||||
|
192.168.0.9 api.lyte.dev
|
||||||
|
192.168.0.9 ourcraft.lyte.dev
|
||||||
|
192.168.0.9 jland.lyte.dev
|
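Review bot: Every `192.168.0.9 …lyte.dev` line here overlaps the `address=/…/192.168.0.9` entries added to dnsmasq.conf in the same commit; dnsmasq reads /etc/hosts by default and the new config keeps `expand-hosts`, so the same names are now defined in two places that can drift apart. The two forms are not equivalent — `address=/git.lyte.dev/` also answers for every subdomain, while a hosts line is exact — so decide which file is the source of truth and say so in a comment at the top, e.g. `# Host-to-address entries live here; dnsmasq.conf only carries wildcard aliases`.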
|
@ -8,7 +8,7 @@ t="/tmp/nftables.conf"
|
||||||
# we don't care about existing rules - just use ours, thanks
|
# we don't care about existing rules - just use ours, thanks
|
||||||
# sudo nft -s list ruleset >> "$f"
|
# sudo nft -s list ruleset >> "$f"
|
||||||
|
|
||||||
sudo -E nvim "$my_config"
|
sudo -E $EDITOR "$my_config"
|
||||||
cat "$my_config"
|
cat "$my_config"
|
||||||
echo "Do you want to load this config? [y/N]"
|
echo "Do you want to load this config? [y/N]"
|
||||||
read -r l
|
read -r l
|
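Review bot: `sudo -E $EDITOR "$my_config"` has no fallback when `EDITOR` is unset: the line collapses to `sudo -E "$my_config"`, which tries to execute the config file as root instead of editing it. Use a default such as `sudo -E ${EDITOR:-nvim} "$my_config"` (left unquoted so a value like `code -w` still splits into command and argument). Because `-E` carries the caller's environment into the root process, a one-line comment noting that `EDITOR` is trusted here would help the next reader; the script's variable setup and the load step are outside this hunk.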
0
lan0.link
Normal file → Executable file
0
lan0.link
Normal file → Executable file
31
link.fish
31
link.fish
|
@ -1,31 +0,0 @@
|
||||||
#!/usr/bin/env fish
|
|
||||||
|
|
||||||
if test (id -u) -ne 0
|
|
||||||
echo "must run as root"
|
|
||||||
exit 1
|
|
||||||
end
|
|
||||||
|
|
||||||
function relink
|
|
||||||
rm -f $argv[2]
|
|
||||||
ezln $argv[1] $argv[2]
|
|
||||||
end
|
|
||||||
|
|
||||||
function recopy
|
|
||||||
rm -f $argv[2]
|
|
||||||
cp $argv[1] $argv[2]
|
|
||||||
end
|
|
||||||
|
|
||||||
recopy dnsmasq.conf /etc/dnsmasq.conf
|
|
||||||
recopy resolved.conf /etc/systemd/resolved.conf
|
|
||||||
recopy ./sysctl-configs /etc/sysctl.d/10-router-configs.conf
|
|
||||||
|
|
||||||
# enable systemd-networkd to setup network interfaces with useful names
|
|
||||||
recopy lan0.link /etc/systemd/network/10-lan0.link
|
|
||||||
recopy wan0.link /etc/systemd/network/10-wan0.link
|
|
||||||
|
|
||||||
# enable systemd-networkd set the proper sysctl flags
|
|
||||||
# recopy wan0.network /etc/systemd/network/wan0.network
|
|
||||||
# recopy lan0.network /etc/systemd/network/lan0.network
|
|
||||||
|
|
||||||
# dhcp client configuration
|
|
||||||
recopy dhcpcd.conf /etc/dhcpcd.conf
|
|
96
makefile
Normal file
96
makefile
Normal file
|
@ -0,0 +1,96 @@
|
||||||
|
# TODO: some kind of automatic (without confirmation) rollback setup?
|
||||||
|
|
||||||
|
.PHONY: default
|
||||||
|
default: copy-configuration-files restart-services
|
||||||
|
|
||||||
|
.PHONY: setup
|
||||||
|
setup: system-dependencies /root/router.wg-pub enable-and-start-services mkinitcpio
|
||||||
|
|
||||||
|
.PHONY: firewall-edit
|
||||||
|
firewall-edit:
|
||||||
|
./firewall-edit.bash
|
||||||
|
|
||||||
|
.PHONY: mkinitcpio
|
||||||
|
mkinitcpio:
|
||||||
|
mkinitcpio -p linux
|
||||||
|
|
||||||
|
.PHONY: system-dependencies
|
||||||
|
system-dependencies:
|
||||||
|
echo "Updating system..."
|
||||||
|
pacman -Sy --needed archlinux-keyring # get latest keys
|
||||||
|
pacman -Syu # update everything
|
||||||
|
pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd wireguard-tools tailscale # install anything needed
|
||||||
|
echo "Done updating system!"
|
||||||
|
echo "The system has updated. This usually means the kernel updated, so tailscale needs you to reboot."
|
||||||
|
|
||||||
|
.PHONY: restart-services
|
||||||
|
restart-services:
|
||||||
|
echo "Restarting services..."
|
||||||
|
systemctl restart nftables
|
||||||
|
systemctl restart systemd-sysctl
|
||||||
|
systemctl restart systemd-networkd
|
||||||
|
systemctl restart dnsmasq
|
||||||
|
# systemctl restart systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
|
||||||
|
systemctl restart dhcpcd@lan0
|
||||||
|
systemctl restart dhcpcd@wan0
|
||||||
|
systemctl restart radvd
|
||||||
|
# ksystemctl restart tailscaled # is this necessary since no config lies in this repo?
|
||||||
|
echo "Services restarted!"
|
||||||
|
|
||||||
|
.PHONY: enable-and-start-services
|
||||||
|
enable-and-start-services:
|
||||||
|
echo "Enabling and starting services..."
|
||||||
|
systemctl enable --now nftables
|
||||||
|
systemctl enable --now systemd-sysctl
|
||||||
|
systemctl enable --now systemd-networkd
|
||||||
|
systemctl enable --now dnsmasq
|
||||||
|
# systemctl enable --now systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
|
||||||
|
systemctl enable --now dhcpcd@lan0
|
||||||
|
systemctl enable --now dhcpcd@wan0
|
||||||
|
systemctl enable --now radvd
|
||||||
|
# systemctl enable --now tailscaled # is this necessary since no config lies in this repo?
|
||||||
|
echo "Services enabled and restarted!"
|
||||||
|
|
||||||
|
.PHONY: copy-configuration-files
|
||||||
|
copy-configuration-files: /etc/dnsmasq.conf /etc/systemd/resolved.conf /etc/sysctl.d/10-router-configs.conf /etc/systemd/network/10-lan0.link /etc/systemd/network/10-wan0.link /etc/dhcpcd.conf /etc/hosts
|
||||||
|
|
||||||
|
/root/router.wg-key:
|
||||||
|
umask 0077 && wg genkey > $@
|
||||||
|
|
||||||
|
/root/router.wg-pub: /root/router.wg-key
|
||||||
|
umask 0077 && cat $^ wg genkey > $@
|
||||||
|
|
||||||
|
/etc/dnsmasq.conf: dnsmasq.conf
|
||||||
|
rm -f $@
|
||||||
|
cp $^ $@
|
||||||
|
|
||||||
|
/etc/systemd/resolved.conf: resolved.conf
|
||||||
|
rm -f $@
|
||||||
|
cp $^ $@
|
||||||
|
|
||||||
|
/etc/sysctl.d/10-router-configs.conf: sysctl-configs
|
||||||
|
rm -f $@
|
||||||
|
cp $^ $@
|
||||||
|
|
||||||
|
/etc/systemd/network/10-lan0.link: lan0.link
|
||||||
|
rm -f $@
|
||||||
|
cp $^ $@
|
||||||
|
|
||||||
|
/etc/systemd/network/10-wan0.link: wan0.link
|
||||||
|
rm -f $@
|
||||||
|
cp $^ $@
|
||||||
|
|
||||||
|
/etc/dhcpcd.conf: dhcpcd.conf
|
||||||
|
rm -f $@
|
||||||
|
cp $^ $@
|
||||||
|
|
||||||
|
/etc/hosts: ./etc-hosts
|
||||||
|
rm -f $@ /tmp/etc-hosts
|
||||||
|
printf "%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
|
||||||
|
cat $^ >> /tmp/etc-hosts
|
||||||
|
printf "\n\n%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
|
||||||
|
cp /tmp/etc-hosts $@
|
||||||
|
|
||||||
|
/etc/nftables.conf: nftables.conf
|
||||||
|
rm -f $@
|
||||||
|
cp $^ $@
|
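Review bot: The `/root/router.wg-pub` recipe `umask 0077 && cat $^ wg genkey > $@` does not derive a public key: it concatenates the private key file with two (presumably non-existent) files named `wg` and `genkey` into router.wg-pub, so the "pub" file ends up holding the private key, and because `cat` then exits non-zero the `setup` target fails. The intended line is `umask 0077 && wg pubkey < $^ > $@`. The `/etc/hosts` recipe assembles the file at the fixed path `/tmp/etc-hosts` as root after an `rm -f`; building it via `mktemp` (or in the repo directory and installing the result) avoids relying on a predictable name in a shared directory. Separately, `copy-configuration-files` lists every installed config except `/etc/nftables.conf`, although a rule for it exists further down and `restart-services` restarts nftables, so `make` restarts the firewall without installing the tracked ruleset; if that is deliberate because firewall-edit.bash owns it, a comment on that rule would make it clear.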
110
nftables.conf
Normal file → Executable file
110
nftables.conf
Normal file → Executable file
|
@ -1,5 +1,6 @@
|
||||||
define WAN = wan0
|
define WAN = wan0
|
||||||
define LAN = lan0
|
define LAN = lan0
|
||||||
|
define VPN = wg-vpn
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
|
@ -7,12 +8,15 @@ table inet filter {
|
||||||
iifname "lo" accept
|
iifname "lo" accept
|
||||||
ct state invalid drop
|
ct state invalid drop
|
||||||
ct state { established, related } accept
|
ct state { established, related } accept
|
||||||
|
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
|
||||||
ip protocol icmpv6 accept
|
ip protocol icmpv6 accept
|
||||||
ip protocol icmp accept
|
ip protocol icmp accept
|
||||||
meta l4proto ipv6-icmp accept
|
meta l4proto ipv6-icmp accept
|
||||||
tcp dport { 22 } accept comment "allow ssh to router"
|
tcp dport { 4022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 26968, 26965, 34197, 27015, 27036 } accept
|
||||||
udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
|
udp dport { 9876, 9877, 4020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 26968, 26965, 34197 } accept
|
||||||
udp dport { 60000-60009 } accept comment "allow mosh common ports"
|
udp dport 27000-27100 accept
|
||||||
|
udp dport { 60000-60009 } accept
|
||||||
|
udp dport dhcpv6-client accept
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -28,38 +32,10 @@ table inet filter {
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
chain postrouting {
|
|
||||||
type nat hook postrouting priority 100; policy accept;
|
|
||||||
oifname $LAN masquerade
|
|
||||||
}
|
|
||||||
|
|
||||||
chain prerouting {
|
|
||||||
type nat hook prerouting priority -100; policy accept;
|
|
||||||
|
|
||||||
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
|
|
||||||
|
|
||||||
# faceless
|
|
||||||
# allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless
|
|
||||||
iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.25
|
|
||||||
# allow mosh
|
|
||||||
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.25
|
|
||||||
|
|
||||||
# allow host ssh
|
|
||||||
iifname $WAN tcp dport { 2221 } dnat to 10.0.0.10
|
|
||||||
# allow mosh
|
|
||||||
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
|
|
||||||
|
|
||||||
# ourcraft
|
|
||||||
iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# nat ipv4 for lan
|
|
||||||
table ip io.systemd.nat {
|
|
||||||
set masq_saddr {
|
set masq_saddr {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 10.0.0.0/24 }
|
elements = { 192.168.0.0/16 }
|
||||||
}
|
}
|
||||||
|
|
||||||
map map_port_ipport {
|
map map_port_ipport {
|
||||||
|
@ -67,8 +43,37 @@ table ip io.systemd.nat {
|
||||||
}
|
}
|
||||||
|
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
|
iifname $LAN accept
|
||||||
type nat hook prerouting priority dstnat + 1; policy accept;
|
type nat hook prerouting priority dstnat + 1; policy accept;
|
||||||
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
||||||
|
|
||||||
|
# beefcake (ben access)
|
||||||
|
iifname $WAN tcp dport { 64022 } dnat to 192.168.0.9
|
||||||
|
iifname $WAN udp dport { 64020 } dnat to 192.168.0.9
|
||||||
|
|
||||||
|
# beefcake services
|
||||||
|
iifname $WAN tcp dport { 443, 80, 22 } dnat to 192.168.0.9
|
||||||
|
|
||||||
|
# mnemonic
|
||||||
|
iifname $WAN tcp dport { 8022 } dnat to 192.168.0.248
|
||||||
|
|
||||||
|
# ourcraft
|
||||||
|
iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
|
||||||
|
iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
|
||||||
|
|
||||||
|
# jland and dawncraft
|
||||||
|
iifname $WAN tcp dport { 26968, 26965 } dnat to 192.168.0.9
|
||||||
|
iifname $WAN udp dport { 26968, 26965 } dnat to 192.168.0.9
|
||||||
|
|
||||||
|
# v rising
|
||||||
|
iifname $WAN tcp dport { 27015, 27036 } dnat to 192.168.0.9
|
||||||
|
iifname $WAN udp dport 9876-9877 dnat to 192.168.0.9
|
||||||
|
iifname $WAN udp dport { 9876, 9877 } dnat to 192.168.0.9
|
||||||
|
iifname $WAN udp dport 27000-27100 dnat to 192.168.0.9
|
||||||
|
|
||||||
|
# router
|
||||||
|
iifname $WAN tcp dport { 2201 } dnat to 192.168.0.1
|
||||||
|
iifname $WAN udp dport { 2201 } dnat to 192.168.0.1
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
|
@ -78,33 +83,22 @@ table ip io.systemd.nat {
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority srcnat + 1; policy accept;
|
type nat hook postrouting priority srcnat + 1; policy accept;
|
||||||
|
oifname $LAN masquerade
|
||||||
ip saddr @masq_saddr masquerade
|
ip saddr @masq_saddr masquerade
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# nat ipv6 for lan
|
# table ip filter {
|
||||||
table ip6 io.systemd.nat {
|
# chain output {
|
||||||
set masq_saddr {
|
# type filter hook output priority 100; policy accept;
|
||||||
type ipv6_addr
|
# }
|
||||||
flags interval
|
#
|
||||||
}
|
# chain input {
|
||||||
|
# type filter hook input priority 0; policy accept;
|
||||||
map map_port_ipport {
|
# }
|
||||||
type inet_proto . inet_service : ipv6_addr . inet_service
|
#
|
||||||
}
|
# chain forward {
|
||||||
|
# type filter hook forward priority 0; policy accept;
|
||||||
chain prerouting {
|
# }
|
||||||
type nat hook prerouting priority dstnat + 1; policy accept;
|
# }
|
||||||
fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
|
#
|
||||||
}
|
|
||||||
|
|
||||||
chain output {
|
|
||||||
type nat hook output priority -99; policy accept;
|
|
||||||
ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
|
|
||||||
}
|
|
||||||
|
|
||||||
chain postrouting {
|
|
||||||
type nat hook postrouting priority srcnat + 1; policy accept;
|
|
||||||
ip6 saddr @masq_saddr masquerade
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
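Review bot: In the second hunk the input chain's `tcp dport { 4022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, … } accept` and the matching udp line carry no `iifname` match, so every listed port is now reachable on the router itself from the WAN side, where the old rules exposed only 22 (and 546/53/67 for udp). Most of those ports (25565, 26968, 26965, 34197, 27015, 27036, 9876-9877, 27000-27100, 2201) are DNAT targets in the prerouting chain of the fourth hunk; DNAT runs before the input hook, so those packets traverse `forward`, not `input`, and listing them here only opens whatever happens to bind those ports on the router. I would split the rule into `iifname $LAN tcp dport { 22, 53, 67, … } accept` for LAN-facing services and a separate, deliberately short list for what must be reachable on `$WAN` (53 on the WAN side in particular turns dnsmasq into an open resolver if it binds that address), and restore the `comment "…"` annotations the old lines had. In the fourth hunk the added `iifname $LAN accept` sits above the `type nat hook prerouting …` declaration; nft accepts that order, but putting the hook line first is the conventional layout and easier to read.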
46
readme.md
Normal file → Executable file
46
readme.md
Normal file → Executable file
|
@ -1,18 +1,40 @@
|
||||||
# Router
|
# Router
|
||||||
|
|
||||||
Yeah yeah I need to document this better.
|
My little dual-NIC Arch Linux router configuration and scripts.
|
||||||
|
|
||||||
# Setup
|
# Setup
|
||||||
|
|
||||||
With a fresh Arch Linux system:
|
```bash
|
||||||
|
make setup
|
||||||
|
# setup tailscale if you like
|
||||||
|
reboot
|
||||||
|
```
|
||||||
|
|
||||||
- Install base packages as from dotfiles
|
# Update Configuration Files
|
||||||
- Run `./link.fish` script
|
|
||||||
- Enable and restart the following services:
|
Copies the various services' configuration files from this repo into place and
|
||||||
- `systemd-resolved`
|
restarts those services.
|
||||||
- `dnsmasq`
|
|
||||||
- `nftables`
|
```bash
|
||||||
- `systemd-networkd`
|
make
|
||||||
- `dhcpcd`
|
```
|
||||||
- Run `mkinitcpio -p linux`
|
|
||||||
- Reboot
|
# System Updates
|
||||||
|
|
||||||
|
Should be done regularly for security reasons.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make setup
|
||||||
|
# configure tailscale as needed
|
||||||
|
reboot
|
||||||
|
```
|
||||||
|
|
||||||
|
# Quick Firewall Tweak
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./firewall-edit.bash
|
||||||
|
```
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
|
||||||
|
- NixOS/declarative?
|
||||||
|
|
0
resolved.conf
Normal file → Executable file
0
resolved.conf
Normal file → Executable file
1
sysctl-configs
Normal file → Executable file
1
sysctl-configs
Normal file → Executable file
|
@ -1,4 +1,3 @@
|
||||||
net.ipv4.ip_forward=1
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
net.ipv6.conf.all.forwarding=1
|
net.ipv6.conf.all.forwarding=1
|
||||||
net.ipv6.conf.wan0.accept_ra=2
|
net.ipv6.conf.wan0.accept_ra=2
|
0
wan0.link
Normal file → Executable file
0
wan0.link
Normal file → Executable file