Compare commits


No commits in common. "master" and "dev" have entirely different histories.
master ... dev

14 changed files with 135 additions and 257 deletions

2
.gitignore vendored Executable file → Normal file

@ -1 +1 @@
dnsmasq.leases
tags

18
dhcpcd.conf Executable file → Normal file

@ -1,8 +1,4 @@
duid
# No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
# issues caused by guests with oneplus devices
noarp
persistent
vendorclassid
@ -16,18 +12,16 @@ require dhcp_server_identifier
slaac private
noipv4ll
noipv6rs
static domain_name_servers=192.168.0.1
waitip 6
interface wan0
gateway
ipv6rs
iaid 1
# option rapid_commit
# ia_na 1
option rapid_commit
ia_na 1
ia_pd 1 lan0
interface lan0
static ip_address=192.168.0.1/16
static routers=192.168.0.1
static domain_name_servers=192.168.0.1
static ip_address=10.0.0.1/24
static routers=10.0.0.1
static domain_name_servers=10.0.0.1 8.8.8.8 8.8.4.4
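Review bot: In the `interface lan0` block, `static domain_name_servers=10.0.0.1 8.8.8.8 8.8.4.4` places public resolvers behind the router's own dnsmasq in the router's resolv.conf, so whenever 10.0.0.1 is slow or down the router's own lookups silently fall through to Google, bypassing dnsmasq's local `address=` records, its upstream `server=` selection and any filtering it applies. If the router is meant to resolve only through dnsmasq, keep `static domain_name_servers=10.0.0.1` alone (or `nohook resolv.conf` if resolv.conf is managed elsewhere) and let dnsmasq pick upstreams. Which of the duplicated lan0 lines is the new side is inferred from print order only, and the `interface lan0` block may continue past the hunk.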

63
dnsmasq.conf Executable file → Normal file

@ -1,54 +1,37 @@
# server endpoints
listen-address=::1,127.0.0.1,192.168.0.1,0.0.0.0
port=53
# DNS cache entries
cache-size=10000
# local domain entries
local=/lan/
domain=lan
expand-hosts
dhcp-authoritative
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
except-interface=wan0
interface=lan0
bogus-priv
enable-ra
# dhcp-option=121,192.168.0.0/16,192.168.0.1
dhcp-range=lan,192.168.0.5,192.168.0.250,255.255.255.0,10m
dhcp-range=lan,10.0.0.5,10.0.0.250,255.255.255.0,10m
dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
dhcp-host=dragon,192.168.0.10,12h
dhcp-host=beefcake,192.168.0.9,12h
dhcp-host=bald,192.168.0.153,12h
dhcp-host=chromebox,192.168.0.5,12h
dhcp-host=B-C02G56VXML85,192.168.0.128,12h
dhcp-host=B-W4KNHWJ6XY,192.168.0.217,12h
dhcp-host=mnemonic,192.168.0.248,ea:1b:7a:fb:8b:b8,12h
# dhcp-host=frontdoorcam,192.168.0.89,9c:8e:cd:2b:71:e9,120m
local=/h.lyte.dev/
address=/video.lyte.dev/192.168.0.9
address=/git.lyte.dev/192.168.0.9
address=/bw.lyte.dev/192.168.0.9
address=/files.lyte.dev/192.168.0.9
address=/vpn.h.lyte.dev/192.168.0.9
address=/.h.lyte.dev/192.168.0.9
dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.10,12h
dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.25,12h
dhcp-host=d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
dhcp-host=AMC058BA_A75F1E,192.168.0.150,12h
dhcp-host=AMC0587F_A2969A,192.168.0.151,12h
address=/dragon.h.lyte.dev/10.0.0.10
address=/git.lyte.dev/10.0.0.25
address=/h.lyte.dev/10.0.0.25
address=/a.lyte.dev/10.0.0.25
address=/.h.lyte.dev/10.0.0.25
address=/#.h.lyte.dev/10.0.0.25
address=/bw.lyte.dev/10.0.0.25
address=/files.lyte.dev/10.0.0.25
address=/grafana.lyte.dev/10.0.0.25
address=/ourcraft.lyte.dev/10.0.0.244
server=192.168.0.1
server=8.8.8.8
server=8.8.4.4
server=1.1.1.1
server=1.0.0.1
expand-hosts
port=53
interface=lan0
domain=h.lyte.dev
dhcp-authoritative
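Review bot: The option set printed last in the hunk (`expand-hosts`, `port=53`, `interface=lan0`, `domain=h.lyte.dev`, `dhcp-authoritative`) no longer carries `dnssec` with `conf-file=/usr/share/dnsmasq/trust-anchors.conf`, `bogus-priv`, or `except-interface=wan0`, if the rendering is old-then-new. With plain `server=8.8.8.8` / `server=1.1.1.1` forwarders that means upstream answers are no longer validated and reverse lookups for private address space are forwarded off-site; restoring `dnssec`, the `conf-file=` trust-anchor line and `bogus-priv` costs nothing here. `interface=lan0` on its own makes dnsmasq bind the wildcard and discard queries arriving on other interfaces, so pairing it with `bind-interfaces` keeps the daemon off the WAN socket entirely. The file count says 63 changes but the hunk renders fewer lines, so some of the dropped options may simply be out of view.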

1
dnsmasq.leases Symbolic link

@ -0,0 +1 @@
/var/lib/misc/dnsmasq.leases


@ -1,20 +0,0 @@
# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1 localhost
192.168.0.1 router.h.lyte.dev router
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.0.9 git.lyte.dev
192.168.0.9 video.lyte.dev
192.168.0.9 files.lyte.dev
192.168.0.9 bw.lyte.dev
192.168.0.9 vpn.h.lyte.dev
192.168.0.9 nix.h.lyte.dev
192.168.0.9 a.lyte.dev
192.168.0.9 api.lyte.dev
192.168.0.9 ourcraft.lyte.dev
192.168.0.9 jland.lyte.dev


@ -8,7 +8,7 @@ t="/tmp/nftables.conf"
# we don't care about existing rules - just use ours, thanks
# sudo nft -s list ruleset >> "$f"
sudo -E $EDITOR "$my_config"
sudo -E nvim "$my_config"
cat "$my_config"
echo "Do you want to load this config? [y/N]"
read -r l
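Review bot: Whichever of `sudo -E $EDITOR "$my_config"` and `sudo -E nvim "$my_config"` is the kept line runs the editor as root with the caller's environment preserved, so anything the editor honours from the environment (`VIMINIT`/`EXINIT`, or a user-writable `$EDITOR`) executes with root privileges. If `$my_config` is the checkout's own nftables.conf there is no need for root here at all (`$EDITOR "$my_config"`); if it is a root-owned file, `sudoedit "$my_config"` edits it through an unprivileged editor and writes the result back. Unquoted `$EDITOR` also word-splits, which tolerates `EDITOR="code -w"` but breaks on a path containing spaces. The `t="/tmp/nftables.conf"` in the hunk header is a fixed name in a world-writable directory; if root writes to it later in the script, `mktemp` is the safer choice. Where `my_config` is set and the rest of the script lie outside the hunk.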

0
lan0.link Executable file → Normal file

31
link.fish Executable file

@ -0,0 +1,31 @@
#!/usr/bin/env fish
if test (id -u) -ne 0
echo "must run as root"
exit 1
end
function relink
rm -f $argv[2]
ezln $argv[1] $argv[2]
end
function recopy
rm -f $argv[2]
cp $argv[1] $argv[2]
end
recopy dnsmasq.conf /etc/dnsmasq.conf
recopy resolved.conf /etc/systemd/resolved.conf
recopy ./sysctl-configs /etc/sysctl.d/10-router-configs.conf
# enable systemd-networkd to setup network interfaces with useful names
recopy lan0.link /etc/systemd/network/10-lan0.link
recopy wan0.link /etc/systemd/network/10-wan0.link
# enable systemd-networkd set the proper sysctl flags
# recopy wan0.network /etc/systemd/network/wan0.network
# recopy lan0.network /etc/systemd/network/lan0.network
# dhcp client configuration
recopy dhcpcd.conf /etc/dhcpcd.conf
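Review bot: `recopy` removes the destination with `rm -f` before `cp` and never checks the copy's exit status, so a failed `cp` (missing source, a typo in the path, a read error) leaves `/etc/dnsmasq.conf` or `/etc/dhcpcd.conf` deleted while the script carries on and exits 0; fish does not abort on a failed command, so make the copy fatal: `cp $argv[1] $argv[2]; or begin; echo "failed to install $argv[2]"; exit 1; end`, or use `install -m 0644 $argv[1] $argv[2]`, which also pins the mode of files written into /etc instead of inheriting it from the checkout. `relink` calls `ezln`, which is not a standard command and is not used in the lines shown — if it is a helper from elsewhere a comment naming it would help, otherwise it is dead code. About seven lines of this 31-line file are not rendered here.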


@ -1,96 +0,0 @@
# TODO: some kind of automatic (without confirmation) rollback setup?
.PHONY: default
default: copy-configuration-files restart-services
.PHONY: setup
setup: system-dependencies /root/router.wg-pub enable-and-start-services mkinitcpio
.PHONY: firewall-edit
firewall-edit:
./firewall-edit.bash
.PHONY: mkinitcpio
mkinitcpio:
mkinitcpio -p linux
.PHONY: system-dependencies
system-dependencies:
echo "Updating system..."
pacman -Sy --needed archlinux-keyring # get latest keys
pacman -Syu # update everything
pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd wireguard-tools tailscale # install anything needed
echo "Done updating system!"
echo "The system has updated. This usually means the kernel updated, so tailscale needs you to reboot."
.PHONY: restart-services
restart-services:
echo "Restarting services..."
systemctl restart nftables
systemctl restart systemd-sysctl
systemctl restart systemd-networkd
systemctl restart dnsmasq
# systemctl restart systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
systemctl restart dhcpcd@lan0
systemctl restart dhcpcd@wan0
systemctl restart radvd
# ksystemctl restart tailscaled # is this necessary since no config lies in this repo?
echo "Services restarted!"
.PHONY: enable-and-start-services
enable-and-start-services:
echo "Enabling and starting services..."
systemctl enable --now nftables
systemctl enable --now systemd-sysctl
systemctl enable --now systemd-networkd
systemctl enable --now dnsmasq
# systemctl enable --now systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
systemctl enable --now dhcpcd@lan0
systemctl enable --now dhcpcd@wan0
systemctl enable --now radvd
# systemctl enable --now tailscaled # is this necessary since no config lies in this repo?
echo "Services enabled and restarted!"
.PHONY: copy-configuration-files
copy-configuration-files: /etc/dnsmasq.conf /etc/systemd/resolved.conf /etc/sysctl.d/10-router-configs.conf /etc/systemd/network/10-lan0.link /etc/systemd/network/10-wan0.link /etc/dhcpcd.conf /etc/hosts
/root/router.wg-key:
umask 0077 && wg genkey > $@
/root/router.wg-pub: /root/router.wg-key
umask 0077 && cat $^ wg genkey > $@
/etc/dnsmasq.conf: dnsmasq.conf
rm -f $@
cp $^ $@
/etc/systemd/resolved.conf: resolved.conf
rm -f $@
cp $^ $@
/etc/sysctl.d/10-router-configs.conf: sysctl-configs
rm -f $@
cp $^ $@
/etc/systemd/network/10-lan0.link: lan0.link
rm -f $@
cp $^ $@
/etc/systemd/network/10-wan0.link: wan0.link
rm -f $@
cp $^ $@
/etc/dhcpcd.conf: dhcpcd.conf
rm -f $@
cp $^ $@
/etc/hosts: ./etc-hosts
rm -f $@ /tmp/etc-hosts
printf "%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
cat $^ >> /tmp/etc-hosts
printf "\n\n%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
cp /tmp/etc-hosts $@
/etc/nftables.conf: nftables.conf
rm -f $@
cp $^ $@

110
nftables.conf Executable file → Normal file

@ -1,6 +1,5 @@
define WAN = wan0
define LAN = lan0
define VPN = wg-vpn
table inet filter {
chain input {
@ -8,15 +7,12 @@ table inet filter {
iifname "lo" accept
ct state invalid drop
ct state { established, related } accept
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
ip protocol icmpv6 accept
ip protocol icmp accept
meta l4proto ipv6-icmp accept
tcp dport { 4022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 26968, 26965, 34197, 27015, 27036 } accept
udp dport { 9876, 9877, 4020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 26968, 26965, 34197 } accept
udp dport 27000-27100 accept
udp dport { 60000-60009 } accept
udp dport dhcpv6-client accept
tcp dport { 22 } accept comment "allow ssh to router"
udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
udp dport { 60000-60009 } accept comment "allow mosh common ports"
drop
}
@ -32,10 +28,38 @@ table inet filter {
}
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname $LAN masquerade
}
chain prerouting {
type nat hook prerouting priority -100; policy accept;
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
# faceless
# allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless
iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.25
# allow mosh
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.25
# allow host ssh
iifname $WAN tcp dport { 2221 } dnat to 10.0.0.10
# allow mosh
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
# ourcraft
iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
}
}
# nat ipv4 for lan
table ip io.systemd.nat {
set masq_saddr {
type ipv4_addr
flags interval
elements = { 192.168.0.0/16 }
elements = { 10.0.0.0/24 }
}
map map_port_ipport {
@ -43,37 +67,8 @@ table ip nat {
}
chain prerouting {
iifname $LAN accept
type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
# beefcake (ben access)
iifname $WAN tcp dport { 64022 } dnat to 192.168.0.9
iifname $WAN udp dport { 64020 } dnat to 192.168.0.9
# beefcake services
iifname $WAN tcp dport { 443, 80, 22 } dnat to 192.168.0.9
# mnemonic
iifname $WAN tcp dport { 8022 } dnat to 192.168.0.248
# ourcraft
iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
# jland and dawncraft
iifname $WAN tcp dport { 26968, 26965 } dnat to 192.168.0.9
iifname $WAN udp dport { 26968, 26965 } dnat to 192.168.0.9
# v rising
iifname $WAN tcp dport { 27015, 27036 } dnat to 192.168.0.9
iifname $WAN udp dport 9876-9877 dnat to 192.168.0.9
iifname $WAN udp dport { 9876, 9877 } dnat to 192.168.0.9
iifname $WAN udp dport 27000-27100 dnat to 192.168.0.9
# router
iifname $WAN tcp dport { 2201 } dnat to 192.168.0.1
iifname $WAN udp dport { 2201 } dnat to 192.168.0.1
}
chain output {
@ -83,22 +78,33 @@ table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
oifname $LAN masquerade
ip saddr @masq_saddr masquerade
}
}
# table ip filter {
# chain output {
# type filter hook output priority 100; policy accept;
# }
#
# chain input {
# type filter hook input priority 0; policy accept;
# }
#
# chain forward {
# type filter hook forward priority 0; policy accept;
# }
# }
#
# nat ipv6 for lan
table ip6 io.systemd.nat {
set masq_saddr {
type ipv6_addr
flags interval
}
map map_port_ipport {
type inet_proto . inet_service : ipv6_addr . inet_service
}
chain prerouting {
type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
}
chain output {
type nat hook output priority -99; policy accept;
ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
ip6 saddr @masq_saddr masquerade
}
}
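Review bot: In the input chain, `udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"` and `tcp dport { 22 } accept comment "allow ssh to router"` (if those are the new-side lines, as their comment style suggests) carry no `iifname`, so DNS, DHCP and SSH are reachable from `$WAN` as well as `$LAN`; dnsmasq's `interface=lan0` should discard the stray queries, but the firewall should not depend on a daemon's own interface filtering, and any other listener on 53/67 would be exposed. Only 546 has to be open toward the WAN (the router's own DHCPv6 client, `ia_pd 1 lan0` in dhcpcd.conf), so split the rule: `iifname $WAN udp dport 546 accept comment "dhcpv6-client on wan"`, `iifname $LAN udp dport { 53, 67 } accept comment "dns and dhcp from lan"`, and `iifname $LAN tcp dport 22 accept comment "ssh to router from lan"` unless SSH from the internet is intended. Separately, `oifname $LAN masquerade` in the new `table ip nat` postrouting (and on one side of the last hunk in `io.systemd.nat`) rewrites the source of every connection forwarded into the LAN to the router's address, so the DNAT targets at 10.0.0.25, 10.0.0.10 and 10.0.0.244 log and rate-limit the router instead of the real remote peer; if hairpin NAT is not the goal, `oifname $WAN masquerade` is the usual form. The input chain's hook/policy line (file lines 6–7) and the forward chain are outside the rendered hunks, so a stricter rule there could change this picture.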

46
readme.md Executable file → Normal file

@ -1,40 +1,18 @@
# Router
My little dual-NIC Arch Linux router configuration and scripts.
Yeah yeah I need to document this better.
# Setup
```bash
make setup
# setup tailscale if you like
reboot
```
With a fresh Arch Linux system:
# Update Configuration Files
Copies the various services' configuration files from this repo into place and
restarts those services.
```bash
make
```
# System Updates
Should be done regularly for security reasons.
```bash
make setup
# configure tailscale as needed
reboot
```
# Quick Firewall Tweak
```bash
./firewall-edit.bash
```
# TODO:
- NixOS/declarative?
- Install base packages as from dotfiles
- Run `./link.fish` script
- Enable and restart the following services:
- `systemd-resolved`
- `dnsmasq`
- `nftables`
- `systemd-networkd`
- `dhcpcd`
- Run `mkinitcpio -p linux`
- Reboot

0
resolved.conf Executable file → Normal file

1
sysctl-configs Executable file → Normal file

@ -1,3 +1,4 @@
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.wan0.accept_ra=2
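Review bot: `net.ipv6.conf.wan0.accept_ra=2` is what lets a forwarding host keep taking its default route and prefix from upstream RAs, but alongside `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` there is no source-validation setting: `net.ipv4.conf.all.rp_filter=1` (or `2` if routing is asymmetric) drops packets whose source address would not be routed back out the interface they arrived on, which is the standard anti-spoofing knob for a NAT router, and `net.ipv4.conf.all.accept_redirects=0` with `net.ipv6.conf.all.accept_redirects=0` are the usual companions on a gateway. The hunk header says four new lines but only three are rendered, so one line of this file is not visible here.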

0
wan0.link Executable file → Normal file