Green (Diskussion | Beiträge) K (→11.10.15) |
Zeile 129: | Zeile 129: | ||
* Fastd Skript einfügen | * Fastd Skript einfügen | ||
christiand@fff-fra1:~$ cat /etc/fastd/fff_aux_fastd.sh | |||
#!/bin/sh | |||
SERVERNAME="fff-fra1" | |||
hood="def" | |||
project="fffaux" | |||
port=10000 | |||
SERVERNAME="$SERVERNAME.$hood" | |||
hostname=$SERVERNAME | |||
if [ ! -d /etc/fastd ] | |||
then | |||
mkdir /etc/fastd | |||
fi | |||
if [ ! -d /etc/fastd/$project.$hood ] | |||
then | |||
mkdir /etc/fastd/$project.$hood | |||
mkdir /etc/fastd/$project.$hood/peers | |||
#fastd config | |||
( | |||
echo "# Log warnings and errors to stderr" | |||
echo "log level error;" | |||
echo "# Log everything to a log file" | |||
echo "log to syslog as \"${project}${hood}\" level info;" | |||
echo "# Set the interface name" | |||
echo "interface \"${project}${hood}VPN\";" | |||
echo "# Support xsalsa20 and aes128 encryption methods, prefer xsalsa20" | |||
echo "#method \"xsalsa20-poly1305\";" | |||
echo "#method \"aes128-gcm\";" | |||
echo "method \"null\";" | |||
echo "# Bind to a fixed port, IPv4 only" | |||
echo "bind any:${port};" | |||
echo "# Secret key generated by \"fastd --generate-key\"" | |||
echo "secret \"$(fastd --generate-key | grep -i Secret | awk '{print $2}')\";" | |||
echo "# Set the interface MTU for TAP mode with xsalsa20/aes128 over IPv4 with a base MTU of 1492 (PPPoE)" | |||
echo "# (see MTU selection documentation)" | |||
echo "mtu 1426;" | |||
echo "on up \"/etc/fastd/${project}.${hood}/up.sh\";" | |||
echo "on post-down \"/etc/fastd/${project}.${hood}/down.sh\";" | |||
echo "# Include peers from the directory 'peers'" | |||
echo "include peers from \"/etc/fastd/${project}.${hood}/peers\";" | |||
echo "secure handshakes no;" | |||
) >> "/etc/fastd/$project.$hood/$project.$hood.conf" | |||
#fastd-up | |||
( | |||
echo "#!/bin/sh" | |||
echo "/sbin/ifdown \$INTERFACE" | |||
) >> /etc/fastd/$project.$hood/down.sh | |||
chmod +x /etc/fastd/$project.$hood/down.sh | |||
( | |||
echo "#!/bin/sh" | |||
echo "/sbin/ifup \$INTERFACE" >> /etc/fastd/$project.$hood/up.sh | |||
) >> /etc/fastd/$project.$hood/up.sh | |||
chmod +x /etc/fastd/$project.$hood/up.sh | |||
fi | |||
pubkey=$(fastd -c /etc/fastd/$project.$hood/$project.$hood.conf --show-key --machine-readable) | |||
port=$(grep ^bind /etc/fastd/$project.$hood/$project.$hood.conf | cut -d: -f2 | cut -d\; -f1) | |||
# fire up | |||
if [ "$(/sbin/ifconfig -a | grep -i ethernet | grep ${project}${hood}VPN)" = "" ] | |||
then | |||
/bin/rm /var/run/fastd.$project.$hood.pid | |||
fastd -c /etc/fastd/$project.$hood/$project.$hood.conf -d --pid-file /var/run/fastd.$project.$hood.pid | |||
fi | |||
# register | |||
wget -T15 -q "http://keyserver.freifunk-franken.de/${project}/?name=$hostname&port=$port&key=$pubkey" -O /tmp/fastd_${project}.${hood}_output | |||
if [ "$?" != "0" ] | |||
then | |||
echo "Update failed" | |||
echo "Exiting, no clean up, no refresh" | |||
exit | |||
fi | |||
touch /tmp/fastd_${project}.${hood}_starting | |||
filenames=$(cat /tmp/fastd_${project}.${hood}_output| grep ^#### | sed -e 's/^####//' | sed -e 's/.conf//g') | |||
for file in $filenames | |||
do | |||
grep -A100 ^####$file.conf$ /tmp/fastd_${project}.${hood}_output | grep -v ^####$file.conf$ | grep -m1 ^### -B100 | grep -v ^### | sed 's/ float;/;/g' > "/etc/fastd/$project.$hood/peers/$file" | |||
echo 'float yes;' >> "/etc/fastd/$project.$hood/peers/$file" | |||
done | |||
#find old peers | |||
OLD=$(find /etc/fastd/$project.$hood/peers/ -exec test -f '{}' -a /tmp/fastd_${project}.${hood}_starting -nt '{}' \; -print) | |||
if [ -n "${OLD}" ] ; then | |||
echo "Lösche alte:" | |||
echo $OLD | |||
find /etc/fastd/$project.$hood/peers/ -exec test -f '{}' -a /tmp/fastd_${project}.${hood}_starting -nt '{}' \; -print | xargs /bin/rm /tmp/fastd_${project}.${hood}_starting | |||
fi | |||
#reload | |||
kill -HUP "$(cat /var/run/fastd.$project.$hood.pid)" | |||
exit 0 | |||
* Hostname geändert | * Hostname geändert | ||
* IP Forwarding aktiviert | * IP Forwarding aktiviert |
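Review bot: The peer names taken from the keyserver answer (`filenames=$(cat … | grep ^#### | …)`) are used unvalidated and unquoted as file names in `"/etc/fastd/$project.$hood/peers/$file"`, so a malformed or hostile answer could place or overwrite files outside the peers directory, and `sed -e 's/.conf//g'` strips any four characters ending in "conf" anywhere in the name rather than a trailing ".conf". Add `case $file in ''|.*|*[!A-Za-z0-9_.-]*) continue ;; esac` as the first statement of the loop and use `sed -e 's/\.conf$//'` for the suffix. The `wget` failure branch prints "Update failed" but ends with a bare `exit`, i.e. status 0, so cron and rc.local cannot see the failure; `exit 1` is meant there. The fixed names `/tmp/fastd_${project}.${hood}_output` and `_starting` are created as root, where `mktemp` avoids a pre-created file or symlink being followed, and the `up.sh` block redirects both the inner `echo` and the subshell into the same file, which only works because both are opened in append mode.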
Version vom 11. Oktober 2015, 18:44 Uhr
08.10.15
- Passwort für fffranken geändert.
- Passwort für root geändert.
09.10.15
sudo installieren (als root)
apt-get update
apt-get install sudo
Neuen User delphin angelegt (als root)
adduser delphin
adduser delphin sudo
nano /etc/sudoers
# User privilege specification
root    ALL=(ALL:ALL) ALL
delphin ALL=(ALL:ALL) ALL
fail2ban installiert und eingerichtet
sudo apt-get install fail2ban
sudo nano /etc/fail2ban/jail.local
sudo /etc/init.d/fail2ban restart
SSH Port geändert
Es sollte ein Port gewählt werden, der nicht bereits vergeben ist (Liste vergebener Ports: more /etc/services).
sudo nano /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 8024
/etc/init.d/ssh restart
SSH Login nur über Key erlauben
sudo nano /etc/ssh/sshd_config
RSAAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreUserKnownHosts yes
ChallengeResponseAuthentication no
PasswordAuthentication no
sudo /etc/init.d/ssh restart
vnstat installiert
sudo apt-get install vnstat
mtr installiert
sudo apt-get install mtr
11.10.15
- 3x User hinzugefügt (mifritsche, christiand, green) (login via ssh key only)
- 3 Usern sudo Rechte eingeräumt (/etc/sudoers)
- sudo ohne erneute Passworteingabe (sudo visudo; username ALL=(ALL) NOPASSWD: ALL)
- screen installiert
- dist-upgrade
- BATMAN kompilieren
- batctl kompiliert
- fastd installiert
- kein OpenVPN
- DHCP
- bind9
- wget https://mifritscher.de/austausch/olsrd/jessie/olsrd_0.6.8.1-1_amd64.deb
- wget https://mifritscher.de/austausch/olsrd/jessie/olsrd-plugins_0.6.8.1-1_amd64.deb
TODO binary auf freifunk server (FTP) legen!
- dpkg -i ol*.deb
- device: bat0
iface bat0 inet manual
post-up ifconfig $IFACE up
##Einschalten post-up:
# IP des Gateways am B.A.T.M.A.N interface:
post-up ip addr add 10.50.240.2/21 dev $IFACE
# Regeln, wann die fff Routing-Tabelle benutzt werden soll:
post-up ip rule add iif $IFACE table fff
post-up ip rule add from 10.0.0.0/8 table fff
post-up ip rule add to 10.0.0.0/8 table fff
# Route in die Aux Hood:
post-up ip route add 10.50.240.0/21 dev $IFACE table fff
# Start des DHCP Servers:
### post-up invoke-rc.d isc-dhcp-server restart
##Ausschalten post-down:
# Loeschen der oben definierten Routen, Regeln und des Interface:
post-down ip route del 10.50.240.0/21 dev $IFACE table fff
post-down ip rule del from 10.0.0.0/8 table fff
post-down ip rule del to 10.0.0.0/8 table fff
post-down ip rule del iif $IFACE table fff
post-down ifconfig $IFACE down
- VPN Verbindung in die Aux Hood
iface fffauxVPN inet manual
post-up batctl -m bat0 if add $IFACE
post-up ifconfig $IFACE up
post-up ifup bat0
post-down ifdown bat0
post-down ifconfig $IFACE down
- Fastd Skript einfügen
christiand@fff-fra1:~$ cat /etc/fastd/fff_aux_fastd.sh
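#!/bin/sh
#
# fff_aux_fastd.sh - set up and refresh the fastd VPN into the "aux" hood.
#
# First run:  creates /etc/fastd/<project>.<hood>/ with a fastd config, a
#             freshly generated secret key and the up/down hook scripts.
# Every run:  starts fastd if its TAP interface is missing, registers this
#             server's public key with the Freifunk Franken keyserver,
#             rewrites the peer files from the keyserver's answer, deletes
#             peers the keyserver no longer lists and sends SIGHUP to fastd
#             so it re-reads the peer directory.
#
# Runs as root (writes below /etc/fastd and /var/run), e.g. from cron and
# rc.local. Exit status is 1 when the keyserver is unreachable, answers
# without any peer, or a setup step fails; no peer file is touched then.

SERVERNAME="fff-fra1"
hood="def"
project="fffaux"
port=10000
SERVERNAME="$SERVERNAME.$hood"
hostname=$SERVERNAME

# Paths derived from the settings above, spelled out once so every use agrees.
confdir="/etc/fastd/$project.$hood"
conf="$confdir/$project.$hood.conf"
peerdir="$confdir/peers"
pidfile="/var/run/fastd.$project.$hood.pid"
iface="${project}${hood}VPN"
keyserver="http://keyserver.freifunk-franken.de/${project}/"

# Print each argument on its own line to stderr and exit with status 1.
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Create the fastd config and the up/down hooks below $confdir.
# Only called while $confdir does not exist, so the secret key is
# generated exactly once and never overwritten.
create_config() {
  mkdir -p -- "$peerdir" || die "cannot create $peerdir"

  # "fastd --generate-key" prints a "Secret: <hex>" line; keep the value.
  secret=$(fastd --generate-key | grep -i Secret | awk '{print $2}')
  [ -n "$secret" ] || die "fastd --generate-key returned no secret"

  # The config carries the private key, so it is created root-only
  # (umask 077 only affects this subshell). The config text itself is
  # kept as before: method "null" means the tunnel payload is not
  # encrypted and "secure handshakes no" relaxes the handshake - this
  # looks intended for a batman transport, confirm before changing.
  (
    umask 077
    cat > "$conf" <<EOF
# Log warnings and errors to stderr
log level error;
# Log everything to a log file
log to syslog as "${project}${hood}" level info;
# Set the interface name
interface "${project}${hood}VPN";
# Support xsalsa20 and aes128 encryption methods, prefer xsalsa20
#method "xsalsa20-poly1305";
#method "aes128-gcm";
method "null";
# Bind to a fixed port, IPv4 only
bind any:${port};
# Secret key generated by "fastd --generate-key"
secret "${secret}";
# Set the interface MTU for TAP mode with xsalsa20/aes128 over IPv4 with a base MTU of 1492 (PPPoE)
# (see MTU selection documentation)
mtu 1426;
on up "${confdir}/up.sh";
on post-down "${confdir}/down.sh";
# Include peers from the directory 'peers'
include peers from "${peerdir}";
secure handshakes no;
EOF
  ) || die "cannot write $conf"

  # The hooks read $INTERFACE at run time (presumably set by fastd), so the
  # quoted heredoc keeps the variable name literal. The old version wrote
  # up.sh through two nested appends; one plain write is enough.
  cat > "$confdir/down.sh" <<'EOF'
#!/bin/sh
/sbin/ifdown $INTERFACE
EOF
  cat > "$confdir/up.sh" <<'EOF'
#!/bin/sh
/sbin/ifup $INTERFACE
EOF
  chmod +x "$confdir/down.sh" "$confdir/up.sh" || die "cannot make hooks executable"
}

# Start the fastd daemon unless its TAP interface already exists.
start_fastd_if_down() {
  # Same probe as before: the interface only shows up while fastd runs.
  if /sbin/ifconfig -a | grep -i ethernet | grep -q -- "$iface"; then
    return 0
  fi
  rm -f -- "$pidfile"
  fastd -c "$conf" -d --pid-file "$pidfile" || die "fastd failed to start"
}

# Register our public key with the keyserver and store its answer (the
# peer list) in $output. Exits 1 when the keyserver cannot be reached; the
# old version printed the same messages but exited with status 0.
fetch_peers() {
  pubkey=$(fastd -c "$conf" --show-key --machine-readable) || die "cannot read public key from $conf"
  [ -n "$pubkey" ] || die "fastd --show-key returned no key"
  # Take the port from the config rather than the default above, in case
  # the config was edited by hand.
  port=$(grep '^bind' "$conf" | cut -d: -f2 | cut -d';' -f1)
  # Plain http: the answer is not integrity-protected on the wire, which is
  # why the peer names are validated below before they become file names.
  if ! wget -T15 -q "${keyserver}?name=$hostname&port=$port&key=$pubkey" -O "$output"; then
    die "Update failed" "Exiting, no clean up, no refresh"
  fi
}

# Print the config lines of peer $1 from the keyserver answer $2: the lines
# after "####<name>.conf" up to the next line starting with "###" (or end of
# file), with " float;" dropped because "float yes;" is appended by the
# caller. The old grep chain stopped at 100 lines and produced nothing for
# a last section without a "###" terminator; awk has neither limit.
peer_config() {
  awk -v hdr="####$1.conf" '
    $0 == hdr        { inside = 1; next }
    inside && /^###/ { exit }
    inside           { gsub(/ float;/, ";"); print }
  ' "$2"
}

# Rewrite the peer files from $output and delete peers it no longer lists.
update_peers() {
  # Names announced by the keyserver, one per line, without the ".conf".
  wanted=$(sed -n 's/^####\(.*\)\.conf$/\1/p' "$output")
  # An empty or garbled answer must not wipe every peer.
  [ -n "$wanted" ] || die "keyserver answer lists no peers, keeping current ones"

  kept=
  while IFS= read -r name; do
    # Names come from the network: accept only plain file names so that an
    # answer cannot make us write outside $peerdir.
    case $name in
      ''|.*|*[!A-Za-z0-9_.-]*)
        printf 'skipping peer with unsafe name: %s\n' "$name" >&2
        continue ;;
    esac
    peer_config "$name" "$output" > "$peerdir/$name"
    echo 'float yes;' >> "$peerdir/$name"
    kept="$kept $name"
  done <<EOF
$wanted
EOF

  # Everything in $peerdir that was not just (re)written is stale. The old
  # version inferred this from file timestamps against a marker file; the
  # list of written names is exact and needs no marker.
  header_printed=0
  for path in "$peerdir"/*; do
    [ -f "$path" ] || continue
    name=${path##*/}
    case " $kept " in
      *" $name "*) continue ;;
    esac
    if [ "$header_printed" -eq 0 ]; then
      echo "Lösche alte:"
      header_printed=1
    fi
    printf '%s\n' "$path"
    rm -f -- "$path"
  done
}

# Tell the running fastd to re-read its peer directory.
reload_fastd() {
  pid=$(cat "$pidfile" 2>/dev/null)
  [ -n "$pid" ] || die "no pid in $pidfile, fastd not reloaded"
  kill -HUP "$pid" || die "cannot send SIGHUP to fastd (pid $pid)"
}

main() {
  [ -d "$confdir" ] || create_config
  start_fastd_if_down
  # The keyserver answer goes to a private temp file instead of a fixed
  # name in /tmp: with a fixed name, a file or symlink pre-created by
  # another local user would be overwritten by root.
  output=$(mktemp "/tmp/fastd_${project}.${hood}_output.XXXXXX") || die "mktemp failed"
  trap 'rm -f -- "$output"' EXIT
  fetch_peers
  update_peers
  reload_fastd
  exit 0
}

main "$@"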
- Hostname geändert
- IP Forwarding aktiviert
- Fastd Skript ausführbar (chmod +x /etc/fastd/fff_aux_fastd.sh)
- fastd Script gestartet, interface Name angepasst
- fastd Script in crontab und rc.local
- dns / bind9 als caching nameserver (8.8.8.8, 10.50.240.1)
- batman gw selection 1:1 aus anleitung
- bat0 als interface dhcp-server
- dhcp config:
- Freifunk Franken
option domain-name "fff.community";
option domain-name-servers 10.50.240.2;
authoritative;
- aux
subnet 10.50.32.0 netmask 255.255.248.0 { # Netzwerk und Netzmaske der Aux
range 10.50.242.0 10.50.243.255; # IP-Range die der DHCP-Server i
option routers 10.50.240.2; # Default-Gateway, dass Clients
option domain-name-servers 10.50.240.2; # Name-Server, die Clients mitge
}