mesh firewall

Bob Mottram 2016-01-15 14:41:59 +00:00
parent 1f484f408c
commit 5099ec9143
2 changed files with 103 additions and 29 deletions


@ -432,7 +432,7 @@ TOX_COMMIT='73b2144edcfd1ca617e9054479b66ab0c0361a14'
TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt
# These are some default nodes, but you can replace them with trusted nodes # These are some default nodes, but you can replace them with trusted nodes
# as you prefer. See https://wiki.tox.im/Nodes # as you prefer. See https://wiki.tox.im/Nodes
TOX_NODE= TOX_NODES=
#TOX_NODES=( #TOX_NODES=(
# '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US' # '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US'
# '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE' # '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE'
@ -1235,7 +1235,7 @@ function read_configuration {
TLS_TIME_SOURCE2=$(grep "TLS_TIME_SOURCE2" $CONFIGURATION_FILE | awk -F '=' '{print $2}') TLS_TIME_SOURCE2=$(grep "TLS_TIME_SOURCE2" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi fi
fi fi
echo "System type: $SYSTEM_TYPE" echo "System type: $SYSTEM_TYPE"
} }
function set_default_onion_domains { function set_default_onion_domains {


@ -69,6 +69,8 @@ SSH_PORT=2222
# Whether sites are accessible only within a Tor browser # Whether sites are accessible only within a Tor browser
ONION_ONLY="no" ONION_ONLY="no"
WIFI_INTERFACE='wlan0'
enable_eatmydata_override() { enable_eatmydata_override() {
chroot $rootdir apt-get install --no-install-recommends -y eatmydata chroot $rootdir apt-get install --no-install-recommends -y eatmydata
if [ -x $rootdir/usr/bin/eatmydata ] && \ if [ -x $rootdir/usr/bin/eatmydata ] && \
@ -391,7 +393,7 @@ mesh_avahi() {
echo '</service-group>' >> $rootdir/etc/avahi/services/ssh.service echo '</service-group>' >> $rootdir/etc/avahi/services/ssh.service
# keep the daemon running # keep the daemon running
WATCHDOG_SCRIPT_NAME="keepon" WATCHDOG_SCRIPT_NAME="keepon"
echo '' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME echo '' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
echo '# keep avahi daemon running' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME echo '# keep avahi daemon running' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
echo 'AVAHI_RUNNING=$(pgrep avahi-daemon > /dev/null && echo Running)' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME echo 'AVAHI_RUNNING=$(pgrep avahi-daemon > /dev/null && echo Running)' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
@ -400,10 +402,10 @@ mesh_avahi() {
echo ' echo -n $CURRENT_DATE >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME echo ' echo -n $CURRENT_DATE >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
echo ' echo " Avahi daemon restarted" >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME echo ' echo " Avahi daemon restarted" >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
echo 'fi' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME echo 'fi' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
chmod +x $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME chmod +x $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
} }
function mesh_batman { mesh_batman() {
chroot "$rootdir" apt-get -y install iproute bridge-utils libnetfilter-conntrack3 batctl chroot "$rootdir" apt-get -y install iproute bridge-utils libnetfilter-conntrack3 batctl
chroot "$rootdir" apt-get -y install python-dev libevent-dev ebtables python-pip git chroot "$rootdir" apt-get -y install python-dev libevent-dev ebtables python-pip git
chroot "$rootdir" apt-get -y install wireless-tools rfkill chroot "$rootdir" apt-get -y install wireless-tools rfkill
@ -412,11 +414,11 @@ function mesh_batman {
echo 'batman_adv' >> $rootdir/etc/modules echo 'batman_adv' >> $rootdir/etc/modules
fi fi
if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $rootdir/var/lib/batman cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $rootdir/var/lib/batman
else else
cp /usr/bin/${PROJECT_NAME}-mesh-batman $rootdir/var/lib/batman cp /usr/bin/${PROJECT_NAME}-mesh-batman $rootdir/var/lib/batman
fi fi
echo '[Unit]' > $rootdir/etc/systemd/system/batman.service echo '[Unit]' > $rootdir/etc/systemd/system/batman.service
echo 'Description=B.A.T.M.A.N. Advanced' >> $rootdir/etc/systemd/system/batman.service echo 'Description=B.A.T.M.A.N. Advanced' >> $rootdir/etc/systemd/system/batman.service
@ -435,7 +437,78 @@ function mesh_batman {
chroot "$rootdir" systemctl enable batman chroot "$rootdir" systemctl enable batman
} }
function mesh_tox_node { mesh_firewall() {
TOX_PORT=33445
ZERONET_PORT=15441
TRACKER_PORT=6969
FIREWALL_FILENAME=$rootdir/etc/systemd/system/meshfirewall.service
MESH_FIREWALL_SCRIPT=/usr/bin/mesh-firewall
echo '#!/bin/bash' > $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -P INPUT ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'ip6tables -P INPUT ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'ip6tables -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -t nat -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'ip6tables -t nat -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -X' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'ip6tables -X' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -P INPUT DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'ip6tables -P INPUT DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -i lo -j ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '# Make sure incoming tcp connections are SYN packets' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '# Drop packets with incoming fragments' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -f -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '# Drop bogons' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '# Incoming malformed NULL packets:' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
chmod +x $rootdir/$MESH_FIREWALL_SCRIPT
echo '[Unit]' > $FIREWALL_FILENAME
echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
echo '' >> $FIREWALL_FILENAME
echo '[Service]' >> $FIREWALL_FILENAME
echo 'Type=oneshot' >> $FIREWALL_FILENAME
echo "ExecStart=$MESH_FIREWALL_SCRIPT" >> $FIREWALL_FILENAME
echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
echo '' >> $FIREWALL_FILENAME
echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
echo '' >> $FIREWALL_FILENAME
echo '[Install]' >> $FIREWALL_FILENAME
echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
chroot "$rootdir" systemctl enable meshfirewall
}
mesh_tox_node() {
TOX_REPO='git://github.com/irungentoo/toxcore.git'
TOX_COMMIT='73b2144edcfd1ca617e9054479b66ab0c0361a14'
TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt
# These are some default nodes, but you can replace them with trusted nodes
# as you prefer. See https://wiki.tox.im/Nodes
TOX_NODES=
#TOX_NODES=(
# '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US'
# '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE'
#)
iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
save_firewall_settings
chroot "$rootdir" apt-get -y install build-essential libtool autotools-dev chroot "$rootdir" apt-get -y install build-essential libtool autotools-dev
chroot "$rootdir" apt-get -y install automake checkinstall check git yasm chroot "$rootdir" apt-get -y install automake checkinstall check git yasm
chroot "$rootdir" apt-get -y install libsodium13 libsodium-dev libcap2-bin chroot "$rootdir" apt-get -y install libsodium13 libsodium-dev libcap2-bin
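Review bot: After the `ip6tables -P INPUT DROP` line in mesh_firewall no ip6tables accept rule follows, so the generated script drops every IPv6 input packet, including loopback (::1) and replies to outbound connections, whereas IPv4 gets the `-i lo` and conntrack accepts on the next two lines. Mirror those two rules for IPv6 right after them, `echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT` and `echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT`, so the IPv6 policy matches the IPv4 one instead of being a blanket drop. The Tox accept rule is also the only allow without `-i $WIFI_INTERFACE`, so it opens port 33445 on every interface unlike the ZeroNet, tracker and udp/1900 rules; if that is not intended, add the interface match there too. The meshfirewall unit carries no `Before=network.target` or `After=network-pre.target` ordering, so the rules are presumably applied only after interfaces are already up — worth confirming against the batman and avahi units this section enables.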
@ -543,29 +616,30 @@ initialise_mesh() {
if [[ $VARIANT != "mesh" ]]; then if [[ $VARIANT != "mesh" ]]; then
return return
fi fi
mesh_firewall
mesh_avahi mesh_avahi
mesh_batman mesh_batman
#mesh_tox_node
#MESH_SERVICE='mesh-setup.service' MESH_SERVICE='mesh-setup.service'
#MESH_SETUP_DAEMON=$rootdir/etc/systemd/system/$MESH_SERVICE MESH_SETUP_DAEMON=$rootdir/etc/systemd/system/$MESH_SERVICE
#echo '[Unit]' > $MESH_SETUP_DAEMON echo '[Unit]' > $MESH_SETUP_DAEMON
#echo 'Description=Initial mesh router configuration' >> $MESH_SETUP_DAEMON echo 'Description=Initial mesh router configuration' >> $MESH_SETUP_DAEMON
#echo 'After=syslog.target' >> $MESH_SETUP_DAEMON echo 'After=syslog.target' >> $MESH_SETUP_DAEMON
#echo 'After=network.target' >> $MESH_SETUP_DAEMON echo 'After=network.target' >> $MESH_SETUP_DAEMON
#echo '[Service]' >> $MESH_SETUP_DAEMON echo '[Service]' >> $MESH_SETUP_DAEMON
#echo 'Type=simple' >> $MESH_SETUP_DAEMON echo 'Type=simple' >> $MESH_SETUP_DAEMON
#echo 'User=root' >> $MESH_SETUP_DAEMON echo 'User=root' >> $MESH_SETUP_DAEMON
#echo 'Group=root' >> $MESH_SETUP_DAEMON echo 'Group=root' >> $MESH_SETUP_DAEMON
#echo 'WorkingDirectory=/root' >> $MESH_SETUP_DAEMON echo 'WorkingDirectory=/root' >> $MESH_SETUP_DAEMON
#echo "ExecStart=/usr/local/bin/${PROJECT_NAME}-image-mesh > /var/log/mesh-setup.log" >> $MESH_SETUP_DAEMON echo "ExecStart=/usr/local/bin/${PROJECT_NAME}-image-mesh > /var/log/mesh-setup.log" >> $MESH_SETUP_DAEMON
#echo '' >> $MESH_SETUP_DAEMON echo '' >> $MESH_SETUP_DAEMON
#echo 'TimeoutSec=99999' >> $MESH_SETUP_DAEMON echo 'TimeoutSec=99999' >> $MESH_SETUP_DAEMON
#echo '' >> $MESH_SETUP_DAEMON echo '' >> $MESH_SETUP_DAEMON
#echo '[Install]' >> $MESH_SETUP_DAEMON echo '[Install]' >> $MESH_SETUP_DAEMON
#echo 'WantedBy=multi-user.target' >> $MESH_SETUP_DAEMON echo 'WantedBy=multi-user.target' >> $MESH_SETUP_DAEMON
chroot "$rootdir" systemctl enable $MESH_SERVICE
#chroot "$rootdir" systemctl enable $MESH_SERVICE
} }
# Set to true/false to control if eatmydata is used during build # Set to true/false to control if eatmydata is used during build