Server Dokumentation

GRE Tunnel

GRE-Tunnel konfigurieren.

# ifcfg file for one GRE tunnel per FFRL point of presence (ber/fra/dus);
# every <...> field is a placeholder to be filled in per tunnel.
# GRE itself provides no confidentiality or peer authentication; the tunnel
# only carries traffic that the bird BGP session and the iptables SNAT rule
# (see the Firewall section) direct into it.
DEVICE=tun-ffrl-<ber/fra/dus>  
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
# Outer addresses: the public endpoints between which GRE packets travel.
PEER_OUTER_IPADDR=<IPv4 FFRL Endpoint>
# Inner addresses: the point-to-point transfer network inside the tunnel
# (the bird "source address"/"neighbor" pair lives here).
PEER_INNER_IPADDR=<IPv4 FFRL Tunnel>
MY_OUTER_IPADDR=<IPv4 FFIN Endpoint>
MY_INNER_IPADDR=<IPv4 FFIN Tunnel>
IPV6ADDR=<IPv6 Tunnel>/<Prefix-Size>
# Reduced MTU to leave room for the GRE header; TCP MSS on tun-+ is
# additionally clamped to 1280 by the mangle rule in the Firewall section.
MTU=1400
TTL=64

IP-Konfiguration

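# Kernel network settings for the gateway (sysctl format).

# Source route verification
# Reverse-path filtering is switched off - presumably because mesh and FFRL
# traffic is policy-routed through kernel table 42 (see the Routing section)
# and replies do not necessarily leave via the ingress interface; confirm.
# Trade-off: the kernel no longer drops packets with spoofed source addresses.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
# Set on "all" as well so interfaces that already exist when this file is
# applied are covered, not only interfaces created afterwards.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable packet forwarding
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

# Configure ipv6 features
# This host is a router: never autoconfigure addresses or routes from
# router advertisements, on any interface.
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
# ICMPv6 redirects are disabled explicitly. The kernel documentation states
# that redirects are functionally ignored while forwarding is enabled, but
# an explicit 0 keeps on-link hosts from altering this router's routes should
# forwarding ever be switched off, and matches the hardening intent above.
net.ipv6.conf.default.accept_redirects = 0

net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_redirects = 0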

DHCPD

# dhcpd.conf for the mesh clients on bat0.
# Short leases (2 min default, 10 min max) so addresses of transient mesh
# clients are recycled quickly.
default-lease-time 120;
max-lease-time 600;

# This is the only DHCP server for the mesh: answer with NAK to requests
# for leases it does not know about.
authoritative;

log-facility local6;

# Clients get addresses from the 10.10.8.0-10.10.15.254 slice of the /16;
# router and resolver are this gateway's bat0 address (see Netzwerkkonfig).
subnet 10.10.0.0 netmask 255.255.0.0 {
    range 10.10.8.1 10.10.15.254;

    option routers 10.10.0.2;
    option domain-name-servers 10.10.0.2;
    # Matches the AdvLinkMTU in radvd.conf and the TCPMSS clamp on the tunnels.
    option interface-mtu 1280;
}

# radvd.conf: IPv6 router advertisements for mesh clients on bat0.
interface bat0
{
    AdvSendAdvert on;
    # bat0 only exists once fastd has brought the mesh up (see "on up" in
    # fastd-master.conf); do not fail if it is missing at start.
    IgnoreIfMissing on;

    # Stateless autoconfiguration only: no DHCPv6 for addresses or options.
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    # Same MTU as handed out via DHCP option interface-mtu.
    AdvLinkMTU 1280;

    prefix 2a03:2260:116::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        # Advertise the router's own address within the prefix.
        AdvRouterAddr on;
    };

    # Recursive DNS server: the gateway's bat0 address, where named listens.
    RDNSS 2a03:2260:116::2
    {
    };
};

install bind

yum install bind bind-utils; anschließend mit vim /etc/named.conf unter "recursion yes;" hinzufügen:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Adapted here as the recursive resolver for the mesh: it also listens on
// the gateway's bat0 addresses and serves the local "ffin" zone.

options {
    // Loopback plus the bat0 addresses handed to clients via DHCP/RDNSS.
    listen-on port 53 { 127.0.0.1; 10.10.0.2; };
    listen-on-v6 port 53 { ::1; 2a03:2260:116::2; };
    // Rescan interfaces every minute, as bat0 appears only after fastd is up.
    interface-interval 1;
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // "localnets" covers the directly attached networks, i.e. the mesh
    // prefixes on bat0 - the resolver is not reachable for arbitrary sources.
    allow-query     { localnets; localhost; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;
    // Added per the installation note above: recursion is restricted to the
    // same local networks as queries.
    allow-recursion { localnets; localhost; };

    // NOTE(review): "dnssec-enable" is deprecated in recent BIND releases;
    // confirm against the installed version.
    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    // NOTE(review): the ISC DLV lookaside service has been discontinued; this
    // line comes from the distribution template and is no longer needed.
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

// All log categories are discarded: no query, security or lame-server
// messages are recorded anywhere. For incident review consider sending at
// least the "security" category to syslog instead of null.
logging {
    channel null { null; };
    category default { null; };
};

// Root hints for recursion.
zone "." IN {
    type hint;
    file "named.ca";
};

// Local mesh zone, maintained in the ffin-gateway repository.
zone "ffin" {
        type master;
        file "/var/freifunk/ffin-gateway/dns/db.ffin";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
# resolv.conf: the gateway itself resolves via the local named instance.
nameserver 127.0.0.1

Installation und Konfiguration von fastd

Für fastd muss zuerst das EPEL-Repository hinzugefügt werden.

# fastd-master.conf: settings shared by all mesh instances; each instance
# includes this file and adds its own interface and status socket.
# Keep this file readable by root only - it contains the private key.

# Bind to a fixed address and port (:31416) on the public interface,
# for IPv4 and IPv6; <...> are placeholders.
bind <ipv4-Adresse>:31416 interface "eth0";
bind [<ipv6-Adresse>]:31416 interface "eth0";

# Set the user fastd drops to after setting up the interface.
user "nobody";

# Set the mtu of the interface (salsa2012 with ipv6 will need 1406)
mtu 1320;

# Set the methods
method "salsa2012+umac";

# Secret key generated by `fastd --generate-key`
secret "<secret hier einfügen>";

# Set peers directory
include peers from "peers/";

# Allow any connection but blacklist: the verify script decides for peers
# whose key is not in the peers directory, so the mesh is open to any node
# the blacklist does not reject. Every peer gets full layer-2 mesh access.
on verify "/bin/bash /var/freifunk/ffin-gateway/blacklist.sh";

# Runs as root before privileges are dropped: attach the tunnel interface to
# batman-adv, bring up bat0 (ONBOOT=no in its ifcfg) and announce this host
# as a batman gateway with bridge-loop avoidance.
on up "
    #ip link set dev $INTERFACE address ba:d1:de:af:01:02
    ip link set dev $INTERFACE up
    batctl if add $INTERFACE
    ifup bat0
    batctl gw server 1024MBit/1024MBit
    batctl bl 1
";

Nun für jeden CPU-Kern innerhalb des Ordners /etc/fastd/mesh einen Unterordner erzeugen: mkdir /etc/fastd/mesh/{01..07}

Für jeden Unterordner eine fastd.conf anlegen: vim /etc/fastd/mesh/01/fastd.conf

# Per-instance fastd.conf (here instance 01); only the interface name and the
# status socket differ between instances, everything else is inherited.
include "../fastd-master.conf";

# Set the interface name
interface "mesh-ffin-01";

# Status Socket, placed in the RuntimeDirectory created by the systemd unit.
status socket "/run/fastd/mesh-ffin-01.sock";

Systemd-Service erstellen: vim /etc/systemd/system/fastd\@.service

# fastd@.service - template unit, one instance per CPU core
# (fastd@mesh-01 ... fastd@mesh-07). systemd unescapes "-" back to "/" in
# %I, so fastd@mesh-01 reads /etc/fastd/mesh/01/fastd.conf.
[Unit]
Description=Fast and Secure Tunnelling Daemon (connection %I)
After=network.target

[Service]
Type=notify
# /run/fastd holds the per-instance status sockets.
RuntimeDirectory=fastd
# 0777 makes /run/fastd world-writable, so any local user can create or
# replace sockets there. The wide mode is presumably needed because fastd
# drops to "nobody" (fastd-master.conf) - confirm whether the status socket
# is opened before the privilege drop; if so 0755 is sufficient.
RuntimeDirectoryMode=0777
ExecStart=/usr/bin/fastd --syslog-level info --syslog-ident fastd@%I -c /etc/fastd/%I/fastd.conf
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target 

Netzwerkkonfiguration

# ifcfg file for the batman-adv interface facing the mesh clients.
DEVICE=bat0
BOOTPROTO=none
# Not started at boot: fastd's "on up" hook runs "ifup bat0" once the first
# mesh tunnel has been attached to batman-adv.
ONBOOT=no
TYPE=BAT
# Gateway address used as router and DNS server in dhcpd.conf.
IPADDR=10.10.0.2
NETMASK=255.255.0.0
IPV6INIT=yes
# Same address that radvd advertises as RDNSS and named listens on.
IPV6ADDR=2a03:2260:116::2/64

Download und Installation von Batman-adv

batman-adv

Loopback-Interface konfigurieren

# ifcfg file for the loopback interface with a second, public address.
DEVICE=lo
IPADDR0=127.0.0.1
# The FFRL-assigned gateway address (placeholder); presumably the same
# address that bird announces as a /32 and that the SNAT rule uses.
IPADDR1=<FFRL Gateway IP>
PREFIX0=8
PREFIX1=32
ONBOOT=yes
NAME=loopback

# bird.conf (IPv4): announce the gateway's FFRL host route to the Rheinland
# backbone and import only a default route from it.
log syslog { remote, warning, error, auth, fatal, bug };
#debug protocols all;
router id 10.10.0.2;

# Directly connected networks of every interface.
protocol direct {
        interface "*";
};

# Keep the server's own network out of the export to the kernel;
# <...> is a placeholder.
filter not_local {
        if net ~ <IP und Subnetz des Servers> then reject;
        else accept;
};

# Learned routes go into kernel table 42, which the "ip rule ... lookup 42"
# entries in the Routing section select for mesh- and FFRL-sourced traffic.
protocol kernel {
        device routes;
        import all;
        export filter not_local;
        kernel table 42;
};

protocol device {
        scan time 8;
};

# True only for the default route; the uplinks import nothing else.
function is_default() {
        return (net ~ [0.0.0.0/0]);
};

# Only the gateway's public FFRL address is announced upstream.
filter hostroute {
        if net ~ 185.66.194.5/32 then accept;
        reject;
};

# Shared settings for both FFRL sessions: import only the default route,
# export only the host route, rewrite the next hop to this router.
# No session password is configured here; confirm with the FFRL peering
# policy whether one is expected.
template bgp uplink {
        local as 65252;
        import where is_default();
        export filter hostroute;
        next hop self;
        multihop 64;
        default bgp_local_pref 200;
};

# Session presumably carried over the tun-ffrl-fra GRE tunnel.
protocol bgp ffrl_fra from uplink {
        source address 100.64.0.141;
        neighbor 100.64.0.140 as 201701;
};

# Session presumably carried over the tun-ffrl-ber GRE tunnel.
protocol bgp ffrl_ber from uplink {
        source address 100.64.0.143;
        neighbor 100.64.0.142 as 201701;
};


# bird6.conf (IPv6): same structure as the IPv4 configuration, announcing the
# mesh /48 to the Rheinland backbone and importing only a default route.
# Unlike the IPv4 file, debug/trace/info logging and "debug protocols all"
# are enabled here, which is very verbose in production; disable once the
# sessions are stable.
log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
debug protocols all;
router id 10.10.0.2;

protocol direct {
        interface "*";  # Restrict network interfaces it works with
}

# Keep the server's own prefix out of the export to the kernel;
# <...> is a placeholder.
filter not_local {
        if net ~ <IPv6 und Subnetz des Servers> then reject;
        else accept;
}


# Learned routes go into kernel table 42, selected by the
# "ip -6 rule add from 2a03:2260:116::/48 lookup 42" entry in the Routing section.
protocol kernel {
    device routes;
        import all;
#        export all;
    export filter not_local;
        kernel table 42; # ip table to use
}

protocol device {
        scan time 10;           # Scan interfaces every 10 seconds
}

# True only for the default route; the uplinks import nothing else.
function is_default() {
    return (net ~ [::/0]);
}

# Only the mesh /48 is announced upstream.
filter hostroute {
    if net ~ 2a03:2260:116::/48 then accept;
    reject;
}

# Shared settings for both FFRL sessions. No session password is configured
# here; confirm with the FFRL peering policy whether one is expected.
template bgp uplink {
        local as 65252;
        import where is_default();
    export filter hostroute;
    gateway recursive;
}

protocol bgp ffrl_fra from uplink {
        description "Rheinland Backbone";
    source address 2a03:2260:0:4e::2;
        neighbor 2a03:2260:0:4e::1 as 201701;
}

protocol bgp ffrl_ber from uplink {
        description "Rheinland Backbone";
    source address 2a03:2260:0:4f::2;
        neighbor 2a03:2260:0:4f::1 as 201701;
}

Unit-Datei für systemd anlegen

Firewall

Firewalld deinstallieren

# iptables-config: persist the running rule set whenever the service stops
# or restarts, so manual changes on the host overwrite the saved rules file.
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

# Rule set in iptables-save format.
# Note: the filter table holds no rules and all three chains default to
# ACCEPT, so this file performs no packet filtering at all - INPUT on the
# public interface is open and access control rests entirely on each
# service's own listen/allow settings (named, ntpd, fastd).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Rules for marking incoming packets
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Clamp TCP MSS on all GRE tunnels to the 1280-byte MTU handed to mesh clients.
-A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o tun-+ -j TCPMSS --set-mss 1280
# Mark mesh-originated traffic and this host's own DNS traffic leaving eth0
# with fwmark 0x1. The "ip rule ... fwmark 0x1" entry that would consume the
# mark is not part of this page - confirm it exists on the host.
-A PREROUTING -i bat0 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o eth0 -p udp --dport 53 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o eth0 -p tcp --dport 53 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Route to the VPN via NAT.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Everything leaving through the FFRL tunnels is source-NATed to the
# gateway's public FFRL address (the same address bird announces).
-A POSTROUTING -o tun-+ -j SNAT --to-source 185.66.194.5
COMMIT

Routing

# Oneshot unit installing the policy-routing rules: traffic from the FFRL
# address block and from the mesh prefixes is looked up in kernel table 42,
# the table bird populates in both its IPv4 and IPv6 configurations.
[Unit]
Description=Freifunk related ip rules

[Service]
Type=oneshot
# NOTE(review): the rules are only added, not removed on stop; restarting the
# unit presumably creates duplicate rule entries - confirm or add ExecStop.
ExecStart=/usr/sbin/ip rule add from 185.66.194.5/30 lookup 42
ExecStart=/usr/sbin/ip rule add from 10.10.0.0/16 lookup 42
ExecStart=/usr/sbin/ip -6 rule add from 2a03:2260:116::/48 lookup 42

[Install]
WantedBy=multi-user.target

Journal.d dekonfigurieren

# journald settings: keep the journal in memory only and limit retention to
# one minute.
# Operational note: with Storage=volatile and ForwardToSyslog=no nothing
# here survives a reboot or more than a minute of runtime, so this host keeps
# no usable log trail for later incident review unless logs are shipped
# elsewhere (bird and fastd log via syslog - see those sections).
Storage=volatile
MaxRetentionSec=1m
MaxFileSec=1m
ForwardToSyslog=no 
# Only messages at "error" or more severe are stored at all.
MaxLevelStore=error

NTPD

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
# Based on the distribution template; the mesh networks are added as
# less-restricted clients below.

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# "noquery" in the default also blocks the monlist-style amplification
# queries from arbitrary sources.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
# Mesh clients may synchronize and also run ntpq/ntpdc status queries
# ("noquery" is not set here); "disable monitor" below keeps the monlist
# amplification vector closed for them as well.
restrict 10.10.0.0 mask 255.255.0.0 nomodify notrap
restrict 2a03:2260:116:: mask ffff:ffff:ffff:: nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.de.pool.ntp.org iburst
server 1.de.pool.ntp.org iburst
server 2.de.pool.ntp.org iburst
server 3.de.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

alfred

# alfred.service: runs the A.L.F.R.E.D. fact distribution daemon on bat0.
# Depends on the first fastd instance (fastd@mesh-01, i.e. /etc/fastd/mesh/01),
# whose "on up" hook is what brings bat0 into existence.
[Unit]
Description=ALFRED Fact Distribution Daemon
Requires=fastd@mesh-01.service
After=fastd@mesh-01.service

[Service]
Type=simple
# Runs as root (no User= set).
ExecStart=/usr/sbin/alfred -i bat0

[Install]
WantedBy=multi-user.target

batadv-vis

# batadv-vis.service: publishes batman-adv topology data through alfred
# (server mode, -s); therefore ordered after alfred.service.
[Unit]
Description=Batman-adv VIS
Requires=alfred.service
After=alfred.service

[Service]
Type=simple
# Runs as root (no User= set).
ExecStart=/usr/sbin/batadv-vis -s

[Install]
WantedBy=multi-user.target

ffnord-alfred-announce

# Crontab entry: run the ffnord alfred announce script every minute with an
# explicit PATH (cron's default PATH does not include the sbin directories).
* * * * * PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin /opt/ffnord-alfred-announce/announce.sh

Statistik