#!/bin/bash
+# Copyright (C) 2016 Ian Kelling
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
# doesn't go into the firmware. build new firmware if you want
# lots of upgrades.
f=(/tmp/opkg-lists/*)
- f=${f[0]}
if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then
opkg update
fi
# EOF
+v cedit /etc/config/network <<'EOF' || v /etc/init.d/network reload
+config 'route' 'transmission'
+ option 'interface' 'lan'
+ option 'target' '10.173.0.0'
+ option 'netmask' '255.255.0.0'
+ option 'gateway' '192.168.1.2'
+EOF
v cedit /etc/config/firewall <<'EOF' || firewall_restart=true
config redirect
option target ACCEPT
option dest_port 22
+config redirect
+ option name sshalt
+ option src wan
+ option src_dport 2222
+ option dest_port 22
+ option dest_ip 192.168.1.3
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 2222
-#http/https
config redirect
- option src wan
- option src_dport 443
- option dest lan
- option dest_ip 192.168.1.2
- option proto tcp
+ option src wan
+ option src_dport 443
+ option dest lan
+ option dest_ip 192.168.1.2
+ option proto tcp
config rule
- option src wan
- option target ACCEPT
- option dest_port 443
- option proto tcp
+ option src wan
+ option target ACCEPT
+ option dest_port 443
+ option proto tcp
config redirect
- option src wan
- option src_dport 80
- option dest lan
- option dest_ip 192.168.1.2
- option proto tcp
+ option src wan
+ option src_dport 80
+ option dest lan
+ option dest_ip 192.168.1.2
+ option proto tcp
config rule
- option src wan
- option target ACCEPT
- option dest_port 80
- option proto tcp
+ option src wan
+ option target ACCEPT
+ option dest_port 80
+ option proto tcp
+
+config redirect
+ option name syncthing
+ option src wan
+ option src_dport 22001
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 22001
+
+#### begin rules for nfs ####
+# https://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs
+# https://wiki.debian.org/SecuringNFS
+# I had no /etc/default/quota, or any process named quota anything,
+# so, assumed that was unneeded. seems to work.
+config redirect
+ option src wan
+ option src_dport 111
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 111
+config redirect
+ option src wan
+ option src_dport 2049
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 2049
+config redirect
+ option src wan
+ option src_dport 32764
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 32764
+config redirect
+ option src wan
+ option src_dport 32765
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 32765
+config redirect
+ option src wan
+ option src_dport 32766
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 32766
+config redirect
+ option src wan
+ option src_dport 32767
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 32767
+config redirect
+ option src wan
+ option src_dport 32768
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 32768
+#### end rules for nfs ####
+
+
+config redirect
+ option name mariadb
+ option src wan
+ option src_dport 3306
+ option dest lan
+ option dest_ip 192.168.1.2
+ option proto tcp
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 3306
+ option proto tcp
+
EOF
dnsmasq_restart=false
v cedit /etc/hosts <<EOF || dnsmasq_restart=true
192.168.1.1 wrt
-192.168.1.2 treetowl faiserver
-192.168.1.3 frodo
+192.168.1.2 treetowl mail.iankelling.org $HOME_DOMAIN
+192.168.1.3 frodo faiserver
192.168.1.4 htpc
192.168.1.5 x2
-192.168.1.6 testvm
+192.168.1.6 demohost
+#192.168.1.7 faiserver
192.168.1.8 tp
+192.168.1.9 n5
72.14.176.105 li
-173.255.202.210 lj
-23.239.31.172 lk
+45.33.9.11 lj
138.68.10.24 dopub
-# cant ssh to do when on vpn. some routing/firewall rule or something,
-# I don't know. I can get there from wrt but not my machine.
-# but we can get to it from this address, so, good enough.
-10.8.0.1 do
+# netns creation looks for next free subnet starting at 10.173, but I only
+# use one, and I would keep this one as the first created.
+10.173.0.2 transmission
EOF
# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
+# sometimes /mnt/usb fails, cuz it's just a flash drive,
+# so make sure we have this dir or else dnsmasq will fail
+# to start.
+mkdir -p /mnt/usb/tftpboot
v cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true
############ updating dns servers ###################3
# reformatted. The mac is from doing a virt-install, cancelling it,
# and copying the generated mac, so it should be randomish.
dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost
-dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver
+#dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver
dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp
+dhcp-host=c4:43:8f:f2:79:1f,set:n5,192.168.1.9,n5
# this is the ip it picks by default if dhcp fails,
# so might as well use it.
# hostname is the name it uses according to telnet
# Just leave the tftp server up even if we aren't doing pxe boot.
# It has no sensitive info.
+enable-tftp=br-lan
tftp-root=/mnt/usb/tftpboot
EOF