X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup-local;h=d900897993b2d7503c41e9b3620229e9f4621c10;hp=1f0a2d547cf90223d71b5646a688ed6e329809e3;hb=739efea3642e2f8a7a672c4600da152a27bedf1a;hpb=2fad38490e36bd2f0328b82c38448d9675e662e8 diff --git a/wrt-setup-local b/wrt-setup-local index 1f0a2d5..d900897 100755 --- a/wrt-setup-local +++ b/wrt-setup-local @@ -38,9 +38,6 @@ EOF } - - - secrets=false if [[ -e /root/router-secrets ]]; then secrets=true @@ -53,14 +50,20 @@ fi : ${hostname:=wrt} +zblock=false +if [[ -e /root/zblock ]]; then + zblock=true +fi + dnsmasq_restart=false +unbound_restart=false firewall_restart=false dev2=false test=false client=false libremanage_host=wrt2 lanip=1 -while getopts hm:t: opt; do +while getopts hm:t:yz opt; do case $opt in h) usage ;; t) @@ -86,6 +89,14 @@ while getopts hm:t: opt; do *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;; esac ;; + y) + zblock=false + rm -f /root/zblock + ;; + z) + zblock=true + touch /root/zblock + ;; m) mac=$OPTARG ;; *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;; esac @@ -187,7 +198,9 @@ udel() { eval $restart_var=true fi } - +cedit() { + v command cedit -v "$@" +} ### network config 
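Review bot: The flag initialized in the second hunk as `unbound_restart=false` is never read: the unbound section added later in this commit sets and tests a differently named variable (`... || restart_unbound=true` and `if $restart_unbound; then`), so that one starts unset and `if $restart_unbound` expands to an empty command, which bash treats as success, restarting unbound on every run (or aborting the script if `set -u` is in effect). Rename the three later uses to `unbound_restart` so they match this initialization and the existing `dnsmasq_restart`/`firewall_restart` naming. The same mismatch applies to the unbound hunk further down this diff, whose header is garbled in this extract.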
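Review bot: The new `y)` and `z)` arms create or delete `/root/zblock` while options are still being parsed, so an invalid option later on the command line that ends in `usage 1` has already changed the persistent flag file; recording the choice in `zblock` inside the loop and doing the `touch`/`rm -f` once after `getopts` finishes keeps option parsing free of side effects. The `touch /root/zblock` status is also unchecked, so a read-only root would silently leave the flag unset on the next run. The usage text is outside this hunk; if it enumerates options it should gain `-y`/`-z` with a one-line explanation of the persistent flag.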
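Review bot: The new `cedit()` wrapper carries no comment saying why it shadows the external command, and `command cedit` only reads as intentional once you notice the function has the same name; a one-liner such as `# always pass -v to cedit; 'command' bypasses this function so it does not recurse` above it would save the next reader the lookup. The `udel()` body shown just before it starts outside the hunk.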
@@ -344,7 +357,8 @@ fi # /root/relay_1.0-1_mips_24kc.ipk v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \ tcpdump openvpn-openssl adblock libusb-compat \ - screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync + screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\ + unbound-daemon-heavy unbound-checkconf cat >/etc/libremanage.conf < [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers => 'fd58:5801:8e02::1' # but i dont want ipv6 dns, just keep it simple to ipv4. -uset dhcp.@odhcpd[0].dns 10.2.0.1 +# I know my isp doesnt have ipv6 right now, +# so just stop this thing. +# note: tried this, it didn't do anything: +# uset dhcp.@odhcpd[0].dns 10.2.0.1 +/etc/init.d/odhcpd stop +/etc/init.d/odhcpd disable +# todo: make the above conditional on which server this is. + +# avoid errors in log. current isp doesnt have ipv6 +uset unbound.@unbound[0].protocol ip4_only + +# todo: im not sure all these are needed, but they all look +# like good options. +# https://blog.cloudflare.com/dns-over-tls-for-openwrt/ +# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2 +#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/ +# +# # i found that the zone example was having no effect on the config +# # here: +# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md +# +# # todo: unbound-control, i'm not sure what the purpose of that thing is, some +# # kind of coordination with dhcp of dnsmasq, but what? +# +# note: for debugging, edit /etc/init.d/unbound, change +# procd_set_param command $PROG -d -c $UB_TOTAL_CONF +# to: +# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF + +{ + cat <<'EOF' +do-tcp: yes +prefetch: yes +qname-minimisation: yes +rrset-roundrobin: yes +use-caps-for-id: yes +do-ip6: no +private-domain: b8.nz +local-zone: "10.in-addr.arpa." 
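Review bot: The rewritten continuation line `screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\` drops the space before the backslash that the two preceding continuation lines keep; it still works because the following line is indented, but `... rsync \` keeps the list consistent and avoids a join if that indentation is ever removed. The added `unbound-daemon-heavy unbound-checkconf` entries bring no CA-certificate package with them; whether one is needed depends on how the OpenWrt unbound init builds `tls-cert-bundle:` for the DNS-over-TLS forward zone this commit configures later, which is worth confirming on the device rather than assuming.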
transparent +access-control-view: 10.2.0.31/32 "youtube" +EOF + + if $zblock; then + cat <<'EOF' +# amy, amyw, samsungtab +access-control-view: 10.2.0.8/32 "youtube" +access-control-view: 10.2.0.23/32 "youtube" +access-control-view: 10.2.0.32/32 "youtube" +EOF + fi +} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true + + +# dns based blocking vs ip based. with ip, same +# server can have multiple domains. in dns, +# you have to make sure clients to use the local dns. +# https dns will need to be blocked by ip in +# order to be comprehensive + +cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true +local-data-ptr: "10.2.0.1 cmc.b8.nz" +local-data-ptr: "10.2.0.2 kd.b8.nz" +local-data-ptr: "10.2.0.3 sy.b8.nz" +local-data-ptr: "10.2.0.4 wrt2.b8.nz" +local-data-ptr: "10.2.0.5 x2.b8.nz" +local-data-ptr: "10.2.0.6 x2w.b8.nz" +local-data-ptr: "10.2.0.7 syw.b8.nz" +local-data-ptr: "10.2.0.8 amy.b8.nz" +local-data-ptr: "10.2.0.9 bb8.b8.nz" +local-data-ptr: "10.2.0.12 demohost.b8.nz" +local-data-ptr: "10.2.0.14 wrt3.b8.nz" +local-data-ptr: "10.2.0.19 brother.b8.nz" +local-data-ptr: "10.2.0.23 amyw.b8.nz" +local-data-ptr: "10.2.0.25 hp.b8.nz" +local-data-ptr: "10.2.0.31 amazontab.b8.nz" +local-data-ptr: "10.2.0.32 samsungtab.b8.nz" +local-data-ptr: "10.173.0.2 transmission.b8.nz" +local-data-ptr: "10.173.8.1 defaultnn.b8.nz" +local-data-ptr: "10.173.8.2 nn.b8.nz" + +forward-zone: + name: "." +# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https + forward-addr: 1.1.1.3@853#family.cloudflare-dns.com + forward-addr: 1.0.0.3@853#family.cloudflare-dns.com + forward-ssl-upstream: yes + forward-first: no + +view: + name: "youtube" + local-zone: "googlevideo.com." refuse + local-zone: "video.google.com." refuse + local-zone: "youtu.be." refuse + local-zone: "youtube-nocookie.com." refuse + local-zone: "youtube-ui.l.google.com." refuse + local-zone: "youtube.com." refuse + local-zone: "youtube.googleapis.com." 
refuse + local-zone: "youtubeeducation.com." refuse + local-zone: "youtubei.googleapis.com." refuse + local-zone: "yt3.ggpht.com." refuse + local-zone: "youtubekids.com." refuse + # try global if no match in view + view-first: yes +EOF + + +if $restart_unbound; then + /etc/init.d/unbound restart + if ! unbound-checkconf; then + echo $0: error: unbound-checkconf failed >&2 + exit 1 + fi +fi # disabled for now. i want to selectively enable it @@ -775,7 +973,7 @@ EOF # so make sure we have this dir or else dnsmasq will fail # to start. mkdir -p /mnt/usb/tftpboot -v cedit /etc/dnsmasq.conf < 2.80. currently at 2.80. - # todo: download https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dnsmasq-full_2.84-1_mipsel_24kc.ipk - # and install it. then we can turn off dnssec in systemd-resolved + # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80. + # also we can turn off dnssec in systemd-resolved if we know the router is doing it. # # Also, reload of dnsmasq seems to break things, wifi # clients were not getting internet connectivity. + v /etc/init.d/dnsmasq restart fi
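Review bot: At the end of the unbound section, `/etc/init.d/unbound restart` runs before `unbound-checkconf`, so a broken `unbound_srv.conf`/`unbound_ext.conf` is handed to the live resolver first and the script only notices after LAN DNS is already down; validate first and restart only on success, as below. Note that `unbound-checkconf` with no argument reads the default `unbound.conf`, while the comment in this hunk says the init script runs unbound on a generated `$UB_TOTAL_CONF`; if that generated file is what includes the two edited fragments, pass it explicitly so the check covers them. The `echo $0: error: ...` line should quote its argument. The forward zone sets `forward-ssl-upstream: yes` with `#family.cloudflare-dns.com` auth names, but unbound only verifies those names when the server section provides `tls-cert-bundle:` (or `tls-system-cert:`), and nothing in this hunk sets it; confirm the OpenWrt-generated server section does, otherwise the upstream TLS session is encrypted but unauthenticated. The opening of this hunk is garbled in the extract (the heredoc text before the dhcp6 comment is lost), so I cannot see how the configuration block is introduced.

```shell
if $restart_unbound; then
  # validate before touching the running service so a bad edit
  # does not take LAN DNS down
  if ! unbound-checkconf; then
    echo "$0: error: unbound-checkconf failed" >&2
    exit 1
  fi
  /etc/init.d/unbound restart
fi
```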