X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup;h=86e82cfd128c78beb2cad792db041b3bb5f07ec0;hp=0c9fb29d5dce9c86b76551894d6808ad09c14fe6;hb=efcfb463ceda4de1d9953da31a2c0737471e5cf8;hpb=d3d495af167adba91b190e8dcb95649c34fa04c7 diff --git a/wrt-setup b/wrt-setup index 0c9fb29..86e82cf 100755 --- a/wrt-setup +++ b/wrt-setup @@ -1,8 +1,22 @@ #!/bin/bash +# Copyright (C) 2016 Ian Kelling -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR # ssh @@ -11,7 +25,6 @@ pmirror() { # doesn't go into the firmware. build new firmware if you want # lots of upgrades. f=(/tmp/opkg-lists/*) - f=${f[0]} if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then opkg update fi @@ -55,7 +68,8 @@ cat >.profile <<'EOF' exit } EOF -v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server tcpdump +v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \ + tcpdump openvpn-openssl 
@@ -103,12 +117,11 @@ EOF - # exportfs -ra won't cut it when its the same path, but now a bind mount +# exportfs -ra wont cut it when its the same path, but now a bind mount cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||: /mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) # for arch pxe /run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) - EOF 
@@ -117,132 +130,243 @@ v /etc/init.d/nfsd start v /etc/init.d/portmap enable v /etc/init.d/nfsd enable -# default is 250, but my switch wants a high static address by default, -# and I don't need that many, so lets just reduce it. -sed -ri 's/^(.*option limit ).*/\1100/' /etc/config/dhcp -cedit /etc/config/firewall <<'EOF' || /etc/init.d/firewall restart -# port forwarding -config redirect -option name bittorrent -option src wan -option src_dport 63324 -option dest_ip 192.168.1.2 -option dest lan -# making the port open (not sure if this is actually needed) -config rule -option src wan -option target ACCEPT -option dest_port 63324 -config redirect -option name frodobittorrent -option src wan -option src_dport 63326 -option dest_ip 192.168.1.3 -option dest lan -config rule -option src wan -option target ACCEPT -option dest_port 63326 -config redirect -option name treetowlsyncthing -option src wan -option src_dport 22000 -option dest_ip 192.168.1.2 -option dest lan -option proto tcp +######### uci example:####### +# # https://wiki.openwrt.org/doc/uci +# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') +# wan="firewall.@zone[$wan_index]" +# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then +# # default is wan +# v uci set firewall.@forwarding[0].dest=$forward_dest +# uci commit firewall +# firewall_restart=true +# fi -config rule -option src wan -option target ACCEPT -option dest_port 22000 +########## openvpn exampl +########## missing firewall settings for routing lan +########## traffic +# v /etc/init.d/openvpn start +# v /etc/init.d/openvpn enable + +# # from https://wiki.openwrt.org/doc/uci/firewall +# # todo: not sure if /etc/init.d/network needs restarting. +# # I did, and I had to restart the vpn afterwards. +# # This maps a uci interface to a real interface which is +# # managed outside of uci. 
+# v cedit /etc/config/network <<'EOF' ||: +# config interface 'tun0' +# option ifname 'tun0' +# option proto 'none' +# EOF +# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart +# config openvpn my_client_config +# option enabled 1 +# option config /etc/openvpn/client.conf +# EOF + + +v cedit /etc/config/network <<'EOF' || v /etc/init.d/network reload +config 'route' 'transmission' + option 'interface' 'lan' + option 'target' '10.173.0.0' + option 'netmask' '255.255.0.0' + option 'gateway' '192.168.1.2' +EOF + +v cedit /etc/config/firewall <<'EOF' || firewall_restart=true config redirect -option name bithtpc -option src wan -option src_dport 63325 -option dest_ip 192.168.1.4 -option dest lan + option name ssh + option src wan + option src_dport 22 + option dest_ip 192.168.1.2 + option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 22 +config redirect + option name sshalt + option src wan + option src_dport 2222 + option dest_port 22 + option dest_ip 192.168.1.3 + option dest lan config rule -option src wan -option target ACCEPT -option dest_port 63325 + option src wan + option target ACCEPT + option dest_port 2222 +config redirect + option src wan + option src_dport 443 + option dest lan + option dest_ip 192.168.1.2 + option proto tcp +config rule + option src wan + option target ACCEPT + option dest_port 443 + option proto tcp config redirect -option name ssh -option src wan -#uncomment the 2 lines for security of using a non-standard port -# and comment out the 22 port line -# option src_dport 63321 -option src_dport 22 -option dest_ip 192.168.1.2 -option dest lan -# option dest_port 22 # already default + option src wan + option src_dport 80 + option dest lan + option dest_ip 192.168.1.2 + option proto tcp +config rule + option src wan + option target ACCEPT + option dest_port 80 + option proto tcp +config redirect + option name syncthing + option src wan + option src_dport 22001 + option dest_ip 192.168.1.2 + 
option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 22001 + +#### begin rules for nfs #### +# https://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs +# https://wiki.debian.org/SecuringNFS +# I had no /etc/default/quota, or any process named quota anything, +# so, assumed that was unneeded. seems to work. +config redirect + option src wan + option src_dport 111 + option dest_ip 192.168.1.2 + option dest lan config rule -option src wan -option target ACCEPT -option dest_port 22 + option src wan + option target ACCEPT + option dest_port 111 +config redirect + option src wan + option src_dport 2049 + option dest_ip 192.168.1.2 + option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 2049 +config redirect + option src wan + option src_dport 32764 + option dest_ip 192.168.1.2 + option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 32764 +config redirect + option src wan + option src_dport 32765 + option dest_ip 192.168.1.2 + option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 32765 +config redirect + option src wan + option src_dport 32766 + option dest_ip 192.168.1.2 + option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 32766 +config redirect + option src wan + option src_dport 32767 + option dest_ip 192.168.1.2 + option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 32767 +config redirect + option src wan + option src_dport 32768 + option dest_ip 192.168.1.2 + option dest lan +config rule + option src wan + option target ACCEPT + option dest_port 32768 +#### end rules for nfs #### -# for https config redirect - option src wan - option src_dport 443 - option dest lan - option dest_ip 192.168.1.2 - option proto tcp - + option name mariadb + option src wan + option src_dport 3306 + option dest lan + option dest_ip 
192.168.1.2 + option proto tcp config rule - option src wan - option target ACCEPT - option dest_port 443 - option proto tcp - -# not using http server atm, so disable it. -# config redirect -# option src wan -# option src_dport 80 -# option dest lan -# option dest_ip 192.168.1.2 -# option proto tcp - -# config rule -# option src wan -# option target ACCEPT -# option dest_port 80 -# option proto tcp + option src wan + option target ACCEPT + option dest_port 3306 + option proto tcp + + EOF + + dnsmasq_restart=false -cedit /etc/hosts < # default dhcp range is 100-150 -dhcp-host=f4:6d:04:02:ee:eb,192.168.1.2,treetowl -dhcp-host=00:26:18:97:bb:16,192.168.1.3,frodo -dhcp-host=10:78:d2:da:29:22,192.168.1.4,htpc -dhcp-host=00:1f:16:16:39:24,192.168.1.5,x2 +dhcp-host=f4:6d:04:02:ed:66,set:treetowl,192.168.1.2,treetowl +dhcp-host=00:26:18:97:bb:16,set:frodo,192.168.1.3,frodo +dhcp-host=10:78:d2:da:29:22,set:htpc,192.168.1.4,htpc +dhcp-host=00:1f:16:16:39:24,set:x2,192.168.1.5,x2 # this is so fai can have an explicit name to use for testing, # or else any random machine which did a pxe boot would get # reformatted. The mac is from doing a virt-install, cancelling it, # and copying the generated mac, so it should be randomish. -dhcp-host=52:54:00:9c:ef:ad,192.168.1.6,demohost -dhcp-host=52:54:00:56:09:f9,192.168.1.7,faiserver -dhcp-host=80:fa:5b:1c:6e:cf,192.168.1.8,tp +dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost +#dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver +dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp +dhcp-host=c4:43:8f:f2:79:1f,set:n5,192.168.1.9,n5 # this is the ip it picks by default if dhcp fails, # so might as well use it. # hostname is the name it uses according to telnet -dhcp-host=b4:75:0e:94:29:ca,192.168.1.251,switch9429ca +dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,192.168.1.251,switch9429ca # template # dhcp-host=,192.168.1., + +# Just leave the tftp server up even if we aren't doing pxe boot. 
+# It has no sensitive info. +enable-tftp=br-lan +tftp-root=/mnt/usb/tftpboot EOF if $dnsmasq_restart; then v /etc/init.d/dnsmasq restart fi + +if $firewall_restart; then + v /etc/init.d/firewall restart +fi
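Review bot: `firewall_restart` is never initialised, only assigned `true` in `v cedit /etc/config/firewall <<'EOF' || firewall_restart=true`, so on a run where the config is unchanged the closing `if $firewall_restart; then` expands to an empty command, which succeeds, and the firewall is restarted on every invocation; mirror the existing `dnsmasq_restart=false` with `firewall_restart=false` placed before that `v cedit` line. Separately, the new redirect/rule pairs forward rpcbind (111), nfsd (2049), 32764-32768 and MariaDB (3306) from `wan` to 192.168.1.2, and the NFS entries carry no `option proto`, so UDP 111 is reachable from the internet as well, which is a known reflection/amplification vector on top of NFS's host-based authentication. Given this same commit installs `openvpn-openssl`, I'd serve NFS and MariaDB only over the tunnel, or at minimum add `option proto tcp` and an `option src_ip` restriction to those redirects. The `config rule` blocks with `src wan` and no `dest` are input rules for the router itself, which the context above shows running portmap/nfsd; the DNAT in the matching redirect presumably takes precedence, but unless they are known to be required (the removed code's own comment doubted it) they widen the router's exposure for no gain and should be dropped.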