--- /dev/null
+firewall rules, temporarily disabled until I get them working
+
+
+#### begin port forwarding rules ####
+ # each port forward needs corresponding forward in the vpn server
+config redirect
+ option name ssh
+ option src wan
+ # example of using a non-standard port
+ # and comment out the 22 port line
+ # option src_dport 63321
+ # option dest_port 22 # already default
+ option src_dport 22
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 22
+
+
+config redirect
+ option name bittorrent
+ option src vpn
+ option src_dport 63324
+ option dest_ip 192.168.1.2
+ option dest lan
+# making the port open (not sure if this is actually needed)
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 63324
+
+config redirect
+ option name frodobittorrent
+ option src vpn
+ option src_dport 63326
+ option dest_ip 192.168.1.3
+ option dest lan
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 63326
+
+
+config redirect
+ option name treetowlsyncthing
+ option src vpn
+ option src_dport 22000
+ option dest_ip 192.168.1.2
+ option dest lan
+ option proto tcp
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 22000
+
+
+config redirect
+ option name bithtpc
+ option src vpn
+ option src_dport 63325
+ option dest_ip 192.168.1.4
+ option dest lan
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 63325
+
+
+
+
+
+# http server
+ # for https
+ # config redirect
+ # option src wan
+ # option src_dport 443
+ # option dest lan
+ # option dest_ip 192.168.1.2
+ # option proto tcp
+
+ # config rule
+ # option src wan
+ # option target ACCEPT
+ # option dest_port 443
+ # option proto tcp
+
+ # config redirect
+ # option src wan
+ # option src_dport 80
+ # option dest lan
+ # option dest_ip 192.168.1.2
+ # option proto tcp
+
+ # config rule
+ # option src wan
+ # option target ACCEPT
+ # option dest_port 80
+ # option proto tcp
+
+#### end port forwarding rules ####
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
# ssh
pmirror() {
v /etc/init.d/portmap enable
v /etc/init.d/nfsd enable
-v /etc/init.d/openvpn start
-v /etc/init.d/openvpn enable
-
-
-# setup to use only vpn in 5 ways:
-# set lan forward to vpn instead of wan,
-# disable wan masquerade,
-# set the default for outgoing to reject,
-# open wan port 1194 and 22 (ssh is too useful),
-# setup port forwardings to use vpn.
-firewall_restart=false
-# https://wiki.openwrt.org/doc/uci
-if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
- # default is wan
- # https://wiki.openwrt.org/doc/uci
- v uci set firewall.@forwarding[0].dest=vpn
- uci commit firewall
- firewall_restart=true
-fi
-wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
-w="firewall.@zone[$wan_index]"
-if [[ $(uci get $w.masq) == 1 ]]; then
- v uci set $w.masq=0
- uci commit firewall
- firewall_restart=true
-fi
-if [[ $(uci get $w.output) != REJECT ]]; then
- v uci set $w.masq=REJECT
- uci commit firewall
- firewall_restart=true
-fi
-if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
- # default is wan
- v uci set uci set firewall.@forwarding[0].dest=vpn
- uci commit firewall
- firewall_restart=true
-fi
-# from https://wiki.openwrt.org/doc/uci/firewall
-# todo: not sure if /etc/init.d/network needs restarting.
-# I did, and I had to restart the vpn afterwards.
-# This maps a uci interface to a real interface which is
-# managed outside of uci.
-cedit /etc/config/network <<'EOF' ||:
-config interface 'tun0'
- option ifname 'tun0'
- option proto 'none'
-EOF
+######### uci example:#######
+# # https://wiki.openwrt.org/doc/uci
+# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
+# wan="firewall.@zone[$wan_index]"
+# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
+# # default is wan
+# v uci set firewall.@forwarding[0].dest=$forward_dest
+# uci commit firewall
+# firewall_restart=true
+# fi
-# each port forward needs corresponding forward in the vpn server
-cedit /etc/config/firewall <<'EOF' || firewall_restart=true
-config zone
- option name vpn
- list network 'tun0'
- option input REJECT
- option output ACCEPT
- option forward REJECT
- option masq 1
+########## openvpn exampl
+########## missing firewall settings for routing lan
+########## traffic
+# v /etc/init.d/openvpn start
+# v /etc/init.d/openvpn enable
-config rule
- option dest wan
- option target ACCEPT
- option dest_port '1194 22'
+# # from https://wiki.openwrt.org/doc/uci/firewall
+# # todo: not sure if /etc/init.d/network needs restarting.
+# # I did, and I had to restart the vpn afterwards.
+# # This maps a uci interface to a real interface which is
+# # managed outside of uci.
+# v cedit /etc/config/network <<'EOF' ||:
+# config interface 'tun0'
+# option ifname 'tun0'
+# option proto 'none'
+# EOF
+# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
+# config openvpn my_client_config
+# option enabled 1
+# option config /etc/openvpn/client.conf
+# EOF
-# port forwarding
-config redirect
-option name bittorrent
-option src vpn
-option src_dport 63324
-option dest_ip 192.168.1.2
-option dest lan
-# making the port open (not sure if this is actually needed)
-config rule
-option src vpn
-option target ACCEPT
-option dest_port 63324
-
-config redirect
-option name frodobittorrent
-option src vpn
-option src_dport 63326
-option dest_ip 192.168.1.3
-option dest lan
-
-config rule
-option src vpn
-option target ACCEPT
-option dest_port 63326
+v cedit /etc/config/firewall <<'EOF' || firewall_restart=true
config redirect
-option name treetowlsyncthing
-option src vpn
-option src_dport 22000
-option dest_ip 192.168.1.2
-option dest lan
-option proto tcp
-
+ option name ssh
+ option src wan
+ option src_dport 22
+ option dest_ip 192.168.1.2
+ option dest lan
config rule
-option src vpn
-option target ACCEPT
-option dest_port 22000
-
-
-config redirect
-option name bithtpc
-option src vpn
-option src_dport 63325
-option dest_ip 192.168.1.4
-option dest lan
-
-config rule
-option src vpn
-option target ACCEPT
-option dest_port 63325
-
+ option src wan
+ option target ACCEPT
+ option dest_port 22
+EOF
-config redirect
-option name ssh
-option src wan
-# example of using a non-standard port
-# and comment out the 22 port line
-# option src_dport 63321
-# option dest_port 22 # already default
-option src_dport 22
-option dest_ip 192.168.1.2
-option dest lan
-config rule
-option src wan
-option target ACCEPT
-option dest_port 22
-
-
-# not using http server atm, so disable it.
-# for https
-# config redirect
-# option src wan
-# option src_dport 443
-# option dest lan
-# option dest_ip 192.168.1.2
-# option proto tcp
-
-# config rule
-# option src wan
-# option target ACCEPT
-# option dest_port 443
-# option proto tcp
-
-# config redirect
-# option src wan
-# option src_dport 80
-# option dest lan
-# option dest_ip 192.168.1.2
-# option proto tcp
-
-# config rule
-# option src wan
-# option target ACCEPT
-# option dest_port 80
-# option proto tcp
-EOF
-if $firewall_restart; then
- /etc/init.d/firewall restart
-fi
dnsmasq_restart=false
-cedit /etc/hosts <<EOF || dnsmasq_restart=true
+v cedit /etc/hosts <<EOF || dnsmasq_restart=true
192.168.1.1 wrt
192.168.1.2 treetowl faiserver
192.168.1.3 frodo
72.14.176.105 li
173.255.202.210 lj
23.239.31.172 lk
-104.131.150.120 dopub
+138.68.10.24 dopub
# cant ssh to do when on vpn. some routing/firewall rule or something,
# I don't know. I can get there from wrt but not my machine.
# but we can get to it from this address, so, good enough.
# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
-cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true
+v cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true
############ updating dns servers ###################3
v /etc/init.d/dnsmasq restart
fi
-cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
-config openvpn my_client_config
- option enabled 1
- option config /etc/openvpn/client.conf
-EOF
+if $firewall_restart; then
+ v /etc/init.d/firewall restart
+fi
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+cd "${BASH_SOURCE%/*}"
+
h=root@192.168.1.1
scp /a/bin/fai/wrt-setup /a/bin/cedit/cedit $h:/usr/bin
-ssh $h <<'EOF'
+ssh $h <<EOF
if ! opkg list-installed|grep bash; then
opkg update
opkg install bash
fi
wrt-setup
EOF
-
-if ! ssh wrt test -e /etc/openvpn/client.key; then
- /a/bin/vpn-setup/vpn-mk-client-cert do wrt
- sleep 10 # wait for connection before we try to ssh
-fi
-
-
-ssh do bash <<'EOFOUTER'
-set -eE -o pipefail
-old_rules="$(iptables -t nat -S PREROUTING)"
-iptables -t nat -F PREROUTING
-
-rm -rf /root/port-forwards
-for port in 63324 63326; do
-for proto in udp tcp; do
-echo iptables -t nat -A PREROUTING -i eth0 -p $proto -m $proto --dport $port -j DNAT --to-destination 10.8.0.6:$port >> /root/port-forwards
-done
-done
-chmod +x /root/port-forwards
-
-sudo dd of=/etc/systemd/system/myport-forward.service <<EOF
-[Unit]
-Description=Turns on port forwarding rules
-
-[Service]
-Type=oneshot
-ExecStart=/root/port-forwards
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl daemon-reload # needed if the file was already there
-systemctl enable myport-forward.service
-
-/root/port-forwards
-diff <(echo "$old_rules") <(iptables -t nat -S PREROUTING) ||:
-EOFOUTER
iankelling.org / git / automated-distro-installer / commitdiff