ffrl uplink and fastd split

master
Niklas Yann Wettengel 7 years ago
parent d2270e2e50
commit 99dddff862

@ -4,12 +4,22 @@
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if 'fastd' in group_names %}
{% for site in sites %}
-A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% for peer in wireguard_bb_peers %}
-A PREROUTING -i bb{{ peer.name }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endif %}
{% if 'ffrl_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
COMMIT
*filter
:INPUT DROP [0:0]
@ -21,6 +31,8 @@ COMMIT
# SSH-Server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
{% if 'fastd' in group_names %}
# dns
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
@ -33,19 +45,35 @@ COMMIT
-A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT
-A INPUT -s {{ site.wireguard_mesh_address }}/48 -p gre -j ACCEPT
{% endfor %}
{% endif %}
# wireguard_backbone
-A INPUT -s fdff:4d59:4bbb::/48 -p gre -j ACCEPT
{% for peer in wireguard_bb_peers %}
-A INPUT -i bb{{ peer.name }} -p udp --dport 6696 -j ACCEPT
{% if 'ffrl_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
{% endfor %}
{% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
{% endfor %}
{% endif %}
# MOSH
-A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
# ffrl bgp
{% if 'ffrl_uplink' in group_names %}
{% for peer in ffrl_peers %}
-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
{% endfor %}
{% endif %}
# LOG
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4
{% if 'fastd' in group_names %}
{% for site in sites %}
-A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
{% endfor %}
{% endif %}
-A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
COMMIT
*nat
@ -53,5 +81,4 @@ COMMIT
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mullvad -j MASQUERADE
COMMIT

@ -4,12 +4,22 @@
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if 'fastd' in group_names %}
{% for site in sites %}
-A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% for peer in wireguard_bb_peers %}
-A PREROUTING -i bb{{ peer.name }} -j MARK --set-xmark 0x1/0xffffffff
{% endif %}
{% if 'ffrl_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
COMMIT
*filter
:INPUT DROP [0:0]
@ -21,6 +31,8 @@ COMMIT
# SSH-Server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
{% if 'fastd' in group_names %}
# dns
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
@ -32,19 +44,38 @@ COMMIT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
# fastd
-A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
{% endif %}
# MOSH
-A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
{% if 'ffrl_uplink' in group_names %}
# ffrl-gre
{% for peer in ffrl_peers %}
-A INPUT -p gre -s {{ peer.remote }} -j ACCEPT
{% endfor %}
# ffrl bgp
{% for peer in ffrl_peers %}
-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
{% endfor %}
{% endif %}
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4
{% if 'fastd' in group_names %}
{% for site in sites %}
-A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
{% endfor %}
-A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT
{% endif %}
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mullvad -j MASQUERADE
{% if 'ffrl_uplink' in group_names %}
{% for peer in ffrl_peers %}
-A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
{% endfor %}
{% endif %}
COMMIT

@ -12,4 +12,5 @@ ip -4 rule add to 10.222.16.0/20 table ffmyk priority 10
ip -4 rule add to 10.222.32.0/19 table ffmyk priority 10
ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10
ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10
ip -6 rule add to 2001:470:cd45:FF00::/56 table ffmyk priority 10
ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10

@ -0,0 +1,14 @@
---
- name: copy site specific iproute up config script
template:
src: ffmyk-iproute-up.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
mode: 0744
with_items: "{{ sites }}"
- name: copy site specific iproute down config script
template:
src: ffmyk-iproute-down.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
mode: 0744
with_items: "{{ sites }}"

@ -4,25 +4,20 @@
path: /etc/iproute2/rt_tables
line: 42 ffmyk
- name: name ffrl routing table
lineinfile:
path: /etc/iproute2/rt_tables
line: 47 ffrl
when: "'ffrl_uplink' in group_names"
- name: copy ffmyk iproute config script
copy:
src: ffmyk-iproute.sh
dest: /usr/local/bin/ffmyk-iproute.sh
mode: 0744
- name: copy site specific iproute up config script
template:
src: ffmyk-iproute-up.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
mode: 0744
with_items: "{{ sites }}"
- name: copy site specific iproute down config script
template:
src: ffmyk-iproute-down.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
mode: 0744
with_items: "{{ sites }}"
- include_tasks: fastd_tasks.yml
when: "'fastd' in group_names"
- name: copy ffmyk iproute systemd service
copy:

@ -2,6 +2,7 @@
ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route del {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk
ip -4 rule del iif bat{{ item.name }} table ffmyk
ip -6 rule del iif bat{{ item.name }} table ffmyk

@ -10,3 +10,4 @@ ip -6 rule add from all iif bat{{ item.name }} type unreachable priority 200
ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route replace {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk

@ -1,10 +1,8 @@
---
- name: install fastd
become: yes
become_user: '{{ aur_user }}'
aur:
pacman:
name: babeld
tool: yaourt
state: present
- name: babeld.conf
template:

@ -5,10 +5,16 @@
ipv6-subtrees true
# You must provide at least one interface for babeld to operate on.
{% for peer in wireguard_bb_peers %}
interface bb{{ peer.name }}
{% if 'ffrl_uplink' in group_names %}
{% for peer in groups['fastd'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
#interface wlan0
{% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
{% endif %}
# Global options you might want to set. There are many more, see the man page.
#debug 1
@ -44,16 +50,14 @@ import-table 42
#in ip 2001:db8:cafe:cafe::/64 allow
#in deny
redistribute metric 128
{% if 'ffrl_uplink' in group_names %}
{% for peer in ffrl_peers %}
redistribute if {{ peer.name }} metric 128
{% endfor %}
{% endif %}
# Only redistribute addresses from a given prefix, to avoid redistributing
# all local addresses
redistribute ip 10.222.0.0/16 local allow
redistribute ip 2001:470:cd45:FF00::/56 local allow
redistribute ip 10.222.0.0/16 allow
redistribute ip 2001:470:cd45:FF00::/56 allow
redistribute ip 2a03:2260:1016::/48 allow
redistribute local deny
# Redistribute a default route obtained otherwise (here, through DHCP or
# configured statically).
# Note that babeld ignores kernel routes with proto 3 (boot) by default.
#redistribute proto 3 ip 0.0.0.0/0 eq 0 metric 50
#redistribute proto 3 ip ::/0 eq 0 metric 50

@ -22,7 +22,7 @@ options {
{% endfor %}
};
allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; };
allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; 2a03:2260:1016::/48; };
allow-transfer { none; };
allow-update { none; };

@ -1,10 +1,8 @@
---
- name: install fastd
become: yes
become_user: '{{ aur_user }}'
aur:
pacman:
name: fastd
tool: yaourt
state: present
- name: create site folder
file:

@ -18,7 +18,7 @@ interface bat{{ site.name }}
RDNSS {{ site.bat_ipv6 }}
{
AdvRDNSSLifetime 30;
AdvRDNSSLifetime 900;
};
};

@ -0,0 +1,29 @@
---
- name: create wireguard config for peers
template:
src: wg.conf.j2
dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
mode: 0400
with_items: "{{ groups['ffrl_uplink'] }}"
- name: create wireguard up scripts for peers
template:
src: up.sh.j2
dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['ffrl_uplink'] }}"
- name: create wireguard down scripts for peers
template:
src: down.sh.j2
dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['ffrl_uplink'] }}"
- name: start and enable wireguard mesh
systemd:
name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
enabled: yes
state: started
daemon_reload: yes
with_items: "{{ groups['ffrl_uplink'] }}"

@ -0,0 +1,29 @@
---
- name: create wireguard config for peers
template:
src: wg.conf.j2
dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
mode: 0400
with_items: "{{ groups['fastd'] }}"
- name: create wireguard up scripts for peers
template:
src: up.sh.j2
dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['fastd'] }}"
- name: create wireguard down scripts for peers
template:
src: down.sh.j2
dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['fastd'] }}"
- name: start and enable wireguard mesh
systemd:
name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
enabled: yes
state: started
daemon_reload: yes
with_items: "{{ groups['fastd'] }}"

@ -1,34 +1,11 @@
---
- name: create wireguard config for peers
template:
src: wg.conf.j2
dest: /etc/wireguard/wgbb{{ item.name }}.conf
mode: 0400
with_items: "{{ wireguard_bb_peers }}"
- name: create wireguard up scripts for peers
template:
src: up.sh.j2
dest: /etc/wireguard/upbb{{ item.name }}.sh
mode: 0744
with_items: "{{ wireguard_bb_peers }}"
- name: create wireguard down scripts for peers
template:
src: down.sh.j2
dest: /etc/wireguard/downbb{{ item.name }}.sh
mode: 0744
with_items: "{{ wireguard_bb_peers }}"
- name: create wireguard backbone service template
copy:
src: wgbackbone@.service
dest: /etc/systemd/system/wgbackbone@.service
- name: start and enable wireguard mesh
systemd:
name: wgbackbone@{{ item.name }}.service
enabled: yes
state: started
daemon_reload: yes
with_items: "{{ wireguard_bb_peers }}"
- include_tasks: ffrl_uplink_tasks.yml
when: "'ffrl_uplink' in group_names"
- include_tasks: fastd_tasks.yml
when: "'fastd' in group_names"

@ -1,5 +1,5 @@
#!/bin/bash
ip -4 rule del iif bb{{ item.name }} table ffmyk
ip -6 rule del iif bb{{ item.name }} table ffmyk
ip link set down dev bb{{ item.name }}
ip link del bb{{ item.name }}
ip -4 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk
ip -6 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk
ip link set down dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip link del bb{{ hostvars[item]['wireguard_bb_name'] }}

@ -1,8 +1,8 @@
#!/bin/bash
ip link add bb{{ item.name }} type wireguard
wg setconf bb{{ item.name }} /etc/wireguard/wgbb{{ item.name }}.conf
ip addr add {{ item.address6 }} dev bb{{ item.name }}
ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ item.address }}/32 dev bb{{ item.name }}
ip link set up dev bb{{ item.name }}
ip -4 rule add iif bb{{ item.name }} table ffmyk priority 10
ip -6 rule add iif bb{{ item.name }} table ffmyk priority 10
ip link add bb{{ hostvars[item]['wireguard_bb_name'] }} type wireguard
wg setconf bb{{ hostvars[item]['wireguard_bb_name'] }} /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
ip addr add {{ wireguard_bb_ipv6 }} dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ hostvars[item]['wireguard_bb_ipv4'] }}/32 dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip link set up dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip -4 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
ip -6 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10

@ -1,9 +1,9 @@
[Interface]
ListenPort = {{ item.local_port }}
PrivateKey = {{ wireguard_bb_key }}
ListenPort = {{ hostvars[item]['wireguard_bb_port'] }}
PrivateKey = {{ wireguard_bb_priv_key }}
[Peer]
PublicKey = {{ item.key }}
PublicKey = {{ hostvars[item]['wireguard_bb_pub_key'] }}
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = [{{ item.endpoint }}]:{{ item.remote_port }}
Endpoint = [{{ hostvars[item]['wireguard_bb_endpoint'] }}]:{{ wireguard_bb_port }}
PersistentKeepalive = 30

@ -0,0 +1,9 @@
---
- name: reenable netctl
command: netctl reenable {{ item.name }}
with_items: "{{ ffrl_peers }}"
- name: reload bird
systemd:
name: bird.service
state: reloaded

@ -0,0 +1,36 @@
---
- name: create netctl config
template:
src: netctl
dest: /etc/netctl/{{ item.name }}
with_items: "{{ ffrl_peers }}"
notify: reenable netctl
- name: enable netctl config
command: netctl enable {{ item.name }}
args:
creates: /etc/systemd/system/netctl@{{ item.name }}.service
with_items: "{{ ffrl_peers }}"
- name: start netctl config
systemd:
name: netctl@{{ item.name }}.service
state: started
with_items: "{{ ffrl_peers }}"
- name: install bird
pacman:
name: bird
state: present
- name: create bird config
template:
src: bird.conf
dest: /etc/bird.conf
notify: reload bird
- name: start and enable bird
systemd:
name: bird.service
state: started
enabled: yes

@ -0,0 +1,160 @@
timeformat protocol iso long;
log "bird.log" all;
# debug protocols all;
define ffrl_nat_address = {{ ffrl_ip4 }};
define ffmyk_as = 65032; # private AS of ffmyk
define ffrl_as = 201701; # public AS of rheinland
router id ffrl_nat_address;
ipv4 table ffrl4;
ipv6 table ffrl6;
function is_default4() {
return net ~ [
0.0.0.0/0
];
}
function is_default6() {
return net ~ [
::/0
];
}
function is_ffrl_nat4() {
return net ~ [
{{ ffrl_ip4 }}/32
];
}
function is_ffrl_public_nets6() {
return net ~ [
2a03:2260:1016::/48{48,56}
];
}
function is_ffrl_tunnel_nets4() {
return net ~ [
100.64.0.0/10
];
}
function is_ffrl_tunnel_nets6() {
return net ~ [
2a03:2260:0::/48
];
}
# BGP Import Filter für Rheinland
filter ebgp_ffrl_import_filter4 {
if is_default4() then accept;
reject;
}
# BGP Export Filter für Rheinland
filter ebgp_ffrl_export_filter4 {
if is_ffrl_nat4() then accept;
reject;
}
filter ebgp_ffrl_import_filter6 {
if is_default6() then accept;
reject;
}
filter ebgp_ffrl_export_filter6 {
if is_ffrl_public_nets6() then accept;
reject;
}
protocol device {
scan time 10;
}
# IP-NAT-Adresse legen wir in die interne BIRD Routing Table
protocol static ffrl_uplink_hostroute4 {
ipv4 { table ffrl4; };
route {{ ffrl_ip4 }}/32 reject;
}
protocol static ffrl_public_routes6 {
ipv6 { table ffrl6; };
route 2a03:2260:1016::/48 reject;
}
# Wir legen die Transfernetze in die interne BIRD Routing Table
#protocol direct {
# ipv4;
# table ffrl4;
# interface {% for peer in ffrl_peers %}"{{ peer.name }}", {% endfor %};
# import where is_ffrl_tunnel_nets4();
#}
# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
protocol kernel kernel_ffrl4 {
scan time 30;
ipv4 {
import none;
export filter {
krt_prefsrc = ffrl_nat_address;
accept;
};
table ffrl4;
};
kernel table 42;
};
protocol kernel kernel_ffrl6 {
scan time 30;
ipv6 {
import none;
export filter {
if is_default6() then accept;
reject;
};
table ffrl6;
};
kernel table 42;
};
# BGP Template für Rheinland Peerings
template bgp ffrl_uplink4 {
local as ffmyk_as;
ipv4 {
table ffrl4;
import keep filtered;
import filter ebgp_ffrl_import_filter4;
export filter ebgp_ffrl_export_filter4;
next hop self;
};
direct;
};
template bgp ffrl_uplink6 {
local as ffmyk_as;
ipv6 {
table ffrl6;
import keep filtered;
import filter ebgp_ffrl_import_filter6;
export filter ebgp_ffrl_export_filter6;
next hop self;
};
direct;
};
{% for peer in ffrl_peers %}
protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 {
source address {{ peer.ip4 }};
neighbor {{ peer.peer_ip4 }} as 201701;
};
protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 {
source address {{ peer.ip6 }};
neighbor {{ peer.peer_ip6 }} as 201701;
}
{% endfor %}

@ -0,0 +1,14 @@
Connection=tunnel
Interface={{ item.name }}
Mode=gre
Local={{ ansible_default_ipv4.address }}
Remote={{ item.remote }}
ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64"
IP=static
Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')
IP6=static
Address6=('{{ item.ip6 }}/64')

@ -1,9 +1,9 @@
---
- name: setup fastds
hosts: fastds
hosts: fastd
user: root
roles:
- install_yaourt
#- install_yaourt
- configure_journald
- configure_sysctl
- configure_iptables
@ -19,14 +19,33 @@
- install_radvd
- install_bind
- install_wireguard
- install_wireguard_mesh
#- install_wireguard_mesh
- install_wireguard_backbone
- install_babeld
- install_fastd
#- install_monitoring
- install_admin_packages
- name: install openvpn uplink
hosts: mullvad_fastds
hosts: mullvad_fastd
user: root
roles:
- install_openvpn
- name: setup ffrl
hosts: ffrl_uplink
user: root
roles:
- configure_journald
- configure_sysctl
- configure_iptables
- configure_static_routes
- install_cronie
#- install_php
#- install_nginx
- install_ntp
- install_haveged
- install_wireguard
- install_wireguard_backbone
- install_babeld
- setup_ffrl_tunnel
#- install_monitoring
- install_admin_packages

Loading…
Cancel
Save