Difference between revisions of "Hout Bay"

From CTWUG Wiki
Jump to: navigation, search
(Initial Ubiquiti customisations doc)
Line 152: Line 152:
 
|Georg
 
|Georg
 
|}
 
|}
 
 
==AirOS Custom Firewall Script==
 
 
Ubiquiti devices run Linux and use [http://linux.die.net/man/8/iptables iptables] for firewalling.  Unfortunately their web interface to iptables is very limited, so in order to run a more advanced ruleset one needs to create a linux shell script that adds firewall rules manually.  This is done by SSH'ing to the device and following [http://www.ubnt.com/wiki/index.php?title=Manual_Routes these instructions] to create a /etc/persistent/rc.poststart file.  Here is a sample of what I use on a few devices:
 
 
#!/bin/sh
 
 
PATH=${PATH}:/sbin
 
LOCALNET="172.18.87.96/28"
 
WLANIP="172.18.87.36/32"
 
DCPORT="2222"
 
 
iptables -F FIREWALL
 
iptables -A FIREWALL --protocol icmp -j ACCEPT
 
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst ${WLANIP} -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst ${WLANIP} --protocol ospf -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst 224.0.0.5/32 --protocol ospf -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst 224.0.0.6/32 --protocol ospf -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst 224.0.0.22/32 --protocol igmp -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport ${DCPORT} -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport $((${DCPORT}+1)) -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport ${DCPORT} -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport 33434:65535 -m state --state NEW -j ACCEPT
 
iptables -A FIREWALL -i ath0 --protocol tcp -j REJECT --reject-with tcp-reset
 
iptables -A FIREWALL -i ath0 --dst 255.255.255.255 --protocol udp --dport 5678 -j DROP
 
iptables -A FIREWALL -i ath0 -j REJECT
 
 
To complete things you must:
 
 
* Edit LOCALNET to be the subnet address of your LAN listed in the [[#IP_Addresses|allocations table]] above.
 
* Edit WLANIP to be the IP address of your WLAN IP address as configured in your device.
 
* Enable the firewall in the web interface of your device.
 
* Configure your DC client as shown [[#File_Sharing|below]].
 
 
This basic ruleset essentially creates a stateful firewall that allows all outgoing connections, all ICMP in both directions, all incoming DC connections, and OSPF router traffic to your device.  Any non-DC incoming traffic is blocked, so if you're going to be gaming or doing something that requires incoming connections, you will need to add additional rules for it.  Contact Aragon if you need any help.
 
  
  
Line 205: Line 168:
  
  
==Setting up OSPF==
+
==Ubiquiti Customisations==
 +
 
 +
We use a number of Ubiquiti customisations to make things run smoother on HBWUG.  The following instructions are intended for wuggers with some networking and Unix knowledge.  All the changes below need to be done on the command line of your device via SSH.
 +
 
 +
===Step 1: Setup shell profile===
 +
This is primarily a cosmetic improvement, but a very useful one.  Add the following to '''/etc/persistent/profile''':
 +
 
 +
<pre>
 +
PS1='\[\e]1;\h-term\a\e]2;\h:\w\a\]\h\$ '
 +
</pre>
 +
 
 +
===Step 2: Setup OSPF===
 +
This requires custom Ubiquiti firmware.  Either obtain a precompiled image from Aragon or build one yourself by following: [[Adding OSPF support to Ubiquiti devices]].
 +
 
 +
Once you've loaded OSPF firmware on your device, create a BIRD configuration in '''/etc/persistent/bird4.conf'''.  Here's a sample:
 +
 
 +
<pre>
 +
log stderr all;
 +
router id 0.0.0.0;
 +
 
 +
filter ospfin {
 +
if gw ~ 172.18.87.0/26 then {
 +
if net ~ 172.18.87.0/24 then accept;
 +
if net ~ 172.18.88.0/24 then accept;
 +
}
 +
if gw = 172.18.87.20 then {
 +
if net ~ 172.16.0.0/12 then accept;
 +
}
 +
if gw = 172.18.87.1 then {
 +
if net = 0.0.0.0/0 then accept;
 +
}
 +
reject;
 +
}
 +
 
 +
protocol kernel {
 +
persist;
 +
learn;
 +
description "kernel";
 +
scan time 300;
 +
import none;
 +
export all;
 +
}
 +
 
 +
protocol device {
 +
scan time 300;
 +
}
 +
 
 +
protocol ospf wug {
 +
tick 1;
 +
import filter ospfin;
 +
export all;
 +
description "WUG";
 +
area 0.0.0.0 {
 +
interface "ath0" {
 +
cost 10;
 +
hello 10;
 +
retransmit 20;
 +
type broadcast;
 +
authentication none;
 +
};
 +
interface "eth0" {
 +
cost 10;
 +
type broadcast;
 +
stub;
 +
};
 +
};
 +
}
 +
</pre>
 +
 
 +
===Step 3: Create firewall script===
 +
Ubiquiti devices run Linux and use [http://linux.die.net/man/8/iptables iptables] for firewalling.  Unfortunately their web interface to iptables is very limited, so in order to run a more advanced firewall we add a custom firewall script.
 +
 
 +
Create '''/etc/persistent/rc.firewall''' with the following contents:
 +
 
 +
<pre>
 +
DCPORT="2222"
 +
 
 +
iptables -F FIREWALL
 +
iptables -A FIREWALL --protocol icmp -j ACCEPT
 +
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst ${WLANIP} -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst ${WLANIP} --protocol ospf -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst 224.0.0.5/32 --protocol ospf -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst 224.0.0.6/32 --protocol ospf -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst 224.0.0.22/32 --protocol igmp -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport ${DCPORT} -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport $((${DCPORT}+1)) -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport ${DCPORT} -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport 33434:65535 -m state --state NEW -j ACCEPT
 +
iptables -A FIREWALL -i ath0 --protocol tcp -j REJECT --reject-with tcp-reset
 +
iptables -A FIREWALL -i ath0 --dst 255.255.255.255 --protocol udp --dport 5678 -j DROP
 +
iptables -A FIREWALL -i ath0 -j REJECT
 +
</pre>
 +
 
 +
Also remember to:
 +
 
 +
* Enable the firewall in the web interface of your device.
 +
* Configure your DC client as shown [[#File_Sharing|below]].
 +
 
 +
===Step 4: Create boot time HBWUG scripts===
 +
This step creates the necessary boot time code that allows Step 2 and 3 to work.  Create the following files:
 +
 
 +
'''/etc/persistent/config.php''':
 +
<pre>
 +
#!/bin/cgi -q
 +
<?
 +
chdir("/usr/www");
 +
include("lib/settings.inc");
 +
$cfg = @cfg_load($cfg_file);
 +
if ($cfg == -1) { exit; }
 +
$netmode = cfg_get($cfg, "netmode");
 +
$fwstatus = cfg_get($cfg, "iptables.status");
 +
$lannet = cfg_get($cfg, "netconf.1.ip") + "/" + cfg_get($cfg, "netconf.1.netmask");
 +
$wlanip = cfg_get($cfg, "netconf.2.ip");
 +
$bridgeip = cfg_get($cfg, "netconf.3.ip");
 +
echo("NETMODE=\"$netmode\"\n");
 +
echo("FWSTATUS=\"$fwstatus\"\n");
 +
echo("LOCALNET=\"$lannet\"\n");
 +
echo("WLANIP=\"$wlanip\"\n");
 +
echo("BRIDGEIP=\"$bridgeip\"\n");
 +
?>
 +
BIRDENABLE=1
 +
OSPFDEFROUTE=1
 +
</pre>
 +
 
 +
'''/etc/persistent/rc.hbwug''':
 +
<pre>
 +
#!/bin/sh
 +
 
 +
eval "$(/etc/persistent/config.php)"
 +
PATH=${PATH}:/sbin
 +
 
 +
case "$1" in
 +
start)
 +
echo "HBWUG startup"
 +
STARTBIRD=0
 +
[ -z "${BIRDENABLE}" ] && BIRDENABLE=0
 +
[ -z "${OSPFDEFROUTE}" ] && OSPFDEFROUTE=0
 +
BIRDCONF=/etc/persistent/bird4.conf
 +
FWCONF=/etc/persistent/rc.firewall
 +
if [ "${NETMODE}" = "router" ]; then
 +
for f in /proc/sys/net/ipv4/conf/*; do
 +
echo 1 >${f}/accept_redirects
 +
echo 1 >${f}/send_redirects
 +
done
 +
if [ "${FWSTATUS}" = "enabled" -a -e ${FWCONF} ]; then
 +
. ${FWCONF}
 +
fi
 +
if [ ${BIRDENABLE} -eq 1 -a -e ${BIRDCONF} -a -n "${WLANIP}" ]; then
 +
sed -i -e "/^router id/ c router id ${WLANIP};" ${BIRDCONF}
 +
STARTBIRD=1
 +
fi
 +
elif [ "${NETMODE}" = "bridge" ]; then
 +
if [ ${BIRDENABLE} -eq 1 -a -e ${BIRDCONF} -a -n "${BRIDGEIP}" ]; then
 +
sed -i -e "/^router id/ c router id ${BRIDGEIP};" ${BIRDCONF}
 +
STARTBIRD=1
 +
fi
 +
fi
 +
if [ ${STARTBIRD} -eq 1 ]; then
 +
if [ ${OSPFDEFROUTE} -eq 1 ]; then
 +
route delete -net 0.0.0.0/0
 +
fi
 +
/usr/bin/bird4.init start
 +
fi
 +
;;
 +
stop)
 +
echo "HBWUG shutdown"
 +
/usr/bin/bird4.init stop
 +
;;
 +
esac
 +
</pre>
 +
 
 +
'''/etc/persistent/rc.poststart''':
 +
<pre>
 +
/etc/persistent/rc.hbwug start
 +
</pre>
  
[[Adding OSPF support to Ubiquiti devices]]
+
'''/etc/persistent/rc.prestop''':
 +
<pre>
 +
/etc/persistent/rc.hbwug stop
 +
</pre>

Revision as of 19:35, 30 January 2011

Hout Bay WUG

The Hout Bay WUG is a historic name for what is now the Hout Bay area on CTWUG. It started life in March 2010 as a Hout Bay specific WUG, disconnected from CTWUG due to geographic hurdles in connecting. On 23 December 2010 it was connected to CTWUG via its only peer, Kommetjie, which established a link to the Noordhoek and Fishoek areas. This Wiki entry is just a knowledge base specific to our area.


Meet the Hout Bay Wuggers

Name Nodes
Aragon Kush
Armand DarkStar DeathStarCanteen
Cobus TROPiX
David HitmanV
Denis d3nis
Georg Slangkop Riverside
James Komskom
Luke FinkNode
Myles MiloNode
Richard ClearV


Network Layout

Hbwug.png


IP Addresses

Network Status Allocated To Function
172.18.87.0/26 Active HBWUG Backbone
172.18.87.64/27 Active Georg Home LAN
172.18.87.96/28 Active Luke Home LAN
172.18.87.112/28 Unallocated
172.18.87.128/28 Active Aragon Home LAN
172.18.87.144/28 Active Armand Second Home LAN
172.18.87.160/28 Active James Home LAN
172.18.87.176/28 Active Richard Home LAN
172.18.87.192/28 Active Myles Home LAN
172.18.87.208/28 Active Armand Home LAN
172.18.87.224/28 Active David Home LAN
172.18.87.240/29 Active Cobus Home LAN
172.18.87.248/29 Unallocated
172.18.88.0/24 Unallocated


Network Services

Address Protocol Admin
172.18.87.1 DNS Aragon
adc://hub.aragon.ctwug.za.net:1511 ADC Aragon
mumble://mumble.aragon.ctwug.za.net Mumble Aragon
minecraft.hbwug:25565 MineCraft Georg


File Sharing

We use ADC for sharing files on the WUG. You will need an ADC 1.0 compliant client to participate, and we recommend EisKaltDC. Once installed use the following connection settings:

  • Mode: Active
  • TCP Port: 2222
  • UDP Port: 2222
  • TLS Port: 2223

Make sure those ports are open on your respective firewalls (the above AirOS firewall script leaves those ports open).

Then just add the ADC hub listed in Network Services above to your favourites.


Ubiquiti Customisations

We use a number of Ubiquiti customisations to make things run smoother on HBWUG. The following instructions are intended for wuggers with some networking and Unix knowledge. All the changes below need to be done on the command line of your device via SSH.

Step 1: Setup shell profile

This is primarily a cosmetic improvement, but a very useful one. Add the following to /etc/persistent/profile:

PS1='\[\e]1;\h-term\a\e]2;\h:\w\a\]\h\$ '

Step 2: Setup OSPF

This requires custom Ubiquiti firmware. Either obtain a precompiled image from Aragon or build one yourself by following: Adding OSPF support to Ubiquiti devices.

Once you've loaded OSPF firmware on your device, create a BIRD configuration in /etc/persistent/bird4.conf. Here's a sample:

log stderr all;
router id 0.0.0.0;

filter ospfin {
	if gw ~ 172.18.87.0/26 then {
		if net ~ 172.18.87.0/24 then accept;
		if net ~ 172.18.88.0/24 then accept;
	}
	if gw = 172.18.87.20 then {
		if net ~ 172.16.0.0/12 then accept;
	}
	if gw = 172.18.87.1 then {
		if net = 0.0.0.0/0 then accept;
	}
	reject;
}

protocol kernel {
	persist;
	learn;
	description "kernel";
	scan time 300;
	import none;
	export all;
}

protocol device {
	scan time 300;
}

protocol ospf wug {
	tick 1;
	import filter ospfin;
	export all;
	description "WUG";
	area 0.0.0.0 {
		interface "ath0" {
			cost 10;
			hello 10;
			retransmit 20;
			type broadcast;
			authentication none;
		};
		interface "eth0" {
			cost 10;
			type broadcast;
			stub;
		};
	};
}

Step 3: Create firewall script

Ubiquiti devices run Linux and use iptables for firewalling. Unfortunately their web interface to iptables is very limited, so in order to run a more advanced firewall we add a custom firewall script.

Create /etc/persistent/rc.firewall with the following contents:

DCPORT="2222"

iptables -F FIREWALL
iptables -A FIREWALL --protocol icmp -j ACCEPT
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${WLANIP} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${WLANIP} --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.5/32 --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.6/32 --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.22/32 --protocol igmp -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport ${DCPORT} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport $((${DCPORT}+1)) -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport ${DCPORT} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport 33434:65535 -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --protocol tcp -j REJECT --reject-with tcp-reset
iptables -A FIREWALL -i ath0 --dst 255.255.255.255 --protocol udp --dport 5678 -j DROP
iptables -A FIREWALL -i ath0 -j REJECT

Also remember to:

  • Enable the firewall in the web interface of your device.
  • Configure your DC client as shown below.

Step 4: Create boot time HBWUG scripts

This step creates the necessary boot time code that allows Step 2 and 3 to work. Create the following files:

/etc/persistent/config.php:

#!/bin/cgi -q
<?
chdir("/usr/www");
include("lib/settings.inc");
$cfg = @cfg_load($cfg_file);
if ($cfg == -1) { exit; }
$netmode = cfg_get($cfg, "netmode");
$fwstatus = cfg_get($cfg, "iptables.status");
$lannet = cfg_get($cfg, "netconf.1.ip") + "/" + cfg_get($cfg, "netconf.1.netmask");
$wlanip = cfg_get($cfg, "netconf.2.ip");
$bridgeip = cfg_get($cfg, "netconf.3.ip");
echo("NETMODE=\"$netmode\"\n");
echo("FWSTATUS=\"$fwstatus\"\n");
echo("LOCALNET=\"$lannet\"\n");
echo("WLANIP=\"$wlanip\"\n");
echo("BRIDGEIP=\"$bridgeip\"\n");
?>
BIRDENABLE=1
OSPFDEFROUTE=1

/etc/persistent/rc.hbwug:

#!/bin/sh

eval "$(/etc/persistent/config.php)"
PATH=${PATH}:/sbin

case "$1" in
start)
	echo "HBWUG startup"
	STARTBIRD=0
	[ -z "${BIRDENABLE}" ] && BIRDENABLE=0
	[ -z "${OSPFDEFROUTE}" ] && OSPFDEFROUTE=0
	BIRDCONF=/etc/persistent/bird4.conf
	FWCONF=/etc/persistent/rc.firewall
	if [ "${NETMODE}" = "router" ]; then
		for f in /proc/sys/net/ipv4/conf/*; do
			echo 1 >${f}/accept_redirects
			echo 1 >${f}/send_redirects
		done
		if [ "${FWSTATUS}" = "enabled" -a -e ${FWCONF} ]; then
			. ${FWCONF}
		fi
		if [ ${BIRDENABLE} -eq 1 -a -e ${BIRDCONF} -a -n "${WLANIP}" ]; then
			sed -i -e "/^router id/ c router id ${WLANIP};" ${BIRDCONF}
			STARTBIRD=1
		fi
	elif [ "${NETMODE}" = "bridge" ]; then
		if [ ${BIRDENABLE} -eq 1 -a -e ${BIRDCONF} -a -n "${BRIDGEIP}" ]; then
			sed -i -e "/^router id/ c router id ${BRIDGEIP};" ${BIRDCONF}
			STARTBIRD=1
		fi
	fi
	if [ ${STARTBIRD} -eq 1 ]; then
		if [ ${OSPFDEFROUTE} -eq 1 ]; then
			route delete -net 0.0.0.0/0
		fi
		/usr/bin/bird4.init start
	fi
	;;
stop)
	echo "HBWUG shutdown"
	/usr/bin/bird4.init stop
	;;
esac

/etc/persistent/rc.poststart:

/etc/persistent/rc.hbwug start

/etc/persistent/rc.prestop:

/etc/persistent/rc.hbwug stop