
Sonic

Goals

  • Have a server/router at FUZ to host local and Internet-facing services

Resources

  • uh, the Internet?

Roadmap

  1. Arrival of the fibre line
  2. Test doing without the Livebox (the ISP's box)
  3. Install the server (sonicemotion as the base)

Procedure

  1. Install Debian stretch (amd64)
  2. Add the packages:

ppp vlan (and vim, bash-completion, etc.)

  3. Add the file /etc/udev/rules.d/70-persistent-net.rules to give the network interfaces understandable names (each rule matches on the MAC address of one port):
# Top port
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:3b:e5:b2", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="*", NAME="wan0"
# Bottom port
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:3b:e5:b3", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="*", NAME="lan0"
  4. Load the 802.1Q VLAN module automatically at boot by adding it to /etc/modules:
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
8021q
  5. Add the file /etc/ppp/peers/orange, which defines the connection to establish:
# Orange fibre: PPPoE over VLAN 835 on the wan0 port
user "fti/******"

# User-space PPPoE client (package pppoe). The kernel-mode rp-pppoe.so plugin
# loaded below handles PPPoE on its own, so this line is only needed without it.
pty "/usr/sbin/pppoe -I wan0.835 -T 80 -m 1452"
noipdefault
defaultroute
hide-password
replacedefaultroute
persist
noauth
usepeerdns
# Drop the session after 3 unanswered LCP echoes sent 20 s apart
lcp-echo-interval 20
lcp-echo-failure 3
plugin rp-pppoe.so wan0.835
default-asyncmap
noaccomp
# 1500-byte Ethernet payload minus the 8 bytes of PPPoE + PPP headers
mtu 1492
  6. Add the line with the password for that login to /etc/ppp/pap-secrets and /etc/ppp/chap-secrets. Both files hold the credential in clear text; keep them readable by root only (mode 0600, as the ppp package installs them).
  7. Configure the network in /etc/network/interfaces:
auto wan0 wan0.835 ppp0 lan0

# Physical WAN port and the 802.1Q sub-interface carrying the ISP's PPPoE
iface wan0 inet manual
iface wan0.835 inet manual

# PPP session, using /etc/ppp/peers/orange
iface ppp0 inet ppp
	provider orange

# LAN side, the router's own address
iface lan0 inet static
	address 192.168.42.1/24
  8. Add the netfilter rules in a file /etc/netfilter.sh:
#!/bin/bash

# Kernel hardening knobs
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # Drop ICMP echo-requests sent to broadcast or multicast addresses
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route  # Drop source-routed packets
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                # Enable TCP SYN cookies against SYN floods
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects     # Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects       # Don't send ICMP redirect messages
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter            # Reverse-path filtering against source-address spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians         # Log packets with impossible source addresses

# Stop routing while the rules are rebuilt, then flush every chain
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
ip6tables -F   # No IPv6 rules follow: if IPv6 is ever enabled on the WAN, add ip6tables rules as well

OUT="ppp0"
echo "Using $OUT as the upstream interface"

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept packets belonging to already-established sessions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow unlimited outbound traffic from the router itself
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Disallow NEW and INVALID packets arriving from $OUT, whether addressed to the
# router or forwarded. These must come before the FORWARD accept below,
# otherwise the accept matches first and the DROP is never reached.
iptables -A INPUT -i $OUT -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $OUT -m state --state NEW,INVALID -j DROP
# Everything else (i.e. the LAN) may open new connections through the router
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# NAT the LAN behind the address of $OUT
iptables -t nat -A POSTROUTING -o $OUT -j MASQUERADE
# Turn IP forwarding back on
echo 1 > /proc/sys/net/ipv4/ip_forward

Don't forget to make it executable (chmod a+x /etc/netfilter.sh). It also has to be run at boot, for example from a post-up /etc/netfilter.sh line in the ppp0 stanza of /etc/network/interfaces.
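Rule order is what decides what the FORWARD chain really does: a rule accepting NEW for every interface that sits before the DROP for $OUT makes that DROP unreachable, so a connection attempt arriving on ppp0 and destined for a LAN host would be forwarded. The following is an added example, not code from the original page: it walks two constructed iptables-save style rulesets (one with the FORWARD accept before the ppp0 DROP, one with it after) the way netfilter walks a chain, first match wins and the chain policy applies otherwise, against a few sample packets. Only the matches the script uses (-i, -o, --state) are implemented, chain policies are ACCEPT since the script sets none, and both rulesets and the packets are constructed for the example.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed rulesets (iptables-save syntax). RULES_PAGE accepts NEW on
# FORWARD before anything from ppp0 is dropped; RULES_FIXED drops first.
RULES_PAGE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
COMMIT
"""

RULES_FIXED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
-A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    in_if: Optional[str]        # -i, None means any interface
    out_if: Optional[str]       # -o
    states: Optional[Set[str]]  # --state list, None means any conntrack state
    target: str                 # -j


def parse_ruleset(text: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Return (chain policies, chain rule lists) from an iptables-save dump."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("*", "#")) or line == "COMMIT":
            continue
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            policies[name] = policy
            chains[name] = []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError(f"only -A rules are supported: {line!r}")
        rule = Rule(None, None, None, "ACCEPT")
        i = 2
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-i":
                rule.in_if = arg
            elif opt == "-o":
                rule.out_if = arg
            elif opt == "-m":
                pass                        # match module name; its options follow
            elif opt == "--state":
                rule.states = set(arg.split(","))
            elif opt == "-j":
                rule.target = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            i += 2
        chains[toks[1]].append(rule)
    return policies, chains


def verdict(ruleset, chain: str, in_if: Optional[str] = None,
            out_if: Optional[str] = None, state: str = "NEW") -> str:
    """First matching rule wins; fall through to the chain policy otherwise."""
    policies, chains = ruleset
    for rule in chains[chain]:
        if rule.in_if is not None and rule.in_if != in_if:
            continue
        if rule.out_if is not None and rule.out_if != out_if:
            continue
        if rule.states is not None and state not in rule.states:
            continue
        return rule.target
    return policies[chain]


# Sample packets as (chain, in_if, out_if, conntrack state); the first one is
# a connection attempt from the Internet towards a LAN host.
SAMPLES = [
    ("FORWARD", "ppp0", "lan0", "NEW"),
    ("FORWARD", "lan0", "ppp0", "NEW"),
    ("FORWARD", "ppp0", "lan0", "ESTABLISHED"),
    ("INPUT", "ppp0", None, "NEW"),
    ("INPUT", "lan0", None, "NEW"),
    ("INPUT", "ppp0", None, "ESTABLISHED"),
]


def audit(text: str) -> Dict[Tuple[str, str, Optional[str], str], str]:
    """Map each sample packet to the verdict the given ruleset produces."""
    ruleset = parse_ruleset(text)
    return {s: verdict(ruleset, *s) for s in SAMPLES}


if __name__ == "__main__":
    for label, text in (("page order", RULES_PAGE), ("fixed order", RULES_FIXED)):
        print(label)
        for sample, result in audit(text).items():
            print(f"  {sample}: {result}")
```

With the page's order the first sample (NEW from ppp0 towards lan0) comes back ACCEPT; with the DROP placed ahead of the FORWARD accept it comes back DROP while LAN-originated and established traffic is still accepted. The same walk can be run against the output of a real iptables-save on the router, as long as the rules only use the options the parser knows.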

  9. Configure the DHCP server in /etc/dhcp/dhcpd.conf (on Debian the daemon only listens on the interfaces named in INTERFACESv4 in /etc/default/isc-dhcp-server, so put lan0 there):
option domain-name "fuz.re";
option domain-name-servers 8.8.8.8, 8.8.4.4; # to be changed

## LAN0
subnet 192.168.42.0 netmask 255.255.255.0 {
        range 192.168.42.42 192.168.42.254;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.42.255;
        option routers 192.168.42.1;
}

Restart everything!

Follow-up

  • Project created on Sun 12-05-19 by Fabien
projets/fuz/sonic.txt · Last modified: 2019/05/12 20:39 by fabien