
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Ubuntu 16.04 Full Stack Configuration (with Bonding Config)

 
[[Category:Routers]]
[[Category:Bonding Configuration]]
[[Category:3rd Party Routers]]
= Preface =
linkname aa_wan1
 
Note the additional "unit" and "linkname" instructions from the linked guide: "unit" is the index of the ppp interface created (i.e. unit = 0 creates ppp0), and "linkname" gives the connection a stable name for the scripts below.
 
=== /etc/ppp/chap-secrets ===
# Accept established connections from AAISP Line 2 (Bonding only)
iptables -A INPUT -i pppoe-AA_2 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
# Allow related traffic from AAISP Modem Stats 1 (the modem sits on the line 1 carrier interface)
iptables -A INPUT -s 192.168.2.1/32 -i DEV_AA_WAN1_C -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow related traffic from AAISP Modem Stats 2 (Bonding only; the second modem sits on the line 2 carrier interface)
iptables -A INPUT -s 192.168.3.1/32 -i DEV_AA_WAN2_C -m state --state RELATED,ESTABLISHED -j ACCEPT
# Reject anything else (not really needed as we will change default policy to drop later)
# This must stay the *last* INPUT rule, anything appended after it is never reached
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT --reject-with icmp-port-unreachable
# AAISP Line 1 MSS Clamping (clamp the MSS of outgoing SYNs to the PPP link MTU)
iptables -A FORWARD -o pppoe-AA_1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "MSS clamping" -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -o DEV_AA_WAN2_C -m comment --comment NAT -j MASQUERADE
# Default drop everything from outside
# Note that these drops are *important* because we don't reject any traffic in the rules themselves, without these, stuff will be wide open
iptables -P FORWARD DROP
iptables -P INPUT DROP
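The note above is the whole security model of this firewall: every INPUT and FORWARD rule is an ACCEPT, so the DROP policies are the only thing closing the router. The script below is an added example, not part of the AAISP page, that lints an iptables-save dump for the two things that model depends on: that the INPUT and FORWARD policies in the filter table really are DROP, and that no INPUT rule accepts traffic from a WAN-facing interface without a conntrack state match. The interface names are the page's placeholders (pppoe-AA_1, pppoe-AA_2, DEV_AA_WAN1_C) and the dump is constructed for the example, with a deliberately planted SSH hole so the check has something to find.

```bash
#!/bin/bash
# Added example (not from the AAISP page): sanity checks on an iptables-save dump.
# In real use feed it the live ruleset: chain_policy "$(iptables-save)" INPUT

# Constructed dump in iptables-save format. The "--dport 22" rule is a planted
# hole: it accepts SSH from the whole internet on line 1.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o pppoe-AA_1 -m comment --comment NAT -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
-A INPUT -i pppoe-AA_2 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
-A INPUT -s 192.168.2.1/32 -i DEV_AA_WAN1_C -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i pppoe-AA_1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o pppoe-AA_1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# chain_policy DUMP CHAIN: print the default policy of CHAIN in the *filter* table
# (the nat table has its own chains with ACCEPT policies, which must not be confused
# with the filter ones). Prints nothing if the chain is not in the filter table.
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '
        /^\*/                 { in_filter = ($0 == "*filter") }
        in_filter && $1 == c  { print $2; exit }'
}

# stateless_wan_accepts DUMP PREFIX: print INPUT rules that ACCEPT on an interface
# whose name starts with PREFIX and have no conntrack state match. With policy DROP,
# each such rule is a deliberate hole to the internet and deserves a second look.
stateless_wan_accepts() {
    printf '%s\n' "$1" | grep -E -- "^-A INPUT -i $2" | grep -E -- '-j ACCEPT' \
        | grep -Ev -- '--state |--ctstate ' || true
}

# Report on the constructed dump
for chain in INPUT FORWARD; do
    [ "$(chain_policy "$SAMPLE_DUMP" "$chain")" = DROP ] \
        || echo "WARNING: $chain policy is not DROP, the router is wide open"
done
stateless_wan_accepts "$SAMPLE_DUMP" pppoe- | sed 's/^/REVIEW (stateless accept on WAN): /'
```

Run it against the live ruleset after `netfilter-persistent reload` and again after any script (miniupnpd, fix_vm_policy below) that inserts rules at runtime; those scripts only ever add ACCEPT rules, so the policy check is cheap insurance.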
dnssec-enable yes;
dnssec-validation yes;
 
auth-nxdomain no;
listen-on-v6 { 2001:db8:b9:2041::1; ::1; };
 
== UPnP ==
UPnP is something I do have working, but it can be a little temperamental after a reboot; it usually starts working after a couple of minutes.
 
We will use miniupnpd for this, and the configuration options are really quite minimal.
 
Firstly, install miniupnpd:
 
apt-get install miniupnpd
 
Next, edit '''/etc/default/miniupnpd''' and update it as follows (notice the commenting out of the default OTHER_OPTIONS line). If you need UPnP for IPv6, don't forget to also set the last option to "yes". The file's own comment explains the -S option: in "secure" mode a client can only add mappings to its own IP, so it cannot open a port to some other machine on your LAN. The configuration below runs without it; if you want that restriction, set MiniUPnPd_OTHER_OPTIONS="-S" instead of leaving it empty.
 
# Set to 1 to start the daemon. Deactivated by default, because
# you don't want the outside to control your UPnP router, and
# as a consequence MiniUPnPd_LISTENING_IP should be set to a
# reasonable value before enabling the daemon.
START_DAEMON=1
# Define here the external interface connected to the WAN (e.g.: the public
# IP address NIC)
MiniUPnPd_EXTERNAL_INTERFACE="pppoe-AA_1"
# IP that the daemon should listen on.
# Note that you do *not* want this to be 0.0.0.0, as you don't want
# your MiniUPnPd to be controlled by anyone on the internet.
MiniUPnPd_LISTENING_IP="DEV_LAN"
# This defines other options which you might want to use when
# starting MiniUPnPd. Note that the -S option is important:
# -S sets "secure" mode : clients can only add mappings to their own ip
# (see man page)
#MiniUPnPd_OTHER_OPTIONS="-N -f /etc/miniupnpd/miniupnpd.conf"
MiniUPnPd_OTHER_OPTIONS=""
# If this option is defined, then the init script will initialize
# the ipv6 tables.
MiniUPnPd_ip6tables_enable=no
 
Once that’s done, you should be able to execute:
 
systemctl enable miniupnpd
systemctl start miniupnpd
 
We also need to restart miniupnpd whenever a PPP interface comes up. Without this, miniupnpd usually starts at boot before the PPP interface is connected, and the rules it puts in place for the external interface don't work.
 
Create a new file '''/etc/ppp/ip-up.d/fix-upnp''' with the following contents:
 
#!/bin/bash
# Run by pppd for every interface that comes up; restart miniupnpd so it
# re-reads the (now connected) external interface and rebuilds its rules
systemctl restart miniupnpd
 
Then execute:
 
chmod 0755 /etc/ppp/ip-up.d/fix-upnp
 
= Bonus: Run dslstats in Docker on Ubuntu =
I'll add this section because some people may find it useful if you either want dslstats for your own use directly or to submit to something like [https://www.mydslwebstats.co.uk/ MyDSLWebStats].
 
== Install Docker ==
Install Docker from Docker's own repository, which is more current than the version in the normal Ubuntu repos. Since this adds a third-party signing key to apt, check the key's fingerprint before trusting the repository:

apt-get install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
# Verify the key you just added is Docker's: the fingerprint must be
# 9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
apt-key fingerprint 0EBFCD88
# Assuming amd64
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce
 
== Download & Run Container ==
Now we have Docker, all we need to do is download and run the container, which can be done in a single command. This command does the following:
* Names the container "dslstats_1"
* Opens a VNC server on 192.168.1.1:5900 (bind it to the router's LAN IP like this, so it is only reachable privately; VNC is unencrypted and must never be exposed on a WAN interface)
* Opens a TCP listener on 192.168.1.1:8080 - this won't actually do anything unless you enable the web server for dslstats
* Sets the password to log in to VNC to "dslstats" (change this; note that an -e value is visible in `docker inspect` and in the shell history)
* Sets the path for the dslstats configuration to '''/etc/dslstats_1/''' on the '''host'''
* Mounts /etc/localtime from the host to use the correct timezone data
* Restarts the container as soon as the Docker daemon starts (i.e. on each reboot)

docker run -d \
--name=dslstats_1 \
-p 192.168.1.1:5900:5900 \
-p 192.168.1.1:8080:8080 \
-e VNC_PASSWORD=dslstats \
-v /etc/dslstats_1:/config \
-v /etc/localtime:/etc/localtime:ro \
--restart=always \
rossallan/dslstats
 
Obviously if you are running 2 modems you wish to report stats for, you will need a second MyDSLWebStats account (if you are submitting there), and to modify this command for the second container to use different ports and configuration directory.
 
For more information about Docker installation, see [https://docs.docker.com/engine/installation/linux/ubuntu/#install-using-the-repository here], and for more information about the dslstats Docker container, see [https://hub.docker.com/r/rossallan/dslstats/ here].
 
= Bonus: Port based policy routing to a third WAN =
I also have a third WAN connection (provided by Virgin Media) over which I route some traffic based on the destination port. It's of course possible to route it based on destination IP, source IP or any combination of routing rules you can think of. It's also possible to use it as a failover if your PPP connection dies (although this guide does not cover that).
 
Moving forward though I’ll be making assumptions that the third connection is a VM connection (or an “equivalent”) provided by DHCP.
 
== Configure Interface ==
Edit /etc/network/interfaces and configure the interface for the connection, we give it a higher metric to make sure it doesn’t override any default routes we configured, we also provide a post-up script which we’ll cover later:
 
# VMEDIA
auto DEV_VM_WAN
iface DEV_VM_WAN inet dhcp
post-up /usr/local/sbin/fix_vm_policy
metric 100
 
== Fix Firewalling ==
We need to add some more iptables rules to allow this interface to NAT and receive related traffic etc., we won’t bother with IPv6 since we don’t get a v6 address:
 
iptables -A INPUT -i DEV_VM_WAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
iptables -A FORWARD -i DEV_LAN -o DEV_VM_WAN -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
iptables -A FORWARD -i DEV_VM_WAN -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
iptables -t nat -A POSTROUTING -o DEV_VM_WAN -m comment --comment NAT -j MASQUERADE
 
Don’t forget '''netfilter-persistent save && netfilter-persistent reload''' afterwards.
 
== Fix Routing ==
We need to add a new route table, it will be called VMEDIA.
 
grep -q " VMEDIA$" /etc/iproute2/rt_tables || echo "20 VMEDIA" >> /etc/iproute2/rt_tables
 
=== /usr/local/sbin/fix_vm_policy ===
Create the script mentioned in post-up earlier. This script does the following:
* Fetches the interface address (with the prefix length stripped, so a bare IPv4 address)
* Fetches the gateway address from the DHCP-supplied default route
* Checks that both look like IPv4 addresses, so we never install routes with a blank address in them
* Adds a default route via the gateway to the routing table VMEDIA
* Adds a mangle rule that marks traffic from the LAN with a destination port of 563 with mark 10
* Adds a SNAT rule for traffic leaving the interface so it carries the interface's own address (without this the external IP will not reply to pings, for example)
* Adds a policy rule to send all traffic with mark 10 through the VMEDIA routing table
* Adds a policy rule to send all traffic sourced from the interface address through the VMEDIA routing table
* Flushes the route cache
* Loosens the reverse path filter on the interface in question (otherwise the kernel drops replies that arrive on it)

It's important that you change the rule for port 563 to your own rule(s) for policy routing. Notice that it appears twice: the first (-C) checks whether the rule already exists, and the second (-I) actually adds it, so be sure to modify both identically.
 
#!/bin/bash
# Run by ifupdown as the post-up script for DEV_VM_WAN; IFACE and LOGICAL are set by ifupdown
echo "IFACE: ${IFACE}"
echo "LOGICAL: ${LOGICAL}"
# Interface address without the prefix length, and the DHCP-supplied gateway
IFACE_ADDR=$(ip addr show dev DEV_VM_WAN | grep "inet " | awk '{print $2}' | sed -E 's/\/[0-9]+$//')
GWAY_ADDR=$(ip route show dev DEV_VM_WAN | grep default | awk '{print $3}')
# Bail out rather than install routes and rules containing an empty address
(echo "${IFACE_ADDR}" | grep -Eq "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") && echo "VM-FIX IFACE matched" || exit
(echo "${GWAY_ADDR}" | grep -Eq "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") && echo "VM-FIX GWAY matched" || exit
# Default route for the VMEDIA table (fails harmlessly if it already exists)
ip route add default via ${GWAY_ADDR} dev DEV_VM_WAN table VMEDIA || true
# Rule 1: mark LAN traffic to port 563. Change this to your own policy, keeping the -C check and the -I insert identical
if ! iptables -t mangle -C PREROUTING -p tcp --dport 563 -s 192.168.1.0/24 -j MARK --set-mark 10 2>/dev/null; then
    echo "VM-FIX Adding rule 1"
    iptables -t mangle -I PREROUTING 1 -p tcp --dport 563 -s 192.168.1.0/24 -j MARK --set-mark 10 || true
fi
# Rule 2: SNAT traffic leaving DEV_VM_WAN to the interface address
if ! iptables -t nat -C POSTROUTING -o DEV_VM_WAN -j SNAT --to-source ${IFACE_ADDR} 2>/dev/null; then
    echo "VM-FIX Adding rule 2"
    iptables -t nat -I POSTROUTING 1 -o DEV_VM_WAN -j SNAT --to-source ${IFACE_ADDR} || true
fi
# Policy rules: marked traffic and traffic from the interface address use table VMEDIA.
# Only add them if absent, otherwise every ifup leaves another copy behind
ip rule show | grep -q "fwmark 0xa lookup VMEDIA" || ip rule add fwmark 10 table VMEDIA || true
ip rule show | grep -q "from ${IFACE_ADDR} lookup VMEDIA" || ip rule add from ${IFACE_ADDR}/32 table VMEDIA || true
ip route flush cache || true
# Loose reverse path filtering, or the kernel drops replies arriving on this interface
if [ -f /proc/sys/net/ipv4/conf/DEV_VM_WAN/rp_filter ]; then
    echo 2 > /proc/sys/net/ipv4/conf/DEV_VM_WAN/rp_filter
fi
 
Then:
 
chmod 0755 /usr/local/sbin/fix_vm_policy
 
You should now be able to bring up that interface and it should put all of its own routes in place. Traffic from the LAN should be routed appropriately.
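Two things in the procedure above are worth checking rather than assuming: the "looks like a valid IP address" test, and the state the script leaves behind in `ip rule` and the VMEDIA table. The script below is an added example, not part of the AAISP page, covering both. It tightens the address check (the page's regex of four 1-3 digit groups also accepts 999.999.999.999) and parses `ip rule show` / `ip route show table VMEDIA` output to confirm the fwmark rule and default route are present exactly once. The table name VMEDIA, interface DEV_VM_WAN and mark 10 (shown as 0xa by `ip rule show`) are the page's own placeholders; the sample outputs are constructed for the example and use RFC 5737 documentation addresses, not captured from a router.

```bash
#!/bin/bash
# Added example (not from the AAISP page): offline checks for fix_vm_policy's inputs
# and results. On the router, replace the SAMPLE_* strings with the live output of
# "ip rule show" and "ip route show table VMEDIA".

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are all 0-255.
valid_ipv4() {
    local addr="$1" oldifs o
    printf '%s\n' "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr            # split on dots into the function's positional parameters
    IFS="$oldifs"
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# fwmark_rule_count RULES: number of "fwmark 0xa lookup VMEDIA" entries in
# "ip rule show" output. 0 means policy routing is not active; more than 1 means
# the post-up script has run repeatedly and added duplicates (ip rule add does not
# reliably reject an identical rule, and a trailing "|| true" hides any error).
fwmark_rule_count() {
    printf '%s\n' "$1" | grep -Ec '^[0-9]+:[[:space:]]+from all fwmark 0xa lookup VMEDIA$' || true
}

# vmedia_has_default ROUTES: succeed if "ip route show table VMEDIA" output
# contains a default route out of DEV_VM_WAN.
vmedia_has_default() {
    printf '%s\n' "$1" | grep -Eq '^default via [0-9.]+ dev DEV_VM_WAN( |$)'
}

# Constructed sample output: the fwmark rule is present twice, as happens after
# two ifup runs of the unguarded version of the script.
SAMPLE_RULES='0:      from all lookup local
32764:  from all fwmark 0xa lookup VMEDIA
32765:  from all fwmark 0xa lookup VMEDIA
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='default via 203.0.113.1 dev DEV_VM_WAN'
SAMPLE_GATEWAY='203.0.113.1'

# Report on the constructed data
valid_ipv4 "$SAMPLE_GATEWAY" || echo "gateway '$SAMPLE_GATEWAY' is not a usable IPv4 address"
n=$(fwmark_rule_count "$SAMPLE_RULES")
if [ "$n" -eq 0 ]; then
    echo "policy routing not active: no fwmark rule into VMEDIA"
elif [ "$n" -gt 1 ]; then
    echo "fwmark rule present $n times: guard the ip rule add in fix_vm_policy"
fi
vmedia_has_default "$SAMPLE_ROUTES" || echo "table VMEDIA has no default route via DEV_VM_WAN"
```

A duplicated fwmark rule is harmless for routing but a sign that the script is not idempotent; a missing one after the interface has been up for a while usually means the address or gateway check bailed out (run the script by hand and look for the "VM-FIX ... matched" lines).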