base commit

2023-03-29 15:34:39 +02:00 · 2023-03-29 15:34:39 +02:00 · e42d16c2c0
commit e42d16c2c0
parent f2779cdf57
12 changed files with 2293 additions and 0 deletions
--- a/os/bird/bird.conf
+++ b/os/bird/bird.conf
@ -0,0 +1,175 @@
+###### VARIABLES PER ROUTER ######
+
+router id 10.0.0.1;
+define OWNIPv6 = fdef:7b3a:d88f:100::1;
+define OWNLOCALv6 = fdef:7b3a:d88f:100::/56;
+
+###### VARIABLES PER NETWORK ######
+
+define OWNAS =  4242422246;
+define OWNNETv6 = fdef:7b3a:d88f::/48;
+define OWNNETSETv6 = [fdef:7b3a:d88f::/48+];
+
+###### ROA STUFF ######
+
+roa6 table dn42_roa_v6;  # create new roa6 table
+
+protocol static {
+    roa6 { table dn42_roa_v6; };  # set the table to use
+    include "/etc/bird/dn42_roa_bird2_6.conf";  # import routes
+};
+
+###### HELPER FUNCTIONS ######
+
+function is_self_net_v6() {
+  return net ~ OWNNETSETv6;
+}
+
+
+function is_valid_network_v6() {
+  return net ~ [
+    # ULA address space as per RFC 4193
+    fd00::/8{44,64}
+  ];
+}
+
+###### FILTERS ######
+
+filter kernel_export {
+    if source = RTS_STATIC then reject;
+    krt_prefsrc = OWNIPv6;
+    accept;
+}
+
+filter check_incoming_ebgp {
+    # is valid and not our network
+    if is_valid_network_v6() && !is_self_net_v6() then {
+        # does not pass roa
+        if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
+            print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+            reject;
+        }
+        # passed roa
+        else {
+            accept;
+        }
+    }
+    # network not valid or is our network
+    else {
+        reject;
+    }
+}
+
+filter check_outgoing_ebgp {
+    # is valid network and the source is static or BGP
+    if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then {
+        accept;
+    }
+    # is not a valid network or is not static/bgp
+    else {
+        reject;
+    }
+}
+
+###### INTERNAL ROUTING OSPF ######
+
+ipv6 table int6;  # create new table
+
+protocol static {
+    route OWNLOCALv6 reject;  # add route that belongs to region
+
+    ipv6 {
+        table int6;
+    };
+}
+
+protocol ospf v3 intnet {
+    ipv6 {
+        table int6;
+        import all;
+        export all;
+    };
+    area 0 {  # there must be a better way to not repeat the interfaces
+        interface "ams02" {
+            type ptmp;
+            neighbors {
+                fe80::200;
+            };
+        };
+        interface "los03" {
+            type ptmp;
+            neighbors {
+                fe80::300;
+            };
+        };
+    };
+}
+
+protocol pipe {  # merge routing tables
+    table master6;
+    peer table int6;
+    import where source != RTS_STATIC;  # import into master6 all except static routes
+    export none;
+}
+
+###### BGP ######
+
+ipv6 table bgp6;  # create new table
+
+protocol static {
+    route OWNNETv6 reject;
+
+    ipv6 {
+        table bgp6;
+    };
+}
+
+protocol pipe {  # merge routing tables
+    table master6;
+    peer table bgp6;
+    import where source != RTS_STATIC;  # import into master6 all except static routes
+    export none;
+}
+
+template bgp dnpeers {
+    local as OWNAS;
+    path metric 1;
+
+    ipv6 {
+        table bgp6;
+        import filter check_incoming_ebgp;
+        export filter check_outgoing_ebgp;
+        import limit 4242 action block;
+    };
+}
+
+template bgp localas {
+    local as OWNAS;
+    keepalive time 5;
+    direct;
+    rr client;
+    
+    ipv6 {
+        table bgp6;
+        import where source = RTS_BGP;
+        export where source = RTS_BGP;
+        next hop self;
+    };
+}
+
+include "/etc/bird/peers/*.conf";
+
+###### MISC BUT NEEDED ######
+
+protocol device {  # why is this needed?
+    scan time 10;
+}
+
+protocol kernel {
+    scan time 10;
+
+    ipv6 {
+        import none;
+        export filter kernel_export;
+    };
+};
--- a/os/bird/dn42_roa_bird2_6.conf
+++ b/os/bird/dn42_roa_bird2_6.conf
--- a/os/bird/envvars
+++ b/os/bird/envvars
@ -0,0 +1,3 @@
+BIRD_RUN_USER=bird
+BIRD_RUN_GROUP=bird
+#BIRD_ARGS=
--- a/os/bird/peers/NETW.conf
+++ b/os/bird/peers/NETW.conf
@ -0,0 +1,3 @@
+protocol bgp NETW_v6 from dnpeers {
+        neighbor fe80::????%dn42_NETW as 424242xxxx;
+}
--- a/os/cron.hourly/dn42-roa6
+++ b/os/cron.hourly/dn42-roa6
@ -0,0 +1,3 @@
+#!/bin/sh
+curl -sfSL -o /etc/bird/dn42_roa_bird2_6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
+/usr/sbin/birdc configure
--- a/os/interfaces.d/90-dn42-loopback
+++ b/os/interfaces.d/90-dn42-loopback
@ -0,0 +1,6 @@
+iface lo inet6 static
+	address fdef:7b3a:d88f:??00::1/64
+
+#####################################
+
+where ?? is the router number, e.g: 03
--- a/os/iptables/rules.v4
+++ b/os/iptables/rules.v4
@ -0,0 +1,7 @@
+# Generated by iptables-save v1.8.7 on Mon Mar 27 07:29:21 2023
+*filter
+:INPUT DROP [8:324]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [12:1034]
+COMMIT
+# Completed on Mon Mar 27 07:29:21 2023
--- a/os/iptables/rules.v6
+++ b/os/iptables/rules.v6
@ -0,0 +1,21 @@
+# Generated by ip6tables-save v1.8.7 on Mon Mar 20 21:32:24 2023
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:DN42_INPUT - [0:0]
+:DN42_OUTPUT - [0:0]
+-A INPUT -i dn42+ -j DN42_INPUT
+-A FORWARD -i dn42+ -j DN42_INPUT
+-A FORWARD -o dn42+ -j DN42_OUTPUT
+-A OUTPUT -o dn42+ -j DN42_OUTPUT
+-A DN42_INPUT -s fd00::/8 -j ACCEPT
+-A DN42_INPUT -s fe80::/10 -j ACCEPT
+-A DN42_INPUT -s ff00::/8 -j ACCEPT
+-A DN42_INPUT -j REJECT --reject-with icmp6-port-unreachable
+-A DN42_OUTPUT -d fd00::/8 -j ACCEPT
+-A DN42_OUTPUT -d fe80::/10 -j ACCEPT
+-A DN42_OUTPUT -d ff00::/8 -j ACCEPT
+-A DN42_OUTPUT -j REJECT --reject-with icmp6-port-unreachable
+COMMIT
+# Completed on Mon Mar 20 21:32:24 2023
--- a/os/software.txt
+++ b/os/software.txt
@ -0,0 +1,7 @@
+htop
+iptables
+iptables-persistent
+bird2
+wireguard-tools
+nginx
+curl
--- a/os/sysctl.d/90-dn42-forwarding.conf
+++ b/os/sysctl.d/90-dn42-forwarding.conf
@ -0,0 +1 @@
+net.ipv6.conf.all.forwarding=1
--- a/os/wireguard/dn42_NETW.conf
+++ b/os/wireguard/dn42_NETW.conf
@ -0,0 +1,22 @@
+[Interface]
+PrivateKey = $?
+Address = fe80::$1/64
+ListenPort = 3$2
+mtu = 1420
+Table = off
+
+# peer addr fe80::$3
+[Peer]
+PublicKey = $?
+Endpoint = $?
+AllowedIPs = fd00::/8, fe80::/10
+
+
+
+########################################
+
+$? = self explanatory
+$1 = network nr, e.g: 100 or 200
+$2 = optional, where $2 is 4 int long and the last 4 numbers of the peer as
+$3 = link local address of the peer
+
--- a/os/www/index.html
+++ b/os/www/index.html
@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to $DNS</title>
+<style>
+    body {
+        width: 45%;
+        margin: 0 auto;
+        font-family: Tahoma, Verdana, Arial, sans-serif;
+    }
+</style>
+</head>
+<body>
+<h1>Welcome to $DNS</h1>
+<p>You have a working IPv6 connection if you see this page!</p>
+<p>This is a DN42 router and its accessible via $DNSRESOLVED (clearnet) or $DN42LOOPBACK (DN42)</p>
+
+<p>If you want to know what DN42 is, refer to <a href="https://dn42.dev/Home">dn42.dev/Home</a>.
+Or if you know what it is and want to peer with me visit <a href="https://www.ventilaar.nl/dn42">www.ventilaar.nl/dn42</a></p>
+
+<p><em>Yes this layout is the default nginx template, how did you know?</em></p>
+</body>
+</html>