search

sudomesh / sudowrt-firmware

Scripts to build the sudo mesh OpenWRT firmware.
Other
73 stars 19 forks source link

no access to internet when ssh'd into node #17

Closed wrought closed 9 years ago

wrought commented 10 years ago

need to fix.

wrought commented 10 years ago

expect update from matt's node

wrought commented 10 years ago

Here is the modified mesh routing (IP tables and route rules) from my node, where @juul got it working:

#!/bin/sh /etc/rc.common

START=90

# TODO
#  Add connection tracking helpers:
#    https://home.regit.org/netfilter-en/secure-use-of-helpers/

# TODO: We need to somehow detect this after the tunnel comes up
EXITIP=10.42.0.99

ETH=eth0
ADHOC=adhoc0
OPEN=open0
MESH=bat0
PRIV=priv0
TUN=l2tp0
BRIDGE=br-openmesh

LOCALNET=127.0.0.1/8
NODENET=10.1.10.0/24
MESHNET=10.0.0.0/8
PRIVNET=172.30.0.0/24
BADNET=10.0.0.0/24 # sometimes used by home routers

NODEIP=10.1.10.1
PRIVIP=172.30.0.1

start() {

    iptables -F INPUT
    iptables -P INPUT ACCEPT
    iptables -F FORWARD
    iptables -P FORWARD ACCEPT
    iptables -t nat -F POSTROUTING

    # Enable IP masquerading for ethernet output (NAT)
    iptables -t nat -A POSTROUTING -o $ETH -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Enable IP masquerading for private net access to mesh
    iptables -t nat -A POSTROUTING -s $PRIVNET -o $BRIDGE -j MASQUERADE ## NEW

    # Only allow stuff from mesh to private if is part of
    # an established connection and is from the mesh subnet
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $BRIDGE -d $PRIVNET -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $BRIDGE -d $LOCALNET -j ACCEPT 
    iptables -A INPUT -i $BRIDGE -d $PRIVNET -j DROP

    # accept everything local
    iptables -A INPUT -i lo -j ACCEPT

    # ignore anything from or to 10.0.0.0/24
    # since we don't use it for the net
    # and some home routers use it per default
    iptables -A INPUT -s $BADNET -j DROP
    iptables -A INPUT -d $BADNET -j DROP

    # allow packets from the open, mesh and priv interfaces as long as the IP's are correct
    iptables -A INPUT -i $BRIDGE -s $MESHNET -j ACCEPT
    iptables -A INPUT -i $PRIV -s $PRIVNET -j ACCEPT

    # allow DHCP on open, mesh and priv
    iptables -A INPUT -i $BRIDGE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    iptables -A INPUT -i $PRIV -p udp --dport 67:68 --sport 67:68 -j ACCEPT

    # allow established connections from ethernet
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $ETH -j ACCEPT

    iptables -P INPUT DROP

    ### FORWARDING ###

    iptables -A FORWARD -i lo -j ACCEPT

    # ignore anything from or to 10.0.0.0/24
    # since we don't use it for the net
    # and some home routers use it per default
    iptables -A FORWARD -s $BADNET -j DROP
    iptables -A FORWARD -d $BADNET -j DROP

    # Allow traffic from bridged interfaces (mesh and open) as long as it's not headed for privnet
    iptables -A FORWARD -i $BRIDGE -s $MESHNET ! -d $PRIVNET -j ACCEPT

    # Allow all traffic from privnet
    iptables -A FORWARD -i $PRIV -s $PRIVNET -j ACCEPT

    # allow forwarding of established connections from private
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A FORWARD -m state --state NEW -i $PRIV -j ACCEPT # TODO probably not needed

    # No traffic from TUN to PRIV or from PRIV to TUN
    iptables -A FORWARD -i $TUN -o $PRIV -j DROP
    iptables -A FORWARD -i $PRIV -o $TUN -j DROP

    # no mesh to internet forward (only through tunnel)
    iptables -A FORWARD -i $BRIDGE -o $ETH -j DROP
    iptables -A FORWARD -i $MESH -o $ETH -j DROP
    iptables -A FORWARD -i $ADHOC -o $ETH -j DROP
    iptables -A FORWARD -i $OPEN -o $ETH -j DROP
    iptables -A FORWARD -i $TUN -o $ETH -j DROP

    iptables -P FORWARD DROP
    #iptables -P FORWARD ACCEPT

    # no internet to internet forward
    iptables -A FORWARD -i $ETH -o $ETH -j DROP

    # TODO: What about non-IP traffic? 

    # default route for 'public' table is the exit node
    ip route add default via $EXITIP dev $BRIDGE table public

    # add standard route for bridge interface to public table
    # (same as in main routing table)
    ip route add $PRIVNET dev $PRIV proto kernel scope link src $PRIVIP table public

    # add standard route for private interface to public table
    # (same as in main routing table)
    ip route add $MESHNET dev $BRIDGE proto kernel scope link src $NODEIP table public

    # traffic from the mesh goes to the 'public' table
    ip rule add from $MESHNET iif $BRIDGE prio 16000 table public

    ip route flush cache 

# ---- OLD STUFF START
    # add a default route for internet traffic from the mesh / open ap
#    ip route add default via $EXITIP dev $BRIDGE table public

    # all traffic on the subnet owned by this node stays local
#    ip rule add from $NODENET to $NODENET dev $BRIDGE prio 16950 table main

    # all traffic between the local node's mesh/open and the local node's priv stays local
#    ip rule add from $NODENET to $PRIVNET dev $BRIDGE prio 16950 table main

    # all other 10.x.x.x traffic from open/mesh interfaces goes through tunnel
#    ip rule add from $MESHNET dev $BRIDGE prio 17000 table public

    #  TODO: What about normal mesh traffic? Maybe the public table needs some more rules.
    #  We should test if normal mesh traffic between nodes is affected by this script.

#    ip route flush cache 

# ---- OLD STUFF END

}

stop() {
    # TODO implement stop
    echo 
}
max-b commented 9 years ago

This is no longer relevant - we're not using batman-adv anymore.