From 908a08629f8b083bf402509f93c5cda1a054dc97 Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Wed, 14 Feb 2024 10:37:43 -0800
Subject: [PATCH] Init new, split, commands-based configuration for wizard to ease automated deployment
---
 wizard/config/configure.sh | 16 +++++
 wizard/config/firewall.sh | 122 ++++++++++++++++++++++++++++++++++++
 wizard/config/interfaces.sh | 21 +++++++
 wizard/config/nat.sh | 59 +++++++++++++++++
 wizard/config/qos.sh | 7 +++
 wizard/config/service.sh | 53 ++++++++++++++++
 wizard/config/system.sh | 32 ++++++++++
 7 files changed, 310 insertions(+)
 create mode 100644 wizard/config/configure.sh
 create mode 100644 wizard/config/firewall.sh
 create mode 100644 wizard/config/interfaces.sh
 create mode 100644 wizard/config/nat.sh
 create mode 100644 wizard/config/qos.sh
 create mode 100644 wizard/config/service.sh
 create mode 100644 wizard/config/system.sh
diff --git a/wizard/config/configure.sh b/wizard/config/configure.sh
new file mode 100644
index 0000000..948b369
--- /dev/null
+++ b/wizard/config/configure.sh
@@ -0,0 +1,16 @@
+#!/bin/vbash
+
+if [ "$(id -g -n)" != 'vyattacfg' ] ; then
+ exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
+fi
+
+source /opt/vyatta/etc/functions/script-template
+
+. firewall.sh
+. interfaces.sh
+. nat.sh
+. qos.sh
+. service.sh
+. system.sh
+
+exit
\ No newline at end of file
diff --git a/wizard/config/firewall.sh b/wizard/config/firewall.sh
new file mode 100644
index 0000000..ef91e13
--- /dev/null
+++ b/wizard/config/firewall.sh
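Review bot: The `sg` re-exec builds a command string from the unquoted `$0` and `$@`, so the inner shell re-parses them and a path or argument containing whitespace or metacharacters is split or evaluated instead of being passed through; quote the path and forward the arguments already escaped, e.g. `exec sg vyattacfg -c "/bin/vbash $(printf '%q' "$(readlink -f "$0")") $(printf '%q ' "$@")"`, or drop `$@` entirely since the script never uses positional arguments. The six `. firewall.sh` … `. system.sh` lines source by bare name, which bash resolves through `PATH` before the current directory, so whichever `firewall.sh` is found first on `PATH` is what gets executed and the script only works when started from inside `wizard/config`; anchor them with `dir=$(dirname "$(readlink -f "$0")")` and `. "$dir/firewall.sh"`. No `commit` or `save` precedes the closing `exit`, so unless one of the sourced files issues them the session's `set` commands appear to be discarded rather than applied — a comment stating where commit is expected to happen would remove the ambiguity.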
@@ -0,0 +1,122 @@
+set firewall global-options all-ping 'enable'
+set firewall global-options broadcast-ping 'disable'
+set firewall global-options ip-src-route 'disable'
+set firewall global-options ipv6-receive-redirects 'disable'
+set firewall global-options ipv6-src-route 'disable'
+set firewall global-options log-martians 'enable'
+set firewall global-options receive-redirects 'disable'
+set firewall global-options send-redirects 'enable'
+set firewall global-options source-validation 'disable'
+set firewall global-options syn-cookies 'enable'
+set firewall group interface-group IG_LAN interface 'eth6'
+set firewall group interface-group IG_WAN interface 'pppoe1'
+set firewall ipv4 forward filter default-action 'accept'
+set firewall ipv4 forward filter rule 5 action 'jump'
+set firewall ipv4 forward filter rule 5 inbound-interface name 'pppoe1'
+set firewall ipv4 forward filter rule 5 jump-target 'WAN_IN'
+set firewall ipv4 forward filter rule 101 action 'accept'
+set firewall ipv4 forward filter rule 101 inbound-interface group 'IG_LAN'
+set firewall ipv4 forward filter rule 101 outbound-interface group 'IG_LAN'
+set firewall ipv4 forward filter rule 106 action 'jump'
+set firewall ipv4 forward filter rule 106 inbound-interface group 'IG_WAN'
+set firewall ipv4 forward filter rule 106 jump-target 'WAN_IN'
+set firewall ipv4 forward filter rule 106 outbound-interface group 'IG_LAN'
+set firewall ipv4 forward filter rule 111 action 'drop'
+set firewall ipv4 forward filter rule 111 description 'zone_LAN default-action'
+set firewall ipv4 forward filter rule 111 outbound-interface group 'IG_LAN'
+set firewall ipv4 forward filter rule 116 action 'accept'
+set firewall ipv4 forward filter rule 116 inbound-interface group 'IG_WAN'
+set firewall ipv4 forward filter rule 116 outbound-interface group 'IG_WAN'
+set firewall ipv4 forward filter rule 121 action 'jump'
+set firewall ipv4 forward filter rule 121 inbound-interface group 'IG_LAN'
+set firewall ipv4 forward filter rule 121 jump-target 'IN_WAN'
+set firewall ipv4 forward filter rule 121 outbound-interface group 'IG_WAN'
+set firewall ipv4 forward filter rule 126 action 'drop'
+set firewall ipv4 forward filter rule 126 description 'zone_WAN default-action'
+set firewall ipv4 forward filter rule 126 outbound-interface group 'IG_WAN'
+set firewall ipv4 input filter default-action 'accept'
+set firewall ipv4 input filter rule 5 action 'jump'
+set firewall ipv4 input filter rule 5 inbound-interface name 'pppoe1'
+set firewall ipv4 input filter rule 5 jump-target 'WAN_LOCAL'
+set firewall ipv4 input filter rule 101 action 'jump'
+set firewall ipv4 input filter rule 101 inbound-interface group 'IG_LAN'
+set firewall ipv4 input filter rule 101 jump-target 'IN_LOCAL'
+set firewall ipv4 input filter rule 106 action 'jump'
+set firewall ipv4 input filter rule 106 inbound-interface group 'IG_WAN'
+set firewall ipv4 input filter rule 106 jump-target 'WAN_LOCAL'
+set firewall ipv4 input filter rule 111 action 'drop'
+set firewall ipv4 name IN_LOCAL default-action 'accept'
+set firewall ipv4 name IN_WAN default-action 'accept'
+set firewall ipv4 name LOCAL_IN default-action 'accept'
+set firewall ipv4 name LOCAL_WAN default-action 'accept'
+set firewall ipv4 name WAN_IN default-action 'drop'
+set firewall ipv4 name WAN_IN description 'WAN to internal'
+set firewall ipv4 name WAN_IN rule 10 action 'accept'
+set firewall ipv4 name WAN_IN rule 10 description 'Allow established/related'
+set firewall ipv4 name WAN_IN rule 10 state 'established'
+set firewall ipv4 name WAN_IN rule 10 state 'related'
+set firewall ipv4 name WAN_IN rule 20 action 'drop'
+set firewall ipv4 name WAN_IN rule 20 description 'Drop invalid state'
+set firewall ipv4 name WAN_IN rule 20 state 'invalid'
+set firewall ipv4 name WAN_IN rule 1000 action 'accept'
+set firewall ipv4 name WAN_IN rule 1000 description 'Plex'
+set firewall ipv4 name WAN_IN rule 1000 destination port '32400'
+set firewall ipv4 name WAN_IN rule 1000 protocol 'tcp_udp'
+set firewall ipv4 name WAN_IN rule 1000 state 'new'
+set firewall ipv4 name WAN_IN rule 1001 action 'accept'
+set firewall ipv4 name WAN_IN rule 1001 description 'BitTorrent'
+set firewall ipv4 name WAN_IN rule 1001 destination port '49500'
+set firewall ipv4 name WAN_IN rule 1001 protocol 'tcp_udp'
+set firewall ipv4 name WAN_IN rule 1001 state 'new'
+set firewall ipv4 name WAN_IN rule 1002 action 'accept'
+set firewall ipv4 name WAN_IN rule 1002 description 'WireGuard'
+set firewall ipv4 name WAN_IN rule 1002 destination port '53820-53829'
+set firewall ipv4 name WAN_IN rule 1002 protocol 'tcp_udp'
+set firewall ipv4 name WAN_IN rule 1002 state 'new'
+set firewall ipv4 name WAN_IN rule 1003 action 'accept'
+set firewall ipv4 name WAN_IN rule 1003 description 'Minecraft'
+set firewall ipv4 name WAN_IN rule 1003 destination port '25565'
+set firewall ipv4 name WAN_IN rule 1003 protocol 'tcp_udp'
+set firewall ipv4 name WAN_IN rule 1003 state 'new'
+set firewall ipv4 name WAN_IN rule 1005 action 'accept'
+set firewall ipv4 name WAN_IN rule 1005 description 'Web'
+set firewall ipv4 name WAN_IN rule 1005 destination port '443,80'
+set firewall ipv4 name WAN_IN rule 1005 protocol 'tcp_udp'
+set firewall ipv4 name WAN_IN rule 1005 state 'new'
+set firewall ipv4 name WAN_LOCAL default-action 'drop'
+set firewall ipv4 name WAN_LOCAL description 'WAN to router'
+set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
+set firewall ipv4 name WAN_LOCAL rule 10 description 'Allow established/related'
+set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
+set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
+set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
+set firewall ipv4 name WAN_LOCAL rule 20 protocol 'icmp'
+set firewall ipv4 name WAN_LOCAL rule 20 state 'new'
+set firewall ipv4 name WAN_LOCAL rule 30 action 'drop'
+set firewall ipv4 name WAN_LOCAL rule 30 description 'Drop invalid state'
+set firewall ipv4 name WAN_LOCAL rule 30 state 'invalid'
+set firewall ipv4 output filter default-action 'accept'
+set firewall ipv4 output filter rule 101 action 'jump'
+set firewall ipv4 output filter rule 101 jump-target 'LOCAL_IN'
+set firewall ipv4 output filter rule 101 outbound-interface group 'IG_LAN'
+set firewall ipv4 output filter rule 106 action 'jump'
+set firewall ipv4 output filter rule 106 jump-target 'LOCAL_WAN'
+set firewall ipv4 output filter rule 106 outbound-interface group 'IG_WAN'
+set firewall ipv4 output filter rule 111 action 'drop'
+set firewall ipv6 forward filter default-action 'accept'
+set firewall ipv6 forward filter rule 101 action 'accept'
+set firewall ipv6 forward filter rule 101 inbound-interface group 'IG_LAN'
+set firewall ipv6 forward filter rule 101 outbound-interface group 'IG_LAN'
+set firewall ipv6 forward filter rule 106 action 'drop'
+set firewall ipv6 forward filter rule 106 description 'zone_LAN default-action'
+set firewall ipv6 forward filter rule 106 outbound-interface group 'IG_LAN'
+set firewall ipv6 forward filter rule 111 action 'accept'
+set firewall ipv6 forward filter rule 111 inbound-interface group 'IG_WAN'
+set firewall ipv6 forward filter rule 111 outbound-interface group 'IG_WAN'
+set firewall ipv6 forward filter rule 116 action 'drop'
+set firewall ipv6 forward filter rule 116 description 'zone_WAN default-action'
+set firewall ipv6 forward filter rule 116 outbound-interface group 'IG_WAN'
+set firewall ipv6 input filter default-action 'accept'
+set firewall ipv6 input filter rule 101 action 'drop'
+set firewall ipv6 output filter default-action 'accept'
+set firewall ipv6 output filter rule 101 action 'drop'
diff --git a/wizard/config/interfaces.sh b/wizard/config/interfaces.sh
new file mode 100644
index 0000000..08a740e
--- /dev/null
+++ b/wizard/config/interfaces.sh
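Review bot: `set firewall ipv4 name WAN_IN rule 1002 protocol 'tcp_udp'` admits new TCP connections on 53820-53829 although WireGuard is UDP-only, so the TCP half of that rule (and of DNAT rule 1002 in nat.sh) forwards traffic toward ports nothing should be listening on; `protocol 'udp'` is the narrower match. The ipv4 input and output chains both end in an unconditional drop (rule 111) after rules that match only the IG_LAN and IG_WAN groups, so packets on `lo` and on the eth5/eth5.201 underlay fall through to the drop unless VyOS exempts them — worth confirming on the running system before automated deployment relies on this file. Forward rule 5 and input rule 5 match `pppoe1` by name and jump to the same targets as rules 106, which match IG_WAN, a group that already contains pppoe1; the name-based rules are redundant and will silently stop matching if the WAN interface is ever renamed, so either remove them or add a comment saying why both forms are kept.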
@@ -0,0 +1,21 @@
+set interfaces ethernet eth0 hw-id 'd4:3d:7e:94:6e:eb'
+set interfaces ethernet eth5 address 'dhcp'
+set interfaces ethernet eth5 hw-id '6c:b3:11:32:46:24'
+set interfaces ethernet eth5 offload sg
+set interfaces ethernet eth5 offload tso
+set interfaces ethernet eth5 vif 201
+set interfaces ethernet eth6 address '192.168.1.1/24'
+set interfaces ethernet eth6 description 'Primary Switch'
+set interfaces ethernet eth6 duplex 'auto'
+set interfaces ethernet eth6 hw-id '6c:b3:11:32:46:25'
+set interfaces ethernet eth6 offload rps
+set interfaces ethernet eth6 offload sg
+set interfaces ethernet eth6 offload tso
+set interfaces ethernet eth6 speed 'auto'
+set interfaces loopback lo
+set interfaces pppoe pppoe1 authentication password $INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD
+set interfaces pppoe pppoe1 authentication username 'hafnerjoseph'
+set interfaces pppoe pppoe1 ip adjust-mss '1452'
+set interfaces pppoe pppoe1 mtu '1492'
+set interfaces pppoe pppoe1 no-peer-dns
+set interfaces pppoe pppoe1 source-interface 'eth5.201'
diff --git a/wizard/config/nat.sh b/wizard/config/nat.sh
new file mode 100644
index 0000000..ddcb7ef
--- /dev/null
+++ b/wizard/config/nat.sh
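Review bot: `$INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD` is expanded unquoted and without an unset check, so a missing or empty environment variable runs `set interfaces pppoe pppoe1 authentication password` with no value and a password containing whitespace is split into several words; `"${INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD:?}"` makes the deployment abort loudly instead of committing a broken or empty credential. The same applies to the four `$SYSTEM_LOGIN_USER_VYOS_…` expansions in system.sh (the crypt hash and OTP seed in particular). None of the sourced files states which environment variables it expects; a header comment in each listing them would make the contract with the deployment tooling visible.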
@@ -0,0 +1,59 @@
+set nat destination rule 1000 description 'Plex'
+set nat destination rule 1000 destination port '32400'
+set nat destination rule 1000 inbound-interface name 'pppoe1'
+set nat destination rule 1000 protocol 'tcp_udp'
+set nat destination rule 1000 translation address '192.168.1.23'
+set nat destination rule 1001 description 'BitTorrent'
+set nat destination rule 1001 destination port '49500'
+set nat destination rule 1001 inbound-interface name 'pppoe1'
+set nat destination rule 1001 protocol 'tcp_udp'
+set nat destination rule 1001 translation address '192.168.1.23'
+set nat destination rule 1002 description 'WireGuard'
+set nat destination rule 1002 destination port '53820-53829'
+set nat destination rule 1002 inbound-interface name 'pppoe1'
+set nat destination rule 1002 protocol 'tcp_udp'
+set nat destination rule 1002 translation address '192.168.1.23'
+set nat destination rule 1003 description 'Minecraft'
+set nat destination rule 1003 destination port '25565'
+set nat destination rule 1003 inbound-interface name 'pppoe1'
+set nat destination rule 1003 protocol 'tcp_udp'
+set nat destination rule 1003 translation address '192.168.1.23'
+set nat destination rule 1005 description 'Web'
+set nat destination rule 1005 destination port '443,80'
+set nat destination rule 1005 inbound-interface name 'pppoe1'
+set nat destination rule 1005 protocol 'tcp_udp'
+set nat destination rule 1005 translation address '192.168.1.23'
+set nat destination rule 1100 description 'Plex (Hairpin NAT)'
+set nat destination rule 1100 destination address '174.21.35.181'
+set nat destination rule 1100 destination port '32400'
+set nat destination rule 1100 inbound-interface name 'eth6'
+set nat destination rule 1100 protocol 'tcp_udp'
+set nat destination rule 1100 translation address '192.168.1.23'
+set nat destination rule 1102 description 'Wireguard (Hairpin NAT)'
+set nat destination rule 1102 destination address '174.21.35.181'
+set nat destination rule 1102 destination port '53820-53829'
+set nat destination rule 1102 inbound-interface name 'eth6'
+set nat destination rule 1102 protocol 'tcp_udp'
+set nat destination rule 1102 translation address '192.168.1.23'
+set nat destination rule 1103 description 'Minecraft (Hairpin NAT)'
+set nat destination rule 1103 destination address '174.21.35.181'
+set nat destination rule 1103 destination port '25565'
+set nat destination rule 1103 inbound-interface name 'eth6'
+set nat destination rule 1103 protocol 'tcp_udp'
+set nat destination rule 1103 translation address '192.168.1.23'
+set nat destination rule 1105 description 'Web (Hairpin NAT)'
+set nat destination rule 1105 destination address '174.21.35.181'
+set nat destination rule 1105 destination port '80,443'
+set nat destination rule 1105 inbound-interface name 'eth6'
+set nat destination rule 1105 protocol 'tcp_udp'
+set nat destination rule 1105 translation address '192.168.1.23'
+set nat source rule 99 description 'Masquerade as public IP on internet'
+set nat source rule 99 outbound-interface name 'pppoe1'
+set nat source rule 99 source address '192.168.1.0/24'
+set nat source rule 99 translation address 'masquerade'
+set nat source rule 100 description 'NAT Reflection'
+set nat source rule 100 destination address '192.168.1.0/24'
+set nat source rule 100 outbound-interface name 'eth6'
+set nat source rule 100 protocol 'tcp_udp'
+set nat source rule 100 source address '192.168.1.0/24'
+set nat source rule 100 translation address 'masquerade'
diff --git a/wizard/config/qos.sh b/wizard/config/qos.sh
new file mode 100644
index 0000000..b8e803e
--- /dev/null
+++ b/wizard/config/qos.sh
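Review bot: The public address `174.21.35.181` is hard-coded into the four hairpin rules (1100, 1102, 1103, 1105) while system.sh schedules `/home/vyos/ipupdate.sh` every five minutes under the name `update-nat-reflection`, which presumably rewrites that address; the literal committed here is therefore only correct until the first scheduled run and will drift from whatever the script maintains, so it should come from a placeholder in the same style as the credentials, e.g. `$NAT_REFLECTION_PUBLIC_ADDRESS` (constructed name), with a comment naming the script that keeps it current. The port literals for Plex, BitTorrent, WireGuard, Minecraft and Web are duplicated between these DNAT rules and the WAN_IN rules in firewall.sh, and rule 1105 already spells the web ports as `'80,443'` against `'443,80'` there; a comment cross-referencing the rule numbers, or one shared variable per service, would keep the two files from diverging. BitTorrent (rule 1001) is the only forwarded service without a hairpin counterpart; if that is deliberate it deserves a one-line note.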
@@ -0,0 +1,7 @@
+set qos interface eth6 egress 'GIGABIT-FQCODEL'
+set qos interface pppoe1 ingress 'LIMITER'
+set qos policy fq-codel GIGABIT-FQCODEL codel-quantum '8000'
+set qos policy fq-codel GIGABIT-FQCODEL flows '1024'
+set qos policy fq-codel GIGABIT-FQCODEL queue-limit '800'
+set qos policy limiter LIMITER default bandwidth '700mbit'
+set qos policy limiter LIMITER default burst '262.5mbit'
diff --git a/wizard/config/service.sh b/wizard/config/service.sh
new file mode 100644
index 0000000..46d9b9b
--- /dev/null
+++ b/wizard/config/service.sh
@@ -0,0 +1,53 @@
+set service dhcp-server shared-network-name LAN domain-name 'local'
+set service dhcp-server shared-network-name LAN domain-search 'local'
+set service dhcp-server shared-network-name LAN name-server '192.168.1.32'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router '192.168.1.1'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease '86400'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 1 start '192.168.1.100'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 1 stop '192.168.1.254'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping U6-Lite ip-address '192.168.1.3'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping U6-Lite mac-address '78:45:58:67:87:14'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping UAP-AC-LR ip-address '192.168.1.2'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping UAP-AC-LR mac-address '18:e8:29:50:f7:5b'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-desktop ip-address '192.168.1.100'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-desktop mac-address '04:92:26:DA:BA:C5'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas ip-address '192.168.1.10'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas mac-address '40:8d:5c:52:41:89'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas2 ip-address '192.168.1.11'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas2 mac-address '90:2b:34:37:ce:ea'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server2 ip-address '192.168.1.24'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server2 mac-address '24:4b:fe:57:bc:85'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server3 ip-address '192.168.1.25'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server3 mac-address '78:45:c4:05:4f:21'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server4 ip-address '192.168.1.26'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server4 mac-address '90:2b:34:37:ce:e8'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole1 ip-address '192.168.1.21'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole1 mac-address 'b8:27:eb:3c:8e:bb'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole2 ip-address '192.168.1.22'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole2 mac-address 'b8:27:eb:ff:76:6e'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-1 ip-address '192.168.1.50'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-1 mac-address '3C:61:05:F6:44:1E'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-2 ip-address '192.168.1.51'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-2 mac-address '3c:61:05:f6:d7:d3'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-3 ip-address '192.168.1.52'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-3 mac-address '3c:61:05:f6:f0:62'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse1 ip-address '192.168.1.31'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse1 mac-address '6c:2b:59:37:89:40'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse2 ip-address '192.168.1.32'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse2 mac-address '6c:2b:59:37:9e:91'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse3 ip-address '192.168.1.33'
+set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse3 mac-address '6c:2b:59:37:9e:00'
+set service dns forwarding allow-from '192.168.1.0/24'
+set service dns forwarding cache-size '1000000'
+set service dns forwarding listen-address '192.168.1.1'
+set service dns forwarding name-server 192.168.1.32
+set service monitoring telegraf prometheus-client
+set service ntp allow-client address '0.0.0.0/0'
+set service ntp allow-client address '::/0'
+set service ntp server time-a-wwv.nist.gov
+set service ntp server time-b-wwv.nist.gov
+set service ntp server time-c-wwv.nist.gov
+set service ntp server time-d-wwv.nist.gov
+set service ntp server time-e-wwv.nist.gov
+set service ssh disable-password-authentication
+set service ssh port '22'
diff --git a/wizard/config/system.sh b/wizard/config/system.sh
new file mode 100644
index 0000000..caafbc5
--- /dev/null
+++ b/wizard/config/system.sh
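Review bot: `set service ntp allow-client address '0.0.0.0/0'` and `'::/0'` let any source query the NTP server, whereas DNS forwarding a few lines above is scoped with `allow-from '192.168.1.0/24'`; the WAN_LOCAL chain in firewall.sh is then the only thing keeping Internet clients out, so scope NTP to the LAN prefix the same way and keep the service allow-lists and the firewall in agreement. Static mapping `joey-desktop` is pinned to 192.168.1.100, which is also the first address of dynamic `range 1` (start '192.168.1.100'), so the pool can hand that address to another client; either start the range above the reserved hosts or move the mapping out of it. `set service monitoring telegraf prometheus-client` enables the metrics endpoint with no listen address or client restriction, so its reachability depends entirely on the firewall; a comment stating the intended consumer would help. The static-mapping MAC addresses mix upper and lower case (`04:92:26:DA:BA:C5`, `3C:61:05:F6:44:1E`); normalising to lower case keeps the file grep-able and diff-stable.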
@@ -0,0 +1,32 @@
+set system config-management commit-revisions '200'
+set system conntrack expect-table-size '8192'
+set system conntrack hash-size '32768'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system conntrack table-size '262144'
+set system conntrack timeout tcp time-wait '15'
+set system console device ttyS0 speed '115200'
+set system host-name 'vyos'
+set system login banner
+set system login user vyos authentication encrypted-password $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_ENCRYPTEDPASSWORD
+set system login user vyos authentication otp key $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_OTP_KEY
+set system login user vyos authentication otp rate-limit '3'
+set system login user vyos authentication otp rate-time '30'
+set system login user vyos authentication otp window-size '3'
+set system login user vyos authentication public-keys deploy@gitea.jafner.tools key $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_PUBLICKEYS_deploygiteajafnertools_KEY
+set system login user vyos authentication public-keys deploy@gitea.jafner.tools type 'ssh-ed25519'
+set system login user vyos authentication public-keys jafner425@gmail.com key $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_PUBLICKEYS_jafner425gmailcom_KEY
+set system login user vyos authentication public-keys jafner425@gmail.com type 'ssh-ed25519'
+set system name-server '192.168.1.32'
+set system name-server 'eth5'
+set system option performance 'latency'
+set system syslog global facility all level 'info'
+set system syslog global facility local7 level 'debug'
+set system task-scheduler task update-nat-reflection executable path '/home/vyos/ipupdate.sh'
+set system task-scheduler task update-nat-reflection interval '5'
+set system time-zone 'America/Los_Angeles'
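Review bot: `set system conntrack modules ftp` through `… modules tftp` load all seven connection-tracking helpers, and each one inspects application payload to open dynamic pinholes through the firewall on the protocol's behalf; enable only the helpers for protocols this router actually carries and add a comment per module naming the service that needs it. `set system task-scheduler task update-nat-reflection executable path '/home/vyos/ipupdate.sh'` runs a script out of a login user's home directory on a schedule that presumably executes with root privileges (VyOS drives task-scheduler through cron), so the integrity of that file rests on home-directory permissions rather than on a root-owned path; `/config/scripts/` with the script tracked in this repository would be safer, and since the script is not part of this commit a comment naming where it comes from is needed either way. `set system login banner` creates the node with no value, which looks like a leftover from a config export — confirm it is intentional.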