Protectli home-router setup for CentOS 8: a dnsmasq configuration (DHCP/DNS for the LAN), the /etc/hosts it serves, the two ifcfg network scripts (WAN enp1s0, LAN enp2s0) and a one-shot setup script (forwarding, sshd hardening, firewalld zones, dnsmasq start delay). Gist file names cannot contain "/", so "_" stands in for it.
# Initial from: https://wiki.archlinux.org/index.php/dnsmasq | |
# Some from: https://www.tecmint.com/setup-a-dns-dhcp-server-using-dnsmasq-on-centos-rhel/ | |
#listen-address=::1,127.0.0.1,192.168.2.1 | |
# Cloudflare | |
#server=1.1.1.1 | |
#server=1.0.0.1 | |
# Cloudflare family block malware | |
#server=1.1.1.2 | |
#server=1.0.0.2 | |
# Cloudflare for Families (malware + adult-content filtering). Upstream queries
# still leave the router as plain DNS (dnsmasq does not speak DoT/DoH), so
# anything on the WAN path can read or rewrite them: treat the filter as a
# convenience, not a security boundary.
server=1.1.1.3 | |
server=1.0.0.3 | |
# Set number of cached domains (default is 150) | |
cache-size=1000 | |
expand-hosts | |
# Serve only the router's LAN NIC. With interface= on its own, dnsmasq still
# binds the wildcard address (tcp/udp 53 and udp 67 on every interface, WAN
# included) so it can cope with interfaces that appear later, and relies on
# its own checks to discard requests that arrive elsewhere:
interface=enp2s0 | |
# On a box with a WAN side that is not good enough: bind-interfaces makes
# dnsmasq bind only enp2s0's address, so 53/67 are never listening on the WAN
# interface and the kernel, not dnsmasq, rejects stray packets. The firewalld
# lan zone (the only zone that admits the dns/dhcp services) is the second
# layer, not a replacement for this.
# Worth adding alongside: domain-needed and bogus-priv, so bare hostnames and
# reverse lookups for private ranges are never forwarded to Cloudflare.
# NOTE(review): stop-dns-rebind is also commonly set on a home router; the
# address=/... records at the bottom are answered locally, not from upstream,
# so they are unaffected by it - confirm any upstream zone that legitimately
# resolves to private space and whitelist it with rebind-domain-ok.
bind-interfaces | |
# Optionally set a domain name | |
domain=<redacted>.org | |
# Set default gateway | |
dhcp-option=3,192.168.2.1 | |
# Set DNS servers to announce | |
dhcp-option=6,192.168.2.1 | |
# If your dnsmasq server is also doing the routing for your network, | |
# you can use option 121 to push a static route out. | |
# x.x.x.x is the destination LAN, yy is the CIDR notation (usually /24), | |
# and z.z.z.z is the host which will do the routing. | |
#dhcp-option=121,x.x.x.x/yy,z.z.z.z | |
# Dynamic range of IPs to make available to LAN PC and the lease time. | |
# Ideally set the lease time to 5m only at first to test everything | |
# works okay before you set long-lasting records. | |
dhcp-range=192.168.2.50,192.168.2.200,12h | |
#dhcp-range=192.168.2.50,192.168.2.200,5m | |
# Specify lease file so we can easily lookup assignments | |
dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases | |
# IPv6 on the LAN: ra-only makes dnsmasq send Router Advertisements for this
# /64 so clients self-configure with SLAAC; no DHCPv6 leases are handed out in
# this mode, so there are no per-host IPv6 records in the lease file.
# aaaa:bbbb:cccc:dddd:: is a placeholder for the real prefix.
dhcp-range=aaaa:bbbb:cccc:dddd::,ra-only,infinite | |
# If you’d like to have dnsmasq assign static IPs to some clients, | |
# bind the LAN computers | |
# NIC MAC addresses: | |
dhcp-host=e8:40:f2:<redacted>,192.168.2.2 # benssystem76 | |
dhcp-host=de:59:ad:<redacted>,192.168.2.3 # T580 wifi | |
dhcp-host=48:2a:e3:<redacted>,192.168.2.4 # T580 eth | |
dhcp-host=e4:43:4b:<redacted>,192.168.2.5 # Dell R620 (Blue) | |
dhcp-host=18:66:da:<redacted>,192.168.2.6 # Dell Optiplex | |
dhcp-host=52:54:00:<redacted>,192.168.2.7 # OCP Bastion | |
dhcp-host=52:54:00:<redacted>,192.168.2.8 # OCP Load Balancer | |
dhcp-host=52:54:00:<redacted>,192.168.2.9 # OCP Bootstrap machine | |
dhcp-host=52:54:00:<redacted>,192.168.2.10 # OCP Master 1 | |
dhcp-host=52:54:00:<redacted>,192.168.2.11 # OCP Master 2 | |
dhcp-host=52:54:00:<redacted>,192.168.2.12 # OCP Master 3 | |
dhcp-host=52:54:00:<redacted>,192.168.2.13 # OCP Worker 1 | |
dhcp-host=52:54:00:<redacted>,192.168.2.14 # OCP Worker 2 | |
# Authoritative mode: dnsmasq NAKs lease requests it has no record of, so
# clients still holding leases from a previous DHCP server renumber quickly.
# Only correct while this is the sole DHCP server on the LAN.
dhcp-authoritative | |
# DNS records that are not hosts: the OpenShift API names and the wildcard
# *.apps zone all point at the load balancer (192.168.2.8, ocploadbalancer).
# dnsmasq only serves enp2s0, so these are LAN-only (split-horizon) answers.
address=/api.ocpfc.<redacted>.org/192.168.2.8 | |
address=/api-int.ocpfc.<redacted>.org/192.168.2.8 | |
address=/.apps.ocpfc.<redacted>.org/192.168.2.8 |
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 | |
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 | |
192.168.2.1 router router.<redacted>.org | |
192.168.2.2 desktop desktop.<redacted>.org | |
192.168.2.3 t580 t580.<redacted>.org | |
192.168.2.4 t580eth t580eth.<redacted>.org | |
192.168.2.5 r1 r1.<redacted>.org blue blue.<redacted>.org r620 r620.<redacted>.org # R1 (Blue) | |
192.168.2.6 optiplex optiplex.<redacted>.org | |
192.168.2.7 ocpbastion ocpbastion.<redacted>.org | |
192.168.2.8 ocploadbalancer ocploadbalancer.<redacted>.org | |
192.168.2.9 ocpbootstrap ocpbootstrap.<redacted>.org # OCP Bootstrap machine | |
192.168.2.10 ocpmaster1 ocpmaster1.<redacted>.org # OCP Master 1 | |
192.168.2.11 ocpmaster2 ocpmaster2.<redacted>.org # OCP Master 2 | |
192.168.2.12 ocpmaster3 ocpmaster3.<redacted>.org # OCP Master 3 | |
192.168.2.13 ocpworker1 ocpworker1.<redacted>.org # OCP Worker 1 | |
192.168.2.14 ocpworker2 ocpworker2.<redacted>.org # OCP Worker 2 | |
192.168.2.15 ocpworker3 ocpworker3.<redacted>.org # OCP Worker 3 | |
192.168.2.16 ocpworker4 ocpworker4.<redacted>.org # OCP Worker 4 | |
192.168.2.17 blabdriver blabdriver.<redacted>.org # Blab Driver | |
192.168.2.18 wplocal wplocal.<redacted>.org # Word Press local | |
192.168.2.20 green green.<redacted>.org r2 r2.<redacted>.org # R2 (Green) | |
192.168.2.21 benspi benspi.<redacted>.org | |
192.168.2.22 benspi2 benspi2.<redacted>.org | |
# Wifi devices - NOTE(review): these sit on 192.168.1.0/24, not the
# 192.168.2.0/24 that enp2s0 serves; confirm the router has a route to that
# subnet, otherwise these names resolve to unreachable addresses.
192.168.1.50 laptop laptop.<redacted>.org | |
192.168.1.51 pinebook pinebook.<redacted>.org | |
# This hosts file is brought to you by Dan Pollock and can be found at | |
# http://someonewhocares.org/hosts/ | |
# You are free to copy and distribute this file for non-commercial uses, | |
# as long the original URL and attribution is included. | |
# | |
# See below for acknowledgements. | |
# Please forward any additions, corrections or comments by email to | |
# hosts@someonewhocares.org | |
##### The block-list contents are omitted here to keep the gist small; fetch
##### them from the URL above. Fetch over HTTPS and review the content before
##### appending it: dnsmasq hands every line of this file to all LAN clients,
##### so a tampered or poisoned list redirects names network-wide.
# WAN uplink (enp1s0): address from the ISP over DHCP, placed in the
# firewalld "wan" zone (ZONE= is honoured by NetworkManager, NM_CONTROLLED=yes).
TYPE=Ethernet
NAME=enp1s0
UUID=cd1e4c3d-d1f2-4174-87aa-fe3383d0d17b
DEVICE=enp1s0
ZONE=wan
BOOTPROTO=dhcp
DEFROUTE=yes # default Route - the ISP-supplied gateway becomes the system default
# IPV6_DEFROUTE has no effect while IPV6INIT=no (further down); the commented
# copy near the bottom of this file is a duplicate of this line.
IPV6_DEFROUTE=yes
ONBOOT=yes
NM_CONTROLLED=yes
# Ignore the resolvers the ISP's DHCP offers and use Cloudflare instead.
PEERDNS=no # Don't use DHCP-provided DNS servers
IPV6_PEERDNS=no
DNS1=1.1.1.1 # Cloudflare
DNS2=1.0.0.1
# The IPv6 resolvers are only reachable once IPv6 is enabled below.
DNS3=2606:4700:4700::1111 # Cloudflare IPv6
DNS4=2606:4700:4700::1001 # Cloudflare IPv6
USERCTL=no # non-root users can't control this device
PROXY_METHOD=none
BROWSER_ONLY=no
IPV4_FAILURE_FATAL=no
# IPv6 - disabled currently. To enable it, swap the commented/uncommented
# IPV6INIT and IPV6_AUTOCONF pairs below (IPV6_DEFROUTE=yes is already set
# above, so its commented copy here can stay as is).
IPV6_FAILURE_FATAL=no
IPV6FORWARDING=no
DHCPV6=no
#IPV6INIT=yes
IPV6INIT=no
#IPV6_AUTOCONF=yes
IPV6_AUTOCONF=no
#IPV6_DEFROUTE=yes
IPV6_ADDR_GEN_MODE=stable-privacy
# LAN side (enp2s0): static 192.168.2.1/24 in the firewalld "lan" zone. This
# is the interface dnsmasq binds for DHCP/DNS and the gateway address it
# hands out to clients (dhcp-option=3).
TYPE=Ethernet
NAME=enp2s0
UUID=306feb85-c37e-4677-a224-e26ba61b85ab
DEVICE=enp2s0
ZONE=lan
BOOTPROTO=none
# No GATEWAY= is set on this interface, so DEFROUTE=yes cannot actually make
# it the default route; the WAN interface's DHCP lease provides that.
DEFROUTE=yes
PROXY_METHOD=none
BROWSER_ONLY=no
IPV4_FAILURE_FATAL=no
# NOTE(review): IPV6_AUTOCONF/IPV6_PEERDNS/IPV6_PEERROUTES=yes let the router
# take RAs, RDNSS and routes from the LAN it serves, so any LAN host that
# sends a Router Advertisement could steer this box's IPv6 default route and
# resolvers. A router-facing interface is normally given a static IPv6
# address with IPV6_AUTOCONF=no and IPV6_PEERDNS=no - confirm before changing.
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
ONBOOT=yes
NM_CONTROLLED=yes
# non-root users can't control this device
USERCTL=no
IPADDR=192.168.2.1
PREFIX=24
NETWORK=192.168.2.0
BROADCAST=192.168.2.255
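#!/usr/bin/env bash
# Protectli / CentOS 8 home-router bootstrap: turn on forwarding, lock down
# sshd, build the firewalld lan/wan zones, and delay dnsmasq start-up.
#
# Assumes: run as root on CentOS 8 with firewalld, NetworkManager, dnsmasq and
# policycoreutils (semanage) installed, the ifcfg files for enp1s0 (ZONE=wan)
# and enp2s0 (ZONE=lan) already in place, and an SSH public key installed for
# a NON-root user. The sshd changes below disable both root login and
# password authentication, so a box without such a key becomes unreachable
# over the network - harden_sshd refuses to proceed if none is found.
set -euo pipefail

readonly SSH_PORT=34543
readonly MOSH_PORTS=60000-60100/udp
readonly SYSCTL_FILE=/etc/sysctl.d/01-ip-forward.conf

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Enable IPv4/IPv6 forwarding (and proxy ARP) now and across reboots.
# Writes SYSCTL_FILE, then applies it.
#######################################
enable_forwarding() {
  # Write the literal settings instead of snapshotting the running values
  # (the original did `sysctl key > file`, persisting whatever happened to be
  # set at that moment). The original also enabled net.ipv6.conf.all.forwarding
  # only temporarily and persisted net.ipv4.conf.all.forwarding instead; here
  # the persisted set matches the runtime set. net.ipv4.conf.all.forwarding
  # mirrors ip_forward, so it is not listed separately.
  # NOTE(review): proxy_arp is enabled on *all* interfaces, WAN included,
  # where a NAT router does not need it and it makes this box answer ARP for
  # any address it has a route to. Consider scoping it to enp2s0 or dropping
  # it if nothing on the LAN depends on it - TODO confirm.
  cat > "$SYSCTL_FILE" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1
net.ipv6.conf.all.forwarding = 1
EOF
  sysctl -p "$SYSCTL_FILE"
}

#######################################
# Disable root login and password auth, move sshd to SSH_PORT, label the port
# for SELinux and syntax-check the result. Does NOT restart sshd.
# Globals: SSH_PORT (read)
#######################################
harden_sshd() {
  local cfg=/etc/ssh/sshd_config
  local keys

  # Lock-out guard: at least one non-empty authorized_keys for a non-root
  # user must exist before password auth is switched off. Assumes home
  # directories live under /home - adjust if they do not.
  keys=$(find /home -maxdepth 3 -path '*/.ssh/authorized_keys' -type f -size +0 -print -quit 2>/dev/null)
  [[ -n "$keys" ]] || die "no non-root authorized_keys found under /home; install a key before disabling password auth"

  # Match each directive whether it is currently active or commented out.
  # The original `^PermitRootLogin` / `^PasswordAuthentication` patterns left a
  # commented-out line (`#PermitRootLogin yes`) untouched, silently keeping
  # the default, while `^#Port` only worked if the line WAS commented.
  sed -i -E \
    -e "s/^#?[[:space:]]*PermitRootLogin\b.*/PermitRootLogin no/" \
    -e "s/^#?[[:space:]]*PasswordAuthentication\b.*/PasswordAuthentication no/" \
    -e "s/^#?[[:space:]]*Port\b.*/Port ${SSH_PORT}/" \
    "$cfg"
  # sed reports success even when nothing matched; assert the outcome.
  local want
  for want in 'PermitRootLogin no' 'PasswordAuthentication no' "Port ${SSH_PORT}"; do
    grep -qFx -- "$want" "$cfg" || die "sshd_config: expected a '$want' line after edit"
  done

  # Let sshd bind the new port under SELinux. -a fails if the port is already
  # labelled (e.g. on a re-run), so fall back to modifying the label.
  semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"

  # Refuse to go on with a config sshd will not load; restarting on a broken
  # file is the classic way to lock yourself out of a headless router.
  /usr/sbin/sshd -t
}

#######################################
# Create the lan/wan firewalld zones and populate them (permanent config),
# then reload so the runtime matches. Safe to re-run.
# Globals: SSH_PORT, MOSH_PORTS (read)
#######################################
configure_firewall() {
  local zone
  for zone in lan wan; do
    # --new-zone errors out if the zone already exists; make re-runs safe.
    firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx "$zone" \
      || firewall-cmd --permanent --new-zone="$zone"
  done
  firewall-cmd --reload # new zones must be loaded before they can be populated

  # WAN: NAT for the LAN, plus SSH on the custom port and the mosh UDP range.
  # NOTE(review): a non-default port is obscurity, not a control - sshd is
  # still reachable from the Internet (key-only, no root, but still exposed).
  # If remote administration is not needed, drop the two wan --add-port
  # lines; otherwise consider a rich rule that limits the source address.
  firewall-cmd --permanent --zone=wan --add-masquerade
  firewall-cmd --permanent --zone=wan --add-port="${SSH_PORT}/tcp"
  firewall-cmd --permanent --zone=wan --add-port="$MOSH_PORTS"

  # LAN: DHCP + DNS for dnsmasq, SSH on the custom port, mosh.
  # The stock 'ssh' service (port 22) is deliberately not added: the original
  # added it to both zones and removed it again before any reload, so it never
  # reached the runtime rules and was dead configuration.
  firewall-cmd --permanent --zone=lan --add-service=dhcp
  firewall-cmd --permanent --zone=lan --add-service=dns
  firewall-cmd --permanent --zone=lan --add-port="${SSH_PORT}/tcp"
  firewall-cmd --permanent --zone=lan --add-port="$MOSH_PORTS"
  firewall-cmd --reload
}

#######################################
# Give dnsmasq a 5 second start-up delay via a systemd drop-in, then enable
# and start it.
#######################################
delay_dnsmasq() {
  # The original copied the whole vendor unit into /etc/systemd/system and
  # sed-inserted the sleep; that shadow copy silently stops tracking package
  # updates. A drop-in appends the same ExecStartPre without replacing the
  # unit. The delay presumably covers enp2s0 not being up yet when dnsmasq
  # (bind-interfaces) tries to bind it - TODO confirm; if so,
  # After=/Wants=network-online.target in this drop-in is the principled fix.
  local dir=/etc/systemd/system/dnsmasq.service.d
  mkdir -p "$dir"
  cat > "$dir/startup-delay.conf" <<'EOF'
[Service]
ExecStartPre=/bin/sleep 5
EOF
  systemctl daemon-reload
  systemctl enable --now dnsmasq.service
}

main() {
  [[ $EUID -eq 0 ]] || die "run as root"
  enable_forwarding
  harden_sshd
  configure_firewall
  # Only now move sshd: the runtime firewall already admits SSH_PORT on both
  # zones, and the current session survives the restart.
  systemctl restart sshd
  delay_dnsmasq
}

main "$@"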