tinc split-tunnel with ipset
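#!/bin/sh
# tinc-down (client side): undo everything the client tinc-up installed.
# Deliberately no `set -e`: teardown is best effort, every step is attempted
# even when an earlier one finds nothing left to remove.
set -ux

# ---- deployment values (keep in sync with tinc-up) ------------------------
readonly CLIENT_INTERNAL_IP='<CLIENT_INTERNAL_IP>'   # this node's tunnel address
readonly TUN_DEV=tinc     # tunnel interface (tincd also exports it as $INTERFACE)
readonly LAN_DEV=br0      # LAN bridge hooked into the marking chain
readonly MARK=0xcafe
readonly TABLE=rrtable
readonly CHAIN=rrmark
readonly SET=chnroute

logger "tinc down"

# Detach the chain from the built-in chains FIRST: iptables refuses to delete
# (-X) a chain that is still referenced by a jump, so the previous order
# (flush, delete, then detach) left the chain and its jumps behind.
iptables -t mangle -D OUTPUT -j "$CHAIN"
iptables -t mangle -D PREROUTING -i "$LAN_DEV" -j "$CHAIN"
# Flushing removes the MARK rule as well, so no separate -D of it is needed.
iptables -t mangle -F "$CHAIN"
iptables -t mangle -X "$CHAIN"

ip rule del fwmark "$MARK" table "$TABLE"
iptables -t nat -D POSTROUTING -o "$TUN_DEV" -m mark --mark "$MARK" -j MASQUERADE
ip route del default dev "$TUN_DEV" table "$TABLE"
ip addr del "$CLIENT_INTERNAL_IP/24" dev "$TUN_DEV"
ip link set "$TUN_DEV" down
# The set can only be destroyed once no rule references it (the chain is gone
# by now); tinc-up restores it from its cache file on the next run.
ipset destroy "$SET"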
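#!/bin/sh
# tinc-up (client side): bring up the tunnel interface and install the
# split-tunnel policy routing.
#
#   * destinations NOT in the "chnroute" ipset get fwmark 0xcafe, and a policy
#     rule sends marked traffic through table "rrtable", whose default route
#     points into the tunnel;
#   * destinations in the set, private/special-purpose ranges and the tinc
#     server itself stay on the main routing table.
#
# Needs ipset, iptables and iproute2.  Values in <...> are template
# placeholders to fill in before deployment.
set -eux

# ---- deployment values (keep in sync with tinc-down) ----------------------
readonly CLIENT_INTERNAL_IP='<CLIENT_INTERNAL_IP>'   # this node's tunnel address
readonly SERVER_IP='<SERVER_IP>'                     # public address of the tinc server
readonly TUN_DEV=tinc     # tunnel interface (tincd also exports it as $INTERFACE)
readonly LAN_DEV=br0      # LAN bridge whose forwarded traffic is split-tunnelled too
readonly MARK=0xcafe
readonly TABLE=rrtable
readonly TABLE_ID=233
readonly CHAIN=rrmark
readonly SET=chnroute
readonly ROUTE_LIST=/opt/etc/chnroute.txt      # one prefix per line, '#' comments allowed
readonly ROUTE_CACHE=/tmp/chnroute-ipset.txt   # `ipset save` dump, speeds up re-runs

logger "tinc up"

ip link set "$TUN_DEV" up
ip addr add "$CLIENT_INTERNAL_IP/24" dev "$TUN_DEV"

# ---- chnroute ipset --------------------------------------------------------
# Prefer the set already in the kernel, then the cached dump, then build it
# from the plain list.
if ipset save "$SET" >/dev/null 2>&1; then
  echo "ipset $SET exists"
elif [ -f "$ROUTE_CACHE" ]; then
  # NOTE(review): the cache lives in world-writable /tmp and is fed straight
  # into `ipset restore`, which decides what bypasses the tunnel; on a host
  # with other local users keep it in a root-owned directory instead.
  ipset restore < "$ROUTE_CACHE"
  echo "recovered ipset $SET from file"
else
  # Drop blank and '#' comment lines so they never reach ipset.  `|| :` keeps
  # `set -e` from aborting on a list with no matches; the check below reports
  # that case itself, because an EMPTY set would mark (tunnel) all traffic.
  entries=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -- "$ROUTE_LIST" || :)
  [ -n "$entries" ] || { echo "no prefixes found in $ROUTE_LIST" >&2; exit 1; }
  count=$(printf '%s\n' "$entries" | grep -c '')
  # One `ipset restore` for the whole list instead of one ipset process per
  # prefix: the list has thousands of entries and this runs on a router.
  {
    printf 'create %s hash:net maxelem %s\n' "$SET" "$count"
    printf '%s\n' "$entries" | awk -v set="$SET" '{ print "add", set, $1 }'
  } | ipset restore
  ipset save "$SET" > "$ROUTE_CACHE"
  echo "created ipset $SET from routers"
fi

# ---- marking chain ---------------------------------------------------------
# Create on first run, then always flush, so a re-run never duplicates rules.
iptables -t mangle -L "$CHAIN" -n >/dev/null 2>&1 || iptables -t mangle -N "$CHAIN"
iptables -t mangle -F "$CHAIN"
# Never mark traffic to the server itself: the tunnel's own transport would
# otherwise be routed into the tunnel and loop.
iptables -t mangle -A "$CHAIN" -d "$SERVER_IP" -j RETURN
# Private, link-local, multicast and other special-purpose ranges stay local.
for net in \
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
  172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 \
  198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 \
  255.255.255.255/32
do
  iptables -t mangle -A "$CHAIN" -d "$net" -j RETURN
done
# Everything else that is not in the set is the split-tunnel traffic.
iptables -t mangle -A "$CHAIN" -m set ! --match-set "$SET" dst -j MARK --set-mark "$MARK"

# Loose reverse-path filtering (2) on the tunnel interface only -- presumably
# because replies to marked flows come back over tinc although the main table
# would route their source elsewhere; confirm before tightening.  Earlier
# iterations set it on default/all/eth0 as well.
echo 2 > "/proc/sys/net/ipv4/conf/$TUN_DEV/rp_filter"

# Hook the chain for locally generated and LAN-forwarded traffic (idempotent).
iptables -t mangle -C OUTPUT -j "$CHAIN" 2>/dev/null \
  || iptables -t mangle -A OUTPUT -j "$CHAIN"
iptables -t mangle -C PREROUTING -i "$LAN_DEV" -j "$CHAIN" 2>/dev/null \
  || iptables -t mangle -A PREROUTING -i "$LAN_DEV" -j "$CHAIN"

# ---- policy routing --------------------------------------------------------
# Register the table name by APPENDING: rt_tables also holds the built-in
# local/main/default entries, so it must never be truncated with `>`.
grep -qsw -- "$TABLE" /etc/iproute2/rt_tables \
  || printf '%s %s\n' "$TABLE_ID" "$TABLE" >> /etc/iproute2/rt_tables
ip route replace default dev "$TUN_DEV" table "$TABLE"
# `ip rule add` happily creates duplicates; drop any stale copy first
# (absent on a first run, hence the tolerated failure).
ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || :
ip rule add fwmark "$MARK" table "$TABLE"
# Marked traffic leaves with the tunnel address as its source.
iptables -t nat -C POSTROUTING -o "$TUN_DEV" -m mark --mark "$MARK" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o "$TUN_DEV" -m mark --mark "$MARK" -j MASQUERADE
echo Done.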
1. https://bigeagle.me/2016/02/ipset-policy-routing/
4. https://www.tinc-vpn.org/examples/redirect-gateway/
5. https://tinc.tinc-vpn.narkive.com/1JXOnx1C/subnet-specification-for-tinc-node-as-default-gateway
2. https://typeblog.net/set-up-shadowsocks-with-iptables-and-ipset-on-archlinux/
3. https://zohead.com/archives/openwrt-openvpn-ipset/
6. https://www.linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/
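#!/bin/sh
# This file closes down the tap device.
# tinc-down (server side): remove the address, the interface and the
# forwarding/NAT rules that the server tinc-up installed.
# Best effort on purpose: no `set -e`, so one missing rule does not leave the
# rest behind (the client-side tinc-down behaves the same way).
set -ux

readonly SERVER_INTERNAL_IP='<SERVER_INTERNAL_IP>'   # server's address on the tunnel
# NOTE(review): tinc-up adds the FORWARD rule with -i <CLIENT_DEVICE_NAME>;
# both placeholders must resolve to the same interface or this -D never
# matches the rule that was added.
readonly FWD_DEV='<SERVER_DEVICE_NAME>'
readonly WAN_DEV=eth0
# $INTERFACE is the tap device name exported by tincd; fail early if unset.
tap=${INTERFACE:?INTERFACE (tap device name) must be set}

ip addr del "$SERVER_INTERNAL_IP/24" dev "$tap"
ip link set "$tap" down
iptables -D FORWARD -i "$FWD_DEV" -j ACCEPT
iptables -t nat -D POSTROUTING -o "$WAN_DEV" -j MASQUERADE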
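#!/bin/sh
# This file sets up the tap device.
# It gives you the freedom to do anything you want with it.
# Use the correct name for the tap device:
# The environment variable $INTERFACE is set to the right name
# on most platforms, but if it doesn't work try to set it manually.
# Give it the right ip and netmask. Remember, the subnet of the
# tap device must be larger than that of the individual Subnets
# as defined in the host configuration file!
#
# Beyond the stock tinc-up, this one also accepts forwarded traffic from the
# given interface and masquerades it out of the WAN interface, so the server
# can act as the clients' gateway.
set -eux

readonly SERVER_INTERNAL_IP='<SERVER_INTERNAL_IP>'   # server's address on the tunnel
readonly FWD_DEV='<CLIENT_DEVICE_NAME>'   # interface whose forwarded traffic is accepted
readonly WAN_DEV=eth0
# $INTERFACE is the tap device name exported by tincd; fail early if unset.
tap=${INTERFACE:?INTERFACE (tap device name) must be set}

ip link set "$tap" up
ip addr add "$SERVER_INTERNAL_IP/24" dev "$tap"

# Check-before-append so a re-run does not stack duplicate rules.
# NOTE(review): net.ipv4.ip_forward must be enabled for these rules to have
# any effect; it is not touched here -- confirm it is set elsewhere.
iptables -C FORWARD -i "$FWD_DEV" -j ACCEPT 2>/dev/null \
  || iptables -A FORWARD -i "$FWD_DEV" -j ACCEPT
# NOTE(review): this masquerades everything leaving eth0, not only tunnel
# traffic; adding `-s <tunnel subnet>` would limit it to what tinc forwards.
iptables -t nat -C POSTROUTING -o "$WAN_DEV" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o "$WAN_DEV" -j MASQUERADE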