DN42 Startup
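#!/bin/bash
# ----------------
# DN42 node bootstrap.  Fill in every value below before running this as root;
# each later heredoc interpolates them into bird / snmpd / lgproxy config.
AS=
SUBNET=
ROUTER_ID=
GATEWAY_IP=
SUBNET_v6=
GATEWAY_IP_v6=
SNMP_IP=
SNMP_PASS=
# Random token used later when patching lgproxy.py.  The original derived it
# from the current epoch second (date +%s | sha256sum | base64), which anyone
# who knows roughly when the host was set up can reproduce in a handful of
# tries; /dev/urandom is used instead.  Only [A-Za-z0-9] survive the tr, so
# the value is safe to drop into a sed replacement or a shell line.
PUBLIC_IP=$(head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | head -c 32)
# An empty value yields an incomplete config further down (e.g. "router id ;"
# in local4.conf, or a com2sec line with no community), so stop early.
for required in AS SUBNET ROUTER_ID GATEWAY_IP SUBNET_v6 GATEWAY_IP_v6 SNMP_IP SNMP_PASS; do
  if [ -z "${!required}" ]; then
    echo "$required is not set; edit the header of this script" >&2
    exit 1
  fi
done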
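# ----------------
# Update System
cd ~
apt-get update && apt-get dist-upgrade -y
# Install bird
# lsb-release is needed for the codename below, wget for the key fetch;
# neither is guaranteed on a minimal install.
apt-get install -y lsb-release wget
# The repository signing key is fetched over HTTPS.  The original used plain
# HTTP, which lets anyone on the network path hand us a different key and
# thereby have every package later installed from this repository trusted.
wget -O - https://bird.network.cz/debian/apt.key | apt-key add -
echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
apt-get update
apt-get install bird -y
# bird (IPv4) and bird6 (IPv6) are separate daemons in this bird version;
# the config written later is picked up by the cron "birdc configure" or a
# manual restart, this script does not reload them itself.
systemctl enable bird
systemctl enable bird6
# Install OpenVPN
apt-get install openvpn -y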
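# IPv4
# bird.conf is written from an unquoted heredoc on purpose: $SUBNET is
# expanded by the shell, everything else in it is literal bird syntax.
cat << EOF > /etc/bird/bird.conf
roa table dn42_roa {
include "bird_roa_dn42.conf";
};
# Device status
protocol device {
scan time 10; # recheck every 10 seconds
}
protocol static {
# Static routes to announce your own range(s) in dn42
route $SUBNET reject;
import all;
export none;
};
# local configuration
######################
# keeping router specific in a seperate file,
# so this configuration can be reused on multiple routers in your network
include "/etc/bird/local4.conf";
# filter helpers
#################
include "/etc/bird/filter4.conf";
# Kernel routing tables
########################
/*
krt_prefsrc defines the source address for outgoing connections.
On Linux, this causes the "src" attribute of a route to be set.
Without this option outgoing connections would use the peering IP which
would cause packet loss if some peering disconnects but the interface
is still available. (The route would still exist and thus route through
the TUN/TAP interface but the VPN daemon would simply drop the packet.)
*/
protocol kernel {
scan time 20;
device routes;
import none;
export filter {
if source = RTS_STATIC then reject;
krt_prefsrc = OWNIP;
accept;
};
};
# DN42
#######
template bgp dnpeers {
local as OWNAS;
# metric is the number of hops between us and the peer
path metric 1;
# this lines allows debugging filter rules
# filtered routes can be looked up in birdc using the "show route filtered" command
import keep filtered;
import filter {
if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
}
# accept every subnet, except our own advertised subnet
# filtering is important, because some guys try to advertise routes like 0.0.0.0
if is_valid_network() && !is_self_net() then {
accept;
}
reject;
};
export filter {
# here we export the whole net
if is_valid_network() then {
accept;
}
reject;
};
import limit 10000 action block;
#source address OWNIP;
};
template bgp locals {
local as OWNAS;
import all;
export all;
direct;
next hop self;
};
include "/etc/bird/peers4/*";
EOF
# Router-specific values, kept apart from bird.conf so that file is reusable.
cat << EOF > /etc/bird/local4.conf
router id $ROUTER_ID;
define OWNAS = $AS;
define OWNIP = $GATEWAY_IP;
function is_self_net() {
return net ~ [$SUBNET+];
}
EOF
# curl and chronic (moreutils) are used below and by the cron job; neither is
# part of a minimal Debian install.  -y makes this a no-op when present.
apt-get install -y curl moreutils
# Build is_valid_network() from the dn42 registry prefix filter.  The
# download is captured first so a failure is reported instead of an error
# page (or nothing) being turned into a prefix list; -f makes curl treat
# HTTP errors as failures.
prefix_filter=$(curl -sfS https://ca.dn42.us/reg/filter.txt) || \
echo "warning: dn42 prefix filter download failed; /etc/bird/filter4.conf will be empty" >&2
printf '%s\n' "$prefix_filter" | \
awk '/^[0-9]/ && $2 ~ /permit/ {printf "%s{%s,%s}\n", $3, $4, $5}' | \
awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n"} \
NR > 1 {printf ",\n"} {printf " %s", $1}
END {printf "\n ];\n}\n"}' > /etc/bird/filter4.conf
# -p: do not fail when the directory already exists (rerun of this script).
mkdir -p /etc/bird/peers4
# ROA table.  -z only re-downloads when the remote copy is newer than the
# local file, -f keeps an HTTP error from overwriting a valid table.
curl -sfSLR -o /etc/bird/bird_roa_dn42.conf -z /etc/bird/bird_roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf
# Refresh the ROA table every 15 minutes.  The original cron line used the
# brace expansion {-o,-z}; cron runs jobs under /bin/sh (dash on Debian),
# which does not perform brace expansion, so curl received the literal
# string.  The options are spelled out here.  crontab -l is silenced because
# it complains on stderr when root has no crontab yet.
crontab -l 2>/dev/null | { cat; echo "*/15 * * * * curl -sfSLR -o /etc/bird/bird_roa_dn42.conf -z /etc/bird/bird_roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf && chronic birdc configure"; } | crontab -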
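# IPv6
# Same layout as the IPv4 side; $SUBNET_v6 is the only shell expansion in
# this heredoc.
cat << EOF > /etc/bird/bird6.conf
roa table dn42_roa {
include "bird6_roa_dn42.conf";
};
protocol device {
scan time 10;
}
# local configuration
######################
include "/etc/bird/local6.conf";
# filter helpers
#################
include "/etc/bird/filter6.conf";
# Kernel routing tables
########################
/*
krt_prefsrc defines the source address for outgoing connections.
On Linux, this causes the "src" attribute of a route to be set.
Without this option outgoing connections would use the peering IP which
would cause packet loss if some peering disconnects but the interface
is still available. (The route would still exist and thus route through
the TUN/TAP interface but the VPN daemon would simply drop the packet.)
*/
protocol kernel {
scan time 20;
device routes;
import none;
export filter {
if source = RTS_STATIC then reject;
krt_prefsrc = OWNIP;
accept;
};
}
# static routes
################
protocol static {
route $SUBNET_v6 reject;
import all;
export none;
}
template bgp dnpeers {
local as OWNAS;
path metric 1;
import keep filtered;
import filter {
if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
}
if is_valid_network() && !is_self_net() then {
accept;
}
reject;
};
export filter {
if is_valid_network() then {
accept;
}
reject;
};
import limit 10000 action block;
}
template bgp locals {
local as OWNAS;
import all;
export all;
direct;
next hop self;
}
include "/etc/bird/peers6/*";
EOF
# Router-specific IPv6 values.  The original heredoc had no terminating EOF,
# so bash swallowed the rest of the script (filter, ROA, SNMP, bird-lg,
# iptables setup) into local6.conf instead of running it.
cat << EOF > /etc/bird/local6.conf
router id $ROUTER_ID;
define OWNAS = $AS;
define OWNIP = $GATEWAY_IP_v6;
function is_self_net() {
return net ~ [$SUBNET_v6+];
}
EOF
# curl and chronic (moreutils) are used below and by the cron job; neither is
# part of a minimal Debian install.  -y makes this a no-op when present.
apt-get install -y curl moreutils
# Build is_valid_network() from the dn42 registry IPv6 prefix filter; the
# download is captured first so a failure is reported rather than parsed.
prefix_filter6=$(curl -sfS https://ca.dn42.us/reg/filter6.txt) || \
echo "warning: dn42 IPv6 prefix filter download failed; /etc/bird/filter6.conf will be empty" >&2
printf '%s\n' "$prefix_filter6" | \
awk '/^[0-9]/ && $2 ~ /permit/ {printf "%s{%s,%s}\n", $3, $4, $5}' | \
awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n"} \
NR > 1 {printf ",\n"} {printf " %s", $1}
END {printf "\n ];\n}\n"}' > /etc/bird/filter6.conf
# -p: tolerate an existing directory on rerun.
mkdir -p /etc/bird/peers6
# ROA table; -z only fetches when newer, -f keeps an HTTP error page out of it.
curl -sfSLR -o /etc/bird/bird6_roa_dn42.conf -z /etc/bird/bird6_roa_dn42.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf
# The {-o,-z} brace expansion of the original line is not performed by
# /bin/sh (dash) under cron, so the options are written out explicitly.
crontab -l 2>/dev/null | { cat; echo "*/15 * * * * curl -sfSLR -o /etc/bird/bird6_roa_dn42.conf -z /etc/bird/bird6_roa_dn42.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf && chronic birdc6 configure"; } | crontab -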
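# Snmp
apt-get install snmpd -y
# Read-only SNMPv2c view (write and notify views are "none") for the single
# source SNMP_IP.  v2c sends the community string in clear text, so the
# com2sec source restriction is what keeps this from being a world-readable
# view.  No agentAddress is set, so snmpd listens on its default (all
# addresses); add one if it should only answer on the SNMP_IP-facing interface.
cat << EOF > /etc/snmp/snmpd.conf
com2sec vnet $SNMP_IP $SNMP_PASS
group vnetGroup v2c vnet
access vnetGroup "" any noauth prefix all none none
view all included .1 80
EOF
# The file now holds the community string; keep it root-only.
chmod 600 /etc/snmp/snmpd.conf
service snmpd restart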
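# Bird-lg
# python-pip / "python" here are the Python 2 packages the upstream project
# was written for; on a release without them this section needs porting.
apt-get install python-pip git -y
pip install flask
pip install dnspython
pip install pydot
# Cloned under /root explicitly so the path matches the rc.local entry added
# later (the original mixed ~/bird-lg and /root/bird-lg).
LG_DIR=/root/bird-lg
git clone https://github.com/sileht/bird-lg "$LG_DIR"
cat << EOF > "$LG_DIR/lgproxy.cfg"
DEBUG=False
LOG_FILE="/var/log/lg-proxy.log"
LOG_LEVEL="WARNING"
ACCESS_LIST = ["170.178.170.232"]
IPV4_SOURCE="$GATEWAY_IP"
IPV6_SOURCE="$GATEWAY_IP_v6"
EOF
# The original was `sed "s/0.0.0.0/$PUBLIC_IP" ... -i`: the s command lacked
# its closing delimiter (sed rejects it) and the dots were unescaped regex
# wildcards.  '|' is the delimiter because the base64-derived PUBLIC_IP may
# contain '/'.
# NOTE(review): PUBLIC_IP is a random token, not an address — confirm what the
# 0.0.0.0 in lgproxy.py is meant to become before relying on this.
sed -i "s|0\.0\.0\.0|$PUBLIC_IP|" "$LG_DIR/lgproxy.py"
# lgproxy runs as root with no supervision and presumably executes birdc for
# the host in ACCESS_LIST; a dedicated user and a service unit would limit
# what a bug in it can do — TODO confirm with the upstream project.
nohup python "$LG_DIR/lgproxy.py" > /dev/null 2>&1 &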
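# Security
# Refuse to forward traffic out of the public interface, i.e. dn42 peers
# cannot use this host as an exit to the internet.  Only the forward-to-eth0
# direction is covered; nothing here filters other interfaces or INPUT.
# -C checks for the rule first so a rerun does not append a duplicate.
# NOTE(review): eth0 is assumed to be the uplink — confirm the interface name.
/sbin/iptables -C FORWARD -o eth0 -j REJECT 2>/dev/null || \
/sbin/iptables -A FORWARD -o eth0 -j REJECT
# rc.local
# Re-apply at boot by inserting before the final line ("exit 0") of
# /etc/rc.local.  Guarded so a rerun does not add the lines twice, and so a
# missing rc.local (not shipped on newer Debian) is reported rather than sed
# failing silently.
if [ -f /etc/rc.local ]; then
  grep -qF 'bird-lg/lgproxy.py' /etc/rc.local || \
  sed -i '$i\nohup python \/root\/bird-lg\/lgproxy.py > \/dev\/null 2>&1 &' /etc/rc.local
  grep -qF 'FORWARD -o eth0 -j REJECT' /etc/rc.local || \
  sed -i '$i\/sbin\/iptables -A FORWARD -o eth0 -j REJECT' /etc/rc.local
else
  echo "warning: /etc/rc.local not found; lgproxy and the iptables rule will not be re-applied at boot" >&2
fi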