From f51727ab22d8ff280c26923e3e9e555c0ff5e801 Mon Sep 17 00:00:00 2001
From: Ludovic Pouzenc <ludovic@pouzenc.fr>
Date: Sun, 3 Jan 2021 13:41:19 +0100
Subject: Import new install script for Debian 10 and a SOHO router

---
 d10-nuc-as-soho-router.sh | 216 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 216 insertions(+)
 create mode 100755 d10-nuc-as-soho-router.sh

diff --git a/d10-nuc-as-soho-router.sh b/d10-nuc-as-soho-router.sh
new file mode 100755
index 0000000..549cab5
--- /dev/null
+++ b/d10-nuc-as-soho-router.sh
@@ -0,0 +1,216 @@
+#!/bin/bash 
+# Successfully used on Intel NUC 7CJYH and Debian 10 to replace a 
+#  Bouygues BBox for French FFTH with external fiber-to-RJ45 module (ONT)
+
+# Edit the following configuration constants to fit your environment
+#  If you want eth0, eth1... names, set GRUB_CMDLINE_LINUX="net.ifnames=0"
+#   in /etc/default/grub then run update-grub && reboot before running this script.
+#
+#  For RT_WAN_MAC snif original box mac address by plugging box WAN port
+#   to a linux computer and with something like "sudo tcpdump -nei eno1 udp".
+#   It happened to work for me with a fake ac:3b:77:01:02:03.
+
+DHCPD_DNSLIST="80.67.169.12,91.224.149.254" # FDN and TTN recursive open-dns
+DHCPD_RANGE="192.168.42.10 192.168.42.254"  # Choose min/max IP within RT_LAN_IP/RT_LAN_MASK 
+PKGS="isc-dhcp-server ssh vlan"
+RT_LAN_IFACE=eth0 # I prefer disabling interface renaming, "stable names" are painful for me
+RT_LAN_IP=192.168.42.1
+RT_LAN_MASK=255.255.255.0
+RT_LAN_NET=192.168.42.0
+RT_WAN_IFACE=eth1 # eth1 is my USB network adapter. I don't want Intel NIC on WAN (security).
+RT_WAN_MAC=ac:3b:77:01:02:03
+RT_WAN_VLAN=100   # Always 100 on Bouygues FTTH network
+#SSH_KEY="ssh-rsa AAAA...................ffsU5 lpouzenc@lud-hp1" # no carriage return allowed at all here
+
+ccommand=`tput setaf 3`
+ccomment=`tput setaf 6`
+crst=`tput sgr0`
+
+overwrite() {
+	echo "${ccommand}editor $1${crst}"
+	cat > $1
+}
+
+trace() {
+	echo "${ccommand}$@${crst}"
+	"$@"
+}
+
+info() {
+	echo "${ccomment}# $@${crst}"
+}
+
+codename=$(sed -ne 's/^VERSION_CODENAME=//p' /etc/os-release)
+if [[ "buster" != "$codename" ]]; then
+	read -p "Warning: this script has only be tested on Debian Buster. Enter to continue anyway or Ctrl+C to cancel " unused
+fi
+
+set -e
+
+info "apt: install needed packages to have a complete SOHO router"
+trace apt update
+trace apt install -y $PKGS
+
+info "ssh: will potentially listen on WAN port, disable Password Authentification"
+trace sed --in-place \
+ -e 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/'\
+ /etc/ssh/sshd_config
+trace mkdir -p /root/.ssh
+[ -n "$SSH_KEY" ] && echo $SSH_KEY | overwrite /root/.ssh/authorized_keys
+trace systemctl reload ssh
+
+info "systemd: please don't block for ages, this hardware have normal IO delays"
+trace sed --in-place \
+ -e 's/^#\?DefaultTimeoutStartSec=.*/DefaultTimeoutStartSec=5s/' \
+ -e 's/^#\?DefaultTimeoutStopSec=.*/DefaultTimeoutStopSec=5s/' \
+ /etc/systemd/{system,user}.conf
+trace mkdir -p /etc/systemd/system/networking.service.d
+overwrite /etc/systemd/system/networking.service.d/override.conf <<EOT
+[Service]
+TimeoutStartSec=20s
+EOT
+
+info "ifupdown: start firewall then routing at boot, configure ifaces' IP"
+info " Humans should use iptables-apply and ip6tables-apply commands"
+overwrite /etc/network/interfaces <<EOT 
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+	up iptables-restore /etc/network/iptables.up.rules
+	up sysctl -w net.ipv4.ip_forward=1
+	up sysctl -w net.ipv4.conf.all.accept_redirects=0
+	up ip6tables-restore /etc/network/ip6tables.up.rules
+	up sysctl -w net.ipv6.conf.all.forwarding=1
+	up sysctl -w net.ipv6.conf.all.autoconf=0
+	up sysctl -w net.ipv6.conf.all.accept_ra=0
+	up sysctl -w net.ipv6.conf.default.autoconf=0
+	up sysctl -w net.ipv6.conf.default.accept_ra=0
+
+auto eth0
+iface eth0 inet static
+	address $RT_LAN_IP
+	netmask $RT_LAN_MASK
+
+allow-hotplug $RT_WAN_IFACE
+iface $RT_WAN_IFACE inet manual
+	pre-up ip link set $RT_WAN_IFACE address $RT_WAN_MAC
+
+allow-hotplug $RT_WAN_IFACE.$RT_WAN_VLAN
+iface $RT_WAN_IFACE.$RT_WAN_VLAN inet dhcp
+EOT
+
+info "iptables: I left here my rules"
+info " drop by default what came from WAN + self-hosting on my NUC + BitTorrent redirect to a host"
+info " network doesn't provide IPv6 yet here, ip6tables should be okay but untested"
+info " iptables-save and ip6tables-save commands generate this exact file format"
+overwrite /etc/network/iptables.up.rules <<EOT 
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:ICMP4 - [0:0]
+:LOGDROP - [0:0]
+:LOGACCEPT - [0:0]
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p icmp -j ICMP4
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 25 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -j DROP
+-A INPUT -i $RT_WAN_IFACE -j LOGDROP
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -p icmp -j ICMP4
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate DNAT -j LOGACCEPT
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -j LOGDROP
+-A FORWARD -i $RT_WAN_IFACE -j LOGDROP
+-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 0 -j ACCEPT
+-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 3 -j ACCEPT
+-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 8 -j ACCEPT
+-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 11 -j ACCEPT
+-A ICMP4 -m limit --limit 1/sec -j LOG --log-prefix "ICMP4-RATELIMIT "
+-A ICMP4 -j DROP
+-A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "LOGDROP "
+-A LOGDROP -j DROP
+-A LOGACCEPT -m limit --limit 1/sec -j LOG --log-prefix "LOGACCEPT "
+-A LOGACCEPT -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.42.10:51413
+-A PREROUTING -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 51413 -j DNAT --to-destination 192.168.42.10:51413
+-A POSTROUTING -o $RT_WAN_IFACE.$RT_WAN_VLAN -j MASQUERADE
+COMMIT
+EOT
+
+overwrite /etc/network/ip6tables.up.rules <<EOT 
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:ICMP6 - [0:0]
+:LOGDROP - [0:0]
+:LOGACCEPT - [0:0]
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p ipv6-icmp -j ICMP6
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 25 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -j DROP
+-A INPUT -i $RT_WAN_IFACE -j LOGDROP
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -p ipv6-icmp -j ICMP6
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP
+# Put custom IPv6 WAN to LAN forward rules here
+-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -j LOGDROP
+-A FORWARD -i $RT_WAN_IFACE -j LOGDROP
+-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 1 -j ACCEPT
+-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 2 -j ACCEPT
+-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 3 -j ACCEPT
+-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 4 -j ACCEPT
+-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 128 -j ACCEPT
+-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 129 -j ACCEPT
+# ICMP rules allowing for NDP or RA from the ISP are probably missing here (untested)
+-A ICMP6 -m limit --limit 1/sec -j LOG --log-prefix "ICMP6-RATELIMIT "
+-A ICMP6 -j DROP
+-A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "LOGDROP "
+-A LOGDROP -j DROP
+-A LOGACCEPT -m limit --limit 1/sec -j LOG --log-prefix "LOGACCEPT "
+-A LOGACCEPT -j ACCEPT
+COMMIT
+EOT
+
+info "dhcp: upstream files are full pages of comments, not very usefull in this basic case"
+overwrite /etc/dhcp/dhclient.conf <<EOT
+send vendor-class-identifier "BYGTELIAD";
+request subnet-mask, broadcast-address, routers, domain-name-servers;
+EOT
+
+overwrite /etc/dhcp/dhcpd.conf <<EOT
+option domain-name-servers $DHCPD_DNSLIST;
+default-lease-time 600;
+max-lease-time 7200;
+ddns-update-style none;
+authoritative;
+subnet $RT_LAN_NET netmask $RT_LAN_MASK {
+  range $DHCPD_RANGE;
+  option routers $RT_LAN_IP;
+}
+EOT
+
+info "Please review modified files and reboot with a screen attached to see if it is going ok"
+info "You should tweak BIOS to have no 'Press F1 to continue' on POST errors and Power On when AC come back"
+info "Test hard power cutoff and check if everything came back online without interaction after that"
-- 
cgit v1.2.3