#!/bin/bash 
# Successfully used on Intel NUC 7CJYH and Debian 10 to replace a 
#  Bouygues BBox for French FFTH with external fiber-to-RJ45 module (ONT)

# Edit the following configuration constants to fit your environment
#  If you want eth0, eth1... names, set GRUB_CMDLINE_LINUX="net.ifnames=0"
#   in /etc/default/grub then run update-grub && reboot before running this script.
#
#  For RT_WAN_MAC snif original box mac address by plugging box WAN port
#   to a linux computer and with something like "sudo tcpdump -nei eno1 udp".
#   It happened to work for me with a fake ac:3b:77:01:02:03.

DHCPD_DNSLIST="80.67.169.12,91.224.149.254" # FDN and TTN recursive open-dns
DHCPD_RANGE="192.168.42.10 192.168.42.254"  # Choose min/max IP within RT_LAN_IP/RT_LAN_MASK 
PKGS="isc-dhcp-server ssh vlan"
RT_LAN_IFACE=eth0 # I prefer disabling interface renaming, "stable names" are painful for me
RT_LAN_IP=192.168.42.1
RT_LAN_MASK=255.255.255.0
RT_LAN_NET=192.168.42.0
RT_WAN_IFACE=eth1 # eth1 is my USB network adapter. I don't want Intel NIC on WAN (security).
RT_WAN_MAC=ac:3b:77:01:02:03
RT_WAN_VLAN=100   # Always 100 on Bouygues FTTH network
#SSH_KEY="ssh-rsa AAAA...................ffsU5 lpouzenc@lud-hp1" # no carriage return allowed at all here

ccommand=`tput setaf 3`
ccomment=`tput setaf 6`
crst=`tput sgr0`

overwrite() {
	echo "${ccommand}editor $1${crst}"
	cat > $1
}

trace() {
	echo "${ccommand}$@${crst}"
	"$@"
}

info() {
	echo "${ccomment}# $@${crst}"
}

codename=$(sed -ne 's/^VERSION_CODENAME=//p' /etc/os-release)
if [[ "buster" != "$codename" ]]; then
	read -p "Warning: this script has only be tested on Debian Buster. Enter to continue anyway or Ctrl+C to cancel " unused
fi

set -e

info "apt: install needed packages to have a complete SOHO router"
trace apt update
trace apt install -y $PKGS

info "ssh: will potentially listen on WAN port, disable Password Authentification"
trace sed --in-place \
 -e 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/'\
 /etc/ssh/sshd_config
trace mkdir -p /root/.ssh
[ -n "$SSH_KEY" ] && echo $SSH_KEY | overwrite /root/.ssh/authorized_keys
trace systemctl reload ssh

info "systemd: please don't block for ages, this hardware have normal IO delays"
trace sed --in-place \
 -e 's/^#\?DefaultTimeoutStartSec=.*/DefaultTimeoutStartSec=5s/' \
 -e 's/^#\?DefaultTimeoutStopSec=.*/DefaultTimeoutStopSec=5s/' \
 /etc/systemd/{system,user}.conf
trace mkdir -p /etc/systemd/system/networking.service.d
overwrite /etc/systemd/system/networking.service.d/override.conf <<EOT
[Service]
TimeoutStartSec=20s
EOT

info "ifupdown: start firewall then routing at boot, configure ifaces' IP"
info " Humans should use iptables-apply and ip6tables-apply commands"
overwrite /etc/network/interfaces <<EOT 
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
	up iptables-restore /etc/network/iptables.up.rules
	up sysctl -w net.ipv4.ip_forward=1
	up sysctl -w net.ipv4.conf.all.accept_redirects=0
	up ip6tables-restore /etc/network/ip6tables.up.rules
	up sysctl -w net.ipv6.conf.all.forwarding=1
	up sysctl -w net.ipv6.conf.all.autoconf=0
	up sysctl -w net.ipv6.conf.all.accept_ra=0
	up sysctl -w net.ipv6.conf.default.autoconf=0
	up sysctl -w net.ipv6.conf.default.accept_ra=0

auto eth0
iface eth0 inet static
	address $RT_LAN_IP
	netmask $RT_LAN_MASK

allow-hotplug $RT_WAN_IFACE
iface $RT_WAN_IFACE inet manual
	pre-up ip link set $RT_WAN_IFACE address $RT_WAN_MAC

allow-hotplug $RT_WAN_IFACE.$RT_WAN_VLAN
iface $RT_WAN_IFACE.$RT_WAN_VLAN inet dhcp
EOT

info "iptables: I left here my rules"
info " drop by default what came from WAN + self-hosting on my NUC + BitTorrent redirect to a host"
info " network doesn't provide IPv6 yet here, ip6tables should be okay but untested"
info " iptables-save and ip6tables-save commands generate this exact file format"
overwrite /etc/network/iptables.up.rules <<EOT 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ICMP4 - [0:0]
:LOGDROP - [0:0]
:LOGACCEPT - [0:0]
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p icmp -j ICMP4
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -j DROP
-A INPUT -i $RT_WAN_IFACE -j LOGDROP
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -p icmp -j ICMP4
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate DNAT -j LOGACCEPT
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -j LOGDROP
-A FORWARD -i $RT_WAN_IFACE -j LOGDROP
-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 0 -j ACCEPT
-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 3 -j ACCEPT
-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 8 -j ACCEPT
-A ICMP4 -p icmp -m limit --limit 10/sec -m icmp --icmp-type 11 -j ACCEPT
-A ICMP4 -m limit --limit 1/sec -j LOG --log-prefix "ICMP4-RATELIMIT "
-A ICMP4 -j DROP
-A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
-A LOGACCEPT -m limit --limit 1/sec -j LOG --log-prefix "LOGACCEPT "
-A LOGACCEPT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.42.10:51413
-A PREROUTING -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 51413 -j DNAT --to-destination 192.168.42.10:51413
-A POSTROUTING -o $RT_WAN_IFACE.$RT_WAN_VLAN -j MASQUERADE
COMMIT
EOT

overwrite /etc/network/ip6tables.up.rules <<EOT 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ICMP6 - [0:0]
:LOGDROP - [0:0]
:LOGACCEPT - [0:0]
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p ipv6-icmp -j ICMP6
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i $RT_WAN_IFACE.$RT_WAN_VLAN -j DROP
-A INPUT -i $RT_WAN_IFACE -j LOGDROP
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -p ipv6-icmp -j ICMP6
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -m conntrack ! --ctstate NEW -j LOGDROP
# Put custom IPv6 WAN to LAN forward rules here
-A FORWARD -i $RT_WAN_IFACE.$RT_WAN_VLAN -j LOGDROP
-A FORWARD -i $RT_WAN_IFACE -j LOGDROP
-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A ICMP6 -p ipv6-icmp -m limit --limit 10/sec -m ipv6-icmp --icmpv6-type 129 -j ACCEPT
# ICMP rules allowing for NDP or RA from the ISP are probably missing here (untested)
-A ICMP6 -m limit --limit 1/sec -j LOG --log-prefix "ICMP6-RATELIMIT "
-A ICMP6 -j DROP
-A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
-A LOGACCEPT -m limit --limit 1/sec -j LOG --log-prefix "LOGACCEPT "
-A LOGACCEPT -j ACCEPT
COMMIT
EOT

info "dhcp: upstream files are full pages of comments, not very usefull in this basic case"
overwrite /etc/dhcp/dhclient.conf <<EOT
send vendor-class-identifier "BYGTELIAD";
request subnet-mask, broadcast-address, routers, domain-name-servers;
EOT

overwrite /etc/dhcp/dhcpd.conf <<EOT
option domain-name-servers $DHCPD_DNSLIST;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet $RT_LAN_NET netmask $RT_LAN_MASK {
  range $DHCPD_RANGE;
  option routers $RT_LAN_IP;
}
EOT

info "Please review modified files and reboot with a screen attached to see if it is going ok"
info "You should tweak BIOS to have no 'Press F1 to continue' on POST errors and Power On when AC come back"
info "Test hard power cutoff and check if everything came back online without interaction after that"