
freifunk funkenpumpe

  1. funkenpumpe-suedstern-tcp.conf:
  2. ======================================================================================================================
# Freifunk Berlin VPN, TCP, Encrypted, OpenVPN 2.1+
#
# Client-side tunnel from this node to the Berlin Freifunk VPN gateway over
# TCP/443. Routing is deliberately NOT taken from the server (route-nopull);
# the up/down hook referenced below installs a policy route instead.

#client
tls-client
proto tcp-client
dev tunfreifunkvpn
remote vpn03.berlin.freifunk.net 443 # primary server
remote vpn03-backup.berlin.freifunk.net 443 # backup server
# remote vpn03.berlin.freifunk.net 80 tcp # alternative port: 80
# remote vpn03.berlin.freifunk.net 443 tcp6 # alternative: IPv6 transport
nobind
persist-key
# Node identity: CA used to verify the gateway, plus this node's own cert/key.
# The private key file must stay readable only by the OpenVPN process owner
# (there is no user/group directive here, so that is the daemon's own user).
ca /etc/openvpn/funkenpumpe-suedstern/freifunk-ca.crt
cert /etc/openvpn/funkenpumpe-suedstern/funkenpumpe-suedstern.crt
key /etc/openvpn/funkenpumpe-suedstern/funkenpumpe-suedstern.key
# Server-role check against the (Netscape) nsCertType extension; this guards
# against a client cert from the same CA impersonating the gateway.
# NOTE(review): ns-cert-type has been superseded by "remote-cert-tls server",
# which checks the X.509 extended key usage instead — confirm the Freifunk CA
# issues certs carrying the EKU before switching.
ns-cert-type server
comp-lzo yes # better link utilisation
# NOTE(review): compressing a tunnel that carries traffic from the open mesh
# next to the node's own traffic is the precondition for compression-oracle
# attacks against the tunnel contents; prefer disabling unless bandwidth
# genuinely requires it.
cipher AES-256-CBC # compatible with OpenVPN+PolarSSL
# No "auth" directive: the HMAC digest is OpenVPN's default for this version.
pull
# Passed to the up/down hook via the environment; the hook on this page does
# not consume it — verify it is still needed.
dhcp-option DNS 8.8.8.8
# Ignore the redirect-gateway so 'lan' keeps working, and do policy-based
# routing "manually" in the up/down script
allow-pull-fqdn
route-nopull
# Required so OpenVPN may execute the hook below; the hook runs with the
# daemon's privileges, so keep it root-owned and not writable by others.
script-security 2
up /etc/openvpn/funkenpumpe-suedstern-updown.sh
down /etc/openvpn/funkenpumpe-suedstern-updown.sh
log-append /var/log/openvpn/openvpn.log
  30. ======================================================================================================================
  31.  
  32.  
  33. funkenpumpe-suedstern-updown.sh:
  34. ======================================================================================================================
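#!/bin/sh
# OpenVPN up/down hook for the funkenpumpe-suedstern tunnel.
#
# OpenVPN (script-security 2) calls this with the action in $script_type and
# the tunnel parameters ($dev, $ifconfig_local) in the environment.
# On "up" it installs a policy route so that traffic sourced from $src_net is
# sent through the tunnel via routing table $table rather than the main table;
# on "down" it removes the selector rule again.
#
# iptables rules (FORWARD accept / MASQUERADE for $dev) are intentionally NOT
# managed here: OpenWrt flushes the tables on every firewall restart, so they
# live in /etc/firewall.user instead. The former logging rules
# (LOG --log-level debug on FORWARD / nat POSTROUTING for $src_net) can be
# re-added there as well if needed.

table=100
# Source network steered into the tunnel (previously repeated inline in both
# branches; keep the two in sync by defining it once).
src_net=6.0.82.0/24

case "$script_type" in
up)
    # Default route of the policy table points into the tunnel, via the
    # local tunnel address OpenVPN handed us in ifconfig_local.
    ip route add default via "$ifconfig_local" dev "$dev" table "$table"
    # Selector: anything from $src_net consults $table first.
    ip rule add from "$src_net" table "$table"
    ip route flush cache
    ;;
down)
    # Remove the selector; "table" is the same as the old "lookup" keyword,
    # and uses the variable instead of a hard-coded 100 so the two branches
    # cannot drift apart.
    ip rule del from "$src_net" table "$table"
    ip route flush cache
    ;;
*)
    # Not an action this hook is registered for; say so instead of silently
    # doing nothing.
    echo "$0: unexpected script_type '$script_type'" >&2
    ;;
esac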
  58. ======================================================================================================================
  59.  
  60.  
  61. /etc/config/firewall:
  62. ======================================================================================================================
  63. config defaults
  64. option syn_flood '1'
  65. option input 'ACCEPT'
  66. option output 'ACCEPT'
  67. option forward 'REJECT'
  68. option drop_invalid '1'
  69.  
  70. config zone
  71. option name 'lan'
  72. option output 'ACCEPT'
  73. option forward 'REJECT'
  74. option network 'lan'
  75. option input 'ACCEPT'
  76.  
  77. config zone
  78. option name 'wan'
  79. option network 'wan'
  80. option output 'ACCEPT'
  81. option masq '1'
  82. option mtu_fix '1'
  83. option local_restrict '1'
  84. option forward 'REJECT'
  85. option input 'REJECT'
  86.  
  87. config rule
  88. option name 'openvpn-tcp'
  89. option src 'wan'
  90. option target 'ACCEPT'
  91. option proto 'tcp'
  92. option dest_port '1194'
  93.  
  94. config rule
  95. option name 'Allow-DHCP-Renew'
  96. option src 'wan'
  97. option proto 'udp'
  98. option dest_port '68'
  99. option target 'ACCEPT'
  100. option family 'ipv4'
  101.  
  102. config rule
  103. option name 'Allow-Ping'
  104. option src 'wan'
  105. option proto 'icmp'
  106. option icmp_type 'echo-request'
  107. option family 'ipv4'
  108. option target 'ACCEPT'
  109.  
  110. config rule
  111. option name 'Allow-DHCPv6'
  112. option src 'wan'
  113. option proto 'udp'
  114. option src_ip 'fe80::/10'
  115. option src_port '547'
  116. option dest_ip 'fe80::/10'
  117. option dest_port '546'
  118. option family 'ipv6'
  119. option target 'ACCEPT'
  120.  
  121. config rule
  122. option name 'Allow-ICMPv6-Input'
  123. option src 'wan'
  124. option proto 'icmp'
  125. list icmp_type 'echo-request'
  126. list icmp_type 'echo-reply'
  127. list icmp_type 'destination-unreachable'
  128. list icmp_type 'packet-too-big'
  129. list icmp_type 'time-exceeded'
  130. list icmp_type 'bad-header'
  131. list icmp_type 'unknown-header-type'
  132. list icmp_type 'router-solicitation'
  133. list icmp_type 'neighbour-solicitation'
  134. list icmp_type 'router-advertisement'
  135. list icmp_type 'neighbour-advertisement'
  136. option limit '1000/sec'
  137. option family 'ipv6'
  138. option target 'ACCEPT'
  139.  
  140. config rule
  141. option name 'Allow-ICMPv6-Forward'
  142. option src 'wan'
  143. option dest '*'
  144. option proto 'icmp'
  145. list icmp_type 'echo-request'
  146. list icmp_type 'echo-reply'
  147. list icmp_type 'destination-unreachable'
  148. list icmp_type 'packet-too-big'
  149. list icmp_type 'time-exceeded'
  150. list icmp_type 'bad-header'
  151. list icmp_type 'unknown-header-type'
  152. option limit '1000/sec'
  153. option family 'ipv6'
  154. option target 'ACCEPT'
  155.  
  156. config include
  157. option path '/etc/firewall.user'
  158.  
  159. config redirect
  160. option target 'DNAT'
  161. option src 'wan'
  162. option dest 'lan'
  163. option proto 'tcp'
  164. option src_dport '80'
  165. option dest_ip '192.168.49.2'
  166. option dest_port '80'
  167. option name 'http'
  168.  
  169. config redirect
  170. option target 'DNAT'
  171. option src 'wan'
  172. option dest 'lan'
  173. option proto 'tcp'
  174. option src_dport '443'
  175. option dest_ip '192.168.49.2'
  176. option dest_port '443'
  177. option name 'https'
  178.  
  179. config redirect
  180. option target 'DNAT'
  181. option src 'wan'
  182. option dest 'lan'
  183. option proto 'tcp'
  184. option src_dport '22'
  185. option dest_ip '192.168.49.2'
  186. option dest_port '22'
  187. option name 'ssh'
  188.  
  189. config redirect
  190. option target 'DNAT'
  191. option src 'wan'
  192. option dest 'lan'
  193. option proto 'tcp'
  194. option src_dport '5223'
  195. option dest_ip '192.168.49.2'
  196. option dest_port '5223'
  197. option name 'xmmp/ssl'
  198.  
  199. config redirect
  200. option target 'DNAT'
  201. option src 'wan'
  202. option dest 'lan'
  203. option proto 'tcp'
  204. option src_dport '993'
  205. option dest_ip '192.168.49.2'
  206. option dest_port '993'
  207. option name 'imaps'
  208.  
  209. config redirect
  210. option target 'DNAT'
  211. option src 'wan'
  212. option dest 'lan'
  213. option proto 'tcp'
  214. option src_dport '25'
  215. option dest_ip '192.168.49.2'
  216. option dest_port '25'
  217. option name 'smtp'
  218.  
  219. config include
  220. option path '/etc/firewall.freifunk'
  221.  
  222. config zone 'zone_freifunk'
  223. option name 'freifunk'
  224. option output 'ACCEPT'
  225. option input 'REJECT'
  226. list masq_src 'wireless0dhcp'
  227. list masq_src 'wireless0ahdhcp'
  228. option conntrack '1'
  229. option network 'wireless0 wireless0dhcp'
  230. option forward 'REJECT'
  231.  
  232. config include 'freifunk'
  233. option path '/etc/firewall.freifunk'
  234.  
  235. config rule 'fficmp'
  236. option src 'freifunk'
  237. option target 'ACCEPT'
  238. option proto 'icmp'
  239.  
  240. config rule 'ffhttp'
  241. option src 'freifunk'
  242. option target 'ACCEPT'
  243. option proto 'tcp'
  244. option dest_port '80'
  245.  
  246. config rule 'ffhttps'
  247. option src 'freifunk'
  248. option target 'ACCEPT'
  249. option proto 'tcp'
  250. option dest_port '443'
  251.  
  252. config rule 'ffssh'
  253. option src 'freifunk'
  254. option target 'ACCEPT'
  255. option proto 'tcp'
  256. option dest_port '22'
  257.  
  258. config rule 'ffolsr'
  259. option src 'freifunk'
  260. option target 'ACCEPT'
  261. option proto 'udp'
  262. option dest_port '698'
  263.  
  264. config rule 'ffwprobe'
  265. option src 'freifunk'
  266. option target 'ACCEPT'
  267. option proto 'tcp'
  268. option dest_port '17990'
  269.  
  270. config rule 'ffdns'
  271. option dest_port '53'
  272. option src 'freifunk'
  273. option target 'ACCEPT'
  274. option proto 'udp'
  275.  
  276. config rule 'ffdhcp'
  277. option src_port '68'
  278. option src 'freifunk'
  279. option target 'ACCEPT'
  280. option dest_port '67'
  281. option proto 'udp'
  282. option leasetime '30m'
  283.  
  284. config rule 'ffsplash'
  285. option dest_port '8082'
  286. option src 'freifunk'
  287. option target 'ACCEPT'
  288. option proto 'tcp'
  289.  
  290. config zone
  291. option output 'ACCEPT'
  292. option network 'freifunkvpn'
  293. option masq '1'
  294. option mtu_fix '1'
  295. option input 'REJECT'
  296. option forward 'REJECT'
  297. option name 'ffvpnzone'
  298. option conntrack '1'
  299.  
  300. config forwarding
  301. option dest 'ffvpnzone'
  302. option src 'freifunk'
  303.  
  304. config forwarding
  305. option dest 'freifunk'
  306. option src 'lan'
  307.  
  308. config forwarding
  309. option dest 'wan'
  310. option src 'lan'
  311.  
  312. ======================================================================================================================
  313.  
  314.  
  315. /etc/firewall.user:
  316. ======================================================================================================================
  317. # This file is interpreted as shell script.
  318. # Put your custom iptables rules here, they will
  319. # be executed with each firewall (re-)start.
  320.  
  321. iptables -I FORWARD -o tunfreifunkvpn -j ACCEPT
  322. iptables -t nat -I POSTROUTING -o tunfreifunkvpn -j MASQUERADE
  323. ======================================================================================================================