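########################### REPOSITORIOS DEBIAN 12 ################################################################
# Replace the installer-generated APT sources with the full bookworm set
# (main + contrib + non-free + non-free-firmware, plus the security suite).
#
# Keep the pristine copy of sources.list: only back it up if no backup exists
# yet, so re-running this section does not overwrite the original with the
# file generated below.
[ -e /etc/apt/sources.old ] || cp -p /etc/apt/sources.list /etc/apt/sources.old

# NOTE(review): deb.debian.org also serves https. APT verifies the Release
# signatures either way, but TLS keeps on-path observers from seeing which
# packages this router pulls; switch the scheme if the egress path allows it.
cat > /etc/apt/sources.list <<'EOF'
deb http://deb.debian.org/debian bookworm main non-free-firmware contrib non-free
deb-src http://deb.debian.org/debian bookworm main non-free-firmware contrib non-free

deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware contrib non-free
deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware contrib non-free
EOF
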
  14. ################################################################################################################
  15.  
  16. apt update && apt upgrade -y
  17.  
  18. apt install firmware-linux firmware-linux-free firmware-linux-nonfree -y
  19.  
  20.  
  21. cp -p /etc/default/grub /etc/default/grub.old
  22.  
  23. sed -i '/GRUB_CMDLINE_LINUX_DEFAULT=/s/=splash net.ifnames=0 mitigations=off quiet/' /etc/default/grub
  24.  
  25.  
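# /etc/network/interfaces for ifupdown.
#  - eth0 is the WAN uplink and is left "manual": its addresses are configured
#    by FRR (see frr.conf), ifupdown only brings the link up/down.
#  - lo0 is a dummy interface carrying the router's loopback/source address.
#    The original `pre-up ip link add lo0 type dummy` fails with "File exists"
#    once the device is there (ifdown does not delete it), so a second
#    ifup/ifup -a aborted lo0; the creation is now idempotent.
#  - bond0 and the VLAN stanza are templates: bond-slaves is commented out, so
#    bond0 has no members until edited. The commented post-up lines use
#    ifconfig, which comes from net-tools (installed further down).
#  - The eth0/eth1 names require net.ifnames=0 on the kernel command line.
cat > /etc/network/interfaces <<'EOF'
source /etc/network/interfaces.d/*.cfg
auto lo
iface lo inet loopback

auto lo0
iface lo0 inet manual
 pre-up ip link show lo0 >/dev/null 2>&1 || ip link add lo0 type dummy

auto bond0
iface bond0 inet manual
#bond-slaves eth0 eth1
bond-mode 802.3ad
bond-xmit-hash-policy layer2+3
 #post-up ifconfig eth0 mtu 9000
 #post-up ifconfig eth1 mtu 9000
 #post-up ifconfig bond0 mtu 9000

#Vlan
#auto eth0.XXX
#iface eth0.XXX inet manual
# pre-up ip link set dev $IFACE up
# pre-down ip link set dev $IFACE down

auto eth0
iface eth0 inet manual
 pre-up ip link set dev $IFACE up
 pre-down ip link set dev $IFACE down

#auto eth1
#iface eth1 inet manual
# pre-up ip link set dev $IFACE up
# pre-down ip link set dev $IFACE down
EOF
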
  62. update-grub
  63.  
  64. reboot
  65.  
  66.  
  67. ############## install FRR Debian ##############
  68.  
  69. apt remove open-vm-tools -y
  70. apt purge open-vm-tools -y
  71.  
  72. apt update && apt upgrade -y
  73. apt autoremove -y
  74.  
  75. apt install curl apt-transport-https gnupg2 lsb-release tree net-tools htop wget ethtool grc libdrm-common mtr libdrm2 libglib2.0-0 libglib2.0-data libicu72 libmspack0 libxml2 libxmlsec1 libxslt1.1 shared-mime-info xdg-user-dirs zerofree frr frr-doc frr-pythontools frr-rpki-rtrlib frr-snmp -y
  76.  
  77.  
  78. sed -i '/bgpd/s/=no/=yes/' /etc/frr/daemons
  79. sed -i '/ospfd/s/=no/=yes/' /etc/frr/daemons
  80. sed -i '/ospf6d/s/=no/=yes/' /etc/frr/daemons
  81. sed -i '/babeld/s/=no/=no/' /etc/frr/daemons
  82. sed -i '/pbrd/s/=no/=yes/' /etc/frr/daemons
  83. sed -i '/bfdd/s/=no/=yes/' /etc/frr/daemons
  84.  
  85.  
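# Convenience wrapper: `show ip route` == `vtysh -c "show ip route"`.
# The original exited 1 silently when called without arguments; it now prints
# a usage line. vtysh needs access to the FRR sockets (root or, on Debian,
# typically the frrvty group) -- the wrapper does not change that.
cat > /usr/bin/show <<'EOF'
#!/bin/sh
# Run a vtysh "show ..." command from the system shell.
# Usage: show <vtysh show-command words...>
if [ $# -eq 0 ]; then
  echo "usage: show <vtysh show-command>" >&2
  exit 1
fi
exec vtysh -c "show $*"
EOF
chmod +x /usr/bin/show
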
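# Helper to set the running hostname and persist it.
# The original passed $1 unquoted and accepted anything, including an empty
# string or one containing whitespace, which would corrupt /etc/hostname.
# Note: /etc/hosts and the `hostname` line in frr.conf are NOT updated here.
cat > /sbin/sethostname <<'EOF'
#!/bin/sh
# Set the running hostname and persist it in /etc/hostname.
# Usage: sethostname <name>
if [ $# -ne 1 ] || [ -z "$1" ]; then
  echo "usage: sethostname <name>" >&2
  exit 1
fi
case $1 in
  *[!A-Za-z0-9.-]*)
    echo "sethostname: '$1' is not a valid hostname" >&2
    exit 1 ;;
esac
hostname "$1" && printf '%s\n' "$1" > /etc/hostname
EOF
chmod +x /sbin/sethostname
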
  107. apt install ifenslave vlan -y
  108. modprobe bonding
  109. modprobe 8021q
  110. modprobe tcp_htcp
  111. modprobe tcp_illinois
  112.  
  113. echo bonding >> /etc/modules
  114. echo 8021q >> /etc/modules
  115. echo tcp_westwood >> /etc/modules
  116. echo tcp_htcp >> /etc/modules
  117.  
  118. cat /etc/modules
  119.  
  120.  
  121.  
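############### CONF FRR ##################
# Minimal running config: a static default route via 192.168.48.1 with
# administrative distance 250 (so any dynamically learned default wins) and
# the WAN address on eth0. `service integrated-vtysh-config` makes vtysh
# write everything back into this single file. The `frr version` header is
# rewritten by FRR on save.
# SECURITY: no `enable password`/`service password` is set; vtysh access is
# therefore governed purely by who can reach the FRR sockets (root / the
# frrvty group on Debian) -- confirm that is the intended model.
cat > /etc/frr/frr.conf <<'EOF'
frr version 8.x
frr defaults traditional
hostname debianRouter
log syslog informational
ip forwarding
ipv6 forwarding
service integrated-vtysh-config
!
ip route 0.0.0.0/0 192.168.48.1 250
!
#interface bond0
interface eth0
 description WAN
 ip address 192.168.48.254/24
exit
!
EOF
# FRR runs as the frr user and vtysh `write` rewrites this file, so it must be
# owned by frr (the package default is frr:frr 0640). Redirecting into an
# existing file keeps its owner/mode; enforce it in case it was recreated.
chown frr:frr /etc/frr/frr.conf
chmod 0640 /etc/frr/frr.conf
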
# OSPF/OSPFv3 template. FRR only reads /etc/frr/frr.conf; this file is never
# loaded by anything and exists to be copied over frr.conf by hand.
#
# Review notes on the template itself:
#  - `redistribute connected` / `redistribute static` go into area 0 with no
#    route-map, so every address on this box is advertised. The commented
#    `interface lo1` block would add the public resolver addresses of Google,
#    Cloudflare, Quad9, OpenDNS and others as /32s (and /128s) -- with
#    `redistribute connected` that announces those prefixes into the OSPF
#    domain and redirects all DNS traffic for them to this router. That is
#    DNS interception, not tuning; leave it commented unless you are
#    authorized to intercept that traffic on this network.
#  - No OSPF/OSPFv3 authentication is configured on eth0.
#  - The 0.0.0.0/1 + 128.0.0.0/1 statics duplicate what supergw.sh installs
#    in the kernel table; pick one mechanism.
#  - 10.100.100.0/24, 192.0.2.24 and 2001:db8:... read as placeholders
#    (TEST-NET / documentation prefixes) -- confirm before use.
cat > /etc/frr/frr.ospf <<'EOF'
frr version 8.x
frr defaults traditional
hostname debianRouter
log syslog informational
ip forwarding
ipv6 forwarding
service integrated-vtysh-config
!
ip route 0.0.0.0/0 10.100.100.1 250
ip route 0.0.0.0/1 10.100.100.1 250
ip route 128.0.0.0/1 10.100.100.1 250
!
#interface bond0
interface eth0
description WAN
ip address 10.100.100.24/24
ip ospf area 0.0.0.0
ip ospf cost 1
ipv6 address 2001:db8:ffff:ffff:ffff::24/64
ipv6 ospf6 area 0.0.0.0
ipv6 ospf6 cost 1
exit
!
interface lo0
 ip address 192.0.2.24/32
exit
!
#interface lo1
# description INT-Virtual
# ip address 1.0.0.1/32
# ip address 1.1.1.1/32
# ip address 189.38.95.95/32
# ip address 189.38.95.96/32
# ip address 208.67.220.220/32
# ip address 208.67.222.222/32
# ip address 4.4.4.4/32
# ip address 8.8.4.4/32
# ip address 8.8.8.8/32
# ip address 9.9.9.9/32
# ipv6 address 2001:4860:4860::8844/128
# ipv6 address 2001:4860:4860::8888/128
# ipv6 address 2606:4700:4700::1001/128
# ipv6 address 2606:4700:4700::1111/128
# ipv6 address 2620:119:35::35/128
# ipv6 address 2620:119:53::53/128
# ipv6 address 2620:fe::9/128
# ipv6 address 2620:fe::fe/128
# ipv6 address 2804:10:10::10/128
# ipv6 address 2804:10:10::20/128
#exit
#!
router ospf
 ospf router-id 192.0.2.24
 log-adjacency-changes
 redistribute connected
 redistribute static
exit
!
router ospf6
 ospf6 router-id 192.0.2.24
 log-adjacency-changes
 redistribute connected
 redistribute static
 interface eth0 area 0.0.0.0
exit
!
EOF

############### Confi resolv.conf ##############
# Static resolvers (Google public DNS, v4 and v6). This assumes nothing else
# manages /etc/resolv.conf on this host (no resolvconf, systemd-resolved or
# DHCP client hook), otherwise the file will be overwritten -- confirm.
# The commented 127.0.0.1 entry is for a local resolver, which this script
# does not install.
cat > /etc/resolv.conf <<'EOF'
#nameserver 127.0.0.1
nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver 2001:4860:4860::8844
nameserver 2001:4860:4860::8888
EOF

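################ Criar Servico Supergateway
# systemd unit that runs /etc/network/supergw.sh once after the network is up.
# Changes from the original unit:
#  - it lives in /etc/systemd/system (administrator units); /lib/systemd/system
#    belongs to packages.
#  - Type=oneshot instead of simple: the script runs to completion and exits,
#    and with oneshot a non-zero exit is reported as a failed unit instead of
#    the unit showing active while the routes were never installed.
#    RemainAfterExit keeps it "active (exited)" afterwards as before.
#  - It orders after network-online.target because the script needs the
#    default route to exist. Whether that target actually waits for the
#    uplink depends on a wait-online service (ifupdown-wait-online) being
#    enabled -- confirm on this host.
#  - The self-referencing `Alias=supergw.service` was dropped; a unit cannot
#    alias its own name.
cat > /etc/systemd/system/supergw.service <<'EOF'
[Unit]
Description=SuperGateway
After=network-online.target
Wants=network-online.target

[Service]
User=root
Group=root
Type=oneshot
RemainAfterExit=yes

WorkingDirectory=/etc/network/
ExecStart=/etc/network/supergw.sh

TimeoutStartSec=60
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
EOF
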
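########################### Criação do script com a conf supergatey
# Installs two "half default" routes (0.0.0.0/1 and 128.0.0.0/1) via the
# current default gateway, with the lo0 address as preferred source, so they
# beat any /0 learned later and locally originated traffic uses the loopback
# IP.
# The original generator had a quoting bug: the awk programs were spliced out
# of the single-quoted echo strings, so the script on disk contained
# `awk {print }` and never computed gateway/sourceip. Fixed by writing the
# script through a quoted heredoc. `ip route replace` makes re-runs (unit
# restarts) idempotent where `add` failed with "File exists", and the script
# now fails loudly instead of `exit 0` when it could not determine its inputs.
cat > /etc/network/supergw.sh <<'EOF'
#!/bin/sh
# Pin 0.0.0.0/1 and 128.0.0.0/1 via the current default gateway, sourced from
# the lo0 address. 1.2.3.4 is only a lookup key for `ip route get`; no packet
# is sent to it.
gateway=$(ip route get 1.2.3.4 | awk '/via/ { print $3; exit }')
sourceip=$(ip -4 addr show dev lo0 | awk '/inet / { print $2; exit }' | cut -d/ -f1)

if [ -z "$gateway" ] || [ -z "$sourceip" ]; then
  echo "supergw: no default gateway or no IPv4 address on lo0" >&2
  exit 1
fi

/sbin/ip route replace 0.0.0.0/1 via "$gateway" src "$sourceip"
/sbin/ip route replace 128.0.0.0/1 via "$gateway" src "$sourceip"
exit 0
EOF

chmod +x /etc/network/supergw.sh
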
  271. ############################ Colocar para iniciar
  272.  
  273.  
  274. systemctl daemon-reload
  275. systemctl enable supergw.service
  276.  
  277. systemctl start supergw.service
  278.  
  279.  
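############################# NFTABLES #################################
apt install nftables -y

# Host firewall. Semantics are unchanged from the original except that a
# duplicated `type filter hook input priority 0;` line, which sat after the
# rules, is gone: SSH (22 and 8822 -- sshd is moved to 8822 below; 22 stays
# allowed for the transition) is accepted only from the management sets and
# dropped otherwise. Every chain keeps the default `policy accept`; it is
# spelled out so nobody reads this as a deny-by-default ruleset.
# SECURITY: BGP (TCP/179), OSPF (proto 89), BFD, SNMP and everything else are
# reachable from any address that can reach this router. A production box
# wants `policy drop` on input with `ct state established,related accept`
# and explicit allows for the routing protocols on the interfaces where the
# neighbours live. 192.0.2.0/22 and 2001:db8::/32 are test/documentation
# prefixes and look like placeholders for the real management ranges --
# confirm.
cat > /etc/nftables.conf <<'EOF'
#!/usr/sbin/nft -f
# Inspect the live ruleset with: nft list ruleset
flush ruleset

table inet filter {
    set acesso-4 {
        type ipv4_addr
        flags interval
        elements = { 127.0.0.1, 192.168.0.0/16, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.0.2.0/22 }
    }
    set acesso-6 {
        type ipv6_addr
        flags interval
        elements = { ::1, 2001:db8::/32 }
    }
    chain input {
        type filter hook input priority 0; policy accept;

        # Management access: SSH only from the allow-lists.
        ip saddr @acesso-4 tcp dport 22 counter accept
        ip saddr @acesso-4 tcp dport 8822 counter accept
        ip6 saddr @acesso-6 tcp dport 22 counter accept
        ip6 saddr @acesso-6 tcp dport 8822 counter accept
        tcp dport 22 counter drop
        tcp dport 8822 counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
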
  323. systemctl daemon-reload
  324. systemctl enable nftables.service
  325.  
  326.  
  327.  
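apt install neofetch -y

# Blank the pre-login banners. /etc/issue.net is what sshd's `Banner`
# directive would show before authentication; emptying it means the
# "authorised personnel only" notice below is only seen after a successful
# login. Put the notice in /etc/issue.net and set `Banner /etc/issue.net`
# in sshd_config if it has to be shown pre-auth.
: > /etc/motd
: > /etc/issue
: > /etc/issue.net

# Login greeting, sourced by /etc/profile for login shells. Guarded to run
# only in interactive shells: the original also fired for non-interactive
# login shells (e.g. `bash -l -c ...`, cron jobs using a login shell), where
# neofetch output ends up in stdout that other programs parse. The printed
# text is unchanged; echo collapses the original trailing spaces anyway.
cat > /etc/profile.d/my_bash.sh <<'EOF'
#!/bin/bash
# Interactive login shells only; this file is sourced, so `return` is right.
case $- in
  *i*) ;;
  *) return 0 2>/dev/null ;;
esac
/usr/bin/neofetch

echo 'Servidor Debian - Router'
echo 'By Paulo Jr Andrade'
echo '67 98151-2941'
echo '++++++++++++++++++++++++++++++++++++++++++++++++'
echo 'ACESSO PERMITIDO APENAS A PESSOAL AUTORIZADO'
echo 'TODAS AS CONEXOES ESTAO SENDO'
echo 'MONITORADAS E AUDITADAS'
echo '++++++++++++++++++++++++++++++++++++++++++++++++'
EOF
chmod +x /etc/profile.d/my_bash.sh
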
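######################## otimização kernel ####################
# Wipe the drop-in directory and rewrite /etc/sysctl.conf from scratch.
# Debian's procps ships /etc/sysctl.d/99-sysctl.conf as a symlink to
# ../sysctl.conf; systemd-sysctl does not read /etc/sysctl.conf itself, so
# that symlink is what makes these settings apply at boot. The original
# `rm /etc/sysctl.d/*` deleted it, leaving the tuning below applied only by
# the manual `sysctl -p` and (depending on whether a procps.service exists)
# possibly lost on reboot. Re-create it after the cleanup.
rm -f /etc/sysctl.d/*
ln -s ../sysctl.conf /etc/sysctl.d/99-sysctl.conf

cat > /etc/sysctl.conf <<'EOF'
vm.swappiness=10
vm.vfs_cache_pressure=50
vm.max_map_count=262144

# Reboot 3 s after a kernel panic instead of hanging (unattended router).
kernel.panic=3
kernel.threads-max=1031306
kernel.pid_max=262144
kernel.msgmax=327680
kernel.msgmnb=655360
kernel.msgmni=32768

vm.min_free_kbytes = 32768

net.core.rmem_default=31457280
net.core.wmem_default=31457280
net.core.rmem_max=134217728
net.core.wmem_max=134217728

net.core.netdev_max_backlog=4096
net.core.optmem_max=33554432
net.core.default_qdisc=fq
net.core.somaxconn=4096

net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 1
# tcp_low_latency and the *frag_secret_interval keys below appear to have
# been removed from recent kernels; sysctl reports them as unknown and
# continues. Kept for parity with the original -- safe to delete.
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mem = 6672016 6682016 7185248
# Default congestion control is pinned to reno; the htcp/illinois/westwood
# modules loaded earlier are only selectable per socket.
net.ipv4.tcp_congestion_control=reno
net.ipv4.tcp_mtu_probing=1
net.ipv4.tcp_moderate_rcvbuf =1
net.ipv4.tcp_no_metrics_save = 1

net.ipv4.udp_rmem_min=131072
net.ipv4.udp_mem=2097152 4194304 8388608

net.ipv4.ipfrag_high_thresh=4194304
net.ipv4.ipfrag_low_thresh=3145728
net.ipv4.ipfrag_max_dist=64
net.ipv4.ipfrag_secret_interval=0
net.ipv4.ipfrag_time=30

net.ipv6.ip6frag_high_thresh=4194304
net.ipv6.ip6frag_low_thresh=3145728
net.ipv6.ip6frag_secret_interval=0
net.ipv6.ip6frag_time=60

# Ephemeral range starts at 1024 and therefore overlaps registered service
# ports (sshd's 8822 included); narrow it if a listener ever fails to bind.
net.ipv4.ip_local_port_range=1024 65535
net.ipv4.ip_default_ttl=128

net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 12288

net.ipv6.neigh.default.gc_interval = 30
net.ipv6.neigh.default.gc_stale_time = 60
net.ipv6.neigh.default.gc_thresh1 = 4096
net.ipv6.neigh.default.gc_thresh2 = 8192
net.ipv6.neigh.default.gc_thresh3 = 12288

# This box forwards; FRR sets the same via `ip forwarding` in frr.conf.
net.ipv4.conf.default.forwarding=1
net.ipv6.conf.default.forwarding=1

net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv4.ip_forward=1

# Router hardening (added by review): never honour source-routed packets or
# ICMP redirects on a forwarding host. The kernel's defaults for these keys
# change with forwarding enabled, so they are pinned explicitly.
# rp_filter is intentionally not set: strict reverse-path checks break
# asymmetric routing, which is common on a BGP/OSPF router -- decide per
# interface.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

#net.nf_conntrack_max=8000000
#net.nf_conntrack_max=8000000

#net.netfilter.nf_conntrack_buckets=262144
#net.netfilter.nf_conntrack_checksum=1
#net.netfilter.nf_conntrack_events = 1
#net.netfilter.nf_conntrack_expect_max = 1024
#net.netfilter.nf_conntrack_timestamp = 0

fs.file-max = 3263776
fs.aio-max-nr=3263776
fs.mount-max=1048576
fs.mqueue.msg_max=128
fs.mqueue.msgsize_max=131072
fs.mqueue.queues_max=4096
fs.pipe-max-size=8388608
EOF

# Apply everything the way boot will (sysctl.d drop-ins + sysctl.conf).
# Keys that do not exist on the running kernel are reported and skipped.
sysctl --system
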
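############## SEGURANCA SSH ####################
# Keep the pristine sshd_config; do not clobber an existing backup.
[ -e /etc/ssh/sshd_config_old ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_old

# sshd on 8822 (the nftables ruleset allows 22 and 8822 from the management
# sets). Root login is refused globally and only re-enabled from the
# management ranges in the Match block.
# The original Match line contained the malformed address `100.100.64.0.0/10`,
# which sshd rejects as an invalid Match address; with `systemctl restart`
# that leaves no sshd listening at all. It is the CGNAT range 100.64.0.0/10,
# as used in the nftables acesso-4 set.
# SECURITY: PasswordAuthentication stays on, so root from the management
# ranges is password-guessable. Install keys and set
# `PasswordAuthentication no`; X11Forwarding has no use on a router and
# `.ssh/authorized_keys2` is a legacy name -- both kept only for parity.
cat > /etc/ssh/sshd_config <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 8822
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
Match Address 192.168.0.0/16,10.0.0.0/8,100.64.0.0/10,192.0.2.0/22,2001:db8::/32
    PermitRootLogin yes
EOF

# Never restart sshd on an unvalidated config: a parse error would leave the
# box without remote access. The unit is restarted by name -- the original
# `systemctl restart ssh*` let the shell expand `ssh*` against files in the
# current directory.
if sshd -t; then
  systemctl restart ssh.service
else
  echo 'sshd_config failed validation (sshd -t); sshd NOT restarted, fix the file first' >&2
fi
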