Dobby overview

• General:
  • (Node: case)
  • (CT ID: 113)
  • Hostname: dobby
  • Unprivileged container: yes
  • Nesting: yes
  • SSH public key(s): T_X
• Template:
  • Storage: local
  • Template: debian-12-standard_12.2-1_amd64.tar.zst
• Disk(s):
  • rootfs:
    • Disk Size: 4 GiB
    • Storage: disks
• CPU:
  • Cores: 1
• Memory:
  • Memory: 2048 MiB
  • Swap: 512 MiB
• Network:
  • Name: eth0
  • MAC address: auto (→ BC:24:11:0F:A6:06)
  • bridge: vmbr0
  • VLAN tag: no VLAN
  • Firewall: no
  • IPv4: static
    • IPv4/CIDR: 172.23.208.8/23
    • Gateway: 172.23.208.1
  • IPv6: static
    • IPv6/CIDR: 2a01:170:1112::8/64
    • Gateway: 2a01:170:1112::1

https://wiki.debian.org/UnattendedUpgrades

$ apt-get update && apt-get dist-upgrade
$ apt-get install unattended-upgrades apt-listchanges

/etc/apt/apt.conf.d/52unattended-upgrades:

$ echo 'Unattended-Upgrade::Automatic-Reboot "true";' > /etc/apt/apt.conf.d/52unattended-upgrades-local
$ echo 'Unattended-Upgrade::Automatic-Reboot-Time "03:42";' >> /etc/apt/apt.conf.d/52unattended-upgrades-local

$ reboot

Ansatz:

• zwischen dn42 peers immer routen/forwarden erlauben
• eingehend ins nbsp Netz nur bei established/related erlauben

nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0\; policy accept\; }
nft add chain inet filter output { type filter hook output priority 0\; policy accept\; }
nft add chain inet filter forward { type filter hook forward priority 0\; policy drop\; }
nft add rule inet filter forward iifname "dn42_*" oifname "dn42_*" accept
nft add rule inet filter forward iifname "eth0" oifname "dn42_*" accept
nft add rule inet filter forward iifname "dn42_*" oifname "eth0" ct state established,related accept
nft add rule inet filter forward counter reject

Testen, dann persistent machen:

mv /etc/nftables.conf /etc/nftables.conf.bak
echo '#!/usr/sbin/nft -f' > /etc/nftables.conf
echo '' >> /etc/nftables.conf
echo 'flush ruleset' >> /etc/nftables.conf
echo '' >> /etc/nftables.conf
nft -s list ruleset >> /etc/nftables.conf
systemctl enable nftables.service
systemctl start nftables.service

$ apt-get install bird2
$ mv bird.conf bird.conf.bak

/etc/bird/bird.conf:

hauptsächlich von hier kopiert:

• https://dn42.dev/howto/Bird2#example-configuration
• https://dn42.dev/services/Route-Collector.md#bgp-configuration

################################################
#               Variable header                #
################################################

define OWNAS =  4242421976;
define OWNIP =  172.23.208.8;
define OWNIPv6 = fd20:bdda:5df0::8;
define OWNNET = 172.23.208.0/23;
define OWNNETv6 = fd20:bdda:5df0::/48;
define OWNNETSET = [172.23.208.0/23+];
define OWNNETSETv6 = [fd20:bdda:5df0::/48+];

################################################
#                 Header end                   #
################################################

router id OWNIP;

protocol device {
    scan time 10;
}

/*
 *  Utility functions
 */

function is_self_net() {
  return net ~ OWNNETSET;
}

function is_self_net_v6() {
  return net ~ OWNNETSETv6;
}

function is_valid_network() {
  return net ~ [
    172.20.0.0/14{21,29}, # dn42
    172.20.0.0/24{28,32}, # dn42 Anycast
    172.21.0.0/24{28,32}, # dn42 Anycast
    172.22.0.0/24{28,32}, # dn42 Anycast
    172.23.0.0/24{28,32}, # dn42 Anycast
    172.31.0.0/16+,       # ChaosVPN
    10.100.0.0/14+,       # ChaosVPN
    10.127.0.0/16{16,32}, # neonetwork
    10.0.0.0/8{15,24}     # Freifunk.net
  ];
}

roa4 table dn42_roa;
roa6 table dn42_roa_v6;

protocol static {
    roa4 { table dn42_roa; };
    include "/etc/bird/roa_dn42.conf";
};

protocol static {
    roa6 { table dn42_roa_v6; };
    include "/etc/bird/roa_dn42_v6.conf";
};

function is_valid_network_v6() {
  return net ~ [
    fd00::/8{44,64} # ULA address space as per RFC 4193
  ];
}

protocol kernel {
    scan time 20;

    ipv6 {
        import none;
        export filter {
            if source = RTS_STATIC then reject;
            krt_prefsrc = OWNIPv6;
            accept;
        };
    };
};

protocol kernel {
    scan time 20;

    ipv4 {
        import none;
        export filter {
            if source = RTS_STATIC then reject;
            krt_prefsrc = OWNIP;
            accept;
        };
    };
}

protocol static {
    route OWNNET reject;

    ipv4 {
        import all;
        export none;
    };
}

protocol static {
    route OWNNETv6 reject;

    ipv6 {
        import all;
        export none;
    };
}

protocol bgp ROUTE_COLLECTOR
{
  local as OWNAS;
  neighbor fd42:4242:2601:ac12::1 as 4242422602;

  # enable multihop as the collector is not locally connected
  multihop;

  ipv4 {
    # export all available paths to the collector    
    add paths tx;

    # import/export filters
    import none;
    export filter {
      # export all valid routes
      if ( is_valid_network() && source ~ [ RTS_STATIC, RTS_BGP ] )
      then {
        accept;
      }
      reject;
    };
  };

  ipv6 {
    # export all available paths to the collector    
    add paths tx;

    # import/export filters
    import none;
    export filter {
      # export all valid routes
      if ( is_valid_network_v6() && source ~ [ RTS_STATIC, RTS_BGP ] )
      then {
        accept;
      }
      reject;
    };
  };
}

template bgp dnpeers {
    local as OWNAS;
    path metric 1;

    ipv4 {
        import filter {
          if is_valid_network() && !is_self_net() then {
            if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
              print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
              reject;
            } else accept;
          } else reject;
        };

        export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
        import limit 1000 action block;
    };

    ipv6 {   
        import filter {
          if is_valid_network_v6() && !is_self_net_v6() then {
            if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
              print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
              reject;
            } else accept;
          } else reject;
        };
        export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
        import limit 1000 action block; 
    };
}


include "/etc/bird/peers/*";

$ apt-get install --no-install-recommends wireguard-tools

$ cd /etc/systemd/network/
$ PEERNAME=replaceexamplepeer
$ PEERASN=replaceexapmlepeerasn
$ PEERIP4=...
$ PEERIP6=...
$ sh -c "umask 066; touch dn42-$PEERNAME-wg.key; chown systemd-network:systemd-network dn42-$PEERNAME-wg.key"
$ wg genkey | tee -a dn42-$PEERNAME-wg.key | wg pubkey > dn42-$PEERNAME-wg.pub

$ cat << EOF > dn42-${PEERNAME}-wg.netdev
[NetDev]
Name=dn42_${PEERNAME}_wg
Kind=wireguard
Description=DN42 ${PEERNAME} WG tunnel
MTUBytes=1392

[WireGuard]
ListenPort=$(for i in `seq 2300 2399`; do grep -q "^ListenPort=$i\$" dn42-*.netdev && continue; echo "$i"; break; done)
PrivateKeyFile=/etc/systemd/network/dn42-${PEERNAME}-wg.key

[WireGuardPeer]
#PublicKey=
#Endpoint=
AllowedIPs=fe80::/64
AllowedIPs=fd00::/8
AllowedIPs=172.16.0.0/12
AllowedIPs=10.0.0.0/8
EOF

$ cat << EOF > dn42-${PEERNAME}-wg.network
[Match]
Name=dn42_${PEERNAME}_wg

[Network]
DHCP=no
IPv6AcceptRA=false
IPForward=yes

# for networkd >= 244 KeepConfiguration stops networkd from
# removing routes on this interface when restarting
KeepConfiguration=yes

[Address]
Address=fe80::1976/64

[Address]
Address=172.20.240.$(for i in `seq 0 255`; do grep -q "^Address=172\.20\.240\.$i/32\$" dn42-*.network && continue; echo "$i"; break; done)/32
#Peer=
EOF

`PublicKey`, `Endpoint` und `Peer` mit den Werten der Gegenseite updaten. Dann `networkctl reload` aufrufen.

$ cat << EOF > /etc/bird/peers/dn42-${PEERNAME}.conf
protocol bgp dn42_${PEERNAME} from dnpeers {
        neighbor ${PEERIP4} as ${PEERASN};
}

protocol bgp dn42_${PEERNAME}_v6 from dnpeers {
        neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
}