README.md

Quickstart

  • chmod -R 777 ephemeral */*.conf etc

Console

  • cd rb_console ; docker-compose up -d ; cd ..

Hub

  • cd rb_hub ; docker-compose up -d ; cd ..

General leaf

  • cd rb_general ; docker-compose up -d ; cd ..

Edge leaf

  • cd rb_edge ; docker-compose up -d ; cd ..

Tor daemon

  • cd rb_tor ; docker-compose up -d ; cd ..

Tor DMZ leaf

  • cd rb_tor_dmz ; docker-compose up -d ; cd ..

Proxy DMZ leaf

  • cd rb_proxy_dmz ; docker-compose up -d ; cd ..

MySQL for Services

  • cd rb_mysql ; docker-compose up -d
  • The database still has to be created and its structure sourced: compose maps the structure file into the container, so open a shell with docker exec -it <id> /bin/bash and run mysql -u root inside it
  • follow the instructions in the .txt file that's in the rb_mysql dir.

Services

  • cd rb_services ; docker-compose up -d ; cd ..
  • had to strace it, it's a little under-cooked. Finally got it to work.

Networking

  • everything is segmented and the networks are isolated from each other; follow the rest of the guide (the host sysctl, iptables and docker settings below) to isolate them completely.

Uplinking

Host configuration (debian)

sysctl.conf

net.core.default_qdisc                             = fq
net.core.rmem_max                                  = 134217728
net.core.wmem_max                                  = 134217728
net.ipv4.conf.all.log_martians                     = 1
net.ipv4.tcp_rmem                                  = 4096 87380 67108864
net.ipv4.tcp_wmem                                  = 4096 65536 67108864
net.ipv4.tcp_congestion_control                    = htcp
net.ipv4.tcp_mtu_probing                           = 0
net.ipv4.tcp_timestamps                            = 1
net.ipv4.conf.default.accept_redirects             = 0
net.ipv4.conf.default.secure_redirects             = 0
net.ipv4.conf.default.send_redirects               = 0
net.ipv4.conf.all.rp_filter                        = 2
net.ipv4.conf.all.accept_source_route              = 0
net.ipv4.tcp_syncookies                            = 1
net.ipv6.conf.default.autoconf                     = 0
net.ipv6.conf.default.accept_ra                    = 0
net.ipv6.conf.default.accept_dad                   = 0
net.ipv6.conf.default.accept_redirects             = 0
net.netfilter.nf_conntrack_checksum                = 1
net.netfilter.nf_conntrack_tcp_timeout_established = 120
net.netfilter.nf_conntrack_log_invalid             = 255
net.netfilter.nf_conntrack_tcp_timeout_close_wait  = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait    = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait   = 60
net.netfilter.nf_conntrack_max                     = 524288
net.netfilter.nf_conntrack_timestamp               = 1
net.netfilter.nf_conntrack_acct                    = 1

documentation

Packages

apt install iptables-persistent docker tor

/etc/systemd/network/25-wan_interface.link

  • replace aa:bb:cc:dd:ee:ff with the MAC address of your VPS or server WAN interface

    [Match]
    MACAddress=aa:bb:cc:dd:ee:ff

    [Link]
    Description=WAN
    MACAddressPolicy=persistent
    Name=WAN

  • systemctl enable systemd-networkd

  • systemctl start systemd-networkd

  • verify that your WAN interface is renamed to WAN

IPTables

*nat
:PREROUTING ACCEPT  [0:0]
:INPUT ACCEPT       [0:0]
:OUTPUT ACCEPT      [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING  -o WAN   -s 198.18.48.0/20                                                              -j MASQUERADE
COMMIT
*filter
:INPUT DROP         [0:0]
:FORWARD DROP       [0:0]
:OUTPUT DROP        [0:0]
:DOCKER-USER      - [0:0]
:INVALID_FORWARD  - [0:0]
:INVALID_IN       - [0:0]
:INVALID_OUT      - [0:0]
:LOG_FORWARD      - [0:0]
:LOG_INPUT        - [0:0]
:LOG_OUTPUT       - [0:0]
-A INPUT                                                       -m state --state INVALID                 -j INVALID_IN
-A INPUT        -i lo    -s 127.0.0.0/8      -d 127.0.0.0/8                                             -j ACCEPT
-A INPUT        -i WAN                                         -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A INPUT                 -s 198.18.48.0/20   -d 198.18.48.1/32 -m udp -p udp --dport 53                 -j ACCEPT
-A INPUT                                                       -m tcp -p tcp --dport 22                 -j ACCEPT
-A INPUT                                                       -m tcp -p tcp --dport 6667               -j ACCEPT
-A INPUT                                                       -m tcp -p tcp --dport 6697               -j ACCEPT
-A INPUT                                                                                                -j LOG_INPUT
-A FORWARD                                                     -m state --state INVALID                 -j INVALID_FORWARD
-A FORWARD               -s 198.18.0.0/20    -d 198.18.16.0/20                                          -j ACCEPT
-A FORWARD               -s 198.18.48.0/20   -d 198.18.16.0/20                                          -j ACCEPT
-A FORWARD               -s 198.18.16.0/20   -d 198.18.0.0/20  -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A FORWARD               -s 198.18.16.0/20   -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A FORWARD               -s 198.18.48.0/20 ! -d 198.18.0.0/17                                           -j ACCEPT
-A FORWARD !             -s 198.18.0.0/17    -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A FORWARD                                                                                              -j LOG_FORWARD
-A OUTPUT                                                      -m state --state INVALID                 -j INVALID_OUT
-A OUTPUT       -o lo    -s 127.0.0.0/8      -d 127.0.0.0/8                                             -j ACCEPT
-A OUTPUT       -o WAN                                                                                  -j ACCEPT
-A OUTPUT                -s 198.18.48.1/32   -d 198.18.48.0/20 -m udp -p udp                            -j ACCEPT
-A OUTPUT                                                                                               -j LOG_OUTPUT
-A DOCKER-USER                                                                                          -j RETURN
-A INVALID_FORWARD                                             -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_FWD: "
-A INVALID_FORWARD                                                                                      -j DROP
-A INVALID_IN                                                  -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_IN: "
-A INVALID_IN                                                                                           -j DROP
-A INVALID_OUT                                                 -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_OUT: "
-A INVALID_OUT                                                                                          -j DROP
-A LOG_FORWARD                                                 -m limit --limit 2/min                   -j LOG               --log-prefix "4FWD dropped: "
-A LOG_FORWARD                                                                                          -j DROP
-A LOG_INPUT                                                   -m limit --limit 2/min                   -j LOG               --log-prefix "4IN dropped: "
-A LOG_INPUT                                                                                            -j DROP
-A LOG_OUTPUT                                                  -m limit --limit 2/min                   -j LOG               --log-prefix "4OUT dropped: "
-A LOG_OUTPUT                                                                                           -j DROP
COMMIT
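To check the segmentation the FORWARD chain above actually enforces without loading it into a kernel, here is an added example (not part of this repository) that parses the FORWARD rules copied from the ruleset and returns the first-match verdict for a given source, destination and conntrack state. It models only the -s, -d and --state matches the chain uses; the LOG_FORWARD and INVALID_FORWARD chains are reduced to the DROP they end in.

```python
# Added example, not part of the repository: offline first-match evaluation of
# the FORWARD chain above, modelling only the -s/-d/--state matches it uses.
import ipaddress
import shlex

# FORWARD rules copied from the ruleset above (constructed input for this check).
FORWARD_RULES = """
-A FORWARD -m state --state INVALID -j INVALID_FORWARD
-A FORWARD -s 198.18.0.0/20 -d 198.18.16.0/20 -j ACCEPT
-A FORWARD -s 198.18.48.0/20 -d 198.18.16.0/20 -j ACCEPT
-A FORWARD -s 198.18.16.0/20 -d 198.18.0.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 198.18.16.0/20 -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 198.18.48.0/20 ! -d 198.18.0.0/17 -j ACCEPT
-A FORWARD ! -s 198.18.0.0/17 -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FORWARD
"""
DROP_CHAINS = {"LOG_FORWARD", "INVALID_FORWARD"}  # both log (rate limited) and then DROP


def parse_rule(line):
    """Return the rule's src/dst as (network, negated) or None, its --state set and target."""
    toks = shlex.split(line)
    rule = {"src": None, "dst": None, "states": None, "target": None}
    negate, i = False, 2  # skip '-A FORWARD'
    while i < len(toks):
        tok = toks[i]
        if tok == "!":  # negation applies to the match that follows it
            negate, i = True, i + 1
            continue
        if tok in ("-s", "-d"):
            rule["src" if tok == "-s" else "dst"] = (ipaddress.ip_network(toks[i + 1]), negate)
        elif tok == "--state":
            rule["states"] = set(toks[i + 1].split(","))
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        i += 2 if tok in ("-s", "-d", "--state", "-j", "-m") else 1  # '-m state' takes an argument
        negate = False
    return rule


def forward_verdict(src, dst, state="NEW"):
    """Walk the FORWARD chain for one packet; returns 'ACCEPT' or 'DROP'."""
    addrs = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
    for line in FORWARD_RULES.strip().splitlines():
        rule = parse_rule(line)
        hit = all(rule[k] is None or ((addrs[k] in rule[k][0]) != rule[k][1]) for k in addrs)
        if hit and (rule["states"] is None or state in rule["states"]):
            return "DROP" if rule["target"] in DROP_CHAINS else rule["target"]
    return "DROP"  # the chain policy above is DROP
```

With the rules as written, a new connection from a container in 198.18.48.0/20 reaches the internet and 198.18.16.0/20 but is dropped towards 198.18.0.0/20, and nothing outside 198.18.0.0/17 can open a new connection into the container network.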

/etc/tor/torrc

DNSPort                     0.0.0.0:53
Log                         notice syslog

  • systemctl enable tor
  • systemctl start tor

/etc/default/docker

DOCKER_OPTS="--dns='198.18.48.1' --userns-remap=default --iptables=false --ip-masq=false --bip=198.18.48.1/25 --fixed-cidr=198.18.48.0/25"

  • ip link del docker0
  • ip link add docker0 type bridge
  • ip addr add 198.18.48.1/25 dev docker0

TODO

  • DCC from bouncer to services. The bouncer-to-hub scope requires ident; the ident module works, but binding port 113 is difficult to get. There is a way to do it without root; it's one of:
  • setcap +eip (CAP_NET_BIND_SERVICE) on the binary
  • net.ipv4.ip_unprivileged_port_start=0
  • compose:

    cap_add:
       - CAP_NET_BIND_SERVICE

  • The services' config also has an option dcc_vhost = "192.168.70.90"; which is a VLAN shared with the bouncer. The bouncer has another option, LoadModule = bouncedcc. I just haven't been able to get it to work: n3tw3rk.services: No access.