Quickstart
# NOTE(review): world-writable, recursively. Presumably needed because the
# containers run under --userns-remap=default (see /etc/default/docker below)
# and therefore write as shifted UIDs; a chown -R to that subordinate UID range
# (or a shared group with 770/660) would be the narrower fix — confirm which
# paths the containers actually need to write.
chmod -R 777 ephemeral */*.conf etc
Console
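# Subshell + &&: if the cd fails nothing runs and the caller's cwd is untouched.
# (With "cd X ; ... ; cd .." a failed cd would run compose in the wrong
# directory and then climb one level out of the repo.)
(cd rb_console && docker-compose up -d)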
Hub
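# Subshell + &&: a failed cd aborts instead of running compose in the wrong dir.
(cd rb_hub && docker-compose up -d)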
General leaf
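# Subshell + &&: a failed cd aborts instead of running compose in the wrong dir.
(cd rb_general && docker-compose up -d)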
Edge leaf
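# Subshell + &&: a failed cd aborts instead of running compose in the wrong dir.
(cd rb_edge && docker-compose up -d)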
Tor daemon
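# Subshell + &&: a failed cd aborts instead of running compose in the wrong dir.
(cd rb_tor && docker-compose up -d)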
Tor DMZ leaf
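# Subshell + &&: a failed cd aborts instead of running compose in the wrong dir.
(cd rb_tor_dmz && docker-compose up -d)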
Proxy DMZ leaf
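# Subshell + &&: a failed cd aborts instead of running compose in the wrong dir.
(cd rb_proxy_dmz && docker-compose up -d)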
MySQL for Services
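# &&: do not start compose if the cd failed. Stays in rb_mysql on purpose —
# the follow-up steps below are run from there.
cd rb_mysql && docker-compose up -d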
- The database needs to be created / sourced; the structure file is mapped into the container by compose:
docker exec -it <id> /bin/bash
run mysql -u root
- follow the instructions in the .txt file that's in the rb_mysql dir.
Services
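# Subshell + &&: a failed cd aborts instead of running compose in the wrong dir.
(cd rb_services && docker-compose up -d)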
- had to strace it, it's a little under-cooked. Finally got it to work.
Networking
- everything is segmented and the networks are technically isolated. Follow the rest of the guide to isolate them completely.
Uplinking
Host configuration (debian)
sysctl.conf
# Host sysctl tuning for the uplink box.
# The net.netfilter.* keys only exist once the nf_conntrack module is loaded;
# a "sysctl -p" that runs before the module is loaded (e.g. before the
# iptables ruleset below is applied) reports them as unknown keys — check the
# boot ordering on this host.
net.core.default_qdisc = fq
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_mtu_probing = 0
net.ipv4.tcp_timestamps = 1
# conf.default.* is inherited by interfaces created later (docker0, veths);
# conf.all.* also covers the ones that already exist.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 2 = loose reverse-path filtering.
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_dad = 0
net.ipv6.conf.default.accept_redirects = 0
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_tcp_timeout_established = 120
# 255 = log INVALID packets of every protocol (pairs with the INVALID_* chains
# in the ruleset below).
net.netfilter.nf_conntrack_log_invalid = 255
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_max = 524288
net.netfilter.nf_conntrack_timestamp = 1
net.netfilter.nf_conntrack_acct = 1
documentation
Packages
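# On Debian the engine package is "docker.io" (or docker-ce from Docker's own
# repository); "docker" does not install the Docker engine.
apt install iptables-persistent docker.io tor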
/etc/systemd/network/25-wan_interface.link
- replace aa:bb:cc:dd:ee:ff with the MAC address of your VPS's or server's WAN interface
# Pins the name "WAN" to the interface with this MAC. The iptables rules below
# match on -i WAN / -o WAN, so the rename must be in effect before they load.
[Match]
MACAddress=aa:bb:cc:dd:ee:ff
[Link]
Description=WAN
MACAddressPolicy=persistent
Name=WAN
# .link files are applied by systemd-udevd when the device is (re)initialised,
# so the rename typically shows up after a reboot (or udevadm trigger), not
# merely after networkd is started.
systemctl enable --now systemd-networkd
- verify that your WAN interface has been renamed to WAN
IPTables
# iptables-restore format. Default-deny on INPUT/FORWARD/OUTPUT; anything not
# explicitly accepted ends in a rate-limited LOG followed by DROP.
# 198.18.0.0/15 is the RFC 2544 benchmarking range, used here as non-routed
# internal address space.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT the container range out of WAN ourselves; docker's own
# masquerading is turned off with --ip-masq=false in /etc/default/docker.
-A POSTROUTING -o WAN -s 198.18.48.0/20 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER-USER - [0:0]
:INVALID_FORWARD - [0:0]
:INVALID_IN - [0:0]
:INVALID_OUT - [0:0]
:LOG_FORWARD - [0:0]
:LOG_INPUT - [0:0]
:LOG_OUTPUT - [0:0]
# "-m state --state" is the legacy spelling of "-m conntrack --ctstate";
# the match is the same.
-A INPUT -m state --state INVALID -j INVALID_IN
# Loopback is accepted only when BOTH addresses are in 127.0.0.0/8. Traffic a
# local process sends to one of the host's other addresses over lo does not
# match here (nor in OUTPUT) and is dropped unless one of the port rules
# below catches it.
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# Replies to host-originated traffic are accepted on WAN only. There is no
# equivalent for docker0, so the only container->host traffic let in is the
# stateless UDP/53 rule (tor DNSPort) right below.
-A INPUT -i WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.18.48.0/20 -d 198.18.48.1/32 -m udp -p udp --dport 53 -j ACCEPT
# SSH and IRC listeners: no -i/-s restriction, reachable on every interface.
-A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 6667 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 6697 -j ACCEPT
-A INPUT -j LOG_INPUT
-A FORWARD -m state --state INVALID -j INVALID_FORWARD
# 198.18.0.0/20 and 198.18.48.0/20 may initiate towards 198.18.16.0/20;
# only replies flow back.
-A FORWARD -s 198.18.0.0/20 -d 198.18.16.0/20 -j ACCEPT
-A FORWARD -s 198.18.48.0/20 -d 198.18.16.0/20 -j ACCEPT
-A FORWARD -s 198.18.16.0/20 -d 198.18.0.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 198.18.16.0/20 -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Containers (198.18.48.0/20) may open connections to anything outside
# 198.18.0.0/17; only replies are forwarded back in.
-A FORWARD -s 198.18.48.0/20 ! -d 198.18.0.0/17 -j ACCEPT
-A FORWARD ! -s 198.18.0.0/17 -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FORWARD
-A OUTPUT -m state --state INVALID -j INVALID_OUT
-A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -o WAN -j ACCEPT
# Host -> containers: UDP only (DNS answers from 198.18.48.1). Host-initiated
# TCP to a container is dropped; docker exec does not traverse the network.
-A OUTPUT -s 198.18.48.1/32 -d 198.18.48.0/20 -m udp -p udp -j ACCEPT
-A OUTPUT -j LOG_OUTPUT
# Kept so docker's chain layout is satisfied; with --iptables=false docker
# does not add rules of its own.
-A DOCKER-USER -j RETURN
-A INVALID_FORWARD -m limit --limit 2/min -j LOG --log-prefix "4INVALID_FWD: "
-A INVALID_FORWARD -j DROP
-A INVALID_IN -m limit --limit 2/min -j LOG --log-prefix "4INVALID_IN: "
-A INVALID_IN -j DROP
-A INVALID_OUT -m limit --limit 2/min -j LOG --log-prefix "4INVALID_OUT: "
-A INVALID_OUT -j DROP
-A LOG_FORWARD -m limit --limit 2/min -j LOG --log-prefix "4FWD dropped: "
-A LOG_FORWARD -j DROP
-A LOG_INPUT -m limit --limit 2/min -j LOG --log-prefix "4IN dropped: "
-A LOG_INPUT -j DROP
-A LOG_OUTPUT -m limit --limit 2/min -j LOG --log-prefix "4OUT dropped: "
-A LOG_OUTPUT -j DROP
COMMIT
/etc/tor/torrc
# NOTE(review): DNSPort is bound on every address; only the INPUT rule above
# (198.18.48.0/20 -> 198.18.48.1 udp/53) keeps it private to the containers.
# Binding 198.18.48.1:53 explicitly would not depend on the firewall, but
# docker0 must then already carry that address when tor starts (see the
# "ip addr add" step below) — confirm the start order.
DNSPort 0.0.0.0:53
Log notice syslog
# If another resolver is already bound on port 53 (e.g. a stub listener), the
# DNSPort bind fails and tor exits — check "journalctl -u tor" after this.
systemctl enable --now tor
/etc/default/docker
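# Daemon options. Whether this file is honoured depends on the unit: Debian's
# docker.io unit reads it via EnvironmentFile and expands $DOCKER_OPTS, while
# docker-ce's unit ignores it (use /etc/docker/daemon.json or a drop-in there).
# Verify with "systemctl cat docker" on the host.
# The --dns value used to be wrapped in single quotes inside the double-quoted
# string; those quotes are literal characters after expansion, so dockerd
# would have been handed --dns='198.18.48.1', which is not a valid address.
DOCKER_OPTS="--dns=198.18.48.1 --userns-remap=default --iptables=false --ip-masq=false --bip=198.18.48.1/25 --fixed-cidr=198.18.48.0/25"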
# One-off re-creation of docker0 with the address from --bip above. Not
# persistent across reboots — presumably fine because dockerd recreates the
# bridge from --bip on start; confirm. "ip link del" fails if docker0 does not
# exist yet, and the new bridge is left DOWN (check "ip link show docker0"
# after dockerd is up).
ip link del docker0
ip link add docker0 type bridge
ip addr add 198.18.48.1/25 dev docker0
TODO
- DCC from bouncer to services. Bouncer-to-hub scope requires ident; the ident module works, but port 113 is hard to get without root. There is a way without root — it's one of the following (the sysctl lowers the privileged-port boundary for the whole host, whereas the other two grant the capability to one binary or one container only):
setcap cap_net_bind_service=+eip <binary>
net.ipv4.ip_unprivileged_port_start=0
- compose
cap_add:
- CAP_NET_BIND_SERVICE
the services' config also has an option dcc_vhost = "192.168.70.90";
which is on a VLAN shared with the bouncer. The bouncer has another option:
LoadModule = bouncedcc
I just haven't been able to get it to work: `n3tw3rk.services: No access.`