*****DEAD ACCOUNT e3b5a9b151
change nicklen to 32, and cleaning up a bit
2020-11-06 15:11:05 +00:00
ephemeral clean up and add notes 2020-11-05 20:41:27 +00:00
etc change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
irssi refactoring 2020-11-04 15:33:34 +00:00
ratbox change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
ratbox-services services work 2020-11-05 10:06:09 +00:00
rb_bounce update notes 2020-11-05 20:30:36 +00:00
rb_console change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
rb_edge change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
rb_general change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
rb_hub change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
rb_mysql services work 2020-11-05 10:06:09 +00:00
rb_proxy_dmz change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
rb_services change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
rb_tor services work 2020-11-05 10:06:09 +00:00
rb_tor_dmz change nicklen to 32, and cleaning up a bit 2020-11-06 15:11:05 +00:00
tor refactoring 2020-11-04 15:33:34 +00:00
znc services work 2020-11-05 10:06:09 +00:00
README.md clean up and add notes 2020-11-05 20:41:27 +00:00

Quickstart

  • chmod -R 777 ephemeral */*.conf etc

Console

  • cd rb_console ; docker-compose up -d ; cd ..

Hub

  • cd rb_hub ; docker-compose up -d ; cd ..

General leaf

  • cd rb_general ; docker-compose up -d ; cd ..

Edge leaf

  • cd rb_edge ; docker-compose up -d ; cd ..

Tor daemon

  • cd rb_tor ; docker-compose up -d ; cd ..

Tor DMZ leaf

  • cd rb_tor_dmz ; docker-compose up -d ; cd ..

Proxy DMZ leaf

  • cd rb_proxy_dmz ; docker-compose up -d ; cd ..

MySQL for Services

  • cd rb_mysql ; docker-compose up -d
  • The database needs to be created and sourced; the structure file is mapped into the container by compose. Run docker exec -it <id> /bin/bash, then mysql -u root inside the container.
  • follow the instructions in the .txt file that's in the rb_mysql dir.

Services

  • cd rb_services ; docker-compose up -d ; cd ..
  • had to strace it, it's a little under-cooked. Finally got it to work.

Networking

  • everything is segmented; the networks are technically isolated. Follow the rest of the guide to find out how to isolate them completely.

Uplinking

Host configuration (debian)

sysctl.conf

net.core.default_qdisc                             = fq
net.core.rmem_max                                  = 134217728
net.core.wmem_max                                  = 134217728
net.ipv4.conf.all.log_martians                     = 1
net.ipv4.tcp_rmem                                  = 4096 87380 67108864
net.ipv4.tcp_wmem                                  = 4096 65536 67108864
net.ipv4.tcp_congestion_control                    = htcp
net.ipv4.tcp_mtu_probing                           = 0
net.ipv4.tcp_timestamps                            = 1
net.ipv4.conf.default.accept_redirects             = 0
net.ipv4.conf.default.secure_redirects             = 0
net.ipv4.conf.default.send_redirects               = 0
net.ipv4.conf.all.rp_filter                        = 2
net.ipv4.conf.all.accept_source_route              = 0
net.ipv4.tcp_syncookies                            = 1
net.ipv6.conf.default.autoconf                     = 0
net.ipv6.conf.default.accept_ra                    = 0
net.ipv6.conf.default.accept_dad                   = 0
net.ipv6.conf.default.accept_redirects             = 0
net.netfilter.nf_conntrack_checksum                = 1
net.netfilter.nf_conntrack_tcp_timeout_established = 120
net.netfilter.nf_conntrack_log_invalid             = 255
net.netfilter.nf_conntrack_tcp_timeout_close_wait  = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait    = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait   = 60
net.netfilter.nf_conntrack_max                     = 524288
net.netfilter.nf_conntrack_timestamp               = 1
net.netfilter.nf_conntrack_acct                    = 1

documentation

Packages

apt install iptables-persistent docker tor

  • replace aa:bb:cc:dd:ee:ff with the MAC address of your VPS or server WAN interface

[Match]
MACAddress=aa:bb:cc:dd:ee:ff

[Link]
Description=WAN
MACAddressPolicy=persistent
Name=WAN

  • systemctl enable systemd-networkd
  • systemctl start systemd-networkd
  • verify that your WAN interface is renamed to WAN

IPTables

*nat
:PREROUTING ACCEPT  [0:0]
:INPUT ACCEPT       [0:0]
:OUTPUT ACCEPT      [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING  -o WAN   -s 198.18.48.0/20                                                              -j MASQUERADE
COMMIT
*filter
:INPUT DROP         [0:0]
:FORWARD DROP       [0:0]
:OUTPUT DROP        [0:0]
:DOCKER-USER      - [0:0]
:INVALID_FORWARD  - [0:0]
:INVALID_IN       - [0:0]
:INVALID_OUT      - [0:0]
:LOG_FORWARD      - [0:0]
:LOG_INPUT        - [0:0]
:LOG_OUTPUT       - [0:0]
-A INPUT                                                       -m state --state INVALID                 -j INVALID_IN
-A INPUT        -i lo    -s 127.0.0.0/8      -d 127.0.0.0/8                                             -j ACCEPT
-A INPUT        -i WAN                                         -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A INPUT                 -s 198.18.48.0/20   -d 198.18.48.1/32 -m udp -p udp --dport 53                 -j ACCEPT
-A INPUT                                                       -m tcp -p tcp --dport 22                 -j ACCEPT
-A INPUT                                                       -m tcp -p tcp --dport 6667               -j ACCEPT
-A INPUT                                                       -m tcp -p tcp --dport 6697               -j ACCEPT
-A INPUT                                                                                                -j LOG_INPUT
-A FORWARD                                                     -m state --state INVALID                 -j INVALID_FORWARD
-A FORWARD               -s 198.18.0.0/20    -d 198.18.16.0/20                                          -j ACCEPT
-A FORWARD               -s 198.18.48.0/20   -d 198.18.16.0/20                                          -j ACCEPT
-A FORWARD               -s 198.18.16.0/20   -d 198.18.0.0/20  -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A FORWARD               -s 198.18.16.0/20   -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A FORWARD               -s 198.18.48.0/20 ! -d 198.18.0.0/17                                           -j ACCEPT
-A FORWARD !             -s 198.18.0.0/17    -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED     -j ACCEPT
-A FORWARD                                                                                              -j LOG_FORWARD
-A OUTPUT                                                      -m state --state INVALID                 -j INVALID_OUT
-A OUTPUT       -o lo    -s 127.0.0.0/8      -d 127.0.0.0/8                                             -j ACCEPT
-A OUTPUT       -o WAN                                                                                  -j ACCEPT
-A OUTPUT                -s 198.18.48.1/32   -d 198.18.48.0/20 -m udp -p udp                            -j ACCEPT
-A OUTPUT                                                                                               -j LOG_OUTPUT
-A DOCKER-USER                                                                                          -j RETURN
-A INVALID_FORWARD                                             -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_FWD: "
-A INVALID_FORWARD                                                                                      -j DROP
-A INVALID_IN                                                  -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_IN: "
-A INVALID_IN                                                                                           -j DROP
-A INVALID_OUT                                                 -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_OUT: "
-A INVALID_OUT                                                                                          -j DROP
-A LOG_FORWARD                                                 -m limit --limit 2/min                   -j LOG               --log-prefix "4FWD dropped: "
-A LOG_FORWARD                                                                                          -j DROP
-A LOG_INPUT                                                   -m limit --limit 2/min                   -j LOG               --log-prefix "4IN dropped: "
-A LOG_INPUT                                                                                            -j DROP
-A LOG_OUTPUT                                                  -m limit --limit 2/min                   -j LOG               --log-prefix "4OUT dropped: "
-A LOG_OUTPUT                                                                                           -j DROP
COMMIT
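The Networking section says the segments are isolated; the FORWARD chain above is what actually enforces that between the 198.18.x.0/20 ranges and the Docker range (198.18.48.0/20, per the --bip/--fixed-cidr options below). The following Python is an added example, not part of this repository: it parses the FORWARD rules copied from the ruleset and returns the verdict for a given flow, supporting only the match types this ruleset uses (-s/-d with "!" negation, --state, -j) and treating jumps to INVALID_FORWARD and LOG_FORWARD as DROP because both chains end in an unconditional DROP. The addresses used in the checks are constructed.

```python
import ipaddress
import shlex
# FORWARD chain copied from the iptables ruleset in this README (alignment trimmed).
FORWARD_CHAIN = """
-A FORWARD -m state --state INVALID -j INVALID_FORWARD
-A FORWARD -s 198.18.0.0/20 -d 198.18.16.0/20 -j ACCEPT
-A FORWARD -s 198.18.48.0/20 -d 198.18.16.0/20 -j ACCEPT
-A FORWARD -s 198.18.16.0/20 -d 198.18.0.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 198.18.16.0/20 -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 198.18.48.0/20 ! -d 198.18.0.0/17 -j ACCEPT
-A FORWARD ! -s 198.18.0.0/17 -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FORWARD
"""
# Both user chains end in an unconditional DROP after a rate-limited LOG; the chain policy is DROP too.
TERMINAL = {"ACCEPT": "ACCEPT", "INVALID_FORWARD": "DROP", "LOG_FORWARD": "DROP"}

def parse_rule(line):
    """Pick out the matches this ruleset uses: -s/-d (optionally '!'-negated), --state, -j."""
    rule = {"src": None, "dst": None, "states": None, "target": None}
    toks, negate, i = shlex.split(line), False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True  # applies to the -s or -d that follows
        elif tok in ("-s", "-d"):
            rule["src" if tok == "-s" else "dst"] = (ipaddress.ip_network(toks[i + 1]), negate)
            negate, i = False, i + 1
        elif tok == "--state":
            rule["states"], i = set(toks[i + 1].split(",")), i + 1
        elif tok == "-j":
            rule["target"], i = toks[i + 1], i + 1
        i += 1
    return rule

RULES = [parse_rule(line) for line in FORWARD_CHAIN.strip().splitlines()]

def rule_matches(rule, pkt):
    for key in ("src", "dst"):  # (network, negated) tuples; None means "any"
        if rule[key] and (ipaddress.ip_address(pkt[key]) in rule[key][0]) == rule[key][1]:
            return False
    return rule["states"] is None or pkt["state"] in rule["states"]

def forward_verdict(src, dst, state="NEW"):
    """Walk the FORWARD chain top to bottom; first match decides, else chain policy DROP."""
    pkt = {"src": src, "dst": dst, "state": state}
    for rule in RULES:
        if rule_matches(rule, pkt):
            return TERMINAL[rule["target"]]
    return "DROP"
```

For instance, forward_verdict("198.18.48.10", "198.18.16.5") returns ACCEPT while the reverse direction with state NEW returns DROP, and a Docker-side container reaching 198.18.100.1 (inside 198.18.0.0/17 but in none of the permitted /20s) is also dropped by the "! -d 198.18.0.0/17" fence.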

/etc/tor/torrc

DNSPort                     0.0.0.0:53
Log                         notice syslog
  • systemctl enable tor
  • systemctl start tor

/etc/default/docker

DOCKER_OPTS="--dns='198.18.48.1' --userns-remap=default --iptables=false --ip-masq=false --bip=198.18.48.1/25 --fixed-cidr=198.18.48.0/25"
  • ip link del docker0
  • ip link add docker0 type bridge
  • ip addr add 198.18.48.1/25 dev docker0

TODO

  • DCC from bouncer to services. Bouncer-to-hub scope requires ident; the ident module works, but port 113 is difficult to get. There's a way without root, it's one of:
  • setcap +eip
  • net.ipv4.ip_unprivileged_port_start=0
  • compose:
    cap_add:
      - CAP_NET_BIND_SERVICE

the services' config also has an option dcc_vhost = "192.168.70.90"; which is a VLAN that is shared with the bouncer. The bouncer has another option:

  • LoadModule = bouncedcc I just haven't been able to get it to work: n3tw3rk.services: No access.