
Initial commit

This commit is contained in:
Martin Tonusoo
2023-06-15 17:55:10 +03:00
commit bf4aa50b38
69 changed files with 3095 additions and 0 deletions


@@ -0,0 +1,74 @@
#!/usr/bin/env bash
# Title : mac_to_ip6_ll_addr
# Last modified date : 13.03.2023
# Author : Martin Tonusoo
# Description : Script finds the IPv6 link local address
# from the MAC address.
# Options : MAC address.
# Notes : Script expects the MAC address as a
# command line argument in the format
# returned by "ip link" command, e.g
# 52:54:00:db:99:99.
mac_regex="^([0-9a-f]{2}:){5}([0-9a-f]{2})$"
if [[ ! "$1" =~ $mac_regex ]]; then
printf "%s\n%s\n" "Usage: ${0##*/} <MAC_addr>" \
"Example: ${0##*/} 52:54:00:db:99:99" \
>&2
exit 1
fi
IFS=: read -r o1 o2 o3 o4 o5 o6 <<< "$1"
# Convert the four least significant bits of
# the first octet of the MAC address from hex
# to decimal.
o1_dec=$(( 16#"${o1:1:1}" ))
# Loop through the four least significant bits of
# the first octet of the MAC address by shifting
# one bit to right and checking if the bit is set
# or not on each cycle starting from the least
# significant bit and moving towards the most
# significant bit. This will convert the second
# hex character of the MAC address reading from
# left to binary.
for (( n="$o1_dec"; n>0; n >>= 1 )); do
o1_bits="$(( n & 1 ))$o1_bits"
done
# Prepend leading zeros if needed.
o1_bits=$(printf "%04d" "$o1_bits")
# Flip the second-least-significant bit of the
# first octet of the MAC address and convert
# four bits back to hex digit.
flipped_bit=$(tr 01 10 <<< "${o1_bits:2:1}")
o1_bits="${o1_bits:0:2}$flipped_bit${o1_bits:3:1}"
o1_bits=$(printf "%x" $((2#"$o1_bits")))
# Finally, rebuild the first octet of the MAC address.
o1="${o1:0:1}$o1_bits"
# Build the hextets for the IPv6 link local address.
if [[ $o1 == 00 ]] && [[ $o2 == 00 ]]; then
h5=""
else
# Strip possible leading zeros.
h5="$(printf "%x:" "0x$o1$o2")"
fi
if [[ $o3 == 00 ]]; then
h6="ff:"
else
h6="$(printf "%xff:" "0x$o3")"
fi
h7="fe$o4:"
h8="$(printf "%x" "0x$o5$o6")"
printf "fe80::%s%s%s%s\n" "$h5" "$h6" "$h7" "$h8"
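Review bot: The hex-to-binary string juggling from `o1_dec=$(( 16#"${o1:1:1}" ))` down to `o1="${o1:0:1}$o1_bits"` exists only to flip the universal/local bit of the first octet, which bash arithmetic does in one step: `printf -v o1 '%02x' "$(( 16#$o1 ^ 0x02 ))"`. That removes the `for` loop, the `tr` subprocess and the `printf "%04d"` padding, and the comment block above it can shrink to `# Flip the U/L bit (bit 1) of the first octet (RFC 4291 modified EUI-64).` The mcast_converter script in this commit repeats the same bit-string loop pattern, where `$(( ${BASH_REMATCH[2]} & 0x7f ))` replaces its first loop outright. The regex accepts only lowercase hex, which matches the documented `ip link` format; if hand-typed input is expected, matching `${1,,}` instead of `$1` would accept uppercase as well.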


@@ -0,0 +1,75 @@
#!/usr/bin/env bash
# Title : mcast_converter
# Last modified date : 12.04.2023
# Author : Martin Tonusoo
# Description : Script converts IPv4 multicast address to
# multicast MAC address or multicast MAC
# address to IPv4 multicast addresses depending
# on the input.
# Options : IPv4 multicast address or multicast MAC address.
# Notes :
# 224.0.0.0 - 239.255.255.255
read -r mip_regex << EOF
^2(2[4-9]|3[0-9])\.\
(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)\.\
(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)\.\
(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)$
EOF
# 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff
read -r mac_regex << EOF
^01:00:5e:\
([0-7][0-9a-f]):\
([0-9a-f]{2}):\
([0-9a-f]{2})$
EOF
if [[ "$1" =~ $mip_regex ]]; then
for (( n="${BASH_REMATCH[2]}"; n>0; n >>= 1 )); do
o2_bits="$(( n & 1 ))$o2_bits"
done
printf -v o2_bits "%08d" "$o2_bits"
o2_bits="0${o2_bits:1}"
printf "%s:%02x:%02x:%02x\n" \
"01:00:5e" \
"$(( 2#$o2_bits ))" \
"${BASH_REMATCH[3]}" \
"${BASH_REMATCH[4]}"
elif [[ "$1" =~ $mac_regex ]]; then
o4_dec=$(( 16#"${BASH_REMATCH[1]}" ))
for (( n="$o4_dec"; n>0; n >>= 1 )); do
o4_bits="$(( n & 1 ))$o4_bits"
done
printf -v o4_bits "%08d" "$o4_bits"
o4_bits="${o4_bits:1}"
for bits in {0..1}{0..1}{0..1}{0..1}{0..1}; do
printf "%d.%d.%d.%d\n" \
$(( 2#"1110${bits:0:4}" )) \
$(( 2#"${bits:4:1}$o4_bits" )) \
$(( 16#"${BASH_REMATCH[2]}" )) \
$(( 16#"${BASH_REMATCH[3]}" ))
done
else
printf "%s\n%s\n" \
"Invalid multicast MAC or IPv4 address" \
"Examples: '${0##*/} 01:00:5e:00:99:0a' or '${0##*/} 239.1.2.100'" >&2
exit 1
fi
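Review bot: The MAC-to-IPv4 branch prints 32 addresses with no explanation of why, and the header's `Notes :` field is empty, so a reader unfamiliar with RFC 1112 will take the `{0..1}{0..1}{0..1}{0..1}{0..1}` loop for a bug. Add before the loop `# The multicast MAC carries only the low 23 bits of the IPv4 address; the 5 unencoded bits (low 4 of octet 1, high bit of octet 2) give 32 candidate addresses.` and a one-line version of the same in the `Notes :` header. It is also worth stating that the brace expansion enumerates the combinations in ascending order, so the output is sorted, since a caller may come to rely on that.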


@@ -0,0 +1,37 @@
# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 12:43:45 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 12:43:45 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 12:43:45 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 12:43:45 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 12:43:45 2023


@@ -0,0 +1,62 @@
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o wan0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o wwan0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -m comment --comment "traceroute in UDP mode" -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 224.0.0.0/4 -i wan0.4 -p igmp -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j SSH
-A INPUT -i br0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 224.0.0.2/32 -i br0 -p igmp -j ACCEPT
-A FORWARD -i br0 -o wan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wwan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wwan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wan0.4 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m comment --comment "IPTV - unicast" -j ACCEPT
-A FORWARD -i wan0.4 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "IPTV - unicast" -j ACCEPT
-A FORWARD -d 224.0.0.0/4 -i wan0.4 -o br0 -m comment --comment "IPTV - multicast" -j ACCEPT
-A SSH -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH bruteforce: "
-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A SSH -j ACCEPT
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 30 23:00:39 2023
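Review bot: The IPv4 echo-request rule `-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT` accepts unlimited pings on every interface, whereas the IPv6 rule set in this commit limits type 128 to `-m limit --limit 10/sec` and drops the excess; the two policies should agree, e.g. `-A INPUT -p icmp -m icmp --icmp-type 8/0 -m limit --limit 10/sec -j ACCEPT` followed by `-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP`. The `-A SSH ... -j LOG --log-prefix "SSH bruteforce: "` rule has no `-m limit`, so once the hitcount trips every further SYN in the 30-second window writes a kernel log line; adding `-m limit --limit 5/min` to that LOG rule, here and in the IPv6 SSH chain, keeps the journal readable during a burst. The `--mask 255.255.255.255` on the recent rules is the default for IPv4 and can be dropped for brevity, though it does no harm.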


@@ -0,0 +1,37 @@
# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 14:40:57 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 14:40:57 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 14:40:57 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 14:40:57 2023
# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 28 14:40:57 2023


@@ -0,0 +1,59 @@
# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 10/sec -m comment --comment "Echo Request" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "Echo Request" -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -m comment --comment "Neighbor Solicitation" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -m comment --comment "Neighbor Advertisement" -j ACCEPT
-A INPUT -i wan0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -m comment --comment "Router Advertisement" -j ACCEPT
-A INPUT -i wan0 -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -m comment --comment "Redirect" -j ACCEPT
-A INPUT -i wan0 -p udp -m udp --sport 547 --dport 546 -d fe80::/64 -m comment --comment "DHCPv6 server/relayagent -> DHCPv6 client" -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -m comment --comment "traceroute in UDP mode" -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m comment --comment "new SSH connections from LAN" -j SSH
-A INPUT -i br0 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -m comment --comment "Router Solicitation" -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i br0 -o wan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A SSH -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource
-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j LOG --log-prefix "SSH bruteforce: "
-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A SSH -j ACCEPT
COMMIT
# Completed on Fri Mar 31 17:02:25 2023
# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Mar 31 17:02:25 2023
# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Mar 31 17:02:25 2023
# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Mar 31 17:02:25 2023
# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Mar 31 17:02:25 2023
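Review bot: `-A INPUT -i wan0 -p ipv6-icmp -m icmp6 --icmpv6-type 137 ... --comment "Redirect" -j ACCEPT` admits ICMPv6 Redirects from the upstream, but on a host with IPv6 forwarding enabled Linux ignores redirects by default unless `accept_redirects` is explicitly set, so the rule is either dead or quietly depends on a sysctl that is not part of this commit. Either drop the rule or record the dependency in its comment, e.g. `--comment "Redirect (only honoured if net.ipv6.conf.wan0.accept_redirects=1)"`. ICMPv6 error types 1-4, including Packet Too Big, are not accepted explicitly and rely on conntrack classing them RELATED, which holds for tracked flows; a one-line comment on the `--ctstate RELATED,ESTABLISHED` rule saying so would save the next reader the check.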

114
conf/usr/local/sbin/isp-switch Executable file

@@ -0,0 +1,114 @@
#!/usr/bin/env bash
# Title : isp-switch
# Last modified date : 30.05.2023
# Author : Martin Tonusoo
# Description : Script pings anycast DNS servers IPv4 addresses
# using a primary connection(wan0; Telia fiber) and
# if none of those replies, then switches v4 default
# route to backup connection(wwan0; Telia mobile
# broadband). Once the primary connection restores,
# the v4 default route is switched back to primary
# connection.
# Options :
# Notes : "ignore_routes_with_linkdown" settings in
# /etc/sysctl.conf ensure that the route is
# instantly ignored if its link is down.
ping_check() {
ping_success=0
for ip in 1.1.1.1 8.8.8.8 9.9.9.9; do
# Even if one ping out of four succeeds, then
# the exit code is 0.
ping -I "$1" -W 1 -c 4 -q "$ip" &>/dev/null
ping_success=$(( ping_success + $? ))
done
if (( ping_success >= 3 )); then
# All 12 pings failed.
return 1
else
return 0
fi
}
read -r ip_regex << EOF
^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)\.){3}\
(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)$
EOF
while true; do
sleep 1
read -r _ _ wan0_gw _ wan0_metric _ <<-EOF
$(ip -4 -o route show default dev wan0 2>/dev/null | grep -v " linkdown")
EOF
read -r _ _ wwan0_gw _ wwan0_metric _ <<-EOF
$(ip -4 -o route show default dev wwan0 2>/dev/null | grep -v " linkdown")
EOF
# There is no point to proceed if both or one of the default
# routes is missing. In addition, sanity check the next hop
# address.
if ! { [[ "$wan0_gw" =~ $ip_regex ]] || [[ "$wwan0_gw" =~ $ip_regex ]]; }; then
echo "No default route found."
continue
elif ! [[ "$wan0_gw" =~ $ip_regex ]]; then
echo "Primary default route via wan0 is missing."
continue
elif ! [[ "$wwan0_gw" =~ $ip_regex ]]; then
echo "Failover default route via wwan0 is missing."
continue
fi
# Default IPv4 route metric is 0.
if (( ${wan0_metric:-0} < ${wwan0_metric:-0} )); then
if ! ping_check wan0; then
# Ping check on primary connection failed.
echo "Switching to backup via $wwan0_gw dev wwan0"
ip -4 route flush default
ip -4 route add default via "$wwan0_gw" dev wwan0 metric 100
ip -4 route add default via "$wan0_gw" dev wan0 metric 200
fi
else
# Backup connection is in use. Check if it is possible
# to switch back to primary connection.
ip -4 route add default via "$wan0_gw" table 100
# Specifying the "priority" ensures that there are
# no duplicate rules created.
ip rule add oif wan0 lookup 100 priority 100
if ping_check wan0; then
# Ping check on primary connection succeeded.
echo "Switching to primary via $wan0_gw dev wan0"
ip -4 route flush default
ip -4 route add default via "$wan0_gw" dev wan0 metric 100
ip -4 route add default via "$wwan0_gw" dev wwan0 metric 200
fi
ip -4 route flush table 100
ip rule delete oif wan0 lookup 100 priority 100
fi
done
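Review bot: `ping_success=$(( ping_success + $? ))` in ping_check adds raw exit statuses, and `ping` returns 2 for errors other than a missing reply (for instance when the interface has no usable address), so two such errors plus one target that answered sum to 4, which `(( ping_success >= 3 ))` reports as "All 12 pings failed". Count failures instead: `ping -I "$1" -W 1 -c 4 -q "$ip" &>/dev/null || ping_success=$(( ping_success + 1 ))`, after which the `>= 3` test literally means every target failed. The positional `read -r _ _ wan0_gw _ wan0_metric _` assumes the fourth token of the `ip -4 -o route show default dev wan0` line is `metric`; if iproute2 emits `proto` or `src` before it, `wan0_metric` silently becomes a word and the `${wan0_metric:-0}` comparison misbehaves, so pulling it out with `[[ $line =~ metric\ ([0-9]+) ]]` would be safer — worth confirming against the actual output on the CPE. The `ping_success` variable counts failures, so renaming it `ping_failures` would stop the `>= 3` test reading backwards.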


@@ -0,0 +1,43 @@
#!/usr/bin/env bash
# Title : rm-expired-prefixes
# Last modified date : 16.03.2023
# Author : Martin Tonusoo
# Description : Script removes expired "prefix" statements from
# /etc/radvd.conf file based on the expiration
# field(ISO 8601 timestamp) at the end of "prefix"
# line. The expiration field is added to the "prefix"
# statements by dhclient exit hook.
# Options :
# Notes :
radvd_conf="/etc/radvd.conf"
new_radvd_conf="${radvd_conf}.rm-expired-prefixes.$$"
while IFS= read -r line; do
case "$line" in
" prefix "*)
# Add the "prefix" statement if its timestamp
# is in the future.
if [[ "${line##* }" > $(date --iso-8601="seconds") ]]; then
echo "$line"
else
prefix="${line%% \{*}"
logger -t "rm-expired-prefixes" -p daemon.info \
"INFO: Removed expired ${prefix# } from $radvd_conf"
fi
;;
*)
echo "$line"
;;
esac
done < "$radvd_conf" >> "$new_radvd_conf"
chown --reference="$radvd_conf" "$new_radvd_conf"
chmod --reference="$radvd_conf" "$new_radvd_conf"
mv -f "$new_radvd_conf" "$radvd_conf"
systemctl is-active --quiet radvd.service && systemctl reload radvd.service
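Review bot: `done < "$radvd_conf" >> "$new_radvd_conf"` appends, so if a scratch file with the same `$$` suffix is already present (PID reuse after an interrupted run) its stale content ends up ahead of the fresh config and is then moved into place by `mv -f`; use `>` there, or better create the file with `new_radvd_conf=$(mktemp -- "${radvd_conf}.XXXXXX")` and `trap 'rm -f -- "$new_radvd_conf"' EXIT`. There is no `set -e`, so a failing `chown`/`chmod --reference` still falls through to `mv -f` and can leave /etc/radvd.conf with the wrong owner or mode; `set -euo pipefail` at the top, or `|| exit 1` on each of the three commands, prevents that. The `[[ "${line##* }" > $(date --iso-8601="seconds") ]]` comparison is lexical, which is only correct while both timestamps share the same offset and field widths — presumably the dhclient hook writes them with the same `date` invocation, but that should be confirmed and stated in the `Notes :` header.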