mirror of
https://github.com/tonusoo/koduinternet-cpe
synced 2024-11-14 07:11:00 +02:00
182 lines
7.2 KiB
Plaintext
182 lines
7.2 KiB
Plaintext
# This file describes the network interfaces available on your system
|
|
# and how to activate them. For more information, see interfaces(5).
|
|
|
|
|
|
# The loopback network interface
|
|
auto lo
|
|
iface lo inet loopback
|
|
|
|
|
|
# -> LAN
|
|
auto br0
|
|
iface br0 inet static
|
|
address 192.168.0.1/24
|
|
|
|
# Use the br0 for loading the iptables rules.
|
|
# This ensures that the firewall rules are added
|
|
# before any of the physical interfaces are brought
|
|
# up and the rules are removed after all the physical
|
|
# interfaces are brought down.
|
|
# Man page of ifup(8) claims that the "ifdown -a" brings
|
|
# the interfaces down in the order in which they are
|
|
# currently listed in the state file(/run/network/ifstate),
|
|
# but this seems to be a bug:
|
|
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033651
|
|
#
|
|
# Worthwhile notes about iptables rules:
|
|
#
|
|
# * dhclient in DHCPv4 mode uses raw sockets(fallback UDP
|
|
# socket for sending unicast packets is also opened) and
|
|
# thus no firewall rule is needed
|
|
#
|
|
# * important ICMP messages like "frag needed" or
|
|
# "TTL exceeded" are accepted thanks to conntrack
|
|
# "RELATED" state match
|
|
#
|
|
# * certain ICMP messages sent by the router including
|
|
# "Echo Reply" or "Destination Unreachable" are rate
|
|
# limited by adjusting the kernel parameters in
|
|
# /etc/sysctl.conf
|
|
#
|
|
# * recent(used in SSH chain) module internals are seen
|
|
# in the /proc/net/xt_recent/SSH file
|
|
#
|
|
# * while igmpproxy is using raw sockets on the downstream
|
|
# interface, then in regard to upstream interface the
|
|
# igmpproxy simply acts as a normal multicast client(calls
|
|
# setsockopt() with IP_ADD_MEMBERSHIP) and thus there is a
|
|
# need to accept IGMP membership query messages sent by ISP.
|
|
# This also means that the IPTV UDP datagrams are sent
|
|
# towards the router application layer and dropped in the
|
|
# filter table INPUT chain.
|
|
#
|
|
# * IGMP messages can not be tracked by the conntrack module.
|
|
# At least without an helper module. IGMP messages are sent
|
|
# to IPv4 multicast address and thus the conntrack module
|
|
# expects a reply sourced from a multicast address in order
|
|
# to move from UNREPLIED state to ESTABLISHED state. However,
|
|
# the multicast address is never used as a src IP.
|
|
#
|
|
# * igmpproxy subscribes to 224.0.0.2(IGMP "Leave group" messages)
|
|
# on a downstream interface and packets sent to this address
|
|
# are subject to INPUT chain rules. That's the reason for
|
|
# "-A INPUT -d 224.0.0.2/32 -i br0 -p igmp -j ACCEPT" rule. Details
|
|
# are in https://marc.info/?l=netfilter&m=168393431101974&w=2
|
|
#
|
|
pre-up iptables-restore /usr/local/etc/IPv4_fw_rules
|
|
|
|
# Consider stray TCP packets with ACK flag set as
|
|
# INVALID. By default, such packets would create
|
|
# a NEW connection.
|
|
# "nf_conntrack_tcp_loose" is configured here instead
|
|
# of /etc/sysctl.conf because the nf_conntrack module
|
|
# is not yet loaded at the time the systemd-sysctl
|
|
# service is run.
|
|
pre-up sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
|
|
|
|
# Set the MAC address manually. This ensures that the MAC address
|
|
# of br0 will not change when bridge ports are added or removed.
|
|
# This will avoid problems like hostapd adding the WNIC to bridge,
|
|
# causing the bridge MAC address change and thus breaking the
|
|
# dnsmasq if br0 flaps as the dnsmasq is bound to IPv6 link-local
|
|
# address derived from the old MAC address of the br0 bridge.
|
|
post-up ip link set dev $IFACE address 02:a7:29:a6:ec:61
|
|
|
|
post-down iptables-restore /usr/local/etc/IPv4_default_fw_rules
|
|
|
|
# "bridge_ports" requires "bridge-utils" package.
|
|
bridge_ports lan0 lan1 lan2 lan3
|
|
|
|
iface br0 inet6 manual
|
|
# Worthwhile notes about ip6tables rules:
|
|
#
|
|
# * dhclient in DHCPv6 mode is able to use ordinary UDP sockets
|
|
# thanks to link-local addresses and does not need to use
|
|
# raw sockets. This means that a firewall rule for DHCPv6
|
|
# traffic is needed.
|
|
#
|
|
# * ICMP6 "echo request" messages are rate limited by the
|
|
# limit module. Newer kernel versions have the net.ipv6.icmp.ratemask
|
|
# which would allow to rate limit the replies to "echo request"
|
|
# messages by adjusting the net.ipv6.icmp.ratelimit.
|
|
# ICMP6 "destination unreachable" messages are rate limited
|
|
# according to net.ipv6.icmp.ratelimit.
|
|
#
|
|
# * important ICMP6 messages like "packet too big" or
|
|
# "time exceeded" or "destination unreachable" are
|
|
# accepted thanks to conntrack "RELATED" state match
|
|
#
|
|
# * RA messages sent by radvd to ff02::1 multicast addr
|
|
# via LAN-facing interface are looped back by the IP
|
|
# layer for local delivery. This is a default behavior
|
|
# and can be controlled by IPV6_MULTICAST_LOOP(man 7 ipv6).
|
|
# Those messages are dropped.
|
|
#
|
|
pre-up ip6tables-restore /usr/local/etc/IPv6_fw_rules
|
|
post-down ip6tables-restore /usr/local/etc/IPv6_default_fw_rules
|
|
|
|
|
|
# -> Telia fiber
|
|
auto wan0
|
|
iface wan0 inet dhcp
|
|
# Telia uses DHCPv6 prefix delegation to assign
|
|
# a /56 IPv6 prefix. Default route is installed
|
|
# thanks to NDP Router Advertisement messages
|
|
# and it points to VRRPv3 link-local address.
|
|
iface wan0 inet6 auto
|
|
|
|
# Stateless DHCPv6. dhclient will be started
|
|
# with "-P"(enable IPv6 prefix delegation) and
|
|
# without "-N"(normal address query for IPv6),
|
|
# i.e IPv6 address is not requested from DHCPv6
|
|
# server.
|
|
dhcp 1
|
|
request_prefix 1
|
|
|
|
# Enabling packet forwarding for IPv6(net.ipv6.conf.all.forwarding=1)
|
|
# in /etc/sysctl.conf sets the "net.ipv6.conf.<int>.forwarding" values
|
|
# to 1 which means that Router Solicitation messages are no longer sent
|
|
# and Router Advertisements messages are no longer accepted on those
|
|
# interfaces. "net.ipv6.conf.<int>.forwarding" value has nothing
|
|
# to do with controlling the per-interface forwarding like it does
|
|
# in case of IPv4. The "accept_ra 2"(net.ipv6.conf.wan0.accept_ra=2)
|
|
# means that Router Solicitations are sent and Router Advertisements
|
|
# are accepted despite the fact that "net.ipv6.conf.<int>.forwarding" is 1.
|
|
# Documentation: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
|
|
accept_ra 2
|
|
|
|
# Mgnt network for Huawei MA5671A SFP ONT.
|
|
# SSH server is reachable at 192.168.1.10.
|
|
# User: root
|
|
# Password: admin123
|
|
#
|
|
# Keeping the manually configured IPv4 addr
|
|
# on the same interface where the dhclient
|
|
# is running works thanks to "get-static-ipv4-addrs"
|
|
# and "restore-static-ipv4-addrs" dhclient-script
|
|
# enter and exit hooks. An alternative approach
|
|
# would be to use a macvlan interface and for
|
|
# example keep the static address there while
|
|
# dhclient runs on the physical interface.
|
|
iface wan0 inet static
|
|
address 192.168.1.200/24
|
|
|
|
|
|
# -> Telia IPTV
|
|
auto wan0.4
|
|
# IPv6 for wan0.4 is disabled in /etc/sysctl.conf with net.ipv6.conf.wan0/4.disable_ipv6=1
|
|
iface wan0.4 inet dhcp
|
|
|
|
|
|
# -> Telia mobile broadband
|
|
auto wwan0
|
|
# wwan0 is a Telia-branded Huawei E3372s-153(hardware version CL1E3372SM Ver.A)
|
|
# LTE modem with 22.x firmware working in Hilink mode having its own DHCP server
|
|
# providing addresses from 192.168.8.0/24 network, web interface, performing NAT,
|
|
# etc. For the OS it appears as an Ethernet device.
|
|
# SIM is from Telia. Huawei E3372s-153 in Hilink mode does not support IPv6, nor
|
|
# is IPv6 supported by Telia for the mobile broadband service.
|
|
iface wwan0 inet static
|
|
address 192.168.8.200/24
|
|
post-up ip route add default via 192.168.8.1 metric 100
|