Add script

author: jdlugosz963 <jdlugosz963@gmail.com> 2023-01-18 17:16:08 +0100
committer: jdlugosz963 <jdlugosz963@gmail.com> 2023-01-18 17:16:08 +0100
commit: fb50f83733a5710aae319d1b7589a346390dda6e (patch)
tree: af4625d9aeceb5a3e6b7a9a631a19377cddd4ce8 /data/configi
parent: 7edb631dd94ab68bdf5bc73874ad980988bb3ad6 (diff)
download: sonda-fb50f83733a5710aae319d1b7589a346390dda6e.tar.gz
sonda-fb50f83733a5710aae319d1b7589a346390dda6e.zip
4 files changed, 241 insertions, 0 deletions
diff --git a/data/configi/firewall b/data/configi/firewall
new file mode 100644
index 0000000..7f6cbc3
--- /dev/null
+++ b/data/configi/firewall
@@ -0,0 +1,177 @@
+config defaults
+        option syn_flood        1
+        option input            ACCEPT
+        option output           ACCEPT
+        option forward          REJECT
+# Uncomment this line to disable ipv6 rules
+        option disable_ipv6     1
+config zone
+        option name             lan
+        option network          'lan'
+        option input            ACCEPT
+        option output           ACCEPT
+        option forward          REJECT
+config zone
+        option name             wan
+        option network          'wan'
+        option input            REJECT
+        option output           ACCEPT
+        option forward          REJECT
+        option masq             1
+        option mtu_fix          1
+config forwarding
+        option src              lan
+        option dest             wan
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+        option name             Allow-DHCP-Renew
+        option src              wan
+        option proto            udp
+        option dest_port        68
+        option target           ACCEPT
+        option family           ipv4
+# Allow IPv4 ping
+config rule
+        option name             Allow-Ping
+        option src              wan
+        option proto            icmp
+        option icmp_type        echo-request
+        option family           ipv4
+        option target           ACCEPT
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+        option name             Allow-DHCPv6
+        option src              wan
+        option proto            udp
+        option src_ip           fe80::/10
+        option src_port         547
+        option dest_ip          fe80::/10
+        option dest_port        546
+        option family           ipv6
+        option target           ACCEPT
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+        option name             Allow-ICMPv6-Input
+        option src              wan
+        option proto    icmp
+        list icmp_type          echo-request
+        list icmp_type          echo-reply
+        list icmp_type          destination-unreachable
+        list icmp_type          packet-too-big
+        list icmp_type          time-exceeded
+        list icmp_type          bad-header
+        list icmp_type          unknown-header-type
+        list icmp_type          router-solicitation
+        list icmp_type          neighbour-solicitation
+        list icmp_type          router-advertisement
+        list icmp_type          neighbour-advertisement
+        option limit            1000/sec
+        option family           ipv6
+        option target           ACCEPT
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+        option name             Allow-ICMPv6-Forward
+        option src              wan
+        option dest             *
+        option proto            icmp
+        list icmp_type          echo-request
+        list icmp_type          echo-reply
+        list icmp_type          destination-unreachable
+        list icmp_type          packet-too-big
+        list icmp_type          time-exceeded
+        list icmp_type          bad-header
+        list icmp_type          unknown-header-type
+        option limit            1000/sec
+        option family           ipv6
+        option target           ACCEPT
+# include a file with users custom iptables rules
+config include
+        option path /etc/firewall.user
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#       option src              lan
+#       option src_ip   192.168.45.2
+#       option dest             wan
+#       option proto    tcp
+#       option target   REJECT
+# block a specific mac on wan
+#config rule
+#       option dest             wan
+#       option src_mac  00:11:22:33:44:66
+#       option target   REJECT
+# block incoming ICMP traffic on a zone
+#config rule
+#       option src              lan
+#       option proto    ICMP
+#       option target   DROP
+# port redirect port coming in on wan to lan
+#config redirect
+#       option src                      wan
+#       option src_dport        80
+#       option dest                     lan
+#       option dest_ip          192.168.16.235
+#       option dest_port        80
+#       option proto            tcp
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#       option src              wan
+#       option src_dport        22001
+#       option dest             lan
+#       option dest_port        22
+#       option proto            tcp
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#       option src              wan
+#       option dest             lan
+#       option protocol         esp
+#       option target           ACCEPT
+#config rule
+#       option src              wan
+#       option dest             lan
+#       option src_port         500
+#       option dest_port        500
+#       option proto            udp
+#       option target           ACCEPT
+### FULL CONFIG SECTIONS
+#config rule
+#       option src              lan
+#       option src_ip   192.168.45.2
+#       option src_mac  00:11:22:33:44:55
+#       option src_port 80
+#       option dest             wan
+#       option dest_ip  194.25.2.129
+#       option dest_port        120
+#       option proto    tcp
+#       option target   REJECT
+#config redirect
+#       option src              lan
+#       option src_ip   192.168.45.2
+#       option src_mac  00:11:22:33:44:55
+#       option src_port         1024
+#       option src_dport        80
+#       option dest_ip  194.25.2.129
+#       option dest_port        120
+#       option proto    tcp
diff --git a/data/configi/rc.local b/data/configi/rc.local
new file mode 100644
index 0000000..ab7262b
--- /dev/null
+++ b/data/configi/rc.local
@@ -0,0 +1,4 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+iperf -s -u -B 239.239.2.149 -i 10 -y c | logger -t iperf_sonda 
+exit 0
diff --git a/data/configi/syslog-ng.conf b/data/configi/syslog-ng.conf
new file mode 100644
index 0000000..b046d1f
--- /dev/null
+++ b/data/configi/syslog-ng.conf
@@ -0,0 +1,16 @@
+options {
+        chain_hostnames(off);
+        sync(0);
+        # The default action of syslog-ng 1.6.0 is to log a STAT
+        # to the file every 10 minutes.  That's pretty ugly afte
+        # Change it to every 12 hours so you get a nice daily up
+        # how many messages syslog-ng missed (0).
+        stats(43200);
+};
+source src { unix-stream("/dev/log"); internal(); };
+# destination messages { file("/var/log/messages"); };
+destination messages { udp("10.200.200.70"); };
+log { source(src); destination(messages); };
diff --git a/data/configi/system b/data/configi/system
new file mode 100644
index 0000000..b50b517
--- /dev/null
+++ b/data/configi/system
@@ -0,0 +1,44 @@
+config system
+        option hostname 'iperf_sonda'
+        option 'zonename' 'Europe/Warsaw'
+        option 'timezone' 'CET-1CEST,M3.5.0,M10.5.0/3'
+config timeserver 'ntp'
+        list 'server' '10.200.200.26'
+config led 'led_wan'
+        option name 'WAN'
+        option sysfs 'tp-link:green:wan'
+        option trigger 'netdev'
+        option dev 'eth1'
+        option mode 'link tx rx'
+config led 'led_lan1'
+        option name 'LAN1'
+        option sysfs 'tp-link:green:lan1'
+        option trigger 'switch0'
+        option port_mask '0x04'
+config led 'led_lan2'
+        option name 'LAN2'
+        option sysfs 'tp-link:green:lan2'
+        option trigger 'switch0'
+        option port_mask '0x08'
+config led 'led_lan3'
+        option name 'LAN3'
+        option sysfs 'tp-link:green:lan3'
+        option trigger 'switch0'
+        option port_mask '0x10'
+config led 'led_lan4'
+        option name 'LAN4'
+        option sysfs 'tp-link:green:lan4'
+        option trigger 'switch0'
+        option port_mask '0x02'
+config led 'led_wlan'
+        option name 'WLAN'
+        option sysfs 'tp-link:green:wlan'
+        option trigger 'phy0tpt'
author	jdlugosz963 <jdlugosz963@gmail.com>	2023-01-18 17:16:08 +0100
committer	jdlugosz963 <jdlugosz963@gmail.com>	2023-01-18 17:16:08 +0100
commit	fb50f83733a5710aae319d1b7589a346390dda6e (patch)
tree	af4625d9aeceb5a3e6b7a9a631a19377cddd4ce8 /data/configi
parent	7edb631dd94ab68bdf5bc73874ad980988bb3ad6 (diff)
download	sonda-fb50f83733a5710aae319d1b7589a346390dda6e.tar.gz sonda-fb50f83733a5710aae319d1b7589a346390dda6e.zip

diff --git a/data/configi/firewall b/data/configi/firewall new file mode 100644 index 0000000..7f6cbc3 --- /dev/null +++ b/data/configi/firewall
@@ -0,0 +1,177 @@
	1	config defaults
	2	option syn_flood 1
	3	option input ACCEPT
	4	option output ACCEPT
	5	option forward REJECT
	6	# Uncomment this line to disable ipv6 rules
	7	option disable_ipv6 1
	8
	9	config zone
	10	option name lan
	11	option network 'lan'
	12	option input ACCEPT
	13	option output ACCEPT
	14	option forward REJECT
	15
	16	config zone
	17	option name wan
	18	option network 'wan'
	19	option input REJECT
	20	option output ACCEPT
	21	option forward REJECT
	22	option masq 1
	23	option mtu_fix 1
	24
	25	config forwarding
	26	option src lan
	27	option dest wan
	28
	29	# We need to accept udp packets on port 68,
	30	# see https://dev.openwrt.org/ticket/4108
	31	config rule
	32	option name Allow-DHCP-Renew
	33	option src wan
	34	option proto udp
	35	option dest_port 68
	36	option target ACCEPT
	37	option family ipv4
	38
	39	# Allow IPv4 ping
	40	config rule
	41	option name Allow-Ping
	42	option src wan
	43	option proto icmp
	44	option icmp_type echo-request
	45	option family ipv4
	46	option target ACCEPT
	47
	48	# Allow DHCPv6 replies
	49	# see https://dev.openwrt.org/ticket/10381
	50	config rule
	51	option name Allow-DHCPv6
	52	option src wan
	53	option proto udp
	54	option src_ip fe80::/10
	55	option src_port 547
	56	option dest_ip fe80::/10
	57	option dest_port 546
	58	option family ipv6
	59	option target ACCEPT
	60
	61	# Allow essential incoming IPv6 ICMP traffic
	62	config rule
	63	option name Allow-ICMPv6-Input
	64	option src wan
	65	option proto icmp
	66	list icmp_type echo-request
	67	list icmp_type echo-reply
	68	list icmp_type destination-unreachable
	69	list icmp_type packet-too-big
	70	list icmp_type time-exceeded
	71	list icmp_type bad-header
	72	list icmp_type unknown-header-type
	73	list icmp_type router-solicitation
	74	list icmp_type neighbour-solicitation
	75	list icmp_type router-advertisement
	76	list icmp_type neighbour-advertisement
	77	option limit 1000/sec
	78	option family ipv6
	79	option target ACCEPT
	80
	81	# Allow essential forwarded IPv6 ICMP traffic
	82	config rule
	83	option name Allow-ICMPv6-Forward
	84	option src wan
	85	option dest *
	86	option proto icmp
	87	list icmp_type echo-request
	88	list icmp_type echo-reply
	89	list icmp_type destination-unreachable
	90	list icmp_type packet-too-big
	91	list icmp_type time-exceeded
	92	list icmp_type bad-header
	93	list icmp_type unknown-header-type
	94	option limit 1000/sec
	95	option family ipv6
	96	option target ACCEPT
	97
	98	# include a file with users custom iptables rules
	99	config include
	100	option path /etc/firewall.user
	101
	102
	103	### EXAMPLE CONFIG SECTIONS
	104	# do not allow a specific ip to access wan
	105	#config rule
	106	# option src lan
	107	# option src_ip 192.168.45.2
	108	# option dest wan
	109	# option proto tcp
	110	# option target REJECT
	111
	112	# block a specific mac on wan
	113	#config rule
	114	# option dest wan
	115	# option src_mac 00:11:22:33:44:66
	116	# option target REJECT
	117
	118	# block incoming ICMP traffic on a zone
	119	#config rule
	120	# option src lan
	121	# option proto ICMP
	122	# option target DROP
	123
	124	# port redirect port coming in on wan to lan
	125	#config redirect
	126	# option src wan
	127	# option src_dport 80
	128	# option dest lan
	129	# option dest_ip 192.168.16.235
	130	# option dest_port 80
	131	# option proto tcp
	132
	133	# port redirect of remapped ssh port (22001) on wan
	134	#config redirect
	135	# option src wan
	136	# option src_dport 22001
	137	# option dest lan
	138	# option dest_port 22
	139	# option proto tcp
	140
	141	# allow IPsec/ESP and ISAKMP passthrough
	142	#config rule
	143	# option src wan
	144	# option dest lan
	145	# option protocol esp
	146	# option target ACCEPT
	147
	148	#config rule
	149	# option src wan
	150	# option dest lan
	151	# option src_port 500
	152	# option dest_port 500
	153	# option proto udp
	154	# option target ACCEPT
	155
	156	### FULL CONFIG SECTIONS
	157	#config rule
	158	# option src lan
	159	# option src_ip 192.168.45.2
	160	# option src_mac 00:11:22:33:44:55
	161	# option src_port 80
	162	# option dest wan
	163	# option dest_ip 194.25.2.129
	164	# option dest_port 120
	165	# option proto tcp
	166	# option target REJECT
	167
	168	#config redirect
	169	# option src lan
	170	# option src_ip 192.168.45.2
	171	# option src_mac 00:11:22:33:44:55
	172	# option src_port 1024
	173	# option src_dport 80
	174	# option dest_ip 194.25.2.129
	175	# option dest_port 120
	176	# option proto tcp
	177


diff --git a/data/configi/rc.local b/data/configi/rc.local new file mode 100644 index 0000000..ab7262b --- /dev/null +++ b/data/configi/rc.local
@@ -0,0 +1,4 @@
	1	# Put your custom commands here that should be executed once
	2	# the system init finished. By default this file does nothing.
	3	iperf -s -u -B 239.239.2.149 -i 10 -y c \| logger -t iperf_sonda
	4	exit 0


diff --git a/data/configi/syslog-ng.conf b/data/configi/syslog-ng.conf new file mode 100644 index 0000000..b046d1f --- /dev/null +++ b/data/configi/syslog-ng.conf
@@ -0,0 +1,16 @@
	1	options {
	2	chain_hostnames(off);
	3	sync(0);
	4
	5	# The default action of syslog-ng 1.6.0 is to log a STAT
	6	# to the file every 10 minutes. That's pretty ugly afte
	7	# Change it to every 12 hours so you get a nice daily up
	8	# how many messages syslog-ng missed (0).
	9	stats(43200);
	10	};
	11
	12	source src { unix-stream("/dev/log"); internal(); };
	13
	14	# destination messages { file("/var/log/messages"); };
	15	destination messages { udp("10.200.200.70"); };
	16	log { source(src); destination(messages); };


diff --git a/data/configi/system b/data/configi/system new file mode 100644 index 0000000..b50b517 --- /dev/null +++ b/data/configi/system
@@ -0,0 +1,44 @@
	1
	2	config system
	3	option hostname 'iperf_sonda'
	4	option 'zonename' 'Europe/Warsaw'
	5	option 'timezone' 'CET-1CEST,M3.5.0,M10.5.0/3'
	6
	7	config timeserver 'ntp'
	8	list 'server' '10.200.200.26'
	9
	10	config led 'led_wan'
	11	option name 'WAN'
	12	option sysfs 'tp-link:green:wan'
	13	option trigger 'netdev'
	14	option dev 'eth1'
	15	option mode 'link tx rx'
	16
	17	config led 'led_lan1'
	18	option name 'LAN1'
	19	option sysfs 'tp-link:green:lan1'
	20	option trigger 'switch0'
	21	option port_mask '0x04'
	22
	23	config led 'led_lan2'
	24	option name 'LAN2'
	25	option sysfs 'tp-link:green:lan2'
	26	option trigger 'switch0'
	27	option port_mask '0x08'
	28
	29	config led 'led_lan3'
	30	option name 'LAN3'
	31	option sysfs 'tp-link:green:lan3'
	32	option trigger 'switch0'
	33	option port_mask '0x10'
	34
	35	config led 'led_lan4'
	36	option name 'LAN4'
	37	option sysfs 'tp-link:green:lan4'
	38	option trigger 'switch0'
	39	option port_mask '0x02'
	40
	41	config led 'led_wlan'
	42	option name 'WLAN'
	43	option sysfs 'tp-link:green:wlan'
	44	option trigger 'phy0tpt'