From fb50f83733a5710aae319d1b7589a346390dda6e Mon Sep 17 00:00:00 2001
From: jdlugosz963
Date: Wed, 18 Jan 2023 17:16:08 +0100
Subject: Add script

---
 data/configi/firewall | 177 +++++++++++++++++++++++
 data/configi/rc.local | 4 +
 data/configi/syslog-ng.conf | 16 ++
 data/configi/system | 44 ++++++
 data/install.sh | 17 +++
 data/iperf.sh | 1 +
 data/paczki/libol_0.3.18-2_ar71xx.ipk | Bin 0 -> 18510 bytes
 data/paczki/libpthread_0.9.33.2-1_ar71xx.ipk | Bin 0 -> 31529 bytes
 data/paczki/librt_0.9.33.2-1_ar71xx.ipk | Bin 0 -> 5482 bytes
 data/paczki/paczka_iperf_3.ipk | Bin 0 -> 24797 bytes
 data/paczki/paczka_syslog-ng_1.6.12-6_ar71xx.ipk | Bin 0 -> 53712 bytes
 data/paczki/paczka_uclibcxx_0.2.4-1_ar71xx.ipk | Bin 0 -> 64146 bytes
 openwrt_pass.txt | 1 +
 sonda.sh | 22 +++
 14 files changed, 282 insertions(+)
 create mode 100644 data/configi/firewall
 create mode 100644 data/configi/rc.local
 create mode 100644 data/configi/syslog-ng.conf
 create mode 100644 data/configi/system
 create mode 100755 data/install.sh
 create mode 100755 data/iperf.sh
 create mode 100644 data/paczki/libol_0.3.18-2_ar71xx.ipk
 create mode 100644 data/paczki/libpthread_0.9.33.2-1_ar71xx.ipk
 create mode 100644 data/paczki/librt_0.9.33.2-1_ar71xx.ipk
 create mode 100644 data/paczki/paczka_iperf_3.ipk
 create mode 100644 data/paczki/paczka_syslog-ng_1.6.12-6_ar71xx.ipk
 create mode 100644 data/paczki/paczka_uclibcxx_0.2.4-1_ar71xx.ipk
 create mode 100644 openwrt_pass.txt
 create mode 100755 sonda.sh

diff --git a/data/configi/firewall b/data/configi/firewall
new file mode 100644
index 0000000..7f6cbc3
--- /dev/null
+++ b/data/configi/firewall
@@ -0,0 +1,177 @@
+config defaults
+ option syn_flood 1
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+# Uncomment this line to disable ipv6 rules
+ option disable_ipv6 1
+
+config zone
+ option name lan
+ option network 'lan'
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+
+config zone
+ option name wan
+ option network 'wan'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+ option mtu_fix 1
+
+config forwarding
+ option src lan
+ option dest wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+ option name Allow-DHCP-Renew
+ option src wan
+ option proto udp
+ option dest_port 68
+ option target ACCEPT
+ option family ipv4
+
+# Allow IPv4 ping
+config rule
+ option name Allow-Ping
+ option src wan
+ option proto icmp
+ option icmp_type echo-request
+ option family ipv4
+ option target ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+ option name Allow-DHCPv6
+ option src wan
+ option proto udp
+ option src_ip fe80::/10
+ option src_port 547
+ option dest_ip fe80::/10
+ option dest_port 546
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Input
+ option src wan
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ list icmp_type router-solicitation
+ list icmp_type neighbour-solicitation
+ list icmp_type router-advertisement
+ list icmp_type neighbour-advertisement
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Forward
+ option src wan
+ option dest *
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+# include a file with users custom iptables rules
+config include
+ option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option dest wan
+# option proto tcp
+# option target REJECT
+
+# block a specific mac on wan
+#config rule
+# option dest wan
+# option src_mac 00:11:22:33:44:66
+# option target REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+# option src lan
+# option proto ICMP
+# option target DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+# option src wan
+# option src_dport 80
+# option dest lan
+# option dest_ip 192.168.16.235
+# option dest_port 80
+# option proto tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+# option src wan
+# option src_dport 22001
+# option dest lan
+# option dest_port 22
+# option proto tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+# option src wan
+# option dest lan
+# option protocol esp
+# option target ACCEPT
+
+#config rule
+# option src wan
+# option dest lan
+# option src_port 500
+# option dest_port 500
+# option proto udp
+# option target ACCEPT
+
+### FULL CONFIG SECTIONS
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 80
+# option dest wan
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+# option target REJECT
+
+#config redirect
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 1024
+# option src_dport 80
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+
diff --git a/data/configi/rc.local b/data/configi/rc.local
new file mode 100644
index 0000000..ab7262b
--- /dev/null
+++ b/data/configi/rc.local
@@ -0,0 +1,4 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+iperf -s -u -B 239.239.2.149 -i 10 -y c | logger -t iperf_sonda
+exit 0
diff --git a/data/configi/syslog-ng.conf b/data/configi/syslog-ng.conf
new file mode 100644
index 0000000..b046d1f
--- /dev/null
+++ b/data/configi/syslog-ng.conf
@@ -0,0 +1,16 @@
+options {
+ chain_hostnames(off);
+ sync(0);
+
+ # The default action of syslog-ng 1.6.0 is to log a STAT
+ # to the file every 10 minutes. That's pretty ugly afte
+ # Change it to every 12 hours so you get a nice daily up
+ # how many messages syslog-ng missed (0).
+ stats(43200);
+};
+
+source src { unix-stream("/dev/log"); internal(); };
+
+# destination messages { file("/var/log/messages"); };
+destination messages { udp("10.200.200.70"); };
+log { source(src); destination(messages); };
diff --git a/data/configi/system b/data/configi/system
new file mode 100644
index 0000000..b50b517
--- /dev/null
+++ b/data/configi/system
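Review bot: The `iperf -s -u -B 239.239.2.149 -i 10 -y c | logger -t iperf_sonda` pipeline on the third line of rc.local runs in the foreground, so `exit 0` is never reached while the server is alive and, as far as I can tell, the rc.local init step blocks on it for the life of the process; append `&` to detach it: `iperf -s -u -B 239.239.2.149 -i 10 -y c | logger -t iperf_sonda &`. The same server invocation is duplicated in data/iperf.sh in this commit (without the logger), so the two copies can drift; one of them could invoke the other instead.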
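Review bot: The comment block above `stats(43200);` in syslog-ng.conf is cut off mid-word on two lines (`... pretty ugly afte`, `... a nice daily up`), which reads as a copy-paste truncation; either finish the sentences or trim the block to one line such as `# emit a STATS line every 12h instead of the 1.6 default of 10 min`. The only active destination is `udp("10.200.200.70")` with the local `file(...)` destination commented out, so nothing is retained on the device and the whole log stream leaves as plaintext UDP that is neither authenticated nor acknowledged; a comment at the destination line should state the assumption, e.g. `# remote-only: plaintext UDP to the collector on a trusted management net, no local copy`.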
@@ -0,0 +1,44 @@
+
+config system
+ option hostname 'iperf_sonda'
+ option 'zonename' 'Europe/Warsaw'
+ option 'timezone' 'CET-1CEST,M3.5.0,M10.5.0/3'
+
+config timeserver 'ntp'
+ list 'server' '10.200.200.26'
+
+config led 'led_wan'
+ option name 'WAN'
+ option sysfs 'tp-link:green:wan'
+ option trigger 'netdev'
+ option dev 'eth1'
+ option mode 'link tx rx'
+
+config led 'led_lan1'
+ option name 'LAN1'
+ option sysfs 'tp-link:green:lan1'
+ option trigger 'switch0'
+ option port_mask '0x04'
+
+config led 'led_lan2'
+ option name 'LAN2'
+ option sysfs 'tp-link:green:lan2'
+ option trigger 'switch0'
+ option port_mask '0x08'
+
+config led 'led_lan3'
+ option name 'LAN3'
+ option sysfs 'tp-link:green:lan3'
+ option trigger 'switch0'
+ option port_mask '0x10'
+
+config led 'led_lan4'
+ option name 'LAN4'
+ option sysfs 'tp-link:green:lan4'
+ option trigger 'switch0'
+ option port_mask '0x02'
+
+config led 'led_wlan'
+ option name 'WLAN'
+ option sysfs 'tp-link:green:wlan'
+ option trigger 'phy0tpt'
diff --git a/data/install.sh b/data/install.sh
new file mode 100755
index 0000000..e1836b3
--- /dev/null
+++ b/data/install.sh
@@ -0,0 +1,17 @@
+/etc/init.d/firewall disable
+/etc/init.d/firewall stop
+
+opkg install paczki/lib* paczki/paczka*
+/etc/init.d/syslog-ng enable
+
+cp configi/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+cp configi/rc.local /etc/rc.local
+cp configi/system /etc/config/system
+cp configi/firewall /etc/config/firewall
+
+opkg remove kmod-ip6tables
+opkg remove ip6tables
+opkg remove 6relayd
+opkg remove odhcp6c
+opkg remove kmod-ipv6
+
diff --git a/data/iperf.sh b/data/iperf.sh
new file mode 100755
index 0000000..2fee251
--- /dev/null
+++ b/data/iperf.sh
@@ -0,0 +1 @@
+iperf -s -u -B 239.239.2.149 -i 10 -y c
diff --git a/data/paczki/libol_0.3.18-2_ar71xx.ipk b/data/paczki/libol_0.3.18-2_ar71xx.ipk
new file mode 100644
index 0000000..24dd0eb
Binary files /dev/null and b/data/paczki/libol_0.3.18-2_ar71xx.ipk differ
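Review bot: install.sh has no shebang and no `set -e`, so a failed `opkg install paczki/lib* paczki/paczka*` on line 4 does not stop the run and the script goes on to enable syslog-ng and install configs for packages that may not be present; add `#!/bin/sh` and `set -e` at the top. Lines 1-2 disable and stop the firewall service, yet line 10 still copies `configi/firewall` to `/etc/config/firewall`, where it has no effect while the service is off; either drop that copy or add a comment explaining why the probe runs without a firewall. Every path (`paczki/`, `configi/`) is relative to the caller's cwd, which only works because sonda.sh runs `cd data/` first; `cd "$(dirname "$0")"` after the shebang would make the script self-contained. data/iperf.sh in the same commit also lacks a shebang.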
diff --git a/data/paczki/libpthread_0.9.33.2-1_ar71xx.ipk b/data/paczki/libpthread_0.9.33.2-1_ar71xx.ipk
new file mode 100644
index 0000000..0928861
Binary files /dev/null and b/data/paczki/libpthread_0.9.33.2-1_ar71xx.ipk differ
diff --git a/data/paczki/librt_0.9.33.2-1_ar71xx.ipk b/data/paczki/librt_0.9.33.2-1_ar71xx.ipk
new file mode 100644
index 0000000..3f6cc56
Binary files /dev/null and b/data/paczki/librt_0.9.33.2-1_ar71xx.ipk differ
diff --git a/data/paczki/paczka_iperf_3.ipk b/data/paczki/paczka_iperf_3.ipk
new file mode 100644
index 0000000..5a40391
Binary files /dev/null and b/data/paczki/paczka_iperf_3.ipk differ
diff --git a/data/paczki/paczka_syslog-ng_1.6.12-6_ar71xx.ipk b/data/paczki/paczka_syslog-ng_1.6.12-6_ar71xx.ipk
new file mode 100644
index 0000000..6d320c9
Binary files /dev/null and b/data/paczki/paczka_syslog-ng_1.6.12-6_ar71xx.ipk differ
diff --git a/data/paczki/paczka_uclibcxx_0.2.4-1_ar71xx.ipk b/data/paczki/paczka_uclibcxx_0.2.4-1_ar71xx.ipk
new file mode 100644
index 0000000..c5bcd57
Binary files /dev/null and b/data/paczki/paczka_uclibcxx_0.2.4-1_ar71xx.ipk differ
diff --git a/openwrt_pass.txt b/openwrt_pass.txt
new file mode 100644
index 0000000..f77b004
--- /dev/null
+++ b/openwrt_pass.txt
@@ -0,0 +1 @@
+admin
\ No newline at end of file
diff --git a/sonda.sh b/sonda.sh
new file mode 100755
index 0000000..4f59b0e
--- /dev/null
+++ b/sonda.sh
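Review bot: openwrt_pass.txt commits the device's root password in plaintext (`admin`, the same value hardcoded in sonda.sh) into repository history. Credentials should stay out of version control: keep this file untracked via .gitignore with a committed `openwrt_pass.txt.example` placeholder, or have sonda.sh take the value from an environment variable, and treat the committed value as exposed once pushed — set a non-default root password on the device. The binary `.ipk` packages under data/paczki/ in the same commit are vendored artefacts with no recorded origin or checksum, so a short README line naming where they were obtained would let a reviewer verify them.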
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+SCRIPT_DIR=$(dirname -- "${BASH_SOURCE[0]}")
+PASS=$(cat "$SCRIPT_DIR/openwrt_pass.txt")
+
+sshpass -p $PASS \
+ scp -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -o GlobalKnownHostsFile=/dev/null \
+ -oKexAlgorithms=+diffie-hellman-group1-sha1 \
+ -O -o HostKeyAlgorithms=+ssh-rsa -r \
+ "$SCRIPT_DIR/data" root@192.168.1.1:/root/
+
+sshpass -p "admin" \
+ ssh -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -o GlobalKnownHostsFile=/dev/null \
+ -oKexAlgorithms=+diffie-hellman-group1-sha1 \
+ -oHostKeyAlgorithms=+ssh-rsa root@192.168.1.1 "cd data/; ./install.sh"
+
-- 
cgit v1.2.3
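Review bot: `SCRIPT_DIR=$(dirname -- "${BASH_SOURCE[0]}")` on line 5 is a bash-only expansion under a `#!/bin/sh` shebang; on dash or busybox ash it is a bad substitution and, with `set -e`, the script stops before copying anything, so it only works when launched as `bash sonda.sh` — `$0` is the portable equivalent. The password handling is also inconsistent: the scp call uses `-p $PASS` (unquoted), the ssh call hardcodes `-p "admin"`, and in both cases the secret sits on the command line where other local users can read it from the process list; `sshpass -f` reads it straight from the file, which also removes the `cat`. `StrictHostKeyChecking=no` with both known-hosts files sent to /dev/null means the script accepts whatever host key answers at 192.168.1.1, which is a deliberate choice for a factory-fresh device on a direct cable but should be stated, e.g. `# no host-key pinning: the target is a fresh device on a direct link, not a routed network`. The legacy `KexAlgorithms`/`HostKeyAlgorithms` additions deserve the same one-line justification next to them.
```shell
SCRIPT_DIR=$(dirname -- "$0")
PASS_FILE="$SCRIPT_DIR/openwrt_pass.txt"

sshpass -f "$PASS_FILE" \
  scp -o StrictHostKeyChecking=no \
  # … unchanged: remaining scp options, "$SCRIPT_DIR/data" source and root@192.168.1.1:/root/ target …

sshpass -f "$PASS_FILE" \
  ssh -o StrictHostKeyChecking=no \
  # … unchanged: remaining ssh options and the remote "cd data/; ./install.sh" …
```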