documentation/Serveurs/routeur.md

# Routeur `routeur` : routeur principal de l'infrastructure de Libre en Communs
### Matériel
Turris Omnia 2019 (Argenté), architecture ARMv7 Processor rev 1 (v7l)
SSD KINGSTON SKC600M 256Gio
### Logiciel
Système d'exploitation : OpenWrt 21.02 / LuCI openwrt-21.02 avec patch (voir plus loin)
Reverse proxy HTTP(S) : `nginx`
Interface graphique : `luci`
Certificats TLS (client ACME) : `acme`
Autres logiciels utilisés : `fail2ban`, `htop`, `bash`, `vpn-policy-routing`
#### Patch de block-mount pour montage partition SSD
Patch local appliqué au paquet `block-mount` (fichier `block.c`) : il force la réparation automatique (`fsck.f2fs -p 2`, branche F2FS du code) du système de fichiers lors de la vérification au démarrage, et fait lire le `fstab` de l'extroot depuis `/tmp/overlay` en dernier recours. Étant appliqué localement, ce patch est perdu à chaque mise à jour du paquet `block-mount` et doit être réappliqué ; vérifier le montage du SSD après toute mise à jour.
--- a/block.c
+++ b/block.c
@@ -747,7 +747,7 @@ static void check_filesystem(struct prob
pid = fork();
if (!pid) {
if(!strncmp(pr->type, "f2fs", 4)) {
- execl(ckfs, ckfs, "-f", pr->dev, NULL);
+ execl(ckfs, ckfs, "-p", "2", "-f", pr->dev, NULL);
exit(EXIT_FAILURE);
} else if(!strncmp(pr->type, "btrfs", 5)) {
execl(ckfs, ckfs, "--repair", pr->dev, NULL);
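Review bot: The reason for `-p 2` on the fsck.f2fs execl is not recorded anywhere, and it is the security-relevant part of the hunk: in f2fs-tools, preen level 2 is a full check with fix-on set, so metadata is rewritten without the Y/N prompt a plain `-f` run would block on when started without a tty — confirm this against the f2fs-tools version shipped with OpenWrt 21.02. A comment above the execl, `/* -p 2: preen level 2 = full check + fix without prompting; block runs fsck non-interactively */`, would carry that reasoning to whoever re-applies this local patch after a block-mount upgrade. Whether the parent honours a failed exec or a non-zero fsck status before mounting is decided in the part of check_filesystem outside the hunk.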
@@ -1591,7 +1591,7 @@ static int main_extroot(int argc, char *
#endif
/* As a last resort look for /etc/config/fstab on "rootfs" partition */
- return mount_extroot(NULL);
+ return mount_extroot("/tmp/overlay");
}
static int main_mount(int argc, char **argv)
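Review bot: The hard-coded `"/tmp/overlay"` passed to mount_extroot is explained neither in the hunk nor on the page: per the comment just above it, the NULL form was the last resort that read /etc/config/fstab from the root filesystem, and the call now reads it from whatever is mounted at /tmp/overlay at that point of boot on this Omnia (the earlier branches of main_extroot that mount something there are above the hunk, out of view). Add a comment on the changed line stating the actual reason, e.g. `/* Omnia: the rootfs overlay is already on /tmp/overlay; take the extroot fstab from there */`. Also worth recording on the page: when nothing is mounted at /tmp/overlay this last resort presumably no longer falls back to the root filesystem's fstab, so the SSD would silently stay unmounted — confirm in mount_extroot/config_load, which are outside the hunk.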
### Caractéristiques réseau
Domaine : routeur.libre-en-communs.org
Adresses ipv4 publiques : 80.67.176.33, 80.67.179.96
Adresse ipv4 locale : 192.168.0.1
Adresse ipv6 publique : 2001:910:1021::1
#### Configuration des interfaces
Les interfaces sont configurées pour connexion à la fibre FDN en PPPoE sur le port WAN. Il y a deux IPs publiques à récupérer et on utilise donc une interface virtuelle (wan2) utilisant le port de l'interface principale (wan) avec configuration de la seconde IP en statique. La première IP est récupérée automatiquement par l'interface principale.
Le préfixe public IPv6 du routeur (et donc du réseau) est récupéré automatiquement à la connexion, créant une interface virtuelle à la volée (nommée wan_6 et dont le bloc n'est pas visible dans le fichier de configuration, donc).
##### /etc/config/network
<details>
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd22:fc53:0a5d::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
# 192.168.0.0/16: the "infra" VMs (192.168.1.x), the Chalec VMs (192.168.2.x)
# and the 192.168.0.x hosts all sit on one bridge and one broadcast domain.
# There is no segmentation between them at the router; isolation, if any,
# has to come from each VM's own firewall.
option ipaddr '192.168.0.1'
option netmask '255.255.0.0'
# One /64 out of the prefix delegated over PPPoE is assigned to the LAN.
option ip6assign '64'
list ip6class 'wan_6'
# Primary uplink: PPPoE on the FDN fibre, physical WAN port eth2. The first
# public IPv4 (80.67.176.33) and the IPv6 prefix are learned from the PPP
# session; the second public IPv4 is the static 'wan2' alias below.
config interface 'wan'
option device 'eth2'
option proto 'pppoe'
option username 'association.libre.en.comm@fdn.ilf.kosc'
# Deliberately redacted in this documentation; the real value lives only on
# the router. Never paste it here (the username above is not secret by itself
# but forms the PPPoE credential together with it).
option password 'INFORMATION CACHEE'
list ip6class 'wan_6'
# 'auto' requests the IPv6 prefix over PPP; netifd then creates the dynamic
# 'wan_6' interface that does not appear in this file.
option ipv6 'auto'
# Second public IPv4, configured as a /32 alias on the same physical port as
# 'wan' (no gateway option, so no default route comes from here). Outbound
# traffic is steered to this address only for 192.168.2.0/24 by the
# 'sortie chalec' policy in /etc/config/vpn-policy-routing; inbound, the
# firewall DNATs with src_dip 80.67.179.96 select it. How its replies reach the
# PPP session is not visible in this file — confirm if it ever stops working.
config interface 'wan2'
option proto 'static'
option device 'eth2'
option ipaddr '80.67.179.96'
option netmask '255.255.255.255'
</details>
#### Configuration DHCP (IP statiques allouées aux VM et serveurs)
##### /etc/config/dhcp
<details>
# dnsmasq: DHCPv4 + DNS for the LAN. 'authoritative' = it is the only DHCP
# server on the segment; 'readethers' also loads /etc/ethers; 'local /lan/'
# keeps the .lan zone from ever being forwarded upstream. Upstream resolvers
# come from resolv.conf.auto, presumably filled in from the PPP session —
# confirm, since those upstreams also answer for the public names not
# overridden below.
config dnsmasq
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option ednspacket_max '1232'
# rebind_protection '0': upstream answers pointing to private (RFC1918)
# addresses are passed through to clients. Presumably needed because the
# public names of this infrastructure resolve to 192.168.x.x from inside
# (split horizon) — confirm. If the 'config domain' entries below are the only
# source of such answers, the protection can be re-enabled: those records are
# served from this file, not from upstream, and are not affected by it.
option rebind_protection '0'
# localservice '0': answer DNS queries from any source subnet, not only the
# directly attached ones. Exposure stays limited to the LAN because dnsmasq is
# bound to 'lan' only and explicitly kept off every WAN-side interface.
option localservice '0'
list interface 'lan'
list notinterface 'wan'
# 'wan6' is not an interface defined in /etc/config/network (the dynamic IPv6
# interface is 'wan_6', listed next); harmless leftover.
list notinterface 'wan6'
list notinterface 'wan_6'
list notinterface 'wan2'
# allservers '1': every upstream resolver is queried in parallel and the first
# reply wins — favours latency over predictability (any one upstream can win).
option allservers '1'
# Dynamic IPv4 pool 192.168.0.100-192.168.0.249 (start 100, limit 150) on the
# /16 LAN; the VMs get fixed addresses from the 'config host' entries below.
# RA/DHCPv6/NDP are left to odhcpd in hybrid mode.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'hybrid'
option dhcpv6 'hybrid'
option ndp 'hybrid'
list ra_flags 'none'
# No DHCP service on the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
# odhcpd handles RA/DHCPv6; maindhcp '0' keeps DHCPv4 in dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static name -> address records served by dnsmasq. AAAA records point to the
# hosts' public IPv6 addresses; the A records below point to their private
# IPv4 addresses, so LAN clients reach services directly rather than through
# the router's DNAT / reverse proxy (split-horizon DNS — presumed intent).
config domain
option name 'routeur'
option ip '2001:910:1021::1'
config domain
option name 'routeur.libre-en-communs.org'
option ip '192.168.0.1'
config domain
option name 'routeur.libre-en-communs.org'
option ip '2001:910:1021::1'
config domain
option name 'mother.libre-en-communs.org'
option ip '192.168.1.2'
config domain
option name 'mother'
option ip '2001:910:1021::2'
config domain
option name 'aunt.libre-en-communs.org'
option ip '192.168.1.3'
config domain
option name 'aunt'
option ip '2001:910:1021::3'
# Fixed DHCP leases keyed on the VM's MAC address; 'dns 1' also publishes the
# short name in dnsmasq (e.g. mother.lan), which nginx's reverse proxy relies
# on to find the backends. A MAC is trivially spoofable on the shared bridge,
# so these bindings are a convenience, not an access-control boundary.
config host
option name 'mother'
option dns '1'
option mac '52:C6:86:7C:8F:7E'
option ip '192.168.1.2'
config host
option name 'aunt'
option dns '1'
option mac 'F2:8A:D8:B6:5D:60'
option ip '192.168.1.3'
config host
option mac '52:54:00:C1:D0:69'
option name 'dns'
option dns '1'
option ip '192.168.1.242'
config host
option name 'gestion'
option dns '1'
option mac '52:54:00:C8:83:EC'
option ip '192.168.1.236'
config domain
option name 'gestion.a-lec.org'
option ip '192.168.1.236'
config host
option name 'git'
option dns '1'
option mac '52:54:00:FD:63:1C'
option ip '192.168.1.131'
config host
option mac '52:54:00:12:BC:CF'
option name 'mail'
option dns '1'
option ip '192.168.1.201'
config host
option name 'toot'
option dns '1'
option mac '52:54:00:E4:2A:97'
option ip '192.168.1.179'
config host
option mac '52:54:00:07:F1:3C'
option name 'www'
option dns '1'
option ip '192.168.1.188'
config host
option name 'xmpp'
option dns '1'
option mac '52:54:00:0B:A6:ED'
option ip '192.168.1.211'
config host
option name 'audio'
option dns '1'
option mac '52:54:00:EE:93:E0'
option ip '192.168.1.186'
config host
option mac '52:54:00:F2:BB:55'
option name 'tootest'
option dns '1'
option ip '192.168.1.232'
config host
option mac '52:54:00:86:69:5F'
option name 'generic'
option dns '1'
option ip '192.168.1.195'
config domain
option name 'mail.a-lec.org'
option ip '192.168.1.201'
config domain
option name 'git.a-lec.org'
option ip '192.168.1.131'
config domain
option name 'audio.a-lec.org'
option ip '192.168.1.186'
config domain
option name 'sharedfs.a-lec.org'
option ip '192.168.0.148'
# From here down to 'aunt.libre-en-communs.org', every entry repeats a record
# that already exists in this file (isengard even appears twice in a row).
# They resolve to the same addresses, so nothing breaks, but prune them so a
# future address change is not applied in only one place.
config domain
option name 'isengard.libre-en-communs.org'
option ip '192.168.1.155'
config domain
option name 'mother.libre-en-communs.org'
option ip '192.168.1.2'
config domain
option name 'isengard.libre-en-communs.org'
option ip '192.168.1.155'
config domain
option name 'aunt.libre-en-communs.org'
option ip '192.168.1.3'
config domain
option name 'xmpp.a-lec.org'
option ip '192.168.1.211'
config domain
option name 'dns.libre-en-communs.org'
option ip '192.168.1.242'
config host
option name 'libreboot'
option dns '1'
option mac '52:54:00:1D:0A:65'
option ip '192.168.1.120'
config host
option name 'isengard'
option dns '1'
option mac '52:54:00:C3:51:4D'
option ip '192.168.1.155'
config host
option name 'sharedfs'
option dns '1'
option mac '52:54:00:54:5A:B8'
option ip '192.168.0.148'
config host
option name 'ghn'
option dns '1'
option ip '192.168.1.224'
option mac '52:54:00:e2:13:4f'
config host
option name 'xmpp.chalec.org'
option dns '1'
option mac '52:54:00:FC:74:4C'
option ip '192.168.2.204'
config host
option name 'audio.chalec.org'
option dns '1'
option mac '52:54:00:88:F7:2F'
option ip '192.168.2.114'
config host
option ip '192.168.2.189'
option name 'generic.chalec.org'
option dns '1'
option mac '52:54:00:C9:16:7A'
config host
option mac '52:54:00:CA:E8:51'
option ip '192.168.2.193'
option name 'nuage.chalec.org'
option dns '1'
config host
option name 'toot.chalec.org'
option dns '1'
option mac '52:54:00:AB:41:92'
option ip '192.168.2.220'
config domain
option name 'toot.chalec.org'
option ip '192.168.2.220'
# Chalec VMs: each one is declared twice, once as a fixed lease ('config host',
# where the FQDN is used as the DHCP host name) and once as a static A record
# ('config domain'). Both must be kept in step by hand.
config domain
option name 'audio.chalec.org'
option ip '192.168.2.114'
config domain
option name 'nuage.chalec.org'
option ip '192.168.2.193'
config domain
option ip '192.168.2.204'
option name 'xmpp.chalec.org'
config host
option name 'forge.chalec.org'
option dns '1'
option mac '52:54:00:73:A2:F2'
option ip '192.168.2.239'
config domain
option name 'forge.chalec.org'
option ip '192.168.2.239'
config host
option name 'visio.chalec.org'
option dns '1'
option mac '52:54:00:46:87:63'
option ip '192.168.2.198'
config domain
option name 'visio.chalec.org'
option ip '192.168.2.198'
config host
option mac '52:54:00:5A:EE:F3'
option ip '192.168.2.139'
option name 'libreverse.chalec.org'
option dns '1'
config domain
option name 'libreverse.chalec.org'
option ip '192.168.2.139'
config host
option name 'video.chalec.org'
option dns '1'
option mac '52:54:00:0E:9F:9A'
option ip '192.168.2.199'
config domain
option name 'video.chalec.org'
option ip '192.168.2.199'
# Duplicate of the sharedfs.a-lec.org record declared earlier (same address).
config domain
option name 'sharedfs.a-lec.org'
option ip '192.168.0.148'
# Bare name with no matching 'config host'; presumably a physical machine with
# a manually set address — confirm it is still in use.
config domain
option ip '192.168.0.206'
option name 'coreboot'
config host
option name 'ctrlv.chalec.org'
option dns '1'
option mac '52:54:00:C0:45:7A'
option ip '192.168.2.240'
config host
option name 'sondage.chalec.org'
option dns '1'
option mac '52:54:00:E5:F0:F8'
option ip '192.168.2.137'
config host
option name 'pad.chalec.org'
option dns '1'
option mac '52:54:00:50:56:54'
option ip '192.168.2.182'
config host
option name 'stats.chalec.org'
option dns '1'
option mac '52:54:00:87:E2:D5'
option ip '192.168.2.196'
config domain
option name 'stats.chalec.org'
option ip '192.168.2.196'
# The next two records (nuage, visio) duplicate entries made earlier in this
# file with the same addresses; prune so an address change happens in one place.
config domain
option name 'nuage.chalec.org'
option ip '192.168.2.193'
config domain
option name 'visio.chalec.org'
option ip '192.168.2.198'
config host
option name 'www.chalec.org'
option dns '1'
option mac '52:54:00:A6:FD:72'
option ip '192.168.2.225'
config host
option name 'petition.chalec.org'
option dns '1'
option mac '52:54:00:bd:21:03'
option ip '192.168.2.67'
config domain
option name 'www.chalec.org'
option ip '192.168.2.225'
config domain
option name 'ghn.a-lec.org'
option ip '192.168.1.224'
</details>
#### Configuration du pare-feu (et redirections de ports pour IPv4)
Deux points à garder en tête en lisant ce fichier : la zone `wan` est en `input ACCEPT` (tout service écoutant sur le routeur lui-même est joignable depuis Internet, `fail2ban` étant le seul frein) et un `config forwarding` `wan → lan` en fin de fichier laisse passer tout le trafic entrant vers le LAN. En IPv4 cela n'a d'effet qu'au travers des redirections (`config redirect`) ci-dessous, les adresses privées n'étant pas routables depuis Internet ; en IPv6, en revanche, chaque machine du LAN est directement exposée et doit assurer son propre filtrage.
##### /etc/config/firewall
<details>
# Global policy. input ACCEPT means every socket the router itself listens on is
# reachable from any zone that does not override it — and the 'wan' zone below
# keeps input ACCEPT, so the router's own SSH daemon, nginx (80/443/444) and
# anything else bound to 0.0.0.0/:: faces the Internet (over IPv6 in
# particular: on IPv4, port 22 of both public addresses is DNATed to VMs).
# fail2ban is the only brake. Consider input 'REJECT' on wan plus explicit
# accept rules for what must stay reachable.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
# forward DROP would be the safe default for transit traffic, but it is undone
# for wan -> lan by the 'config forwarding' at the very end of this file.
option forward 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
# input ACCEPT: the router's own services are reachable from the Internet (see
# the note on 'config defaults'). forward ACCEPT, together with the wan -> lan
# forwarding at the end of the file: transit from the Internet into the LAN is
# not filtered here. For IPv4 that only matters for the DNATed ports (private
# addresses are unroutable from outside); for IPv6 every host behind br-lan has
# a public address and is fully exposed — each VM must carry its own firewall.
option input 'ACCEPT'
option forward 'ACCEPT'
# The physical port is listed next to the logical networks, presumably so that
# wan2's traffic on eth2 falls into this zone as well.
list device 'eth2'
# Logs traffic hitting this zone's reject/drop policy. With input and forward
# on ACCEPT that is essentially only what drop_invalid discards.
option log '1'
list network 'wan'
list network 'wan2'
# LAN -> Internet transit (masqueraded by the wan zone's masq '1').
config forwarding
option src 'lan'
option dest 'wan'
# The rules below are OpenWrt's stock allow-rules. With the wan zone on
# input/forward ACCEPT they are all redundant today; they only become
# meaningful once the zone policy is tightened, so keep them.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through rules (ESP + IKE on udp/500 into the LAN). No IPsec
# endpoint is documented on this page; disable them if none exists.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# Free-form iptables script, not reproduced on this page. Anything in it sits
# outside the rules reviewed here — document its contents next to this file.
config include
option path '/etc/firewall.user'
# fail2ban's chains are (re)loaded through this include. The very same include
# is declared a second time further down in this file, so the script is
# presumably run twice on every firewall reload — drop one of the two.
config include
option path '/etc/firewall.fail2ban'
option enabled '1'
option reload '1'
# Port forwards (IPv4 only: DNAT does not apply to the IPv6 traffic, which
# reaches the VMs directly). Each one is pinned to a public address with
# src_dip, so the same port can be reused on the other address. The SSH
# forwards (222/223/666/22/777 and 22 on the second address) put the VMs'
# sshd directly on the Internet; the router's fail2ban (jail set-up not shown
# on this page) and each VM's own sshd policy are all that stands in front.
config redirect
option target 'DNAT'
option name 'ssh 222 -> mother'
option src 'wan'
option src_dport '222'
option dest 'lan'
option dest_port '222'
option src_dip '80.67.176.33'
option dest_ip '192.168.1.2'
config redirect
option target 'DNAT'
option name 'ssh 223 -> aunt'
option src 'wan'
option src_dport '223'
option dest 'lan'
option dest_port '223'
option src_dip '80.67.176.33'
option dest_ip '192.168.1.3'
config redirect
option target 'DNAT'
option name 'dns 53 -> dns'
option src 'wan'
option src_dport '53'
option dest 'lan'
option dest_port '53'
option dest_ip '192.168.1.242'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '25'
option dest 'lan'
option dest_port '25'
option name 'smtp -> mail'
option dest_ip '192.168.1.201'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '587'
option dest 'lan'
option dest_port '587'
option name 'smtps -> mail'
option dest_ip '192.168.1.201'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '993'
option dest 'lan'
option dest_port '993'
option name 'imaps -> mail'
option dest_ip '192.168.1.201'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option src 'wan'
option src_dip '80.67.176.33'
option src_dport '4190'
option dest 'lan'
option dest_ip '192.168.1.201'
option dest_port '4190'
option reflection_src 'external'
option name 'sieve -> mail'
config redirect
option target 'DNAT'
option name 'ssh 666 -> mail'
option src 'wan'
option src_dport '666'
option dest 'lan'
option dest_port '22'
option dest_ip '192.168.1.201'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'ssh 22 -> git'
option src 'wan'
option src_dport '22'
option dest 'lan'
option dest_port '22'
option dest_ip '192.168.1.131'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'ssh 777 -> www'
option src 'wan'
option src_dport '777'
option dest 'lan'
option dest_port '22'
option dest_ip '192.168.1.188'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'xmpp c2s'
option src 'wan'
option src_dport '5222'
option dest 'lan'
option dest_port '5222'
option dest_ip '192.168.1.211'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '5223'
option dest 'lan'
option dest_port '5223'
option name 'xmpp c2s tls'
option dest_ip '192.168.1.211'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'xmpp s2s'
option src 'wan'
option src_dport '5269'
option dest 'lan'
option dest_port '5269'
option dest_ip '192.168.1.211'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'xmpp https'
option src 'wan'
option src_dport '5443'
option dest 'lan'
option dest_port '5443'
option dest_ip '192.168.1.211'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'xmpp http'
option src 'wan'
option src_dport '5280'
option dest 'lan'
option dest_port '5280'
option dest_ip '192.168.1.211'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'xmpp stun'
option src 'wan'
option src_dport '3478'
option dest 'lan'
option dest_port '3478'
option dest_ip '192.168.1.211'
option src_dip '80.67.176.33'
config redirect
option target 'DNAT'
option name 'mumble -> audio'
option src 'wan'
option src_dport '64738'
option dest 'lan'
option dest_ip '192.168.1.186'
option dest_port '64738'
option src_dip '80.67.176.33'
# No src_dip and no proto: matches tcp AND udp 113 arriving on BOTH public
# addresses, not only the Chalec one. Add src_dip '80.67.179.96' (and proto
# 'tcp') if that is not intended.
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '113'
option dest 'lan'
option dest_ip '192.168.2.204'
option name 'Chalec xmpp (IRC sortant) identd'
# Chalec services, all on the second public address. Where dest_port is
# omitted the destination port equals src_dport.
config redirect
option target 'DNAT'
option name 'chalec xmpp c2s'
option src 'wan'
option src_dip '80.67.179.96'
option dest 'lan'
option dest_ip '192.168.2.204'
option src_dport '5222'
config redirect
option target 'DNAT'
option name 'chalec xmpp c2s tls'
option src 'wan'
option src_dport '5223'
option dest 'lan'
option dest_ip '192.168.2.204'
option src_dip '80.67.179.96'
config redirect
option target 'DNAT'
option name 'chalec xmpp s2s'
option src 'wan'
option src_dip '80.67.179.96'
option dest 'lan'
option dest_ip '192.168.2.204'
option src_dport '5269'
config redirect
option target 'DNAT'
option name 'chalec xmpp https'
option src 'wan'
option src_dip '80.67.179.96'
option dest 'lan'
option dest_ip '192.168.2.204'
option src_dport '5443-5444'
config redirect
option target 'DNAT'
option name 'chalec xmpp http'
option src 'wan'
option src_dip '80.67.179.96'
option src_dport '5280'
option dest 'lan'
option dest_ip '192.168.2.204'
config redirect
option target 'DNAT'
option name 'chalec xmpp stun'
option src 'wan'
option src_dip '80.67.179.96'
option dest 'lan'
option dest_ip '192.168.2.204'
option src_dport '3475-3478'
config redirect
option target 'DNAT'
option name 'chalec mumble'
option src 'wan'
option src_dip '80.67.179.96'
option src_dport '64738'
option dest 'lan'
option dest_ip '192.168.2.114'
config redirect
option target 'DNAT'
option name 'Chalec Libreverse'
option src 'wan'
option src_dip '80.67.179.96'
option src_dport '30000'
option dest 'lan'
option dest_ip '192.168.2.139'
# Second declaration of the fail2ban include already present earlier in this
# file; remove one of the two.
config include
option path '/etc/firewall.fail2ban'
option enabled '1'
option reload '1'
# Grafana's own listener, exposed directly on the Internet on port 3000. Unless
# Grafana itself terminates TLS there (not visible on this page), its login and
# session cookies travel in clear text. Prefer serving it through the 443
# reverse proxy and dropping this forward.
config redirect
option target 'DNAT'
option name 'Isengard Grafana'
option src 'wan'
option src_dip '80.67.176.33'
option src_dport '3000'
option dest 'lan'
option dest_ip '192.168.1.155'
option dest_port '3000'
config redirect
option target 'DNAT'
option src 'wan'
option src_dip '80.67.179.96'
option src_dport '1935'
option dest 'lan'
option dest_ip '192.168.2.199'
option dest_port '1935'
option name '1935 -> video'
config redirect
option target 'DNAT'
option name '10000 -> visio'
option src 'wan'
option src_dip '80.67.179.96'
option src_dport '10000'
option dest 'lan'
option dest_ip '192.168.2.198'
# reflection_src 'external': LAN clients hitting 80.67.179.96:22 also land on
# forge, with the router's external address as source (so forge's logs and
# fail2ban will not see the real LAN client).
config redirect
option target 'DNAT'
option name 'chalec ssh 22 -> forge'
option src 'wan'
option src_dip '80.67.179.96'
option src_dport '22'
option dest 'lan'
option dest_ip '192.168.2.239'
option dest_port '22'
option reflection_src 'external'
# No src_dip: the Icinga API port is forwarded from BOTH public addresses.
config redirect
option target 'DNAT'
option name 'icinga 5665-> isengard'
option src 'wan'
option src_dport '5665'
option dest 'lan'
option dest_ip '192.168.1.155'
option dest_port '5665'
# Unconditional Internet -> LAN forwarding. This is what makes every VM's
# public IPv6 address reachable on every port without any filtering on the
# router (the page states each machine has its own public IPv6). Keep it only
# as long as every VM runs its own firewall; otherwise replace it with
# per-host/per-port 'config rule' entries (src wan, dest lan, dest_ip ..., family ipv6).
config forwarding
option src 'wan'
option dest 'lan'
</details>
#### Configuration du routage des IPs publiques en sortie
##### /etc/config/vpn-policy-routing
<details>
# vpn-policy-routing is used here purely for source-based egress selection
# between the two public IPv4 addresses; no VPN is configured on this page.
config vpn-policy-routing 'config'
option verbosity '2'
# strict_enforcement '1': per the package's documented semantics, when the
# policy's interface (wan2) is down, matching traffic is blocked instead of
# silently leaking out through the default uplink under the other public
# address. Keep it.
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
# IPv6 is not policy-routed; the policy below is IPv4 only (which is fine,
# each VM has its own public IPv6).
option ipv6_enabled '0'
# Leftover from the package defaults: no 'vpnserver'/'wgserver' interface
# exists in /etc/config/network. Harmless.
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_protocol_column '1'
option webui_chain_column '1'
# Intent: everything from the Chalec VMs (192.168.2.0/24) leaves via wan2 and
# thus appears on the Internet as 80.67.179.96, while the a-lec/infra VMs
# (192.168.1.0/24) keep the default uplink (80.67.176.33). Any new VM placed
# in 192.168.2.x inherits this automatically. NOTE(review): chain 'OUTPUT' is,
# in this package, the chain for the router's own traffic, PREROUTING the one
# that sees forwarded LAN traffic — verify from a 192.168.2.x VM that its
# public source address really is 80.67.179.96.
config policy
option name 'sortie chalec'
option src_addr '192.168.2.0/24'
option proto 'all'
option chain 'OUTPUT'
option interface 'wan2'
</details>
### Configuration des certificats SSL
Configuration classique du client ACME (`acme`) pour obtenir le certificat TLS du routeur lui-même (utilisé par le serveur nginx sur le port 444). La validation se fait en `webroot` sous `/www`, donc via HTTP sur le port 80, qui doit rester joignable depuis Internet pour que les renouvellements aboutissent.
#### /etc/config/acme
<details>
# ACME client configuration for the router's own certificate (the LuCI/nginx
# listener on 444). Validation is 'webroot' under /www: the challenge file is
# fetched over plain HTTP on port 80, presumably served by nginx (the matching
# server block is not in the excerpt on this page), so port 80 must stay
# reachable from the Internet for renewals.
config acme
option state_dir '/etc/acme'
# ACME account contact address.
option account_email 'cominfra@a-lec.org'
option debug '0'
# Section name is a leftover from the package's example: this is a single-name
# certificate, not a wildcard (wildcards would need DNS-01 validation anyway).
config cert 'example_wildcard'
option update_nginx '1'
option enabled '1'
list domains 'routeur.libre-en-communs.org'
option update_uhttpd '0'
option validation_method 'webroot'
option webroot '/www'
# ECDSA P-384 key; the resulting files land in
# /etc/acme/routeur.libre-en-communs.org_ecc/ (referenced from nginx.conf).
option keylength 'ec-384'
# 0 = production CA. Set to 1 while experimenting to avoid rate limits.
option use_staging '0'
</details>
2021-11-16 20:26:38 +01:00
### Configuration Reverse Proxy (nginx)
Le Reverse Proxy a pour mission de rediriger les connexions HTTP(S) qui arrivent en IPv4 sur le routeur vers les machines associées à ces connexions. Il n'est donc pas utilisé pour IPv6 puisque chaque machine a sa propre IP publique accessible depuis Internet. Conséquence à ne pas perdre de vue : le pare-feu du routeur laisse passer le trafic entrant `wan → lan` (voir `/etc/config/firewall`), donc en IPv6 chaque machine est exposée directement et doit gérer son propre filtrage. Nous utilisons le logiciel `nginx`.
Pour HTTP (port 80), on utilise la méthode `proxy_pass` en http dans des blocs `server` de la section `http`. Afin d'éviter d'avoir des IPs à configurer ici, nous utilisons les noms d'hôte des machines (`*.lan`, servis par le dnsmasq du routeur) qui sont donc résolus à l'exécution. La redirection vers la machine s'effectue sur le port 80, avec les en-têtes `X-Real-IP` et `X-Forwarded-For` à destination de la machine cible. Attention : `X-Forwarded-For` est construit avec `$proxy_add_x_forwarded_for`, c'est-à-dire la valeur éventuellement envoyée par le client suivie de son adresse ; la machine cible ne doit donc se fier qu'au dernier élément (ou à `X-Real-IP`), et uniquement lorsque la requête provient du routeur. La configuration du Reverse Proxy HTTP est dans le fichier `/etc/nginx/reverse_proxy.conf`.
Pour HTTPS (port 443), en raison de notre volonté de ne pas centra­liser les certificats TLS en un seul endroit, nous avons fait le choix de ne pas déchiffrer les requêtes sur le routeur. Ainsi, nous utilisons la méthode `proxy_pass` avec le `proxy_protocol` et `ssl_preread` dans la section `stream`. Cela permet de lire le nom d'hôte dans l'extension SNI du ClientHello TLS (sans rien déchiffrer) et de transmettre directement le flux non traité à la machine correspondante. Afin de ne pas gêner des requêtes en IPv4 sur le port 443 internes au réseau, la redirection vers la machine s'effectue sur le port 444 en `proxy_protocol`, ce qui permet de récupérer l'IP de la machine ayant émis la requête. Attention : l'en-tête PROXY n'est ni chiffré ni authentifié ; le port 444 des machines cibles (et celui du routeur, voir `nginx.conf`) ne doit accepter de connexions que depuis le routeur, faute de quoi n'importe qui (par exemple via l'IPv6 publique de la machine) peut y présenter une adresse source forgée. La configuration du Reverse Proxy HTTPS est dans le fichier `/etc/nginx/reverse_proxy_ssl.conf`.
Enfin, la configuration générale de nginx ainsi que le bloc pour le serveur correspondant à la page de configuration du routeur se trouve dans `/etc/nginx/nginx.conf`.
#### /etc/nginx/nginx.conf (fichier principal de configuration)
<details>
worker_processes auto;
# Worker processes run as root: every request handler (LuCI over uwsgi, the
# ubus endpoint, the TLS passthrough) executes with full privileges on the
# gateway, so any nginx/module bug is root here. Check whether the uwsgi/ubus
# sockets really require it before keeping this.
user root;
events {
worker_connections 1024;
}
#error_log /var/log/nginx/error.log debug;
# TLS passthrough for port 443: reverse_proxy_ssl.conf (not reproduced on this
# page) uses ssl_preread to pick the backend from the SNI name and forwards the
# raw TLS stream to port 444 of the VM with a PROXY protocol header. Nothing is
# decrypted on the router.
stream {
include reverse_proxy_ssl.conf;
}
http {
# Backend hostnames in reverse_proxy.conf are resolved at request time through
# the local dnsmasq, so the proxy follows the 'config host' leases in
# /etc/config/dhcp — and whoever controls those DNS answers controls where
# proxied traffic goes.
resolver 127.0.0.1 ipv6=off;
include mime.types;
default_type application/octet-stream;
sendfile on;
# Applies to the plain-HTTP reverse proxy too: uploads above 128 MiB are
# rejected on the router before reaching the VM.
client_max_body_size 128M;
# Two 1 KiB buffers for oversized headers is unusually tight: a request whose
# cookies/headers exceed that is answered 400/494 here. Raise it (e.g. 4 8k)
# if a proxied application starts failing with "header too large".
large_client_header_buffers 2 1k;
server_names_hash_bucket_size 64;
gzip on;
gzip_vary on;
gzip_proxied any;
# Per-host HTTP (port 80) reverse-proxy server blocks.
include reverse_proxy.conf;
#include conf.d/*.conf;
2021-11-16 20:26:38 +01:00
2022-08-28 12:40:00 +02:00
server {
listen 0.0.0.0:444 ssl proxy_protocol;
2021-11-16 20:26:38 +01:00
server_name routeur.libre-en-communs.org;
2022-08-28 12:40:00 +02:00
2021-11-16 20:26:38 +01:00
ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
2022-08-28 12:40:00 +02:00
ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
location /cgi-bin/luci {
index index.html;
include uwsgi_params;
uwsgi_param SERVER_ADDR $server_addr;
uwsgi_modifier1 9;
uwsgi_pass unix:///var/run/luci-webui.socket;
}
2021-11-16 20:26:38 +01:00
2022-08-28 12:40:00 +02:00
location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
include uwsgi_params;
uwsgi_param SERVER_ADDR $server_addr;
uwsgi_modifier1 9;
uwsgi_pass unix:///var/run/luci-cgi_io.socket;
2021-11-16 20:26:38 +01:00
}
2022-08-28 12:40:00 +02:00
location /luci-static {
error_log stderr crit;
}
location /ubus {
ubus_interpreter;
ubus_socket_path /var/run/ubus/ubus.sock;
ubus_parallel_req 2;
}
root /www;
ssl_session_cache shared:SSL:32k;
ssl_session_timeout 64m;
}
2021-11-16 20:26:38 +01:00
}
</details>
#### /etc/nginx/reverse_proxy.conf (reverse proxy HTTP)
<details>
#### INFRA
# HTTP (port 80) reverse proxy. Every block has the same shape: match one
# public name, forward to the internal ".lan" host and pass the client
# address in X-Real-IP / X-Forwarded-For. The `set $target` indirection
# makes proxy_pass use a variable, so the backend name is resolved at
# request time through the resolver declared in nginx.conf instead of
# once at startup. proxy_redirect off passes backend Location headers
# through unchanged.
# NOTE(review): proxy_set_header Host is not set, so each backend sees
# Host = its .lan name (nginx default $proxy_host). Names sharing one
# backend (don/adhesion/coffre -> gestion.lan, a-lec.org/www -> www.lan,
# salons/pubsub -> xmpp.lan, www-wip/chalec.org -> www.chalec.org.lan)
# are therefore indistinguishable to that backend unless it keys on
# something else — confirm, else add `proxy_set_header Host $host;`.
# NOTE(review): no block is default_server, so an unknown or missing Host
# header (scanners, direct-IP requests) is served by the first block
# (isengard). A catch-all `server { listen 80 default_server; return 444; }`
# would fail closed instead.
# NOTE(review): `listen 80` binds IPv4 only; the router's public IPv6 is
# not served here unless an IPv6 listener exists elsewhere — confirm.
server {
    server_name isengard.libre-en-communs.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://isengard.lan:80";
        proxy_pass $target;
    }
}
# gestion.lan hosts gestion, don, adhesion and coffre.
server {
    server_name gestion.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://gestion.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name don.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://gestion.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name adhesion.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://gestion.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name audio.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://audio.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name coffre.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://gestion.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name git.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://git.lan:80";
        proxy_pass $target;
    }
}
# www.lan hosts both www.a-lec.org and the bare a-lec.org.
server {
    server_name www.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://www.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://www.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name toot.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://toot.lan:80";
        proxy_pass $target;
    }
}
# mail.lan hosts mail and the autoconfig name.
server {
    server_name mail.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://mail.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name autoconfig.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://mail.lan:80";
        proxy_pass $target;
    }
}
# xmpp.lan hosts xmpp, salons and pubsub. These three names, and
# proxy.a-lec.org below, have no entry in the HTTPS passthrough map.
server {
    server_name xmpp.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://xmpp.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name salons.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://xmpp.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name pubsub.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://xmpp.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name proxy.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://proxy.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name ghn.a-lec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://ghn.lan:80";
        proxy_pass $target;
    }
}
### CHALEC
# CHALEC backends are named <public name>.lan, one backend per service
# except www.chalec.org.lan (www, www-wip and the bare chalec.org).
server {
    server_name audio.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://audio.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name toot.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://toot.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name nuage.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://nuage.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name forge.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://forge.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name ctrlv.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://ctrlv.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name sondage.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://sondage.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name visio.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://visio.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name video.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://video.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name libreverse.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://libreverse.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name xmpp.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://xmpp.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name pad.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://pad.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name stats.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://stats.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name www.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://www.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name www-wip.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://www.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name petition.chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://petition.chalec.org.lan:80";
        proxy_pass $target;
    }
}
server {
    server_name chalec.org;
    listen 80;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        set $target "http://www.chalec.org.lan:80";
        proxy_pass $target;
    }
}
</details>
#### /etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS)
<details>
# Hash table sizing for the SNI map below.
map_hash_max_size 64;
map_hash_bucket_size 64;
# SNI -> upstream routing for the TLS passthrough. $ssl_preread_server_name
# is the server name read from the ClientHello; the TLS session itself is
# never decrypted on the router. There is no `default` entry: a name not
# listed here, or a client that sends no SNI, yields an empty $name_444 and
# the connection is closed by the stream server (fail closed). Names that
# exist in reverse_proxy.conf but not here (xmpp, salons, pubsub and
# proxy.a-lec.org) therefore have no HTTPS path through the router, while
# www-wip.a-lec.org and tootest.a-lec.org exist only here — presumably
# intentional, confirm.
map $ssl_preread_server_name $name_444 {
    ### INFRA
    gestion.a-lec.org gestion_a-lec_444;
    don.a-lec.org gestion_a-lec_444;
    adhesion.a-lec.org gestion_a-lec_444;
    coffre.a-lec.org gestion_a-lec_444;
    git.a-lec.org git_a-lec_444;
    www.a-lec.org www_a-lec_444;
    www-wip.a-lec.org www_a-lec_444;
    a-lec.org www_a-lec_444;
    mail.a-lec.org mail_a-lec_444;
    autoconfig.a-lec.org mail_a-lec_444;
    toot.a-lec.org toot_a-lec_444;
    # The router's own LuCI interface (loops back to nginx.conf, port 444).
    routeur.libre-en-communs.org routeur_444;
    isengard.libre-en-communs.org isengard_444;
    audio.a-lec.org audio_a-lec_444;
    tootest.a-lec.org tootest_a-lec_444;
    ghn.a-lec.org ghn_a-lec_444;
    ### CHALEC
    audio.chalec.org audio_chalec_444;
    nuage.chalec.org nuage_chalec_444;
    toot.chalec.org toot_chalec_444;
    forge.chalec.org forge_chalec_444;
    pad.chalec.org pad_chalec_444;
    ctrlv.chalec.org ctrlv_chalec_444;
    sondage.chalec.org sondage_chalec_444;
    stats.chalec.org stats_chalec_444;
    visio.chalec.org visio_chalec_444;
    video.chalec.org video_chalec_444;
    libreverse.chalec.org libreverse_chalec_444;
    www.chalec.org www_chalec_444;
    chalec.org www_chalec_444;
    www-wip.chalec.org www_chalec_444;
    petition.chalec.org petition_chalec_444;
    xmpp.chalec.org xmpp_chalec_444;
}
# One upstream per backend, all on port 444 (PROXY protocol, TLS passed
# through untouched). a-lec backends are referenced by short name
# (e.g. `gestion`, relying on the router's DNS search domain), CHALEC
# backends by their full `.lan` name, as in reverse_proxy.conf.
# NOTE(review): unlike the variable-based proxy_pass in the http context,
# these static `server` names are resolved once when the configuration is
# loaded, so a backend name that does not resolve at (re)start fails the
# whole config; this differs from the "resolved at runtime" description
# in the prose above — confirm.
upstream gestion_a-lec_444 {
    server gestion:444;
}
upstream ghn_a-lec_444 {
    server ghn:444;
}
upstream tootest_a-lec_444 {
    server tootest:444;
}
upstream audio_a-lec_444 {
    server audio:444;
}
upstream git_a-lec_444 {
    server git:444;
}
upstream mail_a-lec_444 {
    server mail:444;
}
upstream www_a-lec_444 {
    server www:444;
}
upstream toot_a-lec_444 {
    server toot:444;
}
# Loopback to the LuCI server block in nginx.conf (listen 0.0.0.0:444
# ssl proxy_protocol); this is its only intended peer.
upstream routeur_444 {
    server 127.0.0.1:444;
}
upstream isengard_444 {
    server isengard:444;
}
### CHALEC
upstream audio_chalec_444 {
    server audio.chalec.org.lan:444;
}
upstream nuage_chalec_444 {
    server nuage.chalec.org.lan:444;
}
upstream toot_chalec_444 {
    server toot.chalec.org.lan:444;
}
upstream forge_chalec_444 {
    server forge.chalec.org.lan:444;
}
upstream ctrlv_chalec_444 {
    server ctrlv.chalec.org.lan:444;
}
upstream pad_chalec_444 {
    server pad.chalec.org.lan:444;
}
upstream sondage_chalec_444 {
    server sondage.chalec.org.lan:444;
}
upstream stats_chalec_444 {
    server stats.chalec.org.lan:444;
}
upstream visio_chalec_444 {
    server visio.chalec.org.lan:444;
}
upstream video_chalec_444 {
    server video.chalec.org.lan:444;
}
upstream libreverse_chalec_444 {
    server libreverse.chalec.org.lan:444;
}
upstream xmpp_chalec_444 {
    server xmpp.chalec.org.lan:444;
}
upstream petition_chalec_444 {
    server petition.chalec.org.lan:444;
}
upstream www_chalec_444 {
    server www.chalec.org.lan:444;
}
### SERVER
# Single TCP listener on 443: read the SNI from the ClientHello, pick the
# upstream from the map above and forward the raw TLS bytes with a PROXY
# protocol header carrying the real client address. An empty $name_444
# (unknown or missing SNI) closes the connection. Backends must accept the
# PROXY header only from this router (firewall rule or set_real_ip_from on
# their side), otherwise the client address they log and rate-limit on can
# be supplied by anyone able to reach their port 444 directly.
# NOTE(review): `listen 443;` is IPv4 only; add `listen [::]:443;` if the
# router's public IPv6 is meant to serve HTTPS — confirm.
server {
    listen 443;
    proxy_pass $name_444;
    proxy_protocol on;
    ssl_preread on;
}
</details>