Glam

From John's wiki
Revision as of 22:32, 6 November 2023 by Sixsigma (talk | contribs)
Jump to navigation Jump to search

My server 'glam' is one of my computers in my lab.

This Raspberry Pi is a Raspberry Pi 4 Model B Rev 1.5, it used to be 'glimmer'. I use this system as my network router.

See MicroSD for notes about disk images.

This system is running Raspberry Pi OS (64-bit) which doesn't use grub as the bootloader.

To enable predictable network interface names (based on MAC address): 

# sudo raspi-config

Then: Advanced Options -> Network Interface Names -> Enable predictable network interface names (yes)

and reboot. 

$ cat /etc/network/interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*

# 2023-11-06 jj5 - BLUE:
#
auto end0
iface end0 inet static
  address 10.0.0.5
  netmask 255.255.0.0
  gateway 10.0.0.1
  dns-nameservers 10.0.0.1

# 2023-11-06 jj5 - RED:
#
auto enx00e099001bf7
iface enx00e099001bf7 inet static
  address 10.1.0.5
  netmask 255.255.0.0

# 2023-11-06 jj5 - ORANGE:
#
auto enx00e099001bf6
iface enx00e099001bf6 inet static
  address 10.2.0.5
  netmask 255.255.0.0

# 2023-11-06 jj5 - GREEN:
#
auto enx00e099001cc7
iface enx00e099001cc7 inet static
  address 10.3.0.5
  netmask 255.255.0.0

$ tail -n 8 /etc/sysctl.conf

# 2023-11-06 jj5 - Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 2023-11-06 jj5 - enable routing:
net.ipv4.ip_forward=1

$ cat /etc/iptables/rules.v4

# 2023-11-06 jj5 - SEE: https://gridscale.io/en/community/tutorials/debian-router-gateway/

*nat
-A POSTROUTING -o end0 -j MASQUERADE
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
# allow ssh, so that we do not lock ourselves
-A INPUT -i enx00e099001cc7 -p tcp -m tcp --dport 22 -j ACCEPT
# allow incoming traffic to the outgoing connections,
# et al for clients from the private network
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 2023-11-06 jj5 - interfaces:
## BLUE....: end0
## RED.....: enx00e099001bf7
## ORANGE..: enx00e099001bf6
## GREEN...: enx00e099001cc7
# 2023-11-06 jj5 - disable between interfaces... this isn't working as I expected so commented out for now...
#-A FORWARD -i end0 -o enx00e099001bf7 -j DROP
#-A FORWARD -i end0 -o enx00e099001bf6 -j DROP
#-A FORWARD -i end0 -o enx00e099001cc7 -j DROP
#-A FORWARD -i enx00e099001bf7 -o enx00e099001bf6 -j DROP
#-A FORWARD -i enx00e099001bf7 -o enx00e099001cc7 -j DROP
#-A FORWARD -i enx00e099001bf6 -o enx00e099001cc7 -j DROP
# prohibit everything else incoming 
-A INPUT -i end0 -j DROP
COMMIT

# apt install iptables

# cat /etc/iptables-rules.sh

#!/bin/bash
iptables-restore < /etc/iptables/rules.v4

# chmod +x /etc/iptables-rules.sh

# cat /etc/systemd/system/iptables-rules.service

[Unit]
Description=Apply custom iptables rules

[Service]
Type=oneshot
ExecStart=/etc/iptables-rules.sh

[Install]
WantedBy=multi-user.target

# systemctl enable iptables-rules.service
Retrieved from "https://www.jj5.net/wiki/mediawiki/index.php?title=Glam&oldid=7598"