From 31020108bdcc7e0241778c60b9407cd4d0c4ce4b Mon Sep 17 00:00:00 2001
From: kleper
Date: Mon, 29 Apr 2019 10:33:57 -0500
Subject: [PATCH] cambios en openwrt
---
 openwrt-files/etc/config/dhcp | 10 +-
 openwrt-files/etc/config/firewall | 284 +++++++++++++++++++-----------
 openwrt-files/etc/config/network | 23 +--
 openwrt-files/etc/config/system | 54 ++++--
 openwrt-files/etc/config/wireless | 25 +--
 openwrt-files/etc/shadow | 2 +-
 6 files changed, 230 insertions(+), 168 deletions(-)
diff --git a/openwrt-files/etc/config/dhcp b/openwrt-files/etc/config/dhcp
index 38159fa..5ba58f0 100644
--- a/openwrt-files/etc/config/dhcp
+++ b/openwrt-files/etc/config/dhcp
@@ -1,25 +1,25 @@
 config dnsmasq
  option domainneeded '1'
- option boguspriv '1'
- option filterwin2k '0'
  option localise_queries '1'
  option rebind_protection '1'
  option rebind_localhost '1'
- option local '/lan/'
- option domain 'lan'
  option expandhosts '1'
- option nonegcache '0'
  option authoritative '1'
  option readethers '1'
  option leasefile '/tmp/dhcp.leases'
  option resolvfile '/tmp/resolv.conf.auto'
  option nonwildcard '1'
  option localservice '1'
+ option local '/redcomani.org/'
+ option domain 'redcomani.org'
 config dhcp 'lan'
  option interface 'lan'
+ option dhcpv6 'server'
+ option ra 'server'
  option ignore '1'
+ option ra_management '1'
 config dhcp 'wan'
  option interface 'wan'
diff --git a/openwrt-files/etc/config/firewall b/openwrt-files/etc/config/firewall
index 0ddb704..8874e98 100644
--- a/openwrt-files/etc/config/firewall
+++ b/openwrt-files/etc/config/firewall
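Review bot: `option ignore '1'` stays on the lan pool while `dhcpv6 'server'`, `ra 'server'` and `ra_management '1'` are added right beside it; as far as I know odhcpd honours `ignore` for its interface section as well, so the new IPv6 server settings are likely inert on lan — confirm on the device and either drop `ignore` or move the v6 options to a section that is not ignored. The new `option local '/redcomani.org/'` tells dnsmasq never to forward queries under that domain, so if redcomani.org also has public hosts outside this network, clients here will not resolve them; a one-line comment stating the intent, e.g. `# redcomani.org is answered locally only, never forwarded upstream`, would stop a later maintainer from reverting it as a mistake.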
@@ -1,125 +1,195 @@
-
 config defaults
- option syn_flood '1'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'REJECT'
+ option syn_flood 1
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+# Uncomment this line to disable ipv6 rules
+# option disable_ipv6 1
 config zone
- option name 'lan'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'ACCEPT'
- option network 'lan'
+ option name lan
+ list network 'lan'
+ option input ACCEPT
+ option output ACCEPT
+ option forward ACCEPT
 config zone
- option name 'wan'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- option mtu_fix '1'
- option network ' '
+ option name wan
+ list network 'wan'
+ list network 'wan6'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+ option mtu_fix 1
 config forwarding
- option src 'lan'
- option dest 'wan'
+ option src lan
+ option dest wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+ option name Allow-DHCP-Renew
+ option src wan
+ option proto udp
+ option dest_port 68
+ option target ACCEPT
+ option family ipv4
+
+# Allow IPv4 ping
+config rule
+ option name Allow-Ping
+ option src wan
+ option proto icmp
+ option icmp_type echo-request
+ option family ipv4
+ option target ACCEPT
 config rule
- option name 'Allow-DHCP-Renew'
- option src 'wan'
- option proto 'udp'
- option dest_port '68'
- option target 'ACCEPT'
- option family 'ipv4'
+ option name Allow-IGMP
+ option src wan
+ option proto igmp
+ option family ipv4
+ option target ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+ option name Allow-DHCPv6
+ option src wan
+ option proto udp
+ option src_ip fc00::/6
+ option dest_ip fc00::/6
+ option dest_port 546
+ option family ipv6
+ option target ACCEPT
 config rule
- option name 'Allow-Ping'
- option src 'wan'
- option proto 'icmp'
- option icmp_type 
'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
+ option name Allow-MLD
+ option src wan
+ option proto icmp
+ option src_ip fe80::/10
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Input
+ option src wan
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ list icmp_type router-solicitation
+ list icmp_type neighbour-solicitation
+ list icmp_type router-advertisement
+ list icmp_type neighbour-advertisement
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Forward
+ option src wan
+ option dest *
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
 config rule
- option name 'Allow-IGMP'
- option src 'wan'
- option proto 'igmp'
- option family 'ipv4'
- option target 'ACCEPT'
+ option name Allow-IPSec-ESP
+ option src wan
+ option dest lan
+ option proto esp
+ option target ACCEPT
 config rule
- option name 'Allow-DHCPv6'
- option src 'wan'
- option proto 'udp'
- option src_ip 'fc00::/6'
- option dest_ip 'fc00::/6'
- option dest_port '546'
- option family 'ipv6'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-MLD'
- option src 'wan'
- option proto 'icmp'
- option src_ip 'fe80::/10'
- list icmp_type '130/0'
- list icmp_type '131/0'
- list icmp_type '132/0'
- list icmp_type '143/0'
- option family 'ipv6'
- 
option target 'ACCEPT'
-
-config rule
- option name 'Allow-ICMPv6-Input'
- option src 'wan'
- option proto 'icmp'
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- list icmp_type 'router-solicitation'
- list icmp_type 'neighbour-solicitation'
- list icmp_type 'router-advertisement'
- list icmp_type 'neighbour-advertisement'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-ICMPv6-Forward'
- option src 'wan'
- option dest '*'
- option proto 'icmp'
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-IPSec-ESP'
- option src 'wan'
- option dest 'lan'
- option proto 'esp'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-ISAKMP'
- option src 'wan'
- option dest 'lan'
- option dest_port '500'
- option proto 'udp'
- option target 'ACCEPT'
+ option name Allow-ISAKMP
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option target ACCEPT
+# include a file with users custom iptables rules
 config include
- option path '/etc/firewall.user'
+ option path /etc/firewall.user
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option dest wan
+# option proto tcp
+# option target REJECT
+
+# block a specific mac on wan
+#config rule
+# option dest wan
+# option src_mac 00:11:22:33:44:66
+# option target REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+# option src lan
+# option proto ICMP
+# option 
target DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+# option src wan
+# option src_dport 80
+# option dest lan
+# option dest_ip 192.168.16.235
+# option dest_port 80
+# option proto tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+# option src wan
+# option src_dport 22001
+# option dest lan
+# option dest_port 22
+# option proto tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 80
+# option dest wan
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+# option target REJECT
+
+#config redirect
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 1024
+# option src_dport 80
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
diff --git a/openwrt-files/etc/config/network b/openwrt-files/etc/config/network
index b705d98..ba9a7ee 100644
--- a/openwrt-files/etc/config/network
+++ b/openwrt-files/etc/config/network
@@ -6,11 +6,11 @@ config interface 'loopback'
  option netmask '255.0.0.0'
 config globals 'globals'
- option ula_prefix 'fd20:a9a3:4c8a::/48'
+ option ula_prefix 'fda8:6c9c:aee9::/48'
 config interface 'lan'
  option type 'bridge'
- option ifname 'eth0.1'
+ option ifname 'eth0'
  option proto 'static'
  option ip6assign '60'
  option ipaddr '10.17.0.101'
@@ -19,25 +19,10 @@ config interface 'lan'
  option dns '10.17.95.1'
 config interface 'wan'
- option ifname 'eth0.2'
+ option ifname 'eth1'
  option proto 'dhcp'
 config interface 'wan6'
- option ifname 'eth0.2'
+ option ifname 'eth1'
  option proto 'dhcpv6'
-config switch
- option name 'switch0'
- option reset '1'
- option enable_vlan '1'
-
-config switch_vlan
- option device 'switch0'
- option vlan '1'
- option ports '2 3 4 5 0t'
-
-config switch_vlan
- option device 'switch0'
- option vlan '2'
- option ports '1 0t'
-
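Review bot: The lan zone keeps `option input ACCEPT`, and the wireless file in this same commit leaves a single AP with `encryption 'none'` attached to `network 'lan'`, so every service the router listens on is reachable by any unauthenticated wireless client; if the open SSID is intentional, a dedicated zone for it with `option input REJECT` plus explicit rules for the few services those clients need (DNS, DHCP) would limit that exposure. The file is otherwise the upstream OpenWrt default with quoting removed, and the mixed quoting that results (`list network 'lan'` and `list icmp_type '130/0'` next to `option name lan`) is valid UCI but a single convention would keep future diffs smaller. The `### EXAMPLE CONFIG SECTIONS` block at the end is stock sample text; a header such as `# Examples below are upstream OpenWrt samples, not site rules` would stop the 192.168.45.2 and 194.25.2.129 entries being read as real hosts.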
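Review bot: The lan bridge now takes `eth0` and wan/wan6 take `eth1` directly, and the second hunk of this file deletes the `switch` and `switch_vlan` sections, so the configuration only fits a board with two distinct Ethernet devices; the `ubnt:` LED names and the `pci0000:00/0000:00:00.0` radio path elsewhere in the commit suggest the target hardware changed, but nothing in the file says so. A header comment naming the target, e.g. `# Target: <model placeholder> — lan=eth0, wan=eth1, no switch driver`, would document why the VLAN layout is gone and keep this file from being applied to the previous `eth0.1`/`eth0.2` device. The `ula_prefix` is also replaced in the same hunk; that looks deliberate but is unrelated to the port change and deserves a word in the commit message.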
diff --git a/openwrt-files/etc/config/system b/openwrt-files/etc/config/system
index 46a9b41..2ccfd7e 100644
--- a/openwrt-files/etc/config/system
+++ b/openwrt-files/etc/config/system
@@ -14,22 +14,44 @@ config timeserver 'ntp'
  list server '2.openwrt.pool.ntp.org'
  list server '3.openwrt.pool.ntp.org'
-config led 'led_usb1'
- option name 'USB1'
- option sysfs 'tp-link:green:usb1'
- option trigger 'usbdev'
- option interval '50'
- option dev '1-1.1'
+config gpio_switch 'poe_passthrough'
+ option name 'PoE Passthrough'
+ option gpio_pin '8'
+ option value '0'
-config led 'led_usb2'
- option name 'USB2'
- option sysfs 'tp-link:green:usb2'
- option trigger 'usbdev'
- option interval '50'
- option dev '1-1.2'
+config led 'led_rssilow'
+ option sysfs 'ubnt:red:link1'
+ option trigger 'rssi'
+ option iface 'rssid_wlan0'
+ option minq '1'
+ option maxq '100'
+ option offset '0'
+ option factor '13'
-config led 'led_wlan2g'
- option name 'WLAN2G'
- option sysfs 'tp-link:blue:wlan2g'
- option trigger 'phy0tpt'
+config led 'led_rssimediumlow'
+ option sysfs 'ubnt:orange:link2'
+ option trigger 'rssi'
+ option iface 'rssid_wlan0'
+ option minq '26'
+ option maxq '100'
+ option offset '-25'
+ option factor '13'
+
+config led 'led_rssimediumhigh'
+ option sysfs 'ubnt:green:link3'
+ option trigger 'rssi'
+ option iface 'rssid_wlan0'
+ option minq '51'
+ option maxq '100'
+ option offset '-50'
+ option factor '13'
+
+config led 'led_rssihigh'
+ option sysfs 'ubnt:green:link4'
+ option trigger 'rssi'
+ option iface 'rssid_wlan0'
+ option minq '76'
+ option maxq '100'
+ option offset '-75'
+ option factor '13'
diff --git a/openwrt-files/etc/config/wireless b/openwrt-files/etc/config/wireless
index 35af000..70ee549 100644
--- a/openwrt-files/etc/config/wireless
+++ b/openwrt-files/etc/config/wireless
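Review bot: The four `trigger 'rssi'` LED sections all point at `iface 'rssid_wlan0'`, which as far as I know is supplied by the rssileds package and its rssid daemon rather than by the base image; if that package is missing the LEDs simply stay dark with no error, so a comment above `led_rssilow` such as `# rssi trigger needs the rssileds package (rssid daemon)` would save a debugging round. `gpio_switch 'poe_passthrough'` with `value '0'` leaves passthrough power off by default, which is the safe choice for an unknown downstream port; a short comment stating that this is deliberate would keep it from being flipped casually.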
@@ -1,32 +1,17 @@
 config wifi-device 'radio0'
  option type 'mac80211'
+ option channel '11'
  option hwmode '11g'
- option path 'platform/ar934x_wmac'
- option channel '6'
- option htmode 'HT40'
+ option path 'pci0000:00/0000:00:00.0'
+ option htmode 'HT20'
  option country 'US'
  option legacy_rates '1'
 config wifi-iface 'default_radio0'
  option device 'radio0'
+ option mode 'ap'
+ option ssid 'RedCoMani.org'
  option network 'lan'
- option mode 'ap'
- option encryption 'none'
- option ssid 'RedCoMani.org'
-
-config wifi-device 'radio1'
- option type 'mac80211'
- option hwmode '11a'
- option path 'pci0000:00/0000:00:00.0'
- option channel '120'
- option htmode 'HT40'
- option country 'US'
- option legacy_rates '1'
-
-config wifi-iface 'default_radio1'
- option device 'radio1'
- option mode 'ap'
- option ssid 'RedCoMani.org'
  option encryption 'none'
diff --git a/openwrt-files/etc/shadow b/openwrt-files/etc/shadow
index 02516bf..6d0c5e8 100644
--- a/openwrt-files/etc/shadow
+++ b/openwrt-files/etc/shadow
@@ -1,4 +1,4 @@
-root:$1$o0K13DIt$44HqwLkJyp3ZpxHjNjMh//:17926:0:99999:7:::
+root:$1$xhU4xtec$6BYy6N10k/XgXJVFYtKmu/:17926:0:99999:7:::
 daemon:*:0:0:99999:7:::
 ftp:*:0:0:99999:7:::
 network:*:0:0:99999:7:::
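Review bot: `option path 'pci0000:00/0000:00:00.0'` is the path that belonged to the deleted 5 GHz `radio1` (`hwmode '11a'`) and is now given to `radio0`, which keeps `hwmode '11g'` and gets `channel '11'`; that only works if the radio at that PCI path can operate in 2.4 GHz, which this hunk cannot show — confirm on the target, because otherwise radio0 fails to come up and the SSID is never advertised. The surviving iface keeps `encryption 'none'` (a context line, so not introduced here); if an open community SSID is the intent, a comment beside it such as `# open AP by design (community network)` would mark it as deliberate rather than an oversight.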
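Review bot: The new root line commits a password hash to version control, and its `$1$` prefix means MD5-crypt, which is inexpensive to attack offline; anyone with read access to this repository effectively holds the router's root credential. Keep /etc/shadow out of the repo (set the password at image build or first boot, or ship a locked `root:*:` entry and provision the real one out of band), and where a hash must be stored prefer a SHA-512-crypt `$6$` entry if the target's busybox supports it. The last-change field `17926` is identical on the old and new lines even though the hash differs, which suggests the file was edited by hand rather than through `passwd`; if so, a comment in the commit message would make that clear.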