imlonghao · July 23, 2022 13:58
diff --git a/gistfile1.sh b/gistfile1.sh
 #!/bin/bash

 # ----------------
 AS=
 SUBNET=
 ROUTER_ID=
 GATEWAY_IP=
 SUBNET_v6=
 GATEWAY_IP_v6=
 SNMP_IP=
 SNMP_PASS=
 PUBLIC_IP=`date +%s | sha256sum | base64 | head -c 32`
 # ----------------

 # Update System
 cd ~
 apt-get update && apt-get dist-upgrade -y

 # Install bird
 wget -O - http://bird.network.cz/debian/apt.key | apt-key add -
 apt-get install lsb-release -y
 echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
 apt-get update
 apt-get install bird -y
 systemctl enable bird
 systemctl enable bird6

 # Install OpenVPN
 apt-get install openvpn -y

 # IPv4
 cat << EOF > /etc/bird/bird.conf
 roa table dn42_roa {
    include "bird_roa_dn42.conf";
 };

 # Device status
 protocol device {
  scan time 10; # recheck every 10 seconds
 }

 protocol static {
  # Static routes to announce your own range(s) in dn42
  route $SUBNET reject;
  import all;
  export none;
 };

 # local configuration
 ######################

 # keeping router specific in a seperate file,
 # so this configuration can be reused on multiple routers in your network
 include "/etc/bird/local4.conf";

 # filter helpers
 #################

 include "/etc/bird/filter4.conf";

 # Kernel routing tables
 ########################

 /*
    krt_prefsrc defines the source address for outgoing connections.
    On Linux, this causes the "src" attribute of a route to be set.

    Without this option outgoing connections would use the peering IP which
    would cause packet loss if some peering disconnects but the interface
    is still available. (The route would still exist and thus route through
    the TUN/TAP interface but the VPN daemon would simply drop the packet.)
 */
 protocol kernel {
  scan time 20;
  device routes;
  import none;
  export filter {
    if source = RTS_STATIC then reject;
    krt_prefsrc = OWNIP;
    accept;
  };
 };
 # DN42
 #######

 template bgp dnpeers {
  local as OWNAS;
  # metric is the number of hops between us and the peer
  path metric 1;
  # this lines allows debugging filter rules
  # filtered routes can be looked up in birdc using the "show route filtered" command
  import keep filtered;
  import filter {
    if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
      print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
      reject;
    }
    # accept every subnet, except our own advertised subnet
    # filtering is important, because some guys try to advertise routes like 0.0.0.0
    if is_valid_network() && !is_self_net() then {
      accept;
    }
    reject;
  };
  export filter {
    # here we export the whole net
    if is_valid_network() then {
      accept;
    }
    reject;
  };
  import limit 10000 action block;
  #source address OWNIP;
 };

 template bgp locals {
  local as OWNAS;
  import all;
  export all;
  direct;
  next hop self;
 };

 include "/etc/bird/peers4/*";
 EOF

 cat << EOF > /etc/bird/local4.conf
 router id $ROUTER_ID;

 define OWNAS =  $AS;
 define OWNIP = $GATEWAY_IP;

 function is_self_net() {
  return net ~ [$SUBNET+];
 }
 EOF

 curl -s https://ca.dn42.us/reg/filter.txt | \
    awk '/^[0-9]/ && $2 ~ /permit/ {printf "%s{%s,%s}\n", $3, $4, $5}' | \
    awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n"} \
        NR > 1 {printf ",\n"} {printf "  %s", $1}
        END {printf "\n ];\n}\n"}' > /etc/bird/filter4.conf

 mkdir /etc/bird/peers4
 curl -sfSLR {-o,-z}/etc/bird/bird_roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf
 crontab -l | { cat; echo "*/15 * * * * curl -sfSLR {-o,-z}/etc/bird/bird_roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf && chronic birdc configure"; } | crontab -

 # IPv6
 cat << EOF > /etc/bird/bird6.conf
 roa table dn42_roa {
    include "bird6_roa_dn42.conf";
 };

 protocol device {
  scan time 10;
 }

 # local configuration
 ######################

 include "/etc/bird/local6.conf";

 # filter helpers
 #################

 include "/etc/bird/filter6.conf";

 # Kernel routing tables
 ########################


 /*
    krt_prefsrc defines the source address for outgoing connections.
    On Linux, this causes the "src" attribute of a route to be set.

    Without this option outgoing connections would use the peering IP which
    would cause packet loss if some peering disconnects but the interface
    is still available. (The route would still exist and thus route through
    the TUN/TAP interface but the VPN daemon would simply drop the packet.)
 */
 protocol kernel {
  scan time 20;
  device routes;
  import none;
  export filter {
    if source = RTS_STATIC then reject;
    krt_prefsrc = OWNIP;
    accept;
  };
 }

 # static routes
 ################

 protocol static {
  route $SUBNET_v6 reject;
  import all;
  export none;
 }

 template bgp dnpeers {
  local as OWNAS;
  path metric 1;
  import keep filtered;
  import filter {
    if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
      print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
      reject;
    }
    if is_valid_network() && !is_self_net() then {
      accept;
    }
    reject;
  };
  export filter {
    if is_valid_network() then {
      accept;
    }
    reject;
  };
  import limit 10000 action block;
 }

 template bgp locals {
  local as OWNAS;
  import all;
  export all;
  direct;
  next hop self;
 }

 include "/etc/bird/peers6/*";
 EOF

 cat << EOF > /etc/bird/local6.conf
 router id $ROUTER_ID;

 define OWNAS =  $AS;
 define OWNIP = $GATEWAY_IP_v6;

 function is_self_net() {
  return net ~ [$SUBNET_v6+];
 }

 curl -s https://ca.dn42.us/reg/filter6.txt | \
    awk '/^[0-9]/ && $2 ~ /permit/ {printf "%s{%s,%s}\n", $3, $4, $5}' | \
    awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n"} \
        NR > 1 {printf ",\n"} {printf "  %s", $1}
        END {printf "\n ];\n}\n"}' > /etc/bird/filter6.conf

 mkdir /etc/bird/peers6
 curl -sfSLR {-o,-z}/etc/bird/bird6_roa_dn42.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf
 crontab -l | { cat; echo "*/15 * * * * curl -sfSLR {-o,-z}/etc/bird/bird6_roa_dn42.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf && chronic birdc6 configure"; } | crontab -

 # Snmp
 apt-get install snmpd -y
 cat << EOF > /etc/snmp/snmpd.conf
 com2sec vnet $SNMP_IP $SNMP_PASS
 group vnetGroup v2c vnet
 access vnetGroup "" any noauth prefix all none none
 view all included .1 80
 EOF

 service snmpd restart

 # Bird-lg
 apt-get install python-pip git -y
 pip install flask
 pip install dnspython
 pip install pydot
 git clone https://github.com/sileht/bird-lg
 cat << EOF > ~/bird-lg/lgproxy.cfg
 DEBUG=False
 LOG_FILE="/var/log/lg-proxy.log"
 LOG_LEVEL="WARNING"
 ACCESS_LIST = ["170.178.170.232"]
 IPV4_SOURCE="$GATEWAY_IP"
 IPV6_SOURCE="$GATEWAY_IP_v6"
 EOF
 sed "s/0.0.0.0/$PUBLIC_IP" /root/bird-lg/lgproxy.py -i
 nohup python /root/bird-lg/lgproxy.py > /dev/null 2>&1 &

 # Security
 /sbin/iptables -A FORWARD -o eth0 -j REJECT

 # rc.local
 sed -i '$i\nohup python \/root\/bird-lg\/lgproxy.py > \/dev\/null 2>&1 &' /etc/rc.local
 sed -i '$i\/sbin\/iptables -A FORWARD -o eth0 -j REJECT' /etc/rc.local
	#!/bin/bash

	# ----------------
	AS=
	SUBNET=
	ROUTER_ID=
	GATEWAY_IP=
	SUBNET_v6=
	GATEWAY_IP_v6=
	SNMP_IP=
	SNMP_PASS=
	PUBLIC_IP=`date +%s \| sha256sum \| base64 \| head -c 32`
	# ----------------

	# Update System
	cd ~
	apt-get update && apt-get dist-upgrade -y

	# Install bird
	wget -O - http://bird.network.cz/debian/apt.key \| apt-key add -
	apt-get install lsb-release -y
	echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
	apt-get update
	apt-get install bird -y
	systemctl enable bird
	systemctl enable bird6

	# Install OpenVPN
	apt-get install openvpn -y

	# IPv4
	cat << EOF > /etc/bird/bird.conf
	roa table dn42_roa {
	include "bird_roa_dn42.conf";
	};

	# Device status
	protocol device {
	scan time 10; # recheck every 10 seconds
	}

	protocol static {
	# Static routes to announce your own range(s) in dn42
	route $SUBNET reject;
	import all;
	export none;
	};

	# local configuration
	######################

	# keeping router specific in a seperate file,
	# so this configuration can be reused on multiple routers in your network
	include "/etc/bird/local4.conf";

	# filter helpers
	#################

	include "/etc/bird/filter4.conf";

	# Kernel routing tables
	########################

	/*
	krt_prefsrc defines the source address for outgoing connections.
	On Linux, this causes the "src" attribute of a route to be set.

	Without this option outgoing connections would use the peering IP which
	would cause packet loss if some peering disconnects but the interface
	is still available. (The route would still exist and thus route through
	the TUN/TAP interface but the VPN daemon would simply drop the packet.)
	*/
	protocol kernel {
	scan time 20;
	device routes;
	import none;
	export filter {
	if source = RTS_STATIC then reject;
	krt_prefsrc = OWNIP;
	accept;
	};
	};
	# DN42
	#######

	template bgp dnpeers {
	local as OWNAS;
	# metric is the number of hops between us and the peer
	path metric 1;
	# this lines allows debugging filter rules
	# filtered routes can be looked up in birdc using the "show route filtered" command
	import keep filtered;
	import filter {
	if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
	print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
	reject;
	}
	# accept every subnet, except our own advertised subnet
	# filtering is important, because some guys try to advertise routes like 0.0.0.0
	if is_valid_network() && !is_self_net() then {
	accept;
	}
	reject;
	};
	export filter {
	# here we export the whole net
	if is_valid_network() then {
	accept;
	}
	reject;
	};
	import limit 10000 action block;
	#source address OWNIP;
	};

	template bgp locals {
	local as OWNAS;
	import all;
	export all;
	direct;
	next hop self;
	};

	include "/etc/bird/peers4/*";
	EOF

	cat << EOF > /etc/bird/local4.conf
	router id $ROUTER_ID;

	define OWNAS = $AS;
	define OWNIP = $GATEWAY_IP;

	function is_self_net() {
	return net ~ [$SUBNET+];
	}
	EOF

	curl -s https://ca.dn42.us/reg/filter.txt \| \
	awk '/^[0-9]/ && $2 ~ /permit/ {printf "%s{%s,%s}\n", $3, $4, $5}' \| \
	awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n"} \
	NR > 1 {printf ",\n"} {printf " %s", $1}
	END {printf "\n ];\n}\n"}' > /etc/bird/filter4.conf

	mkdir /etc/bird/peers4
	curl -sfSLR {-o,-z}/etc/bird/bird_roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf
	crontab -l \| { cat; echo "/15 * * * curl -sfSLR {-o,-z}/etc/bird/bird_roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf && chronic birdc configure"; } \| crontab -

	# IPv6
	cat << EOF > /etc/bird/bird6.conf
	roa table dn42_roa {
	include "bird6_roa_dn42.conf";
	};

	protocol device {
	scan time 10;
	}

	# local configuration
	######################

	include "/etc/bird/local6.conf";

	# filter helpers
	#################

	include "/etc/bird/filter6.conf";

	# Kernel routing tables
	########################


	/*
	krt_prefsrc defines the source address for outgoing connections.
	On Linux, this causes the "src" attribute of a route to be set.

	Without this option outgoing connections would use the peering IP which
	would cause packet loss if some peering disconnects but the interface
	is still available. (The route would still exist and thus route through
	the TUN/TAP interface but the VPN daemon would simply drop the packet.)
	*/
	protocol kernel {
	scan time 20;
	device routes;
	import none;
	export filter {
	if source = RTS_STATIC then reject;
	krt_prefsrc = OWNIP;
	accept;
	};
	}

	# static routes
	################

	protocol static {
	route $SUBNET_v6 reject;
	import all;
	export none;
	}

	template bgp dnpeers {
	local as OWNAS;
	path metric 1;
	import keep filtered;
	import filter {
	if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
	print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
	reject;
	}
	if is_valid_network() && !is_self_net() then {
	accept;
	}
	reject;
	};
	export filter {
	if is_valid_network() then {
	accept;
	}
	reject;
	};
	import limit 10000 action block;
	}

	template bgp locals {
	local as OWNAS;
	import all;
	export all;
	direct;
	next hop self;
	}

	include "/etc/bird/peers6/*";
	EOF

	cat << EOF > /etc/bird/local6.conf
	router id $ROUTER_ID;

	define OWNAS = $AS;
	define OWNIP = $GATEWAY_IP_v6;

	function is_self_net() {
	return net ~ [$SUBNET_v6+];
	}

	curl -s https://ca.dn42.us/reg/filter6.txt \| \
	awk '/^[0-9]/ && $2 ~ /permit/ {printf "%s{%s,%s}\n", $3, $4, $5}' \| \
	awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n"} \
	NR > 1 {printf ",\n"} {printf " %s", $1}
	END {printf "\n ];\n}\n"}' > /etc/bird/filter6.conf

	mkdir /etc/bird/peers6
	curl -sfSLR {-o,-z}/etc/bird/bird6_roa_dn42.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf
	crontab -l \| { cat; echo "/15 * * * curl -sfSLR {-o,-z}/etc/bird/bird6_roa_dn42.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf && chronic birdc6 configure"; } \| crontab -

	# Snmp
	apt-get install snmpd -y
	cat << EOF > /etc/snmp/snmpd.conf
	com2sec vnet $SNMP_IP $SNMP_PASS
	group vnetGroup v2c vnet
	access vnetGroup "" any noauth prefix all none none
	view all included .1 80
	EOF

	service snmpd restart

	# Bird-lg
	apt-get install python-pip git -y
	pip install flask
	pip install dnspython
	pip install pydot
	git clone https://github.com/sileht/bird-lg
	cat << EOF > ~/bird-lg/lgproxy.cfg
	DEBUG=False
	LOG_FILE="/var/log/lg-proxy.log"
	LOG_LEVEL="WARNING"
	ACCESS_LIST = ["170.178.170.232"]
	IPV4_SOURCE="$GATEWAY_IP"
	IPV6_SOURCE="$GATEWAY_IP_v6"
	EOF
	sed "s/0.0.0.0/$PUBLIC_IP" /root/bird-lg/lgproxy.py -i
	nohup python /root/bird-lg/lgproxy.py > /dev/null 2>&1 &

	# Security
	/sbin/iptables -A FORWARD -o eth0 -j REJECT

	# rc.local
	sed -i '$i\nohup python \/root\/bird-lg\/lgproxy.py > \/dev\/null 2>&1 &' /etc/rc.local
	sed -i '$i\/sbin\/iptables -A FORWARD -o eth0 -j REJECT' /etc/rc.local