
Rikka0_0小六花 rikka0w0

  • UNSW
  • Sydney
@rikka0w0
rikka0w0 / README.md
Last active March 1, 2025 12:29
[nftables] IPv6 firewall with dynamic prefix update

It is very common that the ISP-provided modem only lets you either block all incoming IPv6 connections entirely or let all incoming requests through.

To publish your service on the internet, the only option is to tell the ISP-provided modem to let all incoming requests through. However, this poses a security risk: it may accidentally expose private services on the internet (e.g. SMB sharing or remote desktop).

To enhance security on such a network, each device needs to configure its own firewall properly. A device needs to either block all incoming IPv6 requests or only allow connections from hosts with the same IPv6 prefix. For the sake of convenience, we obviously want the latter. But things get complicated when you have a dynamic IPv6 prefix from your ISP.

Generally speaking, you must run a script to update the firewall rules each time your prefix changes.

So the automated firewall rule modification can be broken down into two parts:

  1. Set up the firewall to allow dynamic updates of the rule set
@rikka0w0
rikka0w0 / 4_boot_attempt.log
Last active December 20, 2024 10:39
Port OpenWrt to CG3100D, a BCM3380-based device
[ 0.000000] Linux version 6.6.50 (rikka@i9-13900ks-wsl) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 13.3.0 r27346-c7ba5574f5) 13.3.0, GNU ld (GNU Binutils) 2.42) #0 SMP Mon Oct 14 09:59:31 2024
[ 0.000000] CPU0 revision is: 0002a070 (Broadcom BMIPS4350)
[ 0.000000] MIPS: machine is Netgear CG3100D
[ 0.000000] 64MB of RAM installed
[ 0.000000] earlycon: bcm63xx_uart0 at MMIO 0x14e00200 (options '115200n8')
[ 0.000000] printk: bootconsole [bcm63xx_uart0] enabled
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Reserving 0KB of memory at 4194303KB for kdump
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[ 0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
@rikka0w0
rikka0w0 / ipv6_relay_pxe_coexist.md
Last active July 26, 2024 18:44
Setup IPv6 Relay and IPv6 PxE (Co-exist) on OpenWrt

Some ISPs only offer you a /64 prefix. If you want to add an OpenWrt router between the ISP router and your LAN while still granting IPv6 access to LAN devices, you need relaying. OpenWrt's built-in odhcpd (package odhcpd-ipv6only) can handle DHCPv6 relay. To enable this feature, enable relay mode for ra and ndp on both wan6 (the upstream-facing IPv6 interface) and lan.


Reboot your router and your LAN devices should get IPv6 addresses.

I'm running OpenWrt as a VM on a PVE hypervisor. The vmbr0 interface is used as the private LAN and vmbr1 is for the public WAN.

I noticed that vmbr1 got an IPv6 address via SLAAC, and the admin web console was accessible from the public Internet. This is a security risk and must be resolved. The solution is to remove the unwanted IPv6 address.

Method 1 - Disable IPv6 on a per-interface basis

Run the following command to append the setting to /etc/sysctl.conf, then reboot:

```
echo 'net.ipv6.conf.vmbr1.disable_ipv6 = 1' >> /etc/sysctl.conf
```

Method 2 - Disable SLAAC on a per-interface basis

Find out if your Wi-Fi adapter supports monitor mode

Windows: run `netsh wlan show wirelesscapabilities` in an admin cmd shell and look for `Network monitor mode`.

Linux: run `iw list | grep -Fe "Supported interface modes" -n10` and look for `* monitor` in the `Supported interface modes:` section.

In Kali Linux

I boot a live Kali 2024.1 from an 8G USB stick on an Acer ES1-531-P8NJ and install hcxdumptool and hcxtools from the official repo. The version of hcxdumptool in the repo is 6.3.1 as of 20240420.

Stop Wi-Fi-related services

@rikka0w0
rikka0w0 / openwrt_pve.md
Last active March 27, 2024 13:19
Install an OpenWrt KVM on a PVE host machine
  1. Install PVE using the official ISO and create a KVM with 512 MB of RAM and no disk.
  2. In the PVE host shell, run these commands to import the official OpenWrt image into the VM:

```
cd /tmp
wget https://downloads.openwrt.org/releases/23.05.2/targets/x86/64/openwrt-23.05.2-x86-64-generic-squashfs-combined-efi.img.gz
gunzip openwrt-23.05.2-x86-64-generic-squashfs-combined-efi.img.gz
# Replace 101 with the VM ID
qm importdisk 101 openwrt-23.05.2-x86-64-generic-squashfs-combined-efi.img local-lvm
```

https://medium.com/@aj.abdelwahed/openwrt-on-proxmox-ve-turn-your-raspberry-pi-into-a-networking-powerhouse-ee61bd2f342c

@rikka0w0
rikka0w0 / workstation_pve_win11
Last active March 19, 2024 07:07
[Workstation]pve install win11
# `cat /etc/default/grub`
`GRUB_CMDLINE_LINUX_DEFAULT="intel_iommu=on kvm.ignore_msrs=1 vfio-pci.ids=10de:2786,10de:22bc pci=realloc"`
May also need: `video=efifb:off video=simplefb:off`
# `cat /etc/modprobe.d/blacklist-nouveau.conf`
```
blacklist nouveau
options nouveau modeset=0
```
```
# Configure port mirroring on the external port of the Hyper-V switch
$a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
$a.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName "DefaultSwitch" -VMSwitchExtensionFeature $a
```

Also check Enable MAC address spoofing in the VM's NIC settings.

@rikka0w0
rikka0w0 / index.html
Created November 11, 2023 16:59
A simple shell on Webpage with NodeJS
```
<!DOCTYPE html>
<html>
<head>
<title>Simple Webshell</title>
<style>
body {
font-family: 'Consolas', monospace;
}
#commandInput {
display: block;
```