compulab-networking-init/compulab-networking-init.sh
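#!/usr/bin/env bash
# Provision routing, firewall, DHCP, SSH and the cellular uplink on a new
# CompuLab based edge device. Run once, as a user with sudo, on a freshly
# imaged box; the device reboots at the end.
#
# Network layout assumed below:
#   eth0 / eth1  LAN side, 192.168.1.0/24 (this box is 192.168.1.1 / .2)
#   wwan0        cellular uplink (AT&T or Verizon); LAN traffic is NAT'd out
#
# SECURITY: sshd is reachable from the cellular side (wwan0), i.e. from the
# public internet. Password logins are therefore only accepted from the LAN,
# everything else must present a public key, and new SSH connections on
# wwan0 are rate-limited. Put a key in /home/compulab/.ssh/authorized_keys
# BEFORE relying on remote access over cellular or you will be locked out.
set -euo pipefail

readonly SSH_USER=compulab

#######################################
# Append a line to a config file unless an identical line is already there,
# so re-running this script does not pile up duplicate entries.
# Arguments: $1 - file, $2 - exact line to add
#######################################
append_once() {
  local file=$1 line=$2
  if ! sudo grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" | sudo tee -a -- "$file" > /dev/null
  fi
}

#######################################
# Install the DHCP server and the local DNS resolver.
#######################################
install_packages() {
  sudo apt-get install -y isc-dhcp-server bind9
}

#######################################
# Harden sshd for a host that is exposed on the cellular side.
# Globals: SSH_USER
#######################################
configure_ssh() {
  # sshd takes the FIRST value it sees for an option. A drop-in under
  # /etc/ssh/sshd_config.d (included at the top of sshd_config on newer
  # Ubuntu/Debian) that sets PasswordAuthentication yes would therefore win
  # over what we append here - check the effective value with
  #   sudo sshd -T | grep -i passwordauthentication
  append_once /etc/ssh/sshd_config 'PubkeyAuthentication yes'
  append_once /etc/ssh/sshd_config 'PasswordAuthentication no'
  # Match blocks apply to every line after them until the next Match, so the
  # LAN exception must stay the last thing in the file.
  if ! sudo grep -q '^Match Address 192.168.1.0/24' /etc/ssh/sshd_config; then
    sudo tee -a /etc/ssh/sshd_config > /dev/null <<'EOT'
# Password logins are only allowed from the wired LAN; the cellular side
# (wwan0, public internet) requires a public key.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOT
  fi
  # sshd (StrictModes) refuses keys in a .ssh directory the user does not own
  # or that is group/world writable; a plain `sudo mkdir` produced a
  # root-owned 755 directory the user could not even write a key into.
  sudo install -d -m 700 -o "$SSH_USER" -g "$(id -gn "$SSH_USER")" \
    "/home/$SSH_USER/.ssh"
}

#######################################
# Ensure the timezone is CDT (America/Chicago).
#######################################
configure_timezone() {
  sudo timedatectl set-timezone America/Chicago
}

#######################################
# Create the AT&T and Verizon GSM connections and make them the preferred
# default route (both carry the same metric, the modem decides which is up).
#######################################
configure_cellular() {
  sudo nmcli connection add type gsm ifname '*' con-name ATT apn 11166.mcs
  sudo nmcli connection add type gsm ifname '*' con-name Verizon apn ne01.vzwstatic
  sudo nmcli connection modify ATT ipv4.route-metric 2
  sudo nmcli connection modify Verizon ipv4.route-metric 2
  sudo systemctl restart NetworkManager
}

#######################################
# Point gpsd at the modem's NMEA port and switch the modem's GNSS on via its
# AT port. Both files live outside $HOME, so this needs sudo like the rest
# of the script (the original ran these lines unprivileged and they failed
# silently when the script was run as a normal user).
#######################################
configure_gps() {
  sudo sed -i 's|^DEVICES=.*|DEVICES="/dev/ttyUSB1"|' /etc/default/gpsd
  # Best-effort: a bench box without the modem must not abort provisioning.
  local at_cmd
  for at_cmd in 'AT+CGPS=0,1' 'AT+CGPS=1,1'; do
    printf '%s\n' "$at_cmd" | sudo socat - /dev/ttyUSB3,crnl \
      || printf 'warning: could not send %s to /dev/ttyUSB3\n' "$at_cmd" >&2
  done
}

#######################################
# Enable IPv4 forwarding (this box routes the LAN out over wwan0). Applied
# at the reboot that ends the script.
#######################################
configure_forwarding() {
  append_once /etc/sysctl.conf 'net.ipv4.ip_forward=1'
}

#######################################
# Static LAN addressing for eth0/eth1.
#######################################
configure_interfaces() {
  # NOTE(review): eth0 and eth1 are both placed in 192.168.1.0/24 as separate
  # interfaces. The kernel will only use one of them for that subnet and
  # DHCP clients on the other port are handed a gateway (192.168.1.1) that
  # is not on their link. If both ports are meant to serve the same LAN,
  # bridge them (br0) or give eth1 its own subnet. Also confirm that ifupdown
  # is what brings these interfaces up on this image: the cellular link is
  # managed by NetworkManager, and if NetworkManager also owns eth0/eth1 this
  # file and the if-pre-up.d firewall hook below are never used.
  sudo tee /etc/network/interfaces > /dev/null <<'EOT'
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
# loopback interface
auto lo
iface lo inet loopback
# LAN interface
auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0
auto eth1
iface eth1 inet static
address 192.168.1.2
netmask 255.255.255.0
EOT
}

#######################################
# Write the firewall ruleset and the hook that loads it before an interface
# comes up.
#######################################
configure_firewall() {
  sudo tee /etc/network/if-pre-up.d/iptables > /dev/null <<'EOT'
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables
EOT
  # run-parts only executes files with the execute bit set; tee created the
  # hook as 0644, so the rules were never loaded at boot and the box came
  # up with no firewall at all.
  sudo chmod 755 /etc/network/if-pre-up.d/iptables

  sudo tee /etc/network/iptables > /dev/null <<'EOT'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT wwan0 to eth0
-A POSTROUTING -o wwan0 -j MASQUERADE
# NAT port forwards
#-A PREROUTING -p tcp -m tcp -i wwan0 --dport 80 -j DNAT --to-destination 192.168.1.100:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Service rules
# basic global accept rules - loopback, ICMP, established/related all accepted
# (all of lo, not only 127/8<->127/8, so local connections to the box's own
# 192.168.1.x addresses are not dropped)
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# SSH - accept from the cellular side (public internet), but drop a source
# that opens more than 4 new connections per minute to blunt brute forcing.
# sshd itself only accepts keys from here (see sshd_config Match block).
-A INPUT -i wwan0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -i wwan0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -i wwan0 -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (eth0) to WAN (wwan0)
-A FORWARD -i eth0 -o wwan0 -j ACCEPT
-A FORWARD -i eth1 -o wwan0 -j ACCEPT
# allow traffic from port forward
#-A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
EOT
}

#######################################
# DHCP for the LAN. dhcpd is restricted to the LAN ports so it never
# listens on the cellular interface.
#######################################
configure_dhcp() {
  sudo tee /etc/default/isc-dhcp-server > /dev/null <<'EOT'
# Only serve DHCP on the wired LAN ports, never on the cellular uplink.
INTERFACESv4="eth0 eth1"
INTERFACESv6=""
EOT
  # The sample "option domain-name-servers ns1.example.org, ns2.example.org;"
  # line was dropped: dhcpd resolves hostnames while parsing the config and
  # can refuse to start when they do not resolve, and the subnet-level
  # option below overrides it anyway.
  # NOTE(review): bind9 is installed and the firewall admits DNS from the
  # LAN, yet clients are handed 8.8.8.8 directly. If the local resolver is
  # intended, point clients at 192.168.1.1 instead.
  sudo tee /etc/dhcp/dhcpd.conf > /dev/null <<'EOT'
# dhcpd.conf
#
# DHCP configuration for the edge device LAN
#
# option definitions common to all supported networks...
option domain-name "henrypump.iot";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
option routers 192.168.1.1;
option domain-name-servers 8.8.8.8;
option broadcast-address 192.168.1.255;
}
EOT
}

#######################################
# Syntax-check the generated configs. Under set -e any failure stops the
# script BEFORE the reboot, so we never reboot into a box whose sshd,
# firewall or DHCP server will not come up.
#######################################
validate_configs() {
  sudo sshd -t
  sudo iptables-restore --test < /etc/network/iptables
  sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf
}

main() {
  install_packages
  configure_ssh
  configure_timezone
  configure_cellular
  configure_gps
  configure_forwarding
  configure_interfaces
  configure_firewall
  configure_dhcp
  validate_configs
  sudo reboot now
}

main "$@"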