APPUNTI VM internet e AMPRNET
Appunti di viaggio per gli addetti ai lavori
Vm di base
Questa è una VM debian minimal su OVH che ha una configurazione di rete MOLTO particolare.
Se funziona qui, ci sono altissime probabilità che funzioni anche da voi.
Pacchetti base installati: iptables ipset wireguard ssh caddy
interfacce
root@geu-ampr:/etc/network# cat interfaces
# /etc/network/interfaces — ifupdown configuration of the OVH VM.
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
    # The address is a /32, so the gateway is not on-link: a host route to the
    # gateway goes in first, then the default route through it; the pre-down
    # lines undo both in reverse order. "ip.in.ter.net" / "gw.in.ter.net"
    # stand in for the real public address and gateway.
    address ip.in.ter.net/32
    post-up ip route add gw.in.ter.net dev eth0
    post-up ip route add default via gw.in.ter.net dev eth0
    pre-down ip route del default via gw.in.ter.net dev eth0
    pre-down ip route del gw.in.ter.net dev eth0
    # NOTE(review): when systemd-resolved owns /etc/resolv.conf this line is
    # only acted on by ifupdown's resolvconf hook, if installed; the drop-ins
    # under /etc/systemd/resolved.conf.d carry the effective upstream list.
    dns-nameservers 8.8.8.8
tunnel wireguard
root@geu-ampr:/etc/wireguard# cat wg_ampr_ari0.conf
# /etc/wireguard/wg_ampr_ari0.conf — wg-quick configuration of the AMPR tunnel.
# Section order does not matter to wg-quick; [Peer] simply comes first here.
# PUBLICKEY / PRESHAREDKEY / PRIVATEKEY are placeholders for the real keys.
# NOTE(review): this file holds the private key and the PSK — keep it readable
# by root only (mode 0600), as wg-quick expects.
[Peer]
PublicKey = PUBLICKEY
# Only the two AMPR aggregates are routed into the tunnel (no full-tunnel).
AllowedIPs = 44.0.0.0/9, 44.128.0.0/10
Endpoint = 5.144.187.34:13236
# Pre-shared key on top of the Noise handshake (extra symmetric layer).
PresharedKey = PRESHAREDKEY

[Interface]
# Must match the UDP port admitted by the firewall (rules.v4, "WireGuard").
ListenPort = 51820
PrivateKey = PRIVATEKEY
Address = 44.32.33.xxx/21
# If this DNS line is enabled, every DNS query is diverted to those servers.
# Use systemd-resolved instead to get a per-domain resolver.
#DNS = 44.32.32.2, 44.60.44.3, 44.32.32.1
# Create the line "585 r_AMPR" in /etc/iproute2/rt_tables.
# wg-quick installs the AllowedIPs routes into this table instead of main.
Table = r_AMPR
# NOTE(review): the hook script shown in these notes is named
# wg_ampr_ari0-up.sh, while this path says wg_ampr_ari-up0.sh — confirm the
# name on disk, otherwise wg-quick fails the PostUp step.
PostUp = /etc/wireguard/wg_ampr_ari-up0.sh
root@geu-ampr:/etc/wireguard# cat wg_ampr_ari0-up.sh
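#!/bin/bash
# wg-quick PostUp hook for wg_ampr_ari0: (re)install the AMPR routes
# (44.0.0.0/9 and 44.128.0.0/10) via the tunnel gateway 44.32.32.1, both in
# the main table and in the policy table r_AMPR.
# Referenced from wg_ampr_ari0.conf's PostUp line (which spells the path
# wg_ampr_ari-up0.sh — confirm the name on disk).
#
# Globals:   none read; modifies the kernel routing tables (needs CAP_NET_ADMIN)
# Arguments: none
# Returns:   0 when every route is installed; non-zero on the first failing
#            `ip route replace` (set -e), so wg-quick sees the hook fail
#            instead of being left with a half-configured table.
set -eu

readonly wg_if=wg_ampr_ari0
readonly wg_gw=44.32.32.1
readonly ampr_table=r_AMPR   # must exist in /etc/iproute2/rt_tables
readonly ampr_prefixes=(44.0.0.0/9 44.128.0.0/10)

# `ip route replace` is add-or-overwrite in a single netlink call. The previous
# del-then-add pair only deleted a route whose gateway was exactly $wg_gw
# (and used a stray `|true` instead of `||true`), so any pre-existing route for
# the same prefix with a different next hop — e.g. the `dev wg_ampr_ari0` route
# wg-quick may already have put in table r_AMPR because the .conf sets
# Table = r_AMPR — made the subsequent `add` fail with "File exists".
for prefix in "${ampr_prefixes[@]}"; do
  ip route replace "$prefix" via "$wg_gw"
  ip route replace "$prefix" via "$wg_gw" dev "$wg_if" table "$ampr_table"
done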
firewall
root@geu-ampr:/etc/iptables# cat rules.v4
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Mar 6 14:11:24 2024
# Loaded with iptables-restore. The [pkts:bytes] values are the counters at
# save time; iptables-restore only reinstates them with -c. "ip.qth" stands in
# for the operator's home address. Only IPv4 is shown in these notes; an IPv6
# ruleset (rules.v6) is not included.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Mar 6 14:11:24 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Mar 6 14:11:24 2024
*filter
# Default-deny inbound; every ACCEPT below is an explicit exception.
:INPUT DROP [79:8052]
# FORWARD keeps the ACCEPT policy. That is moot while ip_forward is off, but if
# this VM ever routes between wg_ampr_ari0 and eth0 the chain needs its own
# rules (not shown here).
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [118:18860]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# WireGuard listener (ListenPort = 51820 in wg_ampr_ari0.conf).
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT -m comment --comment "WireGuard"
# "fragmentation needed" must be admitted from anywhere or path-MTU discovery
# across the tunnel breaks; echo-request is answered only for AMPR sources.
-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT -m comment --comment "PMTU Discovery"
-A INPUT -p icmp --icmp-type 8 -s 44.0.0.0/9 -j ACCEPT -m comment --comment "ping solo da AMPR"
-A INPUT -p icmp --icmp-type 8 -s 44.128.0.0/10 -j ACCEPT -m comment --comment "ping solo da AMPR"
# Web (caddy). 443 is admitted although the Caddyfile in these notes binds
# only :80 — harmless while nothing listens there.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Home address: no -p/--dport, so every local service (ssh included) is
# reachable from it. There is no global allow for ssh (22).
-A INPUT -s ip.qth -m comment --comment "Casa" -j ACCEPT
COMMIT
# Completed on Wed Mar 6 14:11:24 2024
NS resolver selettivo
Resolver di default e resolver specifico per dominio e sottodomini di ampr.ari.it
root@geu-ampr:/etc/systemd/resolved.conf.d# cat ampr.ari.it.conf
# /etc/systemd/resolved.conf.d/ampr.ari.it.conf
# Upstream for ampr.ari.it and its subdomains: the AMPR resolvers reachable
# through the WireGuard tunnel. Without a leading "~" the domain is both a
# search suffix and a routing domain.
# NOTE(review): DNS= and Domains= in [Resolve] are global settings, and the
# values of all drop-ins appear to be merged into one system-wide server list
# rather than paired file by file; systemd-resolved pins a domain to specific
# servers when both are configured on a link (e.g. `resolvectl dns
# wg_ampr_ari0 ...` plus `resolvectl domain wg_ampr_ari0 ampr.ari.it`).
# Confirm with `resolvectl query <name>.ampr.ari.it` which server answers.
[Resolve]
Domains=ampr.ari.it
DNS=44.32.32.2 44.60.44.3 44.32.32.1
root@geu-ampr:/etc/systemd/resolved.conf.d# cat dns_servers.conf
# /etc/systemd/resolved.conf.d/dns_servers.conf
# Catch-all upstream: the route-only domain "~." claims every name that no
# more specific routing domain matches. Queries go out as plain DNS;
# systemd-resolved offers DNSOverTLS= and DNSSEC= here if that is wanted.
[Resolve]
DNS=8.8.8.8
Domains=~.
reverse proxy
root@geu-ampr:/etc/caddy# cat Caddyfile
# /etc/caddy/Caddyfile — three static sites plus a catch-all, all plain HTTP.
# Naming the port (:80) on a site address turns off Caddy's automatic HTTPS
# for it, so this file configures nothing on 443.
vm.iw1geu.ampr.ari.it:80 {
    root * /var/www/vm.iw1geu.ampr.ari.it
    file_server
}
my.ip.ampr.net:80 {
    root * /var/www/my.ip.ampr.net
    file_server
}
ip.in.ter.net:80 {
    root * /var/www/ip.in.ter.net
    file_server
}
# Any other Host header (or none) gets a fixed reply instead of a site.
:80 {
    respond "Makkè quarzo vuoi!??"
}