https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&feedformat=atom&user=DngrayAlpine Linux - User contributions [en]2026-04-25T20:07:25ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi_(IPv6)&diff=19844Linux Router with VPN on a Raspberry Pi (IPv6)2021-07-13T06:44:52Z<p>Dngray: /* Make description more generic */</p>
<hr />
<div>{{TOC right}}<br />
<br />
I have split this off the main article [[Linux Router with VPN on a Raspberry Pi]] IPv6 implementation requires a few changes to the initial article to work. I haven't duplicated everything here however, just the stuff that relates to IPv6.<br />
<br />
= Introduction =<br />
IPv6 introduces a number of new complexities into our network. If you've completed previous IPv4 only guide [[Linux Router with VPN on a Raspberry Pi]] then read on.<br />
<br />
Your VPN provider may only offers you a single stack connection (no IPv6). You won't be able to implement IPv6 addressing on VLAN 3 to carry your IPv6 traffic out of the VPN. If your ISP gives you IPv6 addressing you may still implement addressing on VLAN2 to carry traffic directly to your ISP. In this example I do both.<br />
<br />
If you don't know much about IPv6 then these pages might be of interest to get you up to speed.<br />
<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO Linux IPv6 HOWTO (en)] - in particular the "basics" and "address types".<br />
* [https://en.wikipedia.org/wiki/IPv6 IPv6]<br />
* [https://en.wikipedia.org/wiki/IPv6_address IPv6 Address]<br />
* [https://en.wikipedia.org/wiki/Prefix_delegation Prefix delegation] we use this with dhcpcd when doing DHCPv6-PD to inform our ISP of our network devices.<br />
* [https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol Neighbor Discovery Protocol] we use this with radvd to distribute our routes.<br />
* [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_version_6 Internet Control Message Protocol version 6] ICMPv6 differs from ICMPv4 and is used for many critical parts of IPv6 infrastructure.<br />
* [http://ipv6-test.com IPv6-test.com] Useful for diagnosing if IPv6 is working.<br />
<br />
<br />
[[File:Network_Diagram_ipv4_ipv6_with_vlans.svg|900px|center|Network Diagram IPv4 and IPv6]]<br />
<br />
= Enabling IPv6 support =<br />
<br />
Assuming you're using the Alpine Linux kernel, IPv6 support is available separately as a module.<br />
<br />
{{cmd|modprobe ipv6}}<br />
To add the module to our startup configuration.<br />
{{cmd|echo "ipv6" >> /etc/modules}}<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
Modify the sysctl section to include IPv6 support:<br />
<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# http://vk5tu.livejournal.com/37206.html<br />
# What's this special value "2"? Originally the value was "1", but this <br />
# disabled autoconfiguration on all interfaces. That is, you couldn't appear <br />
# to be a router on some interfaces and appear to be a host on other <br />
# interfaces. But that's exactly the mental model of a ADSL router. <br />
<br />
# Controls IP packet forwarding<br />
net.ipv6.conf.all.forwarding = 2<br />
net.ipv6.conf.default.forwarding = 2<br />
<br />
# Accept Router Advertisments<br />
net.ipv6.conf.all.accept_ra = 2<br />
net.ipv6.conf.default.accept_ra = 2<br />
<br />
# We are a router so disable temporary addresses<br />
net.ipv6.conf.all.use_tempaddr = 0<br />
net.ipv6.conf.default.use_tempaddr = 0</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add an IPv6 interface for each VLAN. Note we don't need to add one for VLAN2 because dhcpcd will take care of that for us using our ISPs router advertisements. Also note the . (dot notation) represents a VLAN interface where as : (colon notation) used in the previous article represented an IP address aliased on an interface. <br />
<br />
The reason we need VLANs here is because each VLAN has it's own broadcast and we don't want our router advertisements to be putting routes and addresses on all the interfaces. It also helps us with a more secure design, but requires a managed switch.<br />
<br />
<pre># VLAN 2 - DESTINED FOR ISP<br />
auto eth0.2<br />
iface eth0.2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules<br />
<br />
# VLAN 3 - DESTINED FOR VPN<br />
auto eth0.3<br />
iface eth0.3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
<br />
iface eth0.3 inet6 static<br />
address fde4:8dba:82e1:fff3::1<br />
netmask 64<br />
autoconf 0<br />
accept_ra 0<br />
privext 0<br />
<br />
# VLAN 4 - LAN ONLY<br />
auto eth0.4<br />
iface eth0.4 inet static<br />
address 192.168.4.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.4.255<br />
post-up /etc/network/route_LAN<br />
<br />
iface eth0.4 inet6 static<br />
address fde4:8dba:82e1:fff4::1<br />
netmask 64<br />
autoconf 0<br />
accept_ra 0<br />
privext 0</pre><br />
<br />
= Configuring PPP =<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem. <br />
<br />
See [[PPP]], you will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
== Check system log ==<br />
Restart ppp.<br />
<br />
{{cmd|poff yourISP}}<br />
{{cmd|pon yourISP}}<br />
<br />
In /var/log/messages you should see something like<br />
<br />
<pre>pppd[]: Plugin rp-pppoe.so loaded.<br />
pppd[]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7<br />
pppd[]: pppd 2.4.7 started by root, uid 0<br />
pppd[]: PPP session is 49969<br />
pppd[]: Connected to 00:53:00:ff:ff:f0 via interface eth1<br />
pppd[]: Using interface ppp0<br />
pppd[]: Connect: ppp0 <--> eth1<br />
pppd[]: CHAP authentication succeeded<br />
pppd[]: CHAP authentication succeeded<br />
pppd[]: peer from calling number 00:53:00:FF:FF:F0 authorized<br />
pppd[]: local LL address fe80::0db8:ffff:ffff:fff1<br />
pppd[]: remote LL address fe80::0db8:ffff:ffff:fff0<br />
pppd[]: local IP address 192.0.2.1<br />
pppd[]: remote IP address 192.0.2.0<br />
pppd[]: primary DNS address 192.0.2.10<br />
pppd[]: secondary DNS address 192.0.2.20</pre><br />
<br />
You should be able to now ping things such as<br />
<br />
{{cmd|ping6 ipv6.google.com}}<br />
<br />
from your router.<br />
<br />
= Prefix Delegation =<br />
<br />
The next step will be to configure DHCPv6 Prefix Delegation with your ISP. Install dhcpcd. While many guides do use the wide-dhcpv6-client [http://bugs.alpinelinux.org/issues/564 it should be noted this is unmaintained] and not included in Alpine Linux.<br />
<br />
Don't use the ISC's dhclient either as [https://bugs.gentoo.org/show_bug.cgi?id=432652 this does not support Prefix Delegations on PPP links] without a patch.<br />
<br />
{{cmd|apk add dhcpcd}}<br />
<br />
You can check out the manual for [http://roy.marples.name/man/html5/dhcpcd.conf.html dhcpcd.conf]. Installing dhcpcd-doc will allow you to read the man file. Eg:<br />
<br />
{{cmd|apk add dhcpcd-doc}}<br />
<br />
=== /etc/dhcpcd.conf ===<br />
<br />
{{cmd|apk add dhcpcd}}<br />
<br />
If the main repositories have dhcpcd below version 7.0.7 (at time of writing AlpineLinux 3.8 and below) you will need to use the latest version from edge as it fixes a bug with unique link local addresses on our VLANs [https://roy.marples.name/blog/dhcpcd-7-0-7-released dhcpcd ChangeLog] this [https://patchwork.alpinelinux.org/patch/4016/ patch] already applied in v7.0.7<br />
<br />
{{cmd|apk add dhcpcd@edge}}<br />
<br />
If you haven't you may need to add the edge repository for pinning [[Alpine Linux package management#Repository_pinning]]<br />
<br />
<pre># Enable extra debugging<br />
#debug<br />
#logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
#clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# IPv6 Only<br />
ipv6only<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
# Use the interface connected to WAN<br />
interface ppp0<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64</pre><br />
<br />
Add dhcpcd to the default run level:<br />
<br />
{{cmd|rc-update add dhcpcd default}}<br />
<br />
= Configuring firewall for IPv4 and IPv6 traffic =<br />
<br />
== iptables ==<br />
Here are some rules for iptables that I am currently using, yours may look something similar.<br />
<br />
<pre>#########################################################################<br />
# Uses 192.168.1.0 VLAN1 Management Untagged - no route<br />
# 192.168.2.0 VLAN2 - route to ISP<br />
# 192.168.3.0 VLAN3 - route to VPN<br />
# 192.168.4.0 VLAN4 - no route<br />
# <br />
# Packets to/from 192.168.1.0/24 not in any VLAN ie tagged<br />
# Packets to/from 192.168.2.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.3.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.4.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
# These destinations will always be marked with 0x1 from VLAN3:<br />
#<br />
# <ip_of_exception> some exception<br />
#########################################################################<br />
<br />
# <br />
# Raw Table<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_DROP_MSFT - [0:0]<br />
<br />
# Create output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN's DNS server<br />
-A PREROUTING -s 172.16.32.1/32 -i tun0 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Block MSFT known tracking IPs from https://github.com/Nummer/Destroy-Windows-10-Spying<br />
-A PREROUTING -i ppp0 -m set --match-set dropped-msft-ip-ipv4 src -j LOG_DROP_MSFT<br />
-A PREROUTING -i tun0 -m set --match-set dropped-msft-ip-ipv4 src -j LOG_DROP_MSFT<br />
<br />
# Allows my excepted ranges<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Allows traffic originating from router to remote address on VPN<br />
-A OUT_TUN0 -d 172.16.32.1 -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT (ipv4) : " --log-level 6<br />
-A LOG_DROP_MSFT -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Block packets originating from the router destined to msft ranges<br />
-A OUT_PPP0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Blocks packets originating from the router destined to msft ranges<br />
-A OUT_TUN0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent through VPN<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 20001 -j DNAT --to-destination 192.168.3.30<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 20001 -j DNAT --to-destination 192.168.3.30<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows routing to Printer<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
:FWD_V1_MGMT - [0:0]<br />
:FWD_V2_ISP - [0:0]<br />
:FWD_V3_VPN - [0:0]<br />
:FWD_V4_LANONLY - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
:IN_V1_MGMT - [0:0]<br />
:IN_V2_ISP - [0:0]<br />
:IN_V3_VPN - [0:0]<br />
:IN_V4_LANONLY - [0:0]<br />
<br />
# Create a drop/reject chains<br />
:LOG_DROP - [0:0]<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_DROP_MSFT - [0:0]<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_V1_MGMT<br />
-A INPUT -i eth0.2 -j IN_V2_ISP<br />
-A INPUT -i eth0.3 -j IN_V3_VPN<br />
-A INPUT -i eth0.4 -j IN_V4_LANONLY<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_V1_MGMT<br />
-A FORWARD -i eth0.2 -j FWD_V2_ISP<br />
-A FORWARD -i eth0.3 -j FWD_V3_VPN<br />
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.3.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port<br />
-A FWD_TUN0 -d 192.168.3.30/32 -p tcp -m tcp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.3.30/32 -p udp -m udp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward established packets to hosts in VLAN2/3 from Printer<br />
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Refuse to forward bogons from VLAN1 (Untagged Management)<br />
-A FWD_V1_MGMT -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Refuse to forward msft from VLAN1 (Untagged Management)<br />
-A FWD_V1_MGMT -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Forward traffic from VLAN2 to Modem<br />
-A FWD_V2_ISP -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Forward traffic from VLAN2 to Printer<br />
-A FWD_V2_ISP -d 192.168.4.9/32 -j ACCEPT<br />
<br />
# Drop bogons from VLAN2<br />
-A FWD_V2_ISP -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Drop msft from VLAN2<br />
-A FWD_V2_ISP -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Allow rest from VLAN2<br />
-A FWD_V2_ISP -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Forward traffic from VLAN3 to Modem<br />
-A FWD_V3_VPN -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Forward traffic from VLAN3 to Printer<br />
-A FWD_V3_VPN -d 192.168.4.9/32 -j ACCEPT<br />
<br />
# Allow rest from VLAN3<br />
-A FWD_V3_VPN -s 192.168.3.0/24 -j ACCEPT<br />
<br />
# Drop bogons from VLAN3<br />
-A FWD_V3_VPN -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Drop msft from VLAN3<br />
-A FWD_V3_VPN -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Forward some exception to ppp0 from VLAN3<br />
-A FWD_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT<br />
<br />
# Allow in NTP from Router (this machine)<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow in HTTP from Router (this machine)<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
# -A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
# -A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Allow in established packets from Printer to hosts in VLAN2/3<br />
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Clients (access point A & B)<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest in from VLAN1<br />
-A IN_V1_MGMT -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ssh in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow DNS in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# ALLOW NTP in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ssh in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow DNS in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# Allow NTP in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow some exception direct from ppp0 to VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log dropped msft tracking that never got forwarded<br />
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT forward(ipv4) " --log-level 6<br />
-A LOG_DROP_MSFT -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only" --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.3.0/24 -m mark --mark 0x2<br />
<br />
# Check some exception are 0x1<br />
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -m mark --mark 0x1<br />
<br />
# Mark packets coming from 192.168.3.0/24 are 0x2<br />
-A PREROUTING -s 192.168.3.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x1<br />
<br />
# Mark packets 192.168.2.0/24 are 0x1<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark some exception as 0x1<br />
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Strip mark if packet is destined for printer<br />
-A PREROUTING -d 192.168.4.9/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
== ip6tables ==<br />
<br />
You'll need to modify your prefix in one of the rules.<br />
<br />
<pre>#########################################################################<br />
# Uses 2001:0db8:1234:ffff::1/64 VLAN2 - route to ISP<br />
# fde4:8dba:82e1:fff3::1/64 VLAN3 - route to VPN<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows my excepted ranges<br />
-A PREROUTING -m set --match-set allowed-nets-ipv6 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allows hosts of the network to use the VPN tunnel for IPv6<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Drop unusually large ping packets<br />
-A PREROUTING -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m length --length 170:65535 -j DROP<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
:FWD_V1_MGMT - [0:0]<br />
:FWD_V2_ISP - [0:0]<br />
:FWD_V3_VPN - [0:0]<br />
:FWD_V4_LANONLY - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
:IN_V1_MGMT - [0:0]<br />
:IN_V2_ISP - [0:0]<br />
:IN_V3_VPN - [0:0]<br />
:IN_V4_LANONLY - [0:0]<br />
<br />
# Create a drop/reject chains<br />
:LOG_DROP - [0:0]<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_V1_MGMT<br />
-A INPUT -i eth0.2 -j IN_V2_ISP<br />
-A INPUT -i eth0.3 -j IN_V3_VPN<br />
-A INPUT -i eth0.4 -j IN_V4_LANONLY<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_V1_MGMT<br />
-A FORWARD -i eth0.2 -j FWD_V2_ISP<br />
-A FORWARD -i eth0.3 -j FWD_V3_VPN<br />
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Rate limit ICMPv6 PING<br />
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 30/min -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward VLAN2 to ISP<br />
-A FWD_V2_ISP -s 2001:0db8:1234:ffff::/64 -j ACCEPT<br />
<br />
# Forward VLAN3 to VPN<br />
-A FWD_V3_VPN -o tun0 -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Allow and rate limit ICMP<br />
-A IN_PPP0 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT<br />
-A IN_PPP0 -p ipv6-icmp -m limit --limit 30/sec -j ACCEPT<br />
<br />
# Allow DHCPv6 PD on Link Local from ISP<br />
-A IN_PPP0 -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets on VPN<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Allow tracked connections in from ppp0 to VLAN2<br />
-A IN_V2_ISP -s 2001:0db8:1234:ffff::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ICMP in from VLAN2<br />
-A IN_V2_ISP -p ipv6-icmp -j ACCEPT<br />
<br />
# Allow tracked connections in from tun0 to VLAN3<br />
-A IN_V3_VPN -s fde4:8dba:82e1:fff3::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ICMP in from VLAN3<br />
-A IN_V3_VPN -p ipv6-icmp -j ACCEPT<br />
COMMIT</pre><br />
<br />
Add ip6tables to the default run level:<br />
<br />
{{cmd|rc-update add ip6tables default}}<br />
<br />
<br />
== nftables ==<br />
<br />
Optionally one might decide to use nftables instead of old legacy iptables. nftables has a few improvements such as a cleaner rule syntax, ipv4 and ipv6 is all in one table, and the ability to use [https://wiki.nftables.org/wiki-nftables/index.php/Scripting#Defining_variables variables], [https://wiki.nftables.org/wiki-nftables/index.php/Sets sets], [https://wiki.nftables.org/wiki-nftables/index.php/Dictionaries dictionaries] and [https://wiki.nftables.org/wiki-nftables/index.php/Maps maps]. This also means you no longer need to worry about using [[Linux Router with VPN on a Raspberry Pi#Installing_ipset | ipset]].<br />
<br />
<pre>#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
###################################################################################<br />
#<br />
#| Address | Route To | Interface | VLAN | Mark |<br />
#|------------------------------------|-----------------|-----------|------|------|<br />
#| 192.168.0.0/24 | Modem | eth1 | 1 | |<br />
#| 192.168.1.0/24 | Nowhere | eth0 | 1 | |<br />
#| 192.168.2.0/24 | ISP | eth0.2 | 2 | 0x1 |<br />
#| 2001:0db8:1234:ffff::/64 | ISP | eth0.2 | 2 | 0x1 |<br />
#| 192.168.3.0/24 | VPN | eth0.3 | 3 | 0x2 |<br />
#| fde4:8dba:82e1:fff3::/64 | VPN | eth0.3 | 3 | 0x2 |<br />
#| 192.168.4.0/24 | Nowhere | eth0.4 | 4 | |<br />
#| <ip_of_exception> | Exception (ISP) | eth0.2 | 4 | 0x1 |<br />
#<br />
###################################################################################<br />
<br />
define net_v0_ip4 = 192.168.0.0/24<br />
define net_v1_ip4 = 192.168.1.0/24<br />
define net_v2_ip4 = 192.168.2.0/24<br />
define net_v3_ip4 = 192.168.3.0/24<br />
define network_v4_ip4 = 192.168.4.0/24<br />
define mailserver = <ip_of_exception><br />
define modem = 192.168.0.2<br />
define router = 192.168.1.1<br />
define printer = 192.168.4.9<br />
define workstation = 192.168.3.30<br />
define wifi_aps = { 192.168.1.10, 192.168.1.11 }<br />
define net_ula_v1_ip6 = fde4:8dba:82e1:fff1::/64<br />
define net_gua_v2_ip6 = 2001:0db8:1234:ffff::/64<br />
define net_ula_v3_ip6 = fde4:8dba:82e1:fff3::/64<br />
define net_ula_v4_ip6 = fde4:8dba:82e1:fff4::/64<br />
define vpn_gateway = 172.16.32.1<br />
<br />
#<br />
# Mangle Table (IPv4)<br />
# Markings happen: whether they be 0x1 or 0x2<br />
#<br />
table ip mangle {<br />
chain PREROUTING {<br />
type filter hook prerouting priority mangle; policy accept;<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
mark set ct mark<br />
<br />
# If packet MARK is 2, then it means there is already a<br />
# connection mark and theoriginal packet came in on VPN<br />
ip saddr $net_v3_ip4 mark 0x00000002<br />
<br />
# Check mail server are 0x1<br />
ip saddr $net_v3_ip4 ip daddr $mailserver mark 0x00000001<br />
<br />
# Mark packets coming from VLAN3 as 0x2<br />
ip saddr $net_v3_ip4 mark set 0x00000002<br />
<br />
# If packet MARK is 1, then it means there is already a<br />
# connection mark and the original packet came in on ISP<br />
ip saddr $net_v2_ip4 mark 0x00000001<br />
<br />
# Mark packets coming from VLAN2 as 0x1<br />
ip saddr $net_v2_ip4 mark set 0x00000001<br />
<br />
# Mark mail server as 0x1<br />
ip saddr $net_v3_ip4 ip daddr $mailserver mark set 0x00000001<br />
<br />
# Strip mark if packet is destined for modem<br />
ip daddr $modem mark set 0x00000000<br />
<br />
# Strip mark if packet is destined for printer<br />
ip daddr $printer mark set 0x00000000<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
ct mark set mark<br />
}<br />
}<br />
<br />
#<br />
# Filter Table (IPv4)<br />
# Filtering things coming IN and OUT of the router<br />
#<br />
table ip filter {<br />
# Create rule chain per input interface for input packets (for host itself)<br />
chain INPUT {<br />
type filter hook input priority filter; policy drop;<br />
iifname "lo" accept<br />
iifname "eth0" jump IN_V1_MGMT<br />
iifname "eth0.2" jump IN_V2_ISP<br />
iifname "eth0.3" jump IN_V3_VPN<br />
iifname "eth1" jump IN_ETH1<br />
iifname "tun0" jump IN_TUN0<br />
}<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
chain FORWARD {<br />
type filter hook forward priority filter; policy drop;<br />
ct state established,related accept<br />
iifname "eth0" jump FWD_V1_MGMT<br />
iifname "eth0.2" jump FWD_V2_ISP<br />
iifname "eth0.3" jump FWD_V3_VPN<br />
iifname "eth1" jump FWD_ETH1<br />
iifname "tun0" jump FWD_TUN0<br />
}<br />
<br />
chain FWD_ETH1 {<br />
ip saddr $modem ip daddr $net_v2_ip4 tcp sport http ct state established,new accept<br />
ip saddr $modem ip daddr $net_v3_ip4 tcp sport http ct state established,new accept<br />
}<br />
<br />
chain FWD_TUN0 {<br />
# Forward bittorrent<br />
ip daddr $workstation tcp dport 20001 ct state established,new accept<br />
ip daddr $workstation udp dport 20001 ct state established,new accept<br />
}<br />
<br />
chain FWD_V1_MGMT {<br />
# Forward established packets to hosts in VLAN2/3 from printer<br />
ip saddr $printer ip daddr $net_v2_ip4 ct state established,new accept<br />
ip saddr $printer ip daddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Forward established packets to hosts in VLAN2/3 from modem<br />
ip saddr $modem ip daddr $net_v3_ip4 tcp sport http ct state established,new accept<br />
}<br />
<br />
chain FWD_V2_ISP {<br />
# Forward traffic from VLAN2 to Modem<br />
ip daddr $modem tcp dport http accept<br />
<br />
# Forward traffic from VLAN2 to printer<br />
ip daddr $printer accept<br />
<br />
# Allow rest from VLAN2<br />
ip saddr $net_v2_ip4 accept<br />
}<br />
<br />
chain FWD_V3_VPN {<br />
# Forward traffic from VLAN3 to Modem<br />
ip daddr $modem tcp dport http accept<br />
<br />
# Forward traffic from VLAN3 to printer<br />
ip daddr $printer accept<br />
<br />
# Allow rest from VLAN3<br />
ip saddr $net_v3_ip4 accept<br />
<br />
# Allow mailserver direct from VLAN3 out<br />
oifname "eth1" ip saddr $net_v3_ip4 ip daddr $mailserver accept<br />
}<br />
<br />
chain IN_ETH1 {<br />
# Accept incoming tracked connection from eth1<br />
ip saddr $router ip daddr $modem tcp sport http ct state established,new accept<br />
<br />
# Allow incoming NTP in from VLAN1<br />
ip saddr $net_v0_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Log dropped packets coming in on eth1<br />
ct state established,related accept<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_TUN0 {<br />
# Log dropped packets coming in on tun0<br />
ct state established,related accept<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_V1_MGMT {<br />
# Allow in established packets from printer to VLAN2 and VLAN3<br />
ip saddr $printer ip daddr $net_v2_ip4 ct state established,new accept<br />
ip saddr $printer ip daddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Allow NTP in from VLAN1<br />
ip saddr $net_v1_ip4 udp dport ntp ct state established,new accept<br />
<br />
# FreeRadius Clients<br />
ip saddr $wifi_aps tcp dport radius ct state established,new accept<br />
ip saddr $wifi_aps udp dport radius ct state established,new accept<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
ip saddr $wifi_aps udp dport 10001 ct state established,new accept<br />
ip saddr $wifi_aps udp dport 3478 ct state established,new accept<br />
<br />
# Allow rest in from VLAN1<br />
ip saddr $net_v1_ip4 ct state established,new accept<br />
}<br />
<br />
chain IN_V2_ISP {<br />
# Allow ssh in from VLAN2<br />
ip saddr $net_v2_ip4 tcp dport ssh ct state established,new accept<br />
<br />
# Allow DNS in from VLAN2<br />
ip saddr $net_v2_ip4 udp dport domain ct state new accept<br />
<br />
# Allow NTP in from VLAN2<br />
ip saddr $net_v2_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Allow rest from VLAN2<br />
ip saddr $net_v2_ip4 ct state established,new accept<br />
}<br />
<br />
chain IN_V3_VPN {<br />
# Allow ssh in from VLAN3<br />
ip saddr $net_v3_ip4 tcp dport ssh ct state established,new accept<br />
<br />
# Allow DNS in from VLAN3<br />
ip saddr $net_v3_ip4 udp dport domain ct state new accept<br />
<br />
# Allow NTP in from VLAN3<br />
ip saddr $net_v3_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Allow rest from VLAN3<br />
ip saddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Allow mailserver direct from eth1 from VLAN3<br />
oifname "eth1" ip saddr $net_v3_ip4 ip daddr $mailserver accept<br />
}<br />
<br />
chain LOG_DROP {<br />
log prefix "Dropped v4: " drop<br />
}<br />
}<br />
<br />
#<br />
# NAT Table (IPv4)<br />
# Translation of packets happens to our single external address<br />
# Forwarding of ports through our public interfaces<br />
#<br />
table ip nat {<br />
chain PREROUTING {<br />
type nat hook prerouting priority dstnat; policy accept;<br />
# Port forwarding for Bittorrent on workstation through VPN<br />
iifname "tun0" tcp dport 20001 dnat to $workstation<br />
iifname "tun0" udp dport 20001 dnat to $workstation<br />
}<br />
<br />
chain POSTROUTING {<br />
type nat hook postrouting priority srcnat; policy accept;<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
oifname "eth0" ip saddr $net_v2_ip4 ip daddr $modem tcp dport http masquerade<br />
oifname "eth0" ip saddr $net_v3_ip4 ip daddr $modem tcp dport http masquerade<br />
<br />
# Allows routing to printer<br />
oifname "eth0" ip saddr $net_v2_ip4 ip daddr $printer masquerade<br />
oifname "eth0" ip saddr $net_v3_ip4 ip daddr $printer masquerade<br />
<br />
# Masquerade behind NAT<br />
oifname "tun0" masquerade<br />
oifname "eth1" masquerade<br />
}<br />
}<br />
<br />
#<br />
# Filter Table (IPv6)<br />
# Filtering things coming IN and OUT of the router<br />
#<br />
table ip6 filter {<br />
chain INPUT {<br />
# Create rule chain per input interface for input packets (for host itself)<br />
type filter hook input priority filter; policy drop;<br />
iifname "lo" accept<br />
iifname "eth0.2" jump IN_V2_ISP<br />
iifname "eth0.3" jump IN_V3_VPN<br />
iifname "eth1" jump IN_ETH1<br />
iifname "tun0" jump IN_TUN0<br />
}<br />
<br />
chain FORWARD {<br />
# Track forwarded packets<br />
type filter hook forward priority filter; policy drop;<br />
ct state established,related accept<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
iifname "eth0.2" jump FWD_V2_ISP<br />
iifname "eth0.3" jump FWD_V3_VPN<br />
# iifname "tun0" jump FWD_TUN0<br />
<br />
# Rate limit ICMPv6 PING<br />
icmpv6 type echo-request limit rate 30/minute accept<br />
}<br />
<br />
chain OUTPUT {<br />
type filter hook output priority filter; policy accept;<br />
}<br />
<br />
# chain FWD_TUN0 {<br />
# We could forward ports IPv6 ports through the VPN here<br />
# }<br />
<br />
chain FWD_V2_ISP {<br />
# Forward VLAN2 to ISP<br />
ip6 saddr $net_gua_v2_ip6 accept<br />
}<br />
<br />
chain FWD_V3_VPN {<br />
# Forward VLAN3 to VPN<br />
ip6 saddr $net_ula_v3_ip6 accept<br />
}<br />
<br />
chain IN_ETH1 {<br />
# Accept incoming tracked ETH1 connection<br />
ct state established,related accept<br />
<br />
# Allow and rate limit ICMP<br />
icmpv6 type packet-too-big accept<br />
meta l4proto ipv6-icmp limit rate 30/second accept<br />
<br />
# Allow DHCPv6 PD on Link Local from ISP<br />
ip6 saddr fe80::/10 udp sport dhcpv6-server udp dport dhcpv6-client ct state established,new accept<br />
<br />
# Allow Router advetisements/solict form ISP<br />
ip6 saddr fe80::/10 icmpv6 type nd-router-advert accept<br />
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit accept<br />
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-advert accept<br />
<br />
# Log dropped packets coming in on ETH1<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_TUN0 {<br />
# Accept incoming tracked TUN0 connection<br />
ct state established,related accept<br />
<br />
# Allow and rate limit ICMP<br />
icmpv6 type packet-too-big accept<br />
meta l4proto ipv6-icmp limit rate 30/second accept<br />
<br />
# Log dropped packets on VPN<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_V2_ISP {<br />
# Allow tracked connections in from ETH1 to VLAN2<br />
ip6 saddr $net_gua_v2_ip6 ct state established,new accept<br />
<br />
# Allow ICMP in from VLAN2<br />
meta l4proto ipv6-icmp accept<br />
}<br />
<br />
chain IN_V3_VPN {<br />
# Allow tracked connections in from tun0 to VLAN3<br />
ip6 saddr $net_ula_v3_ip6 ct state established,new accept<br />
<br />
# Allow ICMP in from VLAN3<br />
meta l4proto ipv6-icmp accept<br />
}<br />
<br />
chain LOG_DROP {<br />
log prefix "Dropped v6: " drop<br />
}<br />
}<br />
<br />
#<br />
# Mangle Table (IPv6)<br />
#<br />
table ip6 mangle {<br />
chain PREROUTING {<br />
type filter hook prerouting priority mangle; policy accept;<br />
<br />
# Drop unusually large ping packets<br />
icmpv6 type echo-request meta length 170-65535 drop<br />
}<br />
}<br />
<br />
#<br />
# NAT Table (IPv6)<br />
# Translation of packets happens to our single external address<br />
# only used for the VPN as our ISP give us a /56 range to split up<br />
#<br />
table ip6 nat {<br />
chain POSTROUTING {<br />
type nat hook postrouting priority srcnat; policy accept;<br />
oifname "tun0" masquerade<br />
}<br />
}<br />
<br />
#<br />
# Raw Table - IPv4/IPv6<br />
#<br />
table inet raw {<br />
set bogon-bn-nonagg-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 0.0.0.0/8, 10.0.0.0/8,<br />
100.64.0.0/10, 127.0.0.0/8,<br />
169.254.0.0/16, 172.16.0.0/12,<br />
192.0.0.0/24, 192.0.2.0/24,<br />
192.168.0.0/16, 198.18.0.0/15,<br />
198.51.100.0/24, 203.0.113.0/24,<br />
224.0.0.0/4, 240.0.0.0-255.255.255.255 }<br />
}<br />
<br />
set lo-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 127.0.0.0/8 }<br />
}<br />
<br />
set eth0-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { $net_v1_ip4 }<br />
}<br />
<br />
set eth0.2-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth0.3-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth0.4-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth1-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.0.0/30, 255.255.255.255 }<br />
}<br />
<br />
set tun0-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 172.16.32.0/20, 172.16.48.0/20 }<br />
}<br />
<br />
set lo-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { ::1/128 }<br />
}<br />
<br />
set eth0-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff1::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.2-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { 2001:0db8:1234:ffff::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.3-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff3::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.4-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff4::/64,<br />
fe80::/10 }<br />
}<br />
<br />
chain PREROUTING {<br />
type filter hook prerouting priority raw; policy accept;<br />
<br />
# Allows traffic from NNTP/DNS vpn gateway<br />
iifname "tun0" ip saddr $vpn_gateway accept;<br />
<br />
# Allows traffic originating from router to vpn gateway<br />
ip daddr $vpn_gateway accept<br />
<br />
# Allows traffic originating from router to modem<br />
ip daddr $modem accept<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
#iifname "eth1" ip saddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_PR;<br />
#iifname "tun0" ip saddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_PR;<br />
}<br />
<br />
chain OUTPUT {<br />
type filter hook output priority raw; policy accept;<br />
<br />
# Allows my excepted ranges<br />
iifname vmap { lo : jump lo-allowed-net, eth0 : jump eth0-allowed-net,<br />
eth0.2 : jump eth0.2-allowed-net, eth0.3 : jump eth0.3-allowed-net,<br />
eth0.4 : jump eth0.4-allowed-net, eth1 : jump eth1-allowed-net,<br />
tun0 : jump tun0-allowed-net };<br />
<br />
oifname vmap { lo : jump lo-allowed-net, eth0 : jump eth0-allowed-net,<br />
eth0.2 : jump eth0.2-allowed-net, eth0.3 : jump eth0.3-allowed-net,<br />
eth0.4 : jump eth0.4-allowed-net, eth1 : jump eth1-allowed-net,<br />
tun0 : jump tun0-allowed-net };<br />
<br />
<br />
# Drop any remaining bogons that try to leave the router<br />
oifname "eth1" ip daddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_IN;<br />
oifname "tun0" ip daddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_IN;<br />
}<br />
<br />
chain lo-allowed-net {<br />
ip saddr @lo-allowed-net-ip4-set accept<br />
ip6 saddr @lo-allowed-net-ip6-set accept<br />
}<br />
<br />
chain eth0-allowed-net {<br />
ip saddr @eth0-allowed-net-ip4-set accept<br />
ip6 saddr @eth0-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 0: " level info<br />
}<br />
<br />
chain eth0.2-allowed-net {<br />
ip saddr @eth0.2-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.2-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 2: " level info<br />
}<br />
<br />
chain eth0.3-allowed-net {<br />
ip saddr @eth0.3-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.3-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 3: " level info<br />
}<br />
<br />
chain eth0.4-allowed-net {<br />
ip saddr @eth0.4-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.4-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 4: " level info<br />
}<br />
<br />
chain eth1-allowed-net {<br />
ip saddr @eth1-allowed-net-ip4-set accept<br />
#log prefix "Allowed packet allow eth1: " level info<br />
}<br />
<br />
chain tun0-allowed-net {<br />
ip saddr @tun0-allowed-net-ip4-set accept<br />
#log prefix "Allowed packet allow tun0: " level info<br />
}<br />
<br />
chain LOG_DROP_BOGON_IN {<br />
log prefix "Dropped Bogon outgoing " drop<br />
}<br />
chain LOG_DROP_BOGON_OUT {<br />
log prefix "Dropped Bogon incoming " drop<br />
}<br />
chain LOG_DROP_BOGON_PR {<br />
log prefix "Dropped Bogon prerouting " drop<br />
}<br />
}</pre><br />
<br />
Add nftables to the default run level:<br />
<br />
{{cmd|rc-update add nftables default}}<br />
<br />
= Router Advertisements =<br />
<br />
Now we need to configure radvd to give router advertisements to out VLANs for addressing and routing.<br />
<br />
{{cmd|apk add radvd}}<br />
<br />
Once radvd is installed, you may configure it:<br />
<br />
== /etc/radvd.conf ==<br />
<br />
<pre>interface eth0.2 {<br />
<br />
# We are sending advertisements (route)<br />
AdvSendAdvert on;<br />
<br />
# When set, host use the administered (stateful) protocol<br />
# for address autoconfiguration. The use of this flag is<br />
# described in RFC 4862<br />
AdvManagedFlag on;<br />
<br />
# When set, host use the administered (stateful) protocol<br />
# for address autoconfiguration. For other (non-address)<br />
# information.<br />
# The use of this flag is described in RFC 4862<br />
AdvOtherConfigFlag on;<br />
<br />
# Suggested Maximum Transmission setting for using the<br />
# Hurricane Electric Tunnel Broker.<br />
# AdvLinkMTU 1480;<br />
<br />
# We have native Dual Stack IPv6 so we can use the regular MTU<br />
# http://blogs.cisco.com/enterprise/ipv6-mtu-gotchas-and-other-icmp-issues<br />
AdvLinkMTU 1500;<br />
<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on; ## SLAAC based on EUI<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
interface eth0.3 {<br />
<br />
AdvSendAdvert on;<br />
AdvManagedFlag on;<br />
AdvOtherConfigFlag on;<br />
AdvLinkMTU 1500;<br />
<br />
# Helps the route not get lost when on WiFi with packet loss<br />
MaxRtrAdvInterval 30;<br />
AdvDefaultLifetime 9000;<br />
<br />
prefix fde4:8dba:82e1:fff3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on; ## SLAAC based on EUI<br />
};<br />
};</pre><br />
<br />
Add radvd to the default run level:<br />
<br />
{{cmd|rc-update add radvd default}}<br />
<br />
= DHCP =<br />
You may decide you want more control over your network address assignment. I like to have certain hosts get certain addresses when they connect on a particular VLAN, note v2 and v3. You can do this with:<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.21 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
<br />
host wifi_ap {<br />
hardware ethernet <mac_addess>;<br />
fixed-address 192.168.1.11;<br />
option subnet-mask 255.255.255.0;<br />
option routers 192.168.1.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.40 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.2.1;<br />
allow unknown-clients;<br />
<br />
host host-v2 {<br />
hardware ethernet <mac_address>;<br />
fixed-address 192.168.2.30;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.20 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.3.1;<br />
ignore unknown-clients;<br />
<br />
host host-v3 {<br />
hardware ethernet <mac_address>;<br />
fixed-address 192.168.3.30;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.4.0 netmask 255.255.255.0 {<br />
range 192.168.4.40 192.168.4.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.4.255;<br />
option routers 192.168.4.1;<br />
option ntp-servers 192.168.4.1;<br />
option domain-name-servers 192.168.4.1;<br />
<br />
host printer {<br />
hardware ethernet <PRINTER_MAC_ADDRESS>;<br />
fixed-address 192.168.4.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.4.255;<br />
option routers 192.168.4.1;<br />
option host-name "My_Printer";<br />
} ignore unknown-clients;<br />
}</pre><br />
<br />
For IPv6 I don't use DHCPv6 because Android doesn't support it. I just let SLAAC assign addresses.<br />
<br />
= VPN Tunnel VLAN3 =<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN<br />
3 LAN</pre><br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
/sbin/ip -6 rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
/sbin/ip -6 rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300<br />
/sbin/ip -6 rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/network/route_LAN ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script adds the LAN routes.<br />
#<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0.2 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0.2 table ISP<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}<br />
<br />
# Add route to LAN subnet<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table ISP</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.3.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table VPN<br />
/sbin/ip -6 route add fde4:8dba:82e1:fff3::/64 dev eth0.3 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
/sbin/ip -6 rule add from fde4:8dba:82e1:fff3::/64 table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN<br />
/sbin/ip -6 route add default dev tun0 table VPN <br />
<br />
# Add route to LAN only subnet<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table VPN<br />
<br />
# Add route to IP on VPN for traffic originating from the router<br />
/sbin/ip route add 172.16.32.1 dev tun0</pre><br />
<br />
== /etc/openvpn/route-down-fwmark.sh ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200<br />
/sbin/ip -6 rule del from fde4:8dba:82e1:fff3::/64 table VPN prio 200<br />
<br />
# Delete route to IP on VPN for traffic originating from the router<br />
/sbin/ip route del 172.16.32.1 dev tun0</pre><br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in your VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
<br />
[[category: Raspberry]]<br />
[[category: VPN]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=FreeRadius_EAP-TLS_configuration&diff=19597FreeRadius EAP-TLS configuration2021-06-14T11:36:07Z<p>Dngray: Mention domain_suffix_match as a part of WPA3</p>
<hr />
<div>= Introduction =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. In the previous tutorial [[Linux Router with VPN on a Raspberry Pi]] I mentioned I'd be doing this with a <br />
([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]). I have tested this with two phones running CyanogenMod 11 (Android 4.4.4).<br />
<br />
= Installation =<br />
<br />
Install FreeRadius:<br />
{{cmd|apk add freeradius freeradius-eap}}<br />
<br />
= Certificates =<br />
You will want to create your certificates. The easiest way to do that is to use the scripts provided by FreeRadius. The scripts allow you to easily create a CA (certificate authority), Server certificate, and Client certificates. Remember to increase the expiry time from 60 days if that doesn't suit you and fill in the other information in the .cnf files like the README says.<br />
<br />
The readme for that script is in /etc/raddb/certs/README or can be found [https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/raddb/certs here].<br />
<br />
= Certificate Revocation List =<br />
The CRL is not created by the script, you have to do that one manually.<br />
<br />
I created a file called crl.cnf:<br />
<br />
<pre>[ ca ]<br />
default_ca = CA_default<br />
<br />
[ CA_default ]<br />
dir = ./<br />
certs = $dir<br />
crl_dir = $dir/crl<br />
database = $dir/index.txt<br />
new_certs_dir = $dir<br />
certificate = $dir/ca.pem<br />
serial = $dir/serial<br />
crl = $dir/crl.pem<br />
private_key = $dir/ca.key<br />
RANDFILE = $dir/.rand<br />
name_opt = ca_default<br />
cert_opt = ca_default<br />
default_days = 730<br />
default_crl_days = 730<br />
default_md = sha256<br />
preserve = no<br />
policy = policy_match<br />
crlDistributionPoints = URI:http://www.example.com/example_ca.crl<br />
<br />
[ policy_match ]<br />
countryName = match<br />
stateOrProvinceName = match<br />
organizationName = match<br />
organizationalUnitName = optional<br />
commonName = supplied<br />
emailAddress = optional<br />
<br />
[ policy_anything ]<br />
countryName = optional<br />
stateOrProvinceName = optional<br />
localityName = optional<br />
organizationName = optional<br />
organizationalUnitName = optional<br />
commonName = supplied<br />
emailAddress = optional<br />
<br />
[ req ]<br />
prompt = no<br />
distinguished_name = cacrl<br />
default_bits = 2048<br />
input_password = <password1><br />
output_password = <password2><br />
x509_extensions = v3_ca<br />
<br />
[certificate_authority]<br />
countryName = <COUNTRY_CODE><br />
stateOrProvinceName = Radius<br />
localityName = <REGION><br />
organizationName = FreeRadius<br />
emailAddress = freeradius@localhost <br />
commonName = "FreeRadius Certificate Authority"<br />
<br />
[v3_ca]<br />
subjectKeyIdentifier = hash<br />
authorityKeyIdentifier = keyid:always,issuer:always<br />
basicConstraints = CA:true<br />
crlDistributionPoints = URI:http://www.example.com/example_ca.crl</pre><br />
<br />
Create the revocation list:<br />
{{cmd|openssl ca -gencrl -keyfile ca.key -cert ca.pem -out crl.pem -config crl.cnf}}<br />
<br />
Finally, create new file which will hold both CA and revoked certificates:<br />
{{cmd|cat ca.pem crl.pem > cacrl.pem}}<br />
<br />
= Create the Diffie-Hellman nonce file =<br />
{{cmd|openssl dhparam -check -text -5 1024 -out /etc/raddb/certs/dh}}<br />
<br />
Or you can use a larger one, eg (this can take a while if you're unlucky!).<br />
<br />
{{cmd|openssl dhparam -check -text -5 4096 -out /etc/raddb/certs/dh}}<br />
<br />
= Server config =<br />
<br />
The [https://www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Specification_v3.0.pdf WPA3 specification] (p12), has a few changes to EAP. Even if you're not using WPA3 it still effects your EAP RADIUS authentication, particularly for clients such as Android 11+. Further discussion was [https://reddit.com/comments/l4fdzp here].<br />
<br />
{{Box|WPA 3.1 Page 12|<br />
<br />
5.1.2 The STA is configured with EAP credentials that explicitly specify a CA root certificate that matches the root certificate in the received Server Certificate message and, if the EAP credentials also include a domain name<br />
(FQDN or suffix-only), it matches the domain name (SubjectAltName dNSName if present, otherwise SubjectName CN) of the certificate [2] in the received Server Certificate message.<br />
<br />
5.1.3 The STA is configured with EAP credentials that include a domain name (FQDN or suffix-only) that matches the domain name (SubjectAltName dNSName if present, otherwise SubjectName CN) of the certificate [2] in the received Server Certificate message, and the root certificate of that certificate is present in the STA's trust root store.}}<br />
<br />
Without these changes you'll see errors in logcat like:<br />
<br />
<pre>EAP: Status notification: remote certificate verification (param=self signed certificate in certificate chain)<br />
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA<br />
EAP: Status notification: local TLS alert (param=unknown CA)</pre><br />
<br />
== /etc/raddb/server.cnf ==<br />
<pre>[ v3_req ]<br />
basicConstraints = CA:FALSE<br />
keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br />
subjectAltName = @alt_names<br />
<br />
# This should be a host name of the RADIUS server.<br />
# Note that the host name is exchanged in EAP *before*<br />
# the user machine has network access. So the host name<br />
# here doesn't really have to match anything in DNS.<br />
+ [alt_names]<br />
+ DNS.1 = radius.example.com<br />
+<br />
+ # NAIRealm from RFC 7585<br />
+ otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com</pre><br />
<br />
Then you'd need to put "radius.example.com" in the "Domain" box when you add the WiFi Network. It's also known as "domain_suffix_match" in wpa_supplicant.conf or NetworkManager configuration files.<br />
<br />
== /etc/raddb/certs/xpextensions ==<br />
<br />
Then you need to update xpextensions before making your configs.<br />
<br />
<pre>+ [ xpserver_ext]<br />
+ extendedKeyUsage = 1.3.6.1.5.5.7.3.1<br />
+ crlDistributionPoints = URI:http://www.example.com/example_ca.crl<br />
<br />
+ subjectAltName = @alt_names<br />
<br />
and then at the bottom:<br />
<br />
+ [alt_names]<br />
+ DNS.1 = radius.example.com<br />
<br />
+ # NAIRealm from RFC 7585<br />
+ otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com</pre><br />
<br />
= Configuration =<br />
== /etc/raddb/clients.conf ==<br />
<br />
First we're going to add a client, this is your WiFi AP:<br />
<br />
<pre>client home {<br />
ipaddr = 192.168.1.10<br />
proto = *<br />
secret = <PASSWORD USED BY YOUR AP TO AUTHENTICATE WITH THIS RADIUS SERVER><br />
shortname = <YOUR_SSID><br />
require_message_authenticator = no<br />
nas_type = other<br />
<br />
limit {<br />
max_connections = 16<br />
lifetime = 0<br />
idle_timeout = 30<br />
}<br />
}</pre><br />
<br />
== /etc/raddb/mods-enabled/eap ==<br />
Next we configure eap. Note the + and - represent lines removed and added, don't include them in your config!<br />
<br />
You're going to want to make these changes:<br />
<br />
<pre>- default_eap_type = md5<br />
+ default_eap_type = tls</pre><br />
<br />
<pre>- private_key_password = whatever<br />
+ private_key_password = <Password you set output_password in server.cnf><br />
private_key_file = ${certdir}/server.pem</pre><br />
<br />
<pre>- ca_file = ${cadir}/ca.pem<br />
+ ca_file = ${cadir}/cacrl.pem</pre><br />
<br />
<pre>- random_file = /dev/urandom<br />
+ random_file = /dev/random</pre><br />
<br />
<pre>- # check_crl = yes <br />
+ check_crl = yes</pre><br />
<br />
<br />
Reduce cipher list from DEFAULT to HIGH, or even a specific list:<br />
<pre>- cipher_list = "DEFAULT"<br />
+ cipher_list = "HIGH"</pre><br />
<br />
Or a shorter list if you decide (might cause some device compatibility issues)<br />
<pre>+ cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"</pre><br />
<br />
Change ecdh curve to something stronger:<br />
<pre>- ecdh_curve = "prime256v1"<br />
+ ecdh_curve = "secp384r1"</pre><br />
<br />
You can also increase the curve to a higher bit (521), but this may cause compatibility problems.<br />
<pre>+ ecdh_curve = "secp521r1"</pre><br />
<br />
These all worked with Android 4.4.4, but if you have older stuff you may need to set the list to HIGH or DEFAULT.<br />
<br />
Couple of other things to change:<br />
<br />
<pre>- #name = "EAP module"<br />
+ name = "EAP-TLS"</pre><br />
<br />
<pre>- #persist_dir = "${logdir}/tlscache"<br />
+ persist_dir = "${logdir}/tlscache"</pre><br />
<br />
== /etc/raddb/sites-enabled/default ==<br />
Change the listening port to what suits you<br />
<pre>- ipaddr = *<br />
+ ipv4addr = 192.168.1.1</pre><br />
<br />
Disable chap<br />
<pre># The chap module will set 'Auth-Type := CHAP' if we are<br />
# handling a CHAP request and Auth-Type has not already been set<br />
- chap<br />
+ # chap</pre><br />
<br />
Disable mschap<br />
<pre># the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'<br />
# to the request, which will cause the server to then use<br />
# the mschap module for authentication.<br />
- mschap<br />
+ # mschap</pre><br />
<br />
Disable pap<br />
<pre># This module should be listed last, so that the other modules<br />
# get a chance to set Auth-Type for themselves.<br />
<br />
- pap<br />
+ #pap</pre><br />
<br />
Disable the auth types we're not using<br />
<pre>- Auth-Type PAP {<br />
- pap<br />
- }<br />
+ #Auth-Type PAP {<br />
+ # pap<br />
+ #}<br />
<br />
- Auth-Type CHAP {<br />
- chap<br />
- }<br />
+ #Auth-Type CHAP {<br />
+ # chap<br />
+ #}<br />
<br />
- Auth-Type MS-CHAP {<br />
- mschap<br />
- }<br />
+ #Auth-Type MS-CHAP {<br />
+ # mschap<br />
+ #}</pre><br />
<br />
Enable eap<br />
<pre>-# eap<br />
+ eap</pre><br />
<br />
== /etc/raddb/sites-available/tls ==<br />
<br />
<pre>tls {<br />
- private_key_password = whatever<br />
+ private_key_password = <Password you set input_password in server.cnf><br />
private_key_file = ${certdir}/server.pem</pre><br />
<br />
= IPtables rules =<br />
Next up you're going to want some iptables rules.<br />
<br />
<pre>#Accept incoming connections from client FreeRadius<br />
iptables -A IN_ETH0 -p tcp -s 192.168.1.10/24 --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
iptables -A IN_ETH0 -p udp -s 192.168.1.10/24 --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT</pre><br />
<br />
I also noticed with the Ubiquiti devices you need to allow this for AP adoption to work:<br />
<br />
<pre>#Ubiquiti UAP Device Discovery Broadcast<br />
iptables -A IN_ETH0 -p udp -s 192.168.1.10/24 --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT</pre><br />
<br />
Note that these rules depend on the chains originally created here [[Linux Router with VPN on a Raspberry Pi#Basic IPtables firewall with routing]].<br />
<br />
= Configure AP =<br />
You're going to want to configure your access point to talk to your new Radius server.<br />
<br />
Using the secret and shortname from clients.conf enter them into your access point administration panel.<br />
<br />
Start Radius <br />
{{cmd|service radiusd start}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add radiusd default}}<br />
<br />
You can debug it with radiusd -X from the console, or check /var/log/radius/radius.log if that didn't work.<br />
<br />
= Configure a device =<br />
On Android I go into "Settings > Security > Install from Storage" and select ca.pem<br />
<br />
I then do "Settings > Security > Install from Storage" and select client.p12"<br />
<br />
After putting in the correct passwords it should work. On Android you may see a warning such as "Network May Be Monitored by an Unknown Third Party". You can fix this by moving the CA from /data/misc/keychain/cacerts-added to /system/etc/security/cacerts make sure the user and group are root and that the permissions are set to 644, ie readable by everyone, only root has permissions to write to the files. Keep it in /sdcard/ so you can move it back if you re-flash the phone with a newer ROM.<br />
<br />
= Revoke a certificate =<br />
If in the future you want to revoke the certificates of a particular user you can do this by:<br />
<br />
{{cmd|openssl ca -revoke user@example.com.pem -keyfile ca.key -cert ca.pem -config ca.cnf}}<br />
<enter output_password from ca.cnf><br />
<br />
Now, take a moment and open index.txt and you should see "R" next to cert index number. If you ever need to make this cert valid again, you would edit line with "R" to match other certs format.<br />
<br />
Now you need to create crl list again, just like it was done at the beginning of tutorial:<br />
<br />
{{cmd|openssl ca -gencrl -keyfile ca.key -cert ca.pem -out crl.pem -config crl.cnf}}<br />
<enter output_password from ca.cnf><br />
<br />
{{cmd|cat ca.pem crl.pem > cacrl.pem}}<br />
<br />
You need to restart FreeRadius after revoking certificates.<br />
{{cmd|service radiusd restart}}<br />
<br />
You can verify that a certificate is revoked with:<br />
{{cmd|openssl crl -in /etc/raddb/certs/cacrl.pem -text}}<br />
<br />
If no certificates are revoked you'll see:<br />
<pre>No Revoked Certificates.</pre><br />
<br />
If one or more certificates are revoked you'll see:<br />
<pre>Revoked Certificates:<br />
Serial Number: <number of your cert></pre><br />
<br />
= References =<br />
* https://forums.freebsd.org/threads/howto-wpa2-enterprise-with-freeradius.28467<br />
* https://samhobbs.co.uk/2013/12/remove-network-may-be-monitored-by-an-unknown-third-party-in-android-4-4-kitkat<br />
<br />
[[Category:Server]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=19351Linux Router with VPN on a Raspberry Pi2021-05-14T04:07:30Z<p>Dngray: /* Remove redundant section */</p>
<hr />
<div>{{TOC right}}<br />
<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255</pre><br />
<br />
<br />
=== PPP ===<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem.<br />
<br />
If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].<br />
<br />
You will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
<pre># External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
=== IPoE ===<br />
Alternatively it's quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:<br />
<br />
<pre># External interface to ISP<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet dhcp<br />
<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
<br />
iface eth1 inet6 manual</pre><br />
<br />
==== DHCP from ISP ====<br />
<br />
Above we set DHCP and we set a static IP. The purpose of this is so we can still forward packets through to the modem to be able to access the web interface or ssh.<br />
<br />
We do still need DHCP to get an IP address form our ISP though. I like to use dhcpcd instead of udhcp (the default in Alpine Linux), because it allows for [https://en.wikipedia.org/wiki/Prefix_delegation Prefix Delegation], which is used in IPv6 networks.<br />
<br />
My /etc/dhcpcd.conf looks like this:<br />
<br />
<pre># Enable extra debugging<br />
# debug<br />
# logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
# clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu 1586<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
allowinterfaces eth1 eth0.2<br />
# Use the interface connected to WAN<br />
interface eth1<br />
waitip 4<br />
noipv4ll<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64<br />
timeout 30<br />
<br />
interface eth0.2<br />
ipv6only</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Additional DNS level filtering ==<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost.<br />
<br />
{{Note| If you're filtering telemetry from Windows based PCs you should either use a [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services group policy] or [https://www.oo-software.com/en/shutup10 ShutUp10]}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== DNSCrypt ==<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']</pre><br />
<br />
== Add policy route for dnscrypt over VPN ==<br />
<br />
Add a [https://en.wikipedia.org/wiki/Policy-based_routing policy based route] based on the uid of the dnscrypt user. On Alpine Linux dnscrypt-proxy runs as a specific user so check /etc/passwd<br />
<br />
<pre>dnscrypt:x:103:104:dnscrypt:/var/empty:/sbin/nologin</pre><br />
<br />
In this example the dnscrypt user has the uid 103.<br />
<br />
{{Warning|Make sure you check the uid of your dnscrypt user and don't just copy the one here!}}<br />
<br />
Add this to [https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Ffwmark_rules fwmark_rules] eg:<br />
<br />
=== /etc/network/fwmark_rules ===<br />
<pre># Route DNSCrypt user through the VPN table<br />
/sbin/ip rule add uidrange 103-103 table VPN prio 200</pre><br />
<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]<br />
<br />
[[category: VPN]]<br />
[[category: Raspberry]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=19350Linux Router with VPN on a Raspberry Pi2021-05-14T03:14:52Z<p>Dngray: /* Use group policy to filter telemetry */</p>
<hr />
<div>{{TOC right}}<br />
<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255</pre><br />
<br />
<br />
=== PPP ===<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem.<br />
<br />
If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].<br />
<br />
You will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
<pre># External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
=== IPoE ===<br />
Alternatively it's quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:<br />
<br />
<pre># External interface to ISP<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet dhcp<br />
<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
<br />
iface eth1 inet6 manual</pre><br />
<br />
==== DHCP from ISP ====<br />
<br />
Above we set DHCP and we set a static IP. The purpose of this is so we can still forward packets through to the modem to be able to access the web interface or ssh.<br />
<br />
We do still need DHCP to get an IP address form our ISP though. I like to use dhcpcd instead of udhcp (the default in Alpine Linux), because it allows for [https://en.wikipedia.org/wiki/Prefix_delegation Prefix Delegation], which is used in IPv6 networks.<br />
<br />
My /etc/dhcpcd.conf looks like this:<br />
<br />
<pre># Enable extra debugging<br />
# debug<br />
# logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
# clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu 1586<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
allowinterfaces eth1 eth0.2<br />
# Use the interface connected to WAN<br />
interface eth1<br />
waitip 4<br />
noipv4ll<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64<br />
timeout 30<br />
<br />
interface eth0.2<br />
ipv6only</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Additional DNS level filtering ==<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost.<br />
<br />
{{Note| If you're filtering telemetry from Windows based PCs you should either use a [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services group policy] or [https://www.oo-software.com/en/shutup10 ShutUp10]}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== /etc/unbound/filter.conf ==<br />
<pre>local-zone: "a-0001.a-msedge.net" redirect<br />
local-data: "a-0001.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0001.dc-msedge.net" redirect<br />
local-data: "a-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "a-0002.a-msedge.net" redirect<br />
local-data: "a-0002.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0003.a-msedge.net" redirect<br />
local-data: "a-0003.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0004.a-msedge.net" redirect<br />
local-data: "a-0004.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0005.a-msedge.net" redirect<br />
local-data: "a-0005.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0006.a-msedge.net" redirect<br />
local-data: "a-0006.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0007.a-msedge.net" redirect<br />
local-data: "a-0007.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0008.a-msedge.net" redirect<br />
local-data: "a-0008.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0009.a-msedge.net" redirect<br />
local-data: "a-0009.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0010.a-msedge.net" redirect<br />
local-data: "a-0010.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0011.a-msedge.net" redirect<br />
local-data: "a-0011.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0012.a-msedge.net" redirect<br />
local-data: "a-0012.a-msedge.net A 0.0.0.1"<br />
local-zone: "a.ads1.msn.com" redirect<br />
local-data: "a.ads1.msn.com A 0.0.0.1"<br />
local-zone: "a.ads2.msads.net" redirect<br />
local-data: "a.ads2.msads.net A 0.0.0.1"<br />
local-zone: "a.ads2.msn.com" redirect<br />
local-data: "a.ads2.msn.com A 0.0.0.1"<br />
local-zone: "ac3.msn.com" redirect<br />
local-data: "ac3.msn.com A 0.0.0.1"<br />
local-zone: "activity.windows.com" redirect<br />
local-data: "activity.windows.com A 0.0.0.1"<br />
local-zone: "adnexus.net" redirect<br />
local-data: "adnexus.net A 0.0.0.1"<br />
local-zone: "adnxs.com" redirect<br />
local-data: "adnxs.com A 0.0.0.1"<br />
local-zone: "ads1.msads.net" redirect<br />
local-data: "ads1.msads.net A 0.0.0.1"<br />
local-zone: "ads1.msn.com" redirect<br />
local-data: "ads1.msn.com A 0.0.0.1"<br />
local-zone: "ads.msn.com" redirect<br />
local-data: "ads.msn.com A 0.0.0.1"<br />
local-zone: "aidps.atdmt.com" redirect<br />
local-data: "aidps.atdmt.com A 0.0.0.1"<br />
local-zone: "aka-cdn-ns.adtech.de" redirect<br />
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"<br />
local-zone: "a-msedge.net" redirect<br />
local-data: "a-msedge.net A 0.0.0.1"<br />
local-zone: "a.rad.msn.com" redirect<br />
local-data: "a.rad.msn.com A 0.0.0.1"<br />
local-zone: "array101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array102-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array102-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array103-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array103-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array104-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array104-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array202-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array202-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array203-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array203-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array204-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array204-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array402-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array402-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array403-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array403-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array404-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array404-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array405-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array405-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array406-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array406-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array407-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array407-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array408-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array408-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "ars.smartscreen.microsoft.com" redirect<br />
local-data: "ars.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "az361816.vo.msecnd.net" redirect<br />
local-data: "az361816.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "az512334.vo.msecnd.net" redirect<br />
local-data: "az512334.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "b.ads1.msn.com" redirect<br />
local-data: "b.ads1.msn.com A 0.0.0.1"<br />
local-zone: "b.ads2.msads.net" redirect<br />
local-data: "b.ads2.msads.net A 0.0.0.1"<br />
local-zone: "bingads.microsoft.com" redirect<br />
local-data: "bingads.microsoft.com A 0.0.0.1"<br />
local-zone: "bl3301-a.1drv.com" redirect<br />
local-data: "bl3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-c.1drv.com" redirect<br />
local-data: "bl3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-g.1drv.com" redirect<br />
local-data: "bl3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "blob.weather.microsoft.com" redirect<br />
local-data: "blob.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "bn1304-e.1drv.com" redirect<br />
local-data: "bn1304-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-a.1drv.com" redirect<br />
local-data: "bn1306-a.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-e.1drv.com" redirect<br />
local-data: "bn1306-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-g.1drv.com" redirect<br />
local-data: "bn1306-g.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor002.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor003.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor003.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor004.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor004.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2wns1.wns.windows.com" redirect<br />
local-data: "bn2wns1.wns.windows.com A 0.0.0.1"<br />
local-zone: "bn3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn3sch020022328.wns.windows.com" redirect<br />
local-data: "bn3sch020022328.wns.windows.com A 0.0.0.1"<br />
local-zone: "b.rad.msn.com" redirect<br />
local-data: "b.rad.msn.com A 0.0.0.1"<br />
local-zone: "bs.serving-sys.com" redirect<br />
local-data: "bs.serving-sys.com A 0.0.0.1"<br />
local-zone: "by3301-a.1drv.com" redirect<br />
local-data: "by3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-c.1drv.com" redirect<br />
local-data: "by3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-e.1drv.com" redirect<br />
local-data: "by3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "c-0001.dc-msedge.net" redirect<br />
local-data: "c-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "cache.datamart.windows.com" redirect<br />
local-data: "cache.datamart.windows.com A 0.0.0.1"<br />
local-zone: "candycrushsoda.king.com" redirect<br />
local-data: "candycrushsoda.king.com A 0.0.0.1"<br />
local-zone: "c.atdmt.com" redirect<br />
local-data: "c.atdmt.com A 0.0.0.1"<br />
local-zone: "ca.telemetry.microsoft.com" redirect<br />
local-data: "ca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "cdn.atdmt.com" redirect<br />
local-data: "cdn.atdmt.com A 0.0.0.1"<br />
local-zone: "cdn.content.prod.cms.msn.com" redirect<br />
local-data: "cdn.content.prod.cms.msn.com A 0.0.0.1"<br />
local-zone: "cdn.onenote.net" redirect<br />
local-data: "cdn.onenote.net A 0.0.0.1"<br />
local-zone: "cds1204.lon.llnw.net" redirect<br />
local-data: "cds1204.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds1293.lon.llnw.net" redirect<br />
local-data: "cds1293.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds20417.lcy.llnw.net" redirect<br />
local-data: "cds20417.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20431.lcy.llnw.net" redirect<br />
local-data: "cds20431.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20450.lcy.llnw.net" redirect<br />
local-data: "cds20450.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20457.lcy.llnw.net" redirect<br />
local-data: "cds20457.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20475.lcy.llnw.net" redirect<br />
local-data: "cds20475.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds21244.lon.llnw.net" redirect<br />
local-data: "cds21244.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds26.ams9.msecn.net" redirect<br />
local-data: "cds26.ams9.msecn.net A 0.0.0.1"<br />
local-zone: "cds425.lcy.llnw.net" redirect<br />
local-data: "cds425.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds459.lcy.llnw.net" redirect<br />
local-data: "cds459.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds494.lcy.llnw.net" redirect<br />
local-data: "cds494.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds965.lon.llnw.net" redirect<br />
local-data: "cds965.lon.llnw.net A 0.0.0.1"<br />
local-zone: "ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-c.1drv.com" redirect<br />
local-data: "ch3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-e.1drv.com" redirect<br />
local-data: "ch3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-g.1drv.com" redirect<br />
local-data: "ch3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-c.1drv.com" redirect<br />
local-data: "ch3302-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-e.1drv.com" redirect<br />
local-data: "ch3302-e.1drv.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com" redirect<br />
local-data: "choice.microsoft.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com.nsatc.net" redirect<br />
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "clientconfig.passport.net" redirect<br />
local-data: "clientconfig.passport.net A 0.0.0.1"<br />
local-zone: "client-s.gateway.messenger.live.com" redirect<br />
local-data: "client-s.gateway.messenger.live.com A 0.0.0.1"<br />
local-zone: "client.wns.windows.com" redirect<br />
local-data: "client.wns.windows.com A 0.0.0.1"<br />
local-zone: "c.msn.com" redirect<br />
local-data: "c.msn.com A 0.0.0.1"<br />
local-zone: "compatexchange1.trafficmanager.net" redirect<br />
local-data: "compatexchange1.trafficmanager.net A 0.0.0.1"<br />
local-zone: "compatexchange.cloudapp.net" redirect<br />
local-data: "compatexchange.cloudapp.net A 0.0.0.1"<br />
local-zone: "continuum.dds.microsoft.com" redirect<br />
local-data: "continuum.dds.microsoft.com A 0.0.0.1"<br />
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect<br />
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "corp.sts.microsoft.com" redirect<br />
local-data: "corp.sts.microsoft.com A 0.0.0.1"<br />
local-zone: "cp101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cs1.wpc.v0cdn.net" redirect<br />
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"<br />
local-zone: "db3aqu.atdmt.com" redirect<br />
local-data: "db3aqu.atdmt.com A 0.0.0.1"<br />
local-zone: "db3wns2011111.wns.windows.com" redirect<br />
local-data: "db3wns2011111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100122.wns.windows.com" redirect<br />
local-data: "db5sch101100122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100127.wns.windows.com" redirect<br />
local-data: "db5sch101100127.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100831.wns.windows.com" redirect<br />
local-data: "db5sch101100831.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100835.wns.windows.com" redirect<br />
local-data: "db5sch101100835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100917.wns.windows.com" redirect<br />
local-data: "db5sch101100917.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100925.wns.windows.com" redirect<br />
local-data: "db5sch101100925.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100928.wns.windows.com" redirect<br />
local-data: "db5sch101100928.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100938.wns.windows.com" redirect<br />
local-data: "db5sch101100938.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101001.wns.windows.com" redirect<br />
local-data: "db5sch101101001.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101022.wns.windows.com" redirect<br />
local-data: "db5sch101101022.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101024.wns.windows.com" redirect<br />
local-data: "db5sch101101024.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101031.wns.windows.com" redirect<br />
local-data: "db5sch101101031.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101034.wns.windows.com" redirect<br />
local-data: "db5sch101101034.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101042.wns.windows.com" redirect<br />
local-data: "db5sch101101042.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101044.wns.windows.com" redirect<br />
local-data: "db5sch101101044.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101122.wns.windows.com" redirect<br />
local-data: "db5sch101101122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101123.wns.windows.com" redirect<br />
local-data: "db5sch101101123.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101125.wns.windows.com" redirect<br />
local-data: "db5sch101101125.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101128.wns.windows.com" redirect<br />
local-data: "db5sch101101128.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101129.wns.windows.com" redirect<br />
local-data: "db5sch101101129.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101133.wns.windows.com" redirect<br />
local-data: "db5sch101101133.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101145.wns.windows.com" redirect<br />
local-data: "db5sch101101145.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101209.wns.windows.com" redirect<br />
local-data: "db5sch101101209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101221.wns.windows.com" redirect<br />
local-data: "db5sch101101221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101228.wns.windows.com" redirect<br />
local-data: "db5sch101101228.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101231.wns.windows.com" redirect<br />
local-data: "db5sch101101231.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101237.wns.windows.com" redirect<br />
local-data: "db5sch101101237.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101317.wns.windows.com" redirect<br />
local-data: "db5sch101101317.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101324.wns.windows.com" redirect<br />
local-data: "db5sch101101324.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101329.wns.windows.com" redirect<br />
local-data: "db5sch101101329.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101333.wns.windows.com" redirect<br />
local-data: "db5sch101101333.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101334.wns.windows.com" redirect<br />
local-data: "db5sch101101334.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101338.wns.windows.com" redirect<br />
local-data: "db5sch101101338.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101419.wns.windows.com" redirect<br />
local-data: "db5sch101101419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101424.wns.windows.com" redirect<br />
local-data: "db5sch101101424.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101426.wns.windows.com" redirect<br />
local-data: "db5sch101101426.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101427.wns.windows.com" redirect<br />
local-data: "db5sch101101427.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101430.wns.windows.com" redirect<br />
local-data: "db5sch101101430.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101445.wns.windows.com" redirect<br />
local-data: "db5sch101101445.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101511.wns.windows.com" redirect<br />
local-data: "db5sch101101511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101519.wns.windows.com" redirect<br />
local-data: "db5sch101101519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101529.wns.windows.com" redirect<br />
local-data: "db5sch101101529.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101535.wns.windows.com" redirect<br />
local-data: "db5sch101101535.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101541.wns.windows.com" redirect<br />
local-data: "db5sch101101541.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101543.wns.windows.com" redirect<br />
local-data: "db5sch101101543.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101608.wns.windows.com" redirect<br />
local-data: "db5sch101101608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101618.wns.windows.com" redirect<br />
local-data: "db5sch101101618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101629.wns.windows.com" redirect<br />
local-data: "db5sch101101629.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101631.wns.windows.com" redirect<br />
local-data: "db5sch101101631.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101633.wns.windows.com" redirect<br />
local-data: "db5sch101101633.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101640.wns.windows.com" redirect<br />
local-data: "db5sch101101640.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101711.wns.windows.com" redirect<br />
local-data: "db5sch101101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101722.wns.windows.com" redirect<br />
local-data: "db5sch101101722.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101739.wns.windows.com" redirect<br />
local-data: "db5sch101101739.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101745.wns.windows.com" redirect<br />
local-data: "db5sch101101745.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101813.wns.windows.com" redirect<br />
local-data: "db5sch101101813.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101820.wns.windows.com" redirect<br />
local-data: "db5sch101101820.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101826.wns.windows.com" redirect<br />
local-data: "db5sch101101826.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101835.wns.windows.com" redirect<br />
local-data: "db5sch101101835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101837.wns.windows.com" redirect<br />
local-data: "db5sch101101837.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101844.wns.windows.com" redirect<br />
local-data: "db5sch101101844.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101907.wns.windows.com" redirect<br />
local-data: "db5sch101101907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101914.wns.windows.com" redirect<br />
local-data: "db5sch101101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101929.wns.windows.com" redirect<br />
local-data: "db5sch101101929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101939.wns.windows.com" redirect<br />
local-data: "db5sch101101939.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101941.wns.windows.com" redirect<br />
local-data: "db5sch101101941.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102015.wns.windows.com" redirect<br />
local-data: "db5sch101102015.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102017.wns.windows.com" redirect<br />
local-data: "db5sch101102017.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102019.wns.windows.com" redirect<br />
local-data: "db5sch101102019.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102023.wns.windows.com" redirect<br />
local-data: "db5sch101102023.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102025.wns.windows.com" redirect<br />
local-data: "db5sch101102025.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102032.wns.windows.com" redirect<br />
local-data: "db5sch101102032.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102033.wns.windows.com" redirect<br />
local-data: "db5sch101102033.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110108.wns.windows.com" redirect<br />
local-data: "db5sch101110108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110109.wns.windows.com" redirect<br />
local-data: "db5sch101110109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110114.wns.windows.com" redirect<br />
local-data: "db5sch101110114.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110135.wns.windows.com" redirect<br />
local-data: "db5sch101110135.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110142.wns.windows.com" redirect<br />
local-data: "db5sch101110142.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110204.wns.windows.com" redirect<br />
local-data: "db5sch101110204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110206.wns.windows.com" redirect<br />
local-data: "db5sch101110206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110214.wns.windows.com" redirect<br />
local-data: "db5sch101110214.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110225.wns.windows.com" redirect<br />
local-data: "db5sch101110225.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110232.wns.windows.com" redirect<br />
local-data: "db5sch101110232.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110245.wns.windows.com" redirect<br />
local-data: "db5sch101110245.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110315.wns.windows.com" redirect<br />
local-data: "db5sch101110315.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110323.wns.windows.com" redirect<br />
local-data: "db5sch101110323.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110325.wns.windows.com" redirect<br />
local-data: "db5sch101110325.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110328.wns.windows.com" redirect<br />
local-data: "db5sch101110328.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110331.wns.windows.com" redirect<br />
local-data: "db5sch101110331.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110341.wns.windows.com" redirect<br />
local-data: "db5sch101110341.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110343.wns.windows.com" redirect<br />
local-data: "db5sch101110343.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110345.wns.windows.com" redirect<br />
local-data: "db5sch101110345.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110403.wns.windows.com" redirect<br />
local-data: "db5sch101110403.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110419.wns.windows.com" redirect<br />
local-data: "db5sch101110419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110438.wns.windows.com" redirect<br />
local-data: "db5sch101110438.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110442.wns.windows.com" redirect<br />
local-data: "db5sch101110442.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110501.wns.windows.com" redirect<br />
local-data: "db5sch101110501.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110527.wns.windows.com" redirect<br />
local-data: "db5sch101110527.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110533.wns.windows.com" redirect<br />
local-data: "db5sch101110533.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110618.wns.windows.com" redirect<br />
local-data: "db5sch101110618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110622.wns.windows.com" redirect<br />
local-data: "db5sch101110622.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110624.wns.windows.com" redirect<br />
local-data: "db5sch101110624.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110626.wns.windows.com" redirect<br />
local-data: "db5sch101110626.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110634.wns.windows.com" redirect<br />
local-data: "db5sch101110634.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110705.wns.windows.com" redirect<br />
local-data: "db5sch101110705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110724.wns.windows.com" redirect<br />
local-data: "db5sch101110724.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110740.wns.windows.com" redirect<br />
local-data: "db5sch101110740.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110810.wns.windows.com" redirect<br />
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110816.wns.windows.com" redirect<br />
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110821.wns.windows.com" redirect<br />
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110822.wns.windows.com" redirect<br />
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110825.wns.windows.com" redirect<br />
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110828.wns.windows.com" redirect<br />
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110835.wns.windows.com" redirect<br />
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110919.wns.windows.com" redirect<br />
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110921.wns.windows.com" redirect<br />
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110923.wns.windows.com" redirect<br />
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110929.wns.windows.com" redirect<br />
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103081814.wns.windows.com" redirect<br />
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082011.wns.windows.com" redirect<br />
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082111.wns.windows.com" redirect<br />
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082308.wns.windows.com" redirect<br />
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082406.wns.windows.com" redirect<br />
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082409.wns.windows.com" redirect<br />
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082609.wns.windows.com" redirect<br />
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082611.wns.windows.com" redirect<br />
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082709.wns.windows.com" redirect<br />
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082712.wns.windows.com" redirect<br />
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082806.wns.windows.com" redirect<br />
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090115.wns.windows.com" redirect<br />
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090415.wns.windows.com" redirect<br />
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090513.wns.windows.com" redirect<br />
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090515.wns.windows.com" redirect<br />
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090608.wns.windows.com" redirect<br />
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090806.wns.windows.com" redirect<br />
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090814.wns.windows.com" redirect<br />
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090906.wns.windows.com" redirect<br />
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091011.wns.windows.com" redirect<br />
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091012.wns.windows.com" redirect<br />
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091106.wns.windows.com" redirect<br />
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091108.wns.windows.com" redirect<br />
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091212.wns.windows.com" redirect<br />
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091311.wns.windows.com" redirect<br />
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091414.wns.windows.com" redirect<br />
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091511.wns.windows.com" redirect<br />
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091617.wns.windows.com" redirect<br />
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091715.wns.windows.com" redirect<br />
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091817.wns.windows.com" redirect<br />
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091908.wns.windows.com" redirect<br />
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091911.wns.windows.com" redirect<br />
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092010.wns.windows.com" redirect<br />
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092108.wns.windows.com" redirect<br />
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092109.wns.windows.com" redirect<br />
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092209.wns.windows.com" redirect<br />
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092210.wns.windows.com" redirect<br />
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092509.wns.windows.com" redirect<br />
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100117.wns.windows.com" redirect<br />
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100121.wns.windows.com" redirect<br />
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100221.wns.windows.com" redirect<br />
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100313.wns.windows.com" redirect<br />
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100314.wns.windows.com" redirect<br />
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100510.wns.windows.com" redirect<br />
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100511.wns.windows.com" redirect<br />
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100611.wns.windows.com" redirect<br />
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100712.wns.windows.com" redirect<br />
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101105.wns.windows.com" redirect<br />
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101208.wns.windows.com" redirect<br />
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101212.wns.windows.com" redirect<br />
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101314.wns.windows.com" redirect<br />
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101411.wns.windows.com" redirect<br />
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101413.wns.windows.com" redirect<br />
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101513.wns.windows.com" redirect<br />
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101610.wns.windows.com" redirect<br />
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101611.wns.windows.com" redirect<br />
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101705.wns.windows.com" redirect<br />
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101711.wns.windows.com" redirect<br />
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101909.wns.windows.com" redirect<br />
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101914.wns.windows.com" redirect<br />
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102009.wns.windows.com" redirect<br />
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102112.wns.windows.com" redirect<br />
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102203.wns.windows.com" redirect<br />
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102209.wns.windows.com" redirect<br />
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102310.wns.windows.com" redirect<br />
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102404.wns.windows.com" redirect<br />
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102609.wns.windows.com" redirect<br />
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102610.wns.windows.com" redirect<br />
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102805.wns.windows.com" redirect<br />
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5wns1d.wns.windows.com" redirect<br />
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5.wns.windows.com" redirect<br />
local-data: "db5.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090104.wns.windows.com" redirect<br />
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090112.wns.windows.com" redirect<br />
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090116.wns.windows.com" redirect<br />
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090122.wns.windows.com" redirect<br />
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090203.wns.windows.com" redirect<br />
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090206.wns.windows.com" redirect<br />
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090208.wns.windows.com" redirect<br />
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090209.wns.windows.com" redirect<br />
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090211.wns.windows.com" redirect<br />
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090305.wns.windows.com" redirect<br />
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090306.wns.windows.com" redirect<br />
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090308.wns.windows.com" redirect<br />
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090311.wns.windows.com" redirect<br />
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090313.wns.windows.com" redirect<br />
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090410.wns.windows.com" redirect<br />
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090412.wns.windows.com" redirect<br />
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090504.wns.windows.com" redirect<br />
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090510.wns.windows.com" redirect<br />
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090512.wns.windows.com" redirect<br />
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090513.wns.windows.com" redirect<br />
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090514.wns.windows.com" redirect<br />
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090519.wns.windows.com" redirect<br />
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090613.wns.windows.com" redirect<br />
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090619.wns.windows.com" redirect<br />
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090810.wns.windows.com" redirect<br />
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090811.wns.windows.com" redirect<br />
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090902.wns.windows.com" redirect<br />
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090905.wns.windows.com" redirect<br />
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090907.wns.windows.com" redirect<br />
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090908.wns.windows.com" redirect<br />
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090910.wns.windows.com" redirect<br />
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090911.wns.windows.com" redirect<br />
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091003.wns.windows.com" redirect<br />
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091007.wns.windows.com" redirect<br />
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091008.wns.windows.com" redirect<br />
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091009.wns.windows.com" redirect<br />
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091011.wns.windows.com" redirect<br />
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091103.wns.windows.com" redirect<br />
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091105.wns.windows.com" redirect<br />
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091204.wns.windows.com" redirect<br />
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091209.wns.windows.com" redirect<br />
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091305.wns.windows.com" redirect<br />
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091307.wns.windows.com" redirect<br />
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091308.wns.windows.com" redirect<br />
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091309.wns.windows.com" redirect<br />
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091314.wns.windows.com" redirect<br />
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091412.wns.windows.com" redirect<br />
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091503.wns.windows.com" redirect<br />
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091507.wns.windows.com" redirect<br />
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091602.wns.windows.com" redirect<br />
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091603.wns.windows.com" redirect<br />
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091606.wns.windows.com" redirect<br />
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091607.wns.windows.com" redirect<br />
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"<br />
local-zone: "deploy.static.akamaitechnologies.com" redirect<br />
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"<br />
local-zone: "device.auth.xboxlive.com" redirect<br />
local-data: "device.auth.xboxlive.com A 0.0.0.1"<br />
local-zone: "dev.virtualearth.net" redirect<br />
local-data: "dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "df.telemetry.microsoft.com" redirect<br />
local-data: "df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "diagnostics.support.microsoft.com" redirect<br />
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"<br />
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "dmd.metaservices.microsoft.com" redirect<br />
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "dns.msftncsi.com" redirect<br />
local-data: "dns.msftncsi.com A 0.0.0.1"<br />
local-zone: "ec.atdmt.com" redirect<br />
local-data: "ec.atdmt.com A 0.0.0.1"<br />
local-zone: "ecn.dev.virtualearth.net" redirect<br />
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "eu.vortex.data.microsoft.com" redirect<br />
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.microsoft-hohm.com" redirect<br />
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"<br />
local-zone: "feedback.search.microsoft.com" redirect<br />
local-data: "feedback.search.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.windows.com" redirect<br />
local-data: "feedback.windows.com A 0.0.0.1"<br />
local-zone: "flex.msn.com" redirect<br />
local-data: "flex.msn.com A 0.0.0.1"<br />
local-zone: "fs.microsoft.com" redirect<br />
local-data: "fs.microsoft.com A 0.0.0.1"<br />
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "g.msn.com" redirect<br />
local-data: "g.msn.com A 0.0.0.1"<br />
local-zone: "h1.msn.com" redirect<br />
local-data: "h1.msn.com A 0.0.0.1"<br />
local-zone: "h2.msn.com" redirect<br />
local-data: "h2.msn.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com" redirect<br />
local-data: "i1.services.social.microsoft.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect<br />
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "img-s-msn-com.akamaized.net" redirect<br />
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"<br />
local-zone: "inference.location.live.net" redirect<br />
local-data: "inference.location.live.net A 0.0.0.1"<br />
local-zone: "insiderppe.cloudapp.net" redirect<br />
local-data: "insiderppe.cloudapp.net A 0.0.0.1"<br />
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "lb1.www.ms.akadns.net" redirect<br />
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"<br />
local-zone: "licensing.mp.microsoft.com" redirect<br />
local-data: "licensing.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "live.rads.msn.com" redirect<br />
local-data: "live.rads.msn.com A 0.0.0.1"<br />
local-zone: "ls2web.redmond.corp.microsoft.com" redirect<br />
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"<br />
local-zone: "m.adnxs.com" redirect<br />
local-data: "m.adnxs.com A 0.0.0.1"<br />
local-zone: "mediaredirect.microsoft.com" redirect<br />
local-data: "mediaredirect.microsoft.com A 0.0.0.1"<br />
local-zone: "mobile.pipe.aria.microsoft.com" redirect<br />
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"<br />
local-zone: "msedge.net" redirect<br />
local-data: "msedge.net A 0.0.0.1"<br />
local-zone: "msftncsi.com" redirect<br />
local-data: "msftncsi.com A 0.0.0.1"<br />
local-zone: "msntest.serving-sys.com" redirect<br />
local-data: "msntest.serving-sys.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com" redirect<br />
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "officeclient.microsoft.com" redirect<br />
local-data: "officeclient.microsoft.com A 0.0.0.1"<br />
local-zone: "oneclient.sfx.ms" redirect<br />
local-data: "oneclient.sfx.ms A 0.0.0.1"<br />
local-zone: "pre.footprintpredict.com" redirect<br />
local-data: "pre.footprintpredict.com A 0.0.0.1"<br />
local-zone: "preview.msn.com" redirect<br />
local-data: "preview.msn.com A 0.0.0.1"<br />
local-zone: "pti.store.microsoft.com" redirect<br />
local-data: "pti.store.microsoft.com A 0.0.0.1"<br />
local-zone: "query.prod.cms.rt.microsoft.com" redirect<br />
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"<br />
local-zone: "rad.msn.com" redirect<br />
local-data: "rad.msn.com A 0.0.0.1"<br />
local-zone: "redir.metaservices.microsoft.com" redirect<br />
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "register.cdpcs.microsoft.com" redirect<br />
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"<br />
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "s0.2mdn.net" redirect<br />
local-data: "s0.2mdn.net A 0.0.0.1"<br />
local-zone: "schemas.microsoft.akadns.net" redirect<br />
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "search.msn.com" redirect<br />
local-data: "search.msn.com A 0.0.0.1"<br />
local-zone: "secure.adnxs.com" redirect<br />
local-data: "secure.adnxs.com A 0.0.0.1"<br />
local-zone: "secure.flashtalking.com" redirect<br />
local-data: "secure.flashtalking.com A 0.0.0.1"<br />
local-zone: "services.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.glbdns2.microsoft.com" redirect<br />
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.microsoft.com" redirect<br />
local-data: "settings.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-sandbox.data.microsoft.com" redirect<br />
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-ssl.xboxlive.com" redirect<br />
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"<br />
local-zone: "settings-win.data.microsoft.com" redirect<br />
local-data: "settings-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-win-ppe.data.microsoft.com" redirect<br />
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"<br />
local-zone: "sn3301-c.1drv.com" redirect<br />
local-data: "sn3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-e.1drv.com" redirect<br />
local-data: "sn3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-g.1drv.com" redirect<br />
local-data: "sn3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "so.2mdn.net" redirect<br />
local-data: "so.2mdn.net A 0.0.0.1"<br />
local-zone: "spynet2.microsoft.com" redirect<br />
local-data: "spynet2.microsoft.com A 0.0.0.1"<br />
local-zone: "spynetalt.microsoft.com" redirect<br />
local-data: "spynetalt.microsoft.com A 0.0.0.1"<br />
local-zone: "spyneteurope.microsoft.akadns.net" redirect<br />
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "sqm.df.telemetry.microsoft.com" redirect<br />
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com" redirect<br />
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "static.2mdn.net" redirect<br />
local-data: "static.2mdn.net A 0.0.0.1"<br />
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect<br />
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"<br />
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect<br />
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "store-images.s-microsoft.com" redirect<br />
local-data: "store-images.s-microsoft.com A 0.0.0.1"<br />
local-zone: "support.microsoft.com" redirect<br />
local-data: "support.microsoft.com A 0.0.0.1"<br />
local-zone: "survey.watson.microsoft.com" redirect<br />
local-data: "survey.watson.microsoft.com A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com" redirect<br />
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "telemetry.appex.bing.net" redirect<br />
local-data: "telemetry.appex.bing.net A 0.0.0.1"<br />
local-zone: "telemetry.microsoft.com" redirect<br />
local-data: "telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telemetry.urs.microsoft.com" redirect<br />
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"<br />
local-zone: "test.activity.windows.com" redirect<br />
local-data: "test.activity.windows.com A 0.0.0.1"<br />
local-zone: "tile-service.weather.microsoft.com" redirect<br />
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "time.windows.com" redirect<br />
local-data: "time.windows.com A 0.0.0.1"<br />
local-zone: "tk2.plt.msn.com" redirect<br />
local-data: "tk2.plt.msn.com A 0.0.0.1"<br />
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect<br />
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "urs.smartscreen.microsoft.com" redirect<br />
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.microsoft.com" redirect<br />
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "version.hybrid.api.here.com" redirect<br />
local-data: "version.hybrid.api.here.com A 0.0.0.1"<br />
local-zone: "view.atdmt.com" redirect<br />
local-data: "view.atdmt.com A 0.0.0.1"<br />
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.glbdns2.microsoft.com" redirect<br />
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.microsoft.com" redirect<br />
local-data: "vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-sandbox.data.microsoft.com" redirect<br />
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-win.data.microsoft.com" redirect<br />
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.microsoft.com" redirect<br />
local-data: "watson.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.ppe.telemetry.microsoft.com" redirect<br />
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com" redirect<br />
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "wdcpalt.microsoft.com" redirect<br />
local-data: "wdcpalt.microsoft.com A 0.0.0.1"<br />
local-zone: "wdcp.microsoft.com" redirect<br />
local-data: "wdcp.microsoft.com A 0.0.0.1"<br />
local-zone: "web.vortex.data.microsoft.com" redirect<br />
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "wes.df.telemetry.microsoft.com" redirect<br />
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "win10.ipv6.microsoft.com" redirect<br />
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "win10-trt.msedge.net" redirect<br />
local-data: "win10-trt.msedge.net A 0.0.0.1"<br />
local-zone: "win1710.ipv6.microsoft.com" redirect<br />
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "wscont.apps.microsoft.com" redirect<br />
local-data: "wscont.apps.microsoft.com A 0.0.0.1"<br />
local-zone: "www.msedge.net" redirect<br />
local-data: "www.msedge.net A 0.0.0.1"<br />
local-zone: "www.msftconnecttest.com" redirect<br />
local-data: "www.msftconnecttest.com A 0.0.0.1"<br />
local-zone: "www.msftncsi.com" redirect<br />
local-data: "www.msftncsi.com A 0.0.0.1"</pre><br />
<br />
== DNSCrypt ==<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']</pre><br />
<br />
== Add policy route for dnscrypt over VPN ==<br />
<br />
Add a [https://en.wikipedia.org/wiki/Policy-based_routing policy based route] based on the uid of the dnscrypt user. On Alpine Linux dnscrypt-proxy runs as a specific user so check /etc/passwd<br />
<br />
<pre>dnscrypt:x:103:104:dnscrypt:/var/empty:/sbin/nologin</pre><br />
<br />
In this example the dnscrypt user has the uid 103.<br />
<br />
{{Warning|Make sure you check the uid of your dnscrypt user and don't just copy the one here!}}<br />
<br />
Add this to [https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Ffwmark_rules fwmark_rules] eg:<br />
<br />
=== /etc/network/fwmark_rules ===<br />
<pre># Route DNSCrypt user through the VPN table<br />
/sbin/ip rule add uidrange 103-103 table VPN prio 200</pre><br />
<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]<br />
<br />
[[category: VPN]]<br />
[[category: Raspberry]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=19349Linux Router with VPN on a Raspberry Pi2021-05-14T03:09:51Z<p>Dngray: /* fix warning */</p>
<hr />
<div>{{TOC right}}<br />
<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255</pre><br />
<br />
<br />
=== PPP ===<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem.<br />
<br />
If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].<br />
<br />
You will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
<pre># External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
=== IPoE ===<br />
Alternatively it's quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:<br />
<br />
<pre># External interface to ISP<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet dhcp<br />
<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
<br />
iface eth1 inet6 manual</pre><br />
<br />
==== DHCP from ISP ====<br />
<br />
Above we set DHCP and we set a static IP. The purpose of this is so we can still forward packets through to the modem to be able to access the web interface or ssh.<br />
<br />
We do still need DHCP to get an IP address form our ISP though. I like to use dhcpcd instead of udhcp (the default in Alpine Linux), because it allows for [https://en.wikipedia.org/wiki/Prefix_delegation Prefix Delegation], which is used in IPv6 networks.<br />
<br />
My /etc/dhcpcd.conf looks like this:<br />
<br />
<pre># Enable extra debugging<br />
# debug<br />
# logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
# clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu 1586<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
allowinterfaces eth1 eth0.2<br />
# Use the interface connected to WAN<br />
interface eth1<br />
waitip 4<br />
noipv4ll<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64<br />
timeout 30<br />
<br />
interface eth0.2<br />
ipv6only</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Blocking Microsoft Telemetry on the network by domain ==<br />
Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found [https://www.privacytools.io/operating-systems/#win10 here].<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie [https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS/DWSResources.cs#L210 Destroy-Windows-10-Spying], [https://github.com/10se1ucgo/DisableWinTracking/blob/master/dwt.py#L333 DisableWinTracking], [https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1#L19 Debloat-Windows-10] and [https://github.com/pragmatrix/Dominator/blob/master/Dominator.Windows10/Settings/telemetry.txt Dominator.Windows10]. I have prepared the list further down: [[Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf]].<br />
<br />
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/uBlock_Origin uBlock Origin].<br />
<br />
Another way is to disable this stuff with a group policy see [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services Manage connections from Windows operating system components to Microsoft services] only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== /etc/unbound/filter.conf ==<br />
<pre>local-zone: "a-0001.a-msedge.net" redirect<br />
local-data: "a-0001.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0001.dc-msedge.net" redirect<br />
local-data: "a-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "a-0002.a-msedge.net" redirect<br />
local-data: "a-0002.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0003.a-msedge.net" redirect<br />
local-data: "a-0003.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0004.a-msedge.net" redirect<br />
local-data: "a-0004.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0005.a-msedge.net" redirect<br />
local-data: "a-0005.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0006.a-msedge.net" redirect<br />
local-data: "a-0006.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0007.a-msedge.net" redirect<br />
local-data: "a-0007.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0008.a-msedge.net" redirect<br />
local-data: "a-0008.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0009.a-msedge.net" redirect<br />
local-data: "a-0009.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0010.a-msedge.net" redirect<br />
local-data: "a-0010.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0011.a-msedge.net" redirect<br />
local-data: "a-0011.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0012.a-msedge.net" redirect<br />
local-data: "a-0012.a-msedge.net A 0.0.0.1"<br />
local-zone: "a.ads1.msn.com" redirect<br />
local-data: "a.ads1.msn.com A 0.0.0.1"<br />
local-zone: "a.ads2.msads.net" redirect<br />
local-data: "a.ads2.msads.net A 0.0.0.1"<br />
local-zone: "a.ads2.msn.com" redirect<br />
local-data: "a.ads2.msn.com A 0.0.0.1"<br />
local-zone: "ac3.msn.com" redirect<br />
local-data: "ac3.msn.com A 0.0.0.1"<br />
local-zone: "activity.windows.com" redirect<br />
local-data: "activity.windows.com A 0.0.0.1"<br />
local-zone: "adnexus.net" redirect<br />
local-data: "adnexus.net A 0.0.0.1"<br />
local-zone: "adnxs.com" redirect<br />
local-data: "adnxs.com A 0.0.0.1"<br />
local-zone: "ads1.msads.net" redirect<br />
local-data: "ads1.msads.net A 0.0.0.1"<br />
local-zone: "ads1.msn.com" redirect<br />
local-data: "ads1.msn.com A 0.0.0.1"<br />
local-zone: "ads.msn.com" redirect<br />
local-data: "ads.msn.com A 0.0.0.1"<br />
local-zone: "aidps.atdmt.com" redirect<br />
local-data: "aidps.atdmt.com A 0.0.0.1"<br />
local-zone: "aka-cdn-ns.adtech.de" redirect<br />
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"<br />
local-zone: "a-msedge.net" redirect<br />
local-data: "a-msedge.net A 0.0.0.1"<br />
local-zone: "a.rad.msn.com" redirect<br />
local-data: "a.rad.msn.com A 0.0.0.1"<br />
local-zone: "array101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array102-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array102-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array103-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array103-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array104-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array104-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array202-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array202-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array203-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array203-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array204-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array204-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array402-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array402-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array403-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array403-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array404-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array404-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array405-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array405-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array406-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array406-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array407-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array407-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array408-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array408-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "ars.smartscreen.microsoft.com" redirect<br />
local-data: "ars.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "az361816.vo.msecnd.net" redirect<br />
local-data: "az361816.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "az512334.vo.msecnd.net" redirect<br />
local-data: "az512334.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "b.ads1.msn.com" redirect<br />
local-data: "b.ads1.msn.com A 0.0.0.1"<br />
local-zone: "b.ads2.msads.net" redirect<br />
local-data: "b.ads2.msads.net A 0.0.0.1"<br />
local-zone: "bingads.microsoft.com" redirect<br />
local-data: "bingads.microsoft.com A 0.0.0.1"<br />
local-zone: "bl3301-a.1drv.com" redirect<br />
local-data: "bl3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-c.1drv.com" redirect<br />
local-data: "bl3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-g.1drv.com" redirect<br />
local-data: "bl3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "blob.weather.microsoft.com" redirect<br />
local-data: "blob.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "bn1304-e.1drv.com" redirect<br />
local-data: "bn1304-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-a.1drv.com" redirect<br />
local-data: "bn1306-a.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-e.1drv.com" redirect<br />
local-data: "bn1306-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-g.1drv.com" redirect<br />
local-data: "bn1306-g.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor002.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor003.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor003.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor004.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor004.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2wns1.wns.windows.com" redirect<br />
local-data: "bn2wns1.wns.windows.com A 0.0.0.1"<br />
local-zone: "bn3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn3sch020022328.wns.windows.com" redirect<br />
local-data: "bn3sch020022328.wns.windows.com A 0.0.0.1"<br />
local-zone: "b.rad.msn.com" redirect<br />
local-data: "b.rad.msn.com A 0.0.0.1"<br />
local-zone: "bs.serving-sys.com" redirect<br />
local-data: "bs.serving-sys.com A 0.0.0.1"<br />
local-zone: "by3301-a.1drv.com" redirect<br />
local-data: "by3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-c.1drv.com" redirect<br />
local-data: "by3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-e.1drv.com" redirect<br />
local-data: "by3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "c-0001.dc-msedge.net" redirect<br />
local-data: "c-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "cache.datamart.windows.com" redirect<br />
local-data: "cache.datamart.windows.com A 0.0.0.1"<br />
local-zone: "candycrushsoda.king.com" redirect<br />
local-data: "candycrushsoda.king.com A 0.0.0.1"<br />
local-zone: "c.atdmt.com" redirect<br />
local-data: "c.atdmt.com A 0.0.0.1"<br />
local-zone: "ca.telemetry.microsoft.com" redirect<br />
local-data: "ca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "cdn.atdmt.com" redirect<br />
local-data: "cdn.atdmt.com A 0.0.0.1"<br />
local-zone: "cdn.content.prod.cms.msn.com" redirect<br />
local-data: "cdn.content.prod.cms.msn.com A 0.0.0.1"<br />
local-zone: "cdn.onenote.net" redirect<br />
local-data: "cdn.onenote.net A 0.0.0.1"<br />
local-zone: "cds1204.lon.llnw.net" redirect<br />
local-data: "cds1204.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds1293.lon.llnw.net" redirect<br />
local-data: "cds1293.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds20417.lcy.llnw.net" redirect<br />
local-data: "cds20417.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20431.lcy.llnw.net" redirect<br />
local-data: "cds20431.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20450.lcy.llnw.net" redirect<br />
local-data: "cds20450.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20457.lcy.llnw.net" redirect<br />
local-data: "cds20457.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20475.lcy.llnw.net" redirect<br />
local-data: "cds20475.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds21244.lon.llnw.net" redirect<br />
local-data: "cds21244.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds26.ams9.msecn.net" redirect<br />
local-data: "cds26.ams9.msecn.net A 0.0.0.1"<br />
local-zone: "cds425.lcy.llnw.net" redirect<br />
local-data: "cds425.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds459.lcy.llnw.net" redirect<br />
local-data: "cds459.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds494.lcy.llnw.net" redirect<br />
local-data: "cds494.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds965.lon.llnw.net" redirect<br />
local-data: "cds965.lon.llnw.net A 0.0.0.1"<br />
local-zone: "ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-c.1drv.com" redirect<br />
local-data: "ch3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-e.1drv.com" redirect<br />
local-data: "ch3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-g.1drv.com" redirect<br />
local-data: "ch3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-c.1drv.com" redirect<br />
local-data: "ch3302-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-e.1drv.com" redirect<br />
local-data: "ch3302-e.1drv.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com" redirect<br />
local-data: "choice.microsoft.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com.nsatc.net" redirect<br />
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "clientconfig.passport.net" redirect<br />
local-data: "clientconfig.passport.net A 0.0.0.1"<br />
local-zone: "client-s.gateway.messenger.live.com" redirect<br />
local-data: "client-s.gateway.messenger.live.com A 0.0.0.1"<br />
local-zone: "client.wns.windows.com" redirect<br />
local-data: "client.wns.windows.com A 0.0.0.1"<br />
local-zone: "c.msn.com" redirect<br />
local-data: "c.msn.com A 0.0.0.1"<br />
local-zone: "compatexchange1.trafficmanager.net" redirect<br />
local-data: "compatexchange1.trafficmanager.net A 0.0.0.1"<br />
local-zone: "compatexchange.cloudapp.net" redirect<br />
local-data: "compatexchange.cloudapp.net A 0.0.0.1"<br />
local-zone: "continuum.dds.microsoft.com" redirect<br />
local-data: "continuum.dds.microsoft.com A 0.0.0.1"<br />
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect<br />
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "corp.sts.microsoft.com" redirect<br />
local-data: "corp.sts.microsoft.com A 0.0.0.1"<br />
local-zone: "cp101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cs1.wpc.v0cdn.net" redirect<br />
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"<br />
local-zone: "db3aqu.atdmt.com" redirect<br />
local-data: "db3aqu.atdmt.com A 0.0.0.1"<br />
local-zone: "db3wns2011111.wns.windows.com" redirect<br />
local-data: "db3wns2011111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100122.wns.windows.com" redirect<br />
local-data: "db5sch101100122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100127.wns.windows.com" redirect<br />
local-data: "db5sch101100127.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100831.wns.windows.com" redirect<br />
local-data: "db5sch101100831.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100835.wns.windows.com" redirect<br />
local-data: "db5sch101100835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100917.wns.windows.com" redirect<br />
local-data: "db5sch101100917.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100925.wns.windows.com" redirect<br />
local-data: "db5sch101100925.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100928.wns.windows.com" redirect<br />
local-data: "db5sch101100928.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100938.wns.windows.com" redirect<br />
local-data: "db5sch101100938.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101001.wns.windows.com" redirect<br />
local-data: "db5sch101101001.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101022.wns.windows.com" redirect<br />
local-data: "db5sch101101022.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101024.wns.windows.com" redirect<br />
local-data: "db5sch101101024.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101031.wns.windows.com" redirect<br />
local-data: "db5sch101101031.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101034.wns.windows.com" redirect<br />
local-data: "db5sch101101034.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101042.wns.windows.com" redirect<br />
local-data: "db5sch101101042.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101044.wns.windows.com" redirect<br />
local-data: "db5sch101101044.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101122.wns.windows.com" redirect<br />
local-data: "db5sch101101122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101123.wns.windows.com" redirect<br />
local-data: "db5sch101101123.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101125.wns.windows.com" redirect<br />
local-data: "db5sch101101125.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101128.wns.windows.com" redirect<br />
local-data: "db5sch101101128.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101129.wns.windows.com" redirect<br />
local-data: "db5sch101101129.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101133.wns.windows.com" redirect<br />
local-data: "db5sch101101133.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101145.wns.windows.com" redirect<br />
local-data: "db5sch101101145.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101209.wns.windows.com" redirect<br />
local-data: "db5sch101101209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101221.wns.windows.com" redirect<br />
local-data: "db5sch101101221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101228.wns.windows.com" redirect<br />
local-data: "db5sch101101228.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101231.wns.windows.com" redirect<br />
local-data: "db5sch101101231.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101237.wns.windows.com" redirect<br />
local-data: "db5sch101101237.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101317.wns.windows.com" redirect<br />
local-data: "db5sch101101317.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101324.wns.windows.com" redirect<br />
local-data: "db5sch101101324.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101329.wns.windows.com" redirect<br />
local-data: "db5sch101101329.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101333.wns.windows.com" redirect<br />
local-data: "db5sch101101333.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101334.wns.windows.com" redirect<br />
local-data: "db5sch101101334.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101338.wns.windows.com" redirect<br />
local-data: "db5sch101101338.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101419.wns.windows.com" redirect<br />
local-data: "db5sch101101419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101424.wns.windows.com" redirect<br />
local-data: "db5sch101101424.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101426.wns.windows.com" redirect<br />
local-data: "db5sch101101426.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101427.wns.windows.com" redirect<br />
local-data: "db5sch101101427.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101430.wns.windows.com" redirect<br />
local-data: "db5sch101101430.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101445.wns.windows.com" redirect<br />
local-data: "db5sch101101445.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101511.wns.windows.com" redirect<br />
local-data: "db5sch101101511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101519.wns.windows.com" redirect<br />
local-data: "db5sch101101519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101529.wns.windows.com" redirect<br />
local-data: "db5sch101101529.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101535.wns.windows.com" redirect<br />
local-data: "db5sch101101535.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101541.wns.windows.com" redirect<br />
local-data: "db5sch101101541.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101543.wns.windows.com" redirect<br />
local-data: "db5sch101101543.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101608.wns.windows.com" redirect<br />
local-data: "db5sch101101608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101618.wns.windows.com" redirect<br />
local-data: "db5sch101101618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101629.wns.windows.com" redirect<br />
local-data: "db5sch101101629.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101631.wns.windows.com" redirect<br />
local-data: "db5sch101101631.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101633.wns.windows.com" redirect<br />
local-data: "db5sch101101633.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101640.wns.windows.com" redirect<br />
local-data: "db5sch101101640.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101711.wns.windows.com" redirect<br />
local-data: "db5sch101101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101722.wns.windows.com" redirect<br />
local-data: "db5sch101101722.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101739.wns.windows.com" redirect<br />
local-data: "db5sch101101739.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101745.wns.windows.com" redirect<br />
local-data: "db5sch101101745.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101813.wns.windows.com" redirect<br />
local-data: "db5sch101101813.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101820.wns.windows.com" redirect<br />
local-data: "db5sch101101820.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101826.wns.windows.com" redirect<br />
local-data: "db5sch101101826.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101835.wns.windows.com" redirect<br />
local-data: "db5sch101101835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101837.wns.windows.com" redirect<br />
local-data: "db5sch101101837.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101844.wns.windows.com" redirect<br />
local-data: "db5sch101101844.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101907.wns.windows.com" redirect<br />
local-data: "db5sch101101907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101914.wns.windows.com" redirect<br />
local-data: "db5sch101101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101929.wns.windows.com" redirect<br />
local-data: "db5sch101101929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101939.wns.windows.com" redirect<br />
local-data: "db5sch101101939.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101941.wns.windows.com" redirect<br />
local-data: "db5sch101101941.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102015.wns.windows.com" redirect<br />
local-data: "db5sch101102015.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102017.wns.windows.com" redirect<br />
local-data: "db5sch101102017.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102019.wns.windows.com" redirect<br />
local-data: "db5sch101102019.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102023.wns.windows.com" redirect<br />
local-data: "db5sch101102023.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102025.wns.windows.com" redirect<br />
local-data: "db5sch101102025.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102032.wns.windows.com" redirect<br />
local-data: "db5sch101102032.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102033.wns.windows.com" redirect<br />
local-data: "db5sch101102033.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110108.wns.windows.com" redirect<br />
local-data: "db5sch101110108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110109.wns.windows.com" redirect<br />
local-data: "db5sch101110109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110114.wns.windows.com" redirect<br />
local-data: "db5sch101110114.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110135.wns.windows.com" redirect<br />
local-data: "db5sch101110135.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110142.wns.windows.com" redirect<br />
local-data: "db5sch101110142.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110204.wns.windows.com" redirect<br />
local-data: "db5sch101110204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110206.wns.windows.com" redirect<br />
local-data: "db5sch101110206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110214.wns.windows.com" redirect<br />
local-data: "db5sch101110214.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110225.wns.windows.com" redirect<br />
local-data: "db5sch101110225.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110232.wns.windows.com" redirect<br />
local-data: "db5sch101110232.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110245.wns.windows.com" redirect<br />
local-data: "db5sch101110245.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110315.wns.windows.com" redirect<br />
local-data: "db5sch101110315.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110323.wns.windows.com" redirect<br />
local-data: "db5sch101110323.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110325.wns.windows.com" redirect<br />
local-data: "db5sch101110325.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110328.wns.windows.com" redirect<br />
local-data: "db5sch101110328.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110331.wns.windows.com" redirect<br />
local-data: "db5sch101110331.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110341.wns.windows.com" redirect<br />
local-data: "db5sch101110341.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110343.wns.windows.com" redirect<br />
local-data: "db5sch101110343.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110345.wns.windows.com" redirect<br />
local-data: "db5sch101110345.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110403.wns.windows.com" redirect<br />
local-data: "db5sch101110403.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110419.wns.windows.com" redirect<br />
local-data: "db5sch101110419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110438.wns.windows.com" redirect<br />
local-data: "db5sch101110438.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110442.wns.windows.com" redirect<br />
local-data: "db5sch101110442.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110501.wns.windows.com" redirect<br />
local-data: "db5sch101110501.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110527.wns.windows.com" redirect<br />
local-data: "db5sch101110527.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110533.wns.windows.com" redirect<br />
local-data: "db5sch101110533.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110618.wns.windows.com" redirect<br />
local-data: "db5sch101110618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110622.wns.windows.com" redirect<br />
local-data: "db5sch101110622.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110624.wns.windows.com" redirect<br />
local-data: "db5sch101110624.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110626.wns.windows.com" redirect<br />
local-data: "db5sch101110626.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110634.wns.windows.com" redirect<br />
local-data: "db5sch101110634.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110705.wns.windows.com" redirect<br />
local-data: "db5sch101110705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110724.wns.windows.com" redirect<br />
local-data: "db5sch101110724.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110740.wns.windows.com" redirect<br />
local-data: "db5sch101110740.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110810.wns.windows.com" redirect<br />
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110816.wns.windows.com" redirect<br />
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110821.wns.windows.com" redirect<br />
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110822.wns.windows.com" redirect<br />
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110825.wns.windows.com" redirect<br />
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110828.wns.windows.com" redirect<br />
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110835.wns.windows.com" redirect<br />
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110919.wns.windows.com" redirect<br />
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110921.wns.windows.com" redirect<br />
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110923.wns.windows.com" redirect<br />
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110929.wns.windows.com" redirect<br />
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103081814.wns.windows.com" redirect<br />
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082011.wns.windows.com" redirect<br />
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082111.wns.windows.com" redirect<br />
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082308.wns.windows.com" redirect<br />
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082406.wns.windows.com" redirect<br />
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082409.wns.windows.com" redirect<br />
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082609.wns.windows.com" redirect<br />
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082611.wns.windows.com" redirect<br />
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082709.wns.windows.com" redirect<br />
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082712.wns.windows.com" redirect<br />
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082806.wns.windows.com" redirect<br />
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090115.wns.windows.com" redirect<br />
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090415.wns.windows.com" redirect<br />
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090513.wns.windows.com" redirect<br />
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090515.wns.windows.com" redirect<br />
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090608.wns.windows.com" redirect<br />
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090806.wns.windows.com" redirect<br />
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090814.wns.windows.com" redirect<br />
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090906.wns.windows.com" redirect<br />
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091011.wns.windows.com" redirect<br />
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091012.wns.windows.com" redirect<br />
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091106.wns.windows.com" redirect<br />
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091108.wns.windows.com" redirect<br />
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091212.wns.windows.com" redirect<br />
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091311.wns.windows.com" redirect<br />
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091414.wns.windows.com" redirect<br />
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091511.wns.windows.com" redirect<br />
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091617.wns.windows.com" redirect<br />
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091715.wns.windows.com" redirect<br />
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091817.wns.windows.com" redirect<br />
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091908.wns.windows.com" redirect<br />
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091911.wns.windows.com" redirect<br />
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092010.wns.windows.com" redirect<br />
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092108.wns.windows.com" redirect<br />
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092109.wns.windows.com" redirect<br />
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092209.wns.windows.com" redirect<br />
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092210.wns.windows.com" redirect<br />
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092509.wns.windows.com" redirect<br />
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100117.wns.windows.com" redirect<br />
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100121.wns.windows.com" redirect<br />
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100221.wns.windows.com" redirect<br />
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100313.wns.windows.com" redirect<br />
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100314.wns.windows.com" redirect<br />
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100510.wns.windows.com" redirect<br />
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100511.wns.windows.com" redirect<br />
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100611.wns.windows.com" redirect<br />
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100712.wns.windows.com" redirect<br />
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101105.wns.windows.com" redirect<br />
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101208.wns.windows.com" redirect<br />
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101212.wns.windows.com" redirect<br />
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101314.wns.windows.com" redirect<br />
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101411.wns.windows.com" redirect<br />
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101413.wns.windows.com" redirect<br />
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101513.wns.windows.com" redirect<br />
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101610.wns.windows.com" redirect<br />
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101611.wns.windows.com" redirect<br />
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101705.wns.windows.com" redirect<br />
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101711.wns.windows.com" redirect<br />
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101909.wns.windows.com" redirect<br />
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101914.wns.windows.com" redirect<br />
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102009.wns.windows.com" redirect<br />
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102112.wns.windows.com" redirect<br />
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102203.wns.windows.com" redirect<br />
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102209.wns.windows.com" redirect<br />
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102310.wns.windows.com" redirect<br />
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102404.wns.windows.com" redirect<br />
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102609.wns.windows.com" redirect<br />
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102610.wns.windows.com" redirect<br />
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102805.wns.windows.com" redirect<br />
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5wns1d.wns.windows.com" redirect<br />
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5.wns.windows.com" redirect<br />
local-data: "db5.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090104.wns.windows.com" redirect<br />
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090112.wns.windows.com" redirect<br />
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090116.wns.windows.com" redirect<br />
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090122.wns.windows.com" redirect<br />
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090203.wns.windows.com" redirect<br />
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090206.wns.windows.com" redirect<br />
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090208.wns.windows.com" redirect<br />
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090209.wns.windows.com" redirect<br />
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090211.wns.windows.com" redirect<br />
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090305.wns.windows.com" redirect<br />
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090306.wns.windows.com" redirect<br />
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090308.wns.windows.com" redirect<br />
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090311.wns.windows.com" redirect<br />
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090313.wns.windows.com" redirect<br />
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090410.wns.windows.com" redirect<br />
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090412.wns.windows.com" redirect<br />
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090504.wns.windows.com" redirect<br />
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090510.wns.windows.com" redirect<br />
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090512.wns.windows.com" redirect<br />
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090513.wns.windows.com" redirect<br />
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090514.wns.windows.com" redirect<br />
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090519.wns.windows.com" redirect<br />
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090613.wns.windows.com" redirect<br />
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090619.wns.windows.com" redirect<br />
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090810.wns.windows.com" redirect<br />
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090811.wns.windows.com" redirect<br />
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090902.wns.windows.com" redirect<br />
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090905.wns.windows.com" redirect<br />
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090907.wns.windows.com" redirect<br />
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090908.wns.windows.com" redirect<br />
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090910.wns.windows.com" redirect<br />
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090911.wns.windows.com" redirect<br />
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091003.wns.windows.com" redirect<br />
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091007.wns.windows.com" redirect<br />
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091008.wns.windows.com" redirect<br />
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091009.wns.windows.com" redirect<br />
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091011.wns.windows.com" redirect<br />
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091103.wns.windows.com" redirect<br />
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091105.wns.windows.com" redirect<br />
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091204.wns.windows.com" redirect<br />
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091209.wns.windows.com" redirect<br />
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091305.wns.windows.com" redirect<br />
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091307.wns.windows.com" redirect<br />
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091308.wns.windows.com" redirect<br />
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091309.wns.windows.com" redirect<br />
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091314.wns.windows.com" redirect<br />
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091412.wns.windows.com" redirect<br />
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091503.wns.windows.com" redirect<br />
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091507.wns.windows.com" redirect<br />
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091602.wns.windows.com" redirect<br />
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091603.wns.windows.com" redirect<br />
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091606.wns.windows.com" redirect<br />
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091607.wns.windows.com" redirect<br />
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"<br />
local-zone: "deploy.static.akamaitechnologies.com" redirect<br />
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"<br />
local-zone: "device.auth.xboxlive.com" redirect<br />
local-data: "device.auth.xboxlive.com A 0.0.0.1"<br />
local-zone: "dev.virtualearth.net" redirect<br />
local-data: "dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "df.telemetry.microsoft.com" redirect<br />
local-data: "df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "diagnostics.support.microsoft.com" redirect<br />
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"<br />
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "dmd.metaservices.microsoft.com" redirect<br />
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "dns.msftncsi.com" redirect<br />
local-data: "dns.msftncsi.com A 0.0.0.1"<br />
local-zone: "ec.atdmt.com" redirect<br />
local-data: "ec.atdmt.com A 0.0.0.1"<br />
local-zone: "ecn.dev.virtualearth.net" redirect<br />
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "eu.vortex.data.microsoft.com" redirect<br />
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.microsoft-hohm.com" redirect<br />
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"<br />
local-zone: "feedback.search.microsoft.com" redirect<br />
local-data: "feedback.search.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.windows.com" redirect<br />
local-data: "feedback.windows.com A 0.0.0.1"<br />
local-zone: "flex.msn.com" redirect<br />
local-data: "flex.msn.com A 0.0.0.1"<br />
local-zone: "fs.microsoft.com" redirect<br />
local-data: "fs.microsoft.com A 0.0.0.1"<br />
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "g.msn.com" redirect<br />
local-data: "g.msn.com A 0.0.0.1"<br />
local-zone: "h1.msn.com" redirect<br />
local-data: "h1.msn.com A 0.0.0.1"<br />
local-zone: "h2.msn.com" redirect<br />
local-data: "h2.msn.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com" redirect<br />
local-data: "i1.services.social.microsoft.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect<br />
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "img-s-msn-com.akamaized.net" redirect<br />
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"<br />
local-zone: "inference.location.live.net" redirect<br />
local-data: "inference.location.live.net A 0.0.0.1"<br />
local-zone: "insiderppe.cloudapp.net" redirect<br />
local-data: "insiderppe.cloudapp.net A 0.0.0.1"<br />
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "lb1.www.ms.akadns.net" redirect<br />
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"<br />
local-zone: "licensing.mp.microsoft.com" redirect<br />
local-data: "licensing.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "live.rads.msn.com" redirect<br />
local-data: "live.rads.msn.com A 0.0.0.1"<br />
local-zone: "ls2web.redmond.corp.microsoft.com" redirect<br />
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"<br />
local-zone: "m.adnxs.com" redirect<br />
local-data: "m.adnxs.com A 0.0.0.1"<br />
local-zone: "mediaredirect.microsoft.com" redirect<br />
local-data: "mediaredirect.microsoft.com A 0.0.0.1"<br />
local-zone: "mobile.pipe.aria.microsoft.com" redirect<br />
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"<br />
local-zone: "msedge.net" redirect<br />
local-data: "msedge.net A 0.0.0.1"<br />
local-zone: "msftncsi.com" redirect<br />
local-data: "msftncsi.com A 0.0.0.1"<br />
local-zone: "msntest.serving-sys.com" redirect<br />
local-data: "msntest.serving-sys.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com" redirect<br />
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "officeclient.microsoft.com" redirect<br />
local-data: "officeclient.microsoft.com A 0.0.0.1"<br />
local-zone: "oneclient.sfx.ms" redirect<br />
local-data: "oneclient.sfx.ms A 0.0.0.1"<br />
local-zone: "pre.footprintpredict.com" redirect<br />
local-data: "pre.footprintpredict.com A 0.0.0.1"<br />
local-zone: "preview.msn.com" redirect<br />
local-data: "preview.msn.com A 0.0.0.1"<br />
local-zone: "pti.store.microsoft.com" redirect<br />
local-data: "pti.store.microsoft.com A 0.0.0.1"<br />
local-zone: "query.prod.cms.rt.microsoft.com" redirect<br />
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"<br />
local-zone: "rad.msn.com" redirect<br />
local-data: "rad.msn.com A 0.0.0.1"<br />
local-zone: "redir.metaservices.microsoft.com" redirect<br />
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "register.cdpcs.microsoft.com" redirect<br />
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"<br />
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "s0.2mdn.net" redirect<br />
local-data: "s0.2mdn.net A 0.0.0.1"<br />
local-zone: "schemas.microsoft.akadns.net" redirect<br />
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "search.msn.com" redirect<br />
local-data: "search.msn.com A 0.0.0.1"<br />
local-zone: "secure.adnxs.com" redirect<br />
local-data: "secure.adnxs.com A 0.0.0.1"<br />
local-zone: "secure.flashtalking.com" redirect<br />
local-data: "secure.flashtalking.com A 0.0.0.1"<br />
local-zone: "services.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.glbdns2.microsoft.com" redirect<br />
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.microsoft.com" redirect<br />
local-data: "settings.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-sandbox.data.microsoft.com" redirect<br />
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-ssl.xboxlive.com" redirect<br />
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"<br />
local-zone: "settings-win.data.microsoft.com" redirect<br />
local-data: "settings-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-win-ppe.data.microsoft.com" redirect<br />
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"<br />
local-zone: "sn3301-c.1drv.com" redirect<br />
local-data: "sn3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-e.1drv.com" redirect<br />
local-data: "sn3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-g.1drv.com" redirect<br />
local-data: "sn3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "so.2mdn.net" redirect<br />
local-data: "so.2mdn.net A 0.0.0.1"<br />
local-zone: "spynet2.microsoft.com" redirect<br />
local-data: "spynet2.microsoft.com A 0.0.0.1"<br />
local-zone: "spynetalt.microsoft.com" redirect<br />
local-data: "spynetalt.microsoft.com A 0.0.0.1"<br />
local-zone: "spyneteurope.microsoft.akadns.net" redirect<br />
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "sqm.df.telemetry.microsoft.com" redirect<br />
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com" redirect<br />
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "static.2mdn.net" redirect<br />
local-data: "static.2mdn.net A 0.0.0.1"<br />
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect<br />
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"<br />
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect<br />
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "store-images.s-microsoft.com" redirect<br />
local-data: "store-images.s-microsoft.com A 0.0.0.1"<br />
local-zone: "support.microsoft.com" redirect<br />
local-data: "support.microsoft.com A 0.0.0.1"<br />
local-zone: "survey.watson.microsoft.com" redirect<br />
local-data: "survey.watson.microsoft.com A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com" redirect<br />
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "telemetry.appex.bing.net" redirect<br />
local-data: "telemetry.appex.bing.net A 0.0.0.1"<br />
local-zone: "telemetry.microsoft.com" redirect<br />
local-data: "telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telemetry.urs.microsoft.com" redirect<br />
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"<br />
local-zone: "test.activity.windows.com" redirect<br />
local-data: "test.activity.windows.com A 0.0.0.1"<br />
local-zone: "tile-service.weather.microsoft.com" redirect<br />
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "time.windows.com" redirect<br />
local-data: "time.windows.com A 0.0.0.1"<br />
local-zone: "tk2.plt.msn.com" redirect<br />
local-data: "tk2.plt.msn.com A 0.0.0.1"<br />
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect<br />
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "urs.smartscreen.microsoft.com" redirect<br />
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.microsoft.com" redirect<br />
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "version.hybrid.api.here.com" redirect<br />
local-data: "version.hybrid.api.here.com A 0.0.0.1"<br />
local-zone: "view.atdmt.com" redirect<br />
local-data: "view.atdmt.com A 0.0.0.1"<br />
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.glbdns2.microsoft.com" redirect<br />
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.microsoft.com" redirect<br />
local-data: "vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-sandbox.data.microsoft.com" redirect<br />
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-win.data.microsoft.com" redirect<br />
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.microsoft.com" redirect<br />
local-data: "watson.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.ppe.telemetry.microsoft.com" redirect<br />
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com" redirect<br />
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "wdcpalt.microsoft.com" redirect<br />
local-data: "wdcpalt.microsoft.com A 0.0.0.1"<br />
local-zone: "wdcp.microsoft.com" redirect<br />
local-data: "wdcp.microsoft.com A 0.0.0.1"<br />
local-zone: "web.vortex.data.microsoft.com" redirect<br />
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "wes.df.telemetry.microsoft.com" redirect<br />
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "win10.ipv6.microsoft.com" redirect<br />
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "win10-trt.msedge.net" redirect<br />
local-data: "win10-trt.msedge.net A 0.0.0.1"<br />
local-zone: "win1710.ipv6.microsoft.com" redirect<br />
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "wscont.apps.microsoft.com" redirect<br />
local-data: "wscont.apps.microsoft.com A 0.0.0.1"<br />
local-zone: "www.msedge.net" redirect<br />
local-data: "www.msedge.net A 0.0.0.1"<br />
local-zone: "www.msftconnecttest.com" redirect<br />
local-data: "www.msftconnecttest.com A 0.0.0.1"<br />
local-zone: "www.msftncsi.com" redirect<br />
local-data: "www.msftncsi.com A 0.0.0.1"</pre><br />
<br />
== DNSCrypt ==<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']</pre><br />
<br />
== Add policy route for dnscrypt over VPN ==<br />
<br />
Add a [https://en.wikipedia.org/wiki/Policy-based_routing policy based route] based on the uid of the dnscrypt user. On Alpine Linux dnscrypt-proxy runs as a specific user so check /etc/passwd<br />
<br />
<pre>dnscrypt:x:103:104:dnscrypt:/var/empty:/sbin/nologin</pre><br />
<br />
In this example the dnscrypt user has the uid 103.<br />
<br />
{{Warning|Make sure you check the uid of your dnscrypt user and don't just copy the one here!}}<br />
<br />
Add this to [https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Ffwmark_rules fwmark_rules] eg:<br />
<br />
=== /etc/network/fwmark_rules ===<br />
<pre># Route DNSCrypt user through the VPN table<br />
/sbin/ip rule add uidrange 103-103 table VPN prio 200</pre><br />
<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]<br />
<br />
[[category: VPN]]<br />
[[category: Raspberry]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=19348Linux Router with VPN on a Raspberry Pi2021-05-14T03:09:02Z<p>Dngray: /* Use a PBR instead of socks proxy*/</p>
<hr />
<div>{{TOC right}}<br />
<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255</pre><br />
<br />
<br />
=== PPP ===<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem.<br />
<br />
If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].<br />
<br />
You will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
<pre># External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
=== IPoE ===<br />
Alternatively it's quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:<br />
<br />
<pre># External interface to ISP<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet dhcp<br />
<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
<br />
iface eth1 inet6 manual</pre><br />
<br />
==== DHCP from ISP ====<br />
<br />
Above we set DHCP and we set a static IP. The purpose of this is so we can still forward packets through to the modem to be able to access the web interface or ssh.<br />
<br />
We do still need DHCP to get an IP address form our ISP though. I like to use dhcpcd instead of udhcp (the default in Alpine Linux), because it allows for [https://en.wikipedia.org/wiki/Prefix_delegation Prefix Delegation], which is used in IPv6 networks.<br />
<br />
My /etc/dhcpcd.conf looks like this:<br />
<br />
<pre># Enable extra debugging<br />
# debug<br />
# logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
# clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu 1586<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
allowinterfaces eth1 eth0.2<br />
# Use the interface connected to WAN<br />
interface eth1<br />
waitip 4<br />
noipv4ll<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64<br />
timeout 30<br />
<br />
interface eth0.2<br />
ipv6only</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Blocking Microsoft Telemetry on the network by domain ==<br />
Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found [https://www.privacytools.io/operating-systems/#win10 here].<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie [https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS/DWSResources.cs#L210 Destroy-Windows-10-Spying], [https://github.com/10se1ucgo/DisableWinTracking/blob/master/dwt.py#L333 DisableWinTracking], [https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1#L19 Debloat-Windows-10] and [https://github.com/pragmatrix/Dominator/blob/master/Dominator.Windows10/Settings/telemetry.txt Dominator.Windows10]. I have prepared the list further down: [[Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf]].<br />
<br />
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/uBlock_Origin uBlock Origin].<br />
<br />
Another way is to disable this stuff with a group policy see [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services Manage connections from Windows operating system components to Microsoft services] only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== /etc/unbound/filter.conf ==<br />
<pre>local-zone: "a-0001.a-msedge.net" redirect<br />
local-data: "a-0001.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0001.dc-msedge.net" redirect<br />
local-data: "a-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "a-0002.a-msedge.net" redirect<br />
local-data: "a-0002.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0003.a-msedge.net" redirect<br />
local-data: "a-0003.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0004.a-msedge.net" redirect<br />
local-data: "a-0004.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0005.a-msedge.net" redirect<br />
local-data: "a-0005.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0006.a-msedge.net" redirect<br />
local-data: "a-0006.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0007.a-msedge.net" redirect<br />
local-data: "a-0007.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0008.a-msedge.net" redirect<br />
local-data: "a-0008.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0009.a-msedge.net" redirect<br />
local-data: "a-0009.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0010.a-msedge.net" redirect<br />
local-data: "a-0010.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0011.a-msedge.net" redirect<br />
local-data: "a-0011.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0012.a-msedge.net" redirect<br />
local-data: "a-0012.a-msedge.net A 0.0.0.1"<br />
local-zone: "a.ads1.msn.com" redirect<br />
local-data: "a.ads1.msn.com A 0.0.0.1"<br />
local-zone: "a.ads2.msads.net" redirect<br />
local-data: "a.ads2.msads.net A 0.0.0.1"<br />
local-zone: "a.ads2.msn.com" redirect<br />
local-data: "a.ads2.msn.com A 0.0.0.1"<br />
local-zone: "ac3.msn.com" redirect<br />
local-data: "ac3.msn.com A 0.0.0.1"<br />
local-zone: "activity.windows.com" redirect<br />
local-data: "activity.windows.com A 0.0.0.1"<br />
local-zone: "adnexus.net" redirect<br />
local-data: "adnexus.net A 0.0.0.1"<br />
local-zone: "adnxs.com" redirect<br />
local-data: "adnxs.com A 0.0.0.1"<br />
local-zone: "ads1.msads.net" redirect<br />
local-data: "ads1.msads.net A 0.0.0.1"<br />
local-zone: "ads1.msn.com" redirect<br />
local-data: "ads1.msn.com A 0.0.0.1"<br />
local-zone: "ads.msn.com" redirect<br />
local-data: "ads.msn.com A 0.0.0.1"<br />
local-zone: "aidps.atdmt.com" redirect<br />
local-data: "aidps.atdmt.com A 0.0.0.1"<br />
local-zone: "aka-cdn-ns.adtech.de" redirect<br />
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"<br />
local-zone: "a-msedge.net" redirect<br />
local-data: "a-msedge.net A 0.0.0.1"<br />
local-zone: "a.rad.msn.com" redirect<br />
local-data: "a.rad.msn.com A 0.0.0.1"<br />
local-zone: "array101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array102-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array102-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array103-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array103-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array104-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array104-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array202-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array202-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array203-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array203-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array204-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array204-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array402-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array402-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array403-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array403-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array404-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array404-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array405-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array405-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array406-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array406-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array407-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array407-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array408-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array408-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "ars.smartscreen.microsoft.com" redirect<br />
local-data: "ars.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "az361816.vo.msecnd.net" redirect<br />
local-data: "az361816.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "az512334.vo.msecnd.net" redirect<br />
local-data: "az512334.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "b.ads1.msn.com" redirect<br />
local-data: "b.ads1.msn.com A 0.0.0.1"<br />
local-zone: "b.ads2.msads.net" redirect<br />
local-data: "b.ads2.msads.net A 0.0.0.1"<br />
local-zone: "bingads.microsoft.com" redirect<br />
local-data: "bingads.microsoft.com A 0.0.0.1"<br />
local-zone: "bl3301-a.1drv.com" redirect<br />
local-data: "bl3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-c.1drv.com" redirect<br />
local-data: "bl3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-g.1drv.com" redirect<br />
local-data: "bl3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "blob.weather.microsoft.com" redirect<br />
local-data: "blob.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "bn1304-e.1drv.com" redirect<br />
local-data: "bn1304-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-a.1drv.com" redirect<br />
local-data: "bn1306-a.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-e.1drv.com" redirect<br />
local-data: "bn1306-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-g.1drv.com" redirect<br />
local-data: "bn1306-g.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor002.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor003.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor003.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor004.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor004.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2wns1.wns.windows.com" redirect<br />
local-data: "bn2wns1.wns.windows.com A 0.0.0.1"<br />
local-zone: "bn3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn3sch020022328.wns.windows.com" redirect<br />
local-data: "bn3sch020022328.wns.windows.com A 0.0.0.1"<br />
local-zone: "b.rad.msn.com" redirect<br />
local-data: "b.rad.msn.com A 0.0.0.1"<br />
local-zone: "bs.serving-sys.com" redirect<br />
local-data: "bs.serving-sys.com A 0.0.0.1"<br />
local-zone: "by3301-a.1drv.com" redirect<br />
local-data: "by3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-c.1drv.com" redirect<br />
local-data: "by3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-e.1drv.com" redirect<br />
local-data: "by3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "c-0001.dc-msedge.net" redirect<br />
local-data: "c-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "cache.datamart.windows.com" redirect<br />
local-data: "cache.datamart.windows.com A 0.0.0.1"<br />
local-zone: "candycrushsoda.king.com" redirect<br />
local-data: "candycrushsoda.king.com A 0.0.0.1"<br />
local-zone: "c.atdmt.com" redirect<br />
local-data: "c.atdmt.com A 0.0.0.1"<br />
local-zone: "ca.telemetry.microsoft.com" redirect<br />
local-data: "ca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "cdn.atdmt.com" redirect<br />
local-data: "cdn.atdmt.com A 0.0.0.1"<br />
local-zone: "cdn.content.prod.cms.msn.com" redirect<br />
local-data: "cdn.content.prod.cms.msn.com A 0.0.0.1"<br />
local-zone: "cdn.onenote.net" redirect<br />
local-data: "cdn.onenote.net A 0.0.0.1"<br />
local-zone: "cds1204.lon.llnw.net" redirect<br />
local-data: "cds1204.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds1293.lon.llnw.net" redirect<br />
local-data: "cds1293.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds20417.lcy.llnw.net" redirect<br />
local-data: "cds20417.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20431.lcy.llnw.net" redirect<br />
local-data: "cds20431.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20450.lcy.llnw.net" redirect<br />
local-data: "cds20450.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20457.lcy.llnw.net" redirect<br />
local-data: "cds20457.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20475.lcy.llnw.net" redirect<br />
local-data: "cds20475.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds21244.lon.llnw.net" redirect<br />
local-data: "cds21244.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds26.ams9.msecn.net" redirect<br />
local-data: "cds26.ams9.msecn.net A 0.0.0.1"<br />
local-zone: "cds425.lcy.llnw.net" redirect<br />
local-data: "cds425.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds459.lcy.llnw.net" redirect<br />
local-data: "cds459.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds494.lcy.llnw.net" redirect<br />
local-data: "cds494.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds965.lon.llnw.net" redirect<br />
local-data: "cds965.lon.llnw.net A 0.0.0.1"<br />
local-zone: "ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-c.1drv.com" redirect<br />
local-data: "ch3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-e.1drv.com" redirect<br />
local-data: "ch3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-g.1drv.com" redirect<br />
local-data: "ch3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-c.1drv.com" redirect<br />
local-data: "ch3302-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-e.1drv.com" redirect<br />
local-data: "ch3302-e.1drv.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com" redirect<br />
local-data: "choice.microsoft.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com.nsatc.net" redirect<br />
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "clientconfig.passport.net" redirect<br />
local-data: "clientconfig.passport.net A 0.0.0.1"<br />
local-zone: "client-s.gateway.messenger.live.com" redirect<br />
local-data: "client-s.gateway.messenger.live.com A 0.0.0.1"<br />
local-zone: "client.wns.windows.com" redirect<br />
local-data: "client.wns.windows.com A 0.0.0.1"<br />
local-zone: "c.msn.com" redirect<br />
local-data: "c.msn.com A 0.0.0.1"<br />
local-zone: "compatexchange1.trafficmanager.net" redirect<br />
local-data: "compatexchange1.trafficmanager.net A 0.0.0.1"<br />
local-zone: "compatexchange.cloudapp.net" redirect<br />
local-data: "compatexchange.cloudapp.net A 0.0.0.1"<br />
local-zone: "continuum.dds.microsoft.com" redirect<br />
local-data: "continuum.dds.microsoft.com A 0.0.0.1"<br />
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect<br />
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "corp.sts.microsoft.com" redirect<br />
local-data: "corp.sts.microsoft.com A 0.0.0.1"<br />
local-zone: "cp101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cs1.wpc.v0cdn.net" redirect<br />
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"<br />
local-zone: "db3aqu.atdmt.com" redirect<br />
local-data: "db3aqu.atdmt.com A 0.0.0.1"<br />
local-zone: "db3wns2011111.wns.windows.com" redirect<br />
local-data: "db3wns2011111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100122.wns.windows.com" redirect<br />
local-data: "db5sch101100122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100127.wns.windows.com" redirect<br />
local-data: "db5sch101100127.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100831.wns.windows.com" redirect<br />
local-data: "db5sch101100831.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100835.wns.windows.com" redirect<br />
local-data: "db5sch101100835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100917.wns.windows.com" redirect<br />
local-data: "db5sch101100917.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100925.wns.windows.com" redirect<br />
local-data: "db5sch101100925.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100928.wns.windows.com" redirect<br />
local-data: "db5sch101100928.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100938.wns.windows.com" redirect<br />
local-data: "db5sch101100938.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101001.wns.windows.com" redirect<br />
local-data: "db5sch101101001.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101022.wns.windows.com" redirect<br />
local-data: "db5sch101101022.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101024.wns.windows.com" redirect<br />
local-data: "db5sch101101024.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101031.wns.windows.com" redirect<br />
local-data: "db5sch101101031.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101034.wns.windows.com" redirect<br />
local-data: "db5sch101101034.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101042.wns.windows.com" redirect<br />
local-data: "db5sch101101042.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101044.wns.windows.com" redirect<br />
local-data: "db5sch101101044.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101122.wns.windows.com" redirect<br />
local-data: "db5sch101101122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101123.wns.windows.com" redirect<br />
local-data: "db5sch101101123.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101125.wns.windows.com" redirect<br />
local-data: "db5sch101101125.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101128.wns.windows.com" redirect<br />
local-data: "db5sch101101128.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101129.wns.windows.com" redirect<br />
local-data: "db5sch101101129.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101133.wns.windows.com" redirect<br />
local-data: "db5sch101101133.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101145.wns.windows.com" redirect<br />
local-data: "db5sch101101145.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101209.wns.windows.com" redirect<br />
local-data: "db5sch101101209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101221.wns.windows.com" redirect<br />
local-data: "db5sch101101221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101228.wns.windows.com" redirect<br />
local-data: "db5sch101101228.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101231.wns.windows.com" redirect<br />
local-data: "db5sch101101231.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101237.wns.windows.com" redirect<br />
local-data: "db5sch101101237.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101317.wns.windows.com" redirect<br />
local-data: "db5sch101101317.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101324.wns.windows.com" redirect<br />
local-data: "db5sch101101324.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101329.wns.windows.com" redirect<br />
local-data: "db5sch101101329.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101333.wns.windows.com" redirect<br />
local-data: "db5sch101101333.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101334.wns.windows.com" redirect<br />
local-data: "db5sch101101334.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101338.wns.windows.com" redirect<br />
local-data: "db5sch101101338.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101419.wns.windows.com" redirect<br />
local-data: "db5sch101101419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101424.wns.windows.com" redirect<br />
local-data: "db5sch101101424.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101426.wns.windows.com" redirect<br />
local-data: "db5sch101101426.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101427.wns.windows.com" redirect<br />
local-data: "db5sch101101427.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101430.wns.windows.com" redirect<br />
local-data: "db5sch101101430.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101445.wns.windows.com" redirect<br />
local-data: "db5sch101101445.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101511.wns.windows.com" redirect<br />
local-data: "db5sch101101511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101519.wns.windows.com" redirect<br />
local-data: "db5sch101101519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101529.wns.windows.com" redirect<br />
local-data: "db5sch101101529.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101535.wns.windows.com" redirect<br />
local-data: "db5sch101101535.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101541.wns.windows.com" redirect<br />
local-data: "db5sch101101541.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101543.wns.windows.com" redirect<br />
local-data: "db5sch101101543.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101608.wns.windows.com" redirect<br />
local-data: "db5sch101101608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101618.wns.windows.com" redirect<br />
local-data: "db5sch101101618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101629.wns.windows.com" redirect<br />
local-data: "db5sch101101629.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101631.wns.windows.com" redirect<br />
local-data: "db5sch101101631.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101633.wns.windows.com" redirect<br />
local-data: "db5sch101101633.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101640.wns.windows.com" redirect<br />
local-data: "db5sch101101640.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101711.wns.windows.com" redirect<br />
local-data: "db5sch101101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101722.wns.windows.com" redirect<br />
local-data: "db5sch101101722.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101739.wns.windows.com" redirect<br />
local-data: "db5sch101101739.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101745.wns.windows.com" redirect<br />
local-data: "db5sch101101745.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101813.wns.windows.com" redirect<br />
local-data: "db5sch101101813.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101820.wns.windows.com" redirect<br />
local-data: "db5sch101101820.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101826.wns.windows.com" redirect<br />
local-data: "db5sch101101826.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101835.wns.windows.com" redirect<br />
local-data: "db5sch101101835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101837.wns.windows.com" redirect<br />
local-data: "db5sch101101837.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101844.wns.windows.com" redirect<br />
local-data: "db5sch101101844.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101907.wns.windows.com" redirect<br />
local-data: "db5sch101101907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101914.wns.windows.com" redirect<br />
local-data: "db5sch101101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101929.wns.windows.com" redirect<br />
local-data: "db5sch101101929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101939.wns.windows.com" redirect<br />
local-data: "db5sch101101939.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101941.wns.windows.com" redirect<br />
local-data: "db5sch101101941.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102015.wns.windows.com" redirect<br />
local-data: "db5sch101102015.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102017.wns.windows.com" redirect<br />
local-data: "db5sch101102017.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102019.wns.windows.com" redirect<br />
local-data: "db5sch101102019.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102023.wns.windows.com" redirect<br />
local-data: "db5sch101102023.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102025.wns.windows.com" redirect<br />
local-data: "db5sch101102025.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102032.wns.windows.com" redirect<br />
local-data: "db5sch101102032.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102033.wns.windows.com" redirect<br />
local-data: "db5sch101102033.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110108.wns.windows.com" redirect<br />
local-data: "db5sch101110108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110109.wns.windows.com" redirect<br />
local-data: "db5sch101110109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110114.wns.windows.com" redirect<br />
local-data: "db5sch101110114.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110135.wns.windows.com" redirect<br />
local-data: "db5sch101110135.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110142.wns.windows.com" redirect<br />
local-data: "db5sch101110142.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110204.wns.windows.com" redirect<br />
local-data: "db5sch101110204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110206.wns.windows.com" redirect<br />
local-data: "db5sch101110206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110214.wns.windows.com" redirect<br />
local-data: "db5sch101110214.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110225.wns.windows.com" redirect<br />
local-data: "db5sch101110225.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110232.wns.windows.com" redirect<br />
local-data: "db5sch101110232.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110245.wns.windows.com" redirect<br />
local-data: "db5sch101110245.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110315.wns.windows.com" redirect<br />
local-data: "db5sch101110315.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110323.wns.windows.com" redirect<br />
local-data: "db5sch101110323.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110325.wns.windows.com" redirect<br />
local-data: "db5sch101110325.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110328.wns.windows.com" redirect<br />
local-data: "db5sch101110328.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110331.wns.windows.com" redirect<br />
local-data: "db5sch101110331.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110341.wns.windows.com" redirect<br />
local-data: "db5sch101110341.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110343.wns.windows.com" redirect<br />
local-data: "db5sch101110343.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110345.wns.windows.com" redirect<br />
local-data: "db5sch101110345.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110403.wns.windows.com" redirect<br />
local-data: "db5sch101110403.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110419.wns.windows.com" redirect<br />
local-data: "db5sch101110419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110438.wns.windows.com" redirect<br />
local-data: "db5sch101110438.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110442.wns.windows.com" redirect<br />
local-data: "db5sch101110442.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110501.wns.windows.com" redirect<br />
local-data: "db5sch101110501.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110527.wns.windows.com" redirect<br />
local-data: "db5sch101110527.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110533.wns.windows.com" redirect<br />
local-data: "db5sch101110533.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110618.wns.windows.com" redirect<br />
local-data: "db5sch101110618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110622.wns.windows.com" redirect<br />
local-data: "db5sch101110622.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110624.wns.windows.com" redirect<br />
local-data: "db5sch101110624.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110626.wns.windows.com" redirect<br />
local-data: "db5sch101110626.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110634.wns.windows.com" redirect<br />
local-data: "db5sch101110634.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110705.wns.windows.com" redirect<br />
local-data: "db5sch101110705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110724.wns.windows.com" redirect<br />
local-data: "db5sch101110724.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110740.wns.windows.com" redirect<br />
local-data: "db5sch101110740.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110810.wns.windows.com" redirect<br />
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110816.wns.windows.com" redirect<br />
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110821.wns.windows.com" redirect<br />
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110822.wns.windows.com" redirect<br />
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110825.wns.windows.com" redirect<br />
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110828.wns.windows.com" redirect<br />
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110835.wns.windows.com" redirect<br />
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110919.wns.windows.com" redirect<br />
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110921.wns.windows.com" redirect<br />
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110923.wns.windows.com" redirect<br />
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110929.wns.windows.com" redirect<br />
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103081814.wns.windows.com" redirect<br />
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082011.wns.windows.com" redirect<br />
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082111.wns.windows.com" redirect<br />
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082308.wns.windows.com" redirect<br />
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082406.wns.windows.com" redirect<br />
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082409.wns.windows.com" redirect<br />
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082609.wns.windows.com" redirect<br />
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082611.wns.windows.com" redirect<br />
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082709.wns.windows.com" redirect<br />
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082712.wns.windows.com" redirect<br />
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082806.wns.windows.com" redirect<br />
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090115.wns.windows.com" redirect<br />
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090415.wns.windows.com" redirect<br />
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090513.wns.windows.com" redirect<br />
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090515.wns.windows.com" redirect<br />
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090608.wns.windows.com" redirect<br />
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090806.wns.windows.com" redirect<br />
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090814.wns.windows.com" redirect<br />
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090906.wns.windows.com" redirect<br />
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091011.wns.windows.com" redirect<br />
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091012.wns.windows.com" redirect<br />
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091106.wns.windows.com" redirect<br />
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091108.wns.windows.com" redirect<br />
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091212.wns.windows.com" redirect<br />
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091311.wns.windows.com" redirect<br />
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091414.wns.windows.com" redirect<br />
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091511.wns.windows.com" redirect<br />
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091617.wns.windows.com" redirect<br />
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091715.wns.windows.com" redirect<br />
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091817.wns.windows.com" redirect<br />
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091908.wns.windows.com" redirect<br />
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091911.wns.windows.com" redirect<br />
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092010.wns.windows.com" redirect<br />
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092108.wns.windows.com" redirect<br />
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092109.wns.windows.com" redirect<br />
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092209.wns.windows.com" redirect<br />
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092210.wns.windows.com" redirect<br />
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092509.wns.windows.com" redirect<br />
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100117.wns.windows.com" redirect<br />
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100121.wns.windows.com" redirect<br />
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100221.wns.windows.com" redirect<br />
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100313.wns.windows.com" redirect<br />
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100314.wns.windows.com" redirect<br />
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100510.wns.windows.com" redirect<br />
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100511.wns.windows.com" redirect<br />
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100611.wns.windows.com" redirect<br />
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100712.wns.windows.com" redirect<br />
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101105.wns.windows.com" redirect<br />
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101208.wns.windows.com" redirect<br />
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101212.wns.windows.com" redirect<br />
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101314.wns.windows.com" redirect<br />
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101411.wns.windows.com" redirect<br />
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101413.wns.windows.com" redirect<br />
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101513.wns.windows.com" redirect<br />
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101610.wns.windows.com" redirect<br />
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101611.wns.windows.com" redirect<br />
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101705.wns.windows.com" redirect<br />
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101711.wns.windows.com" redirect<br />
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101909.wns.windows.com" redirect<br />
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101914.wns.windows.com" redirect<br />
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102009.wns.windows.com" redirect<br />
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102112.wns.windows.com" redirect<br />
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102203.wns.windows.com" redirect<br />
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102209.wns.windows.com" redirect<br />
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102310.wns.windows.com" redirect<br />
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102404.wns.windows.com" redirect<br />
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102609.wns.windows.com" redirect<br />
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102610.wns.windows.com" redirect<br />
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102805.wns.windows.com" redirect<br />
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5wns1d.wns.windows.com" redirect<br />
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5.wns.windows.com" redirect<br />
local-data: "db5.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090104.wns.windows.com" redirect<br />
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090112.wns.windows.com" redirect<br />
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090116.wns.windows.com" redirect<br />
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090122.wns.windows.com" redirect<br />
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090203.wns.windows.com" redirect<br />
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090206.wns.windows.com" redirect<br />
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090208.wns.windows.com" redirect<br />
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090209.wns.windows.com" redirect<br />
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090211.wns.windows.com" redirect<br />
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090305.wns.windows.com" redirect<br />
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090306.wns.windows.com" redirect<br />
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090308.wns.windows.com" redirect<br />
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090311.wns.windows.com" redirect<br />
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090313.wns.windows.com" redirect<br />
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090410.wns.windows.com" redirect<br />
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090412.wns.windows.com" redirect<br />
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090504.wns.windows.com" redirect<br />
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090510.wns.windows.com" redirect<br />
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090512.wns.windows.com" redirect<br />
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090513.wns.windows.com" redirect<br />
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090514.wns.windows.com" redirect<br />
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090519.wns.windows.com" redirect<br />
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090613.wns.windows.com" redirect<br />
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090619.wns.windows.com" redirect<br />
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090810.wns.windows.com" redirect<br />
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090811.wns.windows.com" redirect<br />
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090902.wns.windows.com" redirect<br />
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090905.wns.windows.com" redirect<br />
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090907.wns.windows.com" redirect<br />
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090908.wns.windows.com" redirect<br />
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090910.wns.windows.com" redirect<br />
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090911.wns.windows.com" redirect<br />
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091003.wns.windows.com" redirect<br />
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091007.wns.windows.com" redirect<br />
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091008.wns.windows.com" redirect<br />
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091009.wns.windows.com" redirect<br />
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091011.wns.windows.com" redirect<br />
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091103.wns.windows.com" redirect<br />
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091105.wns.windows.com" redirect<br />
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091204.wns.windows.com" redirect<br />
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091209.wns.windows.com" redirect<br />
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091305.wns.windows.com" redirect<br />
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091307.wns.windows.com" redirect<br />
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091308.wns.windows.com" redirect<br />
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091309.wns.windows.com" redirect<br />
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091314.wns.windows.com" redirect<br />
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091412.wns.windows.com" redirect<br />
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091503.wns.windows.com" redirect<br />
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091507.wns.windows.com" redirect<br />
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091602.wns.windows.com" redirect<br />
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091603.wns.windows.com" redirect<br />
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091606.wns.windows.com" redirect<br />
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091607.wns.windows.com" redirect<br />
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"<br />
local-zone: "deploy.static.akamaitechnologies.com" redirect<br />
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"<br />
local-zone: "device.auth.xboxlive.com" redirect<br />
local-data: "device.auth.xboxlive.com A 0.0.0.1"<br />
local-zone: "dev.virtualearth.net" redirect<br />
local-data: "dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "df.telemetry.microsoft.com" redirect<br />
local-data: "df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "diagnostics.support.microsoft.com" redirect<br />
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"<br />
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "dmd.metaservices.microsoft.com" redirect<br />
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "dns.msftncsi.com" redirect<br />
local-data: "dns.msftncsi.com A 0.0.0.1"<br />
local-zone: "ec.atdmt.com" redirect<br />
local-data: "ec.atdmt.com A 0.0.0.1"<br />
local-zone: "ecn.dev.virtualearth.net" redirect<br />
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "eu.vortex.data.microsoft.com" redirect<br />
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.microsoft-hohm.com" redirect<br />
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"<br />
local-zone: "feedback.search.microsoft.com" redirect<br />
local-data: "feedback.search.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.windows.com" redirect<br />
local-data: "feedback.windows.com A 0.0.0.1"<br />
local-zone: "flex.msn.com" redirect<br />
local-data: "flex.msn.com A 0.0.0.1"<br />
local-zone: "fs.microsoft.com" redirect<br />
local-data: "fs.microsoft.com A 0.0.0.1"<br />
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "g.msn.com" redirect<br />
local-data: "g.msn.com A 0.0.0.1"<br />
local-zone: "h1.msn.com" redirect<br />
local-data: "h1.msn.com A 0.0.0.1"<br />
local-zone: "h2.msn.com" redirect<br />
local-data: "h2.msn.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com" redirect<br />
local-data: "i1.services.social.microsoft.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect<br />
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "img-s-msn-com.akamaized.net" redirect<br />
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"<br />
local-zone: "inference.location.live.net" redirect<br />
local-data: "inference.location.live.net A 0.0.0.1"<br />
local-zone: "insiderppe.cloudapp.net" redirect<br />
local-data: "insiderppe.cloudapp.net A 0.0.0.1"<br />
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "lb1.www.ms.akadns.net" redirect<br />
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"<br />
local-zone: "licensing.mp.microsoft.com" redirect<br />
local-data: "licensing.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "live.rads.msn.com" redirect<br />
local-data: "live.rads.msn.com A 0.0.0.1"<br />
local-zone: "ls2web.redmond.corp.microsoft.com" redirect<br />
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"<br />
local-zone: "m.adnxs.com" redirect<br />
local-data: "m.adnxs.com A 0.0.0.1"<br />
local-zone: "mediaredirect.microsoft.com" redirect<br />
local-data: "mediaredirect.microsoft.com A 0.0.0.1"<br />
local-zone: "mobile.pipe.aria.microsoft.com" redirect<br />
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"<br />
local-zone: "msedge.net" redirect<br />
local-data: "msedge.net A 0.0.0.1"<br />
local-zone: "msftncsi.com" redirect<br />
local-data: "msftncsi.com A 0.0.0.1"<br />
local-zone: "msntest.serving-sys.com" redirect<br />
local-data: "msntest.serving-sys.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com" redirect<br />
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "officeclient.microsoft.com" redirect<br />
local-data: "officeclient.microsoft.com A 0.0.0.1"<br />
local-zone: "oneclient.sfx.ms" redirect<br />
local-data: "oneclient.sfx.ms A 0.0.0.1"<br />
local-zone: "pre.footprintpredict.com" redirect<br />
local-data: "pre.footprintpredict.com A 0.0.0.1"<br />
local-zone: "preview.msn.com" redirect<br />
local-data: "preview.msn.com A 0.0.0.1"<br />
local-zone: "pti.store.microsoft.com" redirect<br />
local-data: "pti.store.microsoft.com A 0.0.0.1"<br />
local-zone: "query.prod.cms.rt.microsoft.com" redirect<br />
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"<br />
local-zone: "rad.msn.com" redirect<br />
local-data: "rad.msn.com A 0.0.0.1"<br />
local-zone: "redir.metaservices.microsoft.com" redirect<br />
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "register.cdpcs.microsoft.com" redirect<br />
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"<br />
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "s0.2mdn.net" redirect<br />
local-data: "s0.2mdn.net A 0.0.0.1"<br />
local-zone: "schemas.microsoft.akadns.net" redirect<br />
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "search.msn.com" redirect<br />
local-data: "search.msn.com A 0.0.0.1"<br />
local-zone: "secure.adnxs.com" redirect<br />
local-data: "secure.adnxs.com A 0.0.0.1"<br />
local-zone: "secure.flashtalking.com" redirect<br />
local-data: "secure.flashtalking.com A 0.0.0.1"<br />
local-zone: "services.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.glbdns2.microsoft.com" redirect<br />
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.microsoft.com" redirect<br />
local-data: "settings.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-sandbox.data.microsoft.com" redirect<br />
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-ssl.xboxlive.com" redirect<br />
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"<br />
local-zone: "settings-win.data.microsoft.com" redirect<br />
local-data: "settings-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-win-ppe.data.microsoft.com" redirect<br />
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"<br />
local-zone: "sn3301-c.1drv.com" redirect<br />
local-data: "sn3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-e.1drv.com" redirect<br />
local-data: "sn3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-g.1drv.com" redirect<br />
local-data: "sn3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "so.2mdn.net" redirect<br />
local-data: "so.2mdn.net A 0.0.0.1"<br />
local-zone: "spynet2.microsoft.com" redirect<br />
local-data: "spynet2.microsoft.com A 0.0.0.1"<br />
local-zone: "spynetalt.microsoft.com" redirect<br />
local-data: "spynetalt.microsoft.com A 0.0.0.1"<br />
local-zone: "spyneteurope.microsoft.akadns.net" redirect<br />
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "sqm.df.telemetry.microsoft.com" redirect<br />
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com" redirect<br />
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "static.2mdn.net" redirect<br />
local-data: "static.2mdn.net A 0.0.0.1"<br />
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect<br />
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"<br />
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect<br />
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "store-images.s-microsoft.com" redirect<br />
local-data: "store-images.s-microsoft.com A 0.0.0.1"<br />
local-zone: "support.microsoft.com" redirect<br />
local-data: "support.microsoft.com A 0.0.0.1"<br />
local-zone: "survey.watson.microsoft.com" redirect<br />
local-data: "survey.watson.microsoft.com A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com" redirect<br />
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "telemetry.appex.bing.net" redirect<br />
local-data: "telemetry.appex.bing.net A 0.0.0.1"<br />
local-zone: "telemetry.microsoft.com" redirect<br />
local-data: "telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telemetry.urs.microsoft.com" redirect<br />
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"<br />
local-zone: "test.activity.windows.com" redirect<br />
local-data: "test.activity.windows.com A 0.0.0.1"<br />
local-zone: "tile-service.weather.microsoft.com" redirect<br />
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "time.windows.com" redirect<br />
local-data: "time.windows.com A 0.0.0.1"<br />
local-zone: "tk2.plt.msn.com" redirect<br />
local-data: "tk2.plt.msn.com A 0.0.0.1"<br />
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect<br />
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "urs.smartscreen.microsoft.com" redirect<br />
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.microsoft.com" redirect<br />
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "version.hybrid.api.here.com" redirect<br />
local-data: "version.hybrid.api.here.com A 0.0.0.1"<br />
local-zone: "view.atdmt.com" redirect<br />
local-data: "view.atdmt.com A 0.0.0.1"<br />
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.glbdns2.microsoft.com" redirect<br />
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.microsoft.com" redirect<br />
local-data: "vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-sandbox.data.microsoft.com" redirect<br />
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-win.data.microsoft.com" redirect<br />
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.microsoft.com" redirect<br />
local-data: "watson.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.ppe.telemetry.microsoft.com" redirect<br />
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com" redirect<br />
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "wdcpalt.microsoft.com" redirect<br />
local-data: "wdcpalt.microsoft.com A 0.0.0.1"<br />
local-zone: "wdcp.microsoft.com" redirect<br />
local-data: "wdcp.microsoft.com A 0.0.0.1"<br />
local-zone: "web.vortex.data.microsoft.com" redirect<br />
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "wes.df.telemetry.microsoft.com" redirect<br />
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "win10.ipv6.microsoft.com" redirect<br />
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "win10-trt.msedge.net" redirect<br />
local-data: "win10-trt.msedge.net A 0.0.0.1"<br />
local-zone: "win1710.ipv6.microsoft.com" redirect<br />
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "wscont.apps.microsoft.com" redirect<br />
local-data: "wscont.apps.microsoft.com A 0.0.0.1"<br />
local-zone: "www.msedge.net" redirect<br />
local-data: "www.msedge.net A 0.0.0.1"<br />
local-zone: "www.msftconnecttest.com" redirect<br />
local-data: "www.msftconnecttest.com A 0.0.0.1"<br />
local-zone: "www.msftncsi.com" redirect<br />
local-data: "www.msftncsi.com A 0.0.0.1"</pre><br />
<br />
== DNSCrypt ==<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']</pre><br />
<br />
== Add policy route for dnscrypt over VPN ==<br />
<br />
Add a [https://en.wikipedia.org/wiki/Policy-based_routing policy based route] based on the uid of the dnscrypt user. On Alpine Linux dnscrypt-proxy runs as a specific user so check /etc/passwd<br />
<br />
<pre>dnscrypt:x:103:104:dnscrypt:/var/empty:/sbin/nologin</pre><br />
<br />
In this example the dnscrypt user has the uid 103.<br />
<br />
Warning: {{Warning|Make sure you check the uid of your dnscrypt user and don't just copy the one here!}}<br />
<br />
Add this to [https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Ffwmark_rules fwmark_rules] eg:<br />
<br />
=== /etc/network/fwmark_rules ===<br />
<pre># Route DNSCrypt user through the VPN table<br />
/sbin/ip rule add uidrange 103-103 table VPN prio 200</pre><br />
<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]<br />
<br />
[[category: VPN]]<br />
[[category: Raspberry]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=16945Linux Router with VPN on a Raspberry Pi2020-02-25T10:03:22Z<p>Dngray: Mention dhcpcd</p>
<hr />
<div>{{TOC right}}<br />
<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255</pre><br />
<br />
<br />
=== PPP ===<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem.<br />
<br />
If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].<br />
<br />
You will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
<pre># External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
=== IPoE ===<br />
Alternatively it's quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:<br />
<br />
<pre># External interface to ISP<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet dhcp<br />
<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
<br />
iface eth1 inet6 manual</pre><br />
<br />
==== DHCP from ISP ====<br />
<br />
Above we set DHCP and we set a static IP. The purpose of this is so we can still forward packets through to the modem to be able to access the web interface or ssh.<br />
<br />
We do still need DHCP to get an IP address form our ISP though. I like to use dhcpcd instead of udhcp (the default in Alpine Linux), because it allows for [https://en.wikipedia.org/wiki/Prefix_delegation Prefix Delegation], which is used in IPv6 networks.<br />
<br />
My /etc/dhcpcd.conf looks like this:<br />
<br />
<pre># Enable extra debugging<br />
# debug<br />
# logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
# clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu 1586<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
allowinterfaces eth1 eth0.2<br />
# Use the interface connected to WAN<br />
interface eth1<br />
waitip 4<br />
noipv4ll<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64<br />
timeout 30<br />
<br />
interface eth0.2<br />
ipv6only</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Blocking Microsoft Telemetry on the network by domain ==<br />
Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found [https://www.privacytools.io/operating-systems/#win10 here].<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie [https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS/DWSResources.cs#L210 Destroy-Windows-10-Spying], [https://github.com/10se1ucgo/DisableWinTracking/blob/master/dwt.py#L333 DisableWinTracking], [https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1#L19 Debloat-Windows-10] and [https://github.com/pragmatrix/Dominator/blob/master/Dominator.Windows10/Settings/telemetry.txt Dominator.Windows10]. I have prepared the list further down: [[Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf]].<br />
<br />
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/uBlock_Origin uBlock Origin].<br />
<br />
Another way is to disable this stuff with a group policy see [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services Manage connections from Windows operating system components to Microsoft services] only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== /etc/unbound/filter.conf ==<br />
<pre>local-zone: "a-0001.a-msedge.net" redirect<br />
local-data: "a-0001.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0001.dc-msedge.net" redirect<br />
local-data: "a-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "a-0002.a-msedge.net" redirect<br />
local-data: "a-0002.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0003.a-msedge.net" redirect<br />
local-data: "a-0003.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0004.a-msedge.net" redirect<br />
local-data: "a-0004.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0005.a-msedge.net" redirect<br />
local-data: "a-0005.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0006.a-msedge.net" redirect<br />
local-data: "a-0006.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0007.a-msedge.net" redirect<br />
local-data: "a-0007.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0008.a-msedge.net" redirect<br />
local-data: "a-0008.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0009.a-msedge.net" redirect<br />
local-data: "a-0009.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0010.a-msedge.net" redirect<br />
local-data: "a-0010.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0011.a-msedge.net" redirect<br />
local-data: "a-0011.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0012.a-msedge.net" redirect<br />
local-data: "a-0012.a-msedge.net A 0.0.0.1"<br />
local-zone: "a.ads1.msn.com" redirect<br />
local-data: "a.ads1.msn.com A 0.0.0.1"<br />
local-zone: "a.ads2.msads.net" redirect<br />
local-data: "a.ads2.msads.net A 0.0.0.1"<br />
local-zone: "a.ads2.msn.com" redirect<br />
local-data: "a.ads2.msn.com A 0.0.0.1"<br />
local-zone: "ac3.msn.com" redirect<br />
local-data: "ac3.msn.com A 0.0.0.1"<br />
local-zone: "activity.windows.com" redirect<br />
local-data: "activity.windows.com A 0.0.0.1"<br />
local-zone: "adnexus.net" redirect<br />
local-data: "adnexus.net A 0.0.0.1"<br />
local-zone: "adnxs.com" redirect<br />
local-data: "adnxs.com A 0.0.0.1"<br />
local-zone: "ads1.msads.net" redirect<br />
local-data: "ads1.msads.net A 0.0.0.1"<br />
local-zone: "ads1.msn.com" redirect<br />
local-data: "ads1.msn.com A 0.0.0.1"<br />
local-zone: "ads.msn.com" redirect<br />
local-data: "ads.msn.com A 0.0.0.1"<br />
local-zone: "aidps.atdmt.com" redirect<br />
local-data: "aidps.atdmt.com A 0.0.0.1"<br />
local-zone: "aka-cdn-ns.adtech.de" redirect<br />
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"<br />
local-zone: "a-msedge.net" redirect<br />
local-data: "a-msedge.net A 0.0.0.1"<br />
local-zone: "a.rad.msn.com" redirect<br />
local-data: "a.rad.msn.com A 0.0.0.1"<br />
local-zone: "array101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array102-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array102-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array103-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array103-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array104-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array104-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array202-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array202-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array203-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array203-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array204-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array204-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array402-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array402-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array403-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array403-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array404-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array404-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array405-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array405-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array406-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array406-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array407-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array407-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array408-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array408-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "ars.smartscreen.microsoft.com" redirect<br />
local-data: "ars.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "az361816.vo.msecnd.net" redirect<br />
local-data: "az361816.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "az512334.vo.msecnd.net" redirect<br />
local-data: "az512334.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "b.ads1.msn.com" redirect<br />
local-data: "b.ads1.msn.com A 0.0.0.1"<br />
local-zone: "b.ads2.msads.net" redirect<br />
local-data: "b.ads2.msads.net A 0.0.0.1"<br />
local-zone: "bingads.microsoft.com" redirect<br />
local-data: "bingads.microsoft.com A 0.0.0.1"<br />
local-zone: "bl3301-a.1drv.com" redirect<br />
local-data: "bl3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-c.1drv.com" redirect<br />
local-data: "bl3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-g.1drv.com" redirect<br />
local-data: "bl3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "blob.weather.microsoft.com" redirect<br />
local-data: "blob.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "bn1304-e.1drv.com" redirect<br />
local-data: "bn1304-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-a.1drv.com" redirect<br />
local-data: "bn1306-a.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-e.1drv.com" redirect<br />
local-data: "bn1306-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-g.1drv.com" redirect<br />
local-data: "bn1306-g.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor002.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor003.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor003.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor004.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor004.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2wns1.wns.windows.com" redirect<br />
local-data: "bn2wns1.wns.windows.com A 0.0.0.1"<br />
local-zone: "bn3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn3sch020022328.wns.windows.com" redirect<br />
local-data: "bn3sch020022328.wns.windows.com A 0.0.0.1"<br />
local-zone: "b.rad.msn.com" redirect<br />
local-data: "b.rad.msn.com A 0.0.0.1"<br />
local-zone: "bs.serving-sys.com" redirect<br />
local-data: "bs.serving-sys.com A 0.0.0.1"<br />
local-zone: "by3301-a.1drv.com" redirect<br />
local-data: "by3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-c.1drv.com" redirect<br />
local-data: "by3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-e.1drv.com" redirect<br />
local-data: "by3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "c-0001.dc-msedge.net" redirect<br />
local-data: "c-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "cache.datamart.windows.com" redirect<br />
local-data: "cache.datamart.windows.com A 0.0.0.1"<br />
local-zone: "candycrushsoda.king.com" redirect<br />
local-data: "candycrushsoda.king.com A 0.0.0.1"<br />
local-zone: "c.atdmt.com" redirect<br />
local-data: "c.atdmt.com A 0.0.0.1"<br />
local-zone: "ca.telemetry.microsoft.com" redirect<br />
local-data: "ca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "cdn.atdmt.com" redirect<br />
local-data: "cdn.atdmt.com A 0.0.0.1"<br />
local-zone: "cdn.content.prod.cms.msn.com" redirect<br />
local-data: "cdn.content.prod.cms.msn.com A 0.0.0.1"<br />
local-zone: "cdn.onenote.net" redirect<br />
local-data: "cdn.onenote.net A 0.0.0.1"<br />
local-zone: "cds1204.lon.llnw.net" redirect<br />
local-data: "cds1204.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds1293.lon.llnw.net" redirect<br />
local-data: "cds1293.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds20417.lcy.llnw.net" redirect<br />
local-data: "cds20417.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20431.lcy.llnw.net" redirect<br />
local-data: "cds20431.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20450.lcy.llnw.net" redirect<br />
local-data: "cds20450.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20457.lcy.llnw.net" redirect<br />
local-data: "cds20457.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20475.lcy.llnw.net" redirect<br />
local-data: "cds20475.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds21244.lon.llnw.net" redirect<br />
local-data: "cds21244.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds26.ams9.msecn.net" redirect<br />
local-data: "cds26.ams9.msecn.net A 0.0.0.1"<br />
local-zone: "cds425.lcy.llnw.net" redirect<br />
local-data: "cds425.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds459.lcy.llnw.net" redirect<br />
local-data: "cds459.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds494.lcy.llnw.net" redirect<br />
local-data: "cds494.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds965.lon.llnw.net" redirect<br />
local-data: "cds965.lon.llnw.net A 0.0.0.1"<br />
local-zone: "ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-c.1drv.com" redirect<br />
local-data: "ch3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-e.1drv.com" redirect<br />
local-data: "ch3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-g.1drv.com" redirect<br />
local-data: "ch3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-c.1drv.com" redirect<br />
local-data: "ch3302-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-e.1drv.com" redirect<br />
local-data: "ch3302-e.1drv.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com" redirect<br />
local-data: "choice.microsoft.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com.nsatc.net" redirect<br />
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "clientconfig.passport.net" redirect<br />
local-data: "clientconfig.passport.net A 0.0.0.1"<br />
local-zone: "client-s.gateway.messenger.live.com" redirect<br />
local-data: "client-s.gateway.messenger.live.com A 0.0.0.1"<br />
local-zone: "client.wns.windows.com" redirect<br />
local-data: "client.wns.windows.com A 0.0.0.1"<br />
local-zone: "c.msn.com" redirect<br />
local-data: "c.msn.com A 0.0.0.1"<br />
local-zone: "compatexchange1.trafficmanager.net" redirect<br />
local-data: "compatexchange1.trafficmanager.net A 0.0.0.1"<br />
local-zone: "compatexchange.cloudapp.net" redirect<br />
local-data: "compatexchange.cloudapp.net A 0.0.0.1"<br />
local-zone: "continuum.dds.microsoft.com" redirect<br />
local-data: "continuum.dds.microsoft.com A 0.0.0.1"<br />
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect<br />
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "corp.sts.microsoft.com" redirect<br />
local-data: "corp.sts.microsoft.com A 0.0.0.1"<br />
local-zone: "cp101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cs1.wpc.v0cdn.net" redirect<br />
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"<br />
local-zone: "db3aqu.atdmt.com" redirect<br />
local-data: "db3aqu.atdmt.com A 0.0.0.1"<br />
local-zone: "db3wns2011111.wns.windows.com" redirect<br />
local-data: "db3wns2011111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100122.wns.windows.com" redirect<br />
local-data: "db5sch101100122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100127.wns.windows.com" redirect<br />
local-data: "db5sch101100127.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100831.wns.windows.com" redirect<br />
local-data: "db5sch101100831.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100835.wns.windows.com" redirect<br />
local-data: "db5sch101100835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100917.wns.windows.com" redirect<br />
local-data: "db5sch101100917.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100925.wns.windows.com" redirect<br />
local-data: "db5sch101100925.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100928.wns.windows.com" redirect<br />
local-data: "db5sch101100928.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100938.wns.windows.com" redirect<br />
local-data: "db5sch101100938.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101001.wns.windows.com" redirect<br />
local-data: "db5sch101101001.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101022.wns.windows.com" redirect<br />
local-data: "db5sch101101022.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101024.wns.windows.com" redirect<br />
local-data: "db5sch101101024.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101031.wns.windows.com" redirect<br />
local-data: "db5sch101101031.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101034.wns.windows.com" redirect<br />
local-data: "db5sch101101034.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101042.wns.windows.com" redirect<br />
local-data: "db5sch101101042.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101044.wns.windows.com" redirect<br />
local-data: "db5sch101101044.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101122.wns.windows.com" redirect<br />
local-data: "db5sch101101122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101123.wns.windows.com" redirect<br />
local-data: "db5sch101101123.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101125.wns.windows.com" redirect<br />
local-data: "db5sch101101125.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101128.wns.windows.com" redirect<br />
local-data: "db5sch101101128.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101129.wns.windows.com" redirect<br />
local-data: "db5sch101101129.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101133.wns.windows.com" redirect<br />
local-data: "db5sch101101133.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101145.wns.windows.com" redirect<br />
local-data: "db5sch101101145.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101209.wns.windows.com" redirect<br />
local-data: "db5sch101101209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101221.wns.windows.com" redirect<br />
local-data: "db5sch101101221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101228.wns.windows.com" redirect<br />
local-data: "db5sch101101228.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101231.wns.windows.com" redirect<br />
local-data: "db5sch101101231.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101237.wns.windows.com" redirect<br />
local-data: "db5sch101101237.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101317.wns.windows.com" redirect<br />
local-data: "db5sch101101317.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101324.wns.windows.com" redirect<br />
local-data: "db5sch101101324.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101329.wns.windows.com" redirect<br />
local-data: "db5sch101101329.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101333.wns.windows.com" redirect<br />
local-data: "db5sch101101333.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101334.wns.windows.com" redirect<br />
local-data: "db5sch101101334.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101338.wns.windows.com" redirect<br />
local-data: "db5sch101101338.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101419.wns.windows.com" redirect<br />
local-data: "db5sch101101419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101424.wns.windows.com" redirect<br />
local-data: "db5sch101101424.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101426.wns.windows.com" redirect<br />
local-data: "db5sch101101426.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101427.wns.windows.com" redirect<br />
local-data: "db5sch101101427.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101430.wns.windows.com" redirect<br />
local-data: "db5sch101101430.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101445.wns.windows.com" redirect<br />
local-data: "db5sch101101445.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101511.wns.windows.com" redirect<br />
local-data: "db5sch101101511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101519.wns.windows.com" redirect<br />
local-data: "db5sch101101519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101529.wns.windows.com" redirect<br />
local-data: "db5sch101101529.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101535.wns.windows.com" redirect<br />
local-data: "db5sch101101535.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101541.wns.windows.com" redirect<br />
local-data: "db5sch101101541.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101543.wns.windows.com" redirect<br />
local-data: "db5sch101101543.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101608.wns.windows.com" redirect<br />
local-data: "db5sch101101608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101618.wns.windows.com" redirect<br />
local-data: "db5sch101101618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101629.wns.windows.com" redirect<br />
local-data: "db5sch101101629.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101631.wns.windows.com" redirect<br />
local-data: "db5sch101101631.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101633.wns.windows.com" redirect<br />
local-data: "db5sch101101633.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101640.wns.windows.com" redirect<br />
local-data: "db5sch101101640.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101711.wns.windows.com" redirect<br />
local-data: "db5sch101101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101722.wns.windows.com" redirect<br />
local-data: "db5sch101101722.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101739.wns.windows.com" redirect<br />
local-data: "db5sch101101739.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101745.wns.windows.com" redirect<br />
local-data: "db5sch101101745.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101813.wns.windows.com" redirect<br />
local-data: "db5sch101101813.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101820.wns.windows.com" redirect<br />
local-data: "db5sch101101820.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101826.wns.windows.com" redirect<br />
local-data: "db5sch101101826.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101835.wns.windows.com" redirect<br />
local-data: "db5sch101101835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101837.wns.windows.com" redirect<br />
local-data: "db5sch101101837.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101844.wns.windows.com" redirect<br />
local-data: "db5sch101101844.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101907.wns.windows.com" redirect<br />
local-data: "db5sch101101907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101914.wns.windows.com" redirect<br />
local-data: "db5sch101101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101929.wns.windows.com" redirect<br />
local-data: "db5sch101101929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101939.wns.windows.com" redirect<br />
local-data: "db5sch101101939.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101941.wns.windows.com" redirect<br />
local-data: "db5sch101101941.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102015.wns.windows.com" redirect<br />
local-data: "db5sch101102015.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102017.wns.windows.com" redirect<br />
local-data: "db5sch101102017.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102019.wns.windows.com" redirect<br />
local-data: "db5sch101102019.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102023.wns.windows.com" redirect<br />
local-data: "db5sch101102023.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102025.wns.windows.com" redirect<br />
local-data: "db5sch101102025.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102032.wns.windows.com" redirect<br />
local-data: "db5sch101102032.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102033.wns.windows.com" redirect<br />
local-data: "db5sch101102033.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110108.wns.windows.com" redirect<br />
local-data: "db5sch101110108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110109.wns.windows.com" redirect<br />
local-data: "db5sch101110109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110114.wns.windows.com" redirect<br />
local-data: "db5sch101110114.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110135.wns.windows.com" redirect<br />
local-data: "db5sch101110135.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110142.wns.windows.com" redirect<br />
local-data: "db5sch101110142.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110204.wns.windows.com" redirect<br />
local-data: "db5sch101110204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110206.wns.windows.com" redirect<br />
local-data: "db5sch101110206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110214.wns.windows.com" redirect<br />
local-data: "db5sch101110214.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110225.wns.windows.com" redirect<br />
local-data: "db5sch101110225.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110232.wns.windows.com" redirect<br />
local-data: "db5sch101110232.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110245.wns.windows.com" redirect<br />
local-data: "db5sch101110245.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110315.wns.windows.com" redirect<br />
local-data: "db5sch101110315.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110323.wns.windows.com" redirect<br />
local-data: "db5sch101110323.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110325.wns.windows.com" redirect<br />
local-data: "db5sch101110325.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110328.wns.windows.com" redirect<br />
local-data: "db5sch101110328.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110331.wns.windows.com" redirect<br />
local-data: "db5sch101110331.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110341.wns.windows.com" redirect<br />
local-data: "db5sch101110341.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110343.wns.windows.com" redirect<br />
local-data: "db5sch101110343.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110345.wns.windows.com" redirect<br />
local-data: "db5sch101110345.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110403.wns.windows.com" redirect<br />
local-data: "db5sch101110403.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110419.wns.windows.com" redirect<br />
local-data: "db5sch101110419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110438.wns.windows.com" redirect<br />
local-data: "db5sch101110438.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110442.wns.windows.com" redirect<br />
local-data: "db5sch101110442.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110501.wns.windows.com" redirect<br />
local-data: "db5sch101110501.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110527.wns.windows.com" redirect<br />
local-data: "db5sch101110527.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110533.wns.windows.com" redirect<br />
local-data: "db5sch101110533.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110618.wns.windows.com" redirect<br />
local-data: "db5sch101110618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110622.wns.windows.com" redirect<br />
local-data: "db5sch101110622.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110624.wns.windows.com" redirect<br />
local-data: "db5sch101110624.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110626.wns.windows.com" redirect<br />
local-data: "db5sch101110626.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110634.wns.windows.com" redirect<br />
local-data: "db5sch101110634.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110705.wns.windows.com" redirect<br />
local-data: "db5sch101110705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110724.wns.windows.com" redirect<br />
local-data: "db5sch101110724.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110740.wns.windows.com" redirect<br />
local-data: "db5sch101110740.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110810.wns.windows.com" redirect<br />
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110816.wns.windows.com" redirect<br />
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110821.wns.windows.com" redirect<br />
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110822.wns.windows.com" redirect<br />
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110825.wns.windows.com" redirect<br />
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110828.wns.windows.com" redirect<br />
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110835.wns.windows.com" redirect<br />
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110919.wns.windows.com" redirect<br />
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110921.wns.windows.com" redirect<br />
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110923.wns.windows.com" redirect<br />
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110929.wns.windows.com" redirect<br />
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103081814.wns.windows.com" redirect<br />
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082011.wns.windows.com" redirect<br />
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082111.wns.windows.com" redirect<br />
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082308.wns.windows.com" redirect<br />
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082406.wns.windows.com" redirect<br />
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082409.wns.windows.com" redirect<br />
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082609.wns.windows.com" redirect<br />
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082611.wns.windows.com" redirect<br />
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082709.wns.windows.com" redirect<br />
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082712.wns.windows.com" redirect<br />
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082806.wns.windows.com" redirect<br />
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090115.wns.windows.com" redirect<br />
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090415.wns.windows.com" redirect<br />
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090513.wns.windows.com" redirect<br />
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090515.wns.windows.com" redirect<br />
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090608.wns.windows.com" redirect<br />
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090806.wns.windows.com" redirect<br />
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090814.wns.windows.com" redirect<br />
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090906.wns.windows.com" redirect<br />
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091011.wns.windows.com" redirect<br />
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091012.wns.windows.com" redirect<br />
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091106.wns.windows.com" redirect<br />
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091108.wns.windows.com" redirect<br />
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091212.wns.windows.com" redirect<br />
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091311.wns.windows.com" redirect<br />
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091414.wns.windows.com" redirect<br />
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091511.wns.windows.com" redirect<br />
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091617.wns.windows.com" redirect<br />
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091715.wns.windows.com" redirect<br />
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091817.wns.windows.com" redirect<br />
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091908.wns.windows.com" redirect<br />
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091911.wns.windows.com" redirect<br />
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092010.wns.windows.com" redirect<br />
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092108.wns.windows.com" redirect<br />
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092109.wns.windows.com" redirect<br />
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092209.wns.windows.com" redirect<br />
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092210.wns.windows.com" redirect<br />
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092509.wns.windows.com" redirect<br />
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100117.wns.windows.com" redirect<br />
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100121.wns.windows.com" redirect<br />
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100221.wns.windows.com" redirect<br />
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100313.wns.windows.com" redirect<br />
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100314.wns.windows.com" redirect<br />
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100510.wns.windows.com" redirect<br />
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100511.wns.windows.com" redirect<br />
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100611.wns.windows.com" redirect<br />
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100712.wns.windows.com" redirect<br />
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101105.wns.windows.com" redirect<br />
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101208.wns.windows.com" redirect<br />
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101212.wns.windows.com" redirect<br />
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101314.wns.windows.com" redirect<br />
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101411.wns.windows.com" redirect<br />
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101413.wns.windows.com" redirect<br />
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101513.wns.windows.com" redirect<br />
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101610.wns.windows.com" redirect<br />
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101611.wns.windows.com" redirect<br />
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101705.wns.windows.com" redirect<br />
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101711.wns.windows.com" redirect<br />
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101909.wns.windows.com" redirect<br />
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101914.wns.windows.com" redirect<br />
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102009.wns.windows.com" redirect<br />
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102112.wns.windows.com" redirect<br />
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102203.wns.windows.com" redirect<br />
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102209.wns.windows.com" redirect<br />
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102310.wns.windows.com" redirect<br />
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102404.wns.windows.com" redirect<br />
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102609.wns.windows.com" redirect<br />
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102610.wns.windows.com" redirect<br />
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102805.wns.windows.com" redirect<br />
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5wns1d.wns.windows.com" redirect<br />
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5.wns.windows.com" redirect<br />
local-data: "db5.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090104.wns.windows.com" redirect<br />
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090112.wns.windows.com" redirect<br />
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090116.wns.windows.com" redirect<br />
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090122.wns.windows.com" redirect<br />
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090203.wns.windows.com" redirect<br />
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090206.wns.windows.com" redirect<br />
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090208.wns.windows.com" redirect<br />
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090209.wns.windows.com" redirect<br />
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090211.wns.windows.com" redirect<br />
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090305.wns.windows.com" redirect<br />
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090306.wns.windows.com" redirect<br />
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090308.wns.windows.com" redirect<br />
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090311.wns.windows.com" redirect<br />
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090313.wns.windows.com" redirect<br />
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090410.wns.windows.com" redirect<br />
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090412.wns.windows.com" redirect<br />
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090504.wns.windows.com" redirect<br />
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090510.wns.windows.com" redirect<br />
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090512.wns.windows.com" redirect<br />
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090513.wns.windows.com" redirect<br />
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090514.wns.windows.com" redirect<br />
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090519.wns.windows.com" redirect<br />
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090613.wns.windows.com" redirect<br />
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090619.wns.windows.com" redirect<br />
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090810.wns.windows.com" redirect<br />
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090811.wns.windows.com" redirect<br />
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090902.wns.windows.com" redirect<br />
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090905.wns.windows.com" redirect<br />
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090907.wns.windows.com" redirect<br />
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090908.wns.windows.com" redirect<br />
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090910.wns.windows.com" redirect<br />
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090911.wns.windows.com" redirect<br />
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091003.wns.windows.com" redirect<br />
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091007.wns.windows.com" redirect<br />
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091008.wns.windows.com" redirect<br />
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091009.wns.windows.com" redirect<br />
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091011.wns.windows.com" redirect<br />
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091103.wns.windows.com" redirect<br />
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091105.wns.windows.com" redirect<br />
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091204.wns.windows.com" redirect<br />
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091209.wns.windows.com" redirect<br />
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091305.wns.windows.com" redirect<br />
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091307.wns.windows.com" redirect<br />
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091308.wns.windows.com" redirect<br />
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091309.wns.windows.com" redirect<br />
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091314.wns.windows.com" redirect<br />
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091412.wns.windows.com" redirect<br />
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091503.wns.windows.com" redirect<br />
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091507.wns.windows.com" redirect<br />
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091602.wns.windows.com" redirect<br />
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091603.wns.windows.com" redirect<br />
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091606.wns.windows.com" redirect<br />
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091607.wns.windows.com" redirect<br />
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"<br />
local-zone: "deploy.static.akamaitechnologies.com" redirect<br />
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"<br />
local-zone: "device.auth.xboxlive.com" redirect<br />
local-data: "device.auth.xboxlive.com A 0.0.0.1"<br />
local-zone: "dev.virtualearth.net" redirect<br />
local-data: "dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "df.telemetry.microsoft.com" redirect<br />
local-data: "df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "diagnostics.support.microsoft.com" redirect<br />
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"<br />
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "dmd.metaservices.microsoft.com" redirect<br />
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "dns.msftncsi.com" redirect<br />
local-data: "dns.msftncsi.com A 0.0.0.1"<br />
local-zone: "ec.atdmt.com" redirect<br />
local-data: "ec.atdmt.com A 0.0.0.1"<br />
local-zone: "ecn.dev.virtualearth.net" redirect<br />
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "eu.vortex.data.microsoft.com" redirect<br />
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.microsoft-hohm.com" redirect<br />
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"<br />
local-zone: "feedback.search.microsoft.com" redirect<br />
local-data: "feedback.search.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.windows.com" redirect<br />
local-data: "feedback.windows.com A 0.0.0.1"<br />
local-zone: "flex.msn.com" redirect<br />
local-data: "flex.msn.com A 0.0.0.1"<br />
local-zone: "fs.microsoft.com" redirect<br />
local-data: "fs.microsoft.com A 0.0.0.1"<br />
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "g.msn.com" redirect<br />
local-data: "g.msn.com A 0.0.0.1"<br />
local-zone: "h1.msn.com" redirect<br />
local-data: "h1.msn.com A 0.0.0.1"<br />
local-zone: "h2.msn.com" redirect<br />
local-data: "h2.msn.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com" redirect<br />
local-data: "i1.services.social.microsoft.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect<br />
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "img-s-msn-com.akamaized.net" redirect<br />
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"<br />
local-zone: "inference.location.live.net" redirect<br />
local-data: "inference.location.live.net A 0.0.0.1"<br />
local-zone: "insiderppe.cloudapp.net" redirect<br />
local-data: "insiderppe.cloudapp.net A 0.0.0.1"<br />
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "lb1.www.ms.akadns.net" redirect<br />
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"<br />
local-zone: "licensing.mp.microsoft.com" redirect<br />
local-data: "licensing.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "live.rads.msn.com" redirect<br />
local-data: "live.rads.msn.com A 0.0.0.1"<br />
local-zone: "ls2web.redmond.corp.microsoft.com" redirect<br />
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"<br />
local-zone: "m.adnxs.com" redirect<br />
local-data: "m.adnxs.com A 0.0.0.1"<br />
local-zone: "mediaredirect.microsoft.com" redirect<br />
local-data: "mediaredirect.microsoft.com A 0.0.0.1"<br />
local-zone: "mobile.pipe.aria.microsoft.com" redirect<br />
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"<br />
local-zone: "msedge.net" redirect<br />
local-data: "msedge.net A 0.0.0.1"<br />
local-zone: "msftncsi.com" redirect<br />
local-data: "msftncsi.com A 0.0.0.1"<br />
local-zone: "msntest.serving-sys.com" redirect<br />
local-data: "msntest.serving-sys.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com" redirect<br />
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "officeclient.microsoft.com" redirect<br />
local-data: "officeclient.microsoft.com A 0.0.0.1"<br />
local-zone: "oneclient.sfx.ms" redirect<br />
local-data: "oneclient.sfx.ms A 0.0.0.1"<br />
local-zone: "pre.footprintpredict.com" redirect<br />
local-data: "pre.footprintpredict.com A 0.0.0.1"<br />
local-zone: "preview.msn.com" redirect<br />
local-data: "preview.msn.com A 0.0.0.1"<br />
local-zone: "pti.store.microsoft.com" redirect<br />
local-data: "pti.store.microsoft.com A 0.0.0.1"<br />
local-zone: "query.prod.cms.rt.microsoft.com" redirect<br />
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"<br />
local-zone: "rad.msn.com" redirect<br />
local-data: "rad.msn.com A 0.0.0.1"<br />
local-zone: "redir.metaservices.microsoft.com" redirect<br />
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "register.cdpcs.microsoft.com" redirect<br />
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"<br />
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "s0.2mdn.net" redirect<br />
local-data: "s0.2mdn.net A 0.0.0.1"<br />
local-zone: "schemas.microsoft.akadns.net" redirect<br />
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "search.msn.com" redirect<br />
local-data: "search.msn.com A 0.0.0.1"<br />
local-zone: "secure.adnxs.com" redirect<br />
local-data: "secure.adnxs.com A 0.0.0.1"<br />
local-zone: "secure.flashtalking.com" redirect<br />
local-data: "secure.flashtalking.com A 0.0.0.1"<br />
local-zone: "services.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.glbdns2.microsoft.com" redirect<br />
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.microsoft.com" redirect<br />
local-data: "settings.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-sandbox.data.microsoft.com" redirect<br />
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-ssl.xboxlive.com" redirect<br />
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"<br />
local-zone: "settings-win.data.microsoft.com" redirect<br />
local-data: "settings-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-win-ppe.data.microsoft.com" redirect<br />
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"<br />
local-zone: "sn3301-c.1drv.com" redirect<br />
local-data: "sn3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-e.1drv.com" redirect<br />
local-data: "sn3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-g.1drv.com" redirect<br />
local-data: "sn3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "so.2mdn.net" redirect<br />
local-data: "so.2mdn.net A 0.0.0.1"<br />
local-zone: "spynet2.microsoft.com" redirect<br />
local-data: "spynet2.microsoft.com A 0.0.0.1"<br />
local-zone: "spynetalt.microsoft.com" redirect<br />
local-data: "spynetalt.microsoft.com A 0.0.0.1"<br />
local-zone: "spyneteurope.microsoft.akadns.net" redirect<br />
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "sqm.df.telemetry.microsoft.com" redirect<br />
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com" redirect<br />
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "static.2mdn.net" redirect<br />
local-data: "static.2mdn.net A 0.0.0.1"<br />
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect<br />
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"<br />
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect<br />
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "store-images.s-microsoft.com" redirect<br />
local-data: "store-images.s-microsoft.com A 0.0.0.1"<br />
local-zone: "support.microsoft.com" redirect<br />
local-data: "support.microsoft.com A 0.0.0.1"<br />
local-zone: "survey.watson.microsoft.com" redirect<br />
local-data: "survey.watson.microsoft.com A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com" redirect<br />
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "telemetry.appex.bing.net" redirect<br />
local-data: "telemetry.appex.bing.net A 0.0.0.1"<br />
local-zone: "telemetry.microsoft.com" redirect<br />
local-data: "telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telemetry.urs.microsoft.com" redirect<br />
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"<br />
local-zone: "test.activity.windows.com" redirect<br />
local-data: "test.activity.windows.com A 0.0.0.1"<br />
local-zone: "tile-service.weather.microsoft.com" redirect<br />
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "time.windows.com" redirect<br />
local-data: "time.windows.com A 0.0.0.1"<br />
local-zone: "tk2.plt.msn.com" redirect<br />
local-data: "tk2.plt.msn.com A 0.0.0.1"<br />
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect<br />
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "urs.smartscreen.microsoft.com" redirect<br />
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.microsoft.com" redirect<br />
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "version.hybrid.api.here.com" redirect<br />
local-data: "version.hybrid.api.here.com A 0.0.0.1"<br />
local-zone: "view.atdmt.com" redirect<br />
local-data: "view.atdmt.com A 0.0.0.1"<br />
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.glbdns2.microsoft.com" redirect<br />
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.microsoft.com" redirect<br />
local-data: "vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-sandbox.data.microsoft.com" redirect<br />
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-win.data.microsoft.com" redirect<br />
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.microsoft.com" redirect<br />
local-data: "watson.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.ppe.telemetry.microsoft.com" redirect<br />
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com" redirect<br />
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "wdcpalt.microsoft.com" redirect<br />
local-data: "wdcpalt.microsoft.com A 0.0.0.1"<br />
local-zone: "wdcp.microsoft.com" redirect<br />
local-data: "wdcp.microsoft.com A 0.0.0.1"<br />
local-zone: "web.vortex.data.microsoft.com" redirect<br />
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "wes.df.telemetry.microsoft.com" redirect<br />
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "win10.ipv6.microsoft.com" redirect<br />
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "win10-trt.msedge.net" redirect<br />
local-data: "win10-trt.msedge.net A 0.0.0.1"<br />
local-zone: "win1710.ipv6.microsoft.com" redirect<br />
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "wscont.apps.microsoft.com" redirect<br />
local-data: "wscont.apps.microsoft.com A 0.0.0.1"<br />
local-zone: "www.msedge.net" redirect<br />
local-data: "www.msedge.net A 0.0.0.1"<br />
local-zone: "www.msftconnecttest.com" redirect<br />
local-data: "www.msftconnecttest.com A 0.0.0.1"<br />
local-zone: "www.msftncsi.com" redirect<br />
local-data: "www.msftncsi.com A 0.0.0.1"</pre><br />
<br />
== DNSCrypt ==<br />
Configuring DNSCrypt to send it's lookups through the VPN and not directly out your ppp interface is done using a socks proxy.<br />
<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']<br />
proxy = "socks5://127.0.0.1:1080"</pre><br />
<br />
== Dante ==<br />
First install dante, you'll need to pin the testing repository. See: [[Alpine Linux package management#Repository pinning]].<br />
<br />
{{cmd|apk add dante-server@testing}}<br />
<br />
Configure it like so:<br />
<br />
=== /etc/sockd.conf ===<br />
<pre>logoutput: stderr<br />
internal: 127.0.0.1 port = 1080<br />
external: tun0<br />
clientmethod: none<br />
socksmethod: none<br />
user.unprivileged: sockd<br />
<br />
# Allow connections from localhost to any host<br />
client pass {<br />
from: 127.0.0.1/8 to: 0.0.0.0/0<br />
log: error # connect/disconnect<br />
}<br />
<br />
# Generic pass statement - bind/outgoing traffic<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bind connect udpassociate<br />
log: error # connect disconnect iooperation<br />
}<br />
<br />
# Generic pass statement for incoming connections/packets<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bindreply udpreply<br />
log: error # connect disconnect iooperation<br />
}</pre><br />
<br />
Finally the services to the the default run level:<br />
{{cmd|rc-update add sockd default}}<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]<br />
<br />
[[category: VPN]]<br />
[[category: Raspberry]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=16944Linux Router with VPN on a Raspberry Pi2020-02-25T09:52:29Z<p>Dngray: Mention IPoE</p>
<hr />
<div>{{TOC right}}<br />
<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255</pre><br />
<br />
<br />
=== PPP ===<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem.<br />
<br />
If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].<br />
<br />
You will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
<pre># External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
=== IPoE ===<br />
Alternatively it's quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and only runs DHCP on the external interface. It should look something like:<br />
<br />
<pre># External interface to ISP<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet dhcp<br />
<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
<br />
iface eth1 inet6 manual</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Blocking Microsoft Telemetry on the network by domain ==<br />
Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found [https://www.privacytools.io/operating-systems/#win10 here].<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie [https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS/DWSResources.cs#L210 Destroy-Windows-10-Spying], [https://github.com/10se1ucgo/DisableWinTracking/blob/master/dwt.py#L333 DisableWinTracking], [https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1#L19 Debloat-Windows-10] and [https://github.com/pragmatrix/Dominator/blob/master/Dominator.Windows10/Settings/telemetry.txt Dominator.Windows10]. I have prepared the list further down: [[Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf]].<br />
<br />
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/uBlock_Origin uBlock Origin].<br />
<br />
Another way is to disable this stuff with a group policy see [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services Manage connections from Windows operating system components to Microsoft services] only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== /etc/unbound/filter.conf ==<br />
<pre>local-zone: "a-0001.a-msedge.net" redirect<br />
local-data: "a-0001.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0001.dc-msedge.net" redirect<br />
local-data: "a-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "a-0002.a-msedge.net" redirect<br />
local-data: "a-0002.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0003.a-msedge.net" redirect<br />
local-data: "a-0003.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0004.a-msedge.net" redirect<br />
local-data: "a-0004.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0005.a-msedge.net" redirect<br />
local-data: "a-0005.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0006.a-msedge.net" redirect<br />
local-data: "a-0006.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0007.a-msedge.net" redirect<br />
local-data: "a-0007.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0008.a-msedge.net" redirect<br />
local-data: "a-0008.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0009.a-msedge.net" redirect<br />
local-data: "a-0009.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0010.a-msedge.net" redirect<br />
local-data: "a-0010.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0011.a-msedge.net" redirect<br />
local-data: "a-0011.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0012.a-msedge.net" redirect<br />
local-data: "a-0012.a-msedge.net A 0.0.0.1"<br />
local-zone: "a.ads1.msn.com" redirect<br />
local-data: "a.ads1.msn.com A 0.0.0.1"<br />
local-zone: "a.ads2.msads.net" redirect<br />
local-data: "a.ads2.msads.net A 0.0.0.1"<br />
local-zone: "a.ads2.msn.com" redirect<br />
local-data: "a.ads2.msn.com A 0.0.0.1"<br />
local-zone: "ac3.msn.com" redirect<br />
local-data: "ac3.msn.com A 0.0.0.1"<br />
local-zone: "activity.windows.com" redirect<br />
local-data: "activity.windows.com A 0.0.0.1"<br />
local-zone: "adnexus.net" redirect<br />
local-data: "adnexus.net A 0.0.0.1"<br />
local-zone: "adnxs.com" redirect<br />
local-data: "adnxs.com A 0.0.0.1"<br />
local-zone: "ads1.msads.net" redirect<br />
local-data: "ads1.msads.net A 0.0.0.1"<br />
local-zone: "ads1.msn.com" redirect<br />
local-data: "ads1.msn.com A 0.0.0.1"<br />
local-zone: "ads.msn.com" redirect<br />
local-data: "ads.msn.com A 0.0.0.1"<br />
local-zone: "aidps.atdmt.com" redirect<br />
local-data: "aidps.atdmt.com A 0.0.0.1"<br />
local-zone: "aka-cdn-ns.adtech.de" redirect<br />
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"<br />
local-zone: "a-msedge.net" redirect<br />
local-data: "a-msedge.net A 0.0.0.1"<br />
local-zone: "a.rad.msn.com" redirect<br />
local-data: "a.rad.msn.com A 0.0.0.1"<br />
local-zone: "array101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array102-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array102-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array103-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array103-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array104-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array104-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array202-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array202-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array203-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array203-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array204-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array204-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array402-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array402-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array403-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array403-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array404-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array404-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array405-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array405-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array406-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array406-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array407-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array407-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array408-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array408-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "ars.smartscreen.microsoft.com" redirect<br />
local-data: "ars.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "az361816.vo.msecnd.net" redirect<br />
local-data: "az361816.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "az512334.vo.msecnd.net" redirect<br />
local-data: "az512334.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "b.ads1.msn.com" redirect<br />
local-data: "b.ads1.msn.com A 0.0.0.1"<br />
local-zone: "b.ads2.msads.net" redirect<br />
local-data: "b.ads2.msads.net A 0.0.0.1"<br />
local-zone: "bingads.microsoft.com" redirect<br />
local-data: "bingads.microsoft.com A 0.0.0.1"<br />
local-zone: "bl3301-a.1drv.com" redirect<br />
local-data: "bl3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-c.1drv.com" redirect<br />
local-data: "bl3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-g.1drv.com" redirect<br />
local-data: "bl3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "blob.weather.microsoft.com" redirect<br />
local-data: "blob.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "bn1304-e.1drv.com" redirect<br />
local-data: "bn1304-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-a.1drv.com" redirect<br />
local-data: "bn1306-a.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-e.1drv.com" redirect<br />
local-data: "bn1306-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-g.1drv.com" redirect<br />
local-data: "bn1306-g.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor002.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor003.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor003.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor004.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor004.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2wns1.wns.windows.com" redirect<br />
local-data: "bn2wns1.wns.windows.com A 0.0.0.1"<br />
local-zone: "bn3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn3sch020022328.wns.windows.com" redirect<br />
local-data: "bn3sch020022328.wns.windows.com A 0.0.0.1"<br />
local-zone: "b.rad.msn.com" redirect<br />
local-data: "b.rad.msn.com A 0.0.0.1"<br />
local-zone: "bs.serving-sys.com" redirect<br />
local-data: "bs.serving-sys.com A 0.0.0.1"<br />
local-zone: "by3301-a.1drv.com" redirect<br />
local-data: "by3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-c.1drv.com" redirect<br />
local-data: "by3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-e.1drv.com" redirect<br />
local-data: "by3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "c-0001.dc-msedge.net" redirect<br />
local-data: "c-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "cache.datamart.windows.com" redirect<br />
local-data: "cache.datamart.windows.com A 0.0.0.1"<br />
local-zone: "candycrushsoda.king.com" redirect<br />
local-data: "candycrushsoda.king.com A 0.0.0.1"<br />
local-zone: "c.atdmt.com" redirect<br />
local-data: "c.atdmt.com A 0.0.0.1"<br />
local-zone: "ca.telemetry.microsoft.com" redirect<br />
local-data: "ca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "cdn.atdmt.com" redirect<br />
local-data: "cdn.atdmt.com A 0.0.0.1"<br />
local-zone: "cdn.content.prod.cms.msn.com" redirect<br />
local-data: "cdn.content.prod.cms.msn.com A 0.0.0.1"<br />
local-zone: "cdn.onenote.net" redirect<br />
local-data: "cdn.onenote.net A 0.0.0.1"<br />
local-zone: "cds1204.lon.llnw.net" redirect<br />
local-data: "cds1204.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds1293.lon.llnw.net" redirect<br />
local-data: "cds1293.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds20417.lcy.llnw.net" redirect<br />
local-data: "cds20417.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20431.lcy.llnw.net" redirect<br />
local-data: "cds20431.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20450.lcy.llnw.net" redirect<br />
local-data: "cds20450.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20457.lcy.llnw.net" redirect<br />
local-data: "cds20457.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20475.lcy.llnw.net" redirect<br />
local-data: "cds20475.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds21244.lon.llnw.net" redirect<br />
local-data: "cds21244.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds26.ams9.msecn.net" redirect<br />
local-data: "cds26.ams9.msecn.net A 0.0.0.1"<br />
local-zone: "cds425.lcy.llnw.net" redirect<br />
local-data: "cds425.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds459.lcy.llnw.net" redirect<br />
local-data: "cds459.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds494.lcy.llnw.net" redirect<br />
local-data: "cds494.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds965.lon.llnw.net" redirect<br />
local-data: "cds965.lon.llnw.net A 0.0.0.1"<br />
local-zone: "ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-c.1drv.com" redirect<br />
local-data: "ch3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-e.1drv.com" redirect<br />
local-data: "ch3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-g.1drv.com" redirect<br />
local-data: "ch3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-c.1drv.com" redirect<br />
local-data: "ch3302-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-e.1drv.com" redirect<br />
local-data: "ch3302-e.1drv.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com" redirect<br />
local-data: "choice.microsoft.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com.nsatc.net" redirect<br />
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "clientconfig.passport.net" redirect<br />
local-data: "clientconfig.passport.net A 0.0.0.1"<br />
local-zone: "client-s.gateway.messenger.live.com" redirect<br />
local-data: "client-s.gateway.messenger.live.com A 0.0.0.1"<br />
local-zone: "client.wns.windows.com" redirect<br />
local-data: "client.wns.windows.com A 0.0.0.1"<br />
local-zone: "c.msn.com" redirect<br />
local-data: "c.msn.com A 0.0.0.1"<br />
local-zone: "compatexchange1.trafficmanager.net" redirect<br />
local-data: "compatexchange1.trafficmanager.net A 0.0.0.1"<br />
local-zone: "compatexchange.cloudapp.net" redirect<br />
local-data: "compatexchange.cloudapp.net A 0.0.0.1"<br />
local-zone: "continuum.dds.microsoft.com" redirect<br />
local-data: "continuum.dds.microsoft.com A 0.0.0.1"<br />
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect<br />
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "corp.sts.microsoft.com" redirect<br />
local-data: "corp.sts.microsoft.com A 0.0.0.1"<br />
local-zone: "cp101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cs1.wpc.v0cdn.net" redirect<br />
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"<br />
local-zone: "db3aqu.atdmt.com" redirect<br />
local-data: "db3aqu.atdmt.com A 0.0.0.1"<br />
local-zone: "db3wns2011111.wns.windows.com" redirect<br />
local-data: "db3wns2011111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100122.wns.windows.com" redirect<br />
local-data: "db5sch101100122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100127.wns.windows.com" redirect<br />
local-data: "db5sch101100127.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100831.wns.windows.com" redirect<br />
local-data: "db5sch101100831.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100835.wns.windows.com" redirect<br />
local-data: "db5sch101100835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100917.wns.windows.com" redirect<br />
local-data: "db5sch101100917.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100925.wns.windows.com" redirect<br />
local-data: "db5sch101100925.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100928.wns.windows.com" redirect<br />
local-data: "db5sch101100928.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100938.wns.windows.com" redirect<br />
local-data: "db5sch101100938.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101001.wns.windows.com" redirect<br />
local-data: "db5sch101101001.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101022.wns.windows.com" redirect<br />
local-data: "db5sch101101022.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101024.wns.windows.com" redirect<br />
local-data: "db5sch101101024.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101031.wns.windows.com" redirect<br />
local-data: "db5sch101101031.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101034.wns.windows.com" redirect<br />
local-data: "db5sch101101034.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101042.wns.windows.com" redirect<br />
local-data: "db5sch101101042.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101044.wns.windows.com" redirect<br />
local-data: "db5sch101101044.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101122.wns.windows.com" redirect<br />
local-data: "db5sch101101122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101123.wns.windows.com" redirect<br />
local-data: "db5sch101101123.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101125.wns.windows.com" redirect<br />
local-data: "db5sch101101125.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101128.wns.windows.com" redirect<br />
local-data: "db5sch101101128.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101129.wns.windows.com" redirect<br />
local-data: "db5sch101101129.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101133.wns.windows.com" redirect<br />
local-data: "db5sch101101133.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101145.wns.windows.com" redirect<br />
local-data: "db5sch101101145.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101209.wns.windows.com" redirect<br />
local-data: "db5sch101101209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101221.wns.windows.com" redirect<br />
local-data: "db5sch101101221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101228.wns.windows.com" redirect<br />
local-data: "db5sch101101228.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101231.wns.windows.com" redirect<br />
local-data: "db5sch101101231.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101237.wns.windows.com" redirect<br />
local-data: "db5sch101101237.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101317.wns.windows.com" redirect<br />
local-data: "db5sch101101317.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101324.wns.windows.com" redirect<br />
local-data: "db5sch101101324.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101329.wns.windows.com" redirect<br />
local-data: "db5sch101101329.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101333.wns.windows.com" redirect<br />
local-data: "db5sch101101333.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101334.wns.windows.com" redirect<br />
local-data: "db5sch101101334.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101338.wns.windows.com" redirect<br />
local-data: "db5sch101101338.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101419.wns.windows.com" redirect<br />
local-data: "db5sch101101419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101424.wns.windows.com" redirect<br />
local-data: "db5sch101101424.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101426.wns.windows.com" redirect<br />
local-data: "db5sch101101426.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101427.wns.windows.com" redirect<br />
local-data: "db5sch101101427.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101430.wns.windows.com" redirect<br />
local-data: "db5sch101101430.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101445.wns.windows.com" redirect<br />
local-data: "db5sch101101445.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101511.wns.windows.com" redirect<br />
local-data: "db5sch101101511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101519.wns.windows.com" redirect<br />
local-data: "db5sch101101519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101529.wns.windows.com" redirect<br />
local-data: "db5sch101101529.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101535.wns.windows.com" redirect<br />
local-data: "db5sch101101535.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101541.wns.windows.com" redirect<br />
local-data: "db5sch101101541.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101543.wns.windows.com" redirect<br />
local-data: "db5sch101101543.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101608.wns.windows.com" redirect<br />
local-data: "db5sch101101608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101618.wns.windows.com" redirect<br />
local-data: "db5sch101101618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101629.wns.windows.com" redirect<br />
local-data: "db5sch101101629.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101631.wns.windows.com" redirect<br />
local-data: "db5sch101101631.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101633.wns.windows.com" redirect<br />
local-data: "db5sch101101633.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101640.wns.windows.com" redirect<br />
local-data: "db5sch101101640.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101711.wns.windows.com" redirect<br />
local-data: "db5sch101101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101722.wns.windows.com" redirect<br />
local-data: "db5sch101101722.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101739.wns.windows.com" redirect<br />
local-data: "db5sch101101739.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101745.wns.windows.com" redirect<br />
local-data: "db5sch101101745.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101813.wns.windows.com" redirect<br />
local-data: "db5sch101101813.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101820.wns.windows.com" redirect<br />
local-data: "db5sch101101820.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101826.wns.windows.com" redirect<br />
local-data: "db5sch101101826.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101835.wns.windows.com" redirect<br />
local-data: "db5sch101101835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101837.wns.windows.com" redirect<br />
local-data: "db5sch101101837.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101844.wns.windows.com" redirect<br />
local-data: "db5sch101101844.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101907.wns.windows.com" redirect<br />
local-data: "db5sch101101907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101914.wns.windows.com" redirect<br />
local-data: "db5sch101101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101929.wns.windows.com" redirect<br />
local-data: "db5sch101101929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101939.wns.windows.com" redirect<br />
local-data: "db5sch101101939.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101941.wns.windows.com" redirect<br />
local-data: "db5sch101101941.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102015.wns.windows.com" redirect<br />
local-data: "db5sch101102015.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102017.wns.windows.com" redirect<br />
local-data: "db5sch101102017.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102019.wns.windows.com" redirect<br />
local-data: "db5sch101102019.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102023.wns.windows.com" redirect<br />
local-data: "db5sch101102023.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102025.wns.windows.com" redirect<br />
local-data: "db5sch101102025.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102032.wns.windows.com" redirect<br />
local-data: "db5sch101102032.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102033.wns.windows.com" redirect<br />
local-data: "db5sch101102033.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110108.wns.windows.com" redirect<br />
local-data: "db5sch101110108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110109.wns.windows.com" redirect<br />
local-data: "db5sch101110109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110114.wns.windows.com" redirect<br />
local-data: "db5sch101110114.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110135.wns.windows.com" redirect<br />
local-data: "db5sch101110135.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110142.wns.windows.com" redirect<br />
local-data: "db5sch101110142.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110204.wns.windows.com" redirect<br />
local-data: "db5sch101110204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110206.wns.windows.com" redirect<br />
local-data: "db5sch101110206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110214.wns.windows.com" redirect<br />
local-data: "db5sch101110214.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110225.wns.windows.com" redirect<br />
local-data: "db5sch101110225.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110232.wns.windows.com" redirect<br />
local-data: "db5sch101110232.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110245.wns.windows.com" redirect<br />
local-data: "db5sch101110245.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110315.wns.windows.com" redirect<br />
local-data: "db5sch101110315.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110323.wns.windows.com" redirect<br />
local-data: "db5sch101110323.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110325.wns.windows.com" redirect<br />
local-data: "db5sch101110325.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110328.wns.windows.com" redirect<br />
local-data: "db5sch101110328.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110331.wns.windows.com" redirect<br />
local-data: "db5sch101110331.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110341.wns.windows.com" redirect<br />
local-data: "db5sch101110341.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110343.wns.windows.com" redirect<br />
local-data: "db5sch101110343.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110345.wns.windows.com" redirect<br />
local-data: "db5sch101110345.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110403.wns.windows.com" redirect<br />
local-data: "db5sch101110403.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110419.wns.windows.com" redirect<br />
local-data: "db5sch101110419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110438.wns.windows.com" redirect<br />
local-data: "db5sch101110438.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110442.wns.windows.com" redirect<br />
local-data: "db5sch101110442.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110501.wns.windows.com" redirect<br />
local-data: "db5sch101110501.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110527.wns.windows.com" redirect<br />
local-data: "db5sch101110527.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110533.wns.windows.com" redirect<br />
local-data: "db5sch101110533.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110618.wns.windows.com" redirect<br />
local-data: "db5sch101110618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110622.wns.windows.com" redirect<br />
local-data: "db5sch101110622.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110624.wns.windows.com" redirect<br />
local-data: "db5sch101110624.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110626.wns.windows.com" redirect<br />
local-data: "db5sch101110626.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110634.wns.windows.com" redirect<br />
local-data: "db5sch101110634.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110705.wns.windows.com" redirect<br />
local-data: "db5sch101110705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110724.wns.windows.com" redirect<br />
local-data: "db5sch101110724.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110740.wns.windows.com" redirect<br />
local-data: "db5sch101110740.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110810.wns.windows.com" redirect<br />
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110816.wns.windows.com" redirect<br />
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110821.wns.windows.com" redirect<br />
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110822.wns.windows.com" redirect<br />
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110825.wns.windows.com" redirect<br />
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110828.wns.windows.com" redirect<br />
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110835.wns.windows.com" redirect<br />
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110919.wns.windows.com" redirect<br />
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110921.wns.windows.com" redirect<br />
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110923.wns.windows.com" redirect<br />
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110929.wns.windows.com" redirect<br />
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103081814.wns.windows.com" redirect<br />
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082011.wns.windows.com" redirect<br />
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082111.wns.windows.com" redirect<br />
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082308.wns.windows.com" redirect<br />
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082406.wns.windows.com" redirect<br />
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082409.wns.windows.com" redirect<br />
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082609.wns.windows.com" redirect<br />
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082611.wns.windows.com" redirect<br />
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082709.wns.windows.com" redirect<br />
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082712.wns.windows.com" redirect<br />
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082806.wns.windows.com" redirect<br />
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090115.wns.windows.com" redirect<br />
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090415.wns.windows.com" redirect<br />
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090513.wns.windows.com" redirect<br />
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090515.wns.windows.com" redirect<br />
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090608.wns.windows.com" redirect<br />
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090806.wns.windows.com" redirect<br />
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090814.wns.windows.com" redirect<br />
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090906.wns.windows.com" redirect<br />
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091011.wns.windows.com" redirect<br />
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091012.wns.windows.com" redirect<br />
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091106.wns.windows.com" redirect<br />
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091108.wns.windows.com" redirect<br />
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091212.wns.windows.com" redirect<br />
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091311.wns.windows.com" redirect<br />
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091414.wns.windows.com" redirect<br />
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091511.wns.windows.com" redirect<br />
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091617.wns.windows.com" redirect<br />
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091715.wns.windows.com" redirect<br />
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091817.wns.windows.com" redirect<br />
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091908.wns.windows.com" redirect<br />
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091911.wns.windows.com" redirect<br />
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092010.wns.windows.com" redirect<br />
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092108.wns.windows.com" redirect<br />
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092109.wns.windows.com" redirect<br />
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092209.wns.windows.com" redirect<br />
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092210.wns.windows.com" redirect<br />
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092509.wns.windows.com" redirect<br />
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100117.wns.windows.com" redirect<br />
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100121.wns.windows.com" redirect<br />
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100221.wns.windows.com" redirect<br />
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100313.wns.windows.com" redirect<br />
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100314.wns.windows.com" redirect<br />
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100510.wns.windows.com" redirect<br />
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100511.wns.windows.com" redirect<br />
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100611.wns.windows.com" redirect<br />
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100712.wns.windows.com" redirect<br />
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101105.wns.windows.com" redirect<br />
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101208.wns.windows.com" redirect<br />
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101212.wns.windows.com" redirect<br />
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101314.wns.windows.com" redirect<br />
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101411.wns.windows.com" redirect<br />
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101413.wns.windows.com" redirect<br />
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101513.wns.windows.com" redirect<br />
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101610.wns.windows.com" redirect<br />
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101611.wns.windows.com" redirect<br />
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101705.wns.windows.com" redirect<br />
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101711.wns.windows.com" redirect<br />
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101909.wns.windows.com" redirect<br />
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101914.wns.windows.com" redirect<br />
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102009.wns.windows.com" redirect<br />
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102112.wns.windows.com" redirect<br />
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102203.wns.windows.com" redirect<br />
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102209.wns.windows.com" redirect<br />
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102310.wns.windows.com" redirect<br />
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102404.wns.windows.com" redirect<br />
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102609.wns.windows.com" redirect<br />
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102610.wns.windows.com" redirect<br />
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102805.wns.windows.com" redirect<br />
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5wns1d.wns.windows.com" redirect<br />
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5.wns.windows.com" redirect<br />
local-data: "db5.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090104.wns.windows.com" redirect<br />
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090112.wns.windows.com" redirect<br />
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090116.wns.windows.com" redirect<br />
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090122.wns.windows.com" redirect<br />
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090203.wns.windows.com" redirect<br />
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090206.wns.windows.com" redirect<br />
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090208.wns.windows.com" redirect<br />
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090209.wns.windows.com" redirect<br />
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090211.wns.windows.com" redirect<br />
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090305.wns.windows.com" redirect<br />
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090306.wns.windows.com" redirect<br />
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090308.wns.windows.com" redirect<br />
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090311.wns.windows.com" redirect<br />
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090313.wns.windows.com" redirect<br />
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090410.wns.windows.com" redirect<br />
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090412.wns.windows.com" redirect<br />
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090504.wns.windows.com" redirect<br />
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090510.wns.windows.com" redirect<br />
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090512.wns.windows.com" redirect<br />
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090513.wns.windows.com" redirect<br />
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090514.wns.windows.com" redirect<br />
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090519.wns.windows.com" redirect<br />
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090613.wns.windows.com" redirect<br />
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090619.wns.windows.com" redirect<br />
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090810.wns.windows.com" redirect<br />
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090811.wns.windows.com" redirect<br />
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090902.wns.windows.com" redirect<br />
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090905.wns.windows.com" redirect<br />
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090907.wns.windows.com" redirect<br />
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090908.wns.windows.com" redirect<br />
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090910.wns.windows.com" redirect<br />
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090911.wns.windows.com" redirect<br />
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091003.wns.windows.com" redirect<br />
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091007.wns.windows.com" redirect<br />
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091008.wns.windows.com" redirect<br />
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091009.wns.windows.com" redirect<br />
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091011.wns.windows.com" redirect<br />
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091103.wns.windows.com" redirect<br />
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091105.wns.windows.com" redirect<br />
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091204.wns.windows.com" redirect<br />
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091209.wns.windows.com" redirect<br />
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091305.wns.windows.com" redirect<br />
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091307.wns.windows.com" redirect<br />
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091308.wns.windows.com" redirect<br />
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091309.wns.windows.com" redirect<br />
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091314.wns.windows.com" redirect<br />
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091412.wns.windows.com" redirect<br />
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091503.wns.windows.com" redirect<br />
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091507.wns.windows.com" redirect<br />
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091602.wns.windows.com" redirect<br />
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091603.wns.windows.com" redirect<br />
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091606.wns.windows.com" redirect<br />
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091607.wns.windows.com" redirect<br />
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"<br />
local-zone: "deploy.static.akamaitechnologies.com" redirect<br />
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"<br />
local-zone: "device.auth.xboxlive.com" redirect<br />
local-data: "device.auth.xboxlive.com A 0.0.0.1"<br />
local-zone: "dev.virtualearth.net" redirect<br />
local-data: "dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "df.telemetry.microsoft.com" redirect<br />
local-data: "df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "diagnostics.support.microsoft.com" redirect<br />
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"<br />
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "dmd.metaservices.microsoft.com" redirect<br />
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "dns.msftncsi.com" redirect<br />
local-data: "dns.msftncsi.com A 0.0.0.1"<br />
local-zone: "ec.atdmt.com" redirect<br />
local-data: "ec.atdmt.com A 0.0.0.1"<br />
local-zone: "ecn.dev.virtualearth.net" redirect<br />
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "eu.vortex.data.microsoft.com" redirect<br />
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.microsoft-hohm.com" redirect<br />
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"<br />
local-zone: "feedback.search.microsoft.com" redirect<br />
local-data: "feedback.search.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.windows.com" redirect<br />
local-data: "feedback.windows.com A 0.0.0.1"<br />
local-zone: "flex.msn.com" redirect<br />
local-data: "flex.msn.com A 0.0.0.1"<br />
local-zone: "fs.microsoft.com" redirect<br />
local-data: "fs.microsoft.com A 0.0.0.1"<br />
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "g.msn.com" redirect<br />
local-data: "g.msn.com A 0.0.0.1"<br />
local-zone: "h1.msn.com" redirect<br />
local-data: "h1.msn.com A 0.0.0.1"<br />
local-zone: "h2.msn.com" redirect<br />
local-data: "h2.msn.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com" redirect<br />
local-data: "i1.services.social.microsoft.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect<br />
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "img-s-msn-com.akamaized.net" redirect<br />
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"<br />
local-zone: "inference.location.live.net" redirect<br />
local-data: "inference.location.live.net A 0.0.0.1"<br />
local-zone: "insiderppe.cloudapp.net" redirect<br />
local-data: "insiderppe.cloudapp.net A 0.0.0.1"<br />
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "lb1.www.ms.akadns.net" redirect<br />
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"<br />
local-zone: "licensing.mp.microsoft.com" redirect<br />
local-data: "licensing.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "live.rads.msn.com" redirect<br />
local-data: "live.rads.msn.com A 0.0.0.1"<br />
local-zone: "ls2web.redmond.corp.microsoft.com" redirect<br />
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"<br />
local-zone: "m.adnxs.com" redirect<br />
local-data: "m.adnxs.com A 0.0.0.1"<br />
local-zone: "mediaredirect.microsoft.com" redirect<br />
local-data: "mediaredirect.microsoft.com A 0.0.0.1"<br />
local-zone: "mobile.pipe.aria.microsoft.com" redirect<br />
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"<br />
local-zone: "msedge.net" redirect<br />
local-data: "msedge.net A 0.0.0.1"<br />
local-zone: "msftncsi.com" redirect<br />
local-data: "msftncsi.com A 0.0.0.1"<br />
local-zone: "msntest.serving-sys.com" redirect<br />
local-data: "msntest.serving-sys.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com" redirect<br />
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "officeclient.microsoft.com" redirect<br />
local-data: "officeclient.microsoft.com A 0.0.0.1"<br />
local-zone: "oneclient.sfx.ms" redirect<br />
local-data: "oneclient.sfx.ms A 0.0.0.1"<br />
local-zone: "pre.footprintpredict.com" redirect<br />
local-data: "pre.footprintpredict.com A 0.0.0.1"<br />
local-zone: "preview.msn.com" redirect<br />
local-data: "preview.msn.com A 0.0.0.1"<br />
local-zone: "pti.store.microsoft.com" redirect<br />
local-data: "pti.store.microsoft.com A 0.0.0.1"<br />
local-zone: "query.prod.cms.rt.microsoft.com" redirect<br />
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"<br />
local-zone: "rad.msn.com" redirect<br />
local-data: "rad.msn.com A 0.0.0.1"<br />
local-zone: "redir.metaservices.microsoft.com" redirect<br />
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "register.cdpcs.microsoft.com" redirect<br />
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"<br />
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "s0.2mdn.net" redirect<br />
local-data: "s0.2mdn.net A 0.0.0.1"<br />
local-zone: "schemas.microsoft.akadns.net" redirect<br />
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "search.msn.com" redirect<br />
local-data: "search.msn.com A 0.0.0.1"<br />
local-zone: "secure.adnxs.com" redirect<br />
local-data: "secure.adnxs.com A 0.0.0.1"<br />
local-zone: "secure.flashtalking.com" redirect<br />
local-data: "secure.flashtalking.com A 0.0.0.1"<br />
local-zone: "services.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.glbdns2.microsoft.com" redirect<br />
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.microsoft.com" redirect<br />
local-data: "settings.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-sandbox.data.microsoft.com" redirect<br />
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-ssl.xboxlive.com" redirect<br />
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"<br />
local-zone: "settings-win.data.microsoft.com" redirect<br />
local-data: "settings-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-win-ppe.data.microsoft.com" redirect<br />
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"<br />
local-zone: "sn3301-c.1drv.com" redirect<br />
local-data: "sn3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-e.1drv.com" redirect<br />
local-data: "sn3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-g.1drv.com" redirect<br />
local-data: "sn3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "so.2mdn.net" redirect<br />
local-data: "so.2mdn.net A 0.0.0.1"<br />
local-zone: "spynet2.microsoft.com" redirect<br />
local-data: "spynet2.microsoft.com A 0.0.0.1"<br />
local-zone: "spynetalt.microsoft.com" redirect<br />
local-data: "spynetalt.microsoft.com A 0.0.0.1"<br />
local-zone: "spyneteurope.microsoft.akadns.net" redirect<br />
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "sqm.df.telemetry.microsoft.com" redirect<br />
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com" redirect<br />
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "static.2mdn.net" redirect<br />
local-data: "static.2mdn.net A 0.0.0.1"<br />
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect<br />
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"<br />
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect<br />
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "store-images.s-microsoft.com" redirect<br />
local-data: "store-images.s-microsoft.com A 0.0.0.1"<br />
local-zone: "support.microsoft.com" redirect<br />
local-data: "support.microsoft.com A 0.0.0.1"<br />
local-zone: "survey.watson.microsoft.com" redirect<br />
local-data: "survey.watson.microsoft.com A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com" redirect<br />
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "telemetry.appex.bing.net" redirect<br />
local-data: "telemetry.appex.bing.net A 0.0.0.1"<br />
local-zone: "telemetry.microsoft.com" redirect<br />
local-data: "telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telemetry.urs.microsoft.com" redirect<br />
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"<br />
local-zone: "test.activity.windows.com" redirect<br />
local-data: "test.activity.windows.com A 0.0.0.1"<br />
local-zone: "tile-service.weather.microsoft.com" redirect<br />
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "time.windows.com" redirect<br />
local-data: "time.windows.com A 0.0.0.1"<br />
local-zone: "tk2.plt.msn.com" redirect<br />
local-data: "tk2.plt.msn.com A 0.0.0.1"<br />
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect<br />
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "urs.smartscreen.microsoft.com" redirect<br />
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.microsoft.com" redirect<br />
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "version.hybrid.api.here.com" redirect<br />
local-data: "version.hybrid.api.here.com A 0.0.0.1"<br />
local-zone: "view.atdmt.com" redirect<br />
local-data: "view.atdmt.com A 0.0.0.1"<br />
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.glbdns2.microsoft.com" redirect<br />
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.microsoft.com" redirect<br />
local-data: "vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-sandbox.data.microsoft.com" redirect<br />
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-win.data.microsoft.com" redirect<br />
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.microsoft.com" redirect<br />
local-data: "watson.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.ppe.telemetry.microsoft.com" redirect<br />
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com" redirect<br />
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "wdcpalt.microsoft.com" redirect<br />
local-data: "wdcpalt.microsoft.com A 0.0.0.1"<br />
local-zone: "wdcp.microsoft.com" redirect<br />
local-data: "wdcp.microsoft.com A 0.0.0.1"<br />
local-zone: "web.vortex.data.microsoft.com" redirect<br />
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "wes.df.telemetry.microsoft.com" redirect<br />
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "win10.ipv6.microsoft.com" redirect<br />
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "win10-trt.msedge.net" redirect<br />
local-data: "win10-trt.msedge.net A 0.0.0.1"<br />
local-zone: "win1710.ipv6.microsoft.com" redirect<br />
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "wscont.apps.microsoft.com" redirect<br />
local-data: "wscont.apps.microsoft.com A 0.0.0.1"<br />
local-zone: "www.msedge.net" redirect<br />
local-data: "www.msedge.net A 0.0.0.1"<br />
local-zone: "www.msftconnecttest.com" redirect<br />
local-data: "www.msftconnecttest.com A 0.0.0.1"<br />
local-zone: "www.msftncsi.com" redirect<br />
local-data: "www.msftncsi.com A 0.0.0.1"</pre><br />
<br />
== DNSCrypt ==<br />
Configuring DNSCrypt to send it's lookups through the VPN and not directly out your ppp interface is done using a socks proxy.<br />
<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']<br />
proxy = "socks5://127.0.0.1:1080"</pre><br />
<br />
== Dante ==<br />
First install dante, you'll need to pin the testing repository. See: [[Alpine Linux package management#Repository pinning]].<br />
<br />
{{cmd|apk add dante-server@testing}}<br />
<br />
Configure it like so:<br />
<br />
=== /etc/sockd.conf ===<br />
<pre>logoutput: stderr<br />
internal: 127.0.0.1 port = 1080<br />
external: tun0<br />
clientmethod: none<br />
socksmethod: none<br />
user.unprivileged: sockd<br />
<br />
# Allow connections from localhost to any host<br />
client pass {<br />
from: 127.0.0.1/8 to: 0.0.0.0/0<br />
log: error # connect/disconnect<br />
}<br />
<br />
# Generic pass statement - bind/outgoing traffic<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bind connect udpassociate<br />
log: error # connect disconnect iooperation<br />
}<br />
<br />
# Generic pass statement for incoming connections/packets<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bindreply udpreply<br />
log: error # connect disconnect iooperation<br />
}</pre><br />
<br />
Finally the services to the the default run level:<br />
{{cmd|rc-update add sockd default}}<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]<br />
<br />
[[category: VPN]]<br />
[[category: Raspberry]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi_(IPv6)&diff=16943Linux Router with VPN on a Raspberry Pi (IPv6)2020-02-25T09:44:12Z<p>Dngray: Missing space</p>
<hr />
<div>{{TOC right}}<br />
<br />
I have split this off the main article [[Linux Router with VPN on a Raspberry Pi]] IPv6 implementation requires a few changes to the initial article to work. I haven't duplicated everything here however, just the stuff that relates to IPv6.<br />
<br />
= Introduction =<br />
IPv6 introduces a number of new complexities into our network. If you've completed previous IPv4 only guide [[Linux Router with VPN on a Raspberry Pi]] then read on.<br />
<br />
Your VPN provider may only offers you a single stack connection (no IPv6). You won't be able to implement IPv6 addressing on VLAN 3 to carry your IPv6 traffic out of the VPN. If your ISP gives you IPv6 addressing you may still implement addressing on VLAN2 to carry traffic directly to your ISP. In this example I do both.<br />
<br />
If you don't know much about IPv6 then these pages might be of interest to get you up to speed.<br />
<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO Linux IPv6 HOWTO (en)] - in particular the "basics" and "address types".<br />
* [https://en.wikipedia.org/wiki/IPv6 IPv6]<br />
* [https://en.wikipedia.org/wiki/IPv6_address IPv6 Address]<br />
* [https://en.wikipedia.org/wiki/Prefix_delegation Prefix delegation] we use this with dhcpcd when doing DHCPv6-PD to inform our ISP of our network devices.<br />
* [https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol Neighbor Discovery Protocol] we use this with radvd to distribute our routes.<br />
* [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_version_6 Internet Control Message Protocol version 6] ICMPv6 differs from ICMPv4 and is used for many critical parts of IPv6 infrastructure.<br />
* [http://ipv6-test.com IPv6-test.com] Useful for diagnosing if IPv6 is working.<br />
<br />
<br />
[[File:Network_Diagram_ipv4_ipv6_with_vlans.svg|900px|center|Network Diagram IPv4 and IPv6]]<br />
<br />
= Enabling IPv6 support =<br />
<br />
Assuming you're using the Alpine Linux kernel, IPv6 support is available separately as a module.<br />
<br />
{{cmd|modprobe ipv6}}<br />
To add the module to our startup configuration.<br />
{{cmd|echo "ipv6" >> /etc/modules}}<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
Modify the sysctl section to include IPv6 support:<br />
<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# http://vk5tu.livejournal.com/37206.html<br />
# What's this special value "2"? Originally the value was "1", but this <br />
# disabled autoconfiguration on all interfaces. That is, you couldn't appear <br />
# to be a router on some interfaces and appear to be a host on other <br />
# interfaces. But that's exactly the mental model of a ADSL router. <br />
<br />
# Controls IP packet forwarding<br />
net.ipv6.conf.all.forwarding = 2<br />
net.ipv6.conf.default.forwarding = 2<br />
<br />
# Accept Router Advertisments<br />
net.ipv6.conf.all.accept_ra = 2<br />
net.ipv6.conf.default.accept_ra = 2<br />
<br />
# We are a router so disable temporary addresses<br />
net.ipv6.conf.all.use_tempaddr = 0<br />
net.ipv6.conf.default.use_tempaddr = 0</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add an IPv6 interface for each VLAN. Note we don't need to add one for VLAN2 because dhcpcd will take care of that for us using our ISPs router advertisements. Also note the . (dot notation) represents a VLAN interface where as : (colon notation) used in the previous article represented an IP address aliased on an interface. <br />
<br />
The reason we need VLANs here is because each VLAN has it's own broadcast and we don't want our router advertisements to be putting routes and addresses on all the interfaces. It also helps us with a more secure design, but requires a managed switch.<br />
<br />
<pre># VLAN 2 - DESTINED FOR ISP<br />
auto eth0.2<br />
iface eth0.2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules<br />
<br />
# VLAN 3 - DESTINED FOR VPN<br />
auto eth0.3<br />
iface eth0.3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
<br />
iface eth0.3 inet6 static<br />
address fde4:8dba:82e1:fff3::1<br />
netmask 64<br />
autoconf 0<br />
accept_ra 0<br />
privext 0<br />
<br />
# VLAN 4 - LAN ONLY<br />
auto eth0.4<br />
iface eth0.4 inet static<br />
address 192.168.4.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.4.255<br />
post-up /etc/network/route_LAN<br />
<br />
iface eth0.4 inet6 static<br />
address fde4:8dba:82e1:fff4::1<br />
netmask 64<br />
autoconf 0<br />
accept_ra 0<br />
privext 0</pre><br />
<br />
= Configuring PPP =<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem. <br />
<br />
See [[PPP]], you will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
== Check system log ==<br />
Restart ppp.<br />
<br />
{{cmd|poff yourISP}}<br />
{{cmd|pon yourISP}}<br />
<br />
In /var/log/messages you should see something like<br />
<br />
<pre>pppd[]: Plugin rp-pppoe.so loaded.<br />
pppd[]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7<br />
pppd[]: pppd 2.4.7 started by root, uid 0<br />
pppd[]: PPP session is 49969<br />
pppd[]: Connected to 00:53:00:ff:ff:f0 via interface eth1<br />
pppd[]: Using interface ppp0<br />
pppd[]: Connect: ppp0 <--> eth1<br />
pppd[]: CHAP authentication succeeded<br />
pppd[]: CHAP authentication succeeded<br />
pppd[]: peer from calling number 00:53:00:FF:FF:F0 authorized<br />
pppd[]: local LL address fe80::0db8:ffff:ffff:fff1<br />
pppd[]: remote LL address fe80::0db8:ffff:ffff:fff0<br />
pppd[]: local IP address 192.0.2.1<br />
pppd[]: remote IP address 192.0.2.0<br />
pppd[]: primary DNS address 192.0.2.10<br />
pppd[]: secondary DNS address 192.0.2.20</pre><br />
<br />
You should be able to now ping things such as<br />
<br />
{{cmd|ping6 ipv6.google.com}}<br />
<br />
from your router.<br />
<br />
= Prefix Delegation =<br />
<br />
The next step will be to configure DHCPv6 Prefix Delegation with your ISP. Install dhcpcd. While many guides do use the wide-dhcpv6-client [http://bugs.alpinelinux.org/issues/564 it should be noted this is unmaintained] and not included in Alpine Linux.<br />
<br />
Don't use the ISC's dhclient either as [https://bugs.gentoo.org/show_bug.cgi?id=432652 this does not support Prefix Delegations on PPP links] without a patch.<br />
<br />
{{cmd|apk add dhcpcd}}<br />
<br />
You can check out the manual for [http://roy.marples.name/man/html5/dhcpcd.conf.html dhcpcd.conf]. Installing dhcpcd-doc will allow you to read the man file. Eg:<br />
<br />
{{cmd|apk add dhcpcd-doc}}<br />
<br />
=== /etc/dhcpcd.conf ===<br />
<br />
{{cmd|apk add dhcpcd}}<br />
<br />
If the main repositories have dhcpcd below version 7.0.7 (at time of writing AlpineLinux 3.8 and below) you will need to use the latest version from edge as it fixes a bug with unique link local addresses on our VLANs [https://roy.marples.name/blog/dhcpcd-7-0-7-released dhcpcd ChangeLog] this [https://patchwork.alpinelinux.org/patch/4016/ patch] already applied in v7.0.7<br />
<br />
{{cmd|apk add dhcpcd@edge}}<br />
<br />
If you haven't you may need to add the edge repository for pinning [[Alpine Linux package management#Repository_pinning]]<br />
<br />
<pre># Enable extra debugging<br />
#debug<br />
#logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
#clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# IPv6 Only<br />
ipv6only<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
# Use the interface connected to WAN<br />
interface ppp0<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64</pre><br />
<br />
Add dhcpcd to the default run level:<br />
<br />
{{cmd|rc-update add dhcpcd default}}<br />
<br />
= Configuring firewall for IPv4 and IPv6 traffic =<br />
<br />
== iptables ==<br />
Here are some rules for iptables that I am currently using, yours may look something similar.<br />
<br />
<pre>#########################################################################<br />
# Uses 192.168.1.0 VLAN1 Management Untagged - no route<br />
# 192.168.2.0 VLAN2 - route to ISP<br />
# 192.168.3.0 VLAN3 - route to VPN<br />
# 192.168.4.0 VLAN4 - no route<br />
# <br />
# Packets to/from 192.168.1.0/24 not in any VLAN ie tagged<br />
# Packets to/from 192.168.2.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.3.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.4.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
# These destinations will always be marked with 0x1 from VLAN3:<br />
#<br />
# <ip_of_exception> some exception<br />
#########################################################################<br />
<br />
# <br />
# Raw Table<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_DROP_MSFT - [0:0]<br />
<br />
# Create output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN's DNS server<br />
-A PREROUTING -s 172.16.32.1/32 -i tun0 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Block MSFT known tracking IPs from https://github.com/Nummer/Destroy-Windows-10-Spying<br />
-A PREROUTING -i ppp0 -m set --match-set dropped-msft-ip-ipv4 src -j LOG_DROP_MSFT<br />
-A PREROUTING -i tun0 -m set --match-set dropped-msft-ip-ipv4 src -j LOG_DROP_MSFT<br />
<br />
# Allows my excepted ranges<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Allows traffic originating from router to remote address on VPN<br />
-A OUT_TUN0 -d 172.16.32.1 -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT (ipv4) : " --log-level 6<br />
-A LOG_DROP_MSFT -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Block packets originating from the router destined to msft ranges<br />
-A OUT_PPP0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Blocks packets originating from the router destined to msft ranges<br />
-A OUT_TUN0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent through VPN<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 20001 -j DNAT --to-destination 192.168.3.30<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 20001 -j DNAT --to-destination 192.168.3.30<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows routing to Printer<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
:FWD_V1_MGMT - [0:0]<br />
:FWD_V2_ISP - [0:0]<br />
:FWD_V3_VPN - [0:0]<br />
:FWD_V4_LANONLY - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
:IN_V1_MGMT - [0:0]<br />
:IN_V2_ISP - [0:0]<br />
:IN_V3_VPN - [0:0]<br />
:IN_V4_LANONLY - [0:0]<br />
<br />
# Create a drop/reject chains<br />
:LOG_DROP - [0:0]<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_DROP_MSFT - [0:0]<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_V1_MGMT<br />
-A INPUT -i eth0.2 -j IN_V2_ISP<br />
-A INPUT -i eth0.3 -j IN_V3_VPN<br />
-A INPUT -i eth0.4 -j IN_V4_LANONLY<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_V1_MGMT<br />
-A FORWARD -i eth0.2 -j FWD_V2_ISP<br />
-A FORWARD -i eth0.3 -j FWD_V3_VPN<br />
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.3.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port<br />
-A FWD_TUN0 -d 192.168.3.30/32 -p tcp -m tcp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.3.30/32 -p udp -m udp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward established packets to hosts in VLAN2/3 from Printer<br />
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Refuse to forward bogons from VLAN1 (Untagged Management)<br />
-A FWD_V1_MGMT -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Refuse to forward msft from VLAN1 (Untagged Management)<br />
-A FWD_V1_MGMT -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Forward traffic from VLAN2 to Modem<br />
-A FWD_V2_ISP -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Forward traffic from VLAN2 to Printer<br />
-A FWD_V2_ISP -d 192.168.4.9/32 -j ACCEPT<br />
<br />
# Drop bogons from VLAN2<br />
-A FWD_V2_ISP -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Drop msft from VLAN2<br />
-A FWD_V2_ISP -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Allow rest from VLAN2<br />
-A FWD_V2_ISP -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Forward traffic from VLAN3 to Modem<br />
-A FWD_V3_VPN -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Forward traffic from VLAN3 to Printer<br />
-A FWD_V3_VPN -d 192.168.4.9/32 -j ACCEPT<br />
<br />
# Allow rest from VLAN3<br />
-A FWD_V3_VPN -s 192.168.3.0/24 -j ACCEPT<br />
<br />
# Drop bogons from VLAN3<br />
-A FWD_V3_VPN -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Drop msft from VLAN3<br />
-A FWD_V3_VPN -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Forward some exception to ppp0 from VLAN3<br />
-A FWD_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT<br />
<br />
# Allow in NTP from Router (this machine)<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow in HTTP from Router (this machine)<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
# -A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
# -A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Allow in established packets from Printer to hosts in VLAN2/3<br />
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Clients (access point A & B)<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest in from VLAN1<br />
-A IN_V1_MGMT -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ssh in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow DNS in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# ALLOW NTP in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ssh in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow DNS in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# Allow NTP in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow some exception direct from ppp0 to VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log dropped msft tracking that never got forwarded<br />
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT forward(ipv4) " --log-level 6<br />
-A LOG_DROP_MSFT -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only" --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.3.0/24 -m mark --mark 0x2<br />
<br />
# Check some exception are 0x1<br />
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -m mark --mark 0x1<br />
<br />
# Mark packets coming from 192.168.3.0/24 are 0x2<br />
-A PREROUTING -s 192.168.3.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x1<br />
<br />
# Mark packets 192.168.2.0/24 are 0x1<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark some exception as 0x1<br />
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Strip mark if packet is destined for printer<br />
-A PREROUTING -d 192.168.4.9/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
== ip6tables ==<br />
<br />
You'll need to modify your prefix in one of the rules.<br />
<br />
<pre>#########################################################################<br />
# Uses 2001:0db8:1234:ffff::1/64 VLAN2 - route to ISP<br />
# fde4:8dba:82e1:fff3::1/64 VLAN3 - route to VPN<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows my excepted ranges<br />
-A PREROUTING -m set --match-set allowed-nets-ipv6 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allows hosts of the network to use the VPN tunnel for IPv6<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Drop unusually large ping packets<br />
-A PREROUTING -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m length --length 170:65535 -j DROP<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
:FWD_V1_MGMT - [0:0]<br />
:FWD_V2_ISP - [0:0]<br />
:FWD_V3_VPN - [0:0]<br />
:FWD_V4_LANONLY - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
:IN_V1_MGMT - [0:0]<br />
:IN_V2_ISP - [0:0]<br />
:IN_V3_VPN - [0:0]<br />
:IN_V4_LANONLY - [0:0]<br />
<br />
# Create a drop/reject chains<br />
:LOG_DROP - [0:0]<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_V1_MGMT<br />
-A INPUT -i eth0.2 -j IN_V2_ISP<br />
-A INPUT -i eth0.3 -j IN_V3_VPN<br />
-A INPUT -i eth0.4 -j IN_V4_LANONLY<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_V1_MGMT<br />
-A FORWARD -i eth0.2 -j FWD_V2_ISP<br />
-A FORWARD -i eth0.3 -j FWD_V3_VPN<br />
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Rate limit ICMPv6 PING<br />
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 30/min -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward VLAN2 to ISP<br />
-A FWD_V2_ISP -s 2001:0db8:1234:ffff::/64 -j ACCEPT<br />
<br />
# Forward VLAN3 to VPN<br />
-A FWD_V3_VPN -o tun0 -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Allow and rate limit ICMP<br />
-A IN_PPP0 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT<br />
-A IN_PPP0 -p ipv6-icmp -m limit --limit 30/sec -j ACCEPT<br />
<br />
# Allow DHCPv6 PD on Link Local from ISP<br />
-A IN_PPP0 -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets on VPN<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Allow tracked connections in from ppp0 to VLAN2<br />
-A IN_V2_ISP -s 2001:0db8:1234:ffff::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ICMP in from VLAN2<br />
-A IN_V2_ISP -p ipv6-icmp -j ACCEPT<br />
<br />
# Allow tracked connections in from tun0 to VLAN3<br />
-A IN_V3_VPN -s fde4:8dba:82e1:fff3::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ICMP in from VLAN3<br />
-A IN_V3_VPN -p ipv6-icmp -j ACCEPT<br />
COMMIT</pre><br />
<br />
Add ip6tables to the default run level:<br />
<br />
{{cmd|rc-update add ip6tables default}}<br />
<br />
== nftables ==<br />
<br />
Optionally one might decide to use nftables instead of old legacy iptables. nftables has a few improvements such as a cleaner rule syntax, ipv4 and ipv6 is all in one table, and the ability to use [https://wiki.nftables.org/wiki-nftables/index.php/Scripting#Defining_variables variables], [https://wiki.nftables.org/wiki-nftables/index.php/Sets sets], [https://wiki.nftables.org/wiki-nftables/index.php/Dictionaries dictionaries] and [https://wiki.nftables.org/wiki-nftables/index.php/Maps maps]. This also means you no longer need to worry about using [[Linux Router with VPN on a Raspberry Pi#Installing_ipset | ipset]].<br />
<br />
<pre>#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
###################################################################################<br />
#<br />
#| Address | Route To | Interface | VLAN | Mark |<br />
#|------------------------------------|-----------------|-----------|------|------|<br />
#| 192.168.0.0/24 | Modem | eth1 | 1 | |<br />
#| 192.168.1.0/24 | Nowhere | eth0 | 1 | |<br />
#| 192.168.2.0/24 | ISP | eth0.2 | 2 | 0x1 |<br />
#| 2001:0db8:1234:ffff::/64 | ISP | eth0.2 | 2 | 0x1 |<br />
#| 192.168.3.0/24 | VPN | eth0.3 | 3 | 0x2 |<br />
#| fde4:8dba:82e1:fff3::/64 | VPN | eth0.3 | 3 | 0x2 |<br />
#| 192.168.4.0/24 | Nowhere | eth0.4 | 4 | |<br />
#| <ip_of_exception> | Exception (ISP) | eth0.2 | 4 | 0x1 |<br />
#<br />
###################################################################################<br />
<br />
define net_v0_ip4 = 192.168.0.0/24<br />
define net_v1_ip4 = 192.168.1.0/24<br />
define net_v2_ip4 = 192.168.2.0/24<br />
define net_v3_ip4 = 192.168.3.0/24<br />
define network_v4_ip4 = 192.168.4.0/24<br />
define mailserver = <ip_of_exception><br />
define modem = 192.168.0.2<br />
define router = 192.168.1.1<br />
define printer = 192.168.4.9<br />
define workstation = 192.168.3.30<br />
define wifi_aps = { 192.168.1.10, 192.168.1.11 }<br />
define net_ula_v1_ip6 = fde4:8dba:82e1:fff1::/64<br />
define net_gua_v2_ip6 = 2001:0db8:1234:ffff::/64<br />
define net_ula_v3_ip6 = fde4:8dba:82e1:fff3::/64<br />
define net_ula_v4_ip6 = fde4:8dba:82e1:fff4::/64<br />
define vpn_gateway = 172.16.32.1<br />
<br />
#<br />
# Mangle Table (IPv4)<br />
# Markings happen: whether they be 0x1 or 0x2<br />
#<br />
table ip mangle {<br />
chain PREROUTING {<br />
type filter hook prerouting priority mangle; policy accept;<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
mark set ct mark<br />
<br />
# If packet MARK is 2, then it means there is already a<br />
# connection mark and theoriginal packet came in on VPN<br />
ip saddr $net_v3_ip4 mark 0x00000002<br />
<br />
# Check mail server are 0x1<br />
ip saddr $net_v3_ip4 ip daddr $mailserver mark 0x00000001<br />
<br />
# Mark packets coming from VLAN3 as 0x2<br />
ip saddr $net_v3_ip4 mark set 0x00000002<br />
<br />
# If packet MARK is 1, then it means there is already a<br />
# connection mark and the original packet came in on ISP<br />
ip saddr $net_v2_ip4 mark 0x00000001<br />
<br />
# Mark packets coming from VLAN2 as 0x1<br />
ip saddr $net_v2_ip4 mark set 0x00000001<br />
<br />
# Mark mail server as 0x1<br />
ip saddr $net_v3_ip4 ip daddr $mailserver mark set 0x00000001<br />
<br />
# Strip mark if packet is destined for modem<br />
ip daddr $modem mark set 0x00000000<br />
<br />
# Strip mark if packet is destined for printer<br />
ip daddr $printer mark set 0x00000000<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
ct mark set mark<br />
}<br />
}<br />
<br />
#<br />
# Filter Table (IPv4)<br />
# Filtering things coming IN and OUT of the router<br />
#<br />
table ip filter {<br />
# Create rule chain per input interface for input packets (for host itself)<br />
chain INPUT {<br />
type filter hook input priority filter; policy drop;<br />
iifname "lo" accept<br />
iifname "eth0" jump IN_V1_MGMT<br />
iifname "eth0.2" jump IN_V2_ISP<br />
iifname "eth0.3" jump IN_V3_VPN<br />
iifname "eth1" jump IN_ETH1<br />
iifname "tun0" jump IN_TUN0<br />
}<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
chain FORWARD {<br />
type filter hook forward priority filter; policy drop;<br />
ct state established,related accept<br />
iifname "eth0" jump FWD_V1_MGMT<br />
iifname "eth0.2" jump FWD_V2_ISP<br />
iifname "eth0.3" jump FWD_V3_VPN<br />
iifname "eth1" jump FWD_ETH1<br />
iifname "tun0" jump FWD_TUN0<br />
}<br />
<br />
chain FWD_ETH1 {<br />
ip saddr $modem ip daddr $net_v2_ip4 tcp sport http ct state established,new accept<br />
ip saddr $modem ip daddr $net_v3_ip4 tcp sport http ct state established,new accept<br />
}<br />
<br />
chain FWD_TUN0 {<br />
# Forward bittorrent<br />
ip daddr $workstation tcp dport 20001 ct state established,new accept<br />
ip daddr $workstation udp dport 20001 ct state established,new accept<br />
}<br />
<br />
chain FWD_V1_MGMT {<br />
# Forward established packets to hosts in VLAN2/3 from printer<br />
ip saddr $printer ip daddr $net_v2_ip4 ct state established,new accept<br />
ip saddr $printer ip daddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Forward established packets to hosts in VLAN2/3 from modem<br />
ip saddr $modem ip daddr $net_v3_ip4 tcp sport http ct state established,new accept<br />
}<br />
<br />
chain FWD_V2_ISP {<br />
# Forward traffic from VLAN2 to Modem<br />
ip daddr $modem tcp dport http accept<br />
<br />
# Forward traffic from VLAN2 to printer<br />
ip daddr $printer accept<br />
<br />
# Allow rest from VLAN2<br />
ip saddr $net_v2_ip4 accept<br />
}<br />
<br />
chain FWD_V3_VPN {<br />
# Forward traffic from VLAN3 to Modem<br />
ip daddr $modem tcp dport http accept<br />
<br />
# Forward traffic from VLAN3 to printer<br />
ip daddr $printer accept<br />
<br />
# Allow rest from VLAN3<br />
ip saddr $net_v3_ip4 accept<br />
<br />
# Allow mailserver direct from VLAN3 out<br />
oifname "eth1" ip saddr $net_v3_ip4 ip daddr $mailserver accept<br />
}<br />
<br />
chain IN_ETH1 {<br />
# Accept incoming tracked connection from eth1<br />
ip saddr $router ip daddr $modem tcp sport http ct state established,new accept<br />
<br />
# Allow incoming NTP in from VLAN1<br />
ip saddr $net_v0_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Log dropped packets coming in on eth1<br />
ct state established,related accept<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_TUN0 {<br />
# Log dropped packets coming in on tun0<br />
ct state established,related accept<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_V1_MGMT {<br />
# Allow in established packets from printer to VLAN2 and VLAN3<br />
ip saddr $printer ip daddr $net_v2_ip4 ct state established,new accept<br />
ip saddr $printer ip daddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Allow NTP in from VLAN1<br />
ip saddr $net_v1_ip4 udp dport ntp ct state established,new accept<br />
<br />
# FreeRadius Clients<br />
ip saddr $wifi_aps tcp dport radius ct state established,new accept<br />
ip saddr $wifi_aps udp dport radius ct state established,new accept<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
ip saddr $wifi_aps udp dport 10001 ct state established,new accept<br />
ip saddr $wifi_aps udp dport 3478 ct state established,new accept<br />
<br />
# Allow rest in from VLAN1<br />
ip saddr $net_v1_ip4 ct state established,new accept<br />
}<br />
<br />
chain IN_V2_ISP {<br />
# Allow ssh in from VLAN2<br />
ip saddr $net_v2_ip4 tcp dport ssh ct state established,new accept<br />
<br />
# Allow DNS in from VLAN2<br />
ip saddr $net_v2_ip4 udp dport domain ct state new accept<br />
<br />
# Allow NTP in from VLAN2<br />
ip saddr $net_v2_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Allow rest from VLAN2<br />
ip saddr $net_v2_ip4 ct state established,new accept<br />
}<br />
<br />
chain IN_V3_VPN {<br />
# Allow ssh in from VLAN3<br />
ip saddr $net_v3_ip4 tcp dport ssh ct state established,new accept<br />
<br />
# Allow DNS in from VLAN3<br />
ip saddr $net_v3_ip4 udp dport domain ct state new accept<br />
<br />
# Allow NTP in from VLAN3<br />
ip saddr $net_v3_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Allow rest from VLAN3<br />
ip saddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Allow mailserver direct from eth1 from VLAN3<br />
oifname "eth1" ip saddr $net_v3_ip4 ip daddr $mailserver accept<br />
}<br />
<br />
chain LOG_DROP {<br />
log prefix "Dropped v4: " drop<br />
}<br />
}<br />
<br />
#<br />
# NAT Table (IPv4)<br />
# Translation of packets happens to our single external address<br />
# Forwarding of ports through our public interfaces<br />
#<br />
table ip nat {<br />
chain PREROUTING {<br />
type nat hook prerouting priority dstnat; policy accept;<br />
# Port forwarding for Bittorrent on workstation through VPN<br />
iifname "tun0" tcp dport 20001 dnat to $workstation<br />
iifname "tun0" udp dport 20001 dnat to $workstation<br />
}<br />
<br />
chain POSTROUTING {<br />
type nat hook postrouting priority srcnat; policy accept;<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
oifname "eth0" ip saddr $net_v2_ip4 ip daddr $modem tcp dport http masquerade<br />
oifname "eth0" ip saddr $net_v3_ip4 ip daddr $modem tcp dport http masquerade<br />
<br />
# Allows routing to printer<br />
oifname "eth0" ip saddr $net_v2_ip4 ip daddr $printer masquerade<br />
oifname "eth0" ip saddr $net_v3_ip4 ip daddr $printer masquerade<br />
<br />
# Masquerade behind NAT<br />
oifname "tun0" masquerade<br />
oifname "eth1" masquerade<br />
}<br />
}<br />
<br />
#<br />
# Filter Table (IPv6)<br />
# Filtering things coming IN and OUT of the router<br />
#<br />
table ip6 filter {<br />
chain INPUT {<br />
# Create rule chain per input interface for input packets (for host itself)<br />
type filter hook input priority filter; policy drop;<br />
iifname "lo" accept<br />
iifname "eth0.2" jump IN_V2_ISP<br />
iifname "eth0.3" jump IN_V3_VPN<br />
iifname "eth1" jump IN_ETH1<br />
iifname "tun0" jump IN_TUN0<br />
}<br />
<br />
chain FORWARD {<br />
# Track forwarded packets<br />
type filter hook forward priority filter; policy drop;<br />
ct state established,related accept<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
iifname "eth0.2" jump FWD_V2_ISP<br />
iifname "eth0.3" jump FWD_V3_VPN<br />
# iifname "tun0" jump FWD_TUN0<br />
<br />
# Rate limit ICMPv6 PING<br />
icmpv6 type echo-request limit rate 30/minute accept<br />
}<br />
<br />
chain OUTPUT {<br />
type filter hook output priority filter; policy accept;<br />
}<br />
<br />
# chain FWD_TUN0 {<br />
# We could forward ports IPv6 ports through the VPN here<br />
# }<br />
<br />
chain FWD_V2_ISP {<br />
# Forward VLAN2 to ISP<br />
ip6 saddr $net_gua_v2_ip6 accept<br />
}<br />
<br />
chain FWD_V3_VPN {<br />
# Forward VLAN3 to VPN<br />
ip6 saddr $net_ula_v3_ip6 accept<br />
}<br />
<br />
chain IN_ETH1 {<br />
# Accept incoming tracked ETH1 connection<br />
ct state established,related accept<br />
<br />
# Allow and rate limit ICMP<br />
icmpv6 type packet-too-big accept<br />
meta l4proto ipv6-icmp limit rate 30/second accept<br />
<br />
# Allow DHCPv6 PD on Link Local from ISP<br />
ip6 saddr fe80::/10 udp sport dhcpv6-server udp dport dhcpv6-client ct state established,new accept<br />
<br />
# Allow Router advetisements/solict form ISP<br />
ip6 saddr fe80::/10 icmpv6 type nd-router-advert accept<br />
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit accept<br />
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-advert accept<br />
<br />
# Log dropped packets coming in on ETH1<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_TUN0 {<br />
# Accept incoming tracked TUN0 connection<br />
ct state established,related accept<br />
<br />
# Allow and rate limit ICMP<br />
icmpv6 type packet-too-big accept<br />
meta l4proto ipv6-icmp limit rate 30/second accept<br />
<br />
# Log dropped packets on VPN<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_V2_ISP {<br />
# Allow tracked connections in from ETH1 to VLAN2<br />
ip6 saddr $net_gua_v2_ip6 ct state established,new accept<br />
<br />
# Allow ICMP in from VLAN2<br />
meta l4proto ipv6-icmp accept<br />
}<br />
<br />
chain IN_V3_VPN {<br />
# Allow tracked connections in from tun0 to VLAN3<br />
ip6 saddr $net_ula_v3_ip6 ct state established,new accept<br />
<br />
# Allow ICMP in from VLAN3<br />
meta l4proto ipv6-icmp accept<br />
}<br />
<br />
chain LOG_DROP {<br />
log prefix "Dropped v6: " drop<br />
}<br />
}<br />
<br />
#<br />
# Mangle Table (IPv6)<br />
#<br />
table ip6 mangle {<br />
chain PREROUTING {<br />
type filter hook prerouting priority mangle; policy accept;<br />
<br />
# Drop unusually large ping packets<br />
icmpv6 type echo-request meta length 170-65535 drop<br />
}<br />
}<br />
<br />
#<br />
# NAT Table (IPv6)<br />
# Translation of packets happens to our single external address<br />
# only used for the VPN as our ISP give us a /56 range to split up<br />
#<br />
table ip6 nat {<br />
chain POSTROUTING {<br />
type nat hook postrouting priority srcnat; policy accept;<br />
oifname "tun0" masquerade<br />
}<br />
}<br />
<br />
#<br />
# Raw Table - IPv4/IPv6<br />
#<br />
table inet raw {<br />
set bogon-bn-nonagg-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 0.0.0.0/8, 10.0.0.0/8,<br />
100.64.0.0/10, 127.0.0.0/8,<br />
169.254.0.0/16, 172.16.0.0/12,<br />
192.0.0.0/24, 192.0.2.0/24,<br />
192.168.0.0/16, 198.18.0.0/15,<br />
198.51.100.0/24, 203.0.113.0/24,<br />
224.0.0.0/4, 240.0.0.0-255.255.255.255 }<br />
}<br />
<br />
set lo-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 127.0.0.0/8 }<br />
}<br />
<br />
set eth0-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { $net_v1_ip4 }<br />
}<br />
<br />
set eth0.2-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth0.3-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth0.4-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth1-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.0.0/30, 255.255.255.255 }<br />
}<br />
<br />
set tun0-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 172.16.32.0/20, 172.16.48.0/20 }<br />
}<br />
<br />
set lo-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { ::1/128 }<br />
}<br />
<br />
set eth0-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff1::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.2-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { 2001:0db8:1234:ffff::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.3-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff3::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.4-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff4::/64,<br />
fe80::/10 }<br />
}<br />
<br />
chain PREROUTING {<br />
type filter hook prerouting priority raw; policy accept;<br />
<br />
# Allows traffic from NNTP/DNS ovpn.to<br />
iifname "tun0" ip saddr $gateway_ovpn_to accept;<br />
<br />
# Allows traffic originating from router to gateway.ovpn.to<br />
ip daddr $gateway_ovpn_to accept<br />
<br />
# Allows traffic originating from router to modem<br />
ip daddr $modem accept<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
#iifname "eth1" ip saddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_PR;<br />
#iifname "tun0" ip saddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_PR;<br />
}<br />
<br />
chain OUTPUT {<br />
type filter hook output priority raw; policy accept;<br />
<br />
# Allows my excepted ranges<br />
iifname vmap { lo : jump lo-allowed-net, eth0 : jump eth0-allowed-net,<br />
eth0.2 : jump eth0.2-allowed-net, eth0.3 : jump eth0.3-allowed-net,<br />
eth0.4 : jump eth0.4-allowed-net, eth1 : jump eth1-allowed-net,<br />
tun0 : jump tun0-allowed-net };<br />
<br />
oifname vmap { lo : jump lo-allowed-net, eth0 : jump eth0-allowed-net,<br />
eth0.2 : jump eth0.2-allowed-net, eth0.3 : jump eth0.3-allowed-net,<br />
eth0.4 : jump eth0.4-allowed-net, eth1 : jump eth1-allowed-net,<br />
tun0 : jump tun0-allowed-net };<br />
<br />
<br />
# Drop any remaining bogons that try to leave the router<br />
oifname "eth1" ip daddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_IN;<br />
oifname "tun0" ip daddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_IN;<br />
}<br />
<br />
chain lo-allowed-net {<br />
ip saddr @lo-allowed-net-ip4-set accept<br />
ip6 saddr @lo-allowed-net-ip6-set accept<br />
}<br />
<br />
chain eth0-allowed-net {<br />
ip saddr @eth0-allowed-net-ip4-set accept<br />
ip6 saddr @eth0-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 0: " level info<br />
}<br />
<br />
chain eth0.2-allowed-net {<br />
ip saddr @eth0.2-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.2-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 2: " level info<br />
}<br />
<br />
chain eth0.3-allowed-net {<br />
ip saddr @eth0.3-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.3-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 3: " level info<br />
}<br />
<br />
chain eth0.4-allowed-net {<br />
ip saddr @eth0.4-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.4-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 4: " level info<br />
}<br />
<br />
chain eth1-allowed-net {<br />
ip saddr @eth1-allowed-net-ip4-set accept<br />
#log prefix "Allowed packet allow eth1: " level info<br />
}<br />
<br />
chain tun0-allowed-net {<br />
ip saddr @tun0-allowed-net-ip4-set accept<br />
#log prefix "Allowed packet allow tun0: " level info<br />
}<br />
<br />
chain LOG_DROP_BOGON_IN {<br />
log prefix "Dropped Bogon outgoing " drop<br />
}<br />
chain LOG_DROP_BOGON_OUT {<br />
log prefix "Dropped Bogon incoming " drop<br />
}<br />
chain LOG_DROP_BOGON_PR {<br />
log prefix "Dropped Bogon prerouting " drop<br />
}<br />
}</pre><br />
<br />
Add nftables to the default run level:<br />
<br />
{{cmd|rc-update add nftables default}}<br />
<br />
= Router Advertisements =<br />
<br />
Now we need to configure radvd to give router advertisements to out VLANs for addressing and routing.<br />
<br />
{{cmd|apk add radvd}}<br />
<br />
Once radvd is installed, you may configure it:<br />
<br />
== /etc/radvd.conf ==<br />
<br />
<pre>interface eth0.2 {<br />
<br />
# We are sending advertisements (route)<br />
AdvSendAdvert on;<br />
<br />
# When set, host use the administered (stateful) protocol<br />
# for address autoconfiguration. The use of this flag is<br />
# described in RFC 4862<br />
AdvManagedFlag on;<br />
<br />
# When set, host use the administered (stateful) protocol<br />
# for address autoconfiguration. For other (non-address)<br />
# information.<br />
# The use of this flag is described in RFC 4862<br />
AdvOtherConfigFlag on;<br />
<br />
# Suggested Maximum Transmission setting for using the<br />
# Hurricane Electric Tunnel Broker.<br />
# AdvLinkMTU 1480;<br />
<br />
# We have native Dual Stack IPv6 so we can use the regular MTU<br />
# http://blogs.cisco.com/enterprise/ipv6-mtu-gotchas-and-other-icmp-issues<br />
AdvLinkMTU 1500;<br />
<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on; ## SLAAC based on EUI<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
interface eth0.3 {<br />
<br />
AdvSendAdvert on;<br />
AdvManagedFlag on;<br />
AdvOtherConfigFlag on;<br />
AdvLinkMTU 1500;<br />
<br />
# Helps the route not get lost when on WiFi with packet loss<br />
MaxRtrAdvInterval 30;<br />
AdvDefaultLifetime 9000;<br />
<br />
prefix fde4:8dba:82e1:fff3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on; ## SLAAC based on EUI<br />
};<br />
};</pre><br />
<br />
Add radvd to the default run level:<br />
<br />
{{cmd|rc-update add radvd default}}<br />
<br />
= DHCP =<br />
You may decide you want more control over your network address assignment. I like to have certain hosts get certain addresses when they connect on a particular VLAN, note v2 and v3. You can do this with:<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.21 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
<br />
host wifi_ap {<br />
hardware ethernet <mac_addess>;<br />
fixed-address 192.168.1.11;<br />
option subnet-mask 255.255.255.0;<br />
option routers 192.168.1.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.40 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.2.1;<br />
allow unknown-clients;<br />
<br />
host host-v2 {<br />
hardware ethernet <mac_address>;<br />
fixed-address 192.168.2.30;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.20 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.3.1;<br />
ignore unknown-clients;<br />
<br />
host host-v3 {<br />
hardware ethernet <mac_address>;<br />
fixed-address 192.168.3.30;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.4.0 netmask 255.255.255.0 {<br />
range 192.168.4.40 192.168.4.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.4.255;<br />
option routers 192.168.4.1;<br />
option ntp-servers 192.168.4.1;<br />
option domain-name-servers 192.168.4.1;<br />
<br />
host printer {<br />
hardware ethernet <PRINTER_MAC_ADDRESS>;<br />
fixed-address 192.168.4.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.4.255;<br />
option routers 192.168.4.1;<br />
option host-name "My_Printer";<br />
} ignore unknown-clients;<br />
}</pre><br />
<br />
For IPv6 I don't use DHCPv6 because Android doesn't support it. I just let SLAAC assign addresses.<br />
<br />
= VPN Tunnel VLAN3 =<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN<br />
3 LAN</pre><br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
/sbin/ip -6 rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
/sbin/ip -6 rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300<br />
/sbin/ip -6 rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/network/route_LAN ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script adds the LAN routes.<br />
#<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0.2 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0.2 table ISP<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}<br />
<br />
# Add route to LAN subnet<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table ISP</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.3.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table VPN<br />
/sbin/ip -6 route add fde4:8dba:82e1:fff3::/64 dev eth0.3 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
/sbin/ip -6 rule add from fde4:8dba:82e1:fff3::/64 table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN<br />
/sbin/ip -6 route add default dev tun0 table VPN <br />
<br />
# Add route to LAN only subnet<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table VPN<br />
<br />
# Add route to IP on VPN for traffic originating from the router<br />
/sbin/ip route add 172.16.32.1 dev tun0</pre><br />
<br />
== /etc/openvpn/route-down-fwmark.sh ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200<br />
/sbin/ip -6 rule del from fde4:8dba:82e1:fff3::/64 table VPN prio 200<br />
<br />
# Delete route to IP on VPN for traffic originating from the router<br />
/sbin/ip route del 172.16.32.1 dev tun0</pre><br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in your VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
<br />
[[category: Raspberry]]<br />
[[category: VPN]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi_(IPv6)&diff=16942Linux Router with VPN on a Raspberry Pi (IPv6)2020-02-25T09:43:19Z<p>Dngray: Add nftables rulesets</p>
<hr />
<div>{{TOC right}}<br />
<br />
I have split this off the main article [[Linux Router with VPN on a Raspberry Pi]] IPv6 implementation requires a few changes to the initial article to work. I haven't duplicated everything here however, just the stuff that relates to IPv6.<br />
<br />
= Introduction =<br />
IPv6 introduces a number of new complexities into our network. If you've completed previous IPv4 only guide [[Linux Router with VPN on a Raspberry Pi]] then read on.<br />
<br />
Your VPN provider may only offers you a single stack connection (no IPv6). You won't be able to implement IPv6 addressing on VLAN 3 to carry your IPv6 traffic out of the VPN. If your ISP gives you IPv6 addressing you may still implement addressing on VLAN2 to carry traffic directly to your ISP. In this example I do both.<br />
<br />
If you don't know much about IPv6 then these pages might be of interest to get you up to speed.<br />
<br />
* [http://tldp.org/HOWTO/Linux+IPv6-HOWTO Linux IPv6 HOWTO (en)] - in particular the "basics" and "address types".<br />
* [https://en.wikipedia.org/wiki/IPv6 IPv6]<br />
* [https://en.wikipedia.org/wiki/IPv6_address IPv6 Address]<br />
* [https://en.wikipedia.org/wiki/Prefix_delegation Prefix delegation] we use this with dhcpcd when doing DHCPv6-PD to inform our ISP of our network devices.<br />
* [https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol Neighbor Discovery Protocol] we use this with radvd to distribute our routes.<br />
* [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_version_6 Internet Control Message Protocol version 6] ICMPv6 differs from ICMPv4 and is used for many critical parts of IPv6 infrastructure.<br />
* [http://ipv6-test.com IPv6-test.com] Useful for diagnosing if IPv6 is working.<br />
<br />
<br />
[[File:Network_Diagram_ipv4_ipv6_with_vlans.svg|900px|center|Network Diagram IPv4 and IPv6]]<br />
<br />
= Enabling IPv6 support =<br />
<br />
Assuming you're using the Alpine Linux kernel, IPv6 support is available separately as a module.<br />
<br />
{{cmd|modprobe ipv6}}<br />
To add the module to our startup configuration.<br />
{{cmd|echo "ipv6" >> /etc/modules}}<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
Modify the sysctl section to include IPv6 support:<br />
<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# http://vk5tu.livejournal.com/37206.html<br />
# What's this special value "2"? Originally the value was "1", but this <br />
# disabled autoconfiguration on all interfaces. That is, you couldn't appear <br />
# to be a router on some interfaces and appear to be a host on other <br />
# interfaces. But that's exactly the mental model of a ADSL router. <br />
<br />
# Controls IP packet forwarding<br />
net.ipv6.conf.all.forwarding = 2<br />
net.ipv6.conf.default.forwarding = 2<br />
<br />
# Accept Router Advertisments<br />
net.ipv6.conf.all.accept_ra = 2<br />
net.ipv6.conf.default.accept_ra = 2<br />
<br />
# We are a router so disable temporary addresses<br />
net.ipv6.conf.all.use_tempaddr = 0<br />
net.ipv6.conf.default.use_tempaddr = 0</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add an IPv6 interface for each VLAN. Note we don't need to add one for VLAN2 because dhcpcd will take care of that for us using our ISPs router advertisements. Also note the . (dot notation) represents a VLAN interface where as : (colon notation) used in the previous article represented an IP address aliased on an interface. <br />
<br />
The reason we need VLANs here is because each VLAN has it's own broadcast and we don't want our router advertisements to be putting routes and addresses on all the interfaces. It also helps us with a more secure design, but requires a managed switch.<br />
<br />
<pre># VLAN 2 - DESTINED FOR ISP<br />
auto eth0.2<br />
iface eth0.2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules<br />
<br />
# VLAN 3 - DESTINED FOR VPN<br />
auto eth0.3<br />
iface eth0.3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
<br />
iface eth0.3 inet6 static<br />
address fde4:8dba:82e1:fff3::1<br />
netmask 64<br />
autoconf 0<br />
accept_ra 0<br />
privext 0<br />
<br />
# VLAN 4 - LAN ONLY<br />
auto eth0.4<br />
iface eth0.4 inet static<br />
address 192.168.4.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.4.255<br />
post-up /etc/network/route_LAN<br />
<br />
iface eth0.4 inet6 static<br />
address fde4:8dba:82e1:fff4::1<br />
netmask 64<br />
autoconf 0<br />
accept_ra 0<br />
privext 0</pre><br />
<br />
= Configuring PPP =<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem. <br />
<br />
See [[PPP]], you will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
== Check system log ==<br />
Restart ppp.<br />
<br />
{{cmd|poff yourISP}}<br />
{{cmd|pon yourISP}}<br />
<br />
In /var/log/messages you should see something like<br />
<br />
<pre>pppd[]: Plugin rp-pppoe.so loaded.<br />
pppd[]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7<br />
pppd[]: pppd 2.4.7 started by root, uid 0<br />
pppd[]: PPP session is 49969<br />
pppd[]: Connected to 00:53:00:ff:ff:f0 via interface eth1<br />
pppd[]: Using interface ppp0<br />
pppd[]: Connect: ppp0 <--> eth1<br />
pppd[]: CHAP authentication succeeded<br />
pppd[]: CHAP authentication succeeded<br />
pppd[]: peer from calling number 00:53:00:FF:FF:F0 authorized<br />
pppd[]: local LL address fe80::0db8:ffff:ffff:fff1<br />
pppd[]: remote LL address fe80::0db8:ffff:ffff:fff0<br />
pppd[]: local IP address 192.0.2.1<br />
pppd[]: remote IP address 192.0.2.0<br />
pppd[]: primary DNS address 192.0.2.10<br />
pppd[]: secondary DNS address 192.0.2.20</pre><br />
<br />
You should be able to now ping things such as<br />
<br />
{{cmd|ping6 ipv6.google.com}}<br />
<br />
from your router.<br />
<br />
= Prefix Delegation =<br />
<br />
The next step will be to configure DHCPv6 Prefix Delegation with your ISP. Install dhcpcd. While many guides do use the wide-dhcpv6-client [http://bugs.alpinelinux.org/issues/564 it should be noted this is unmaintained] and not included in Alpine Linux.<br />
<br />
Don't use the ISC's dhclient either as [https://bugs.gentoo.org/show_bug.cgi?id=432652 this does not support Prefix Delegations on PPP links] without a patch.<br />
<br />
{{cmd|apk add dhcpcd}}<br />
<br />
You can check out the manual for [http://roy.marples.name/man/html5/dhcpcd.conf.html dhcpcd.conf]. Installing dhcpcd-doc will allow you to read the man file. Eg:<br />
<br />
{{cmd|apk add dhcpcd-doc}}<br />
<br />
=== /etc/dhcpcd.conf ===<br />
<br />
{{cmd|apk add dhcpcd}}<br />
<br />
If the main repositories have dhcpcd below version 7.0.7 (at time of writing AlpineLinux 3.8 and below) you will need to use the latest version from edge as it fixes a bug with unique link local addresses on our VLANs [https://roy.marples.name/blog/dhcpcd-7-0-7-released dhcpcd ChangeLog] this [https://patchwork.alpinelinux.org/patch/4016/ patch] already applied in v7.0.7<br />
<br />
{{cmd|apk add dhcpcd@edge}}<br />
<br />
If you haven't you may need to add the edge repository for pinning [[Alpine Linux package management#Repository_pinning]]<br />
<br />
<pre># Enable extra debugging<br />
#debug<br />
#logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of our hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
#clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# IPv6 Only<br />
ipv6only<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
# Use the interface connected to WAN<br />
interface ppp0<br />
ipv6rs # enable routing solicitation get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64</pre><br />
<br />
Add dhcpcd to the default run level:<br />
<br />
{{cmd|rc-update add dhcpcd default}}<br />
<br />
= Configuring firewall for IPv4 and IPv6 traffic =<br />
<br />
== iptables ==<br />
Here are some rules for iptables that I am currently using, yours may look something similar.<br />
<br />
<pre>#########################################################################<br />
# Uses 192.168.1.0 VLAN1 Management Untagged - no route<br />
# 192.168.2.0 VLAN2 - route to ISP<br />
# 192.168.3.0 VLAN3 - route to VPN<br />
# 192.168.4.0 VLAN4 - no route<br />
# <br />
# Packets to/from 192.168.1.0/24 not in any VLAN ie tagged<br />
# Packets to/from 192.168.2.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.3.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.4.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
# These destinations will always be marked with 0x1 from VLAN3:<br />
#<br />
# <ip_of_exception> some exception<br />
#########################################################################<br />
<br />
# <br />
# Raw Table<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_DROP_MSFT - [0:0]<br />
<br />
# Create output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN's DNS server<br />
-A PREROUTING -s 172.16.32.1/32 -i tun0 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Block MSFT known tracking IPs from https://github.com/Nummer/Destroy-Windows-10-Spying<br />
-A PREROUTING -i ppp0 -m set --match-set dropped-msft-ip-ipv4 src -j LOG_DROP_MSFT<br />
-A PREROUTING -i tun0 -m set --match-set dropped-msft-ip-ipv4 src -j LOG_DROP_MSFT<br />
<br />
# Allows my excepted ranges<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Allows traffic originating from router to remote address on VPN<br />
-A OUT_TUN0 -d 172.16.32.1 -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT (ipv4) : " --log-level 6<br />
-A LOG_DROP_MSFT -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Block packets originating from the router destined to msft ranges<br />
-A OUT_PPP0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Blocks packets originating from the router destined to msft ranges<br />
-A OUT_TUN0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent through VPN<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 20001 -j DNAT --to-destination 192.168.3.30<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 20001 -j DNAT --to-destination 192.168.3.30<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows routing to Printer<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
:FWD_V1_MGMT - [0:0]<br />
:FWD_V2_ISP - [0:0]<br />
:FWD_V3_VPN - [0:0]<br />
:FWD_V4_LANONLY - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
:IN_V1_MGMT - [0:0]<br />
:IN_V2_ISP - [0:0]<br />
:IN_V3_VPN - [0:0]<br />
:IN_V4_LANONLY - [0:0]<br />
<br />
# Create a drop/reject chains<br />
:LOG_DROP - [0:0]<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_DROP_MSFT - [0:0]<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_V1_MGMT<br />
-A INPUT -i eth0.2 -j IN_V2_ISP<br />
-A INPUT -i eth0.3 -j IN_V3_VPN<br />
-A INPUT -i eth0.4 -j IN_V4_LANONLY<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_V1_MGMT<br />
-A FORWARD -i eth0.2 -j FWD_V2_ISP<br />
-A FORWARD -i eth0.3 -j FWD_V3_VPN<br />
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.3.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port<br />
-A FWD_TUN0 -d 192.168.3.30/32 -p tcp -m tcp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.3.30/32 -p udp -m udp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward established packets to hosts in VLAN2/3 from Printer<br />
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Refuse to forward bogons from VLAN1 (Untagged Management)<br />
-A FWD_V1_MGMT -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Refuse to forward msft from VLAN1 (Untagged Management)<br />
-A FWD_V1_MGMT -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Forward traffic from VLAN2 to Modem<br />
-A FWD_V2_ISP -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Forward traffic from VLAN2 to Printer<br />
-A FWD_V2_ISP -d 192.168.4.9/32 -j ACCEPT<br />
<br />
# Drop bogons from VLAN2<br />
-A FWD_V2_ISP -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Drop msft from VLAN2<br />
-A FWD_V2_ISP -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Allow rest from VLAN2<br />
-A FWD_V2_ISP -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Forward traffic from VLAN3 to Modem<br />
-A FWD_V3_VPN -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Forward traffic from VLAN3 to Printer<br />
-A FWD_V3_VPN -d 192.168.4.9/32 -j ACCEPT<br />
<br />
# Allow rest from VLAN3<br />
-A FWD_V3_VPN -s 192.168.3.0/24 -j ACCEPT<br />
<br />
# Drop bogons from VLAN3<br />
-A FWD_V3_VPN -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Drop msft from VLAN3<br />
-A FWD_V3_VPN -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT<br />
<br />
# Forward some exception to ppp0 from VLAN3<br />
-A FWD_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT<br />
<br />
# Allow in NTP from Router (this machine)<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow in HTTP from Router (this machine)<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
# -A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
# -A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Allow in established packets from Printer to hosts in VLAN2/3<br />
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Clients (access point A & B)<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest in from VLAN1<br />
-A IN_V1_MGMT -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ssh in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow DNS in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# ALLOW NTP in from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest from VLAN2<br />
-A IN_V2_ISP -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ssh in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow DNS in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# Allow NTP in from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow rest from VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow some exception direct from ppp0 to VLAN3<br />
-A IN_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log dropped msft tracking that never got forwarded<br />
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT forward(ipv4) " --log-level 6<br />
-A LOG_DROP_MSFT -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only" --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.3.0/24 -m mark --mark 0x2<br />
<br />
# Check some exception are 0x1<br />
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -m mark --mark 0x1<br />
<br />
# Mark packets coming from 192.168.3.0/24 are 0x2<br />
-A PREROUTING -s 192.168.3.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x1<br />
<br />
# Mark packets 192.168.2.0/24 are 0x1<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark some exception as 0x1<br />
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Strip mark if packet is destined for printer<br />
-A PREROUTING -d 192.168.4.9/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
== ip6tables ==<br />
<br />
You'll need to modify your prefix in one of the rules.<br />
<br />
<pre>#########################################################################<br />
# Uses 2001:0db8:1234:ffff::1/64 VLAN2 - route to ISP<br />
# fde4:8dba:82e1:fff3::1/64 VLAN3 - route to VPN<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows my excepted ranges<br />
-A PREROUTING -m set --match-set allowed-nets-ipv6 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allows hosts of the network to use the VPN tunnel for IPv6<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Drop unusually large ping packets<br />
-A PREROUTING -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m length --length 170:65535 -j DROP<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
:FWD_V1_MGMT - [0:0]<br />
:FWD_V2_ISP - [0:0]<br />
:FWD_V3_VPN - [0:0]<br />
:FWD_V4_LANONLY - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
:IN_V1_MGMT - [0:0]<br />
:IN_V2_ISP - [0:0]<br />
:IN_V3_VPN - [0:0]<br />
:IN_V4_LANONLY - [0:0]<br />
<br />
# Create a drop/reject chains<br />
:LOG_DROP - [0:0]<br />
:LOG_DROP_BOGON - [0:0]<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chains<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_V1_MGMT<br />
-A INPUT -i eth0.2 -j IN_V2_ISP<br />
-A INPUT -i eth0.3 -j IN_V3_VPN<br />
-A INPUT -i eth0.4 -j IN_V4_LANONLY<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_V1_MGMT<br />
-A FORWARD -i eth0.2 -j FWD_V2_ISP<br />
-A FORWARD -i eth0.3 -j FWD_V3_VPN<br />
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Rate limit ICMPv6 PING<br />
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 30/min -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward VLAN2 to ISP<br />
-A FWD_V2_ISP -s 2001:0db8:1234:ffff::/64 -j ACCEPT<br />
<br />
# Forward VLAN3 to VPN<br />
-A FWD_V3_VPN -o tun0 -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Allow and rate limit ICMP<br />
-A IN_PPP0 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT<br />
-A IN_PPP0 -p ipv6-icmp -m limit --limit 30/sec -j ACCEPT<br />
<br />
# Allow DHCPv6 PD on Link Local from ISP<br />
-A IN_PPP0 -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets on VPN<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Allow tracked connections in from ppp0 to VLAN2<br />
-A IN_V2_ISP -s 2001:0db8:1234:ffff::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ICMP in from VLAN2<br />
-A IN_V2_ISP -p ipv6-icmp -j ACCEPT<br />
<br />
# Allow tracked connections in from tun0 to VLAN3<br />
-A IN_V3_VPN -s fde4:8dba:82e1:fff3::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow ICMP in from VLAN3<br />
-A IN_V3_VPN -p ipv6-icmp -j ACCEPT<br />
COMMIT</pre><br />
<br />
Add ip6tables to the default run level:<br />
<br />
{{cmd|rc-update add ip6tables default}}<br />
<br />
== nftables ==<br />
<br />
Optionally one might decide to use nftables instead of old legacy iptables. nftables has a few improvements such as a cleaner rule syntax, ipv4 and ipv6 is all in one table, and the ability to use [https://wiki.nftables.org/wiki-nftables/index.php/Scripting#Defining_variables variables], [https://wiki.nftables.org/wiki-nftables/index.php/Sets sets], [https://wiki.nftables.org/wiki-nftables/index.php/Dictionaries dictionaries] and [https://wiki.nftables.org/wiki-nftables/index.php/Maps maps]. This also means you no longer need to worry about using [[Linux Router with VPN on a Raspberry Pi#Installing_ipset | ipset]].<br />
<br />
<pre>#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
###################################################################################<br />
#<br />
#| Address | Route To | Interface | VLAN | Mark |<br />
#|------------------------------------|-----------------|-----------|------|------|<br />
#| 192.168.0.0/24 | Modem | eth1 | 1 | |<br />
#| 192.168.1.0/24 | Nowhere | eth0 | 1 | |<br />
#| 192.168.2.0/24 | ISP | eth0.2 | 2 | 0x1 |<br />
#| 2001:0db8:1234:ffff::/64 | ISP | eth0.2 | 2 | 0x1 |<br />
#| 192.168.3.0/24 | VPN | eth0.3 | 3 | 0x2 |<br />
#| fde4:8dba:82e1:fff3::/64 | VPN | eth0.3 | 3 | 0x2 |<br />
#| 192.168.4.0/24 | Nowhere | eth0.4 | 4 | |<br />
#| <ip_of_exception> | Exception (ISP) | eth0.2 | 4 | 0x1 |<br />
#<br />
###################################################################################<br />
<br />
define net_v0_ip4 = 192.168.0.0/24<br />
define net_v1_ip4 = 192.168.1.0/24<br />
define net_v2_ip4 = 192.168.2.0/24<br />
define net_v3_ip4 = 192.168.3.0/24<br />
define network_v4_ip4 = 192.168.4.0/24<br />
define mailserver = <ip_of_exception><br />
define modem = 192.168.0.2<br />
define router= 192.168.1.1<br />
define printer = 192.168.4.9<br />
define workstation = 192.168.3.30<br />
define wifi_aps = { 192.168.1.10, 192.168.1.11 }<br />
define net_ula_v1_ip6 = fde4:8dba:82e1:fff1::/64<br />
define net_gua_v2_ip6 = 2001:0db8:1234:ffff::/64<br />
define net_ula_v3_ip6 = fde4:8dba:82e1:fff3::/64<br />
define net_ula_v4_ip6 = fde4:8dba:82e1:fff4::/64<br />
define vpn_gateway = 172.16.32.1<br />
<br />
#<br />
# Mangle Table (IPv4)<br />
# Markings happen: whether they be 0x1 or 0x2<br />
#<br />
table ip mangle {<br />
chain PREROUTING {<br />
type filter hook prerouting priority mangle; policy accept;<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
mark set ct mark<br />
<br />
# If packet MARK is 2, then it means there is already a<br />
# connection mark and theoriginal packet came in on VPN<br />
ip saddr $net_v3_ip4 mark 0x00000002<br />
<br />
# Check mail server are 0x1<br />
ip saddr $net_v3_ip4 ip daddr $mailserver mark 0x00000001<br />
<br />
# Mark packets coming from VLAN3 as 0x2<br />
ip saddr $net_v3_ip4 mark set 0x00000002<br />
<br />
# If packet MARK is 1, then it means there is already a<br />
# connection mark and the original packet came in on ISP<br />
ip saddr $net_v2_ip4 mark 0x00000001<br />
<br />
# Mark packets coming from VLAN2 as 0x1<br />
ip saddr $net_v2_ip4 mark set 0x00000001<br />
<br />
# Mark mail server as 0x1<br />
ip saddr $net_v3_ip4 ip daddr $mailserver mark set 0x00000001<br />
<br />
# Strip mark if packet is destined for modem<br />
ip daddr $modem mark set 0x00000000<br />
<br />
# Strip mark if packet is destined for printer<br />
ip daddr $printer mark set 0x00000000<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
ct mark set mark<br />
}<br />
}<br />
<br />
#<br />
# Filter Table (IPv4)<br />
# Filtering things coming IN and OUT of the router<br />
#<br />
table ip filter {<br />
# Create rule chain per input interface for input packets (for host itself)<br />
chain INPUT {<br />
type filter hook input priority filter; policy drop;<br />
iifname "lo" accept<br />
iifname "eth0" jump IN_V1_MGMT<br />
iifname "eth0.2" jump IN_V2_ISP<br />
iifname "eth0.3" jump IN_V3_VPN<br />
iifname "eth1" jump IN_ETH1<br />
iifname "tun0" jump IN_TUN0<br />
}<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
chain FORWARD {<br />
type filter hook forward priority filter; policy drop;<br />
ct state established,related accept<br />
iifname "eth0" jump FWD_V1_MGMT<br />
iifname "eth0.2" jump FWD_V2_ISP<br />
iifname "eth0.3" jump FWD_V3_VPN<br />
iifname "eth1" jump FWD_ETH1<br />
iifname "tun0" jump FWD_TUN0<br />
}<br />
<br />
chain FWD_ETH1 {<br />
ip saddr $modem ip daddr $net_v2_ip4 tcp sport http ct state established,new accept<br />
ip saddr $modem ip daddr $net_v3_ip4 tcp sport http ct state established,new accept<br />
}<br />
<br />
chain FWD_TUN0 {<br />
# Forward bittorrent<br />
ip daddr $workstation tcp dport 20001 ct state established,new accept<br />
ip daddr $workstation udp dport 20001 ct state established,new accept<br />
}<br />
<br />
chain FWD_V1_MGMT {<br />
# Forward established packets to hosts in VLAN2/3 from printer<br />
ip saddr $printer ip daddr $net_v2_ip4 ct state established,new accept<br />
ip saddr $printer ip daddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Forward established packets to hosts in VLAN2/3 from modem<br />
ip saddr $modem ip daddr $net_v3_ip4 tcp sport http ct state established,new accept<br />
}<br />
<br />
chain FWD_V2_ISP {<br />
# Forward traffic from VLAN2 to Modem<br />
ip daddr $modem tcp dport http accept<br />
<br />
# Forward traffic from VLAN2 to printer<br />
ip daddr $printer accept<br />
<br />
# Allow rest from VLAN2<br />
ip saddr $net_v2_ip4 accept<br />
}<br />
<br />
chain FWD_V3_VPN {<br />
# Forward traffic from VLAN3 to Modem<br />
ip daddr $modem tcp dport http accept<br />
<br />
# Forward traffic from VLAN3 to printer<br />
ip daddr $printer accept<br />
<br />
# Allow rest from VLAN3<br />
ip saddr $net_v3_ip4 accept<br />
<br />
# Allow mailserver direct from VLAN3 out<br />
oifname "eth1" ip saddr $net_v3_ip4 ip daddr $mailserver accept<br />
}<br />
<br />
chain IN_ETH1 {<br />
# Accept incoming tracked connection from eth1<br />
ip saddr $router ip daddr $modem tcp sport http ct state established,new accept<br />
<br />
# Allow incoming NTP in from VLAN1<br />
ip saddr $net_v0_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Log dropped packets coming in on eth1<br />
ct state established,related accept<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_TUN0 {<br />
# Log dropped packets coming in on tun0<br />
ct state established,related accept<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_V1_MGMT {<br />
# Allow in established packets from printer to VLAN2 and VLAN3<br />
ip saddr $printer ip daddr $net_v2_ip4 ct state established,new accept<br />
ip saddr $printer ip daddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Allow NTP in from VLAN1<br />
ip saddr $net_v1_ip4 udp dport ntp ct state established,new accept<br />
<br />
# FreeRadius Clients<br />
ip saddr $wifi_aps tcp dport radius ct state established,new accept<br />
ip saddr $wifi_aps udp dport radius ct state established,new accept<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
ip saddr $wifi_aps udp dport 10001 ct state established,new accept<br />
ip saddr $wifi_aps udp dport 3478 ct state established,new accept<br />
<br />
# Allow rest in from VLAN1<br />
ip saddr $net_v1_ip4 ct state established,new accept<br />
}<br />
<br />
chain IN_V2_ISP {<br />
# Allow ssh in from VLAN2<br />
ip saddr $net_v2_ip4 tcp dport ssh ct state established,new accept<br />
<br />
# Allow DNS in from VLAN2<br />
ip saddr $net_v2_ip4 udp dport domain ct state new accept<br />
<br />
# Allow NTP in from VLAN2<br />
ip saddr $net_v2_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Allow rest from VLAN2<br />
ip saddr $net_v2_ip4 ct state established,new accept<br />
}<br />
<br />
chain IN_V3_VPN {<br />
# Allow ssh in from VLAN3<br />
ip saddr $net_v3_ip4 tcp dport ssh ct state established,new accept<br />
<br />
# Allow DNS in from VLAN3<br />
ip saddr $net_v3_ip4 udp dport domain ct state new accept<br />
<br />
# Allow NTP in from VLAN3<br />
ip saddr $net_v3_ip4 udp dport ntp ct state established,new accept<br />
<br />
# Allow rest from VLAN3<br />
ip saddr $net_v3_ip4 ct state established,new accept<br />
<br />
# Allow mailserver direct from eth1 from VLAN3<br />
oifname "eth1" ip saddr $net_v3_ip4 ip daddr $mailserver accept<br />
}<br />
<br />
chain LOG_DROP {<br />
log prefix "Dropped v4: " drop<br />
}<br />
}<br />
<br />
#<br />
# NAT Table (IPv4)<br />
# Translation of packets happens to our single external address<br />
# Forwarding of ports through our public interfaces<br />
#<br />
table ip nat {<br />
chain PREROUTING {<br />
type nat hook prerouting priority dstnat; policy accept;<br />
# Port forwarding for Bittorrent on workstation through VPN<br />
iifname "tun0" tcp dport 20001 dnat to $workstation<br />
iifname "tun0" udp dport 20001 dnat to $workstation<br />
}<br />
<br />
chain POSTROUTING {<br />
type nat hook postrouting priority srcnat; policy accept;<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
oifname "eth0" ip saddr $net_v2_ip4 ip daddr $modem tcp dport http masquerade<br />
oifname "eth0" ip saddr $net_v3_ip4 ip daddr $modem tcp dport http masquerade<br />
<br />
# Allows routing to printer<br />
oifname "eth0" ip saddr $net_v2_ip4 ip daddr $printer masquerade<br />
oifname "eth0" ip saddr $net_v3_ip4 ip daddr $printer masquerade<br />
<br />
# Masquerade behind NAT<br />
oifname "tun0" masquerade<br />
oifname "eth1" masquerade<br />
}<br />
}<br />
<br />
#<br />
# Filter Table (IPv6)<br />
# Filtering things coming IN and OUT of the router<br />
#<br />
table ip6 filter {<br />
chain INPUT {<br />
# Create rule chain per input interface for input packets (for host itself)<br />
type filter hook input priority filter; policy drop;<br />
iifname "lo" accept<br />
iifname "eth0.2" jump IN_V2_ISP<br />
iifname "eth0.3" jump IN_V3_VPN<br />
iifname "eth1" jump IN_ETH1<br />
iifname "tun0" jump IN_TUN0<br />
}<br />
<br />
chain FORWARD {<br />
# Track forwarded packets<br />
type filter hook forward priority filter; policy drop;<br />
ct state established,related accept<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
iifname "eth0.2" jump FWD_V2_ISP<br />
iifname "eth0.3" jump FWD_V3_VPN<br />
# iifname "tun0" jump FWD_TUN0<br />
<br />
# Rate limit ICMPv6 PING<br />
icmpv6 type echo-request limit rate 30/minute accept<br />
}<br />
<br />
chain OUTPUT {<br />
type filter hook output priority filter; policy accept;<br />
}<br />
<br />
# chain FWD_TUN0 {<br />
# We could forward ports IPv6 ports through the VPN here<br />
# }<br />
<br />
chain FWD_V2_ISP {<br />
# Forward VLAN2 to ISP<br />
ip6 saddr $net_gua_v2_ip6 accept<br />
}<br />
<br />
chain FWD_V3_VPN {<br />
# Forward VLAN3 to VPN<br />
ip6 saddr $net_ula_v3_ip6 accept<br />
}<br />
<br />
chain IN_ETH1 {<br />
# Accept incoming tracked ETH1 connection<br />
ct state established,related accept<br />
<br />
# Allow and rate limit ICMP<br />
icmpv6 type packet-too-big accept<br />
meta l4proto ipv6-icmp limit rate 30/second accept<br />
<br />
# Allow DHCPv6 PD on Link Local from ISP<br />
ip6 saddr fe80::/10 udp sport dhcpv6-server udp dport dhcpv6-client ct state established,new accept<br />
<br />
# Allow Router advetisements/solict form ISP<br />
ip6 saddr fe80::/10 icmpv6 type nd-router-advert accept<br />
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit accept<br />
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-advert accept<br />
<br />
# Log dropped packets coming in on ETH1<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_TUN0 {<br />
# Accept incoming tracked TUN0 connection<br />
ct state established,related accept<br />
<br />
# Allow and rate limit ICMP<br />
icmpv6 type packet-too-big accept<br />
meta l4proto ipv6-icmp limit rate 30/second accept<br />
<br />
# Log dropped packets on VPN<br />
jump LOG_DROP<br />
}<br />
<br />
chain IN_V2_ISP {<br />
# Allow tracked connections in from ETH1 to VLAN2<br />
ip6 saddr $net_gua_v2_ip6 ct state established,new accept<br />
<br />
# Allow ICMP in from VLAN2<br />
meta l4proto ipv6-icmp accept<br />
}<br />
<br />
chain IN_V3_VPN {<br />
# Allow tracked connections in from tun0 to VLAN3<br />
ip6 saddr $net_ula_v3_ip6 ct state established,new accept<br />
<br />
# Allow ICMP in from VLAN3<br />
meta l4proto ipv6-icmp accept<br />
}<br />
<br />
chain LOG_DROP {<br />
log prefix "Dropped v6: " drop<br />
}<br />
}<br />
<br />
#<br />
# Mangle Table (IPv6)<br />
#<br />
table ip6 mangle {<br />
chain PREROUTING {<br />
type filter hook prerouting priority mangle; policy accept;<br />
<br />
# Drop unusually large ping packets<br />
icmpv6 type echo-request meta length 170-65535 drop<br />
}<br />
}<br />
<br />
#<br />
# NAT Table (IPv6)<br />
# Translation of packets happens to our single external address<br />
# only used for the VPN as our ISP give us a /56 range to split up<br />
#<br />
table ip6 nat {<br />
chain POSTROUTING {<br />
type nat hook postrouting priority srcnat; policy accept;<br />
oifname "tun0" masquerade<br />
}<br />
}<br />
<br />
#<br />
# Raw Table - IPv4/IPv6<br />
#<br />
table inet raw {<br />
set bogon-bn-nonagg-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 0.0.0.0/8, 10.0.0.0/8,<br />
100.64.0.0/10, 127.0.0.0/8,<br />
169.254.0.0/16, 172.16.0.0/12,<br />
192.0.0.0/24, 192.0.2.0/24,<br />
192.168.0.0/16, 198.18.0.0/15,<br />
198.51.100.0/24, 203.0.113.0/24,<br />
224.0.0.0/4, 240.0.0.0-255.255.255.255 }<br />
}<br />
<br />
set lo-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 127.0.0.0/8 }<br />
}<br />
<br />
set eth0-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { $net_v1_ip4 }<br />
}<br />
<br />
set eth0.2-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth0.3-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth0.4-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.2.0/24, 192.168.3.0/24,<br />
192.168.4.0/24 }<br />
}<br />
<br />
set eth1-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 192.168.0.0/30, 255.255.255.255 }<br />
}<br />
<br />
set tun0-allowed-net-ip4-set {<br />
type ipv4_addr<br />
flags interval<br />
elements = { 172.16.32.0/20, 172.16.48.0/20 }<br />
}<br />
<br />
set lo-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { ::1/128 }<br />
}<br />
<br />
set eth0-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff1::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.2-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { 2001:0db8:1234:ffff::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.3-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff3::/64,<br />
fe80::/10 }<br />
}<br />
<br />
set eth0.4-allowed-net-ip6-set {<br />
type ipv6_addr<br />
flags interval<br />
elements = { fde4:8dba:82e1:fff4::/64,<br />
fe80::/10 }<br />
}<br />
<br />
chain PREROUTING {<br />
type filter hook prerouting priority raw; policy accept;<br />
<br />
# Allows traffic from NNTP/DNS ovpn.to<br />
iifname "tun0" ip saddr $gateway_ovpn_to accept;<br />
<br />
# Allows traffic originating from router to gateway.ovpn.to<br />
ip daddr $gateway_ovpn_to accept<br />
<br />
# Allows traffic originating from router to modem<br />
ip daddr $modem accept<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
#iifname "eth1" ip saddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_PR;<br />
#iifname "tun0" ip saddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_PR;<br />
}<br />
<br />
chain OUTPUT {<br />
type filter hook output priority raw; policy accept;<br />
<br />
# Allows my excepted ranges<br />
iifname vmap { lo : jump lo-allowed-net, eth0 : jump eth0-allowed-net,<br />
eth0.2 : jump eth0.2-allowed-net, eth0.3 : jump eth0.3-allowed-net,<br />
eth0.4 : jump eth0.4-allowed-net, eth1 : jump eth1-allowed-net,<br />
tun0 : jump tun0-allowed-net };<br />
<br />
oifname vmap { lo : jump lo-allowed-net, eth0 : jump eth0-allowed-net,<br />
eth0.2 : jump eth0.2-allowed-net, eth0.3 : jump eth0.3-allowed-net,<br />
eth0.4 : jump eth0.4-allowed-net, eth1 : jump eth1-allowed-net,<br />
tun0 : jump tun0-allowed-net };<br />
<br />
<br />
# Drop any remaining bogons that try to leave the router<br />
oifname "eth1" ip daddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_IN;<br />
oifname "tun0" ip daddr @bogon-bn-nonagg-set jump LOG_DROP_BOGON_IN;<br />
}<br />
<br />
chain lo-allowed-net {<br />
ip saddr @lo-allowed-net-ip4-set accept<br />
ip6 saddr @lo-allowed-net-ip6-set accept<br />
}<br />
<br />
chain eth0-allowed-net {<br />
ip saddr @eth0-allowed-net-ip4-set accept<br />
ip6 saddr @eth0-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 0: " level info<br />
}<br />
<br />
chain eth0.2-allowed-net {<br />
ip saddr @eth0.2-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.2-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 2: " level info<br />
}<br />
<br />
chain eth0.3-allowed-net {<br />
ip saddr @eth0.3-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.3-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 3: " level info<br />
}<br />
<br />
chain eth0.4-allowed-net {<br />
ip saddr @eth0.4-allowed-net-ip4-set accept<br />
ip6 saddr @eth0.4-allowed-net-ip6-set accept<br />
#log prefix "Allowed packet allow net 4: " level info<br />
}<br />
<br />
chain eth1-allowed-net {<br />
ip saddr @eth1-allowed-net-ip4-set accept<br />
#log prefix "Allowed packet allow eth1: " level info<br />
}<br />
<br />
chain tun0-allowed-net {<br />
ip saddr @tun0-allowed-net-ip4-set accept<br />
#log prefix "Allowed packet allow tun0: " level info<br />
}<br />
<br />
chain LOG_DROP_BOGON_IN {<br />
log prefix "Dropped Bogon outgoing " drop<br />
}<br />
chain LOG_DROP_BOGON_OUT {<br />
log prefix "Dropped Bogon incoming " drop<br />
}<br />
chain LOG_DROP_BOGON_PR {<br />
log prefix "Dropped Bogon prerouting " drop<br />
}<br />
}</pre><br />
<br />
Add nftables to the default run level:<br />
<br />
{{cmd|rc-update add nftables default}}<br />
<br />
= Router Advertisements =<br />
<br />
Now we need to configure radvd to give router advertisements to out VLANs for addressing and routing.<br />
<br />
{{cmd|apk add radvd}}<br />
<br />
Once radvd is installed, you may configure it:<br />
<br />
== /etc/radvd.conf ==<br />
<br />
<pre>interface eth0.2 {<br />
<br />
# We are sending advertisements (route)<br />
AdvSendAdvert on;<br />
<br />
# When set, host use the administered (stateful) protocol<br />
# for address autoconfiguration. The use of this flag is<br />
# described in RFC 4862<br />
AdvManagedFlag on;<br />
<br />
# When set, host use the administered (stateful) protocol<br />
# for address autoconfiguration. For other (non-address)<br />
# information.<br />
# The use of this flag is described in RFC 4862<br />
AdvOtherConfigFlag on;<br />
<br />
# Suggested Maximum Transmission setting for using the<br />
# Hurricane Electric Tunnel Broker.<br />
# AdvLinkMTU 1480;<br />
<br />
# We have native Dual Stack IPv6 so we can use the regular MTU<br />
# http://blogs.cisco.com/enterprise/ipv6-mtu-gotchas-and-other-icmp-issues<br />
AdvLinkMTU 1500;<br />
<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on; ## SLAAC based on EUI<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
interface eth0.3 {<br />
<br />
AdvSendAdvert on;<br />
AdvManagedFlag on;<br />
AdvOtherConfigFlag on;<br />
AdvLinkMTU 1500;<br />
<br />
# Helps the route not get lost when on WiFi with packet loss<br />
MaxRtrAdvInterval 30;<br />
AdvDefaultLifetime 9000;<br />
<br />
prefix fde4:8dba:82e1:fff3::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on; ## SLAAC based on EUI<br />
};<br />
};</pre><br />
<br />
Add radvd to the default run level:<br />
<br />
{{cmd|rc-update add radvd default}}<br />
<br />
= DHCP =<br />
You may decide you want more control over your network address assignment. I like to have certain hosts get certain addresses when they connect on a particular VLAN, note v2 and v3. You can do this with:<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.21 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
<br />
host wifi_ap {<br />
hardware ethernet <mac_addess>;<br />
fixed-address 192.168.1.11;<br />
option subnet-mask 255.255.255.0;<br />
option routers 192.168.1.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.40 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.2.1;<br />
allow unknown-clients;<br />
<br />
host host-v2 {<br />
hardware ethernet <mac_address>;<br />
fixed-address 192.168.2.30;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.20 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.3.1;<br />
ignore unknown-clients;<br />
<br />
host host-v3 {<br />
hardware ethernet <mac_address>;<br />
fixed-address 192.168.3.30;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option host-name "<hostname>";<br />
}<br />
}<br />
<br />
subnet 192.168.4.0 netmask 255.255.255.0 {<br />
range 192.168.4.40 192.168.4.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.4.255;<br />
option routers 192.168.4.1;<br />
option ntp-servers 192.168.4.1;<br />
option domain-name-servers 192.168.4.1;<br />
<br />
host printer {<br />
hardware ethernet <PRINTER_MAC_ADDRESS>;<br />
fixed-address 192.168.4.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.4.255;<br />
option routers 192.168.4.1;<br />
option host-name "My_Printer";<br />
} ignore unknown-clients;<br />
}</pre><br />
<br />
For IPv6 I don't use DHCPv6 because Android doesn't support it. I just let SLAAC assign addresses.<br />
<br />
= VPN Tunnel VLAN3 =<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN<br />
3 LAN</pre><br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
/sbin/ip -6 rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
/sbin/ip -6 rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300<br />
/sbin/ip -6 rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/network/route_LAN ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script adds the LAN routes.<br />
#<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0.2 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0.2 table ISP<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}<br />
<br />
# Add route to LAN subnet<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table ISP</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.3.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.3.0/24 dev eth0.3 table VPN<br />
/sbin/ip -6 route add fde4:8dba:82e1:fff3::/64 dev eth0.3 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
/sbin/ip -6 rule add from fde4:8dba:82e1:fff3::/64 table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN<br />
/sbin/ip -6 route add default dev tun0 table VPN <br />
<br />
# Add route to LAN only subnet<br />
/sbin/ip route add 192.168.4.0/24 dev eth0.4 table VPN<br />
<br />
# Add route to IP on VPN for traffic originating from the router<br />
/sbin/ip route add 172.16.32.1 dev tun0</pre><br />
<br />
== /etc/openvpn/route-down-fwmark.sh ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200<br />
/sbin/ip -6 rule del from fde4:8dba:82e1:fff3::/64 table VPN prio 200<br />
<br />
# Delete route to IP on VPN for traffic originating from the router<br />
/sbin/ip route del 172.16.32.1 dev tun0</pre><br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in your VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
<br />
[[category: Raspberry]]<br />
[[category: VPN]]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=16445Linux Router with VPN on a Raspberry Pi2019-09-17T10:26:28Z<p>Dngray: /* Configuring Dante */</p>
<hr />
<div>[[Category:Networking]]<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Configuring PPP =<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem. <br />
<br />
See [[PPP]], you will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255<br />
<br />
# External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Blocking Microsoft Telemetry on the network by domain ==<br />
Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found [https://www.privacytools.io/operating-systems/#win10 here].<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie [https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS/DWSResources.cs#L210 Destroy-Windows-10-Spying], [https://github.com/10se1ucgo/DisableWinTracking/blob/master/dwt.py#L333 DisableWinTracking], [https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1#L19 Debloat-Windows-10] and [https://github.com/pragmatrix/Dominator/blob/master/Dominator.Windows10/Settings/telemetry.txt Dominator.Windows10]. I have prepared the list further down: [[Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf]].<br />
<br />
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/uBlock_Origin uBlock Origin].<br />
<br />
Another way is to disable this stuff with a group policy see [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services Manage connections from Windows operating system components to Microsoft services] only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== /etc/unbound/filter.conf ==<br />
<pre>local-zone: "a-0001.a-msedge.net" redirect<br />
local-data: "a-0001.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0001.dc-msedge.net" redirect<br />
local-data: "a-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "a-0002.a-msedge.net" redirect<br />
local-data: "a-0002.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0003.a-msedge.net" redirect<br />
local-data: "a-0003.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0004.a-msedge.net" redirect<br />
local-data: "a-0004.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0005.a-msedge.net" redirect<br />
local-data: "a-0005.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0006.a-msedge.net" redirect<br />
local-data: "a-0006.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0007.a-msedge.net" redirect<br />
local-data: "a-0007.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0008.a-msedge.net" redirect<br />
local-data: "a-0008.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0009.a-msedge.net" redirect<br />
local-data: "a-0009.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0010.a-msedge.net" redirect<br />
local-data: "a-0010.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0011.a-msedge.net" redirect<br />
local-data: "a-0011.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0012.a-msedge.net" redirect<br />
local-data: "a-0012.a-msedge.net A 0.0.0.1"<br />
local-zone: "a.ads1.msn.com" redirect<br />
local-data: "a.ads1.msn.com A 0.0.0.1"<br />
local-zone: "a.ads2.msads.net" redirect<br />
local-data: "a.ads2.msads.net A 0.0.0.1"<br />
local-zone: "a.ads2.msn.com" redirect<br />
local-data: "a.ads2.msn.com A 0.0.0.1"<br />
local-zone: "ac3.msn.com" redirect<br />
local-data: "ac3.msn.com A 0.0.0.1"<br />
local-zone: "activity.windows.com" redirect<br />
local-data: "activity.windows.com A 0.0.0.1"<br />
local-zone: "adnexus.net" redirect<br />
local-data: "adnexus.net A 0.0.0.1"<br />
local-zone: "adnxs.com" redirect<br />
local-data: "adnxs.com A 0.0.0.1"<br />
local-zone: "ads1.msads.net" redirect<br />
local-data: "ads1.msads.net A 0.0.0.1"<br />
local-zone: "ads1.msn.com" redirect<br />
local-data: "ads1.msn.com A 0.0.0.1"<br />
local-zone: "ads.msn.com" redirect<br />
local-data: "ads.msn.com A 0.0.0.1"<br />
local-zone: "aidps.atdmt.com" redirect<br />
local-data: "aidps.atdmt.com A 0.0.0.1"<br />
local-zone: "aka-cdn-ns.adtech.de" redirect<br />
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"<br />
local-zone: "a-msedge.net" redirect<br />
local-data: "a-msedge.net A 0.0.0.1"<br />
local-zone: "a.rad.msn.com" redirect<br />
local-data: "a.rad.msn.com A 0.0.0.1"<br />
local-zone: "array101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array102-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array102-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array103-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array103-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array104-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array104-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array202-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array202-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array203-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array203-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array204-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array204-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array402-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array402-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array403-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array403-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array404-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array404-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array405-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array405-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array406-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array406-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array407-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array407-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array408-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array408-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "ars.smartscreen.microsoft.com" redirect<br />
local-data: "ars.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "az361816.vo.msecnd.net" redirect<br />
local-data: "az361816.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "az512334.vo.msecnd.net" redirect<br />
local-data: "az512334.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "b.ads1.msn.com" redirect<br />
local-data: "b.ads1.msn.com A 0.0.0.1"<br />
local-zone: "b.ads2.msads.net" redirect<br />
local-data: "b.ads2.msads.net A 0.0.0.1"<br />
local-zone: "bingads.microsoft.com" redirect<br />
local-data: "bingads.microsoft.com A 0.0.0.1"<br />
local-zone: "bl3301-a.1drv.com" redirect<br />
local-data: "bl3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-c.1drv.com" redirect<br />
local-data: "bl3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-g.1drv.com" redirect<br />
local-data: "bl3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "blob.weather.microsoft.com" redirect<br />
local-data: "blob.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "bn1304-e.1drv.com" redirect<br />
local-data: "bn1304-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-a.1drv.com" redirect<br />
local-data: "bn1306-a.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-e.1drv.com" redirect<br />
local-data: "bn1306-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-g.1drv.com" redirect<br />
local-data: "bn1306-g.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor002.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor003.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor003.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor004.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor004.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2wns1.wns.windows.com" redirect<br />
local-data: "bn2wns1.wns.windows.com A 0.0.0.1"<br />
local-zone: "bn3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn3sch020022328.wns.windows.com" redirect<br />
local-data: "bn3sch020022328.wns.windows.com A 0.0.0.1"<br />
local-zone: "b.rad.msn.com" redirect<br />
local-data: "b.rad.msn.com A 0.0.0.1"<br />
local-zone: "bs.serving-sys.com" redirect<br />
local-data: "bs.serving-sys.com A 0.0.0.1"<br />
local-zone: "by3301-a.1drv.com" redirect<br />
local-data: "by3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-c.1drv.com" redirect<br />
local-data: "by3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-e.1drv.com" redirect<br />
local-data: "by3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "c-0001.dc-msedge.net" redirect<br />
local-data: "c-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "cache.datamart.windows.com" redirect<br />
local-data: "cache.datamart.windows.com A 0.0.0.1"<br />
local-zone: "candycrushsoda.king.com" redirect<br />
local-data: "candycrushsoda.king.com A 0.0.0.1"<br />
local-zone: "c.atdmt.com" redirect<br />
local-data: "c.atdmt.com A 0.0.0.1"<br />
local-zone: "ca.telemetry.microsoft.com" redirect<br />
local-data: "ca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "cdn.atdmt.com" redirect<br />
local-data: "cdn.atdmt.com A 0.0.0.1"<br />
local-zone: "cdn.content.prod.cms.msn.com" redirect<br />
local-data: "cdn.content.prod.cms.msn.com A 0.0.0.1"<br />
local-zone: "cdn.onenote.net" redirect<br />
local-data: "cdn.onenote.net A 0.0.0.1"<br />
local-zone: "cds1204.lon.llnw.net" redirect<br />
local-data: "cds1204.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds1293.lon.llnw.net" redirect<br />
local-data: "cds1293.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds20417.lcy.llnw.net" redirect<br />
local-data: "cds20417.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20431.lcy.llnw.net" redirect<br />
local-data: "cds20431.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20450.lcy.llnw.net" redirect<br />
local-data: "cds20450.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20457.lcy.llnw.net" redirect<br />
local-data: "cds20457.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20475.lcy.llnw.net" redirect<br />
local-data: "cds20475.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds21244.lon.llnw.net" redirect<br />
local-data: "cds21244.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds26.ams9.msecn.net" redirect<br />
local-data: "cds26.ams9.msecn.net A 0.0.0.1"<br />
local-zone: "cds425.lcy.llnw.net" redirect<br />
local-data: "cds425.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds459.lcy.llnw.net" redirect<br />
local-data: "cds459.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds494.lcy.llnw.net" redirect<br />
local-data: "cds494.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds965.lon.llnw.net" redirect<br />
local-data: "cds965.lon.llnw.net A 0.0.0.1"<br />
local-zone: "ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-c.1drv.com" redirect<br />
local-data: "ch3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-e.1drv.com" redirect<br />
local-data: "ch3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-g.1drv.com" redirect<br />
local-data: "ch3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-c.1drv.com" redirect<br />
local-data: "ch3302-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-e.1drv.com" redirect<br />
local-data: "ch3302-e.1drv.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com" redirect<br />
local-data: "choice.microsoft.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com.nsatc.net" redirect<br />
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "clientconfig.passport.net" redirect<br />
local-data: "clientconfig.passport.net A 0.0.0.1"<br />
local-zone: "client-s.gateway.messenger.live.com" redirect<br />
local-data: "client-s.gateway.messenger.live.com A 0.0.0.1"<br />
local-zone: "client.wns.windows.com" redirect<br />
local-data: "client.wns.windows.com A 0.0.0.1"<br />
local-zone: "c.msn.com" redirect<br />
local-data: "c.msn.com A 0.0.0.1"<br />
local-zone: "compatexchange1.trafficmanager.net" redirect<br />
local-data: "compatexchange1.trafficmanager.net A 0.0.0.1"<br />
local-zone: "compatexchange.cloudapp.net" redirect<br />
local-data: "compatexchange.cloudapp.net A 0.0.0.1"<br />
local-zone: "continuum.dds.microsoft.com" redirect<br />
local-data: "continuum.dds.microsoft.com A 0.0.0.1"<br />
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect<br />
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "corp.sts.microsoft.com" redirect<br />
local-data: "corp.sts.microsoft.com A 0.0.0.1"<br />
local-zone: "cp101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cs1.wpc.v0cdn.net" redirect<br />
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"<br />
local-zone: "db3aqu.atdmt.com" redirect<br />
local-data: "db3aqu.atdmt.com A 0.0.0.1"<br />
local-zone: "db3wns2011111.wns.windows.com" redirect<br />
local-data: "db3wns2011111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100122.wns.windows.com" redirect<br />
local-data: "db5sch101100122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100127.wns.windows.com" redirect<br />
local-data: "db5sch101100127.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100831.wns.windows.com" redirect<br />
local-data: "db5sch101100831.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100835.wns.windows.com" redirect<br />
local-data: "db5sch101100835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100917.wns.windows.com" redirect<br />
local-data: "db5sch101100917.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100925.wns.windows.com" redirect<br />
local-data: "db5sch101100925.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100928.wns.windows.com" redirect<br />
local-data: "db5sch101100928.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100938.wns.windows.com" redirect<br />
local-data: "db5sch101100938.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101001.wns.windows.com" redirect<br />
local-data: "db5sch101101001.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101022.wns.windows.com" redirect<br />
local-data: "db5sch101101022.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101024.wns.windows.com" redirect<br />
local-data: "db5sch101101024.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101031.wns.windows.com" redirect<br />
local-data: "db5sch101101031.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101034.wns.windows.com" redirect<br />
local-data: "db5sch101101034.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101042.wns.windows.com" redirect<br />
local-data: "db5sch101101042.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101044.wns.windows.com" redirect<br />
local-data: "db5sch101101044.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101122.wns.windows.com" redirect<br />
local-data: "db5sch101101122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101123.wns.windows.com" redirect<br />
local-data: "db5sch101101123.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101125.wns.windows.com" redirect<br />
local-data: "db5sch101101125.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101128.wns.windows.com" redirect<br />
local-data: "db5sch101101128.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101129.wns.windows.com" redirect<br />
local-data: "db5sch101101129.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101133.wns.windows.com" redirect<br />
local-data: "db5sch101101133.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101145.wns.windows.com" redirect<br />
local-data: "db5sch101101145.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101209.wns.windows.com" redirect<br />
local-data: "db5sch101101209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101221.wns.windows.com" redirect<br />
local-data: "db5sch101101221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101228.wns.windows.com" redirect<br />
local-data: "db5sch101101228.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101231.wns.windows.com" redirect<br />
local-data: "db5sch101101231.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101237.wns.windows.com" redirect<br />
local-data: "db5sch101101237.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101317.wns.windows.com" redirect<br />
local-data: "db5sch101101317.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101324.wns.windows.com" redirect<br />
local-data: "db5sch101101324.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101329.wns.windows.com" redirect<br />
local-data: "db5sch101101329.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101333.wns.windows.com" redirect<br />
local-data: "db5sch101101333.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101334.wns.windows.com" redirect<br />
local-data: "db5sch101101334.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101338.wns.windows.com" redirect<br />
local-data: "db5sch101101338.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101419.wns.windows.com" redirect<br />
local-data: "db5sch101101419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101424.wns.windows.com" redirect<br />
local-data: "db5sch101101424.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101426.wns.windows.com" redirect<br />
local-data: "db5sch101101426.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101427.wns.windows.com" redirect<br />
local-data: "db5sch101101427.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101430.wns.windows.com" redirect<br />
local-data: "db5sch101101430.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101445.wns.windows.com" redirect<br />
local-data: "db5sch101101445.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101511.wns.windows.com" redirect<br />
local-data: "db5sch101101511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101519.wns.windows.com" redirect<br />
local-data: "db5sch101101519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101529.wns.windows.com" redirect<br />
local-data: "db5sch101101529.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101535.wns.windows.com" redirect<br />
local-data: "db5sch101101535.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101541.wns.windows.com" redirect<br />
local-data: "db5sch101101541.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101543.wns.windows.com" redirect<br />
local-data: "db5sch101101543.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101608.wns.windows.com" redirect<br />
local-data: "db5sch101101608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101618.wns.windows.com" redirect<br />
local-data: "db5sch101101618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101629.wns.windows.com" redirect<br />
local-data: "db5sch101101629.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101631.wns.windows.com" redirect<br />
local-data: "db5sch101101631.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101633.wns.windows.com" redirect<br />
local-data: "db5sch101101633.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101640.wns.windows.com" redirect<br />
local-data: "db5sch101101640.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101711.wns.windows.com" redirect<br />
local-data: "db5sch101101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101722.wns.windows.com" redirect<br />
local-data: "db5sch101101722.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101739.wns.windows.com" redirect<br />
local-data: "db5sch101101739.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101745.wns.windows.com" redirect<br />
local-data: "db5sch101101745.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101813.wns.windows.com" redirect<br />
local-data: "db5sch101101813.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101820.wns.windows.com" redirect<br />
local-data: "db5sch101101820.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101826.wns.windows.com" redirect<br />
local-data: "db5sch101101826.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101835.wns.windows.com" redirect<br />
local-data: "db5sch101101835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101837.wns.windows.com" redirect<br />
local-data: "db5sch101101837.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101844.wns.windows.com" redirect<br />
local-data: "db5sch101101844.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101907.wns.windows.com" redirect<br />
local-data: "db5sch101101907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101914.wns.windows.com" redirect<br />
local-data: "db5sch101101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101929.wns.windows.com" redirect<br />
local-data: "db5sch101101929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101939.wns.windows.com" redirect<br />
local-data: "db5sch101101939.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101941.wns.windows.com" redirect<br />
local-data: "db5sch101101941.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102015.wns.windows.com" redirect<br />
local-data: "db5sch101102015.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102017.wns.windows.com" redirect<br />
local-data: "db5sch101102017.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102019.wns.windows.com" redirect<br />
local-data: "db5sch101102019.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102023.wns.windows.com" redirect<br />
local-data: "db5sch101102023.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102025.wns.windows.com" redirect<br />
local-data: "db5sch101102025.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102032.wns.windows.com" redirect<br />
local-data: "db5sch101102032.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102033.wns.windows.com" redirect<br />
local-data: "db5sch101102033.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110108.wns.windows.com" redirect<br />
local-data: "db5sch101110108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110109.wns.windows.com" redirect<br />
local-data: "db5sch101110109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110114.wns.windows.com" redirect<br />
local-data: "db5sch101110114.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110135.wns.windows.com" redirect<br />
local-data: "db5sch101110135.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110142.wns.windows.com" redirect<br />
local-data: "db5sch101110142.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110204.wns.windows.com" redirect<br />
local-data: "db5sch101110204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110206.wns.windows.com" redirect<br />
local-data: "db5sch101110206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110214.wns.windows.com" redirect<br />
local-data: "db5sch101110214.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110225.wns.windows.com" redirect<br />
local-data: "db5sch101110225.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110232.wns.windows.com" redirect<br />
local-data: "db5sch101110232.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110245.wns.windows.com" redirect<br />
local-data: "db5sch101110245.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110315.wns.windows.com" redirect<br />
local-data: "db5sch101110315.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110323.wns.windows.com" redirect<br />
local-data: "db5sch101110323.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110325.wns.windows.com" redirect<br />
local-data: "db5sch101110325.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110328.wns.windows.com" redirect<br />
local-data: "db5sch101110328.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110331.wns.windows.com" redirect<br />
local-data: "db5sch101110331.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110341.wns.windows.com" redirect<br />
local-data: "db5sch101110341.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110343.wns.windows.com" redirect<br />
local-data: "db5sch101110343.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110345.wns.windows.com" redirect<br />
local-data: "db5sch101110345.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110403.wns.windows.com" redirect<br />
local-data: "db5sch101110403.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110419.wns.windows.com" redirect<br />
local-data: "db5sch101110419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110438.wns.windows.com" redirect<br />
local-data: "db5sch101110438.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110442.wns.windows.com" redirect<br />
local-data: "db5sch101110442.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110501.wns.windows.com" redirect<br />
local-data: "db5sch101110501.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110527.wns.windows.com" redirect<br />
local-data: "db5sch101110527.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110533.wns.windows.com" redirect<br />
local-data: "db5sch101110533.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110618.wns.windows.com" redirect<br />
local-data: "db5sch101110618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110622.wns.windows.com" redirect<br />
local-data: "db5sch101110622.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110624.wns.windows.com" redirect<br />
local-data: "db5sch101110624.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110626.wns.windows.com" redirect<br />
local-data: "db5sch101110626.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110634.wns.windows.com" redirect<br />
local-data: "db5sch101110634.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110705.wns.windows.com" redirect<br />
local-data: "db5sch101110705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110724.wns.windows.com" redirect<br />
local-data: "db5sch101110724.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110740.wns.windows.com" redirect<br />
local-data: "db5sch101110740.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110810.wns.windows.com" redirect<br />
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110816.wns.windows.com" redirect<br />
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110821.wns.windows.com" redirect<br />
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110822.wns.windows.com" redirect<br />
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110825.wns.windows.com" redirect<br />
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110828.wns.windows.com" redirect<br />
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110835.wns.windows.com" redirect<br />
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110919.wns.windows.com" redirect<br />
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110921.wns.windows.com" redirect<br />
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110923.wns.windows.com" redirect<br />
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110929.wns.windows.com" redirect<br />
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103081814.wns.windows.com" redirect<br />
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082011.wns.windows.com" redirect<br />
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082111.wns.windows.com" redirect<br />
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082308.wns.windows.com" redirect<br />
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082406.wns.windows.com" redirect<br />
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082409.wns.windows.com" redirect<br />
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082609.wns.windows.com" redirect<br />
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082611.wns.windows.com" redirect<br />
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082709.wns.windows.com" redirect<br />
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082712.wns.windows.com" redirect<br />
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082806.wns.windows.com" redirect<br />
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090115.wns.windows.com" redirect<br />
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090415.wns.windows.com" redirect<br />
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090513.wns.windows.com" redirect<br />
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090515.wns.windows.com" redirect<br />
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090608.wns.windows.com" redirect<br />
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090806.wns.windows.com" redirect<br />
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090814.wns.windows.com" redirect<br />
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090906.wns.windows.com" redirect<br />
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091011.wns.windows.com" redirect<br />
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091012.wns.windows.com" redirect<br />
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091106.wns.windows.com" redirect<br />
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091108.wns.windows.com" redirect<br />
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091212.wns.windows.com" redirect<br />
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091311.wns.windows.com" redirect<br />
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091414.wns.windows.com" redirect<br />
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091511.wns.windows.com" redirect<br />
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091617.wns.windows.com" redirect<br />
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091715.wns.windows.com" redirect<br />
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091817.wns.windows.com" redirect<br />
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091908.wns.windows.com" redirect<br />
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091911.wns.windows.com" redirect<br />
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092010.wns.windows.com" redirect<br />
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092108.wns.windows.com" redirect<br />
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092109.wns.windows.com" redirect<br />
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092209.wns.windows.com" redirect<br />
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092210.wns.windows.com" redirect<br />
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092509.wns.windows.com" redirect<br />
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100117.wns.windows.com" redirect<br />
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100121.wns.windows.com" redirect<br />
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100221.wns.windows.com" redirect<br />
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100313.wns.windows.com" redirect<br />
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100314.wns.windows.com" redirect<br />
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100510.wns.windows.com" redirect<br />
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100511.wns.windows.com" redirect<br />
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100611.wns.windows.com" redirect<br />
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100712.wns.windows.com" redirect<br />
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101105.wns.windows.com" redirect<br />
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101208.wns.windows.com" redirect<br />
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101212.wns.windows.com" redirect<br />
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101314.wns.windows.com" redirect<br />
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101411.wns.windows.com" redirect<br />
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101413.wns.windows.com" redirect<br />
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101513.wns.windows.com" redirect<br />
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101610.wns.windows.com" redirect<br />
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101611.wns.windows.com" redirect<br />
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101705.wns.windows.com" redirect<br />
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101711.wns.windows.com" redirect<br />
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101909.wns.windows.com" redirect<br />
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101914.wns.windows.com" redirect<br />
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102009.wns.windows.com" redirect<br />
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102112.wns.windows.com" redirect<br />
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102203.wns.windows.com" redirect<br />
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102209.wns.windows.com" redirect<br />
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102310.wns.windows.com" redirect<br />
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102404.wns.windows.com" redirect<br />
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102609.wns.windows.com" redirect<br />
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102610.wns.windows.com" redirect<br />
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102805.wns.windows.com" redirect<br />
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5wns1d.wns.windows.com" redirect<br />
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5.wns.windows.com" redirect<br />
local-data: "db5.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090104.wns.windows.com" redirect<br />
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090112.wns.windows.com" redirect<br />
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090116.wns.windows.com" redirect<br />
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090122.wns.windows.com" redirect<br />
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090203.wns.windows.com" redirect<br />
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090206.wns.windows.com" redirect<br />
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090208.wns.windows.com" redirect<br />
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090209.wns.windows.com" redirect<br />
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090211.wns.windows.com" redirect<br />
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090305.wns.windows.com" redirect<br />
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090306.wns.windows.com" redirect<br />
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090308.wns.windows.com" redirect<br />
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090311.wns.windows.com" redirect<br />
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090313.wns.windows.com" redirect<br />
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090410.wns.windows.com" redirect<br />
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090412.wns.windows.com" redirect<br />
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090504.wns.windows.com" redirect<br />
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090510.wns.windows.com" redirect<br />
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090512.wns.windows.com" redirect<br />
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090513.wns.windows.com" redirect<br />
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090514.wns.windows.com" redirect<br />
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090519.wns.windows.com" redirect<br />
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090613.wns.windows.com" redirect<br />
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090619.wns.windows.com" redirect<br />
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090810.wns.windows.com" redirect<br />
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090811.wns.windows.com" redirect<br />
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090902.wns.windows.com" redirect<br />
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090905.wns.windows.com" redirect<br />
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090907.wns.windows.com" redirect<br />
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090908.wns.windows.com" redirect<br />
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090910.wns.windows.com" redirect<br />
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090911.wns.windows.com" redirect<br />
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091003.wns.windows.com" redirect<br />
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091007.wns.windows.com" redirect<br />
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091008.wns.windows.com" redirect<br />
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091009.wns.windows.com" redirect<br />
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091011.wns.windows.com" redirect<br />
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091103.wns.windows.com" redirect<br />
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091105.wns.windows.com" redirect<br />
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091204.wns.windows.com" redirect<br />
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091209.wns.windows.com" redirect<br />
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091305.wns.windows.com" redirect<br />
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091307.wns.windows.com" redirect<br />
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091308.wns.windows.com" redirect<br />
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091309.wns.windows.com" redirect<br />
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091314.wns.windows.com" redirect<br />
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091412.wns.windows.com" redirect<br />
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091503.wns.windows.com" redirect<br />
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091507.wns.windows.com" redirect<br />
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091602.wns.windows.com" redirect<br />
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091603.wns.windows.com" redirect<br />
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091606.wns.windows.com" redirect<br />
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091607.wns.windows.com" redirect<br />
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"<br />
local-zone: "deploy.static.akamaitechnologies.com" redirect<br />
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"<br />
local-zone: "device.auth.xboxlive.com" redirect<br />
local-data: "device.auth.xboxlive.com A 0.0.0.1"<br />
local-zone: "dev.virtualearth.net" redirect<br />
local-data: "dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "df.telemetry.microsoft.com" redirect<br />
local-data: "df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "diagnostics.support.microsoft.com" redirect<br />
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"<br />
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "dmd.metaservices.microsoft.com" redirect<br />
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "dns.msftncsi.com" redirect<br />
local-data: "dns.msftncsi.com A 0.0.0.1"<br />
local-zone: "ec.atdmt.com" redirect<br />
local-data: "ec.atdmt.com A 0.0.0.1"<br />
local-zone: "ecn.dev.virtualearth.net" redirect<br />
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "eu.vortex.data.microsoft.com" redirect<br />
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.microsoft-hohm.com" redirect<br />
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"<br />
local-zone: "feedback.search.microsoft.com" redirect<br />
local-data: "feedback.search.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.windows.com" redirect<br />
local-data: "feedback.windows.com A 0.0.0.1"<br />
local-zone: "flex.msn.com" redirect<br />
local-data: "flex.msn.com A 0.0.0.1"<br />
local-zone: "fs.microsoft.com" redirect<br />
local-data: "fs.microsoft.com A 0.0.0.1"<br />
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "g.msn.com" redirect<br />
local-data: "g.msn.com A 0.0.0.1"<br />
local-zone: "h1.msn.com" redirect<br />
local-data: "h1.msn.com A 0.0.0.1"<br />
local-zone: "h2.msn.com" redirect<br />
local-data: "h2.msn.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com" redirect<br />
local-data: "i1.services.social.microsoft.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect<br />
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "img-s-msn-com.akamaized.net" redirect<br />
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"<br />
local-zone: "inference.location.live.net" redirect<br />
local-data: "inference.location.live.net A 0.0.0.1"<br />
local-zone: "insiderppe.cloudapp.net" redirect<br />
local-data: "insiderppe.cloudapp.net A 0.0.0.1"<br />
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "lb1.www.ms.akadns.net" redirect<br />
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"<br />
local-zone: "licensing.mp.microsoft.com" redirect<br />
local-data: "licensing.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "live.rads.msn.com" redirect<br />
local-data: "live.rads.msn.com A 0.0.0.1"<br />
local-zone: "ls2web.redmond.corp.microsoft.com" redirect<br />
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"<br />
local-zone: "m.adnxs.com" redirect<br />
local-data: "m.adnxs.com A 0.0.0.1"<br />
local-zone: "mediaredirect.microsoft.com" redirect<br />
local-data: "mediaredirect.microsoft.com A 0.0.0.1"<br />
local-zone: "mobile.pipe.aria.microsoft.com" redirect<br />
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"<br />
local-zone: "msedge.net" redirect<br />
local-data: "msedge.net A 0.0.0.1"<br />
local-zone: "msftncsi.com" redirect<br />
local-data: "msftncsi.com A 0.0.0.1"<br />
local-zone: "msntest.serving-sys.com" redirect<br />
local-data: "msntest.serving-sys.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com" redirect<br />
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "officeclient.microsoft.com" redirect<br />
local-data: "officeclient.microsoft.com A 0.0.0.1"<br />
local-zone: "oneclient.sfx.ms" redirect<br />
local-data: "oneclient.sfx.ms A 0.0.0.1"<br />
local-zone: "pre.footprintpredict.com" redirect<br />
local-data: "pre.footprintpredict.com A 0.0.0.1"<br />
local-zone: "preview.msn.com" redirect<br />
local-data: "preview.msn.com A 0.0.0.1"<br />
local-zone: "pti.store.microsoft.com" redirect<br />
local-data: "pti.store.microsoft.com A 0.0.0.1"<br />
local-zone: "query.prod.cms.rt.microsoft.com" redirect<br />
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"<br />
local-zone: "rad.msn.com" redirect<br />
local-data: "rad.msn.com A 0.0.0.1"<br />
local-zone: "redir.metaservices.microsoft.com" redirect<br />
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "register.cdpcs.microsoft.com" redirect<br />
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"<br />
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "s0.2mdn.net" redirect<br />
local-data: "s0.2mdn.net A 0.0.0.1"<br />
local-zone: "schemas.microsoft.akadns.net" redirect<br />
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "search.msn.com" redirect<br />
local-data: "search.msn.com A 0.0.0.1"<br />
local-zone: "secure.adnxs.com" redirect<br />
local-data: "secure.adnxs.com A 0.0.0.1"<br />
local-zone: "secure.flashtalking.com" redirect<br />
local-data: "secure.flashtalking.com A 0.0.0.1"<br />
local-zone: "services.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.glbdns2.microsoft.com" redirect<br />
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.microsoft.com" redirect<br />
local-data: "settings.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-sandbox.data.microsoft.com" redirect<br />
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-ssl.xboxlive.com" redirect<br />
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"<br />
local-zone: "settings-win.data.microsoft.com" redirect<br />
local-data: "settings-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-win-ppe.data.microsoft.com" redirect<br />
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"<br />
local-zone: "sn3301-c.1drv.com" redirect<br />
local-data: "sn3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-e.1drv.com" redirect<br />
local-data: "sn3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-g.1drv.com" redirect<br />
local-data: "sn3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "so.2mdn.net" redirect<br />
local-data: "so.2mdn.net A 0.0.0.1"<br />
local-zone: "spynet2.microsoft.com" redirect<br />
local-data: "spynet2.microsoft.com A 0.0.0.1"<br />
local-zone: "spynetalt.microsoft.com" redirect<br />
local-data: "spynetalt.microsoft.com A 0.0.0.1"<br />
local-zone: "spyneteurope.microsoft.akadns.net" redirect<br />
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "sqm.df.telemetry.microsoft.com" redirect<br />
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com" redirect<br />
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "static.2mdn.net" redirect<br />
local-data: "static.2mdn.net A 0.0.0.1"<br />
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect<br />
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"<br />
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect<br />
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "store-images.s-microsoft.com" redirect<br />
local-data: "store-images.s-microsoft.com A 0.0.0.1"<br />
local-zone: "support.microsoft.com" redirect<br />
local-data: "support.microsoft.com A 0.0.0.1"<br />
local-zone: "survey.watson.microsoft.com" redirect<br />
local-data: "survey.watson.microsoft.com A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com" redirect<br />
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "telemetry.appex.bing.net" redirect<br />
local-data: "telemetry.appex.bing.net A 0.0.0.1"<br />
local-zone: "telemetry.microsoft.com" redirect<br />
local-data: "telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telemetry.urs.microsoft.com" redirect<br />
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"<br />
local-zone: "test.activity.windows.com" redirect<br />
local-data: "test.activity.windows.com A 0.0.0.1"<br />
local-zone: "tile-service.weather.microsoft.com" redirect<br />
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "time.windows.com" redirect<br />
local-data: "time.windows.com A 0.0.0.1"<br />
local-zone: "tk2.plt.msn.com" redirect<br />
local-data: "tk2.plt.msn.com A 0.0.0.1"<br />
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect<br />
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "urs.smartscreen.microsoft.com" redirect<br />
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.microsoft.com" redirect<br />
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "version.hybrid.api.here.com" redirect<br />
local-data: "version.hybrid.api.here.com A 0.0.0.1"<br />
local-zone: "view.atdmt.com" redirect<br />
local-data: "view.atdmt.com A 0.0.0.1"<br />
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.glbdns2.microsoft.com" redirect<br />
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.microsoft.com" redirect<br />
local-data: "vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-sandbox.data.microsoft.com" redirect<br />
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-win.data.microsoft.com" redirect<br />
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.microsoft.com" redirect<br />
local-data: "watson.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.ppe.telemetry.microsoft.com" redirect<br />
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com" redirect<br />
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "wdcpalt.microsoft.com" redirect<br />
local-data: "wdcpalt.microsoft.com A 0.0.0.1"<br />
local-zone: "wdcp.microsoft.com" redirect<br />
local-data: "wdcp.microsoft.com A 0.0.0.1"<br />
local-zone: "web.vortex.data.microsoft.com" redirect<br />
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "wes.df.telemetry.microsoft.com" redirect<br />
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "win10.ipv6.microsoft.com" redirect<br />
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "win10-trt.msedge.net" redirect<br />
local-data: "win10-trt.msedge.net A 0.0.0.1"<br />
local-zone: "win1710.ipv6.microsoft.com" redirect<br />
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "wscont.apps.microsoft.com" redirect<br />
local-data: "wscont.apps.microsoft.com A 0.0.0.1"<br />
local-zone: "www.msedge.net" redirect<br />
local-data: "www.msedge.net A 0.0.0.1"<br />
local-zone: "www.msftconnecttest.com" redirect<br />
local-data: "www.msftconnecttest.com A 0.0.0.1"<br />
local-zone: "www.msftncsi.com" redirect<br />
local-data: "www.msftncsi.com A 0.0.0.1"</pre><br />
<br />
== DNSCrypt ==<br />
Configuring DNSCrypt to send it's lookups through the VPN and not directly out your ppp interface is done using a socks proxy.<br />
<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']<br />
proxy = "socks5://127.0.0.1:1080"</pre><br />
<br />
== Dante ==<br />
First install dante, you'll need to pin the testing repository. See: [[Alpine Linux package management#Repository pinning]].<br />
<br />
{{cmd|apk add dante-server@testing}}<br />
<br />
Configure it like so:<br />
<br />
=== /etc/sockd.conf ===<br />
<pre>logoutput: stderr<br />
internal: 127.0.0.1 port = 1080<br />
external: tun0<br />
clientmethod: none<br />
socksmethod: none<br />
user.unprivileged: sockd<br />
<br />
# Allow connections from localhost to any host<br />
client pass {<br />
from: 127.0.0.1/8 to: 0.0.0.0/0<br />
log: error # connect/disconnect<br />
}<br />
<br />
# Generic pass statement - bind/outgoing traffic<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bind connect udpassociate<br />
log: error # connect disconnect iooperation<br />
}<br />
<br />
# Generic pass statement for incoming connections/packets<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bindreply udpreply<br />
log: error # connect disconnect iooperation<br />
}</pre><br />
<br />
Finally the services to the the default run level:<br />
{{cmd|rc-update add sockd default}}<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]</div>Dngrayhttps://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=16444Linux Router with VPN on a Raspberry Pi2019-09-17T10:25:59Z<p>Dngray: /* Unbound DNS forwarder with dnscrypt */</p>
<hr />
<div>[[Category:Networking]]<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second ethernet adapter. If you are using a Raspberry Pi like I did, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support.<br />
<br />
You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.<br />
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I only chose a Raspberry Pi due to the fact it was inexpensive. My WAN link is pathetic so I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly to this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify parts which do not apply to you. <br />
<br />
In this example I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Configuring PPP =<br />
Next up we need to configure our router to be able to dial a PPP connection with our modem. <br />
<br />
See [[PPP]], you will want to make sure you set your WAN interface, in this example we used eth1.<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname eg:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the file name of the file in /etc/ppp/peers/yourISP<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255<br />
<br />
# External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
*filter<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP to modem's webserver<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward traffic to ISP<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP to modem<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note IPv6 is disabled here if you want that see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in that dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces to for dhcpd to listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options - see the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony]<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
Or if you prefer to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do our lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use it's [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Blocking Microsoft Telemetry on the network by domain ==<br />
Microsoft has added telemetry analytics to Windows which you may want to block at a network level. More information about that can be found [https://www.privacytools.io/operating-systems/#win10 here].<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie [https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS/DWSResources.cs#L210 Destroy-Windows-10-Spying], [https://github.com/10se1ucgo/DisableWinTracking/blob/master/dwt.py#L333 DisableWinTracking], [https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1#L19 Debloat-Windows-10] and [https://github.com/pragmatrix/Dominator/blob/master/Dominator.Windows10/Settings/telemetry.txt Dominator.Windows10]. I have prepared the list further down: [[Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf]].<br />
<br />
You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/uBlock_Origin uBlock Origin].<br />
<br />
Another way is to disable this stuff with a group policy see [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services Manage connections from Windows operating system components to Microsoft services] only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== /etc/unbound/filter.conf ==<br />
<pre>local-zone: "a-0001.a-msedge.net" redirect<br />
local-data: "a-0001.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0001.dc-msedge.net" redirect<br />
local-data: "a-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "a-0002.a-msedge.net" redirect<br />
local-data: "a-0002.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0003.a-msedge.net" redirect<br />
local-data: "a-0003.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0004.a-msedge.net" redirect<br />
local-data: "a-0004.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0005.a-msedge.net" redirect<br />
local-data: "a-0005.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0006.a-msedge.net" redirect<br />
local-data: "a-0006.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0007.a-msedge.net" redirect<br />
local-data: "a-0007.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0008.a-msedge.net" redirect<br />
local-data: "a-0008.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0009.a-msedge.net" redirect<br />
local-data: "a-0009.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0010.a-msedge.net" redirect<br />
local-data: "a-0010.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0011.a-msedge.net" redirect<br />
local-data: "a-0011.a-msedge.net A 0.0.0.1"<br />
local-zone: "a-0012.a-msedge.net" redirect<br />
local-data: "a-0012.a-msedge.net A 0.0.0.1"<br />
local-zone: "a.ads1.msn.com" redirect<br />
local-data: "a.ads1.msn.com A 0.0.0.1"<br />
local-zone: "a.ads2.msads.net" redirect<br />
local-data: "a.ads2.msads.net A 0.0.0.1"<br />
local-zone: "a.ads2.msn.com" redirect<br />
local-data: "a.ads2.msn.com A 0.0.0.1"<br />
local-zone: "ac3.msn.com" redirect<br />
local-data: "ac3.msn.com A 0.0.0.1"<br />
local-zone: "activity.windows.com" redirect<br />
local-data: "activity.windows.com A 0.0.0.1"<br />
local-zone: "adnexus.net" redirect<br />
local-data: "adnexus.net A 0.0.0.1"<br />
local-zone: "adnxs.com" redirect<br />
local-data: "adnxs.com A 0.0.0.1"<br />
local-zone: "ads1.msads.net" redirect<br />
local-data: "ads1.msads.net A 0.0.0.1"<br />
local-zone: "ads1.msn.com" redirect<br />
local-data: "ads1.msn.com A 0.0.0.1"<br />
local-zone: "ads.msn.com" redirect<br />
local-data: "ads.msn.com A 0.0.0.1"<br />
local-zone: "aidps.atdmt.com" redirect<br />
local-data: "aidps.atdmt.com A 0.0.0.1"<br />
local-zone: "aka-cdn-ns.adtech.de" redirect<br />
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"<br />
local-zone: "a-msedge.net" redirect<br />
local-data: "a-msedge.net A 0.0.0.1"<br />
local-zone: "a.rad.msn.com" redirect<br />
local-data: "a.rad.msn.com A 0.0.0.1"<br />
local-zone: "array101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array102-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array102-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array103-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array103-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array104-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array104-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array202-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array202-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array203-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array203-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array204-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array204-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array402-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array402-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array403-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array403-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array404-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array404-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array405-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array405-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array406-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array406-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array407-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array407-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "array408-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "array408-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "ars.smartscreen.microsoft.com" redirect<br />
local-data: "ars.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "az361816.vo.msecnd.net" redirect<br />
local-data: "az361816.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "az512334.vo.msecnd.net" redirect<br />
local-data: "az512334.vo.msecnd.net A 0.0.0.1"<br />
local-zone: "b.ads1.msn.com" redirect<br />
local-data: "b.ads1.msn.com A 0.0.0.1"<br />
local-zone: "b.ads2.msads.net" redirect<br />
local-data: "b.ads2.msads.net A 0.0.0.1"<br />
local-zone: "bingads.microsoft.com" redirect<br />
local-data: "bingads.microsoft.com A 0.0.0.1"<br />
local-zone: "bl3301-a.1drv.com" redirect<br />
local-data: "bl3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-c.1drv.com" redirect<br />
local-data: "bl3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "bl3301-g.1drv.com" redirect<br />
local-data: "bl3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "blob.weather.microsoft.com" redirect<br />
local-data: "blob.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "bn1304-e.1drv.com" redirect<br />
local-data: "bn1304-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-a.1drv.com" redirect<br />
local-data: "bn1306-a.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-e.1drv.com" redirect<br />
local-data: "bn1306-e.1drv.com A 0.0.0.1"<br />
local-zone: "bn1306-g.1drv.com" redirect<br />
local-data: "bn1306-g.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor002.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor003.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor003.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2b-cor004.api.p001.1drv.com" redirect<br />
local-data: "bn2b-cor004.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn2wns1.wns.windows.com" redirect<br />
local-data: "bn2wns1.wns.windows.com A 0.0.0.1"<br />
local-zone: "bn3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "bn3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "bn3sch020022328.wns.windows.com" redirect<br />
local-data: "bn3sch020022328.wns.windows.com A 0.0.0.1"<br />
local-zone: "b.rad.msn.com" redirect<br />
local-data: "b.rad.msn.com A 0.0.0.1"<br />
local-zone: "bs.serving-sys.com" redirect<br />
local-data: "bs.serving-sys.com A 0.0.0.1"<br />
local-zone: "by3301-a.1drv.com" redirect<br />
local-data: "by3301-a.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-c.1drv.com" redirect<br />
local-data: "by3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "by3301-e.1drv.com" redirect<br />
local-data: "by3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "c-0001.dc-msedge.net" redirect<br />
local-data: "c-0001.dc-msedge.net A 0.0.0.1"<br />
local-zone: "cache.datamart.windows.com" redirect<br />
local-data: "cache.datamart.windows.com A 0.0.0.1"<br />
local-zone: "candycrushsoda.king.com" redirect<br />
local-data: "candycrushsoda.king.com A 0.0.0.1"<br />
local-zone: "c.atdmt.com" redirect<br />
local-data: "c.atdmt.com A 0.0.0.1"<br />
local-zone: "ca.telemetry.microsoft.com" redirect<br />
local-data: "ca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "cdn.atdmt.com" redirect<br />
local-data: "cdn.atdmt.com A 0.0.0.1"<br />
local-zone: "cdn.content.prod.cms.msn.com" redirect<br />
local-data: "cdn.content.prod.cms.msn.com A 0.0.0.1"<br />
local-zone: "cdn.onenote.net" redirect<br />
local-data: "cdn.onenote.net A 0.0.0.1"<br />
local-zone: "cds1204.lon.llnw.net" redirect<br />
local-data: "cds1204.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds1293.lon.llnw.net" redirect<br />
local-data: "cds1293.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds20417.lcy.llnw.net" redirect<br />
local-data: "cds20417.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20431.lcy.llnw.net" redirect<br />
local-data: "cds20431.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20450.lcy.llnw.net" redirect<br />
local-data: "cds20450.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20457.lcy.llnw.net" redirect<br />
local-data: "cds20457.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds20475.lcy.llnw.net" redirect<br />
local-data: "cds20475.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds21244.lon.llnw.net" redirect<br />
local-data: "cds21244.lon.llnw.net A 0.0.0.1"<br />
local-zone: "cds26.ams9.msecn.net" redirect<br />
local-data: "cds26.ams9.msecn.net A 0.0.0.1"<br />
local-zone: "cds425.lcy.llnw.net" redirect<br />
local-data: "cds425.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds459.lcy.llnw.net" redirect<br />
local-data: "cds459.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds494.lcy.llnw.net" redirect<br />
local-data: "cds494.lcy.llnw.net A 0.0.0.1"<br />
local-zone: "cds965.lon.llnw.net" redirect<br />
local-data: "cds965.lon.llnw.net A 0.0.0.1"<br />
local-zone: "ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-c.1drv.com" redirect<br />
local-data: "ch3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-e.1drv.com" redirect<br />
local-data: "ch3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "ch3301-g.1drv.com" redirect<br />
local-data: "ch3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-c.1drv.com" redirect<br />
local-data: "ch3302-c.1drv.com A 0.0.0.1"<br />
local-zone: "ch3302-e.1drv.com" redirect<br />
local-data: "ch3302-e.1drv.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com" redirect<br />
local-data: "choice.microsoft.com A 0.0.0.1"<br />
local-zone: "choice.microsoft.com.nsatc.net" redirect<br />
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "clientconfig.passport.net" redirect<br />
local-data: "clientconfig.passport.net A 0.0.0.1"<br />
local-zone: "client-s.gateway.messenger.live.com" redirect<br />
local-data: "client-s.gateway.messenger.live.com A 0.0.0.1"<br />
local-zone: "client.wns.windows.com" redirect<br />
local-data: "client.wns.windows.com A 0.0.0.1"<br />
local-zone: "c.msn.com" redirect<br />
local-data: "c.msn.com A 0.0.0.1"<br />
local-zone: "compatexchange1.trafficmanager.net" redirect<br />
local-data: "compatexchange1.trafficmanager.net A 0.0.0.1"<br />
local-zone: "compatexchange.cloudapp.net" redirect<br />
local-data: "compatexchange.cloudapp.net A 0.0.0.1"<br />
local-zone: "continuum.dds.microsoft.com" redirect<br />
local-data: "continuum.dds.microsoft.com A 0.0.0.1"<br />
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect<br />
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "corp.sts.microsoft.com" redirect<br />
local-data: "corp.sts.microsoft.com A 0.0.0.1"<br />
local-zone: "cp101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cp401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "cp401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "cs1.wpc.v0cdn.net" redirect<br />
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"<br />
local-zone: "db3aqu.atdmt.com" redirect<br />
local-data: "db3aqu.atdmt.com A 0.0.0.1"<br />
local-zone: "db3wns2011111.wns.windows.com" redirect<br />
local-data: "db3wns2011111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100122.wns.windows.com" redirect<br />
local-data: "db5sch101100122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100127.wns.windows.com" redirect<br />
local-data: "db5sch101100127.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100831.wns.windows.com" redirect<br />
local-data: "db5sch101100831.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100835.wns.windows.com" redirect<br />
local-data: "db5sch101100835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100917.wns.windows.com" redirect<br />
local-data: "db5sch101100917.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100925.wns.windows.com" redirect<br />
local-data: "db5sch101100925.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100928.wns.windows.com" redirect<br />
local-data: "db5sch101100928.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101100938.wns.windows.com" redirect<br />
local-data: "db5sch101100938.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101001.wns.windows.com" redirect<br />
local-data: "db5sch101101001.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101022.wns.windows.com" redirect<br />
local-data: "db5sch101101022.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101024.wns.windows.com" redirect<br />
local-data: "db5sch101101024.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101031.wns.windows.com" redirect<br />
local-data: "db5sch101101031.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101034.wns.windows.com" redirect<br />
local-data: "db5sch101101034.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101042.wns.windows.com" redirect<br />
local-data: "db5sch101101042.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101044.wns.windows.com" redirect<br />
local-data: "db5sch101101044.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101122.wns.windows.com" redirect<br />
local-data: "db5sch101101122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101123.wns.windows.com" redirect<br />
local-data: "db5sch101101123.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101125.wns.windows.com" redirect<br />
local-data: "db5sch101101125.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101128.wns.windows.com" redirect<br />
local-data: "db5sch101101128.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101129.wns.windows.com" redirect<br />
local-data: "db5sch101101129.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101133.wns.windows.com" redirect<br />
local-data: "db5sch101101133.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101145.wns.windows.com" redirect<br />
local-data: "db5sch101101145.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101209.wns.windows.com" redirect<br />
local-data: "db5sch101101209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101221.wns.windows.com" redirect<br />
local-data: "db5sch101101221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101228.wns.windows.com" redirect<br />
local-data: "db5sch101101228.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101231.wns.windows.com" redirect<br />
local-data: "db5sch101101231.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101237.wns.windows.com" redirect<br />
local-data: "db5sch101101237.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101317.wns.windows.com" redirect<br />
local-data: "db5sch101101317.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101324.wns.windows.com" redirect<br />
local-data: "db5sch101101324.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101329.wns.windows.com" redirect<br />
local-data: "db5sch101101329.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101333.wns.windows.com" redirect<br />
local-data: "db5sch101101333.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101334.wns.windows.com" redirect<br />
local-data: "db5sch101101334.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101338.wns.windows.com" redirect<br />
local-data: "db5sch101101338.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101419.wns.windows.com" redirect<br />
local-data: "db5sch101101419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101424.wns.windows.com" redirect<br />
local-data: "db5sch101101424.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101426.wns.windows.com" redirect<br />
local-data: "db5sch101101426.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101427.wns.windows.com" redirect<br />
local-data: "db5sch101101427.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101430.wns.windows.com" redirect<br />
local-data: "db5sch101101430.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101445.wns.windows.com" redirect<br />
local-data: "db5sch101101445.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101511.wns.windows.com" redirect<br />
local-data: "db5sch101101511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101519.wns.windows.com" redirect<br />
local-data: "db5sch101101519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101529.wns.windows.com" redirect<br />
local-data: "db5sch101101529.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101535.wns.windows.com" redirect<br />
local-data: "db5sch101101535.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101541.wns.windows.com" redirect<br />
local-data: "db5sch101101541.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101543.wns.windows.com" redirect<br />
local-data: "db5sch101101543.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101608.wns.windows.com" redirect<br />
local-data: "db5sch101101608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101618.wns.windows.com" redirect<br />
local-data: "db5sch101101618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101629.wns.windows.com" redirect<br />
local-data: "db5sch101101629.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101631.wns.windows.com" redirect<br />
local-data: "db5sch101101631.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101633.wns.windows.com" redirect<br />
local-data: "db5sch101101633.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101640.wns.windows.com" redirect<br />
local-data: "db5sch101101640.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101711.wns.windows.com" redirect<br />
local-data: "db5sch101101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101722.wns.windows.com" redirect<br />
local-data: "db5sch101101722.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101739.wns.windows.com" redirect<br />
local-data: "db5sch101101739.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101745.wns.windows.com" redirect<br />
local-data: "db5sch101101745.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101813.wns.windows.com" redirect<br />
local-data: "db5sch101101813.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101820.wns.windows.com" redirect<br />
local-data: "db5sch101101820.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101826.wns.windows.com" redirect<br />
local-data: "db5sch101101826.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101835.wns.windows.com" redirect<br />
local-data: "db5sch101101835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101837.wns.windows.com" redirect<br />
local-data: "db5sch101101837.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101844.wns.windows.com" redirect<br />
local-data: "db5sch101101844.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101907.wns.windows.com" redirect<br />
local-data: "db5sch101101907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101914.wns.windows.com" redirect<br />
local-data: "db5sch101101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101929.wns.windows.com" redirect<br />
local-data: "db5sch101101929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101939.wns.windows.com" redirect<br />
local-data: "db5sch101101939.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101101941.wns.windows.com" redirect<br />
local-data: "db5sch101101941.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102015.wns.windows.com" redirect<br />
local-data: "db5sch101102015.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102017.wns.windows.com" redirect<br />
local-data: "db5sch101102017.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102019.wns.windows.com" redirect<br />
local-data: "db5sch101102019.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102023.wns.windows.com" redirect<br />
local-data: "db5sch101102023.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102025.wns.windows.com" redirect<br />
local-data: "db5sch101102025.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102032.wns.windows.com" redirect<br />
local-data: "db5sch101102032.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101102033.wns.windows.com" redirect<br />
local-data: "db5sch101102033.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110108.wns.windows.com" redirect<br />
local-data: "db5sch101110108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110109.wns.windows.com" redirect<br />
local-data: "db5sch101110109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110114.wns.windows.com" redirect<br />
local-data: "db5sch101110114.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110135.wns.windows.com" redirect<br />
local-data: "db5sch101110135.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110142.wns.windows.com" redirect<br />
local-data: "db5sch101110142.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110204.wns.windows.com" redirect<br />
local-data: "db5sch101110204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110206.wns.windows.com" redirect<br />
local-data: "db5sch101110206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110214.wns.windows.com" redirect<br />
local-data: "db5sch101110214.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110225.wns.windows.com" redirect<br />
local-data: "db5sch101110225.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110232.wns.windows.com" redirect<br />
local-data: "db5sch101110232.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110245.wns.windows.com" redirect<br />
local-data: "db5sch101110245.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110315.wns.windows.com" redirect<br />
local-data: "db5sch101110315.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110323.wns.windows.com" redirect<br />
local-data: "db5sch101110323.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110325.wns.windows.com" redirect<br />
local-data: "db5sch101110325.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110328.wns.windows.com" redirect<br />
local-data: "db5sch101110328.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110331.wns.windows.com" redirect<br />
local-data: "db5sch101110331.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110341.wns.windows.com" redirect<br />
local-data: "db5sch101110341.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110343.wns.windows.com" redirect<br />
local-data: "db5sch101110343.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110345.wns.windows.com" redirect<br />
local-data: "db5sch101110345.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110403.wns.windows.com" redirect<br />
local-data: "db5sch101110403.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110419.wns.windows.com" redirect<br />
local-data: "db5sch101110419.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110438.wns.windows.com" redirect<br />
local-data: "db5sch101110438.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110442.wns.windows.com" redirect<br />
local-data: "db5sch101110442.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110501.wns.windows.com" redirect<br />
local-data: "db5sch101110501.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110527.wns.windows.com" redirect<br />
local-data: "db5sch101110527.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110533.wns.windows.com" redirect<br />
local-data: "db5sch101110533.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110618.wns.windows.com" redirect<br />
local-data: "db5sch101110618.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110622.wns.windows.com" redirect<br />
local-data: "db5sch101110622.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110624.wns.windows.com" redirect<br />
local-data: "db5sch101110624.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110626.wns.windows.com" redirect<br />
local-data: "db5sch101110626.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110634.wns.windows.com" redirect<br />
local-data: "db5sch101110634.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110705.wns.windows.com" redirect<br />
local-data: "db5sch101110705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110724.wns.windows.com" redirect<br />
local-data: "db5sch101110724.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110740.wns.windows.com" redirect<br />
local-data: "db5sch101110740.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110810.wns.windows.com" redirect<br />
local-data: "db5sch101110810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110816.wns.windows.com" redirect<br />
local-data: "db5sch101110816.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110821.wns.windows.com" redirect<br />
local-data: "db5sch101110821.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110822.wns.windows.com" redirect<br />
local-data: "db5sch101110822.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110825.wns.windows.com" redirect<br />
local-data: "db5sch101110825.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110828.wns.windows.com" redirect<br />
local-data: "db5sch101110828.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110835.wns.windows.com" redirect<br />
local-data: "db5sch101110835.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110919.wns.windows.com" redirect<br />
local-data: "db5sch101110919.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110921.wns.windows.com" redirect<br />
local-data: "db5sch101110921.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110923.wns.windows.com" redirect<br />
local-data: "db5sch101110923.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch101110929.wns.windows.com" redirect<br />
local-data: "db5sch101110929.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103081814.wns.windows.com" redirect<br />
local-data: "db5sch103081814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082011.wns.windows.com" redirect<br />
local-data: "db5sch103082011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082111.wns.windows.com" redirect<br />
local-data: "db5sch103082111.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082308.wns.windows.com" redirect<br />
local-data: "db5sch103082308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082406.wns.windows.com" redirect<br />
local-data: "db5sch103082406.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082409.wns.windows.com" redirect<br />
local-data: "db5sch103082409.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082609.wns.windows.com" redirect<br />
local-data: "db5sch103082609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082611.wns.windows.com" redirect<br />
local-data: "db5sch103082611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082709.wns.windows.com" redirect<br />
local-data: "db5sch103082709.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082712.wns.windows.com" redirect<br />
local-data: "db5sch103082712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103082806.wns.windows.com" redirect<br />
local-data: "db5sch103082806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090115.wns.windows.com" redirect<br />
local-data: "db5sch103090115.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090415.wns.windows.com" redirect<br />
local-data: "db5sch103090415.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090513.wns.windows.com" redirect<br />
local-data: "db5sch103090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090515.wns.windows.com" redirect<br />
local-data: "db5sch103090515.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090608.wns.windows.com" redirect<br />
local-data: "db5sch103090608.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090806.wns.windows.com" redirect<br />
local-data: "db5sch103090806.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090814.wns.windows.com" redirect<br />
local-data: "db5sch103090814.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103090906.wns.windows.com" redirect<br />
local-data: "db5sch103090906.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091011.wns.windows.com" redirect<br />
local-data: "db5sch103091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091012.wns.windows.com" redirect<br />
local-data: "db5sch103091012.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091106.wns.windows.com" redirect<br />
local-data: "db5sch103091106.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091108.wns.windows.com" redirect<br />
local-data: "db5sch103091108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091212.wns.windows.com" redirect<br />
local-data: "db5sch103091212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091311.wns.windows.com" redirect<br />
local-data: "db5sch103091311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091414.wns.windows.com" redirect<br />
local-data: "db5sch103091414.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091511.wns.windows.com" redirect<br />
local-data: "db5sch103091511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091617.wns.windows.com" redirect<br />
local-data: "db5sch103091617.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091715.wns.windows.com" redirect<br />
local-data: "db5sch103091715.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091817.wns.windows.com" redirect<br />
local-data: "db5sch103091817.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091908.wns.windows.com" redirect<br />
local-data: "db5sch103091908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103091911.wns.windows.com" redirect<br />
local-data: "db5sch103091911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092010.wns.windows.com" redirect<br />
local-data: "db5sch103092010.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092108.wns.windows.com" redirect<br />
local-data: "db5sch103092108.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092109.wns.windows.com" redirect<br />
local-data: "db5sch103092109.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092209.wns.windows.com" redirect<br />
local-data: "db5sch103092209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092210.wns.windows.com" redirect<br />
local-data: "db5sch103092210.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103092509.wns.windows.com" redirect<br />
local-data: "db5sch103092509.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100117.wns.windows.com" redirect<br />
local-data: "db5sch103100117.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100121.wns.windows.com" redirect<br />
local-data: "db5sch103100121.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100221.wns.windows.com" redirect<br />
local-data: "db5sch103100221.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100313.wns.windows.com" redirect<br />
local-data: "db5sch103100313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100314.wns.windows.com" redirect<br />
local-data: "db5sch103100314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100510.wns.windows.com" redirect<br />
local-data: "db5sch103100510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100511.wns.windows.com" redirect<br />
local-data: "db5sch103100511.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100611.wns.windows.com" redirect<br />
local-data: "db5sch103100611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103100712.wns.windows.com" redirect<br />
local-data: "db5sch103100712.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101105.wns.windows.com" redirect<br />
local-data: "db5sch103101105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101208.wns.windows.com" redirect<br />
local-data: "db5sch103101208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101212.wns.windows.com" redirect<br />
local-data: "db5sch103101212.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101314.wns.windows.com" redirect<br />
local-data: "db5sch103101314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101411.wns.windows.com" redirect<br />
local-data: "db5sch103101411.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101413.wns.windows.com" redirect<br />
local-data: "db5sch103101413.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101513.wns.windows.com" redirect<br />
local-data: "db5sch103101513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101610.wns.windows.com" redirect<br />
local-data: "db5sch103101610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101611.wns.windows.com" redirect<br />
local-data: "db5sch103101611.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101705.wns.windows.com" redirect<br />
local-data: "db5sch103101705.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101711.wns.windows.com" redirect<br />
local-data: "db5sch103101711.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101909.wns.windows.com" redirect<br />
local-data: "db5sch103101909.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103101914.wns.windows.com" redirect<br />
local-data: "db5sch103101914.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102009.wns.windows.com" redirect<br />
local-data: "db5sch103102009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102112.wns.windows.com" redirect<br />
local-data: "db5sch103102112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102203.wns.windows.com" redirect<br />
local-data: "db5sch103102203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102209.wns.windows.com" redirect<br />
local-data: "db5sch103102209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102310.wns.windows.com" redirect<br />
local-data: "db5sch103102310.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102404.wns.windows.com" redirect<br />
local-data: "db5sch103102404.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102609.wns.windows.com" redirect<br />
local-data: "db5sch103102609.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102610.wns.windows.com" redirect<br />
local-data: "db5sch103102610.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5sch103102805.wns.windows.com" redirect<br />
local-data: "db5sch103102805.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5wns1d.wns.windows.com" redirect<br />
local-data: "db5wns1d.wns.windows.com A 0.0.0.1"<br />
local-zone: "db5.wns.windows.com" redirect<br />
local-data: "db5.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090104.wns.windows.com" redirect<br />
local-data: "db6sch102090104.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090112.wns.windows.com" redirect<br />
local-data: "db6sch102090112.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090116.wns.windows.com" redirect<br />
local-data: "db6sch102090116.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090122.wns.windows.com" redirect<br />
local-data: "db6sch102090122.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090203.wns.windows.com" redirect<br />
local-data: "db6sch102090203.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090206.wns.windows.com" redirect<br />
local-data: "db6sch102090206.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090208.wns.windows.com" redirect<br />
local-data: "db6sch102090208.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090209.wns.windows.com" redirect<br />
local-data: "db6sch102090209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090211.wns.windows.com" redirect<br />
local-data: "db6sch102090211.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090305.wns.windows.com" redirect<br />
local-data: "db6sch102090305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090306.wns.windows.com" redirect<br />
local-data: "db6sch102090306.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090308.wns.windows.com" redirect<br />
local-data: "db6sch102090308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090311.wns.windows.com" redirect<br />
local-data: "db6sch102090311.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090313.wns.windows.com" redirect<br />
local-data: "db6sch102090313.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090410.wns.windows.com" redirect<br />
local-data: "db6sch102090410.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090412.wns.windows.com" redirect<br />
local-data: "db6sch102090412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090504.wns.windows.com" redirect<br />
local-data: "db6sch102090504.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090510.wns.windows.com" redirect<br />
local-data: "db6sch102090510.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090512.wns.windows.com" redirect<br />
local-data: "db6sch102090512.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090513.wns.windows.com" redirect<br />
local-data: "db6sch102090513.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090514.wns.windows.com" redirect<br />
local-data: "db6sch102090514.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090519.wns.windows.com" redirect<br />
local-data: "db6sch102090519.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090613.wns.windows.com" redirect<br />
local-data: "db6sch102090613.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090619.wns.windows.com" redirect<br />
local-data: "db6sch102090619.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090810.wns.windows.com" redirect<br />
local-data: "db6sch102090810.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090811.wns.windows.com" redirect<br />
local-data: "db6sch102090811.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090902.wns.windows.com" redirect<br />
local-data: "db6sch102090902.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090905.wns.windows.com" redirect<br />
local-data: "db6sch102090905.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090907.wns.windows.com" redirect<br />
local-data: "db6sch102090907.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090908.wns.windows.com" redirect<br />
local-data: "db6sch102090908.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090910.wns.windows.com" redirect<br />
local-data: "db6sch102090910.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102090911.wns.windows.com" redirect<br />
local-data: "db6sch102090911.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091003.wns.windows.com" redirect<br />
local-data: "db6sch102091003.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091007.wns.windows.com" redirect<br />
local-data: "db6sch102091007.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091008.wns.windows.com" redirect<br />
local-data: "db6sch102091008.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091009.wns.windows.com" redirect<br />
local-data: "db6sch102091009.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091011.wns.windows.com" redirect<br />
local-data: "db6sch102091011.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091103.wns.windows.com" redirect<br />
local-data: "db6sch102091103.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091105.wns.windows.com" redirect<br />
local-data: "db6sch102091105.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091204.wns.windows.com" redirect<br />
local-data: "db6sch102091204.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091209.wns.windows.com" redirect<br />
local-data: "db6sch102091209.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091305.wns.windows.com" redirect<br />
local-data: "db6sch102091305.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091307.wns.windows.com" redirect<br />
local-data: "db6sch102091307.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091308.wns.windows.com" redirect<br />
local-data: "db6sch102091308.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091309.wns.windows.com" redirect<br />
local-data: "db6sch102091309.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091314.wns.windows.com" redirect<br />
local-data: "db6sch102091314.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091412.wns.windows.com" redirect<br />
local-data: "db6sch102091412.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091503.wns.windows.com" redirect<br />
local-data: "db6sch102091503.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091507.wns.windows.com" redirect<br />
local-data: "db6sch102091507.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091602.wns.windows.com" redirect<br />
local-data: "db6sch102091602.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091603.wns.windows.com" redirect<br />
local-data: "db6sch102091603.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091606.wns.windows.com" redirect<br />
local-data: "db6sch102091606.wns.windows.com A 0.0.0.1"<br />
local-zone: "db6sch102091607.wns.windows.com" redirect<br />
local-data: "db6sch102091607.wns.windows.com A 0.0.0.1"<br />
local-zone: "deploy.static.akamaitechnologies.com" redirect<br />
local-data: "deploy.static.akamaitechnologies.com A 0.0.0.1"<br />
local-zone: "device.auth.xboxlive.com" redirect<br />
local-data: "device.auth.xboxlive.com A 0.0.0.1"<br />
local-zone: "dev.virtualearth.net" redirect<br />
local-data: "dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "df.telemetry.microsoft.com" redirect<br />
local-data: "df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "diagnostics.support.microsoft.com" redirect<br />
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"<br />
local-zone: "disc101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "disc401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "disc401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "dmd.metaservices.microsoft.com" redirect<br />
local-data: "dmd.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "dns.msftncsi.com" redirect<br />
local-data: "dns.msftncsi.com A 0.0.0.1"<br />
local-zone: "ec.atdmt.com" redirect<br />
local-data: "ec.atdmt.com A 0.0.0.1"<br />
local-zone: "ecn.dev.virtualearth.net" redirect<br />
local-data: "ecn.dev.virtualearth.net A 0.0.0.1"<br />
local-zone: "eu.vortex.data.microsoft.com" redirect<br />
local-data: "eu.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.microsoft-hohm.com" redirect<br />
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"<br />
local-zone: "feedback.search.microsoft.com" redirect<br />
local-data: "feedback.search.microsoft.com A 0.0.0.1"<br />
local-zone: "feedback.windows.com" redirect<br />
local-data: "feedback.windows.com A 0.0.0.1"<br />
local-zone: "flex.msn.com" redirect<br />
local-data: "flex.msn.com A 0.0.0.1"<br />
local-zone: "fs.microsoft.com" redirect<br />
local-data: "fs.microsoft.com A 0.0.0.1"<br />
local-zone: "geo-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geo-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "geover-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "geover-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "g.msn.com" redirect<br />
local-data: "g.msn.com A 0.0.0.1"<br />
local-zone: "h1.msn.com" redirect<br />
local-data: "h1.msn.com A 0.0.0.1"<br />
local-zone: "h2.msn.com" redirect<br />
local-data: "h2.msn.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com" redirect<br />
local-data: "i1.services.social.microsoft.com A 0.0.0.1"<br />
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect<br />
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "i-bl6p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-bl6p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-by3p-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-by3p-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-ch1-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-ch1-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "img-s-msn-com.akamaized.net" redirect<br />
local-data: "img-s-msn-com.akamaized.net A 0.0.0.1"<br />
local-zone: "inference.location.live.net" redirect<br />
local-data: "inference.location.live.net A 0.0.0.1"<br />
local-zone: "insiderppe.cloudapp.net" redirect<br />
local-data: "insiderppe.cloudapp.net A 0.0.0.1"<br />
local-zone: "i-sn2-cor001.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor001.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "i-sn2-cor002.api.p001.1drv.com" redirect<br />
local-data: "i-sn2-cor002.api.p001.1drv.com A 0.0.0.1"<br />
local-zone: "kv101-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv101-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv201-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv201-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "kv401-prod.do.dsp.mp.microsoft.com" redirect<br />
local-data: "kv401-prod.do.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "lb1.www.ms.akadns.net" redirect<br />
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"<br />
local-zone: "licensing.mp.microsoft.com" redirect<br />
local-data: "licensing.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "live.rads.msn.com" redirect<br />
local-data: "live.rads.msn.com A 0.0.0.1"<br />
local-zone: "ls2web.redmond.corp.microsoft.com" redirect<br />
local-data: "ls2web.redmond.corp.microsoft.com A 0.0.0.1"<br />
local-zone: "m.adnxs.com" redirect<br />
local-data: "m.adnxs.com A 0.0.0.1"<br />
local-zone: "mediaredirect.microsoft.com" redirect<br />
local-data: "mediaredirect.microsoft.com A 0.0.0.1"<br />
local-zone: "mobile.pipe.aria.microsoft.com" redirect<br />
local-data: "mobile.pipe.aria.microsoft.com A 0.0.0.1"<br />
local-zone: "msedge.net" redirect<br />
local-data: "msedge.net A 0.0.0.1"<br />
local-zone: "msftncsi.com" redirect<br />
local-data: "msftncsi.com A 0.0.0.1"<br />
local-zone: "msntest.serving-sys.com" redirect<br />
local-data: "msntest.serving-sys.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com" redirect<br />
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "officeclient.microsoft.com" redirect<br />
local-data: "officeclient.microsoft.com A 0.0.0.1"<br />
local-zone: "oneclient.sfx.ms" redirect<br />
local-data: "oneclient.sfx.ms A 0.0.0.1"<br />
local-zone: "pre.footprintpredict.com" redirect<br />
local-data: "pre.footprintpredict.com A 0.0.0.1"<br />
local-zone: "preview.msn.com" redirect<br />
local-data: "preview.msn.com A 0.0.0.1"<br />
local-zone: "pti.store.microsoft.com" redirect<br />
local-data: "pti.store.microsoft.com A 0.0.0.1"<br />
local-zone: "query.prod.cms.rt.microsoft.com" redirect<br />
local-data: "query.prod.cms.rt.microsoft.com A 0.0.0.1"<br />
local-zone: "rad.msn.com" redirect<br />
local-data: "rad.msn.com A 0.0.0.1"<br />
local-zone: "redir.metaservices.microsoft.com" redirect<br />
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"<br />
local-zone: "register.cdpcs.microsoft.com" redirect<br />
local-data: "register.cdpcs.microsoft.com A 0.0.0.1"<br />
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "s0.2mdn.net" redirect<br />
local-data: "s0.2mdn.net A 0.0.0.1"<br />
local-zone: "schemas.microsoft.akadns.net" redirect<br />
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "search.msn.com" redirect<br />
local-data: "search.msn.com A 0.0.0.1"<br />
local-zone: "secure.adnxs.com" redirect<br />
local-data: "secure.adnxs.com A 0.0.0.1"<br />
local-zone: "secure.flashtalking.com" redirect<br />
local-data: "secure.flashtalking.com A 0.0.0.1"<br />
local-zone: "services.wes.df.telemetry.microsoft.com" redirect<br />
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.glbdns2.microsoft.com" redirect<br />
local-data: "settings.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "settings.data.microsoft.com" redirect<br />
local-data: "settings.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-sandbox.data.microsoft.com" redirect<br />
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-ssl.xboxlive.com" redirect<br />
local-data: "settings-ssl.xboxlive.com A 0.0.0.1"<br />
local-zone: "settings-win.data.microsoft.com" redirect<br />
local-data: "settings-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "settings-win-ppe.data.microsoft.com" redirect<br />
local-data: "settings-win-ppe.data.microsoft.com A 0.0.0.1"<br />
local-zone: "sn3301-c.1drv.com" redirect<br />
local-data: "sn3301-c.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-e.1drv.com" redirect<br />
local-data: "sn3301-e.1drv.com A 0.0.0.1"<br />
local-zone: "sn3301-g.1drv.com" redirect<br />
local-data: "sn3301-g.1drv.com A 0.0.0.1"<br />
local-zone: "so.2mdn.net" redirect<br />
local-data: "so.2mdn.net A 0.0.0.1"<br />
local-zone: "spynet2.microsoft.com" redirect<br />
local-data: "spynet2.microsoft.com A 0.0.0.1"<br />
local-zone: "spynetalt.microsoft.com" redirect<br />
local-data: "spynetalt.microsoft.com A 0.0.0.1"<br />
local-zone: "spyneteurope.microsoft.akadns.net" redirect<br />
local-data: "spyneteurope.microsoft.akadns.net A 0.0.0.1"<br />
local-zone: "sqm.df.telemetry.microsoft.com" redirect<br />
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com" redirect<br />
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "static.2mdn.net" redirect<br />
local-data: "static.2mdn.net A 0.0.0.1"<br />
local-zone: "storecatalogrevocation.storequality.microsoft.com" redirect<br />
local-data: "storecatalogrevocation.storequality.microsoft.com A 0.0.0.1"<br />
local-zone: "storeedgefd.dsx.mp.microsoft.com" redirect<br />
local-data: "storeedgefd.dsx.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "store-images.s-microsoft.com" redirect<br />
local-data: "store-images.s-microsoft.com A 0.0.0.1"<br />
local-zone: "support.microsoft.com" redirect<br />
local-data: "support.microsoft.com A 0.0.0.1"<br />
local-zone: "survey.watson.microsoft.com" redirect<br />
local-data: "survey.watson.microsoft.com A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.dynamic.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.dynamic.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "t0.ssl.ak.tiles.virtualearth.net" redirect<br />
local-data: "t0.ssl.ak.tiles.virtualearth.net A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com" redirect<br />
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "telemetry.appex.bing.net" redirect<br />
local-data: "telemetry.appex.bing.net A 0.0.0.1"<br />
local-zone: "telemetry.microsoft.com" redirect<br />
local-data: "telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "telemetry.urs.microsoft.com" redirect<br />
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"<br />
local-zone: "test.activity.windows.com" redirect<br />
local-data: "test.activity.windows.com A 0.0.0.1"<br />
local-zone: "tile-service.weather.microsoft.com" redirect<br />
local-data: "tile-service.weather.microsoft.com A 0.0.0.1"<br />
local-zone: "time.windows.com" redirect<br />
local-data: "time.windows.com A 0.0.0.1"<br />
local-zone: "tk2.plt.msn.com" redirect<br />
local-data: "tk2.plt.msn.com A 0.0.0.1"<br />
local-zone: "tsfe.trafficshaping.dsp.mp.microsoft.com" redirect<br />
local-data: "tsfe.trafficshaping.dsp.mp.microsoft.com A 0.0.0.1"<br />
local-zone: "urs.smartscreen.microsoft.com" redirect<br />
local-data: "urs.smartscreen.microsoft.com A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "v10.vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "v10.vortex-win.data.microsoft.com" redirect<br />
local-data: "v10.vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "version.hybrid.api.here.com" redirect<br />
local-data: "version.hybrid.api.here.com A 0.0.0.1"<br />
local-zone: "view.atdmt.com" redirect<br />
local-data: "view.atdmt.com A 0.0.0.1"<br />
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.glbdns2.microsoft.com" redirect<br />
local-data: "vortex.data.glbdns2.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex.data.microsoft.com" redirect<br />
local-data: "vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-db5.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-db5.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-hk2.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-hk2.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-sandbox.data.microsoft.com" redirect<br />
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"<br />
local-zone: "vortex-win.data.metron.live.com.nsatc.net" redirect<br />
local-data: "vortex-win.data.metron.live.com.nsatc.net A 0.0.0.1"<br />
local-zone: "vortex-win.data.microsoft.com" redirect<br />
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.microsoft.com" redirect<br />
local-data: "watson.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.ppe.telemetry.microsoft.com" redirect<br />
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com" redirect<br />
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect<br />
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"<br />
local-zone: "wdcpalt.microsoft.com" redirect<br />
local-data: "wdcpalt.microsoft.com A 0.0.0.1"<br />
local-zone: "wdcp.microsoft.com" redirect<br />
local-data: "wdcp.microsoft.com A 0.0.0.1"<br />
local-zone: "web.vortex.data.microsoft.com" redirect<br />
local-data: "web.vortex.data.microsoft.com A 0.0.0.1"<br />
local-zone: "wes.df.telemetry.microsoft.com" redirect<br />
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"<br />
local-zone: "win10.ipv6.microsoft.com" redirect<br />
local-data: "win10.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "win10-trt.msedge.net" redirect<br />
local-data: "win10-trt.msedge.net A 0.0.0.1"<br />
local-zone: "win1710.ipv6.microsoft.com" redirect<br />
local-data: "win1710.ipv6.microsoft.com A 0.0.0.1"<br />
local-zone: "wscont.apps.microsoft.com" redirect<br />
local-data: "wscont.apps.microsoft.com A 0.0.0.1"<br />
local-zone: "www.msedge.net" redirect<br />
local-data: "www.msedge.net A 0.0.0.1"<br />
local-zone: "www.msftconnecttest.com" redirect<br />
local-data: "www.msftconnecttest.com A 0.0.0.1"<br />
local-zone: "www.msftncsi.com" redirect<br />
local-data: "www.msftncsi.com A 0.0.0.1"</pre><br />
<br />
== DNSCrypt ==<br />
Configuring DNSCrypt to send it's lookups through the VPN and not directly out your ppp interface is done using a socks proxy.<br />
<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleak.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like CloudFlare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast] which should be pointing to a server located to where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine, you will need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']<br />
proxy = "socks5://127.0.0.1:1080"</pre><br />
<br />
=== Configuring Dante ===<br />
First install dante, you'll need to pin the testing repository. See: [[Alpine Linux package management#Repository pinning]].<br />
<br />
{{cmd|apk add dante-server@testing}}<br />
<br />
Configure it like so:<br />
<br />
=== /etc/sockd.conf ===<br />
<pre>logoutput: stderr<br />
internal: 127.0.0.1 port = 1080<br />
external: tun0<br />
clientmethod: none<br />
socksmethod: none<br />
user.unprivileged: sockd<br />
<br />
# Allow connections from localhost to any host<br />
client pass {<br />
from: 127.0.0.1/8 to: 0.0.0.0/0<br />
log: error # connect/disconnect<br />
}<br />
<br />
# Generic pass statement - bind/outgoing traffic<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bind connect udpassociate<br />
log: error # connect disconnect iooperation<br />
}<br />
<br />
# Generic pass statement for incoming connections/packets<br />
socks pass {<br />
from: 0.0.0.0/0 to: 0.0.0.0/0<br />
command: bindreply udpreply<br />
log: error # connect disconnect iooperation<br />
}</pre><br />
<br />
Finally the services to the the default run level:<br />
{{cmd|rc-update add sockd default}}<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation [[Entropy and randomness]]. This can be particularly useful if you're generating your own Diffie-Hellman nonce file, used in the [[FreeRadius EAP-TLS configuration]] section. Or for that matter any process which requires lots of random number generation such as generating certificates or public private keys.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve random number generation speed. It uses the unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
Start rngd service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use this also.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" > /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With AlpineLinux 3.8 you don't have to insert the module as it is already built in the kernel.<br />
<br />
Additionally the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have a some failures. That's okay, two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next up add the virtual interface (really just a IP address to eth0) eth0:2, just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I did find was when starting and stopping the OpenVPN service if you used:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
The rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.<br />
<br />
I used these guides to write complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.<br />
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
vpn_server_filename=$1<br />
<br />
rm /etc/openvpn/openvpn.conf<br />
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf<br />
chown -R openvpn:openvpn /etc/openvpn<br />
chmod -R a=-rwx,u=+rX /etc/openvpn<br />
chmod u=x /etc/openvpn/*.sh*<br />
<br />
if grep -Fxq "#CustomStuffHere" openvpn.conf<br />
then<br />
echo "Not adding custom routes, this server has been used previously"<br />
else<br />
echo "Adding custom route rules"<br />
cat <<EOF >> /etc/openvpn/openvpn.conf<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally add openvpn to the default run level<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First up we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add a an extra virtual interface (really just a IP address to eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our route added to it<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to it's own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route from the LAN subnet to the ISP table<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route from the LAN subnet to the VPN table<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total that are possible:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.<br />
<br />
For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list. <br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script: <br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}"<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up so for that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6 if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
<br />
Finally save the sets with this command so they can be loaded next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table. It cannot have FORWARD rules or INPUT rules. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only kind of rules we may use here are PREROUTING and OUTPUT. The OUTPUT rules will only filter traffic originating from our router's local processes, such as if we ran the ping command to a bogon range on the router's command prompt.<br />
<br />
Traffic passes over the raw table, before connecting marking as indicated by this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph] this means we don't have to strip the mark off the bogon range in the mangle table anymore.<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to mode<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing if a port is open or closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat we can use it like this:<br />
<br />
Say we wanted to test for IPv6, UDP, Port 547 we would do this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all DNS traffic originating from 192.168.2.20.<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the file out with the -w option, and view it in Wireshark locally on your computer. You can increase the verbosity with the -v option. Using -vv will be even more verbose. -vvv will show even more.<br />
<br />
== lbu cache ==<br />
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external media.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password, by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options:<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting ssh.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]</div>Dngray