Alpine Linux - User contributions [en]

User:Summer

2015-11-23T17:01:03Z

Summer: Contributions

* [[Raspberry Pi]]
* [[Uncomplicated Firewall]]
* [[GCC]]

GCC

2015-11-23T17:00:41Z

Summer:

[https://gcc.gnu.org/ GCC], which stands for GNU Compiler Collection, is a free, open-source compiler system produced by the [https://gnu.org/ GNU Project].

== Installation ==

The quickest way to install GCC on Alpine Linux is by issuing the following command:
{{cmd|apk add build-base}}

<code>build-base</code> is a meta-package that will install the GCC, libc-dev and binutils packages (amongst others).

GNU Compiler Collection

2015-11-23T16:59:14Z

Summer: Redirects to GCC

#REDIRECT[[GCC]]

Gcc

2015-11-23T16:55:13Z

Summer: Summer moved page Gcc to GCC: Title should be all in capital letters (in this case)

#REDIRECT [[GCC]]

GCC

2015-11-23T16:55:13Z

Summer: Summer moved page Gcc to GCC: Title should be all in capital letters (in this case)

[https://gcc.gnu.org/ GCC] (GNU Compiler Collection) is a free, open-source compiler system produced by the [https://gnu.org/ GNU Project].

== Installation ==

The quickest way to install GCC on Alpine Linux is by issuing the following command:
{{cmd|apk add build-base}}

<code>build-base</code> is a meta-package that will install the GCC, libc-dev and binutils packages (amongst others).

GCC

2015-11-23T16:50:21Z

Summer:

GCC

2015-11-23T16:49:14Z

Summer: Added links to the GNU project

[https://gcc.gnu.org/ GCC] is a free, open-source compiler system produced by the [https://gnu.org/ GNU Project].

== Installation ==

The quickest way to install GCC on Alpine Linux is by issuing the following command:
{{cmd|apk add build-base}}

<code>build-base</code> is a meta-package that will install the GCC, libc-dev and binutils packages (amongst others).

GCC

2015-11-23T16:46:20Z

Summer: Added GCC tutorial page

GCC is a free, open-source compiler system produced by the GNU Project.

== Installation ==

The quickest way to install GCC on Alpine Linux is by issuing the following command:
{{cmd|apk add build-base}}

<code>build-base</code> is a meta-package that will install the GCC, libc-dev and binutils (amongst others) packages.

Raspberry Pi

2015-10-14T16:26:19Z

Summer: Added Post-installation section

[[Category:Installation]]
This tutorial will help you install Alpine Linux on your Raspberry Pi.

== Preparation ==

This section will help you format and partition your SD card:

# [http://alpinelinux.org/downloads/ Download] Alpine for Raspberry Pi tarball which is named as <code>alpine-rpi-<version>-armhf.rpi.tar.gz</code>. You will need version 3.2.0 or greater if you have a Raspberry Pi 2.
# Mount your SD card to your workstation
# Use [https://en.wikipedia.org/wiki/GNOME_Disks gnome-disks] or [http://linux.die.net/man/8/fdisk fdisk] to create a FAT32 partition. If you are using fdisk, the FAT32 partition type is called ''W95 FAT32 (LBA)'' and its ID is 0xC.
# Mark the newly created partition as bootable and save
# Mount the previously created partition
# Extract the tarball contents to your FAT32 partition
# Unmount the SD Card.

== Installation ==

Alpine Linux will be installed as [[Installation#Installation_Handbook|diskless mode]], hence you need to use [[Alpine local backup|Alpine Local Backup (lbu)]] to save your modifications between reboots. Follow these steps to install Alpine Linux:

# Insert the SD Card into the Raspberry Pi and turn it on
# Login into the Alpine system as root. Leave the password empty.
# Type <code>setup-alpine</code>
# Once the installation is complete, commit the changes by typing <code>lbu commit</code>

Type <code>reboot</code> to verify that the installation was indeed successful.

== Post Installation ==

=== Update the System ===

Upon installation, make sure that your system is up-to-date:

{{cmd|apk update
apk upgrade}}

Don't forget to save the changes:

{{cmd|lbu commit}}

=== Clock-related error messages ===

During the booting time, you might notice errors related to the hardware clock. The Raspberry Pi does not have
a hardware clock and therefore you need to disable the hwclock daemon and enable swclock:

{{cmd|rc-update add swclock boot # enable the software clock
rc-update del hwclock boot # disable the hardware clock}}

Since Raspberry Pi does not have a clock, the Alpine Linux needs to know what the time is by using a
[https://en.wikipedia.org/wiki/Network_Time_Protocol Network Time Protocol (NTP)] daemon. Make sure that you a
NTP daemon installed and running. If you are not sure, then you can install NTP client by running the following
command:

{{cmd|setup-ntp}}

Busybox NTP client might be the most lightweight solution. Save the changes and reboot, once the NTP software is
installed and running:

{{cmd|lbu commit
reboot}}

After reboot, make sure that the <code>date</code> command outputs the correct date and time.

== See Also ==

* [[Create a bootable SDHC from a Mac]]

Raspberry Pi

2015-10-13T20:29:51Z

Summer: /* Installation */

Raspberry Pi

2015-10-13T15:59:27Z

Summer: Added See Also section

Raspberry Pi

2015-10-04T10:02:19Z

Summer: /* Installation */

Raspberry Pi

2015-10-04T10:00:59Z

Summer: /* Preparation */

Raspberry Pi

2015-10-04T09:57:18Z

Summer: /* Preparation */

Uncomplicated Firewall

2015-10-04T09:38:35Z

Summer: Fixed formatting

UFW stands for [https://launchpad.net/ufw Uncomplicated Firewall], and is a program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

== Installation ==

UFW can be found in the testing repository. Read [[Alpine_Linux_package_management#Repository_pinning]] to enable the testing repository.

Once the testing repository has been enabled, UFW can be installed by issuing the following command:
{{cmd| apk add ip6tables ufw@testing}}

== Basic configuration ==

The following is a simple configuration that will deny all incoming and outgoing data communication by default and allow incoming SSH, outgoing DNS and NTP traffic:

<pre>ufw default deny incoming
ufw default deny outgoing
ufw limit SSH # open SSH port and protect against brute-force login attacks
ufw allow out 123/udp # allow outgoing NTP (Network Time Protocol)

# The following instructions will allow apk to work:
ufw allow out DNS # allow outgoing DNS
ufw allow out 80/tcp # allow outgoing HTTP traffic</pre>

The following lines are only needed the first time you install the package:
{{cmd|ufw enable # enable the firewall
rc-update add ufw # add UFW init scripts}}

Check the status of UFW:
{{cmd|ufw status}}

== Diskless mode ==

If you have installed Alpine Linux as [[Installation#Installation_Handbook|diskless]] then you need to use [[Alpine local backup|Alpine Local Backup (lbu)]] to save your UFW configuration. UFW data is stored in <code>/usr/lib/ufw</code>, therefore use the following commands to save the UFW configuration:
{{cmd|lbu add /usr/lib/ufw
lbu commit}}

[[Category:Networking]]
[[Category:Security]]

Uncomplicated Firewall

2015-10-04T09:33:17Z

Summer: /* Basic configuration */

UFW stands for [https://launchpad.net/ufw Uncomplicated Firewall], and is a program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

== Installation ==

UFW can be found in the testing repository. Read [[Alpine_Linux_package_management#Repository_pinning]] to enable the testing repository.

Once the testing repository has been enabled, UFW can be installed by issuing the following command:
{{cmd| apk add ip6tables ufw@testing}}

== Basic configuration ==

The following is a simple configuration that will deny all incoming and outgoing data communication by default and allow incoming SSH, outgoing DNS and NTP traffic:

{{cmd|ufw default deny incoming
ufw default deny outgoing
ufw limit SSH # open SSH port and protect against brute-force login attacks
ufw allow out 123/udp # allow outgoing NTP (Network Time Protocol)

# The following instructions will allow apk to work:
ufw allow out DNS # allow outgoing DNS
ufw allow out 80/tcp # allow outgoing HTTP traffic
}}

The following lines are only needed the first time you install the package:
{{cmd|ufw enable
rc-update add ufw # add UFW init scripts}}

Check the status of UFW:
{{cmd|ufw status}}

== Diskless mode ==

If you have installed Alpine Linux as [[Installation#Installation_Handbook|diskless]] then you need to use [[Alpine local backup|Alpine Local Backup (lbu)]] to save your UFW configuration. UFW data is stored in <code>/usr/lib/ufw</code>, therefore use the following commands to save the UFW configuration:
{{cmd|lbu add /usr/lib/ufw
lbu commit}}

[[Category:Networking]]
[[Category:Security]]

Linux Router with VPN on a Raspberry Pi

2015-10-01T17:23:35Z

Summer: Installation: Added link to Raspberry Pi installation article

[[Category:Networking]]
= Rationale =

This guide demonstrates how to set up a Raspberry Pi as an open source Linux router with a VPN tunnel. You will need a USB ethernet adaptor. I chose the [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter] as it contains a ASIX AX88772 which has good Linux support. Be sure to not buy a cheap [https://projectgus.com/2013/03/anatomy-of-a-cheap-usb-ethernet-adapter/ counterfeit] one as they do exist. You may choose to also buy an [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi RTC clock]. If you don't have an RTC clock, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates OpenVPN will refuse to start, which may mean you cannot do DNS lookups over VPN.

For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains a Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k] and I was keen to avoid blob drivers.

You could choose to use an old x86/amd64 system instead. This may be a more attractive option if you want to route high speeds. If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like AES-NI.

The network in this tutorial looks like this: [[File:network_diagram.png|center|Network Diagram]]

= Installation =
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.

= Modem in full bridge mode =
Your modem will need to be configured in "full bridge mode". The method for doing this varies depending on the interface on your device and is out of the scope of this tutorial.

The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found [[Configuring a Cisco 877 in full bridge mode]].

= Configuring PPP =
Next up we need to configure our router to be able to dial a PPP connection with our modem.

{{cmd|apk add ppp-pppoe}}

Check that the interface between your router and modem is eth1, or change it. Enter your credentials at the bottom of the file or use /etc/ppp/chap-secrets

== /etc/ppp/peers/yourISP ==
<pre>
nolog

# Try to get the IP address from the ISP
noipdefault

# Try to get the name server addresses from the ISP
usepeerdns

# Use this connection as the default route.
defaultroute

defaultroute-metric 300

# detatch after ppp0 interface is created
updetach

# Replace previous default route
#replacedefaultroute

# rp-pppoe plug-in makes PPPoE connection so rp-pppoe package is not needed
# Possibly, you may need to change interface according your configuration
plugin rp-pppoe.so eth1

# Uncomment if you need on-demand connection
#demand

# Disconnect after 300 seconds (5 minutes) of idle time.
#idle 300

# Hide password from log entries
hide-password

# Send echo requests
lcp-echo-interval 20
lcp-echo-failure 3

# Do not authenticate ISP peer
noauth

# Control connection consistency
persist
maxfail 0

# Control MTU size if your ISP does not force it
#mtu 1492

# Set your credentials
# Alternatively you may use /etc/ppp/pap-secrets or /etc/ppp/chap-secrets files
user username@yourISP.tld
password <SECRET></pre>

== /etc/modules ==
Update modules to include pppoe:
<pre>pppoe</pre>

= Network =

== /etc/hostname ==
Set this to your hostname eg:

<pre><HOST_NAME></pre>

== /etc/hosts ==
Set your host and hostname
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME>

::1 <HOST_NAME> ipv6-gateway ipv6-loopback
ff00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts</pre>

== /etc/network/interfaces ==
Configure your network interfaces:

<pre>auto lo
iface lo inet loopback

# internal interface
auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0

# external interface
auto eth1
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.252

# internet connection
auto ppp0
iface ppp0 inet ppp
pre-up ip link set dev eth1 up
provider <yourISP> # Make sure this is the same as /etc/ppp/peers/yourISP</pre>

== Basic IPtables firewall with routing ==
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.

First install iptables:

{{cmd|apk add iptables ip6tables}}

<pre>#################################
# Basic iptables routing rule set
#################################

#
# Mangle Table
# We leave this empty for the moment.
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
*filter

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]

# Create a log drop chain
:LOG_DROP - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0

# Forward LAN traffic out
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward SSH packets from network to modem
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP to modem's webserver
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward traffic to ISP
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# HTTP to modem
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20

# Allows routing to our modem subnet so we can access the web interface or SSH
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT</pre>

I'd also highly suggest reading these resources if you are new to iptables:

* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]

== /etc/sysctl.conf ==
These sysctl settings harden a few things and were mostly borrowed from the [https://wiki.archlinux.org/index.php/Sysctl#TCP.2FIP_stack_hardening ArchLinux wiki].

<pre>net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.panic = 120

#### ipv4 networking and equivalent ipv6 parameters ####

## TCP SYN cookie protection (default)
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## sets the kernels reverse path filtering mechanism to value 1(on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.rp_filter = 1

## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1

## log martian packets
net.ipv4.conf.all.log_martians = 1

## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1

## ignore bogus icmp errors (default)
net.ipv4.icmp_ignore_bogus_error_responses = 1

## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## ICMP routing redirects (only secure)
#net.ipv4.conf.all.secure_redirects = 1 (default)
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0

# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1</pre>

= DHCP =
{{cmd|apk add dhcp}}

== /etc/conf.d/dhcpd ==
Change DHCPD_IFACE="eth0" to the interface you want DHCP to run on.

== /etc/dhcp/dhcpd.conf ==
Configure your DHCP configuration server. For my DHCP server I'm going to have three subnets. Each has a specific purpose. You may choose to have any number of subnets like below. The broadcast-address would be different if you used VLANs. However in this case we are not.

<pre>authoritative;
ddns-update-style interim;

shared-network home {
# Subnet for regular nodes that require direct Internet access
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.240;
default-lease-time 259200;
max-lease-time 518400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option ntp-servers 192.168.1.1;
option domain-name-servers 192.168.1.1;
allow unknown-clients;

host Gaming_Computer {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address 192.168.1.20;
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
}
}

# Subnet for regular nodes that require VPN access
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.10 192.168.2.240;
default-lease-time 259200;
max-lease-time 518400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.2.1;
option ntp-servers 192.168.2.1;
option domain-name-servers 192.168.1.1;
ignore unknown-clients;

host Linux_Workstation {
hardware ethernet YY:YY:YY:YY:YY:YY;
fixed-address 192.168.2.20;
option subnet-mask 255.255.255.0;
option routers 192.168.2.1;
}
}

# Subnet for regular nodes that require no Internet access
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.10 192.168.3.240;
default-lease-time 259200;
max-lease-time 518400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.3.1;
option ntp-servers 192.168.3.1;
option domain-name-servers 192.168.1.1;
ignore unknown-clients;

host printer {
hardware ethernet ZZ:ZZ:ZZ:ZZ:ZZ:ZZ;
fixed-address 192.168.3.9;
option subnet-mask 255.255.255.0;
option routers 192.168.3.1;
}
}
}</pre>

Make sure to add this to the default run level once configured:
{{cmd|rc-update add dhcp default}}

= Synchronizing the clock =

You can choose to use BusyBox's ntpd or you can choose a more fully fledged option like [http://www.openntpd.org OpenNTPD]

== Busybox /etc/conf.d/ntpd ==
Allow clients to synchronize their clocks with the router.

<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre>

Make sure to add this to the default run level once configured:
{{cmd|rc-update add ntpd default}}

Or if you prefer to synchronize with multiple servers...

== OpenNTPD /etc/ntpd.conf ==

Install OpenNTPD
{{cmd|apk add openntpd}}

Add to default run level.
{{cmd|rc-update add openntpd default}}

=== /etc/ntpd.conf ===
<pre># sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1
listen on 192.168.2.1

# sync to a single server
#server ntp.example.org

# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org</pre>

== tlsdate ==
The time can also be extracted from a https handshake. If the certificate is self-signed you will need to use skip-verification:

{{cmd|apk add tlsdate}}
{{cmd|tlsdate -V --skip-verification -p 80 -H example.com}}

== timezone ==
You might also want to set a timezone, see [[Setting the timezone]].

= Saving Time =
There are two ways to do this. If you didn't buy an RTC clock see [[Saving time with Software Clock]]. If you did like the PiFace Real Time Clock see [[Saving time with Hardware Clock]]

= Unbound DNS forwarder with dnscrypt =
We want to be able to do our lookups using [http://dnscrypt.org dnscrypt] without installing dnscrypt on every client on the network. Therefore the router will also run a DNS forwarder and request unknown domains over dnscrypt for our clients.

== Unbound ==
First install {{cmd|apk add unbound}}

=== /etc/unbound/unbound.conf ===
<pre># unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.

server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
server:
verbosity: 1
num-threads: 4
interface: 192.168.1.1
do-ip4: yes
do-udp: yes
do-tcp: yes
access-control: 192.168.1.0/24 allow # Specify the subnets you want to listen on
access-control: 192.168.2.0/24 allow
do-not-query-localhost: no
chroot: ""
logfile: "/var/log/unbound.log"
use-syslog: no
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: yes
private-domain: "<HOSTNAME>"
#local-zone: "localhost." static
#local-data: "freebox.localhost. IN A 192.168.0.254"
#local-data-ptr: "192.168.0.254 freebox.localhost"
python:
remote-control:
forward-zone:
name: "."
forward-addr: 127.0.0.2@53</pre>

=== /etc/network/interfaces ===
You'll need a second loopback device, put it under the already existing one.

<pre>auto lo
iface lo inet loopback

auto lo:1
iface lo:1 inet static
address 127.0.0.2
netmask 255.0.0.0</pre>

== Blocking nasties on the network by domain ==
It seems Microsoft has added a whole bunch of telemetry (spyware) analytics to Windows itself, whereby the OS now calls home with various information regarding it's usage. Back porting to previous versions of Windows is not an option, because the telemetry patches have also been back ported to 7/8.1.

Changing the knobs in Windows to stop this activity doesn't silence it completely, and they can always be reset with another update from Microsoft. It is however unlikely they will change the domains that are looked up. More information about that can be found [https://www.privacytools.io/#win10 here]. You should also consider ditching Windows entirely and using a proper operating system that does not contain intrusive malware [https://www.privacytools.io/#os here are a few choices to consider].

As this is a network router, it might be prudent to block those domains.

This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as [https://www.reddit.com/r/privacy/comments/3htei2/stop_windows_10_from_phoning_home_by_blocking/cuafuvg here] and in this [https://github.com/10se1ucgo/DisableWinTracking/blob/master/run.py#L188 script].

You could also use this to block advertising, but that's probably easier to do in a web browser with something like [https://en.wikipedia.org/wiki/UBlock UBlock/UBlock Origin].

=== /etc/unbound/unbound.conf ===
In your main unbound configuration add
<pre>include: /etc/unbound/filter.conf</pre>

=== Script to prepare/sort domains for Unbound ===
<pre>#!/bin/sh

##################################################
# Script taken from http://npr.me.uk/unbound.html
# Note you need GNU sed
##################################################

# Remove "#" comments
# Remove space and tab
# Remove blank lines
# Remove localhost and broadcasthost lines
# Keep just the hosts
# Remove leading and trailing space and tab (again)
# Make everything lower case

sed -e "s/#.*//" \
-e "s/[ \x09]*$//"\
-e "/^$/ d" \
-e "/^.*local.*/ d" \
-e "/^.*broadcasthost.*/ d" \
-e "s/$^.*$ $[a-zA-Z0-9\.\-]*$/\2/" \
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \
-e "s/$.*$/\L\1/" hosts.txt > temp1.txt

# Remove any duplicate hosts

sort temp1.txt | uniq >temp2.txt

# Remove any hosts starting with "."
# Create the two required lines for each host.

sed -e "/^\..*/ d" \
-e "s/$^.*$/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \
temp2.txt > filter.conf

# Clean up
rm temp1.txt
rm temp2.txt</pre>

== /etc/unbound/filter.conf ==
<pre>local-zone: "a-0001.a-msedge.net" redirect
local-data: "a-0001.a-msedge.net A 0.0.0.1"
local-zone: "a-0002.a-msedge.net" redirect
local-data: "a-0002.a-msedge.net A 0.0.0.1"
local-zone: "a-0003.a-msedge.net" redirect
local-data: "a-0003.a-msedge.net A 0.0.0.1"
local-zone: "a-0004.a-msedge.net" redirect
local-data: "a-0004.a-msedge.net A 0.0.0.1"
local-zone: "a-0005.a-msedge.net" redirect
local-data: "a-0005.a-msedge.net A 0.0.0.1"
local-zone: "a-0006.a-msedge.net" redirect
local-data: "a-0006.a-msedge.net A 0.0.0.1"
local-zone: "a-0007.a-msedge.net" redirect
local-data: "a-0007.a-msedge.net A 0.0.0.1"
local-zone: "a-0008.a-msedge.net" redirect
local-data: "a-0008.a-msedge.net A 0.0.0.1"
local-zone: "a-0009.a-msedge.net" redirect
local-data: "a-0009.a-msedge.net A 0.0.0.1"
local-zone: "a-msedge.net" redirect
local-data: "a-msedge.net A 0.0.0.1"
local-zone: "a.ads1.msn.com" redirect
local-data: "a.ads1.msn.com A 0.0.0.1"
local-zone: "a.ads2.msads.net" redirect
local-data: "a.ads2.msads.net A 0.0.0.1"
local-zone: "a.ads2.msn.com" redirect
local-data: "a.ads2.msn.com A 0.0.0.1"
local-zone: "a.rad.msn.com" redirect
local-data: "a.rad.msn.com A 0.0.0.1"
local-zone: "ac3.msn.com" redirect
local-data: "ac3.msn.com A 0.0.0.1"
local-zone: "ad.doubleclick.net" redirect
local-data: "ad.doubleclick.net A 0.0.0.1"
local-zone: "adnexus.net" redirect
local-data: "adnexus.net A 0.0.0.1"
local-zone: "adnxs.com" redirect
local-data: "adnxs.com A 0.0.0.1"
local-zone: "ads.msn.com" redirect
local-data: "ads.msn.com A 0.0.0.1"
local-zone: "ads1.msads.net" redirect
local-data: "ads1.msads.net A 0.0.0.1"
local-zone: "ads1.msn.com" redirect
local-data: "ads1.msn.com A 0.0.0.1"
local-zone: "aidps.atdmt.com" redirect
local-data: "aidps.atdmt.com A 0.0.0.1"
local-zone: "aka-cdn-ns.adtech.de" redirect
local-data: "aka-cdn-ns.adtech.de A 0.0.0.1"
local-zone: "apps.skype.com" redirect
local-data: "apps.skype.com A 0.0.0.1"
local-zone: "az361816.vo.msecnd.net" redirect
local-data: "az361816.vo.msecnd.net A 0.0.0.1"
local-zone: "az512334.vo.msecnd.net" redirect
local-data: "az512334.vo.msecnd.net A 0.0.0.1"
local-zone: "b.ads1.msn.com" redirect
local-data: "b.ads1.msn.com A 0.0.0.1"
local-zone: "b.ads2.msads.net" redirect
local-data: "b.ads2.msads.net A 0.0.0.1"
local-zone: "b.rad.msn.com" redirect
local-data: "b.rad.msn.com A 0.0.0.1"
local-zone: "bs.serving-sys.com" redirect
local-data: "bs.serving-sys.com A 0.0.0.1"
local-zone: "c.atdmt.com" redirect
local-data: "c.atdmt.com A 0.0.0.1"
local-zone: "c.msn.com" redirect
local-data: "c.msn.com A 0.0.0.1"
local-zone: "cdn.atdmt.com" redirect
local-data: "cdn.atdmt.com A 0.0.0.1"
local-zone: "cds26.ams9.msecn.net" redirect
local-data: "cds26.ams9.msecn.net A 0.0.0.1"
local-zone: "choice.microsoft.com" redirect
local-data: "choice.microsoft.com A 0.0.0.1"
local-zone: "choice.microsoft.com.nsatc.net" redirect
local-data: "choice.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "compatexchange.cloudapp.net" redirect
local-data: "compatexchange.cloudapp.net A 0.0.0.1"
local-zone: "corp.sts.microsoft.com" redirect
local-data: "corp.sts.microsoft.com A 0.0.0.1"
local-zone: "corpext.msitadfs.glbdns2.microsoft.com" redirect
local-data: "corpext.msitadfs.glbdns2.microsoft.com A 0.0.0.1"
local-zone: "cs1.wpc.v0cdn.net" redirect
local-data: "cs1.wpc.v0cdn.net A 0.0.0.1"
local-zone: "db3aqu.atdmt.com" redirect
local-data: "db3aqu.atdmt.com A 0.0.0.1"
local-zone: "df.telemetry.microsoft.com" redirect
local-data: "df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "diagnostics.support.microsoft.com" redirect
local-data: "diagnostics.support.microsoft.com A 0.0.0.1"
local-zone: "ec.atdmt.com" redirect
local-data: "ec.atdmt.com A 0.0.0.1"
local-zone: "fe2.update.microsoft.com.akadns.net" redirect
local-data: "fe2.update.microsoft.com.akadns.net A 0.0.0.1"
local-zone: "feedback.microsoft-hohm.com" redirect
local-data: "feedback.microsoft-hohm.com A 0.0.0.1"
local-zone: "feedback.search.microsoft.com" redirect
local-data: "feedback.search.microsoft.com A 0.0.0.1"
local-zone: "feedback.windows.com" redirect
local-data: "feedback.windows.com A 0.0.0.1"
local-zone: "flex.msn.com" redirect
local-data: "flex.msn.com A 0.0.0.1"
local-zone: "g.msn.com" redirect
local-data: "g.msn.com A 0.0.0.1"
local-zone: "h1.msn.com" redirect
local-data: "h1.msn.com A 0.0.0.1"
local-zone: "h2.msn.com" redirect
local-data: "h2.msn.com A 0.0.0.1"
local-zone: "i1.services.social.microsoft.com" redirect
local-data: "i1.services.social.microsoft.com A 0.0.0.1"
local-zone: "i1.services.social.microsoft.com.nsatc.net" redirect
local-data: "i1.services.social.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "lb1.www.ms.akadns.net" redirect
local-data: "lb1.www.ms.akadns.net A 0.0.0.1"
local-zone: "live.rads.msn.com" redirect
local-data: "live.rads.msn.com A 0.0.0.1"
local-zone: "m.adnxs.com" redirect
local-data: "m.adnxs.com A 0.0.0.1"
local-zone: "m.hotmail.com" redirect
local-data: "m.hotmail.com A 0.0.0.1"
local-zone: "msedge.net" redirect
local-data: "msedge.net A 0.0.0.1"
local-zone: "msftncsi.com" redirect
local-data: "msftncsi.com A 0.0.0.1"
local-zone: "msnbot-65-55-108-23.search.msn.com" redirect
local-data: "msnbot-65-55-108-23.search.msn.com A 0.0.0.1"
local-zone: "msntest.serving-sys.com" redirect
local-data: "msntest.serving-sys.com A 0.0.0.1"
local-zone: "oca.telemetry.microsoft.com" redirect
local-data: "oca.telemetry.microsoft.com A 0.0.0.1"
local-zone: "oca.telemetry.microsoft.com.nsatc.net" redirect
local-data: "oca.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "pre.footprintpredict.com" redirect
local-data: "pre.footprintpredict.com A 0.0.0.1"
local-zone: "preview.msn.com" redirect
local-data: "preview.msn.com A 0.0.0.1"
local-zone: "pricelist.skype.com" redirect
local-data: "pricelist.skype.com A 0.0.0.1"
local-zone: "rad.live.com" redirect
local-data: "rad.live.com A 0.0.0.1"
local-zone: "rad.msn.com" redirect
local-data: "rad.msn.com A 0.0.0.1"
local-zone: "redir.metaservices.microsoft.com" redirect
local-data: "redir.metaservices.microsoft.com A 0.0.0.1"
local-zone: "reports.wes.df.telemetry.microsoft.com" redirect
local-data: "reports.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "s.gateway.messenger.live.com" redirect
local-data: "s.gateway.messenger.live.com A 0.0.0.1"
local-zone: "s0.2mdn.net" redirect
local-data: "s0.2mdn.net A 0.0.0.1"
local-zone: "schemas.microsoft.akadns.net" redirect
local-data: "schemas.microsoft.akadns.net A 0.0.0.1"
local-zone: "secure.adnxs.com" redirect
local-data: "secure.adnxs.com A 0.0.0.1"
local-zone: "secure.flashtalking.com" redirect
local-data: "secure.flashtalking.com A 0.0.0.1"
local-zone: "services.wes.df.telemetry.microsoft.com" redirect
local-data: "services.wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "settings-sandbox.data.microsoft.com" redirect
local-data: "settings-sandbox.data.microsoft.com A 0.0.0.1"
local-zone: "settings-win.data.microsoft.com" redirect
local-data: "settings-win.data.microsoft.com A 0.0.0.1"
local-zone: "sls.update.microsoft.com.akadns.net" redirect
local-data: "sls.update.microsoft.com.akadns.net A 0.0.0.1"
local-zone: "so.2mdn.net" redirect
local-data: "so.2mdn.net A 0.0.0.1"
local-zone: "sqm.df.telemetry.microsoft.com" redirect
local-data: "sqm.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "sqm.telemetry.microsoft.com" redirect
local-data: "sqm.telemetry.microsoft.com A 0.0.0.1"
local-zone: "sqm.telemetry.microsoft.com.nsatc.net" redirect
local-data: "sqm.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "static.2mdn.net" redirect
local-data: "static.2mdn.net A 0.0.0.1"
local-zone: "statsfe1.ws.microsoft.com" redirect
local-data: "statsfe1.ws.microsoft.com A 0.0.0.1"
local-zone: "statsfe2.update.microsoft.com.akadns.net" redirect
local-data: "statsfe2.update.microsoft.com.akadns.net A 0.0.0.1"
local-zone: "statsfe2.ws.microsoft.com" redirect
local-data: "statsfe2.ws.microsoft.com A 0.0.0.1"
local-zone: "survey.watson.microsoft.com" redirect
local-data: "survey.watson.microsoft.com A 0.0.0.1"
local-zone: "telecommand.telemetry.microsoft.com" redirect
local-data: "telecommand.telemetry.microsoft.com A 0.0.0.1"
local-zone: "telecommand.telemetry.microsoft.com.nsatc.net" redirect
local-data: "telecommand.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "telemetry.appex.bing.net" redirect
local-data: "telemetry.appex.bing.net A 0.0.0.1"
local-zone: "telemetry.appex.bing.net:443" redirect
local-data: "telemetry.appex.bing.net:443 A 0.0.0.1"
local-zone: "telemetry.microsoft.com" redirect
local-data: "telemetry.microsoft.com A 0.0.0.1"
local-zone: "telemetry.urs.microsoft.com" redirect
local-data: "telemetry.urs.microsoft.com A 0.0.0.1"
local-zone: "ui.skype.com" redirect
local-data: "ui.skype.com A 0.0.0.1"
local-zone: "view.atdmt.com" redirect
local-data: "view.atdmt.com A 0.0.0.1"
local-zone: "vortex-bn2.metron.live.com.nsatc.net" redirect
local-data: "vortex-bn2.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-cy2.metron.live.com.nsatc.net" redirect
local-data: "vortex-cy2.metron.live.com.nsatc.net A 0.0.0.1"
local-zone: "vortex-sandbox.data.microsoft.com" redirect
local-data: "vortex-sandbox.data.microsoft.com A 0.0.0.1"
local-zone: "vortex-win.data.microsoft.com" redirect
local-data: "vortex-win.data.microsoft.com A 0.0.0.1"
local-zone: "vortex.data.microsoft.com" redirect
local-data: "vortex.data.microsoft.com A 0.0.0.1"
local-zone: "watson.live.com" redirect
local-data: "watson.live.com A 0.0.0.1"
local-zone: "watson.microsoft.com" redirect
local-data: "watson.microsoft.com A 0.0.0.1"
local-zone: "watson.ppe.telemetry.microsoft.com" redirect
local-data: "watson.ppe.telemetry.microsoft.com A 0.0.0.1"
local-zone: "watson.telemetry.microsoft.com" redirect
local-data: "watson.telemetry.microsoft.com A 0.0.0.1"
local-zone: "watson.telemetry.microsoft.com.nsatc.net" redirect
local-data: "watson.telemetry.microsoft.com.nsatc.net A 0.0.0.1"
local-zone: "wes.df.telemetry.microsoft.com" redirect
local-data: "wes.df.telemetry.microsoft.com A 0.0.0.1"
local-zone: "www.msftncsi.com" redirect
local-data: "www.msftncsi.com A 0.0.0.1"</pre>

== DNSCrypt ==
You'll need to pin the testing repository. See: [[Alpine Linux package management#Repository pinning]]

Then install:

{{cmd|apk add dnscrypt-proxy@testing}}

=== /etc/conf.d/dnscrypt-proxy ===
Enter a dnscrypt server, it should look something like this:

<pre># DNSCRYPT_LOGFILE=/var/log/dnscrypt-proxy/dnscrypt-proxy.log

# override listen address where DNSCRYPT listen
DNSCRYPT_LOCALIP=127.0.0.2:53

RESOLVER=208.67.220.220:443
PROVIDER=2.dnscrypt-cert.opendns.com
PUBKEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79</pre>

Finally add both to the default run level
{{cmd|rc-update add unbound default}}
{{cmd|rc-update add dnscrypt-proxy default}}

= WiFi 802.1x EAP and FreeRadius =
A more secure way than using pre-shared keys (WPA2) is to use [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS] and use separate certificates for each device. See [[FreeRadius EAP-TLS configuration]]

= VPN Tunnel on specific subnet =
As mentioned earlier in this article it might be useful to have a VPN subnet and a non-VPN subnet. Typically gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.

Install the necessary packages:
{{cmd|apk add openvpn iproute2 iputils}}

== /etc/modules ==
You'll want to add the tun module
<pre>tun</pre>

== /etc/iproute2/rt_tables ==
Add the two routing tables to the bottom of rt_tables. It should look something like this:
<pre>#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 ISP
2 VPN</pre>

== /etc/network/interfaces ==
Next up add the virtual interface: eth0:2, just under eth0 will do:

<pre>auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0

# Virtual interface
auto eth0:2
iface eth0:2 inet static
address 192.168.2.1
netmask 255.255.255.0
post-up /etc/network/fwmark_rules</pre>

== /etc/sysctl.conf ==
If you want to use fwmark rules you need to change this setting. It causes the router to still do source validation.

<pre>net.ipv4.conf.all.rp_filter = 2</pre>

fwmark won't work if you have this set to 1.

== /etc/network/fwmark_rules ==
In this file we want to put the fwmark rules and set the correct priorities.

<pre>#!/bin/sh

# Normal packets to go direct out WAN
/sbin/ip rule add fwmark 1 table ISP prio 100

# Put packets destined into VPN when VPN is up
/sbin/ip rule add fwmark 2 table VPN prio 200

# Prevent packets from being routed out when VPN is down.
# This prevents packets from falling back to the main table
# that has a priority of 32766
/sbin/ip rule add prohibit fwmark 2 prio 300</pre>

== /etc/ppp/ip-up ==
Next up we want to create the routes that should be run when PPP comes online. There are special hooks we can use in ip-up and ip-down to refer to the IP address, [https://ppp.samba.org/pppd.html#sect13 ppp man file - Scripts ] You can also read about them in your man file if you have ppp-doc installed.

<pre>#!/bin/sh
#
# This script is run by pppd when there's a successful ppp connection.
#

# Flush out any old rules that might be there
/sbin/ip route flush table ISP

# Add route to table from subnets on LAN
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP

# Add route from IP given by ISP to the table
/sbin/ip rule add from ${IPLOCAL} table ISP prio 100

# Add a default route
/sbin/ip route add table ISP default via ${IPLOCAL}</pre>

== /etc/ppp/ip-down ==
<pre>#!/bin/sh
#
# This script is run by pppd after the connection has ended.
#

# Delete the rules when we take the interface down
/sbin/ip rule del from ${IPLOCAL} table ISP prio 100</pre>

== /etc/openvpn/route-up-fwmark.sh ==
OpenVPN needs similar routing scripts and it also has it's own special hooks that allow you to specify particular values. A full list is here [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man file - Environmental Variables]

<pre>#!/bin/sh
#
# This script is run by OpenVPN when there's a successful VPN connection.
#

# Flush out any old rules that might be there
/sbin/ip route flush table VPN

# Add route to table from 192.168.2.0/24 subnet on LAN
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN

# Add route from VPN interface IP to the VPN table
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200

# Add a default route
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre>

== /etc/openvpn/route-pre-down-fwmark.sh ==

<pre>#!/bin/sh
#
# This script is run by OpenVPN after the connection has ended
#

# Delete the rules when we take the interface down
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre>

What I did find was when starting and stopping the OpenVPN service if you used:

{{cmd|service openvpn stop}}

The rules in route-pre-down-fwmark.sh were not executed.

However:

{{cmd|/etc/init.d/openvpn stop}}

seemed to work correctly.

== Advanced IPtables rules that allow us to route into our two routing tables ==
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0 to go through the VPN using marked packets.

I used these guides to write complete this:

* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]

<pre>#########################################################################
# Advanced routing rule set
# Uses 192.168.1.0 via ISP
# 192.168.2.0 via VPN
#
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN
#
#########################################################################

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20

# Allows routing to our modem subnet so we can access the web interface
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the VPN tunnel
-A POSTROUTING -o tun0 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]

# Create a log drop chain
:LOG_DROP - [0:0]

# Create a reject chain
:LOG_REJECT - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0

# Forward traffic to ISP
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT

# Forward traffic to VPN
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT

# Allow excepted server to be FORWARD to ppp0
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# Forward SSH packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward Bittorrent Port to workstation
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Ubiquiti UAP Device Discovery Broadcast
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic to router on both subnets
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow excepted server to be INPUT to eth0 from LAN
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# SSH To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# HTTP To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_PPP0 -j LOG_DROP

# Accept incoming tracked TUN0 connection
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on TUN0
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_TUN0 -j LOG_DROP
COMMIT

#
# Mangle Table
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# If packet MARK is 2, then it means there is already a connection mark and the
# original packet came in on VPN
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT

# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT

# Mark packets coming from 192.168.2.0/24 are 0x2
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff

# If packet MARK is 1, then it means there is already a connection mark and the
# original packet came in on ISP
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT

# Mark packets 192.168.1.0/24 are 0x1
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff

# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff

# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff

# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT</pre>

You may want to delete certain rules here that do not apply to you, eg the FreeRadius rules. That is covered later in this article.

== OpenVPN Routing ==
Usually when you connect with OpenVPN the remote VPN server will push routes down to your system. We don't want this as we still want to be able to access the internet without the VPN. We have also created our own routes that we want to use earlier in this guide.

You'll need to add this to the bottom of your OpenVPN configuration file:
<pre># Prevents default gateway from being set on the default routing table
route-noexec

# Allows route-up script to be executed
script-security 2

# Calls custom shell script after connection to add necessary routes
route-up /etc/openvpn/route-up-fwmark.sh
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre>

My VPNs are arranged like this in /etc/openvpn:

OpenVPN configuration file for that server:
<pre>countrycode.serverNumber.openvpn.conf</pre>

OpenVPN certs for that server:
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key
countrycode.serverNumber.openvpn/myKey.crt
countrycode.serverNumber.openvpn/myKey.key</pre>

So I use this helpful script to automate the process of changing between servers:

<pre>#!/bin/sh

vpn_server_filename=$1

rm /etc/openvpn/openvpn.conf
ln -s $vpn_server_filename /etc/openvpn/openvpn.conf
chown -R openvpn:openvpn /etc/openvpn
chmod -R a=-rwx,u=+rX /etc/openvpn
chmod u=x /etc/openvpn/*.sh*

if grep -Fxq "#CustomStuffHere" openvpn.conf
then
echo "Not adding custom routes, this server has been used previously"
else
echo "Adding custom route rules"

echo -e "#CustomStuffHere\
\n# Prevents default gateway from being set on the default routing table\
\nroute-noexec\
\n# Allows route-up script to be executed\
\nscript-security 2 \
\n# Calls custom shell script after connection to add necessary routes\
\nroute-up /etc/openvpn/route-up-fwmark.sh\
\nroute-pre-down /etc/openvpn/route-pre-down-fwmark.sh\
\n# Logging of OpenVPN to file\
\n#log /etc/openvpn/openvpn.log"\
>> /etc/openvpn/openvpn.conf
fi

echo "Remember to set BitTorrent port forward in vcp.ovpn.to control panel"</pre>

That way I can simply change between servers by running:
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}

and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:

{{cmd|service openvpn restart}}

Finally add openvpn to the default run level
{{cmd|rc-update add openvpn default}}

= Creating a LAN only Subnet =
In this section, we'll be creating a LAN only subnet. This subnet will be 192.168.3.0/24. The idea of this subnet is nodes in it cannot have their packets forwarded to the Internet, however they can be accessed via the other LAN subnets 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs although that would be recommended if you had a managed switch. The idea of this subnet is for things like WiFi access points, IP Phones which contact a local Asterisk server and of course printers.

At the end of this section we will have something like:

[[File:network_diagram2.png|center|Network Diagram]]

== /etc/iproute2/rt_tables ==
First up we'll add a third routing table:

<pre>3 LAN</pre>

== /etc/network/interfaces ==
Add a an extra interface.

<pre>auto eth0:3
iface eth0:3 inet static
address 192.168.3.1
netmask 255.255.255.0
post-up /etc/network/route_LAN</pre>

== /etc/network/route_LAN ==
This file will have our route added to it

<pre>#!/bin/sh

# Add routes from ISP to LAN
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN

# Add route from VPN to LAN
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN

# Add route from LAN to it's own table
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre>

== /etc/ppp/ip-up ==
Append a route from the LAN subnet to the ISP table

<pre># Add route to LAN subnet
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre>

== /etc/openvpn/route-up-fwmark.sh ==
Append a route from the LAN subnet to the VPN table

<pre># Add route to LAN only subnet
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre>

== /etc/ntpd.conf ==
Add a listen address for ntp (OpenNTPD).

You should now have:

<pre># Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1
listen on 192.168.2.1
listen on 192.168.3.1</pre>

Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.

== Blocking bogons ==
Our LAN now has 4 subnets in total that are possible:

* 192.168.0.0/30 (connection between modem and router)
* 192.168.1.0/24 (ISP table, directly routed out WAN)
* 192.168.2.0/24 (VPN table, routed out VPN)
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).

Everything else should be rejected. No packets should ever be forwarded on 192.168.5.2 or 10.0.0.5 for example.

=== Installing ipset ===
Install ipset:

{{cmd|apk add ipset}}

Add it to start up:
{{cmd|rc-update add ipset default}}

Now we need to load the lists of addresses into ipset [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run on a cron job if you wanted to regularly update it and for the full bogon list you should as they change when that address space has been allocated.

For the purpose of this we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list.

<pre>0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4</pre>

This is unlikely to change as it's the IPV4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script:

<pre>#! /bin/bash

# /usr/local/sbin/fullbogons-ipv4
# BoneKracker
# Rev. 11 October 2012
# Tested with ipset 6.13

# Purpose: Periodically update an ipset used in a running firewall to block
# bogons. Bogons are addresses that nobody should be using on the public
# Internet because they are either private, not to be assigned, or have
# not yet been assigned.
#
# Notes: Call this from crontab. Feed updated every 4 hours.

# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
# Use alternative URL from pfSense, due to 404 error with URL above
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"
ipset_params="hash:net"

filename=$(basename ${target})
firewall_ipset=${filename%.*} # ipset will be filename minus ext
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same
data_file="${data_dir}/${filename}"

# if data directory does not exist, create it
mkdir -pm 0750 ${data_dir}

# function to get modification time of the file in log-friendly format
get_timestamp() {
date -r $1 +%m/%d' '%R
}

# file modification time on server is preserved during wget download
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})

# fetch file only if newer than the version we already have
wget -qNP ${data_dir} ${target}

if [ "$?" -ne "0" ]; then
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."
exit 1
fi

timestamp=$(get_timestamp ${data_file})

# compare timestamps because wget returns success even if no newer file
if [ "${timestamp}" != "${old_timestamp}" ]; then

temp_ipset="${firewall_ipset}_temp"
ipset create ${temp_ipset} ${ipset_params}

#sed -i '/^#/d' ${data_file} # strip comments
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml

while read network; do
ipset add ${temp_ipset} ${network}
done < ${data_file}

# if ipset does not exist, create it
ipset create -exist ${firewall_ipset} ${ipset_params}

# swap the temp ipset for the live one
ipset swap ${temp_ipset} ${firewall_ipset}
ipset destroy ${temp_ipset}

# log the file modification time for use in minimizing lag in cron schedule
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."

fi</pre>

Now you should see the list loaded into memory when you do:

{{cmd|ipset list}}

We want to save it so our router can refer to it next time it starts up so for that:

{{cmd|/etc/init.d/ipset save}}

== Restricting our LAN subnet with iptables, and blocking the bogons ==

Finally we can apply our iptables rules, to filter both 192.168.3.0/24 and make sure that subnets like 192.168.5.0/24 are not forwarded or accessible by our router. You will need to review these rules, and remove the ones that do not apply to you.

Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf

<pre>#########################################################################
# Advanced routing rule set
# Uses 192.168.1.0 via ISP
# 192.168.2.0 via VPN
# 192.168.3.0 via LAN
#
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto
# the internet
#
#########################################################################

#
# Mangle Table
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle

# Set default policies for table
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# If packet MARK is 2, then it means there is already a connection mark and the
# original packet came in on VPN
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT

# Check exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) are 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT

# Mark packets coming from 192.168.2.0/24 are 0x2
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff

# If packet MARK is 1, then it means there is already a connection mark and the
# original packet came in on ISP
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT

# Mark packets 192.168.1.0/24 are 0x1
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff

# Mark exception (this is a server which when accessed on a 192.168.2.0/24 address will go out the ISP table) as 0x1
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffff

# Strip mark if packet is destined for modem.
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff

# Strip mark if unknown bogon range to be blocked
-A PREROUTING -m set --match-set bogon-bn-nonagg dst -j MARK --set-xmark 0x0/0xffffffff

# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]

# Create a drop chain
:LOG_DROP - [0:0]

# Create a reject chain
:LOG_REJECT - [0:0]

# Create an output chain
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Forward traffic to Modem
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT

# Allow routing to remote address on VPN
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT

# Allow forwarding from LAN hosts to LAN ONLY subnet
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT

# Allow LAN ONLY subnet to contact other LAN hosts
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT

# Refuse to forward bogons to the internet! eg 192.168.9.0/24 or 10.0.0.0
# or any other range which we are not using on our LAN
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_REJECT

# Forward traffic to ISP
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT

# Forward traffic to VPN
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT

# Prevent 192.168.3.0/24 from accessing internet
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT

# Allow excepted server to be FORWARD to ppp0
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# Forward SSH packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward HTTP packets from network to mode
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward Bittorrent Port to workstation
-A FWD_TUN0 -d 192.168.2.30/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.2.30/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH to Router
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# FreeRadius Client (eg a UniFi AP)
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Ubiquiti UAP Device Discovery Broadcast
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# NTP to Router
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic to router on both subnets
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow excepted server to be INPUT to eth0 from LAN
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT

# SSH To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# HTTP To Modem from Router
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Deny bogons from ISP
-A IN_PPP0 -m set --match-set bogon-bn-nonagg src -j LOG_REJECT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_PPP0 -j LOG_DROP

# Accept traffic from IP on VPN (exception not a bogon)
-A IN_TUN0 -d 172.16.32.0/20 -j ACCEPT

# Accept incoming tracked TUN0 connection
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on TUN0
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6
-A IN_TUN0 -j LOG_DROP

# Log rejected packets
-A LOG_REJECT -j LOG --log-prefix "Rejected Bogon: " --log-level 6
-A LOG_REJECT -j REJECT --reject-with icmp-port-unreachable

# Deny bogons to ISP
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_REJECT

# Allow traffic to IP on VPN (exception not a bogon)
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT

# Deny bogons to VPN
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_REJECT
COMMIT

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20

# Allows routing to our modem subnet so we can access the web interface
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows hosts of the network to use the VPN tunnel
-A POSTROUTING -o tun0 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT</pre>

= Other Tips =

== lbu cache ==
Configure lbu cache so that you don't need to download packages when you restart your router eg [[Local APK cache]]

This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.

== lbu encryption /etc/lbu/lbu.conf ==
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.

<pre># what cipher to use with -e option
DEFAULT_CIPHER=aes-256-cbc

# Uncomment the row below to encrypt config by default
ENCRYPTION=$DEFAULT_CIPHER

# Uncomment below to avoid <media> option to 'lbu commit'
# Can also be set to 'floppy'
LBU_MEDIA=mmcblk0p1

# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls
# in a normal directory instead of mounting an external media.
# LBU_BACKUPDIR=/root/config-backups

# Uncomment below to let lbu make up to 3 backups
# BACKUP_LIMIT=3</pre>

Remember to set a root password, by default Alpine Linux's root account is passwordless.
{{cmd|passwd root}}

== Backup apkprov ==
It's a good idea to back up your apk provision file. You can pull it off your router to your local workstation with:

{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}

And decrypt it with:
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}

It can be encrypted with:
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}

== Harden SSH ==

=== Generate a SSH key ===
{{cmd|ssh-keygen -t rsa -b 4096}}

You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys

You can put multiple public keys on multiple lines if more than one person has access to the router.

=== /etc/ssh/sshd_config ===
A couple of good options to set in here can be:

<pre>ListenAddress 192.168.1.1
ListenAddress 192.168.2.1</pre>

While this isn't usually a good idea, a router doesn't need more than one user.
<pre>PermitRootLogin yes</pre>

The most important options:
<pre>RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no</pre>

=== /etc/conf.d/sshd ===
You will want to add <pre>rc_need="net"</pre>

This instructs OpenRC to make sure the network is up before starting ssh.

Finally add sshd to the default run level
{{cmd|rc-update add sshd default}}

= References =
* https://wiki.gentoo.org/wiki/Home_Router
* https://help.ubuntu.com/community/ADSLPPPoE
* https://wiki.archlinux.org/index.php/Router
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]

UFW

2015-10-01T17:12:01Z

Summer: Redirects to Uncomplicated Firewall

#REDIRECT[[Uncomplicated Firewall]]

Uncomplicated Firewall

2015-10-01T17:08:24Z

Summer: Diskless mode

UFW stands for [https://launchpad.net/ufw Uncomplicated Firewall], and is a program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

== Installation ==

UFW can be found in the testing repository. Read [[Alpine_Linux_package_management#Repository_pinning]] to enable the testing repository.

Once the testing repository has been enabled, UFW can be installed by issuing the following command:
{{cmd| apk add ip6tables ufw@testing}}

== Basic configuration ==

The following is a simple configuration that will deny all incoming and outgoing data communication by default and allow incoming SSH, outgoing DNS and NTP traffic:

{{cmd|ufw default deny incoming
ufw default deny outgoing
ufw limit SSH # open SSH port and protect against brute-force login attacks
ufw allow out DNS # allow outgoing DNS
ufw allout out 123 # allow outgoing NTP}}

The following lines are only needed the first time you install the package:
{{cmd|ufw enable
rc-update add ufw # add UFW init scripts}}

Check the status of UFW:
{{cmd|ufw status}}

== Diskless mode ==

If you have installed Alpine Linux as [[Installation#Installation_Handbook|diskless]] then you need to use [[Alpine local backup|Alpine Local Backup (lbu)]] to save your UFW configuration. UFW data is stored in <code>/usr/lib/ufw</code>, therefore use the following commands to save the UFW configuration:
{{cmd|lbu add /usr/lib/ufw
lbu commit}}

[[Category:Networking]]
[[Category:Security]]

Uncomplicated Firewall

2015-10-01T16:58:23Z

Summer: Basic configuration section

Uncomplicated Firewall

2015-10-01T16:43:42Z

Summer: Added installation section

Uncomplicated Firewall

2015-10-01T16:37:36Z

Summer: Created UFW wiki page

Raspberry Pi

2015-10-01T16:14:03Z

Summer: /* Installation */

Tutorials and Howtos

2015-09-28T20:49:14Z

Summer: Added Raspberry Pi installation tutorial link

[[Image:package_edutainment.svg|right|link=]]
{{TOC left}}
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''

The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.

Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.

We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].

{{Clear}}
== Storage ==

* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' 
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]

* [[Setting up disks manually]] 
* [[Setting up a software RAID array]]

* [[Raid Administration]]
* [[Setting up encrypted volumes with LUKS]]
* [[Setting up LVM on LUKS]]
* [[Setting up Logical Volumes with LVM]]
** [[Setting up LVM on GPT-labeled disks]]
** [[Installing on GPT LVM]]
* [[Filesystems|Formatting HD/Floppy/Other]] 

* [[Setting up iSCSI]]
** [[iSCSI Raid and Clustered File Systems]]
* [[Setting up NBD]]
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' 
* [[Linux iSCSI Target (TCM)]]
* [[Disk Replication with DRBD]] 

* [[Burning ISOs]] 
* [[Partitioning and Bootmanagers]]
* [[Migrating data]]
* [[Raspberry Pi|Raspberry Pi (Installation)]]
* [[Create a bootable Raspberry Pi SDHC from a Mac]]

== Networking ==

* [[Configure Networking]]
* [[Connecting to a wireless access point]]
* [[Bonding]]
* [[Vlan]]
* [[Bridge]]
* [[OpenVSwitch]]
* [[How to configure static routes]]

* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''

* [[PXE boot]]

* [[Using serial modem]]
* [[Using HSDPA modem]]
* [[Linux Router with VPN on a Raspberry Pi]]
* [[Setting up Satellite Internet Connection]]
* [[Using Alpine on Windows domain with IPSEC isolation]]

* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' 
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''

* [[Experiences with OpenVPN-client on ALIX.2D3]] 

* [[Generating SSL certs with ACF]] 
* [[Setting up unbound DNS server]]
* [[Setting up nsd DNS server]]
* [[TinyDNS Format]]
* [[Fault Tolerant Routing with Alpine Linux]] 
* [[Freeradius Active Directory Integration]]
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''
* [[OwnCloud]] ''(Installing OwnCloud)''

* [[Apache with php-fpm]]
* [[Seafile: setting up your own private cloud]]

== Post-Install ==


* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''

** [[Comparison with other distros]]
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''
** [[Multiple Instances of Services]]

* [[Alpine setup scripts#setup-xorg-base|Setting up Xorg]]
* [[Upgrading Alpine]]


* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''
* [[Changing passwords for ACF|Changing passwords]]
* [[Ansible]] ''(Configuration management)''

* [[Enable Serial Console on Boot]]


== Virtualization==

* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''
* [[Xen Dom0 on USB or SD]]
* [[Create Alpine Linux PV DomU]]
* [[Xen PCI Passthrough]]
* [[Xen LiveCD]]
* [[qemu]]
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''
* [[Docker]]

== Desktop Environment ==

* [[Awesome(wm) Setup]]
* [[EyeOS]] ''(Cloud Computing Desktop)''
* [[Gnome Setup]]
* [[MATE|MATE Setup]]
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')
* [[Remote Desktop Server]]
* [[Suspend on LID close]]
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]
* [[Installing Adobe flash player for Firefox]]

== Applications ==

=== Telephony ===
* [[Setting up Zaptel/Asterisk on Alpine]]
** [[Setting up Streaming an Asterisk Channel]]
* [[Freepbx on Alpine Linux]]
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''

=== Mail ===
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''
** [[Hosting Web/Email services on Alpine]]
* [[ISP Mail Server HowTo]] 
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[Roundcube]] ''(Webmail system)''
* [[Setting up postfix with virtual domains]]
* [[Protecting your email server with Alpine]]
* [[Setting up clamsmtp]]
* [[Setting up dovecot with imap and ssl]]

=== HTTP ===
* [[Lighttpd]]
** [[Lighttpd Https access]]
** [[Setting Up Lighttpd with PHP]]
** [[Setting Up Lighttpd With FastCGI]]
* [[Cherokee]]
* [[Nginx]]
* [[Apache]]
** [[Setting Up Apache with PHP]]
** [[Apache authentication: NTLM Single Signon]]

* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' 

* [[Setting up Transparent Squid Proxy]] 
** [[SqStat]] ''(Script to look at active squid users connections)''
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[Setting up Explicit Squid Proxy]]

* [[Drupal]] ''(Content Management System (CMS) written in PHP)''
* [[WordPress]] ''(Web software to create website or blog)''
* [[MediaWiki]] ''(Free web-based wiki software application)''
* [[DokuWiki]]
* [[Darkhttpd]]

=== Other Servers ===
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''

* [[Setting up a nfs-server]]
* [[Phpizabi]] ''(Social Networking Platform)''
* [[Statusnet]] ''(Microblogging Platform)''
* [[Pastebin]] ''(Pastebin software application)''
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]

* [[Patchwork]] ''(Patch review management system)''
* [[Redmine]] ''(Project management system)''
* [[Request-Tracker]] ''(Ticket system)''
* [[OsTicket]] ''(Ticket system)''
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''

* [[Cgit]]
** [[Setting up a git repository server with gitolite and cgit]] 
* [[Roundcube]] ''(Webmail system)''
* [[Glpi]] ''(Manage inventory of technical resources)''

* [[How to setup a Alpine Linux mirror]]
* [[Cups]]
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''
* [[OpenVCP]] ''(VServer Control Panel)''
* [[Mahara]] ''(E-portfolio and social networking system)''
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]
* [[Sending SMS using gnokii]]

=== Monitoring ===
* Setting up [[collectd]]
* [[Traffic monitoring]] 
* [[Setting up traffic monitoring using rrdtool (and snmp)]] 
* [[Setting up monitoring using rrdtool (and rrdcollect)]]
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' 
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' 
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' 
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' 

* [[IP Accounting]] 
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[SqStat]] ''(Script to look at active squid users connections)''

* [[Piwik]] ''(A real time web analytics software program)''
* [[Awstats]] ''(Free log file analyzer)''
* [[Intrusion Detection using Snort]]
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''

* [[Webmin]] ''(A web-based interface for Linux system)''
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''
* [[Linfo]]

* [[Setting up lm_sensors]]

* [[ZoneMinder video camera security and surveillance]]

== Misc ==

* [[:Category:Shell]]
* [[:Category:Programming]]
* [[Running glibc programs]]
* [[:Category:Drivers]]
* [[:Category:Multimedia]]
* [[Kernel Modesetting]]

== Complete Solutions ==
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[High performance SCST iSCSI Target on Linux software Raid]]
* [[Fault Tolerant Routing with Alpine Linux]]
* [[Experiences with OpenVPN-client on ALIX.2D3]]
* [[Building a cloud with Alpine Linux]]

* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
* [[Streaming Security Camera Video with VLC]]
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]
* [[RPI Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''

Raspberry Pi

2015-09-28T20:45:41Z

Summer:

Raspberry Pi

2015-09-28T20:44:18Z

Summer:

[[Category:Installation]]
This tutorial will help you install Alpine Linux on your Raspberry Pi.

== Preparation ==

# [http://alpinelinux.org/downloads/ Download] Alpine for Raspberry Pi tarball
# Mount your SD card to your workstation
# Use [https://en.wikipedia.org/wiki/GNOME_Disks gnome-disks] or fdisk to create a vfat partition (file system id='c')
# Mark the newly created partition as bootable and save
# Mount the previously created filesystem
# Extract the tarball contents to your SD Card
# Unmount the SD Card.

== Installation ==

Alpine Linux will be installed as [[Installation#Installation_Handbook|diskless mode]], hence you need to use [[Alpine local backup|Alpine Local Backup (lbu)]] to save your modifications between reboots.

# Insert the SD Card into the Raspberry Pi and turn it on
# Login into the Alpine system
# Type <code>setup-alpine</code>
# Once the installation is complete, commit the changes by typing <code>lbu commit</code>
# Reboot to verify that the installation was indeed successful.

Raspberry Pi

2015-09-28T20:41:44Z

Summer:

Raspberry Pi

2015-09-28T20:37:33Z

Summer: /* Installation */

[[Category:Installation]]

This tutorial will help you install Alpine Linux on your Raspberry Pi.

== Preparation ==

# [http://alpinelinux.org/downloads/ Download] Alpine for Raspberry Pi tarball
# Mount your SD card to your workstation
# Use [https://en.wikipedia.org/wiki/GNOME_Disks gnome-disks] or fdisk to create a vfat partition (file system id='c')
# Mark the newly created partition as bootable and save
# Mount the previously created filesystem
# Extract the tarball contents to your SD Card
# Unmount the SD Card.

== Installation ==

Alpine Linux will be installed as [[Installation#Installation_Handbook|diskless mode]], hence you need to use [[Alpine local backup|Alpine Local Backup (lbu)]] to save your modifications between reboots.

# Insert the SD Card into the Raspberry Pi and turn it on
# Login into the Alpine system
# Type <code>setup-alpine</code>
# Once the installation is complete, commit the changes by typing <code>lbu commit</code>
# Reboot to verify that the installation was indeed successful.

Raspberry Pi

2015-09-28T20:32:56Z

Summer: Added installation section

[[Category:Installation]]

This tutorial will help you install Alpine Linux on your Raspberry Pi.

== Preparation ==

# [http://alpinelinux.org/downloads/ Download] Alpine for Raspberry Pi tarball
# Mount your SD card to your workstation
# Use [https://en.wikipedia.org/wiki/GNOME_Disks gnome-disks] or fdisk to create a vfat partition (file system id='c')
# Mark the newly created partition as bootable and save
# Mount the previously created filesystem
# Extract the tarball contents to your SD Card
# Unmount the SD Card.

== Installation ==

# Insert the SD Card into the Raspberry Pi and turn it on
# Login into the Alpine system
# Type <code>setup-alpine</code>
# Once the installation is complete, commit the changes by typing <code>lbu commit</code>

Raspberry Pi

2015-09-28T20:27:23Z

Summer: Preparation section

[[Category:Installation]]

This tutorial will help you install Alpine Linux on your Raspberry Pi.

=Preparation=

# [http://alpinelinux.org/downloads/ Download] Alpine for Raspberry Pi tarball
# Mount your SD card to your workstation
# Use [https://en.wikipedia.org/wiki/GNOME_Disks gnome-disks] or fdisk to create a vfat partition (file system id='c')
# Mark the newly created partition as bootable and save
# Mount the previously created filesystem
# Extract the tarball contents to your SD Card
# Unmount the SD Card.

Raspberry Pi

2015-09-28T20:13:35Z

Summer: Created a tutorial for Raspberry Pi

[[Category:Installation]]

This tutorial will help you install Alpine Linux on your Raspberry Pi.