kyle
/
wesley-dust-route


			
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798
							#!/bin/bash

# external network
: this is the address provided by Mediacom Cable
: "173.29.124.66/21 brd 173.29.127.255"

: "UPDATE on 2020 Dec 15th mediacom issued new lease before old expired
173.31.30.236/21 and the internet on the other computers went 'out'
to fix it the nat needs to forward packets using the new address
wes added a new rule for 
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to-source 173.31.30.236;

then it did not work, but this is because there were two rule for the same thing
iptables -t nat -L --line-numbers
then look for the line number of the previous matching rule
then delete it
iptables -t nat -D POSTROUTING 1
"

# local network
: this is a random number that matches the SurfBoard Modem
: "local address inet 192.168.100.10/24"

# Hardware
: "ethernet adapter" "enp6s0 b8:70:f4:a6:62:e8"
: "unused wifi adapter" "wlp7s0 92:01:0f:e1:90:20"


# STEP 1
: "# add network addresses computer" "
ip addr add 192.168.100.10/24 dev enp6s0;
ip addr add 173.29.124.66/21 dev enp6s0;
"

# STEP 2
: "# add a route to the internet gateway" "
ip route add default via 173.29.120.1 dev enp6s0;
"

# STEP 3
: "# add NAT" "
iptables -F;  # this actually removes previous rules
iptables -t nat -F;
iptables -P INPUT ACCEPT;
iptables -P OUTPUT ACCEPT;
iptables -P FORWARD DROP;
"

# STEP 4
: "# add the LAN side of NAT" "
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to-source 173.29.124.66;
iptables -A FORWARD -i enp6s0 -o enp6s0 -s 192.168.100.0/24 -j ACCEPT;
iptables -A FORWARD -i enp6s0 -o enp6s0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
"

# STEP 5
: "# enable kernel forwarding module" "
echo 1 >/proc/sys/net/ipv4/ip_forward;
"

# STEP 5.5
: "# enable pptp for soheyl's Synology VPN" "
## probably needs conntrack installed....
## this adds conntection tracking to outbound Msft GRE (invalid tcp)
## packets and converts them into ESTABLISHED,RELATED
iptables -t nat -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
"


### TROUBLESHOOTING
: "test if forwarding is enabled (1 is enabled, 0 not)" "
sysctl net.ipv4.ip_forward
"

: "MS PPTP stuff" "

### [!] actually ignore this, use the instructions for pptp above ###
# modprobe the following:
#  ip_nat_pptp ->  alias for nf_nat_pptp
#  ip_conntrack_pptp (probably not needed loaded as dep for above)
#  ip_gre (probably not needed loaded as dep for above)

# install conntrack software
# sudo apt install conntrack

# Kernel 4.7 and net.netfilter.nf_conntack_helper = 0 is default
# someone decided that nf_conntrack_helper should not be enabled
#   edit /etc/sysctl.conf add:
#       net.netfilter.nf_conntrack_helper = 1
#   then reload: sysctl -p
"

: "MS PPTP part II" "
it turns out that the nf_conntrack_helper module enables too many security issues
and the consensus is to turn off the shotgun and instead enable security issues
on a one-by-one basis, for PPTP:
iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
"