#!/bin/bash
# Stop at the first failing step: each section below assumes the previous
# one completed, so a partial run must not continue silently.
set -o errexit
# NOTE(review): -u and -o pipefail are deliberately not enabled here.
# common.sh is not visible from this file, and the hostname generator
# further down relies on `head` closing its input pipe early, which
# pipefail would turn into a failure.
# common.sh is expected to provide action_msg, used to announce each step.
. common.sh
################################################################################
# SSH tunnel middlebox bootstrap script for Arch Linux on a RasPi 3
#
# DEFAULTS:
# -- SOCKS proxy on the built-in wired network interface (eth0)
# -- Outbound via an external USB wired network interface (eth1)
#
# OPTIONS:
# -- Outbound via the built-in wireless network interface (wlan0)
# -- Randomise MAC addresses
################################################################################
action_msg "pacman"
# Full system upgrade first, then the extras. --needed skips packages that
# are already current; no --noconfirm, so pacman still prompts as usual.
pacman -Syu
admin_pkgs=(htop rng-tools screen sudo vim)
tunnel_pkgs=(autossh dnsmasq macchanger ntp)
pacman -S --needed "${admin_pkgs[@]}"
pacman -S --needed "${tunnel_pkgs[@]}"
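action_msg "/etc/sudoers.d/alarm"
# Passwordless root for the default "alarm" account. Written as a drop-in
# instead of appending to /etc/sudoers: the packaged file stays untouched,
# a re-run does not stack duplicate lines, and the rule is validated with
# visudo before it can take effect (a syntax error in sudoers locks every
# user out of sudo).
# NOTE(review): NOPASSWD:ALL is unrestricted root with no password prompt —
# consider narrowing it to the commands the operator actually needs.
# Relies on the @includedir /etc/sudoers.d directive that sudo's default
# sudoers ships; confirm it is present on this image.
sudoers_drop_in=$(mktemp) || exit 1
printf '%s\n' "alarm ALL=(ALL) NOPASSWD:ALL" > "$sudoers_drop_in"
visudo -cf "$sudoers_drop_in"
install -m 0440 -o root -g root -- "$sudoers_drop_in" /etc/sudoers.d/alarm
rm -f -- "$sudoers_drop_in"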
action_msg "/etc/conf.d/rngd && rngd.service"
# Feed the kernel entropy pool from the board's hardware RNG.
printf '%s\n' 'RNGD_OPTS="-o /dev/random -r /dev/hwrng"' > /etc/conf.d/rngd
systemctl enable rngd.service
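action_msg "/etc/hostname"
# Random 12-character hostname (upper-case letters and digits). The
# substitution is quoted now; the original passed it to echo unquoted,
# which subjects the value to word splitting and globbing (SC2046).
printf '%s\n' "$(tr -dc 'A-Z0-9' < /dev/urandom | head -c 12)" > /etc/hostname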
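action_msg "network.service"
# Drop the image's networkd profile for eth0; our own unit below takes over.
# -f: a profile that is already gone (re-run) is not an error.
rm -f -- /etc/systemd/network/eth0.network
# Create the file owner-only before the passphrase is written into it:
# a plain `cat >` would leave the Wi-Fi PSK world-readable under the
# default umask. Quoted heredoc delimiter: the config is written literally.
# NOTE(review): ssid/psk below look like placeholders — substitute the real
# credentials at deploy time rather than keeping them in this script.
install -m 0600 -o root -g root /dev/null /etc/wpa_supplicant/default.conf
cat > /etc/wpa_supplicant/default.conf << '__EOF__'
network={
ssid="foobar"
scan_ssid=1
key_mgmt=WPA-PSK
psk="f00b4r"
}
__EOF__
# Static 172.16.0.1/24 on eth0 (the LAN side), DHCP client on eth1 (the
# upstream side). The wlan0 lines stay commented out until the wireless
# uplink is wanted; the macchanger lines turn on MAC randomisation per
# interface.
cat > /etc/systemd/system/network.service << '__EOF__'
[Unit]
Description=Configure eth0 and eth1,wlan0 network interfaces
Wants=network.target
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
# eth0
ExecStart=/sbin/ip link set dev eth0 up
ExecStart=/sbin/ip addr add 172.16.0.1/24 broadcast 172.16.0.255 dev eth0
ExecStop=/sbin/ip addr flush dev eth0
ExecStop=/sbin/ip link set dev eth0 down
# eth1
#ExecStart=/usr/bin/macchanger -e eth1
ExecStart=/sbin/ip link set dev eth1 up
ExecStart=/usr/bin/dhcpcd eth1
ExecStop=/sbin/ip addr flush dev eth1
ExecStop=/sbin/ip link set dev eth1 down
# wlan0
#ExecStart=/usr/bin/macchanger -e wlan0
#ExecStart=/sbin/ip link set dev wlan0 up
#ExecStart=/usr/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/default.conf
#ExecStart=/usr/bin/dhcpcd wlan0
#ExecStop=/sbin/ip addr flush dev wlan0
#ExecStop=/sbin/ip link set dev wlan0 down
[Install]
WantedBy=multi-user.target
__EOF__
systemctl enable network.service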
action_msg "ntpdate.service && ntpd.service"
# ntpdate sets the clock once at boot; ntpd keeps it disciplined afterwards.
for time_unit in ntpdate ntpd.service; do
  systemctl enable "$time_unit"
done
action_msg "sshd.service"
# Administrative SSH access to the box itself (reachable on eth0 only,
# see the iptables rules further down).
systemctl enable sshd.service
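# Outbound iptables rules only allow connections to our SSH jump host.
action_msg "/etc/iptables/iptables.rules && iptables.service"
# Default-deny in every direction. Fix applied to the jump-host rule: it
# matched --ctstate NEW only, so with the OUTPUT policy at DROP the client's
# own ACK and data packets of the SSH session (ESTABLISHED) were dropped and
# the tunnel could never complete its handshake. NEW,ESTABLISHED accepts the
# rest of that single flow without opening anything else outbound.
# NOTE(review): 127.0.0.1 as the destination of the eth1 rule is clearly a
# placeholder (loopback never leaves eth1) — put the jump host's address
# there, the same host ssh_config's Hostname points at.
# NOTE(review): nothing here allows dhcpcd's own DHCP traffic on eth1;
# confirm a lease is actually obtained under these rules.
cat > /etc/iptables/iptables.rules << '__EOF__'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# replies to our own connections, loopback, ping
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# LAN side (eth0): admin ssh, SOCKS proxy, DHCP server
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
# upstream (eth1): the SSH jump host only, and only that flow
-A OUTPUT -o eth1 -d 127.0.0.1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -d 172.16.0.0/24 -j ACCEPT
COMMIT
__EOF__
systemctl enable iptables.service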
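# DNS resolutions are blocked due to the strict outbound iptables rules.
action_msg "/etc/resolv.conf"
# -f: tolerate a missing file or dangling symlink on a re-run.
rm -f -- /etc/resolv.conf
# Point the resolver at 127.0.0.1 (presumably the local dnsmasq) and make
# the file immutable so dhcpcd or resolvconf cannot rewrite it with an
# upstream server the firewall would block anyway.
printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
chattr +i /etc/resolv.conf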
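action_msg "/etc/dnsmasq.conf && dnsmasq.service"
# Start dnsmasq only once the tunnel service is up. Done as a systemd
# drop-in rather than sed-editing the packaged unit under /usr/lib: pacman
# overwrites that file on the next upgrade, and the sed silently did
# nothing unless the After= line matched exactly. After= is additive, so
# the unit's own network.target ordering is kept.
install -d -m 0755 /etc/systemd/system/dnsmasq.service.d
cat > /etc/systemd/system/dnsmasq.service.d/after-autossh.conf << '__EOF__'
[Unit]
After=autossh.service
__EOF__
# DHCP for the eth0 LAN only; bind-interfaces keeps it off eth1/wlan0.
cat > /etc/dnsmasq.conf << '__EOF__'
bind-interfaces
bogus-priv
dhcp-range=interface:eth0,172.16.0.100,172.16.0.199,255.255.255.0,12h
domain-needed
filterwin2k
interface=eth0
no-hosts
__EOF__
systemctl enable dnsmasq.service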
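action_msg "/etc/ssh/ssh_config && autossh.service"
# Client profile for the tunnel. Appended only once, so a re-run does not
# leave duplicate Host blocks behind.
# NOTE(review): foobar.tld and root look like placeholders. The private key
# at /etc/ssh/tunnel_id_rsa is not created by this script and must be
# root-only (0600), and the jump host's key must already be in root's
# known_hosts — a non-interactive ssh cannot answer the first-connection
# prompt. Pre-seed the key rather than disabling StrictHostKeyChecking.
if ! grep -qxF 'Host ssh-tunnel' /etc/ssh/ssh_config; then
  cat >> /etc/ssh/ssh_config << '__EOF__'
Host ssh-tunnel
# Bind the SOCKS port on the LAN address: a bare "DynamicForward 1080"
# binds loopback only, so the eth0 clients could never reach the proxy.
# Binding to 172.16.0.1 rather than 0.0.0.0 keeps it off eth1/wlan0.
DynamicForward 172.16.0.1:1080
# Let ssh exit (and autossh restart it) if the forward cannot be bound.
ExitOnForwardFailure yes
Hostname foobar.tld
IdentitiesOnly yes
IdentityFile /etc/ssh/tunnel_id_rsa
ProxyJump root@foobar.tld
ServerAliveCountMax 3
ServerAliveInterval 30
User root
__EOF__
fi
# Service unit. -f dropped: autossh would fork to the background and
# systemd (default Type=simple) would see its main process exit and kill
# the forked child; in the foreground it is supervised directly.
# -M 0 disables autossh's own monitor port — liveness comes from the
# ServerAlive* settings above — and AUTOSSH_GATETIME=0 makes autossh keep
# retrying even when the very first connection attempt fails.
cat > /etc/systemd/system/autossh.service << '__EOF__'
[Unit]
Description=Start and maintain an SSH tunnel at boot
After=network.target
[Service]
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 0 -T -N ssh-tunnel
Restart=on-failure
[Install]
WantedBy=multi-user.target
__EOF__
systemctl enable autossh.service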
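action_msg "/etc/bash.bashrc"
# Keep the on-disk shell history short.
printf '%s\n' "HISTFILESIZE=100" >> /etc/bash.bashrc
action_msg "/etc/fstab"
# Logs and temp files live in RAM (presumably to spare the SD card).
# mode=0755 on /var/log: a tmpfs root defaults to mode 1777, which would
# make the log directory world-writable; 0755 matches what a normal
# /var/log has. nodev,nosuid (plus noexec for the logs) limit what can be
# planted there by anything with local write access.
printf '%s\n' \
  "tmpfs /var/log tmpfs nodev,nosuid,noexec,mode=0755,size=16M 0 0" \
  "tmpfs /tmp tmpfs nodev,nosuid,size=16M 0 0" >> /etc/fstab
# Remove the on-disk copies so nothing persists; the mount points are
# recreated at boot. Done last on purpose: /tmp and the logs are gone for
# the rest of this session.
rm -R /var/log /tmp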