Newer
Older
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
# mesh utilities used by the batman and bmx commands
#
# License
# =======
#
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# File which contains the current protocol in use
MESH_CURRENT_PROTOCOL=/root/.mesh_protocol
MESH_DEFAULT_PROTOCOL=/root/.mesh_protocol_default
function mesh_generate_ipv6_address {
network=fd66:66:66
if [ "$1" ]; then
search_ipv6=$(ifconfig "$1" | grep "$network")
if [ "$search_ipv6" ]; then
result=$(ifconfig "$1" | grep "$network" | awk -F ' ' '{print $2}')
ip -6 addr add "${result}/128" dev "$1"
return
fi
fi
ipv6_array=( 1 2 3 4 5 6 7 8 9 0 a b c d e f )
a=${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}
b=${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}
c=${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}
d=${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}
e=${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}${ipv6_array[$RANDOM%16]}
result=$network:$a:$b:$c:$d:$e
function mesh_protocol_init {
if [[ $1 == "start" ]]; then
# install avahi
sed -i "s|#host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
sed -i "s|host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv4=.*|use-ipv4=no|g" /etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv6=.*|use-ipv6=yes|g" /etc/avahi/avahi-daemon.conf
sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" /etc/avahi/avahi-daemon.conf
sed -i "s|hosts:.*|hosts: files mdns4_minimal mdns4 mdns dns|g" /etc/nsswitch.conf
if [ -f "$COMPLETION_FILE" ]; then
if grep -q "WIFI_SSID:" "$COMPLETION_FILE"; then
WIFI_SSID=$(grep "WIFI_SSID:" "$COMPLETION_FILE" | awk -F ':' '{print $2}')
sed -i "s|WIFI_SSID:.*|WIFI_SSID:${WIFI_SSID}|g" "$COMPLETION_FILE"
if [ -f /home/fbone/ssid.txt ]; then
WIFI_SSID=$(cat /home/fbone/ssid.txt)
fi
if [ -f "$COMPLETION_FILE" ]; then
if grep -q "Wifi channel:" "$COMPLETION_FILE"; then
CHANNEL=$(grep "Wifi channel:" "$COMPLETION_FILE" | awk -F ':' '{print $2}')
sed -i "s|Wifi channel:.*|Wifi channel:${CHANNEL}|g" "$COMPLETION_FILE"
ZERONET_PORT=15441
IPFS_PORT=4001
TOX_PORT=33445
TRACKER_PORT=6969
LIBREVAULT_PORT=42345
TAHOELAFS_PORT=50213
GIT_SSB_PORT=7718
NGINX_GIT_SSB_PORT=7719
# Ethernet bridge definition (bridged to bat0)
BRIDGE=br-mesh
BRIDGE_HOTSPOT=br-hotspot
IFACE=
IFACE_SECONDARY=
EIFACE=eth0
if [[ "$MESH_INTERFACE_TYPE" == 'wlan'* ]]; then
WLAN_ADAPTORS=$(count_wlan)
if [ "$WLAN_ADAPTORS" -eq 0 ]; then
echo $'No wlan adaptors found'
exit 0
fi
}
function global_rate_limit {
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
echo 'net.ipv6.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
else
sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
sed -i 's|net.ipv6.tcp_challenge_ack_limit.*|net.ipv6.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
fi
sysctl -p -q
}
function assign_peer_address {
for i in {1..6}; do
number=$RANDOM
octet=$(echo "obase=16;$number" | bc)
if [ ${#octet} -lt 2 ]; then
octet="0${octet}"
fi
if [ $i -gt 1 ]; then
echo -n ":"
fi
echo -n "${octet}"
done
}
function mesh_create_app_downloads_page {
return
fi
if [ ! -d /var/www/html ]; then
return
fi
# Don't go straight to cryptpad when navigating to the peer's IP address
if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
rm /etc/nginx/sites-enabled/cryptpad
ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
if [ -d /etc/cryptpad ]; then
systemctl stop cryptpad
systemctl disable cryptpad
fi
systemctl restart nginx
fi
# Don't show the cryptpad icon on the desktop
if [ -f /home/fbone/Desktop/cryptpad.desktop ]; then
mv /home/fbone/Desktop/cryptpad.desktop /home/fbone/.cryptpad.desktop
fi
cp "/root/$PROJECT_NAME/website/EN/meshindex.html" /var/www/html/index.html
cp "/root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk" /var/www/html/ssb.apk
fi
if [ ! -f /var/www/html/trifa.apk ]; then
cp "/root/$PROJECT_NAME/image_build/mesh_apps/trifa.apk" /var/www/html/trifa.apk
fi
if [ ! -d /var/www/html/images ]; then
mkdir /var/www/html/images
fi
if [ ! -f /var/www/html/images/logo.png ]; then
cp "/root/$PROJECT_NAME/img/logo.png" /var/www/html/images/logo.png
fi
if [ ! -f /var/www/html/images/ssb.png ]; then
cp "/root/$PROJECT_NAME/img/icon_patchwork.png" /var/www/html/images/ssb.png
fi
if [ ! -f /var/www/html/images/trifa.png ]; then
cp "/root/$PROJECT_NAME/img/trifa.png" /var/www/html/images/trifa.png
if [ ! -f "/var/www/html/${PROJECT_NAME}.css" ]; then
cp "/root/$PROJECT_NAME/website/${PROJECT_NAME}.css" "/var/www/html/${PROJECT_NAME}.css"
fi
chown -R www-data:www-data /var/www/html/*
}
function enable_mesh_firewall {
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p tcp --dport "$TRACKER_PORT" -j ACCEPT
iptables -A INPUT -p udp --dport "$TRACKER_PORT" -j ACCEPT
iptables -A INPUT -p udp --dport 6240 -j ACCEPT
iptables -A INPUT -p tcp --dport 6240 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 548 -j ACCEPT
iptables -A INPUT -p udp --dport 548 -j ACCEPT
iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
iptables -A INPUT -p udp --dport 5354 -j ACCEPT
iptables -A INPUT -p tcp --dport "$ZERONET_PORT" -j ACCEPT
iptables -A INPUT -p udp --dport "$ZERONET_PORT" -j ACCEPT
iptables -A INPUT -p tcp --dport "$IPFS_PORT" -j ACCEPT
iptables -A INPUT -p tcp --dport "$TOX_PORT" -j ACCEPT
iptables -A INPUT -p udp --dport "$TOX_PORT" -j ACCEPT
iptables -A INPUT -p tcp --dport "$LIBREVAULT_PORT" -j ACCEPT
iptables -A INPUT -p udp --dport "$LIBREVAULT_PORT" -j ACCEPT
iptables -A INPUT -p tcp --dport "$TAHOELAFS_PORT" -j ACCEPT
iptables -A INPUT -p udp --dport 8008 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
iptables -A INPUT -p udp --dport 8010 -j ACCEPT
iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
# OLSR2/MANET
iptables -A INPUT -p udp --dport 269 -j ACCEPT
iptables -A INPUT -p tcp --dport 138 -j ACCEPT
# Babel
iptables -A INPUT -p udp --dport 6696 -j ACCEPT
ip6tables -A INPUT -p udp --dport 6696 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$TRACKER_PORT" -j ACCEPT
ip6tables -A INPUT -p udp --dport "$TRACKER_PORT" -j ACCEPT
ip6tables -A INPUT -p udp --dport 6240 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 6240 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p udp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 548 -j ACCEPT
ip6tables -A INPUT -p udp --dport 548 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 5353 -j ACCEPT
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 5354 -j ACCEPT
ip6tables -A INPUT -p udp --dport 5354 -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$ZERONET_PORT" -j ACCEPT
ip6tables -A INPUT -p udp --dport "$ZERONET_PORT" -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$IPFS_PORT" -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$TOX_PORT" -j ACCEPT
ip6tables -A INPUT -p udp --dport "$TOX_PORT" -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$LIBREVAULT_PORT" -j ACCEPT
ip6tables -A INPUT -p udp --dport "$LIBREVAULT_PORT" -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$TAHOELAFS_PORT" -j ACCEPT
ip6tables -A INPUT -p udp --dport 8008 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 8008 -j ACCEPT
ip6tables -A INPUT -p udp --dport 8010 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 8010 -j ACCEPT
# OLSR2/MANET
ip6tables -A INPUT -p udp --dport 269 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 138 -j ACCEPT
# Babel
iptables -A INPUT -p udp --dport 6696 -j ACCEPT
ip6tables -A INPUT -p udp --dport 6696 -j ACCEPT
# vpn over the internet
iptables -A INPUT -p tcp --dport 653 -j ACCEPT
iptables -A INPUT -p udp --dport 653 -j ACCEPT
iptables -A INPUT -i "${EIFACE}" -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o "${EIFACE}" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "${EIFACE}" -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "${EIFACE}" -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
}
function disable_mesh_firewall {
iptables -D INPUT -p tcp --dport "$TRACKER_PORT" -j ACCEPT
iptables -D INPUT -p udp --dport "$TRACKER_PORT" -j ACCEPT
iptables -D INPUT -p udp --dport 6240 -j ACCEPT
iptables -D INPUT -p tcp --dport 6240 -j ACCEPT
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
iptables -D INPUT -p udp --dport 80 -j ACCEPT
iptables -D INPUT -p tcp --dport 548 -j ACCEPT
iptables -D INPUT -p udp --dport 548 -j ACCEPT
iptables -D INPUT -p tcp --dport 5353 -j ACCEPT
iptables -D INPUT -p udp --dport 5353 -j ACCEPT
iptables -D INPUT -p tcp --dport 5354 -j ACCEPT
iptables -D INPUT -p udp --dport 5354 -j ACCEPT
iptables -D INPUT -p tcp --dport "$ZERONET_PORT" -j ACCEPT
iptables -D INPUT -p udp --dport "$ZERONET_PORT" -j ACCEPT
iptables -D INPUT -p tcp --dport "$IPFS_PORT" -j ACCEPT
iptables -D INPUT -p udp --dport "$IPFS_PORT" -j ACCEPT
iptables -D INPUT -p tcp --dport "$TOX_PORT" -j ACCEPT
iptables -D INPUT -p udp --dport "$TOX_PORT" -j ACCEPT
iptables -D INPUT -p tcp --dport "$LIBREVAULT_PORT" -j ACCEPT
iptables -D INPUT -p udp --dport "$LIBREVAULT_PORT" -j ACCEPT
iptables -D INPUT -p tcp --dport "$TAHOELAFS_PORT" -j ACCEPT
iptables -D INPUT -p udp --dport 8008 -j ACCEPT
iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
iptables -D INPUT -p udp --dport 8010 -j ACCEPT
iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
# OLSR2/MANET
iptables -D INPUT -p udp --dport 269 -j ACCEPT
iptables -D INPUT -p tcp --dport 138 -j ACCEPT
# Babel
iptables -D INPUT -p udp --dport 6696 -j ACCEPT
ip6tables -D INPUT -p udp --dport 6696 -j ACCEPT
ip6tables -D INPUT -p tcp --dport "$TRACKER_PORT" -j ACCEPT
ip6tables -D INPUT -p udp --dport "$TRACKER_PORT" -j ACCEPT
ip6tables -D INPUT -p udp --dport 6240 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 6240 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -D INPUT -p udp --dport 80 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 548 -j ACCEPT
ip6tables -D INPUT -p udp --dport 548 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 5353 -j ACCEPT
ip6tables -D INPUT -p udp --dport 5353 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 5354 -j ACCEPT
ip6tables -D INPUT -p udp --dport 5354 -j ACCEPT
ip6tables -D INPUT -p tcp --dport "$ZERONET_PORT" -j ACCEPT
ip6tables -D INPUT -p udp --dport "$ZERONET_PORT" -j ACCEPT
ip6tables -D INPUT -p tcp --dport "$IPFS_PORT" -j ACCEPT
ip6tables -D INPUT -p udp --dport "$IPFS_PORT" -j ACCEPT
ip6tables -D INPUT -p tcp --dport "$TOX_PORT" -j ACCEPT
ip6tables -D INPUT -p udp --dport "$TOX_PORT" -j ACCEPT
ip6tables -D INPUT -p tcp --dport "$LIBREVAULT_PORT" -j ACCEPT
ip6tables -D INPUT -p udp --dport "$LIBREVAULT_PORT" -j ACCEPT
ip6tables -D INPUT -p tcp --dport "$TAHOELAFS_PORT" -j ACCEPT
ip6tables -D INPUT -p udp --dport 8008 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 8008 -j ACCEPT
ip6tables -D INPUT -p udp --dport 8010 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 8010 -j ACCEPT
# OLSR2/MANET
ip6tables -D INPUT -p udp --dport 269 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 138 -j ACCEPT
# Babel
iptables -D INPUT -p udp --dport 6696 -j ACCEPT
ip6tables -D INPUT -p udp --dport 6696 -j ACCEPT
# vpn over the internet
iptables -D INPUT -p tcp --dport 653 -j ACCEPT
iptables -D INPUT -p udp --dport 653 -j ACCEPT
iptables -D INPUT -i "${EIFACE}" -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -D INPUT -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -o "${EIFACE}" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i "${EIFACE}" -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${EIFACE}" -j MASQUERADE
iptables -D OUTPUT -o tun+ -j ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
}
function enable_mesh_scuttlebot {
if [ -f /etc/scuttlebot/.ssb/config ]; then
ethernet_connected=$(cat /sys/class/net/eth0/carrier)
if [[ "$ethernet_connected" != "0" ]]; then
sed -i "s|\"host\": .*|\"host\": \"$(get_ipv6_wlan)\",|g" /etc/scuttlebot/.ssb/config
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
systemctl restart scuttlebot
else
if [ ! -f /etc/nginx/sites-available/git_ssb ]; then
systemctl stop scuttlebot
else
systemctl restart scuttlebot
fi
fi
fi
sed -i "s|\"host\":.*|\"host\": \"${HOSTNAME}.local\",|g" /etc/scuttlebot/.ssb/config
systemctl restart scuttlebot
}
function enable_mesh_tor {
# if we have an ethernet connection to an internet router then create
# an onion address for this peer
if [[ "$ethernet_connected" != "0" ]]; then
systemctl enable tor
systemctl start tor
HIDDEN_SERVICE_PATH=/var/lib/tor/hidden_service_
if [ ! -f ${HIDDEN_SERVICE_PATH}mesh/hostname ]; then
echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}mesh/" >> /etc/tor/torrc
echo "HiddenServicePort 653 127.0.0.1:653" >> /etc/tor/torrc
systemctl restart tor
fi
else
systemctl stop tor
systemctl disable tor
fi
}
function enable_mesh_seconary_wifi {
sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
mesh_hotspot_address=$(mesh_hotspot_ip_address)
if [[ "$mesh_hotspot_address" == *'.'* ]]; then
{ echo "interface=${IFACE_SECONDARY}";
echo "bridge=${BRIDGE}";
echo 'driver=nl80211';
echo "country_code=UK";
echo "ssid=${WIFI_SSID}-${mesh_hotspot_address}";
echo 'hw_mode=g';
echo "channel=${HOTSPOT_CHANNEL}";
echo 'wpa=2';
echo "wpa_passphrase=$HOTSPOT_PASSPHRASE";
echo 'wpa_key_mgmt=WPA-PSK';
echo 'wpa_pairwise=TKIP';
echo 'rsn_pairwise=CCMP';
echo 'auth_algs=1';
echo 'macaddr_acl=0'; } > /etc/hostapd/hostapd.conf
sed -i "s|#interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
sed -i "s|interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
sed -i "s|listen-address=.*|listen-address=127.0.0.1,$mesh_hotspot_address|g" /etc/dnsmasq.conf
sed -i 's|#listen-address|listen-address|g' /etc/dnsmasq.conf
systemctl enable dnsmasq
systemctl restart dnsmasq
systemctl enable hostapd
systemctl restart hostapd
mesh_create_app_downloads_page
else
secondary_wifi_available=
echo $'WARNING: No IP address could be obtained for the hotspot'
fi
fi
systemctl stop hostapd
systemctl disable hostapd
# Recreate the cryptpad symlink
if [ -f /etc/nginx/sites-available/cryptpad ]; then
if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
rm /etc/nginx/sites-enabled/default
fi
systemctl enable cryptpad
systemctl start cryptpad
if [ ! -L /etc/nginx/sites-enabled/cryptpad ]; then
ln -s /etc/nginx/sites-available/cryptpad /etc/nginx/sites-enabled/cryptpad