Difference between revisions of "Mesh/Exit setup"
(Created page with "An exit node is like a relay node but with a connection out to the Internet. Exit nodes are run by sudo mesh and have the sudo mesh organization listed as...") |
|||
| Line 11: | Line 11: | ||
= NATed internet access = | = NATed internet access = | ||
Create the script /etc/init.d/meshnat containing the following: | |||
<pre> | |||
#!/bin/sh | |||
PUBIF="eth0" | |||
BATIF="bat0" | |||
case "$1" in | |||
start) | |||
echo "Starting mesh NAT" | |||
echo 1 > /proc/sys/net/ipv4/ip_forward | |||
iptables -t nat -A POSTROUTING -o $PUBIF -j MASQUERADE | |||
iptables -A FORWARD -i $PUBIF -o $BATIF -m state --state RELATED,ESTABLISHED $ | |||
iptables -A FORWARD -i $PUBIF -o $BATIF -j DROP | |||
;; | |||
stop) | |||
echo "Stopping mesh NAT" | |||
echo 0 > /proc/sys/net/ipv4/ip_forward | |||
iptables -F FORWARD | |||
iptables -t nat -F POSTROUTING | |||
;; | |||
*) | |||
echo "Usage: $0 start|stop" >&2 | |||
exit 3 | |||
;; | |||
esac | |||
</pre> | |||
Make it executable: | |||
chmod 755 /etc/init.d/meshnat | |||
Now modify the tunneldigger broker session.up hook script to start the meshnat script. Change the section: | |||
if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then | |||
ifup bat0 | |||
fi | |||
To: | |||
if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then | |||
ifup bat0 && /etc/init.d/meshnat start | |||
fi | |||
Now NAT should be set up correctly. | |||
= Setting up DNS = | = Setting up DNS = | ||
| Line 21: | Line 66: | ||
sudo aptitude install dnsmasq | sudo aptitude install dnsmasq | ||
Ensure that you have one or more domain name server IPs in /etc/resolv.conf | |||
Make sure that ENABLED=1 is set in /etc/default/dnsmasq | |||
Restart dnsmasq if you changed anything: | |||
sudo /etc/init.d/dnsmasq restart | |||
= Fake captive portal = | = Fake captive portal = | ||
TODO write this section | TODO write this section | ||
Revision as of 07:30, 24 December 2013
An exit node is like a relay node but with a connection out to the Internet. Exit nodes are run by sudo mesh and have the sudo mesh organization listed as the whois abuse complaint contact. This ensures that legal inquires for Internet-bound traffic from the mesh are sent to sudo mesh so node-operators don't have to deal with e.g. DMCA complaints and other legal issues unless absolutely necessary. We encourage anyone and everyone to run relay nodes, but we do not expect anyone else to run public exit nodes. If you're still interested in running an exit node, come talk to us!
Exit nodes do everything relay nodes do and adds the following:
- NATed internet access
- DNS server
- Fake captive portal
This guide builds on top of the relay node guide, so follow that first and them come back here!
NATed internet access
Create the script /etc/init.d/meshnat containing the following:
#!/bin/sh
PUBIF="eth0"
BATIF="bat0"
case "$1" in
start)
echo "Starting mesh NAT"
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $PUBIF -j MASQUERADE
iptables -A FORWARD -i $PUBIF -o $BATIF -m state --state RELATED,ESTABLISHED $
iptables -A FORWARD -i $PUBIF -o $BATIF -j DROP
;;
stop)
echo "Stopping mesh NAT"
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F FORWARD
iptables -t nat -F POSTROUTING
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
Make it executable:
chmod 755 /etc/init.d/meshnat
Now modify the tunneldigger broker session.up hook script to start the meshnat script. Change the section:
if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
ifup bat0
fi
To:
if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
ifup bat0 && /etc/init.d/meshnat start
fi
Now NAT should be set up correctly.
Setting up DNS
First, ensure that tunneldigger broker is not running on port 53 by removing port 53 from the "ports=" entry in /opt/tunneldigger/broker/l2tp_broker.cfg
Now, install dnsmasq:
sudo aptitude install dnsmasq
Ensure that you have one or more domain name server IPs in /etc/resolv.conf
Make sure that ENABLED=1 is set in /etc/default/dnsmasq
Restart dnsmasq if you changed anything:
sudo /etc/init.d/dnsmasq restart
Fake captive portal
TODO write this section