Hello,
I'm sharing my recipe after struggling with it quite a bit.
Hoping it can be useful to other Orange fibre subscribers.
My goal was to simplify the configuration of a Linux box, based on what has been shared here (thanks).
More precisely, I wanted to replace a Livebox Pro V4 with a NUC that has a second Ethernet interface over USB.
The distribution I chose is Ubuntu. At first a 16.04 to stay on an LTS, but the ifupdown package was missing a feature, so I had to upgrade it to 16.04.
My recipe only covers IPv4 + IPv6 access (no TV or VoIP).
It uses ufw, isc-dhcp, dnsmasq and dnscrypt.

/etc/udev/rules.d/70-persistent-net.rules
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="<MAC_ADDR_LB>", NAME="wan"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="<MAC_ADDR_LAN>", NAME="lan"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="<MAC_ADDR_WLAN>", NAME="wifi"

/etc/network/interfaces.d/lan
allow-auto lan
iface lan inet static
address 192.168.0.1
netmask 255.255.255.0

/etc/network/interfaces.d/wan
allow-auto wan
iface wan inet manual
hwaddress <MAC_ADDR_LB>

/etc/network/interfaces.d/wan.832
allow-auto wan.832
iface wan.832 inet dhcp
vlan-id 832
vlan-raw-device wan
iface wan.832 inet6 dhcp
vlan-id 832
vlan-raw-device wan
accept_ra 2
request_prefix 1
The ifupdown package of the 16.04 release does not support invoking the DHCPv6 client in prefix delegation mode (option -P).
This was added in a later version:
https://anonscm.debian.org/git/collab-maint/ifupdown.git/commit/?id=9af9a607274bec491ca165f9b8af6af26bbdf585.
17.04 has a more recent version of the package that includes this feature.

/etc/dhcp/dhclient.conf
# Definitions for the option codes used below, so dhclient can send and request them.
option rfc3118-authentication code 90 = string;
option dhcp6.auth code 11 = string;
option dhcp6.userclass code 15 = string;
option dhcp6.vendorclass code 16 = string;
interface "wan.832" {
send vendor-class-identifier "sagem";
send dhcp-client-identifier <MAC_ADDR_LB>;
send user-class "+FSVDSL_livebox.Internet.softathome.Livebox3";
send rfc3118-authentication 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:<ORANGE_ID>;
request subnet-mask,
routers,
domain-name,
broadcast-address,
dhcp-lease-time,
dhcp-renewal-time,
dhcp-rebinding-time,
rfc3118-authentication;
send dhcp6.client-id 00:03:00:01:7c:26:64:64:cc:c8;
send dhcp6.vendorclass 00:00:04:0e:00:05:73:61:67:65:6d;
send dhcp6.userclass 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33;
send dhcp6.auth 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:<ORANGE_ID>;
request dhcp6.auth, dhcp6.name-servers, dhcp6.sip-servers-names;
}

/etc/dhcp/dhclient-exit-hooks.d/ipv6
# Keep dhclient from rewriting /etc/resolv.conf (DNS is handled by dnsmasq/dnscrypt).
make_resolv_conf() { : ; }
# Put ::1 of a subnet of the delegated prefix on the LAN interface.
# The prefix is expected as "xxxx::/NN"; 8 + NN gives a /64 for a /56 delegation.
ip_addr_add () {
  local prefix=$1
  local valid_lft=$2
  local preferred_lft=$3
  ip -6 addr add ${prefix%%/*}1/$((8 + ${prefix##*/})) dev lan \
    scope global valid_lft ${valid_lft} preferred_lft ${preferred_lft}
  return $?
}
ip_addr_del () {
  local prefix=$1
  ip -6 addr del ${prefix%%/*}1/$((8 + ${prefix##*/})) dev lan
  return $?
}
ip_addr_flush () {
  ip -6 addr flush dev lan scope global
  return $?
}
if [ "$interface" = "wan.832" ]
then
  case $reason in
    PREINIT6)
      ip_addr_flush
      ;;
    BOUND6)
      if [ -z "${ip6_prefix}" ]; then
        exit 2
      fi
      ip_addr_add ${ip6_prefix} ${max_life} ${preferred_life}
      exit_status=$((exit_status|$?))
      ;;
    REBIND6|RENEW6)
      if [ -z "${new_ip6_prefix}" ]; then
        exit 2
      fi
      # Compare the delegated prefixes (not the IA_NA addresses, which are not
      # requested here), otherwise a changed delegation never gets removed from lan.
      if [ -n "${old_ip6_prefix}" ] && [ "${new_ip6_prefix}" != "${old_ip6_prefix}" ]; then
        ip_addr_del ${old_ip6_prefix}
      fi
      ip_addr_add ${new_ip6_prefix} ${new_max_life} ${new_preferred_life}
      exit_status=$((exit_status|$?))
      ;;
    EXPIRE6|RELEASE6|STOP6)
      ;;
  esac
fi

/etc/dnsmasq.conf
log-queries
log-dhcp
server=127.0.0.1#54
domain-needed
bogus-priv
filterwin2k
localise-queries
local=/local/
domain=local
expand-hosts
no-negcache
no-resolv
no-poll
enable-ra
dhcp-range=tag:lan, ::100, ::1ff, constructor:lan, ra-names, 64, 12h
dhcp-authoritative
dhcp-leasefile=/tmp/dhcp.leases
dhcp-range=192.168.0.100,192.168.0.200,12h
dhcp-option=1,255.255.255.0
dhcp-option=3,192.168.0.1
dhcp-option=6,192.168.0.1
read-ethers

/etc/dnscrypt-proxy/dnscrypt-proxy.conf
# A more comprehensive example config can be found in
# /usr/share/doc/dnscrypt-proxy/examples/dnscrypt-proxy.conf
ResolverName random
Daemonize no
# LocalAddress only applies to users of the init script. systemd users must
# change the dnscrypt-proxy.socket file.
# LocalAddress 127.0.2.1:53

/lib/systemd/system/dnscrypt-proxy.socket
[Unit]
Description=dnscrypt-proxy listening socket
Documentation=man:dnscrypt-proxy(8)
Wants=dnscrypt-proxy-resolvconf.service
[Socket]
ListenStream=127.0.0.1:54
ListenDatagram=127.0.0.1:54
[Install]
WantedBy=sockets.target

/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wan.832 -p tcp --dport 3122 -j DNAT --to-destination 192.168.0.10:22
-A POSTROUTING -s 192.168.0.0/24 -o wan.832 -j MASQUERADE
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

/etc/ufw/before6.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw6-before-input
# ufw6-before-output
# ufw6-before-forward
#
*mangle
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o wan.832 -p udp --dport 547 -j DSCP --set-dscp-class CS6
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines
# allow all on loopback
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP
# quickly process packets for which we already have a connection
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# MR advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# MR advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# ok icmp codes for FORWARD (rfc4890, 4.3.1)
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# ok icmp codes for FORWARD (rfc4890, 4.3.2)
# Home Agent Address Discovery Request
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
# Home Agent Address Discovery Reply
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
# Mobile Prefix Solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
# Mobile Prefix Advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
# allow dhcp client to work
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
# allow MULTICAST mDNS for service discovery
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

/etc/default/ufw
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take effect.
IPV6=yes
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"
# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=yes
#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf
# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_irc nf_nat_irc nf_conntrack_ftp nf_nat_ftp nf_conntrack_tftp nf_nat_tftp"

Everything is allowed through on the internal interface:
sudo ufw allow in on lan from any to any
Result: my machines on the LAN do get IPv4 and IPv6 access (the box acting as dual-stack DNS resolver, DHCPv4 and DHCPv6 server).
I haven't tested every case the dhcp-exit-hook script must cover, but for now it works as intended.
I welcome your contributions if you see problems with my method.
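As an added example (not part of the original post): a small Python helper that builds the colon-separated hex strings used in the dhclient.conf above from readable values, so you can check what each option actually carries before sending it, and that derives the LAN /64 from the delegated prefix with the length check the exit hook's shell arithmetic lacks. The enterprise number 1038, the class strings and `fti/<ORANGE_ID>` are read back from the post's own hex; the MAC and the /56 prefix in the demo are constructed.

```python
import ipaddress

def to_hex(data: bytes) -> str:
    """Render bytes in the aa:bb:cc form that dhclient.conf uses."""
    return ":".join(f"{b:02x}" for b in data)

def encode_auth(auth_info: str) -> str:
    """Authentication option (DHCPv4 code 90 / DHCPv6 code 11) as sent in
    the post: protocol, algorithm and RDM all 0, an 8-byte all-zero
    replay-detection field, then the authentication info as ASCII."""
    return to_hex(bytes(3) + bytes(8) + auth_info.encode("ascii"))

def encode_userclass(*classes: str) -> str:
    """DHCPv6 user class (code 15): 2-byte length + data per class.
    In the DHCPv4 user-class string the leading '+' is this same length
    byte (43 = 0x2b = '+'); the DHCPv6 form carries it as 00:2b."""
    out = b"".join(len(c).to_bytes(2, "big") + c.encode("ascii") for c in classes)
    return to_hex(out)

def encode_vendorclass(enterprise: int, *classes: str) -> str:
    """DHCPv6 vendor class (code 16): 4-byte enterprise number, then
    2-byte length + data per class."""
    body = b"".join(len(c).to_bytes(2, "big") + c.encode("ascii") for c in classes)
    return to_hex(enterprise.to_bytes(4, "big") + body)

def encode_duid_ll(mac: str) -> str:
    """DUID-LL (type 3, hardware type 1 = Ethernet) from a MAC string,
    the shape of the dhcp6.client-id in the post."""
    return to_hex(b"\x00\x03\x00\x01" + bytes.fromhex(mac.replace(":", "")))

def lan_address(delegated: str, host: int = 1) -> str:
    """Address for 'lan': host ::1 of the first /64 of the delegated prefix.
    The exit hook computes 8 + prefixlen, which only yields a /64 for a /56;
    this handles any delegation up to /64 and refuses longer ones instead
    of producing an unusable /72 or similar."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"cannot carve a /64 out of {delegated}")
    first = next(net.subnets(new_prefix=64))
    return f"{first.network_address + host}/64"

if __name__ == "__main__":
    # <ORANGE_ID> is left as a placeholder exactly as in the post.
    print("dhcp6.auth        ", encode_auth("fti/<ORANGE_ID>"))
    print("dhcp6.userclass   ", encode_userclass("FSVDSL_livebox.Internet.softathome.livebox3"))
    print("dhcp6.vendorclass ", encode_vendorclass(1038, "sagem"))
    print("dhcp6.client-id   ", encode_duid_ll("00:11:22:33:44:55"))  # constructed MAC
    print("lan address       ", lan_address("2001:db8:1234:5600::/56"))  # constructed /56
```

Comparing the printed userclass and vendorclass strings against the ones in the post's dhclient.conf is a quick way to confirm the hex you copied is intact.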