mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
111 lines
3.6 KiB
Bash
111 lines
3.6 KiB
Bash
|
#!/bin/bash
|
||
|
|
||
|
. common.sh
|
||
|
|
||
|
cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
|
||
|
|
||
|
HOSTNAME=mfp-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
|
||
|
uci set system.@system[0].hostname=$HOSTNAME
|
||
|
uci set network.wan.hostname=$HOSTNAME
|
||
|
|
||
|
EOF
|
||
|
|
||
|
mkdir -p $OVERLAY/etc/config/
|
||
|
touch $OVERLAY/etc/config/wireless
|
||
|
|
||
|
cat << EOF > $OVERLAY/etc/uci-defaults/50-mfp
|
||
|
|
||
|
# Disable rebind protection for DNS
|
||
|
uci set dhcp.@dnsmasq[0].rebind_protection=0
|
||
|
uci set dhcp.@dnsmasq[0].domain='mfp.lan'
|
||
|
uci delete dhcp.@dnsmasq[0].local
|
||
|
|
||
|
# Disable bridge for LAN since WiFi is disabled
|
||
|
uci delete network.lan.type
|
||
|
uci set dhcp.lan.limit=1
|
||
|
|
||
|
uci set network.vpn=interface
|
||
|
uci set network.vpn.ifname='ipsec0'
|
||
|
uci set network.vpn.proto='none'
|
||
|
|
||
|
uci set firewall.vpn=zone
|
||
|
uci set firewall.vpn.name="vpn"
|
||
|
uci set firewall.vpn.input="ACCEPT"
|
||
|
uci set firewall.vpn.forward="ACCEPT"
|
||
|
uci set firewall.vpn.output="ACCEPT"
|
||
|
uci set firewall.vpn.network="vpn"
|
||
|
|
||
|
uci set firewall.lan2vpn=forwarding
|
||
|
uci set firewall.lan2vpn.src='lan'
|
||
|
uci set firewall.lan2vpn.dest='vpn'
|
||
|
|
||
|
uci add firewall redirect
|
||
|
uci set firewall.@redirect[-1].name="Allow IPP on MFP"
|
||
|
uci set firewall.@redirect[-1].src=vpn
|
||
|
uci set firewall.@redirect[-1].src_dport=631
|
||
|
uci set firewall.@redirect[-1].dest=lan
|
||
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
||
|
uci set firewall.@redirect[-1].target=DNAT
|
||
|
uci set firewall.@redirect[-1].proto=tcp
|
||
|
|
||
|
uci add firewall redirect
|
||
|
uci set firewall.@redirect[-1].name="Allow HTTP on MFP"
|
||
|
uci set firewall.@redirect[-1].src=vpn
|
||
|
uci set firewall.@redirect[-1].src_dport=80
|
||
|
uci set firewall.@redirect[-1].dest=lan
|
||
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
||
|
uci set firewall.@redirect[-1].target=DNAT
|
||
|
uci set firewall.@redirect[-1].proto=tcp
|
||
|
|
||
|
uci add firewall redirect
|
||
|
uci set firewall.@redirect[-1].name="Allow HTTPS on MFP"
|
||
|
uci set firewall.@redirect[-1].src=vpn
|
||
|
uci set firewall.@redirect[-1].src_dport=443
|
||
|
uci set firewall.@redirect[-1].dest=lan
|
||
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
||
|
uci set firewall.@redirect[-1].target=DNAT
|
||
|
uci set firewall.@redirect[-1].proto=tcp
|
||
|
|
||
|
uci add firewall redirect
|
||
|
uci set firewall.@redirect[-1].name="Allow JetDirect on MFP"
|
||
|
uci set firewall.@redirect[-1].src=vpn
|
||
|
uci set firewall.@redirect[-1].src_dport=9100
|
||
|
uci set firewall.@redirect[-1].dest=lan
|
||
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
||
|
uci set firewall.@redirect[-1].target=DNAT
|
||
|
uci set firewall.@redirect[-1].proto=tcp
|
||
|
uci set firewall.@redirect[-1].enabled=0
|
||
|
|
||
|
uci add firewall redirect
|
||
|
uci set firewall.@redirect[-1].name="Allow SNMP on MFP"
|
||
|
uci set firewall.@redirect[-1].src=vpn
|
||
|
uci set firewall.@redirect[-1].src_dport=161
|
||
|
uci set firewall.@redirect[-1].dest=lan
|
||
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
||
|
uci set firewall.@redirect[-1].target=DNAT
|
||
|
uci set firewall.@redirect[-1].proto=udp
|
||
|
uci set firewall.@redirect[-1].enabled=0
|
||
|
|
||
|
uci add firewall redirect
|
||
|
uci set firewall.@redirect[-1].name="Allow LPD on MFP"
|
||
|
uci set firewall.@redirect[-1].src=vpn
|
||
|
uci set firewall.@redirect[-1].src_dport=515
|
||
|
uci set firewall.@redirect[-1].dest=lan
|
||
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
||
|
uci set firewall.@redirect[-1].target=DNAT
|
||
|
uci set firewall.@redirect[-1].proto=tcp
|
||
|
uci set firewall.@redirect[-1].enabled=0
|
||
|
|
||
|
uci set uhttpd.main.listen_http=0.0.0.0:8080
|
||
|
|
||
|
/etc/init.d/dropbear disable
|
||
|
|
||
|
EOF
|
||
|
|
||
|
make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
|
||
|
iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci \
|
||
|
strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
|
||
|
pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm"
|
||
|
|
||
|
|