Rock64-wall image
#3
(10-11-2017, 02:21 AM)Luke Wrote:
(10-11-2017, 01:43 AM)stuartiannaylor Wrote: https://sourceforge.net/projects/rock64-...g/download

https://sourceforge.net/projects/rock64-wall/

Will be knocking up a simple firewall router image based on Ayufans xenial image.

Currently just a simple base with webmin / dnsmasq with iptables completely open with routing enable

Base uploaded next will be openvpn, snort

Finish off with dansuardian / squid.

May include samba4 and use kerberos will see how things go

This is really good. May I suggest that perhaps you put together a script instead of a dedicated image and push that to ayufan ? Kind of like how ayufan added the OMV script to his minimal.

Prob not a script as I fail totally with regexs, but yeah loaded up the image for those who just want to grab at various stages without having to bother.
With each image just going to document the cli commands used and a little bit of rationale & reason why.

Image first then go back to scratch and do it again a just document cli, which prob this aft will do.

I may use the full isc dhcp & bind9 but to be honest I have used them before and always been a little bemused as yeah I know what they can do above dnsmasq but frankly never have.
dnsmasq is just a great lightweight dns/dhcp that if someone can post good reasons I might also go down that route.

Will see what you guys say.

So far it been extremely simple, so not much to script, but thought maybe my fudges and poor attempts may be a gauntlet thrown to someone else Smile


## CLI Commands from start

Starting with xenial-minimal-rock64-0.5.10-118-arm64 https://github.com/ayufan-rock64/linux-b...m64.img.xz

```
sudo -i
systemctl -l
```

Looking through the list of services we have 2 failures ureadahead & zram-config.
Also noticed network-manager in that list! Bye to him as well.

```
apt-get remove ureadahead
apt-get remove zram-config
apt-get remove network-manager
apt-get remove dnsmasq-base
```

Really not more than a little bit of housekeeping but yeah get rid of network manager for a server base.
So now to turn on IP4 forwarding and because I have over 1gb ram I am actually going to tell Ubuntu to prefer it a bit more.

```
nano /etc/sysctl.conf
```

change #net.ipv4.ip_forward=1 to net.ipv4.ip_forward=1 to enable
At the end tack on
# Improve cache management
vm.vfs_cache_pressure=50

I have also banged my 32Gb eMMC opened up gparted and created a 4Gb swap.
If you do add this line as it will prefer memory and is a good level with more fickle media such a SSD & flash.

vm.swappiness=10

So its up to you and either just delete the hash to enable net.ipv4.ip_forward=1 and ignore the rest if you so wish.

```
ip addr show
```

If you have plugged in a USB ethernet adapter you will see that it is down and highly likely to have an ethernet name from hell like mine which is enx00e04c534458!

So we are going to create a udev persistant rule to give us a much nicer name.
```
nano /etc/udev/rules.d/70-persistent-net.rules
```
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:53:44:58", KERNEL=="eth*", NAME="eth1"

From the ip addr show I returned

3: enx00e04c534458: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fas t state DOWN group default qlen 1000
link/ether 00:e0:4c:53:44:58 brd ff:ff:ff:ff:ff:ff

You can see where I copied and pasted the mac notation into the persistant rule and on next boot I will have eth1.
Same with multiple Nics if you are going to go crazy and maybe have a DMZ or even port trunking just increment NAME="ethx".
Again not essential but for me are much more logical when adminstering the system.

So before we install webmin a bit more housekeeping.
```
apt-get update
apt-get upgrade
apt autoremove
```
So webmin needs.
```
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

wget http://prdownloads.sourceforge.net/webad...50_all.deb

dpkg --install webmin_1.850_all.deb

rm webmin_1.850_all.deb
```
At this stage you could fire up webmin on the eth0 IP and configure from there but prefer cli to start with also dnsmasq module for webmin needs to be downloaded and installed and doesn't at all like remarks in the config file.

My router creates a private lan on 192.168.1.0 which will be the WAN subnet.
I have chosen 192.168.0.0 for my LAN subnet but...
"The private address segments (10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255) are commonly referred to as "non-routable" addresses."

Any of those 10.0.0.0 is common but plenty to choose from, but it is important its a "non-routable" addresses." scope.
```
nano /etc/network/interfaces.d/eth1
```
Copy & paste or chose your own based on

auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
post-up iptables-restore < /etc/iptables.up.rules

Now dnsmasq
```
apt-get install dnsmasq

cp /etc/dnsmasq.conf /etc/dnsmasq.old
```
As we edit dnsmasq.conf delete all the remarks and we have a backup copy in dnsmasq.old for reference as the webmin module just doesn't like them.
```
nano /etc/dnsmasq.conf
```
Delete all the guff and start with something simple you can always refer back to dnsmasq.old for more complex setups.

domain-needed
bogus-priv
no-resolv
no-poll
server=192.168.1.1
server=8.8.8.8
interface=eth1
domain=rock.lan
dhcp-range=192.168.0.24,192.168.0.254,12h

Then we will set up a FQDN in /etc/hosts & /etc/hostname
```
nano /etc/hosts
```
so its looks something like

127.0.0.1 localhost
127.0.1.1 rock64.rock.lan rock64
192.168.0.1 rock64.rock.lan rock64


# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
nano /etc/hostname
```
rock64.rock.lan

Obviously change to whatever registered or non registered domain name that fits your organisation.

Then set the iptables and NAT masquerade up the easy way.
```
apt-get install iptables
```
In a browser type in https://wan-assigned-router-addr:10000
Mine is https://192.168.1.20:10000 and log into webmin with the sudo user rock64

In networking -> linux firewall
Select Do network address translation on external interface in my case set to eth0
Enable firewall at boot and click setup firewall.

Now to get the dnsmasq module that is a bit old & creaky but after getting rid of all the remarks in dnsmasq.conf seems to work quite well and is good for refernce at least.

So google search for webmin dnsmasq
I downloaded from http://nixbit.com/software/dnsmasq-webmi...le-review/

Webmin -> Webmin Configuration -> Webmin modules.
Select From uploaded files and browse to the .wbm download
Click install module

System -> Bootup & Shutdown scroll down to the bottom and click Shutdown system & confirm click shutdown system

Swap your ethernet cables around so router is on eth0 (wan) and you switch/hub is on eth1 (lan)

Press the power on button on the rock64.

What you might have to do is force dhcp to get the new ip address (windows way).
```
ipconfig /release
ipconfig /renew

ipconfig /all
```
Should see us rocking on the rock.lan
  Reply


Messages In This Thread
Rock64-wall image - by stuartiannaylor - 10-11-2017, 01:43 AM
RE: Rock64-wall image - by Luke - 10-11-2017, 02:21 AM
RE: Rock64-wall image - by stuartiannaylor - 10-11-2017, 03:49 AM
RE: Rock64-wall image - by stuartiannaylor - 10-11-2017, 08:55 AM
RE: Rock64-wall image - by Luke - 10-11-2017, 09:17 AM
RE: Rock64-wall image - by stuartiannaylor - 10-11-2017, 09:38 AM
RE: Rock64-wall image - by Luke - 10-11-2017, 10:11 AM
RE: Rock64-wall image - by stuartiannaylor - 10-11-2017, 07:27 PM
RE: Rock64-wall image - by stuartiannaylor - 10-13-2017, 07:39 AM
RE: Rock64-wall image - by stuartiannaylor - 10-14-2017, 04:32 AM
RE: Rock64-wall image - by Noobie7 - 03-12-2018, 08:44 PM
RE: Rock64-wall image - by Noobie7 - 03-15-2018, 07:05 PM

Possibly Related Threads…
Thread Author Replies Views Last Post
  irradium (based on crux linux) Rock64 riscv64, aarch64 mara 7 1,002 11-19-2024, 02:54 PM
Last Post: mara
  Upgrading ancient Rock64 timxjr1300 0 54 11-15-2024, 09:50 AM
Last Post: timxjr1300
  arch rock64 does not boot nemnob 1 959 09-20-2024, 11:18 AM
Last Post: AwU2HBg
  DietPi OS for ROCK64 MichaIng 42 43,561 09-01-2024, 06:43 AM
Last Post: RaymondDay
Smile First Lakka image for Rock64! Luke 47 81,018 09-01-2024, 06:05 AM
Last Post: RaymondDay
  Rock64 v2 - did not work song / audio sqw200zu 2 1,863 03-14-2024, 03:09 AM
Last Post: dmitrymyadzelets
  Rock64 won't boot dstallmo 0 635 12-27-2023, 10:34 AM
Last Post: dstallmo
  HDMI doesn't work on rock64 Noung1991 1 1,077 11-21-2023, 08:33 AM
Last Post: as365n4
  Rock64 + Klipper + KlipperScreen Instructions godzilla62 0 1,082 10-22-2023, 01:52 AM
Last Post: godzilla62
  Rock64 Debian 11 (Bullseye) install problem jbize 15 11,180 10-12-2023, 05:14 PM
Last Post: tpaul

Forum Jump:


Users browsing this thread: 1 Guest(s)