New OpenWRT configuration
This commit is contained in:
parent
b42b916d89
commit
3882487a11
|
@ -1,57 +1,37 @@
|
|||
This directory contains the files used to set up an OpenWRT router.
|
||||
Using an OpenWRT router
|
||||
=======================
|
||||
|
||||
You can use an off-the-shelf, OpenWRT capable wireless router,
|
||||
configuring only through the web interface. The OpenWRT setup is
|
||||
intended for smaller contests, wired or non-wired, in which
|
||||
participants can be counted on not to launch link level attacks (ARP
|
||||
or NDP). Bear in mind that the cheap consumer routers have relatively
|
||||
slow CPUs and won't stand up to high volume.
|
||||
|
||||
Bear in mind that the cheap consumer routers have relatively slow CPUs
|
||||
and won't stand up to high volume. This same configuration applies to
|
||||
OpenWRT running on an x86 PC, or any other target of OpenWRT. For
|
||||
larger contests, it would be a good idea to use a faster machine for the
|
||||
router. I don't have any specific recommendations at this time (Oct
|
||||
2010).
|
||||
The CTF repository includes a "router" package, which will boot a DBTL
|
||||
device as a IPv6 router complete with multicast forwarding and up to
|
||||
24 tagged VLANs (by using a managed switch). This is a better option
|
||||
for larger contests, and can better handle high-speed (Gigabit)
|
||||
traffic.
|
||||
|
||||
The router comes up as 10.0.0.1/16 on eth0.
|
||||
Instructions for setting up OpenWRT
|
||||
-----------------------------------
|
||||
|
||||
If the router has a built-in switch, it is brought up without VLAN
|
||||
support, since these switches typically only support 16 VLANs, and do
|
||||
not support QinQ (double VLAN tags). All 5 ports work like an unmanaged
|
||||
switch, which ends up being handy for the contest table.
|
||||
After installing OpenWRT:
|
||||
|
||||
Plugging a managed switch into the router enables access to 48 VLANs,
|
||||
each configured to a /16 network. The router on VLAN number v comes up
|
||||
as 10.v.0.1/16.
|
||||
* Change the root password
|
||||
* Install the kmod-ipv6, radvd, and luci-app-radvd packages
|
||||
* Configure the LAN interface as 10.0.0.1/16 and
|
||||
fd84:b410:3441::1/64
|
||||
* Tell DHCP to begin at 257 after the base IP: this will assure
|
||||
all DHCP addresses are after 10.0.1.0
|
||||
* Disable router solicitations on LAN
|
||||
* Enable WPA2, with the password "correct horse battery staple"
|
||||
* Turn on router advertisements (under radvd) on LAN
|
||||
* Enable prefix fd84:b410:3441::1/54 under radvd
|
||||
|
||||
If the router has the ability to come up as a wireless access point, it
|
||||
will do so with SSID "CTF" and IP 10.254.0.1/16.
|
||||
|
||||
All subnets can route to all other subnets, through the router.
|
||||
10.0.0.1/16 and 10.254.0.1/16 may have a higher TTL when routed to a
|
||||
VLAN (I haven't checked). Keep in mind that anything connected directly
|
||||
to the router (ie. not through the managed switch) can do its own VLAN
|
||||
tagging. This would be the way to hop on another team's subnet to do
|
||||
something like check service availability in such a way as to prevent
|
||||
teams from firewalling each other out.
|
||||
|
||||
|
||||
SSID "CTF"
|
||||
10.254.0.1/16
|
||||
((Y))
|
||||
|
|
||||
-------------
|
||||
| OpenWRT |
|
||||
-0-1-2-3-4---
|
||||
/| | | | |
|
||||
/ | | | | |
|
||||
/ | | | | |
|
||||
/ 10.0.0.1/16
|
||||
/
|
||||
-------------------t---
|
||||
| Managed Switch |
|
||||
-1-2-3-4-5-...-47-48---
|
||||
/ | | \
|
||||
/ | | \
|
||||
/ | | \
|
||||
/ | | \
|
||||
10.1.0.1/16 | | 10.48.0.1/16
|
||||
| |
|
||||
10.3.0.1/16 |
|
||||
|
|
||||
10.47.0.1/16
|
||||
This should be sufficient to bring up the router for running the
|
||||
contest. If you want to get fancy, you can scp the files in
|
||||
www in this directory, into /www on the router. This will give
|
||||
users some guidance if they accidentally browse to the router IP,
|
||||
and also disables the default redirection to luci.
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
config dnsmasq
|
||||
option leasefile '/tmp/dhcp.leases'
|
|
@ -1,27 +0,0 @@
|
|||
#### Switch configuration
|
||||
config switch eth0
|
||||
option enable 1
|
||||
option enable_vlan 0
|
||||
|
||||
#### Loopback configuration
|
||||
config interface loopback
|
||||
option ifname "lo"
|
||||
option proto static
|
||||
option ipaddr 127.0.0.1
|
||||
option netmask 255.0.0.0
|
||||
|
||||
#### Administrative network
|
||||
config interface admin
|
||||
option ifname "eth0"
|
||||
option proto static
|
||||
option ipaddr 10.0.0.1
|
||||
option netmask 255.255.0.0
|
||||
|
||||
#### Wireless
|
||||
config interface wifi
|
||||
option proto static
|
||||
option ipaddr 10.254.0.1
|
||||
option netmask 255.255.0.0
|
||||
|
||||
# OpenWRT's "ifup/ifdown" are horribly slow, so the 48
|
||||
# vlans are set up in an init script :)
|
|
@ -1,9 +0,0 @@
|
|||
config wifi-device wl0
|
||||
option type broadcom
|
||||
option channel 1
|
||||
|
||||
config wifi-iface
|
||||
option device wl0
|
||||
option network wifi
|
||||
option mode ap
|
||||
option ssid CTF
|
|
@ -1,26 +0,0 @@
|
|||
#! /bin/sh /etc/rc.common
|
||||
|
||||
START=45
|
||||
STOP=89
|
||||
|
||||
start () {
|
||||
stop
|
||||
|
||||
iptables -P INPUT ACCEPT
|
||||
iptables -P OUTPUT ACCEPT
|
||||
iptables -P FORWARD ACCEPT
|
||||
|
||||
iptables -A INPUT -p udp --dport 53 -j ACCEPT
|
||||
iptables -A INPUT -p udp --dport 67 -j ACCEPT
|
||||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
|
||||
iptables -A INPUT -j REJECT
|
||||
}
|
||||
|
||||
stop () {
|
||||
iptables -F INPUT
|
||||
iptables -F OUTPUT
|
||||
iptables -F FORWARD
|
||||
}
|
||||
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
#! /bin/sh /etc/rc.common
|
||||
|
||||
START=41
|
||||
STOP=89
|
||||
|
||||
VLANS=48
|
||||
|
||||
start () {
|
||||
for i in $(seq 1 $VLANS); do
|
||||
vconfig add eth0 $i
|
||||
ifconfig eth0.$i 10.$i.0.1 netmask 255.255.0.0
|
||||
done
|
||||
}
|
||||
|
||||
stop () {
|
||||
for i in $(seq 1 $VLANS); do
|
||||
vconfig rem eth0.$i
|
||||
done
|
||||
}
|
||||
|
|
@ -1 +0,0 @@
|
|||
../init.d/iptables
|
|
@ -1 +0,0 @@
|
|||
../init.d/vlan
|
|
@ -1 +0,0 @@
|
|||
../init.d/vlan
|
|
@ -1 +0,0 @@
|
|||
../init.d/iptables
|
|
@ -0,0 +1,18 @@
|
|||
<DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Router</title>
|
||||
</head>
|
||||
<body>
|
||||
<p>
|
||||
You're in the wrong place. This is the router.
|
||||
</p>
|
||||
<ul>
|
||||
<li>
|
||||
CTF Server:
|
||||
<a href="http://[fd84:b410:3441::2]/">IPv6</a>, <a href="http://10.0.0.2/">IPv4</a>
|
||||
</li>
|
||||
<li><a href="password_strength.png">WPA2 password</a></li>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
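Review bot: The doctype on the first added line is malformed — `<DOCTYPE html>` (no `!`) is parsed as an unknown element rather than a doctype declaration, so browsers render the page in quirks mode; it should be `<!DOCTYPE html>`. The `<ul>` opened above the server links is closed with `</p>` instead of `</ul>`, leaving the list unterminated. Both are one-line fixes. Since this page and the linked password_strength.png are served to anyone who reaches the router's web interface, a short comment such as `<!-- intentionally public: shared contest WPA2 passphrase, see README -->` above the password link would make the deliberate exposure explicit for whoever reuses this directory on a router that is not a throwaway contest box.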
|
@ -47,7 +47,7 @@
|
|||
<h2>Rules</h2>
|
||||
<ul>
|
||||
<li>
|
||||
No DoS attacks.
|
||||
No DoS attacks. No link layer (ARP, NDP) attacks.
|
||||
</li>
|
||||
<li>
|
||||
Contest servers lie within <samp>fd84:b410:3441::/112</samp>
|
||||
|
|
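Review bot: The new rule text `No DoS attacks. No link layer (ARP, NDP) attacks.` has no technical control behind it — the README added in this commit states the OpenWRT setup is meant for contests where participants can be counted on not to launch link-level attacks, and none of the remaining configuration in the commit enforces this. Saying so on the rules page would set expectations correctly; e.g. `No link layer (ARP, NDP) attacks (this is not enforced by the network — violations are a rules issue).` The enclosing rules list continues outside the hunk.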