mirror of https://github.com/dirtbags/moth.git
New OpenWRT configuration
parent
0b93d6bbc8
commit
60d7281342
@ -1,57 +1,37 @@
|
||||||
This directory contains the files used to set up an OpenWRT router.
|
Using an OpenWRT router
|
||||||
|
=======================
|
||||||
|
|
||||||
|
You can use an off-the-shelf, OpenWRT capable wireless router,
|
||||||
|
configuring only through the web interface. The OpenWRT setup is
|
||||||
|
intended for smaller contests, wired or non-wired, in which
|
||||||
|
participants can be counted on not to launch link level attacks (ARP
|
||||||
|
or NDP). Bear in mind that the cheap consumer routers have relatively
|
||||||
|
slow CPUs and won't stand up to high volume.
|
||||||
|
|
||||||
Bear in mind that the cheap consumer routers have relatively slow CPUs
|
The CTF repository includes a "router" package, which will boot a DBTL
|
||||||
and won't stand up to high volume. This same configuration applies to
|
device as a IPv6 router complete with multicast forwarding and up to
|
||||||
OpenWRT running on an x86 PC, or any other target of OpenWRT. For
|
24 tagged VLANs (by using a managed switch). This is a better option
|
||||||
larger contests, it would be a good idea to use a faster machine for the
|
for larger contests, and can better handle high-speed (Gigabit)
|
||||||
router. I don't have any specific recommendations at this time (Oct
|
traffic.
|
||||||
2010).
|
|
||||||
|
|
||||||
The router comes up as 10.0.0.1/16 on eth0.
|
Instructions for setting up OpenWRT
|
||||||
|
-----------------------------------
|
||||||
|
|
||||||
If the router has a built-in switch, it is brought up without VLAN
|
After installing OpenWRT:
|
||||||
support, since these switches typically only support 16 VLANs, and do
|
|
||||||
not support QinQ (double VLAN tags). All 5 ports work like an unmanaged
|
|
||||||
switch, which ends up being handy for the contest table.
|
|
||||||
|
|
||||||
Plugging a managed switch into the router enables access to 48 VLANs,
|
* Change the root password
|
||||||
each configured to a /16 network. The router on VLAN number v comes up
|
* Install the kmod-ipv6, radvd, and luci-app-radvd packages
|
||||||
as 10.v.0.1/16.
|
* Configure the LAN interface as 10.0.0.1/16 and
|
||||||
|
fd84:b410:3441::1/64
|
||||||
|
* Tell DHCP to begin at 257 after the base IP: this will assure
|
||||||
|
all DHCP addresses are after 10.0.1.0
|
||||||
|
* Disable router solicitations on LAN
|
||||||
|
* Enable WPA2, with the password "correct horse battery staple"
|
||||||
|
* Turn on router advertisements (under radvd) on LAN
|
||||||
|
* Enable prefix fd84:b410:3441::1/54 under radvd
|
||||||
|
|
||||||
If the router has the ability to come up as a wireless access point, it
|
This should be sufficient to bring up the router for running the
|
||||||
will do so with SSID "CTF" and IP 10.254.0.1/16.
|
contest. If you want to get fancy, you can scp the files in
|
||||||
|
www in this directory, into /www on the router. This will give
|
||||||
All subnets can route to all other subnets, through the router.
|
users some guidance if they accidentally browse to the router IP,
|
||||||
10.0.0.1/16 and 10.254.0.1/16 may have a higher TTL when routed to a
|
and also disables the default redirection to luci.
|
||||||
VLAN (I haven't checked). Keep in mind that anything connected directly
|
|
||||||
to the router (ie. not through the managed switch) can do its own VLAN
|
|
||||||
tagging. This would be the way to hop on another team's subnet to do
|
|
||||||
something like check service availability in such a way as to prevent
|
|
||||||
teams from firewalling each other out.
|
|
||||||
|
|
||||||
|
|
||||||
SSID "CTF"
|
|
||||||
10.254.0.1/16
|
|
||||||
((Y))
|
|
||||||
|
|
|
||||||
-------------
|
|
||||||
| OpenWRT |
|
|
||||||
-0-1-2-3-4---
|
|
||||||
/| | | | |
|
|
||||||
/ | | | | |
|
|
||||||
/ | | | | |
|
|
||||||
/ 10.0.0.1/16
|
|
||||||
/
|
|
||||||
-------------------t---
|
|
||||||
| Managed Switch |
|
|
||||||
-1-2-3-4-5-...-47-48---
|
|
||||||
/ | | \
|
|
||||||
/ | | \
|
|
||||||
/ | | \
|
|
||||||
/ | | \
|
|
||||||
10.1.0.1/16 | | 10.48.0.1/16
|
|
||||||
| |
|
|
||||||
10.3.0.1/16 |
|
|
||||||
|
|
|
||||||
10.47.0.1/16
|
|
||||||
|
|
|
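Review bot: the last radvd bullet in the new README gives the prefix as fd84:b410:3441::1/54, while the LAN bullet three items earlier gives the same address as fd84:b410:3441::1/64; one of the two prefix lengths is a typo, and since the radvd bullet is advertising a prefix it should be written with the host bits zero, i.e. fd84:b410:3441::/64, to match the LAN configuration. Two smaller points in the same hunk: "a IPv6 router" should read "an IPv6 router", and the new paragraph says the router package supports "up to 24 tagged VLANs" where the removed text and the deleted vlan init script both say 48, so confirm which count is correct before this ships. Finally, the removed text described per-team /16 VLANs behind a managed switch; the new setup puts every participant on the single 10.0.0.0/16 LAN, so the "participants can be counted on not to launch link level attacks (ARP or NDP)" assumption in the first paragraph is now the only isolation there is, and it would be worth restating it in the setup instructions rather than only in the introduction.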
@ -1,2 +0,0 @@
|
||||||
config dnsmasq
|
|
||||||
option leasefile '/tmp/dhcp.leases'
|
|
|
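Review bot: dropping the dnsmasq leasefile override is fine now that DHCP is configured through the web interface, but the README bullet that replaces this file only fixes the start offset (257 after the base IP); the pool size is left at whatever the UI defaults to, so add the lease limit to that bullet as well, otherwise a contest with more participants than the default pool will have clients that never get an address.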
@ -1,27 +0,0 @@
|
||||||
#### Switch configuration
|
|
||||||
config switch eth0
|
|
||||||
option enable 1
|
|
||||||
option enable_vlan 0
|
|
||||||
|
|
||||||
#### Loopback configuration
|
|
||||||
config interface loopback
|
|
||||||
option ifname "lo"
|
|
||||||
option proto static
|
|
||||||
option ipaddr 127.0.0.1
|
|
||||||
option netmask 255.0.0.0
|
|
||||||
|
|
||||||
#### Administrative network
|
|
||||||
config interface admin
|
|
||||||
option ifname "eth0"
|
|
||||||
option proto static
|
|
||||||
option ipaddr 10.0.0.1
|
|
||||||
option netmask 255.255.0.0
|
|
||||||
|
|
||||||
#### Wireless
|
|
||||||
config interface wifi
|
|
||||||
option proto static
|
|
||||||
option ipaddr 10.254.0.1
|
|
||||||
option netmask 255.255.0.0
|
|
||||||
|
|
||||||
# OpenWRT's "ifup/ifdown" are horribly slow, so the 48
|
|
||||||
# vlans are set up in an init script :)
|
|
|
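Review bot: with this file removed, the router's addressing (the admin network 10.0.0.1/16, the ULA fd84:b410:3441::1/64 named in the README, and the wireless network) exists only as clicks in the README's web-UI steps, which are hard to reproduce exactly on a second device; consider committing the resulting /etc/config/network next to the README so another router can be built identically. Note also that the trailing comment about the 48 VLANs being created in an init script disappears together with that script, so nothing left in this directory provides per-team VLANs; the README should say plainly that the flat LAN is by design and that VLAN setups are delegated to the separate router package.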
@ -1,9 +0,0 @@
|
||||||
config wifi-device wl0
|
|
||||||
option type broadcom
|
|
||||||
option channel 1
|
|
||||||
|
|
||||||
config wifi-iface
|
|
||||||
option device wl0
|
|
||||||
option network wifi
|
|
||||||
option mode ap
|
|
||||||
option ssid CTF
|
|
|
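Review bot: the removed wifi-iface stanza carries no encryption option, so the old access point was open, and the README's new WPA2 step is an improvement; but the removed config also attached wireless to its own "wifi" network (10.254.0.1/16) while the README only configures LAN, so the instructions should say explicitly that the wireless interface is attached to LAN (bridged onto 10.0.0.0/16). That matters because the "No link layer (ARP, NDP) attacks" rule added elsewhere in this commit assumes wired and wireless participants share one network.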
@ -1,26 +0,0 @@
|
||||||
#! /bin/sh /etc/rc.common
|
|
||||||
|
|
||||||
START=45
|
|
||||||
STOP=89
|
|
||||||
|
|
||||||
start () {
|
|
||||||
stop
|
|
||||||
|
|
||||||
iptables -P INPUT ACCEPT
|
|
||||||
iptables -P OUTPUT ACCEPT
|
|
||||||
iptables -P FORWARD ACCEPT
|
|
||||||
|
|
||||||
iptables -A INPUT -p udp --dport 53 -j ACCEPT
|
|
||||||
iptables -A INPUT -p udp --dport 67 -j ACCEPT
|
|
||||||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
|
||||||
iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
|
|
||||||
iptables -A INPUT -j REJECT
|
|
||||||
}
|
|
||||||
|
|
||||||
stop () {
|
|
||||||
iptables -F INPUT
|
|
||||||
iptables -F OUTPUT
|
|
||||||
iptables -F FORWARD
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
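Review bot: after this removal nothing on the page says what, if anything, filters traffic destined for the router itself. The deleted script allowed DNS, DHCP, echo-request and anything from 10.0.0.0/16 into INPUT and rejected the rest (its ACCEPT default policies plus the trailing "-j REJECT" amounted to a reject-by-default INPUT chain), and it never covered IPv6 since there is no ip6tables counterpart. In the new setup every participant is on 10.0.0.0/16 anyway, so LuCI and SSH on the router are reachable from every contestant and "Change the root password" in the README is the only control; say so in the README, or state that OpenWRT's own firewall package is kept and that the router's admin services are deliberately exposed to LAN.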
@ -1,20 +0,0 @@
|
||||||
#! /bin/sh /etc/rc.common
|
|
||||||
|
|
||||||
START=41
|
|
||||||
STOP=89
|
|
||||||
|
|
||||||
VLANS=48
|
|
||||||
|
|
||||||
start () {
|
|
||||||
for i in $(seq 1 $VLANS); do
|
|
||||||
vconfig add eth0 $i
|
|
||||||
ifconfig eth0.$i 10.$i.0.1 netmask 255.255.0.0
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
stop () {
|
|
||||||
for i in $(seq 1 $VLANS); do
|
|
||||||
vconfig rem eth0.$i
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
|
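Review bot: this loop is where the "48" in the old README came from (VLANS=48, one eth0.$i per iteration, each at 10.$i.0.1/16), and the new README says the replacement router package supports "up to 24 tagged VLANs"; either the new text understates the count or the package really halves it, and the README should match whichever is true. As a side note, stop() only calls "vconfig rem" and never removes the addresses it assigned, which was harmless because tearing down the interface drops them, but it is one more reason not to miss this script when reproducing the setup elsewhere.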
@ -1 +0,0 @@
|
||||||
../init.d/iptables
|
|
|
@ -1 +0,0 @@
|
||||||
../init.d/vlan
|
|
|
@ -1 +0,0 @@
|
||||||
../init.d/vlan
|
|
|
@ -1 +0,0 @@
|
||||||
../init.d/iptables
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
<DOCTYPE html>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Router</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<p>
|
||||||
|
You're in the wrong place. This is the router.
|
||||||
|
</p>
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
CTF Server:
|
||||||
|
<a href="http://[fd84:b410:3441::2]/">IPv6</a>, <a href="http://10.0.0.2/">IPv4</a>
|
||||||
|
</li>
|
||||||
|
<li><a href="password_strength.png">WPA2 password</a></li>
|
||||||
|
</p>
|
||||||
|
</body>
|
||||||
|
</html>
|
Binary file not shown.
After Width: | Height: | Size: 91 KiB |
Binary file not shown.
After Width: | Height: | Size: 128 KiB |
|
@ -47,7 +47,7 @@
|
||||||
<h2>Rules</h2>
|
<h2>Rules</h2>
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
No DoS attacks.
|
No DoS attacks. No link layer (ARP, NDP) attacks.
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
Contest servers lie within <samp>fd84:b410:3441::/112</samp>
|
Contest servers lie within <samp>fd84:b410:3441::/112</samp>
|
||||||
|
|
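Review bot: the added sentence "No link layer (ARP, NDP) attacks." is now the only thing standing in for the per-team VLAN isolation this commit removes, so it is the right rule to add; consider also stating the IPv4 server range on the next line, since the rules say contest servers lie within fd84:b410:3441::/112 but the README's DHCP offset of 257 and the index page's 10.0.0.2 imply an IPv4 server block in the low part of 10.0.0.0/16 that participants are not told about.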