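# distrib ubuntu focal-security
# Packages:
# Kernel/build toolchain and its dependencies.
apt install git make gcc linux-libc-dev pkg-config libncurses-dev flex bison libssl-dev libelf-dev dwarves rsync bc fakeroot build-essential
# Routing (frr), diagnostics and admin tooling.
apt install xz-utils libncurses5-dev tcpdump frr nmap tmux ansible htop vim

# /etc/network/interfaces: eth0 on DHCP plus a static alias, four static LAN
# segments, a router-link alias on eth3 and a /32 on a dummy interface.
# The quoted "EOF" delimiter keeps the heredoc body literal (no expansion).
# Fixes vs. the raw notes: absolute path, and the missing "<<" (without it
# "EOF" is taken as a file name for cat and the following lines are executed
# as shell commands instead of being written to the file); the alias stanza
# is named eth0:0 to match its "auto eth0:0" line instead of re-declaring eth0.
# NOTE(review): 2.2.2.2/32 is public, non-RFC 1918 address space; confirm it
# is intended, since frr.conf below redistributes connected routes.
cat > /etc/network/interfaces << "EOF"
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
auto eth0:0
iface eth0:0 inet static
address 192.168.127.122/24
auto eth1
allow-hotplug eth1
iface eth1 inet static
address 10.22.1.1/24
auto eth2
iface eth2 inet static
address 10.22.2.1/24
auto eth3
iface eth3 inet static
address 10.22.3.1/24
auto eth4
iface eth4 inet static
address 10.22.4.1/24
#add router link
auto eth3:0
iface eth3:0 inet static
address 10.11.3.254/24
#virtal interface
auto dummy0
iface dummy0 inet static
address 2.2.2.2
netmask 255.255.255.255
pre-up modprobe dummy || true
post-up ip link set dummy0 up
EOF

# /etc/frr/frr.conf: Babel via FRR on eth1-eth4, wired profile, connected
# routes redistributed. This is an alternative to the standalone babeld
# service configured in /etc/babeld.conf further down: each of the two
# configs says to stop and disable the other, so run exactly one of them.
cat > /etc/frr/frr.conf << "EOF"
## Ahtung!!! need off babeld service
## systemctl stop babeld && systemctl disable babeld
frr defaults traditional
log syslog informational
service integrated-vtysh-config
router babel
network eth1
network eth2
network eth3
network eth4
redistribute ipv4 connected
redistribute ipv6 connected
babel diversity
babel diversity-factor 128
interface eth1
babel wired
babel split-horizon
babel hello-interval 12000
babel update-interval 36000
interface eth2
babel wired
babel split-horizon
babel hello-interval 12000
babel update-interval 36000
interface eth3
babel wired
babel split-horizon
babel hello-interval 12000
babel update-interval 36000
interface eth4
babel wired
babel split-horizon
babel hello-interval 12000
babel update-interval 36000
EOF

# /etc/frr/daemons: read by the FRR init scripts as shell variable
# assignments, so every non-comment line must be a valid assignment. The raw
# notes contained a pasted terminal prompt ("user@ansible:~/prod$ cat
# frr_daemons.j2") and a second copy of the header comment; both are dropped
# here, otherwise the prompt line would end up in the file the init script
# reads.
# Only babeld is enabled. Every VTY is bound to loopback (-A 127.0.0.1 / ::1)
# except bgpd_options, which binds 10.0.0.7. With bgpd=no that line is inert,
# but if bgpd is ever switched on its VTY would listen on a routable address;
# prefer -A 127.0.0.1 there as well.
cat > /etc/frr/daemons << "EOF"
# This file tells the frr package which daemons to start.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activating a daemon for the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
# The watchfrr, zebra and staticd daemons are always started.
#
bgpd=no
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=yes
sharpd=no
pbrd=no
bfdd=no
fabricd=no
vrrpd=no
#
# If this option is set the /etc/init.d/frr script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/frr if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 10.0.0.7"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
babeld_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"
# configuration profile
#
#frr_profile="traditional"
#frr_profile="datacenter"
#
# This is the maximum number of FD's that will be available.
# Upon startup this is read by the control files and ulimit
# is called. Uncomment and use a reasonable value for your
# setup if you are expecting a large number of peers in
# say BGP.
#MAX_FDS=1024
# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""
# To make watchfrr create/join the specified netns, use the following option:
#watchfrr_options="--netns"
# This only has an effect in /etc/frr//daemons, and you need to
# start FRR with "/usr/lib/frr/frrinit.sh start ".
# for debugging purposes, you can specify a "wrap" command to start instead
# of starting the daemon directly, e.g. to use valgrind on ospfd:
# ospfd_wrap="/usr/bin/valgrind"
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
# all_wrap="/usr/bin/perf record --call-graph -"
# the normal daemon command is added to this at the end.
EOF

# /etc/sysctl.conf: ip_forward=1 turns this host into a router; the remaining
# keys tune TCP. The notes had all settings collapsed onto one line; they are
# one per line here as sysctl expects. "cat >" replaces the stock file; the
# values take effect after "sysctl -p" or a reboot.
cat > /etc/sysctl.conf << "EOF"
net.ipv4.ip_forward=1
net.ipv4.tcp_max_tw_buckets = 65536
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_max_syn_backlog = 131072
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 8
net.ipv4.tcp_mem = 262144 524288 1048576
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_low_latency = 1
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 16384 174760 67108864
net.ipv4.tcp_wmem = 16384 131072 67108864
EOF

# /etc/babeld.conf: standalone babeld (alternative to the FRR babeld above).
# Only 10.0.0.0/8 is redistributed; the "in ... deny" filters reject
# announcements for this router's own prefixes so a neighbour cannot
# override them, and everything else is accepted by the final "in allow".
# NOTE(review): "in ip 10.11.3.254/24" has host bits set (the network is
# 10.11.3.0/24) — confirm babeld accepts the prefix as written.
cat > /etc/babeld.conf << "EOF"
# need off frr protocol babeld
# systemctl stop frr && systemctl disable frr
# For more information about this configuration file, refer to
# babeld(8)
smoothing-half-life 0
link-detect true
interface eth1 type wired hello-interval 2
interface eth2 type wired hello-interval 2
interface eth3 type wired hello-interval 2
interface eth4 type wired hello-interval 2
#redestribute all default
redistribute ip 10.0.0.0/8 allow
redistribute deny
#in blok me network
in ip 2.2.2.2/32 deny
in ip 10.11.3.254/24 deny
in ip 10.22.1.0/24 deny
in ip 10.22.2.0/24 deny
in ip 10.22.3.0/24 deny
in ip 10.22.4.0/24 deny
in ip 192.168.55.0/24 deny
in ip 192.168.127.0/24 deny
in allow
EOF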