Centos7 安装并使用Bird2与DN42网络建立BGP邻居

原文章:https://dn42.dev/howto/Bird2

Bird2的安装

#注意,bird2只有一个进程,可以管理ipv4和ipv6,而bird1是两个分开的进程
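    # bird2 ships in EPEL on CentOS 7. Name the repository package explicitly
    # instead of the shell glob "epel*", which is expanded against the current
    # directory first and otherwise lets yum match any package starting with
    # "epel" rather than the one we want.
    yum install -y epel-release
    yum update -y
    # bird2 is a single daemon that handles both IPv4 and IPv6 (bird1 needed two).
    yum install bird2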

递归创建目录,备份默认配置文件,因为这两个目录默认都没有
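    # The main config ends with `include "/etc/bird/peers/*";` and the per-neighbour
    # files are written to /etc/bird/peers/<NEIGHBOR_NAME>.conf, so the directory
    # must be "peers" (plural); creating "peer" leaves the include pointing at a
    # directory that does not exist. -p also creates the parent /etc/bird.
    mkdir -p /etc/bird/peers
    # Keep the packaged default config as a reference before writing our own.
    mv /etc/bird.conf /etc/bird.conf.bak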

创建bird的主配置文件(/etc/bird.conf)并根据自己的情况进行修改(这是我取自DN42 wiki上的模板)


################################################
# Variable header                              #
################################################
# Replace <OWNAS> with your autonomous system number, e.g. 4242421234.
# Replace <OWNIP> with the IP address the router will own; this is usually the
# first non-zero IP of the subnet (e.g. x.x.x.65 in an x.x.x.64/28 network).
# Likewise replace <OWNIPv6> with the first non-zero IP of the IPv6 subnet.
# Then replace <OWNNET> with the IPv4 subnet assigned to you.
# The same goes for <OWNNETv6>, except it needs an IPv6 subnet (who would have
# thought).
# Remember that the network has to be entered twice, in both OWNNET{,v6} and
# OWNNETSET{,v6}; both variables are needed because one cannot easily be
# derived from the other inside the config language.
define OWNAS = <OWNAS>;
define OWNIP = <OWNIP>;
define OWNIPv6 = <OWNIPv6>;
define OWNNET = <OWNNET>;
define OWNNETv6 = <OWNNETv6>;
define OWNNETSET = [<OWNNET>+];
define OWNNETSETv6 = [<OWNNETv6>+];
################################################
# Header end                                   #
################################################

router id OWNIP;

protocol device {
    scan time 10;
}

/*
 * Utility functions
 */

# True when the route's prefix lies inside our own IPv4 allocation
# (used on import so we never accept our own prefix from a peer).
function is_self_net() {
    return net ~ OWNNETSET;
}

# IPv6 counterpart of is_self_net().
function is_self_net_v6() {
    return net ~ OWNNETSETv6;
}

# Only prefixes inside the dn42 / ChaosVPN / Freifunk ranges are valid; the
# {min,max} bounds limit how specific an accepted prefix may be.
function is_valid_network() {
    return net ~ [
        172.20.0.0/14{21,29}, # dn42
        172.20.0.0/24{28,32}, # dn42 Anycast
        172.21.0.0/24{28,32}, # dn42 Anycast
        172.22.0.0/24{28,32}, # dn42 Anycast
        172.23.0.0/24{28,32}, # dn42 Anycast
        172.31.0.0/16+,       # ChaosVPN
        10.100.0.0/14+,       # ChaosVPN
        10.0.0.0/8{15,24}     # Freifunk.net
    ];
}

# ROA tables consulted by roa_check() in the dnpeers import filters.
roa4 table dn42_roa;
roa6 table dn42_roa_v6;

# The ROA entries themselves are loaded from files that the cron job below
# refreshes periodically; without up-to-date files the ROA checks are stale.
protocol static {
    roa4 { table dn42_roa; };
    include "/etc/bird/roa_dn42.conf";
};

protocol static {
    roa6 { table dn42_roa_v6; };
    include "/etc/bird/roa_dn42_v6.conf";
};

# IPv6 counterpart of is_valid_network().
function is_valid_network_v6() {
    return net ~ [
        fd00::/8{44,64} # ULA address space as per RFC 4193
    ];
}

# Kernel sync: nothing is learned from the kernel table, and the static
# reject routes defined below are kept out of the kernel; everything else is
# installed with our own address as the preferred source.
protocol kernel {
    scan time 20;
    ipv6 {
        import none;
        export filter {
            if source = RTS_STATIC then reject;
            krt_prefsrc = OWNIPv6;
            accept;
        };
    };
};

protocol kernel {
    scan time 20;
    ipv4 {
        import none;
        export filter {
            if source = RTS_STATIC then reject;
            krt_prefsrc = OWNIP;
            accept;
        };
    };
}

# Originate our whole allocation as a static reject route: it enters the
# routing table via "import all" and reaches peers through the dnpeers export
# filter, while the kernel filter above keeps it off the host's routing table.
protocol static {
    route OWNNET reject;
    ipv4 {
        import all;
        export none;
    };
}

protocol static {
    route OWNNETv6 reject;
    ipv6 {
        import all;
        export none;
    };
}

# Common settings for every dn42 peer; per-neighbour files only add
# "neighbor <ip> as <asn>".
template bgp dnpeers {
    local as OWNAS;
    # Compare AS-path length when selecting the best route.
    path metric 1;
    ipv4 {
        # Import: drop anything outside the valid ranges or inside our own
        # allocation, then require a ROA_VALID result for the origin ASN
        # (bgp_path.last). Both ROA_INVALID and ROA_UNKNOWN are rejected and
        # logged via print.
        import filter {
            if is_valid_network() && !is_self_net() then {
                if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
                    print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
                    reject;
                } else accept;
            } else reject;
        };
        # Export: only valid dn42 ranges leave this router (our own prefix
        # included, since is_self_net() is not checked on export).
        export filter { if is_valid_network() then accept; else reject; };
        # A peer that announces more than 1000 routes has further routes
        # blocked, bounding what one neighbour can push into our table.
        import limit 1000 action block;
    };
    ipv6 {
        # Same policy as the ipv4 channel, against the IPv6 ROA table.
        import filter {
            if is_valid_network_v6() && !is_self_net_v6() then {
                if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
                    print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
                    reject;
                } else accept;
            } else reject;
        };
        export filter { if is_valid_network_v6() then accept; else reject; };
        import limit 1000 action block;
    };
}

# Note: this include must come last. The peer files reference the dnpeers
# template, so placing it before the template definition is a config error
# (the author hit exactly this).
include "/etc/bird/peers/*";

路由源授权(Route Origin Authorization,ROA)

上面的示例配置依赖于 /etc/bird/roa_dn42{,_v6}.conf 中的ROA配置文件。这些文件应该每隔一段时间自动下载和更新,以防止BGP劫持,可以用一个简单的cronjob来实现:
# System-crontab entry (has a user field, so it belongs in /etc/crontab or a
# file under /etc/cron.d, not in a user's crontab): every 15 minutes, as root,
# fetch both ROA feeds, rewrite them for BIRD 2 and reload the running config.
# - {-o,-z}FILE is shell brace expansion for "-o FILE -z FILE"; it works here
#   because /bin/sh on CentOS 7 is bash, confirm before reusing elsewhere.
# - -R keeps the remote timestamp and -z only downloads when the remote copy is
#   newer, so most runs transfer nothing.
# - -f makes curl fail on HTTP errors and the && chain stops at the first
#   failure, so a bad fetch skips the sed and the reload; whether a failed
#   "curl -o" leaves an empty file behind depends on the curl version, worth
#   confirming. -sS keeps the job quiet except for errors, which cron mails.
# - the sed turns the feed's "roa" statements into the "route ... max ... as ..."
#   form that the static protocols in /etc/bird.conf load into the ROA tables.
*/15 * * * * root curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf && curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf && sed -i 's/roa/route/g' /etc/bird/roa_dn42{,_v6}.conf && birdc configure

配置peer

#由于IPv6的链路本地地址比较特殊,如果使用了链路本地地址,则必须使用%语法指定接口(建议使用)
    # One file per neighbour under /etc/bird/peers/ (picked up by the
    # include "/etc/bird/peers/*" at the end of /etc/bird.conf); the expected
    # contents are shown below.
    cat /etc/bird/peers/<NEIGHBOR_NAME>.conf

# IPv4 session. Filters, ROA checks and the import limit are inherited from
# the dnpeers template in /etc/bird.conf; only the neighbour's address and ASN
# are set here. The protocol name must be unique across all peer files.
protocol bgp <NEIGHBOR_NAME> from dnpeers {
        neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>;
}

# IPv6 session, named with a _v6 suffix so it does not collide with the IPv4
# one. A link-local neighbour address (fe80::/10) is ambiguous without the
# interface, so it is given with the %<interface> suffix.
protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
        neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>;
}
声明:本文为原创,作者为 辣条①号,转载时请保留本声明及附带文章链接:https://boke.wsfnk.com/archives/1299.html

最后编辑于:2020/3/22作者: 辣条①号
