Merge remote-tracking branch 'origin/operators/tools-rewamp' into operators/tools-rewamp

RadekSabacky
2025-11-24 15:11:20 +01:00
3 changed files with 63 additions and 5 deletions
@@ -32,6 +32,10 @@ chmod +x quic_bridge_deployment.sh
```sh
./quic_bridge_deployment.sh full_bridge_setup
```
- If you prefer a non-interactive mode, run the command with this variable (and skip next step):
```sh
NONINTERACTIVE=1 quick_bridge_deployment.sh full_bridge_setup
```
###### 3. Follow the interactive prompts
- Make sure you don't just press enter to insert default values if your setup is different, for example in case of path to the config file
@@ -62,7 +62,7 @@ Networking configuration across different ISPs and various operation systems doe
<Tabs items={[
<strong>New <code>nym-node</ code> full configuration</strong>,
<strong>Existing <code>nym-node</ code> full configuration</strong>,
<strong>Step-by-step or Pprtial configuration</strong>
<strong>Step-by-step or Partial configuration</strong>
]} defaultIndex={0}>
<Tabs.Tab>
This design is meant for operators setting up a new node on a fresh machine and it will result with a complete server readiness for routing as Entry Gateway and Exit Gateway in both Mixnet and WireGuard mode.
@@ -80,9 +80,14 @@ chmod +x network-tunnel-manager.sh && \
- **If you setting up a new node and not upgrading an existing one, keep it running and [bond](/operators/nodes/nym-node/bonding.mdx) your node now! Then come back here and follow the rest of the configuration.**
###### 3. Execute complete network configuration:
###### 3. Run command for configuration:
- Nodes with **WireGuard enabled**: Configures interfaces (`nymtun0` and `nymwg`), IPv4 and IPv6 routing, WireGuard exit policy and does validation tests
```sh
./network-tunnel-manager.sh complete_networking_setup
./network-tunnel-manager.sh complete_networking_configuration
```
- Nodes with **WireGuard disabled**: Does everything like the command above *without WireGuard exit policy*
```sh
./network-tunnel-manager.sh full_tunnel_setup
```
</ Steps>
</Tabs.Tab>
@@ -98,9 +103,14 @@ chmod +x network-tunnel-manager.sh && \
./network-tunnel-manager.sh --help
```
###### 2. Execute complete network configuration:
###### 2. Run command for configuration:
- Nodes with **WireGuard enabled**: Configures interfaces (`nymtun0` and `nymwg`), IPv4 and IPv6 routing, WireGuard exit policy and does validation tests
```sh
./network-tunnel-manager.sh complete_networking_setup
./network-tunnel-manager.sh complete_networking_configuration
```
- Nodes with **WireGuard disabled**: Does everything like the command above *without WireGuard exit policy*
```sh
./network-tunnel-manager.sh full_tunnel_setup
```
</ Steps>
</Tabs.Tab>
@@ -912,10 +912,54 @@ check_nym_exit_chain() {
return $errors
}
check_iptables_default_policies() {
info "checking base iptables default policies (INPUT/FORWARD)"
local issues=0
local input_policy forward_policy output_policy
input_policy=$(iptables -S INPUT 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
forward_policy=$(iptables -S FORWARD 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
output_policy=$(iptables -S OUTPUT 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
if [[ -z "${input_policy:-}" ]]; then
error "unable to read INPUT default policy (iptables -S INPUT failed?)"
issues=1
elif [[ "${input_policy^^}" != "DROP" ]]; then
error "INPUT default policy is ${input_policy^^}; expected DROP so traffic is only allowed by explicit rules."
issues=1
else
ok "INPUT default policy is DROP"
fi
if [[ -z "${forward_policy:-}" ]]; then
error "unable to read FORWARD default policy (iptables -S FORWARD failed?)"
issues=1
elif [[ "${forward_policy^^}" != "DROP" ]]; then
error "FORWARD default policy is ${forward_policy^^}; expected DROP to ensure traffic only flows via NYM-EXIT rules."
issues=1
else
ok "FORWARD default policy is DROP"
fi
if [[ -z "${output_policy:-}" ]]; then
error "unable to read OUTPUT default policy (iptables -S OUTPUT failed?)"
issues=1
elif [[ "${output_policy^^}" != "ACCEPT" ]]; then
error "OUTPUT default policy is ${output_policy^^}; expected ACCEPT"
issues=1
else
ok "OUTPUT default policy is ACCEPT"
fi
return $issues
}
check_firewall_setup() {
info "checking ipv4 firewall ordering…"
local errors=0
check_iptables_default_policies || errors=1
check_forward_chain || errors=1
check_nym_exit_chain || errors=1
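Review bot: The new `check_iptables_default_policies` reads only the IPv4 tables (`iptables -S INPUT`, `FORWARD`, `OUTPUT`), so a host whose `ip6tables` INPUT or FORWARD default policy is still ACCEPT passes with three `ok` lines, although the documentation changed in this same commit says the setup configures both IPv4 and IPv6 routing. If no IPv6 counterpart exists elsewhere in the script (not visible here), consider taking the binary as a parameter, `local ipt=${1:-iptables}` with `"$ipt" -S INPUT 2>/dev/null`, and calling the function a second time with `ip6tables` from the IPv6 checks. The `info` label also says `(INPUT/FORWARD)` while the function verifies OUTPUT as well; `(INPUT/FORWARD/OUTPUT)` would match what is checked. `check_firewall_setup` continues past the end of the hunk.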