# internal interface
define INTERNAL_IF = eth0
+# linuxone interface
+define LINUXONE_IF = eth1
+
# loopback interface
define LOOPBACK_IF = lo
# perimeter interface
-define PERIMETER_IF = eth1
+define PERIMETER_IF = eth2
################################
# address definitions
# transfer web server address (perimeter network)
define XFR_PERIMETER_IPV4 = 192.168.173.174
+# perimeter mail exchanger address (perimeter network)
+define MX_PERIMETER_IPV4 = 192.168.173.154
+define MX_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad9a
+
# external name server address (perimeter network)
define ENS_PERIMETER_IPV4 = 192.168.173.147
define ENS_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad93
define IFG_PERIMETER_IPV4 = 192.168.173.1
define IFG_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad01
+# ifg addresses (linuxone network)
+define LINUXONE_INTERNAL_IPV4 = 172.24.121.254
+define LINUXONE_INTERNAL_IPV6 = 2001:1aa1:000a:577d:000c:18ff:fe03:79fe
+
# ifg addresses (internal network)
define IFG_INTERNAL_IPV4 = 10.228.109.254
define IFG_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6dfe
define FDC_INTERNAL_IPV4 = 10.228.109.131
define FDC_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d83
+# slycrm address (internal network)
+define SLYCRM_INTERNAL_IPV4 = 10.228.109.53
+define SLYCRM_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d35
+
# slycrm proxy address (internal network)
define SLYCPX_INTERNAL_IPV4 = 10.228.109.44
define SLYCPX_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d2c
# internal networks
define INTERNAL_IPV4_NET = 10.228.0.0/16
define INTERNAL_IPV6_NET = 2001:1aa1:000a:7dae::/64
+define LINUXONE_IPV4_NET = 172.24.121.0/24
+define LINUXONE_IPV6_NET = 2001:1aa1:000a:577d::/64
define SR_IPV4_NET = 192.168.42.0/24
define IN_IPV4_NET = 192.168.43.0/24
define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \
# port definitions
################################
-#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define MX_PORTS = { smtp, pop3, imap, 465, submission, imaps, pop3s }
+# 465: SMTP over SSL (TLS)
+
define VPN_PORT = 51820
+# 51820: wireguard
################################
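Review bot: The explanatory comments for the new port definitions are placed after their `define` lines (`# 465: SMTP over SSL (TLS)` at L52 and `# 51820: wireguard` at L55), while every other definition in this file is introduced by a comment on the line before it (L13-L14, L15-L16); moving them above the `define` keeps the file uniform and lets a reader see the annotation before the value. The new `MX_PORTS` set also forwards cleartext `pop3` and `imap` next to `pop3s` and `imaps`; if the mail exchanger requires STARTTLS on those ports, a comment saying so would record why they are open, and if it does not, dropping them here narrows the exposed surface. Service names in a set are resolved against the services database of the host where the ruleset is loaded, so a missing name makes the load fail rather than silently shrinking the set — worth a comment since `465` was deliberately left numeric. In the address hunk above, `LINUXONE_INTERNAL_IPV4`/`_IPV6` (L25-L26) appear to hold the gateway's own address on the LinuxONE network (the comment at L24 says "ifg addresses") but do not follow the `IFG_<NETWORK>_` naming used for that role at L22-L23 and L29-L30; `IFG_LINUXONE_IPV4` would make the role recognisable.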
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
+add rule ip ifg-nat prerouting \
+ ip protocol tcp \
+ iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET tcp sport 1024-65535 \
+ ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
+ counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
################################
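Review bot: The new DNAT rule at L60-L64 rewrites LinuxONE traffic for `$PUBLIC_WS_IPV4` to `$WS_PERIMETER_IPV4`, but no forward rule accepting `$LINUXONE_IF` towards `$WS_PERIMETER_IPV4` on http/https appears in this diff, and the LinuxONE "Internet access" rule added later (L84-L87) explicitly excludes `ip daddr != $PERIMETER_NET`, so after translation the hairpinned web requests will presumably be dropped by the forward chain unless such a rule exists outside the diff. The internal network has exactly this counterpart at L113-L120; a mirror of it keyed on `$LINUXONE_IF`/`$LINUXONE_IPV4_NET` belongs next to it. The rule whose tail is shown at L57-L59 starts before this hunk.
```nft
# … unchanged: "Webserver access" forward rule for $INTERNAL_IF (L113-L120) …
add rule ip ifg-filter forward \
 ct state new, established \
 ip protocol tcp \
 iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET tcp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
 counter accept comment "LinuxONE webserver access"
```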
iifname $PERIMETER_IF \
oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \
counter accept comment "Established sessions"
+add rule ip ifg-filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF \
+ oifname $LINUXONE_IF ip daddr $LINUXONE_IPV4_NET \
+ counter accept comment "Established sessions"
+add rule ip6 ifg-filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF \
+ oifname $LINUXONE_IF ip6 daddr $LINUXONE_IPV6_NET \
+ counter accept comment "Established sessions"
add rule ip ifg-filter forward \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \
oifname $PERIMETER_IF \
counter accept comment "Internet access"
+add rule ip ifg-filter forward \
+ iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET \
+ oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
+ counter accept comment "Internet access"
+add rule ip6 ifg-filter forward \
+ iifname $LINUXONE_IF ip6 saddr $LINUXONE_IPV6_NET \
+ oifname $PERIMETER_IF \
+ counter accept comment "Internet access"
+
+add rule ip ifg-filter forward \
+ iifname $LINUXONE_IF oifname $INTERNAL_IF \
+ counter accept comment "LinuxONE internal communication"
+add rule ip6 ifg-filter forward \
+ iifname $LINUXONE_IF oifname $INTERNAL_IF \
+ counter accept comment "LinuxONE internal communication"
+add rule ip ifg-filter forward \
+ iifname $INTERNAL_IF oifname $LINUXONE_IF \
+ counter accept comment "internal LinuxONE communication"
+add rule ip6 ifg-filter forward \
+ iifname $INTERNAL_IF oifname $LINUXONE_IF \
+ counter accept comment "internal LinuxONE communication"
add rule ip ifg-filter forward \
- ct state new, established \
- ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
- counter accept comment "Webserver access"
+ oifname $PERIMETER_IF ip daddr $MX_PERIMETER_IPV4 tcp dport $MX_PORTS \
+ counter accept comment "Mailserver access"
add rule ip ifg-filter forward \
ct state new, established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport ssh \
- counter accept comment "Webserver SSH access"
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
+ counter accept comment "Webserver access"
add rule ip ifg-filter forward \
ct state new \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr { $DVREDMINE_INTERNAL_IPV4, \
$FDC_INTERNAL_IPV4, \
+ $SLYCPX_INTERNAL_IPV4, \
$STORE_INTERNAL_IPV4, \
$WIKI_INTERNAL_IPV4 } tcp sport http \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Fdc, redmine, store and wiki replies"
+ counter accept comment "Fdc, redmine, slycpx, store and wiki replies"
add rule ip6 ifg-filter forward \
ct state established \
iifname $INTERNAL_IF ip6 saddr { $FDC_INTERNAL_IPV6, \
$STORE_INTERNAL_IPV6, \
+ $SLYCPX_INTERNAL_IPV6, \
$WIKI_INTERNAL_IPV6 } tcp sport http \
oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Fdc, store and wiki replies"
+ counter accept comment "Fdc, slycpx, store and wiki replies"
add rule ip ifg-filter forward \
ip protocol tcp \
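Review bot: The four LinuxONE/internal rules at L93-L104 accept every packet between the two interfaces with no `ip saddr`/`ip daddr` match and no `ct state`, whereas every other forward rule in this file pins at least the source network (L85, L108); without the address match a host on either segment can send traffic with addresses from the other segment unchallenged, so the rules should at least carry the network match as shown below and, if the two networks are meant to stay segmented, one direction should be reduced to `ct state established, related` with the initiating side limited to the services actually needed. The IPv6 "Internet access" rule at L88-L91 also lacks the `ip6 daddr != …` exclusion that its IPv4 twin carries at L86, so LinuxONE IPv6 traffic may reach perimeter hosts through the generic rule; `$PERIMETER_NET` itself is not defined in the definition hunks shown here, so check that it and an IPv6 counterpart exist in the definitions file. Separately, the rewritten mail-server rule at L105-L112 dropped the `ct state new, established` and `ip protocol tcp` lines that its sibling web rule keeps at L114-L115; `tcp sport`/`tcp dport` still imply TCP, but the state match should be restored, e.g. ` ct state new, established \` after L105. The ruleset continues outside this hunk.
```nft
add rule ip ifg-filter forward \
 iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET \
 oifname $INTERNAL_IF ip daddr $INTERNAL_IPV4_NETS \
 counter accept comment "LinuxONE internal communication"
add rule ip ifg-filter forward \
 iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
 oifname $LINUXONE_IF ip daddr $LINUXONE_IPV4_NET \
 counter accept comment "internal LinuxONE communication"
# … the ip6 pair mirrors these with $LINUXONE_IPV6_NET / $INTERNAL_IPV6_NET …
```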
counter accept comment "Git, mercurial and subversion directory server replies"
add rule ip ifg-filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $MX_PERIMETER_IPV4, \
+ $WS_PERIMETER_IPV4 } tcp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \
- counter accept comment "Webserver letsencrypt transfer requests"
+ counter accept comment "Mail- and webserver letsencrypt transfer requests"
add rule ip6 ifg-filter forward \
- iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip6 saddr { $MX_PERIMETER_IPV6, \
+ $WS_PERIMETER_IPV6 } tcp sport 1024-65535 \
oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \
- counter accept comment "Webserver letsencrypt transfer requests"
+ counter accept comment "Mail- and webserver letsencrypt transfer requests"
add rule ip ifg-filter forward \
ct state established \
iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Webserver letsencrypt transfer replies"
+ oifname $PERIMETER_IF ip daddr { $MX_PERIMETER_IPV4, \
+ $WS_PERIMETER_IPV4 } tcp dport 1024-65535 \
+ counter accept comment "Mail- and webserver letsencrypt transfer replies"
add rule ip6 ifg-filter forward \
ct state established \
iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \
- oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Webserver letsencrypt transfer replies"
+ oifname $PERIMETER_IF ip6 daddr { $MX_PERIMETER_IPV6, \
+ $WS_PERIMETER_IPV6 } tcp dport 1024-65535 \
+ counter accept comment "Mail- and webserver letsencrypt transfer replies"
add rule ip ifg-filter forward \
ip protocol icmp \
done
[ $CYCLES_WAITED -gt 0 ] && echo
-# wait for the three network connections to come up
+# wait for the four network connections to come up
CONNECTION_DEVICES_UP=$(nmcli --terse connection show \
| grep --invert-match ':$' | wc -l)
CYCLES_WAITED=0
-while [ $CONNECTION_DEVICES_UP -lt 3 ]
+while [ $CONNECTION_DEVICES_UP -lt 4 ]
do
if [ $CYCLES_WAITED -ge 10 ]
then
[ $CYCLES_WAITED -gt 0 ] && echo
CONNECTIONS=$(nmcli --terse connection show | wc -l)
-if [ $CONNECTIONS -ne 3 ]
+if [ $CONNECTIONS -ne 4 ]
then
- echo "Number of connections: $CONNECTIONS instead of 3" >&2
+ echo "Number of connections: $CONNECTIONS instead of 4" >&2
exit 1
fi
CONNECTION_DEVICE_IN="eth0"
-CONNECTION_DEVICE_PM="eth1"
+CONNECTION_DEVICE_L1="eth1"
+CONNECTION_DEVICE_PM="eth2"
CONNECTION_ID_IN="internal"
+CONNECTION_ID_L1="linuxone"
CONNECTION_ID_PM="perimeter"
CONNECTION_LINE_IN=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_IN}$")
+CONNECTION_LINE_L1=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_L1}$")
CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_PM}$")
CONNECTION_UUID_IN=$(echo $CONNECTION_LINE_IN | cut -f 2 -d ':')
+CONNECTION_UUID_L1=$(echo $CONNECTION_LINE_L1 | cut -f 2 -d ':')
CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
nmcli connection delete uuid "$CONNECTION_UUID_IN"
+nmcli connection delete uuid "$CONNECTION_UUID_L1"
nmcli connection delete uuid "$CONNECTION_UUID_PM"
nmcli connection add \
keep-configuration=no
EOF
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id $CONNECTION_ID_L1 \
+ connection.interface-name $CONNECTION_DEVICE_L1 \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "172.24.121.254/24" \
+ ipv4.method "manual" \
+ ipv6.addresses "2001:1aa1:000a:577d:000c:18ff:fe03:79fe/64" \
+ ipv6.method "manual" \
+ save yes
+
+cat <<EOF >/etc/NetworkManager/conf.d/${CONNECTION_DEVICE_PM}.conf
+[device]
+match-device=interface-name:$CONNECTION_DEVICE_PM
+allowed-connections=id:$CONNECTION_ID_PM
+keep-configuration=no
+EOF
+
nmcli connection add \
connection.autoconnect yes \
connection.id $CONNECTION_ID_PM \