Updated efg.pm (updated nftables, routing).
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 17 May 2021 13:52:11 +0000 (15:52 +0200)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 17 May 2021 13:52:11 +0000 (15:52 +0200)
sources/efg.pm/envvars
sources/efg.pm/firstboot/01_setupnetworking.sh
sources/efg.pm/firstboot/nftables.config
sources/efg.pm/postinstall/install/usr/local/bin/setuprouting.sh [new file with mode: 0755]

index 107ca3044d779d30f97b25903b6eae2ddbeb2b6b..b3b1ad603c527f78e5ff865bd945fb2061cd68b7 100644 (file)
@@ -2,4 +2,4 @@ DISTRIBUTION=Fedora
 DISTRIBUTION_VERSION=33
 ROOT_PACKAGES="hostname initscripts iproute rootfiles systemd-udev"
 BASE_PACKAGES="NetworkManager iputils logrotate rsyslog tar vim-minimal"
-SPEC_PACKAGES="ethtool nftables radvd tcpdump"
+SPEC_PACKAGES="cronie ethtool nftables radvd tcpdump"
index f809b4b8ceeb4226ba69e6238b76488b71362ba6..1cbe00593710c1cc47317c98dbfb79f2cd6445dc 100755 (executable)
@@ -66,8 +66,11 @@ nmcli connection add \
     ipv4.addresses "192.168.65.1/24, 188.6.255.10/30" \
     ipv4.gateway "188.6.255.9" \
     ipv4.method "manual" \
+    ipv4.route-table 150 \
+    ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \
     ipv6.method "auto" \
     save yes
+    # magyar telekom -> mt (13 * 10 + 20)
 
 nmcli connection show
 
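Review bot: The new comment `# magyar telekom -> mt (13 * 10 + 20)` is placed after `save yes` and indented like one more continuation argument of the nmcli command, so a reader has to verify that `save yes` carries no trailing backslash before being sure it is not passed to nmcli. Move it above `nmcli connection add \` and spell out what it decodes, e.g. `# ipv4.route-table 150: "mt" (Magyar Telekom), presumably m=13, t=20; the table is selected by /usr/local/bin/setuprouting.sh`. The nmcli command itself starts before the hunk.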
@@ -82,7 +85,9 @@ nmcli connection add \
     ipv6.addresses "2a02:d400:0000:f200:000c:18ff:fe03:8961/64" \
     ipv6.gateway "2a02:d400:0000:f200::1" \
     ipv6.method "manual" \
-
     save yes
 
 nmcli connection show
+
+echo "@reboot /usr/local/bin/setuprouting.sh" >>/etc/crontab
+/usr/local/bin/setuprouting.sh
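Review bot: The entry appended on the new line `echo "@reboot /usr/local/bin/setuprouting.sh" >>/etc/crontab` lacks the user field that the system crontab format requires, so cron will read the script path as the user name and the job never runs; write it as `echo "@reboot root /usr/local/bin/setuprouting.sh" >>/etc/crontab` or drop a file with the same line into /etc/cron.d/. Each run of this firstboot script appends the line again; prefixing it with `grep -qF setuprouting.sh /etc/crontab ||` keeps a single entry. If the installed NetworkManager is 1.20 or newer, the same source-based rules can be kept in the connection via the `ipv4.routing-rules` property, which would remove both the cron dependency and the separate script.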
index defad83a800b0b2cdaf38fdbd646ca1bc1e5e252..66e3758cd65a5b1d2fc0ba951c3d00530bc3c4e6 100644 (file)
@@ -38,18 +38,6 @@ define PUBLIC_ACE_IPV4_107           = 37.220.137.107
 define PUBLIC_ACE_ZFDL360E_IPV4      = 37.220.137.108
 define PUBLIC_ACE_ZFDL380E_IPV4      = 37.220.137.109
 define PUBLIC_TELEKOM_EFG_IPV4       = 188.6.255.10
-define PUBLIC_TELEKOM_MX_IPV4        = 194.149.40.147
-define PUBLIC_TELEKOM_NS_IPV4        = 194.149.40.148
-define PUBLIC_TELEKOM_VPN_IPV4       = 194.149.40.149
-define PUBLIC_TELEKOM_WS_IPV4        = 194.149.40.150
-define PUBLIC_TELEKOM_MINECRAFT_IPV4 = 194.149.40.151
-define PUBLIC_TELEKOM_IPV4_152       = 194.149.40.152
-define PUBLIC_TELEKOM_IPV4_153       = 194.149.40.153
-define PUBLIC_TELEKOM_IPV4_154       = 194.149.40.154
-define PUBLIC_TELEKOM_IPV4_155       = 194.149.40.155
-define PUBLIC_TELEKOM_IPV4_156       = 194.149.40.156
-define PUBLIC_TELEKOM_IPV4_157       = 194.149.40.157
-define PUBLIC_TELEKOM_DL380E_IPV4    = 194.149.40.158
 
 # efg address (perimeter network)
 define EFG_PERIMETER_IPV4 = 192.168.173.254
@@ -151,53 +139,28 @@ create chain ip6 efg_filter output { type filter hook output priority 0; policy
 add rule ip efg_nat prerouting \
     iifname $EXTERNAL_ACE_IF \
     ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
-    counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (ACE)"
-
-add rule ip efg_nat prerouting \
-    iifname $EXTERNAL_TELEKOM_IF \
-    ip daddr $PUBLIC_TELEKOM_VPN_IPV4 udp dport 1194 \
-    counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (TELEKOM)"
+    counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
 
 #add rule ip efg_nat prerouting \
 #    iifname $EXTERNAL_ACE_IF \
 #    ip daddr $PUBLIC_ACE_MX_IPV4 tcp dport $MX_PORTS \
 #    counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
 
-#add rule ip efg_nat prerouting \
-#    iifname $EXTERNAL_TELEKOM_IF \
-#    ip daddr $PUBLIC_TELEKOM_MX_IPV4 tcp dport $MX_PORTS \
-#    counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
-
 add rule ip efg_nat prerouting \
     iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
     ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
     counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
 
-add rule ip efg_nat prerouting \
-    iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
-    ip daddr $PUBLIC_TELEKOM_NS_IPV4 udp dport 53 \
-    counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
-
 add rule ip efg_nat prerouting \
     iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
     ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
     counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
 
-add rule ip efg_nat prerouting \
-    iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
-    ip daddr $PUBLIC_TELEKOM_NS_IPV4 tcp dport 53 \
-    counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
-
 add rule ip efg_nat prerouting \
     iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
     ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport $WS_PORTS \
     counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
 
-add rule ip efg_nat prerouting \
-    iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
-    ip daddr $PUBLIC_TELEKOM_WS_IPV4 tcp dport $WS_PORTS \
-    counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
-
 
 ################################
 # FILTER input rules
@@ -217,7 +180,7 @@ add rule ip6 efg_filter input \
 add rule ip efg_filter input \
     ip protocol icmp \
     counter accept comment "ICMP"
-add rule inet efg_filter input \
+add rule ip6 efg_filter input \
     icmpv6 type { destination-unreachable, \
                   echo-reply, \
                   echo-request, \
@@ -425,6 +388,23 @@ add rule ip efg_filter forward \
 add rule ip efg_filter forward \
     ip protocol icmp \
     counter accept comment "ICMP"
+add rule ip6 efg_filter forward \
+    icmpv6 type { destination-unreachable, \
+                  echo-reply, \
+                  echo-request, \
+                  mld-listener-done, \
+                  mld-listener-query, \
+                  mld-listener-report, \
+                  nd-redirect, \
+                  nd-router-solicit, \
+                  nd-router-advert, \
+                  nd-neighbor-solicit, \
+                  nd-neighbor-advert, \
+                  packet-too-big, \
+                  parameter-problem, \
+                  router-renumbering, \
+                  time-exceeded } \
+    counter accept comment "ICMPv6"
 
 add rule ip efg_filter forward \
     counter log prefix "FORWARD"
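Review bot: The new forward-chain ICMPv6 accept list includes `router-renumbering`, which RFC 4890 recommends firewalls do not pass in transit, and the nd-* and mld-* types, which are link-local and never cross a forwarding router, so they are dead entries in this chain. For the forward chain the set should be the transit types only, `destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply`, with the full list kept for the input and output chains. Like the IPv4 ICMP forward rule above it, the rule is not qualified by iifname, so whether echo-request is forwarded from the external interfaces is a policy choice it does not currently make; a comment such as `# transit ICMPv6 only (RFC 4890); link-local ND/MLD types are handled in input/output` would record the intent.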
@@ -451,7 +431,7 @@ add rule ip6 efg_filter output \
 add rule ip efg_filter output \
     ip protocol icmp \
     counter accept comment "ICMP"
-add rule inet efg_filter output \
+add rule ip6 efg_filter output \
     icmpv6 type { destination-unreachable, \
                   echo-reply, \
                   echo-request, \
@@ -481,15 +461,11 @@ add rule ip6 efg_filter output \
 
 add rule ip efg_nat postrouting \
     oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IPV4 \
-    counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic (ACE)"
-
-add rule ip efg_nat postrouting \
-    oifname $EXTERNAL_TELEKOM_IF ip saddr $VPN_INTERNAL_IPV4 \
-    counter snat $PUBLIC_TELEKOM_VPN_IPV4 comment "Outgoing VPN traffic (TELEKOM)"
+    counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic"
 
 add rule ip efg_nat postrouting \
     oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
-    counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic (ACE)"
+    counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic"
 
 add rule ip efg_nat postrouting \
     oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_IPV4_NETS \
@@ -497,32 +473,16 @@ add rule ip efg_nat postrouting \
 
 #add rule ip efg_nat postrouting \
 #    oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IPV4 \
-#    counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic (ACE)"
-
-#add rule ip efg_nat postrouting \
-#    oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IPV4 \
-#    counter snat $PUBLIC_TELEKOM_MX_IPV4 comment "Outgoing MX traffic (TELEKOM)"
+#    counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic"
 
 add rule ip efg_nat postrouting \
     oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IPV4 \
-    counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic (ACE)"
-
-add rule ip efg_nat postrouting \
-    oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IPV4 \
-    counter snat $PUBLIC_TELEKOM_NS_IPV4 comment "Outgoing external DNS traffic (TELEKOM)"
+    counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic"
 
 add rule ip efg_nat postrouting \
     oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IPV4 \
-    counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic (ACE)"
-
-add rule ip efg_nat postrouting \
-    oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IPV4 \
-    counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing perimeter DNS traffic (TELEKOM)"
+    counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic"
 
 add rule ip efg_nat postrouting \
     oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IPV4 \
-    counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic (ACE)"
-
-add rule ip efg_nat postrouting \
-    oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IPV4 \
-    counter snat $PUBLIC_TELEKOM_WS_IPV4 comment "Outgoing WS traffic (TELEKOM)"
+    counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic"
diff --git a/sources/efg.pm/postinstall/install/usr/local/bin/setuprouting.sh b/sources/efg.pm/postinstall/install/usr/local/bin/setuprouting.sh
new file mode 100755 (executable)
index 0000000..2ee62a3
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+ip rule add from 10.228.10.0/24 lookup 150
+ip rule add from 10.228.43.0/24 lookup 150
+ip rule add from 10.228.109.250/32 lookup 150
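Review bot: The three `ip rule add` lines are not idempotent: each run appends another copy of every rule, and the firstboot script runs this file once directly and again from cron at each reboot, so any repeated run within one boot stacks duplicate rules. Deleting the rule before adding it keeps a single instance. The table id 150 is duplicated from `ipv4.route-table 150` in firstboot/01_setupnetworking.sh and deserves a named variable, and the file has no header comment saying which table the rules select or where that table is populated.
```sh
#!/bin/sh
# Policy routing: traffic from the listed source networks is looked up in
# table 150, the table NetworkManager fills via "ipv4.route-table 150" in
# firstboot/01_setupnetworking.sh.  Run once at firstboot and from cron at @reboot.
TABLE=150

for src in 10.228.10.0/24 10.228.43.0/24 10.228.109.250/32; do
    # delete first so a repeated run within one boot does not stack duplicates
    ip rule del from "$src" lookup "$TABLE" 2>/dev/null
    ip rule add from "$src" lookup "$TABLE"
done
```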