Added ifg.usr.f29.
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 19 Nov 2018 10:21:05 +0000 (11:21 +0100)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 19 Nov 2018 10:21:05 +0000 (11:21 +0100)
24 files changed:
sources/ifg.usr.f29/config [new file with mode: 0644]
sources/ifg.usr.f29/envvars [new file with mode: 0644]
sources/ifg.usr.f29/firstboot/01_setupnetworking.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/02_settimezone.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/03_setupldap.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/10_iptables_reset.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/11_iptables_set_ifg_rules.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/12_iptables_log_dropped.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/13_iptables_save.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/99_cleanup.sh [new file with mode: 0755]
sources/ifg.usr.f29/firstboot/definitions [new file with mode: 0644]
sources/ifg.usr.f29/firstboot/traversal.txt [new file with mode: 0644]
sources/ifg.usr.f29/postinstall/01_setownership.sh [new file with mode: 0755]
sources/ifg.usr.f29/postinstall/02_setpermissions.sh [new file with mode: 0755]
sources/ifg.usr.f29/postinstall/03_installfiles.sh [new file with mode: 0755]
sources/ifg.usr.f29/postinstall/10_setupservices.sh [new file with mode: 0755]
sources/ifg.usr.f29/postinstall/99_cleanup.sh [new file with mode: 0755]
sources/ifg.usr.f29/postinstall/install/etc/hosts [new file with mode: 0644]
sources/ifg.usr.f29/postinstall/install/etc/resolv.conf [new file with mode: 0644]
sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network [new file with mode: 0644]
sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-eth0 [new file with mode: 0644]
sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-ifg [new file with mode: 0644]
sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/route-ifg [new file with mode: 0644]
sources/ifg.usr.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf [new file with mode: 0644]

diff --git a/sources/ifg.usr.f29/config b/sources/ifg.usr.f29/config
new file mode 100644 (file)
index 0000000..88a7c06
--- /dev/null
@@ -0,0 +1,24 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = ifg.usr.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = phys
+lxc.net.0.flags = up
+lxc.net.0.link = ifg
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.link = brh
+lxc.net.1.hwaddr = 02:0c:18:03:ad:01
+
+lxc.autodev = 1
+lxc.console.logfile = /tmp/ifg.console.log
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 2
+lxc.start.delay = 3
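Review bot: `lxc.console.logfile = /tmp/ifg.console.log` (L54) puts the container's console log under a predictable name in the host's world-writable /tmp, where any local host user can pre-create or symlink that path before the container starts and where tmp cleaning can remove it; the rest of this file keys everything off `__CONTAINER_PATH__` (presumably substituted by the build tooling), so a path next to the rootfs, e.g. `lxc.console.logfile = __CONTAINER_PATH__/console.log`, or one under /var/log/lxc/, keeps the log out of the shared directory. `lxc.mount.auto = proc:rw` gives the container a fully writable /proc; the only sysctl this commit needs is `net.ipv4.conf.all.forwarding` (01_ipforward.conf), so it is worth checking whether the more restrictive `proc:mixed` already covers that, and stating the reason for `rw` in a comment if it does not.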
diff --git a/sources/ifg.usr.f29/envvars b/sources/ifg.usr.f29/envvars
new file mode 100644 (file)
index 0000000..e6552b4
--- /dev/null
@@ -0,0 +1,4 @@
+#BASE_PACKAGES="NetworkManager initscripts openssh-server openssh-clients openssh-ldap rootfiles rsyslog sudo tar vim-minimal"
+#SPEC_PACKAGES="authselect iptables iptables-services openldap-clients nss-pam-ldapd pam_ssh passwd"
+BASE_PACKAGES="NetworkManager initscripts rootfiles rsyslog tar"
+SPEC_PACKAGES="iptables iptables-services"
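Review bot: The active `BASE_PACKAGES` drops openssh-server/openssh-clients and `SPEC_PACKAGES` drops the ldap and authselect packages that the two commented-out lines still list, but nothing says why: 11_iptables_set_ifg_rules.sh opens INPUT tcp/22 to this host and OUTPUT from source port 22 (L332-L341, L665-L674), and 03_setupldap.sh is disabled with a bare `exit 0`, so the three files disagree about whether ssh and LDAP are part of this profile. A comment above the commented-out lines, `# ssh/ldap/sudo deliberately left out of this profile; the ssh rules in 11_* and 03_setupldap.sh are kept for when they return`, or removal of the stale rules, would make the intent explicit.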
diff --git a/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh b/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh
new file mode 100755 (executable)
index 0000000..a0d3b96
--- /dev/null
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active NetworkManager.service
+    NM_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+
+CONNECTIONS=$(nmcli connection show | grep -v '^NAME' | wc -l)
+if [ $CONNECTIONS -ne 2 ]
+then
+    echo "Number of connections: $CONNECTIONS" >&2
+    exit 1
+fi
+
+CONNECTION_LINE_1=$(nmcli connection show \
+                        | grep -v '^NAME' | head -n 1)
+CONNECTION_LINE_2=$(nmcli connection show \
+                        | grep -v '^NAME' | tail -n 1)
+CONNECTION_TOKENS=$(echo $CONNECTION_LINE_1 | wc -w)
+#CONNECTION_NAME_POS=$(( $CONNECTION_TOKENS - 3 ))
+CONNECTION_UUID_POS=$(( $CONNECTION_TOKENS - 2 ))
+#CONNECTION_TYPE_POS=$(( $CONNECTION_TOKENS - 1 ))
+CONNECTION_DEVICE_POS=$CONNECTION_TOKENS
+#CONNECTION_NAME_1=$(echo $CONNECTION_LINE_1 \
+#                        | cut -f -$CONNECTION_NAME_POS -d ' ')
+CONNECTION_UUID_1=$(echo $CONNECTION_LINE_1 \
+                        | cut -f $CONNECTION_UUID_POS -d ' ')
+#CONNECTION_TYPE_1=$(echo $CONNECTION_LINE_1 \
+#                        | cut -f $CONNECTION_TYPE_POS -d ' ')
+CONNECTION_DEVICE_1=$(echo $CONNECTION_LINE_1 \
+                          | cut -f $CONNECTION_DEVICE_POS -d ' ')
+CONNECTION_TOKENS=$(echo $CONNECTION_LINE_2 | wc -w)
+#CONNECTION_NAME_POS=$(( $CONNECTION_TOKENS - 3 ))
+CONNECTION_UUID_POS=$(( $CONNECTION_TOKENS - 2 ))
+#CONNECTION_TYPE_POS=$(( $CONNECTION_TOKENS - 1 ))
+CONNECTION_DEVICE_POS=$CONNECTION_TOKENS
+#CONNECTION_NAME_2=$(echo $CONNECTION_LINE_2 \
+#                        | cut -f -$CONNECTION_NAME_POS -d ' ')
+CONNECTION_UUID_2=$(echo $CONNECTION_LINE_2 \
+                        | cut -f $CONNECTION_UUID_POS -d ' ')
+#CONNECTION_TYPE_2=$(echo $CONNECTION_LINE_2 \
+#                        | cut -f $CONNECTION_TYPE_POS -d ' ')
+CONNECTION_DEVICE_2=$(echo $CONNECTION_LINE_2 \
+                          | cut -f $CONNECTION_DEVICE_POS -d ' ')
+nmcli connection delete uuid "$CONNECTION_UUID_1"
+nmcli connection delete uuid "$CONNECTION_UUID_2"
+
+nmcli connection add \
+    type 802-3-ethernet \
+    ifname $CONNECTION_DEVICE_1 \
+    con-name internal \
+    autoconnect yes \
+    save yes \
+    ipv4.addresses "10.228.109.254/16, 192.168.42.254/24, 192.168.43.254/24" \
+    ipv4.dns "10.228.109.104, 10.228.109.253" \
+    ipv4.dns-search "usr.user.hu" \
+    ipv4.method "manual" \
+    ipv4.routes "172.16.223.0/24 10.228.109.236, 10.162.104.0/24 10.228.109.236"
+
+nmcli connection add \
+    type 802-3-ethernet \
+    ifname $CONNECTION_DEVICE_2 \
+    con-name perimeter \
+    autoconnect yes \
+    save yes \
+    ipv4.addresses "192.168.173.1/24" \
+    ipv4.gateway "192.168.173.254" \
+    ipv4.method "manual"
+
+nmcli connection show
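Review bot: The script gives the internal address set to whichever connection `nmcli connection show` prints first (head, L99-L100) and the perimeter set to the one printed last (tail, L101-L102); that print order is not a stable contract, and if it flips the 10.228.109.254 addresses land on eth0 while `firstboot/definitions` still names `ifg` as INTERNAL_IF, so the iptables rules in 11_* no longer describe the live addressing. The device names are already fixed by the ifcfg-ifg/ifcfg-eth0 files installed at postinstall time, so select by device instead of by position and read nmcli's terse field output rather than counting words of the human-readable table (L103-L128); the rewrite below does that for the delete step, and the two `ifname $CONNECTION_DEVICE_n` arguments become `ifname "$INTERNAL_DEV"` / `ifname "$PERIMETER_DEV"`. The `while` loop here (L82-L89) and the one in 02_settimezone.sh (L167-L178) wait forever if the unit never becomes active, so a bounded retry that exits non-zero would keep a broken first boot from hanging. `echo -n` under `#!/bin/sh` is not portable; `printf '%s' .` is.
```shell
# … unchanged: wait for NetworkManager.service to become active …
# … unchanged: connection count check …

# Device names are fixed by the ifcfg-ifg / ifcfg-eth0 files installed at
# postinstall time; pick the connections by device, not by list position.
INTERNAL_DEV=ifg
PERIMETER_DEV=eth0
for dev in "$INTERNAL_DEV" "$PERIMETER_DEV"; do
    nmcli -t -f UUID,DEVICE connection show \
        | awk -F: -v d="$dev" '$2 == d { print $1 }' \
        | while IFS= read -r uuid; do
              nmcli connection delete uuid "$uuid"
          done
done

# … unchanged: the two "nmcli connection add" blocks, now with
#     ifname "$INTERNAL_DEV"  (internal) and ifname "$PERIMETER_DEV"  (perimeter) …
```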
diff --git a/sources/ifg.usr.f29/firstboot/02_settimezone.sh b/sources/ifg.usr.f29/firstboot/02_settimezone.sh
new file mode 100755 (executable)
index 0000000..20b2a71
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+    if [ $WAITED -eq 0 ]
+    then
+        echo -n "Waiting for dbus.service"
+    fi
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active dbus.service
+    DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/ifg.usr.f29/firstboot/03_setupldap.sh b/sources/ifg.usr.f29/firstboot/03_setupldap.sh
new file mode 100755 (executable)
index 0000000..4b58626
--- /dev/null
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+
+exit 0
+authselect select sssd with-mkhomedir --force
+
+cat >>/etc/openldap/ldap.conf <<EOF
+BASE dc=user,dc=hu
+URI ldap://ldap.usr.user.hu
+EOF
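Review bot: The `exit 0` on L189 makes the rest of the file unreachable and nothing says whether that is deliberate; since `envvars` leaves out the ldap packages, a comment such as `# disabled: openldap-clients/nss-pam-ldapd are not installed in this profile (see envvars)` above it would stop the next reader from deleting the line. If this is ever re-enabled, the appended ldap.conf uses a plain `ldap://` URI, so NSS/PAM lookups would travel unencrypted; `ldaps://` (or STARTTLS with `TLS_CACERT`/`TLS_REQCERT` settings) belongs with it. `>>` also appends on every run, so a second execution would duplicate the BASE and URI lines.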
diff --git a/sources/ifg.usr.f29/firstboot/10_iptables_reset.sh b/sources/ifg.usr.f29/firstboot/10_iptables_reset.sh
new file mode 100755 (executable)
index 0000000..f63b04d
--- /dev/null
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+################################
+# definitions
+################################
+source $REAL_PATH/definitions
+
+
+################################
+# delete all user-defined chains of all tables
+$IPTABLES --table filter --delete-chain
+$IPTABLES --table nat    --delete-chain
+$IPTABLES --table mangle --delete-chain
+$IPTABLES --table raw    --delete-chain
+
+################################
+# flush all chains of all tables
+$IPTABLES --table filter --flush INPUT
+$IPTABLES --table filter --flush FORWARD
+$IPTABLES --table filter --flush OUTPUT
+$IPTABLES --table nat    --flush PREROUTING
+$IPTABLES --table nat    --flush INPUT
+$IPTABLES --table nat    --flush OUTPUT
+$IPTABLES --table nat    --flush POSTROUTING
+$IPTABLES --table mangle --flush PREROUTING
+$IPTABLES --table mangle --flush INPUT
+$IPTABLES --table mangle --flush FORWARD
+$IPTABLES --table mangle --flush OUTPUT
+$IPTABLES --table mangle --flush POSTROUTING
+$IPTABLES --table raw    --flush PREROUTING
+$IPTABLES --table raw    --flush OUTPUT
+
+################################
+# reset counters for all chains of all tables
+$IPTABLES --table filter --zero INPUT
+$IPTABLES --table filter --zero FORWARD
+$IPTABLES --table filter --zero OUTPUT
+$IPTABLES --table nat    --zero PREROUTING
+$IPTABLES --table nat    --zero INPUT
+$IPTABLES --table nat    --zero OUTPUT
+$IPTABLES --table nat    --zero POSTROUTING
+$IPTABLES --table mangle --zero PREROUTING
+$IPTABLES --table mangle --zero INPUT
+$IPTABLES --table mangle --zero FORWARD
+$IPTABLES --table mangle --zero OUTPUT
+$IPTABLES --table mangle --zero POSTROUTING
+$IPTABLES --table raw    --zero PREROUTING
+$IPTABLES --table raw    --zero OUTPUT
+
+################################
+# set the default policy for all chains of all tables
+$IPTABLES --table filter --policy INPUT       DROP
+$IPTABLES --table filter --policy FORWARD     DROP
+$IPTABLES --table filter --policy OUTPUT      DROP
+$IPTABLES --table nat    --policy PREROUTING  ACCEPT
+$IPTABLES --table nat    --policy INPUT       ACCEPT
+$IPTABLES --table nat    --policy OUTPUT      ACCEPT
+$IPTABLES --table nat    --policy POSTROUTING ACCEPT
+$IPTABLES --table mangle --policy PREROUTING  ACCEPT
+$IPTABLES --table mangle --policy INPUT       ACCEPT
+$IPTABLES --table mangle --policy FORWARD     ACCEPT
+$IPTABLES --table mangle --policy OUTPUT      ACCEPT
+$IPTABLES --table mangle --policy POSTROUTING ACCEPT
+$IPTABLES --table raw    --policy PREROUTING  ACCEPT
+$IPTABLES --table raw    --policy OUTPUT      ACCEPT
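Review bot: `--delete-chain` (L214-L217) runs before the `--flush` calls (L221-L234), but iptables only removes a user-defined chain that is empty and unreferenced, so if any custom chain holds rules at reset time these four commands fail and the chains survive; flush the whole table first (`--flush` with no chain argument clears user-defined chains too, which the per-chain flushes here do not), then `--delete-chain`. Setting the filter policies to DROP (L255-L257) is the last step, which leaves a window during the reset where the filter table has policy ACCEPT and no rules; moving those three policy lines to the top makes the reset fail closed. `source` on L209 is a bashism under `#!/bin/sh`; `. "$REAL_PATH/definitions"` is the portable form, and the same applies to L282 in 11_iptables_set_ifg_rules.sh. Nothing checks the exit status of any `$IPTABLES` call, so a failed command is silent; `set -e` after the shebang would at least stop the sequence at the first failure.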
diff --git a/sources/ifg.usr.f29/firstboot/11_iptables_set_ifg_rules.sh b/sources/ifg.usr.f29/firstboot/11_iptables_set_ifg_rules.sh
new file mode 100755 (executable)
index 0000000..e4c7734
--- /dev/null
@@ -0,0 +1,414 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+################################
+# definitions
+################################
+source $REAL_PATH/definitions
+
+
+################################
+# nat PREROUTING rules
+# dnat ssh, smtp, imap and rsync packets
+#     from the usr, sr and in networks
+#     to the perimeter service host
+$IPTABLES --table nat --append PREROUTING \
+          --match comment \
+          --comment "ssh, smtp, imap, rsync -> svc.pm" \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --destination $PUBLIC_IP_202 \
+          --match multiport \
+          --destination-ports 22,25,143,873 \
+          --jump DNAT --to-destination $SVC_PERIMETER_IP
+# dnat http and https packets
+#     from the usr, sr and in networks
+#     to the perimeter web server host
+$IPTABLES --table nat --append PREROUTING \
+          --match comment \
+          --comment "http(s) -> ws.pm" \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --destination $PUBLIC_IP_202 \
+          --match multiport \
+          --destination-ports 80,443 \
+          --jump DNAT --to-destination $WS_PERIMETER_IP
+
+################################
+# filter INPUT rules
+# allow dns packets
+#     from the internal svc host
+$IPTABLES --table filter --append INPUT \
+          --match comment \
+          --comment "dns replies <- svc" \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --protocol udp \
+          --in-interface $INTERNAL_IF \
+          --source $SVC_INTERNAL_IP \
+          --source-port 53 \
+          --destination $IFG_USR_IP \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# allow ssh packets
+#     from the usr, sr, in and vpn networks
+$IPTABLES --table filter --append INPUT \
+          --match comment \
+          --comment "ssh <- usr, sr, in, vpn networks" \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \
+          --source-port 1024:65535 \
+          --destination $IFG_USR_IP \
+          --destination-port 22 \
+          --jump ACCEPT
+# allow packets
+#     from the loopback address
+#     to the loopback address
+$IPTABLES --table filter --append INPUT \
+          --in-interface $LOOPBACK_IF \
+          --source $LOOPBACK_IP \
+          --destination $LOOPBACK_IP \
+          --jump ACCEPT
+# allow icmp packets
+#     from anywhere
+$IPTABLES --table filter --append INPUT \
+          --protocol icmp \
+          --jump ACCEPT
+
+################################
+# filter FORWARD rules
+# forward packets
+#     of established sessions
+#     to the usr, sr and in networks
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "established sessions -> internal networks" \
+          --match conntrack \
+          --ctstate ESTABLISHED,RELATED \
+          --in-interface $PERIMETER_IF \
+          --out-interface $INTERNAL_IF \
+          --destination ${USR_NET},${SR_NET},$IN_NET \
+          --jump ACCEPT
+# forward packets
+#     from the usr, sr and in networks
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "usr network -> internet" \
+          --in-interface $INTERNAL_IF \
+          --source $USR_NET \
+          --out-interface $PERIMETER_IF \
+          ! --destination $PERIMETER_NET \
+          --jump ACCEPT
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "sr network -> internet" \
+          --in-interface $INTERNAL_IF \
+          --source $SR_NET \
+          --out-interface $PERIMETER_IF \
+          ! --destination $PERIMETER_NET \
+          --jump ACCEPT
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "in network -> internet" \
+          --in-interface $INTERNAL_IF \
+          --source $IN_NET \
+          --out-interface $PERIMETER_IF \
+          ! --destination $PERIMETER_NET \
+          --jump ACCEPT
+# forward ssh, smtp, imap and rsync requests
+#     from the usr, sr and in networks
+#     to the perimeter service host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --out-interface $PERIMETER_IF \
+          --destination $SVC_PERIMETER_IP \
+          --match multiport \
+          --destination-ports 22,25,143,873 \
+          --jump ACCEPT
+# forward ssh, http and https requests
+#     from the usr, sr and in networks
+#     to the perimeter web server host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --out-interface $PERIMETER_IF \
+          --destination $WS_PERIMETER_IP \
+          --match multiport \
+          --destination-ports 22,80,443 \
+          --jump ACCEPT
+# forward ssh, http, https and rsync requests
+#     from the usr, sr and in networks
+#     to the perimeter subversion host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --out-interface $PERIMETER_IF \
+          --destination $SVN_PERIMETER_IP \
+          --match multiport \
+          --destination-ports 22,80,443,873 \
+          --jump ACCEPT
+# forward http requests
+#     from the perimeter web server host
+#     to the internal store host
+#$IPTABLES --table filter --append FORWARD \
+#          --protocol tcp \
+#          --in-interface $PERIMETER_IF \
+#          --source $WS_PERIMETER_IP \
+#          --source-port 1024:65535 \
+#          --out-interface $INTERNAL_IF \
+#          --destination $STORE_INTERNAL_IP \
+#          --destination-port 80 \
+#          --jump ACCEPT
+# forward http replies
+#     from the internal store host
+#     to the perimeter web server host
+#$IPTABLES --table filter --append FORWARD \
+#          --match conntrack \
+#          --ctstate ESTABLISHED \
+#          --protocol tcp \
+#          --in-interface $INTERNAL_IF \
+#          --source $STORE_INTERNAL_IP \
+#          --source-port 80 \
+#          --out-interface $PERIMETER_IF \
+#          --destination $WS_PERIMETER_IP \
+#          --destination-port 1024:65535 \
+#          --jump ACCEPT
+# forward dns zone notify messages
+#     from the internal primary name server host
+#     to the perimeter external/perimeter name server hosts
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "dns notify -> ens.pm, pns.pm" \
+          --match conntrack \
+          --ctstate NEW \
+          --protocol udp \
+          --in-interface $INTERNAL_IF \
+          --source $PNS_INTERNAL_IP \
+          --source-port 1024:65535 \
+          --out-interface $PERIMETER_IF \
+          --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
+          --destination-port 53 \
+          --jump ACCEPT
+# forward dns zone transfer requests
+#     from the perimeter external/perimeter name server hosts
+#     to the internal primary name server host
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "dns xfr -> ens.pm, pns.pm" \
+          --match conntrack \
+          --ctstate NEW \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
+          --source-port 1024:65535 \
+          --out-interface $INTERNAL_IF \
+          --destination $PNS_INTERNAL_IP \
+          --destination-port 53 \
+          --jump ACCEPT
+# forward dns zone transfer replies
+#     from the internal primary name server host
+#     to the perimeter external/perimeter name server hosts
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "dns xfr -> ens.pm, pns.pm" \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source $PNS_INTERNAL_IP \
+          --source-port 53 \
+          --out-interface $PERIMETER_IF \
+          --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# forward openvpn packets
+#     from the internet
+#     to the internal vpn host
+$IPTABLES --table filter --append FORWARD \
+          --protocol udp \
+          --in-interface $PERIMETER_IF \
+          ! --source $PERIMETER_NET \
+          --out-interface $INTERNAL_IF \
+          --destination $VPN_INTERNAL_IP \
+          --destination-port 1194 \
+          --jump ACCEPT
+# forward packets
+#     from the usr network
+#     to the sr, in, vpn and peep-bo networks
+$IPTABLES --table filter --append FORWARD \
+          --in-interface $INTERNAL_IF \
+          --source $USR_NET \
+          --out-interface $INTERNAL_IF \
+          --destination ${SR_NET},${IN_NET},${VPN_NET},$PEEP_BO_NET \
+          --jump ACCEPT
+# forward packets
+#     from the sr network
+#     to the usr, in and vpn networks
+$IPTABLES --table filter --append FORWARD \
+          --in-interface $INTERNAL_IF \
+          --source $SR_NET \
+          --out-interface $INTERNAL_IF \
+          --destination ${USR_NET},${IN_NET},$VPN_NET \
+          --jump ACCEPT
+# forward packets
+#     from the in network
+#     to the usr, sr and vpn networks
+$IPTABLES --table filter --append FORWARD \
+          --in-interface $INTERNAL_IF \
+          --source $IN_NET \
+          --out-interface $INTERNAL_IF \
+          --destination ${USR_NET},${SR_NET},$VPN_NET \
+          --jump ACCEPT
+# forward packets
+#     from the vpn network
+#     to the usr, sr and in networks
+$IPTABLES --table filter --append FORWARD \
+          --in-interface $INTERNAL_IF \
+          --source $VPN_NET \
+          --out-interface $INTERNAL_IF \
+          --destination ${USR_NET},${SR_NET},$IN_NET \
+          --jump ACCEPT
+# forward packets
+#     from the peep-bo network
+#     to the usr, sr and in networks
+$IPTABLES --table filter --append FORWARD \
+          --in-interface $INTERNAL_IF \
+          --source $PEEP_BO_NET \
+          --out-interface $INTERNAL_IF \
+          --destination ${USR_NET},${SR_NET},$IN_NET \
+          --jump ACCEPT
+# forward ssh packets
+#     from the usr, sr and in networks
+#     to the external firewall/gateway host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --out-interface $PERIMETER_IF \
+          --destination $EFG_PERIMETER_IP \
+          --destination-port 22 \
+          --jump ACCEPT
+# forward http requests
+#     from the perimeter web server
+#     to the dvredmine host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source $WS_PERIMETER_IP \
+          --out-interface $INTERNAL_IF \
+          --destination $DVREDMINE_INTERNAL_IP \
+          --destination-port 80 \
+          --jump ACCEPT
+# forward http replies
+#     from the dvredmine host
+#     to the perimeter web server
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source $DVREDMINE_INTERNAL_IP \
+          --source-port 80 \
+          --out-interface $PERIMETER_IF \
+          --destination $WS_PERIMETER_IP \
+          --jump ACCEPT
+# forward http requests
+#     from the perimeter web server
+#     to the minicrm host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source $WS_PERIMETER_IP \
+          --out-interface $INTERNAL_IF \
+          --destination $MINICRM_INTERNAL_IP \
+          --destination-port 8080 \
+          --jump ACCEPT
+# forward http replies
+#     from the minicrm host
+#     to the perimeter web server
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source $MINICRM_INTERNAL_IP \
+          --source-port 8080 \
+          --out-interface $PERIMETER_IF \
+          --destination $WS_PERIMETER_IP \
+          --jump ACCEPT
+# forward http requests
+#     from the perimeter web server
+#     to the workstation host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source $WS_PERIMETER_IP \
+          --out-interface $INTERNAL_IF \
+          --destination $WORKSHEET_SR_IP \
+          --destination-port 8079 \
+          --jump ACCEPT
+# forward http replies
+#     from the workstation host
+#     to the perimeter web server
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $INTERNAL_IF \
+          --source $WORKSHEET_SR_IP \
+          --source-port 8079 \
+          --out-interface $PERIMETER_IF \
+          --destination $WS_PERIMETER_IP \
+          --jump ACCEPT
+# forward icmp packets
+#     from anywhere
+#     to anywhere
+$IPTABLES --table filter --append FORWARD \
+          --protocol icmp \
+          --jump ACCEPT
+
+################################
+# filter OUTPUT rules
+# allow dns requests
+#     to the internal svc host
+$IPTABLES --table filter --append OUTPUT \
+          --match comment \
+          --comment "dns requests -> svc" \
+          --match conntrack \
+          --ctstate NEW \
+          --protocol udp \
+          --source $IFG_USR_IP \
+          --out-interface $INTERNAL_IF \
+          --destination $SVC_INTERNAL_IP \
+          --destination-port 53 \
+          --jump ACCEPT
+# allow ssh packets
+#     of established sessions
+#     to the usr, sr, in and vpn networks
+$IPTABLES --table filter --append OUTPUT \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --protocol tcp \
+          --source $IFG_USR_IP \
+          --source-port 22 \
+          --out-interface $INTERNAL_IF \
+          --destination ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# allow packets
+#     from the loopback address
+#     to the loopback address
+$IPTABLES --table filter --append OUTPUT \
+          --source $LOOPBACK_IP \
+          --out-interface $LOOPBACK_IF \
+          --destination $LOOPBACK_IP \
+          --jump ACCEPT
+# allow icmp packets
+#     to anywhere
+$IPTABLES --table filter --append OUTPUT \
+          --protocol icmp \
+          --jump ACCEPT
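Review bot: The three HTTP "reply" FORWARD rules at L588-L595, L610-L617 and L632-L639 match only `--source-port 80`/`8080`/`8079` from the internal host towards `$WS_PERIMETER_IP`, with no conntrack state and no destination port, so any packet those hosts emit with that source port is forwarded to the perimeter web server on any port, not just replies to its requests. The file's own dns xfr reply rule (L494-L506) shows the intended shape; add `--match conntrack \` and `--ctstate ESTABLISHED \` to each of the three, or replace all three with one internal-to-perimeter rule mirroring L361-L369 (`--in-interface $INTERNAL_IF --out-interface $PERIMETER_IF --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT`). The comment at L618-L620 says "workstation host" while the rule uses `$WORKSHEET_SR_IP`, whose definition calls it the worksheet address; one of the two names is wrong. The ICMP accepts at L352-L354, L643-L645 and L685-L687 take every type from anywhere with no rate limit; if that is intended, a one-line comment saying so would save the question.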
diff --git a/sources/ifg.usr.f29/firstboot/12_iptables_log_dropped.sh b/sources/ifg.usr.f29/firstboot/12_iptables_log_dropped.sh
new file mode 100755 (executable)
index 0000000..b419bf6
--- /dev/null
@@ -0,0 +1,29 @@
+#!/bin/sh
+#set -x
+
+################################
+# iptables command
+IPTABLES=/sbin/iptables
+
+################################
+# log packets reaching the default policy rules in the filter table
+$IPTABLES --table filter --append INPUT \
+          --in-interface ifg \
+          --jump LOG \
+          --log-prefix 'filter ifg INPUT: '
+$IPTABLES --table filter --append INPUT \
+          --in-interface eth0 \
+          --jump LOG \
+          --log-prefix 'filter eth0 INPUT: '
+$IPTABLES --table filter --append INPUT \
+          --jump LOG \
+          --log-level warning \
+          --log-prefix 'filter INPUT: '
+$IPTABLES --table filter --append FORWARD \
+          --jump LOG \
+          --log-level warning \
+          --log-prefix 'filter FORWARD: '
+$IPTABLES --table filter --append OUTPUT \
+          --jump LOG \
+          --log-level warning \
+          --log-prefix 'filter OUTPUT: '
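Review bot: The LOG rules carry no rate limit, and because the filter policy set by 10_iptables_reset.sh is DROP, every unsolicited packet on either interface becomes a syslog line, so a flood from the perimeter side (or one noisy internal host) turns into a log-volume problem on this gateway; `--match limit --limit 5/min --limit-burst 10` before `--jump LOG` on each rule bounds that. LOG is non-terminating, so a packet arriving on `ifg` is logged by the L702 rule and again by the catch-all at L710 (likewise `eth0` at L706); either drop the catch-all INPUT rule or drop the per-interface ones. The file hard-codes `IPTABLES=/sbin/iptables` and the interface names `ifg`/`eth0` instead of sourcing `definitions` as 10_* and 11_* do, so a change there would not reach these rules. The first two rules also lack the `--log-level warning` the other three carry.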
diff --git a/sources/ifg.usr.f29/firstboot/13_iptables_save.sh b/sources/ifg.usr.f29/firstboot/13_iptables_save.sh
new file mode 100755 (executable)
index 0000000..85932f3
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/sh
+#set -x
+
+/sbin/iptables-save >/etc/sysconfig/iptables
diff --git a/sources/ifg.usr.f29/firstboot/99_cleanup.sh b/sources/ifg.usr.f29/firstboot/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
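Review bot: The `echo` on L741 turns the cleanup into a print of `rm -Rf …`, so the firstboot directory — these scripts and `definitions` with the full address plan — stays on the container after first boot; postinstall/99_cleanup.sh (L976) has the same line. If the dry run is deliberate, say so in a comment (`# dry run: cleanup not yet enabled`); if not, drop the `echo` and guard the path, `rm -Rf -- "${REAL_PATH:?}"`, so an empty `REAL_PATH` (e.g. `realpath` missing) cannot expand to `rm -Rf` of the current directory. The 99_ prefix suggests this runs last; removing the directory the running script was loaded from is fine on Linux as long as nothing after it relies on `$0`.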
diff --git a/sources/ifg.usr.f29/firstboot/definitions b/sources/ifg.usr.f29/firstboot/definitions
new file mode 100644 (file)
index 0000000..400a1f4
--- /dev/null
@@ -0,0 +1,107 @@
+################################
+# iptables command
+################################
+IPTABLES=/sbin/iptables
+
+################################
+# interfaces
+################################
+
+# internal interface
+INTERNAL_IF=ifg
+
+# loopback interface
+LOOPBACK_IF=lo
+
+# perimeter interface
+PERIMETER_IF=eth0
+
+################################
+# addresses
+################################
+
+# loopback address
+LOOPBACK_IP=127.0.0.1
+
+# public addresses
+PUBLIC_IP_194=84.2.25.194
+PUBLIC_IP_195=84.2.25.195
+PUBLIC_IP_196=84.2.25.196
+PUBLIC_IP_197=84.2.25.197
+PUBLIC_IP_198=84.2.25.198
+PUBLIC_IP_199=84.2.25.199
+PUBLIC_IP_200=84.2.25.200
+PUBLIC_IP_201=84.2.25.201
+PUBLIC_IP_202=84.2.25.202
+PUBLIC_IP_203=84.2.25.203
+PUBLIC_IP_204=84.2.25.204
+PUBLIC_IP_205=84.2.25.205
+PUBLIC_IP_206=84.2.25.206
+
+# efg address (perimeter network)
+EFG_PERIMETER_IP=192.168.173.254
+
+# service address (perimeter network)
+SVC_PERIMETER_IP=192.168.173.253
+
+# transfer web server address (perimeter network)
+XFR_PERIMETER_IP=192.168.173.251
+
+# subversion address (perimeter network)
+SVN_PERIMETER_IP=192.168.173.250
+
+# web server address (perimeter network)
+WS_PERIMETER_IP=192.168.173.249
+
+# perimeter name server address (perimeter network)
+PNS_PERIMETER_IP=192.168.173.174
+
+# external name server address (perimeter network)
+ENS_PERIMETER_IP=192.168.173.64
+
+# ifg address (perimeter network)
+IFG_PERIMETER_IP=192.168.173.1
+
+# ifg addresses (internal network)
+IFG_USR_IP=10.228.109.254
+IFG_SR_IP=192.168.42.254
+IFG_IN_IP=192.168.43.254
+
+# dvredmine address (internal network)
+DVREDMINE_INTERNAL_IP=10.228.62.193
+
+# minicrm address (internal network)
+MINICRM_INTERNAL_IP=10.228.109.133
+
+# store address (internal network)
+STORE_INTERNAL_IP=10.228.109.250
+
+# service address (internal network)
+SVC_INTERNAL_IP=10.228.109.253
+
+# vpn address (internal network)
+VPN_INTERNAL_IP=10.228.109.236
+
+# primary name server address (internal network)
+PNS_INTERNAL_IP=10.228.109.174
+
+# worksheet address (internal network)
+WORKSHEET_SR_IP=192.168.42.248
+
+################################
+# networks
+################################
+
+# internal networks
+USR_NET=10.228.0.0/16
+SR_NET=192.168.42.0/24
+IN_NET=192.168.43.0/24
+
+# perimeter network
+PERIMETER_NET=192.168.173.0/24
+
+# vpn client network
+VPN_NET=172.16.223.0/24
+
+# peep-bo network
+PEEP_BO_NET=10.162.104.0/24
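Review bot: The file has no header saying who sources it (10_iptables_reset.sh and 11_iptables_set_ifg_rules.sh do) or that its addresses must agree with the copies hard-coded in 01_setupnetworking.sh and in the postinstall ifcfg-ifg/ifcfg-eth0/route-ifg files; 10.228.109.254, 192.168.173.1 and the VPN/peep-bo routes via 10.228.109.236 appear in both places with nothing tying them together, so an edit here silently drifts from the interface configuration. A comment at the top, `# Sourced by the 10_*/11_* iptables scripts. Keep in sync with 01_setupnetworking.sh and postinstall/install/etc/sysconfig/network-scripts/*`, would at least name the dependency. Of the thirteen PUBLIC_IP_* values only PUBLIC_IP_202 is referenced in this commit, and XFR_PERIMETER_IP, IFG_PERIMETER_IP, IFG_SR_IP, IFG_IN_IP and STORE_INTERNAL_IP are unused (the store rules in 11_* are commented out); marking them as reserved or removing them keeps the file from reading as a list of live rules.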
diff --git a/sources/ifg.usr.f29/firstboot/traversal.txt b/sources/ifg.usr.f29/firstboot/traversal.txt
new file mode 100644 (file)
index 0000000..97ebf2d
--- /dev/null
@@ -0,0 +1,53 @@
+###############################
+ chain traversal
+ for all tables
+###############################
+
+                   NETWORK
+                      |
+                ______v_____
+               /    raw     \
+               | PREROUTING |
+               \____________/
+                      |
+  ________      ______v_____
+ / mangle \    /   mangle   \
+ | INPUT  |<-  | PREROUTING |
+ \________/  | \____________/
+      |      |        |
+  ____v___   |  ______v_____
+ / filter \  | /    nat     \
+ | INPUT  |  | | PREROUTING |
+ \________/  | \____________/
+      |      |        |
+  ____v____  |    ____v___
+ |         | |   /        \
+ |  local  | |__/ routing  \__________
+ | process |    \ decision /          |
+ |_________|     \________/       ____v____
+      |                          / mangle  \
+   ___v____                      | FORWARD |
+  /        \                     \_________/
+ / routing  \                         |
+ \ decision /                     ____v____
+  \________/                     / filter  \
+      |                          | FORWARD |
+  ____v___        ________       \_________/
+ /  raw   \      /        \           |
+ | OUTPUT |     / routing  \          |
+ \________/   ->\ decision /<---------
+      |      |   \________/
+  ____v___   |        |
+ / mangle \  |  ______v______
+ | OUTPUT |  | /   mangle    \
+ \________/  | | POSTROUTING |
+      |      | \_____________/
+  ____v___   |        |
+ /  nat   \  |  ______v______
+ | OUTPUT |  | /     nat     \
+ \________/  | | POSTROUTING |
+      |      | \_____________/
+  ____v___   |        |
+ / filter \  |        v
+ | OUTPUT |--      NETWORK
+ \________/
diff --git a/sources/ifg.usr.f29/postinstall/01_setownership.sh b/sources/ifg.usr.f29/postinstall/01_setownership.sh
new file mode 100755 (executable)
index 0000000..f2e6b94
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
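Review bot: `root.root` on L923 is the legacy dotted owner/group form; GNU chown still accepts it but the documented separator is `:`, and the unquoted `$SOURCE_PATH/*` expands without dotfiles, so a top-level dotfile under install/ would keep whatever ownership the source tree gave it. `chown -R root:root -- "$SOURCE_PATH"` covers the whole tree, directory included, in one call. Ownership matters here because 03_installfiles.sh extracts this tree onto `/` as root with tar, which by default keeps the owner recorded in the archive.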
diff --git a/sources/ifg.usr.f29/postinstall/02_setpermissions.sh b/sources/ifg.usr.f29/postinstall/02_setpermissions.sh
new file mode 100755 (executable)
index 0000000..241386a
--- /dev/null
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
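Review bot: The script computes `SOURCE_PATH` on L933 and then ends, so it sets no permissions; either the chmod calls it is meant to hold are missing, or it is a placeholder and should say so (`# placeholder: modes are taken as committed, see 03_installfiles.sh`). Because the next step extracts the tree over `/` as root, the modes that land on /etc/resolv.conf, /etc/hosts and the ifcfg files are whatever git checked out (0644 per the file list), which is fine for these files but is worth stating here so a later secret-bearing file is not installed world-readable by default.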
diff --git a/sources/ifg.usr.f29/postinstall/03_installfiles.sh b/sources/ifg.usr.f29/postinstall/03_installfiles.sh
new file mode 100755 (executable)
index 0000000..f190caf
--- /dev/null
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+    --directory=$REAL_PATH \
+    --to-stdout \
+    install \
+    | tar --extract \
+          --backup \
+          --directory=/ \
+          --no-overwrite-dir \
+          --strip-components=1 \
+          --suffix=.orig
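Review bot: `--to-stdout` on L946 is an extraction option (write extracted members to stdout), not a create-side one, so the archive goes to tar's default archive target (commonly stdout on Linux builds, but that is a compile-time default or `$TAPE`); `--file=-` on the create side states the intent and does not depend on it. `--directory=$REAL_PATH` on L945 is unquoted, and it is the one argument that carries a filesystem path. Under `#!/bin/sh` without `set -e` the pipeline's status is the second tar's only and is never checked, so a failed extraction over `/` goes unnoticed by the postinstall sequence; `|| exit 1` after the pipeline is the minimum.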
diff --git a/sources/ifg.usr.f29/postinstall/10_setupservices.sh b/sources/ifg.usr.f29/postinstall/10_setupservices.sh
new file mode 100755 (executable)
index 0000000..80c2db2
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl enable iptables.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
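Review bot: `systemctl enable iptables.service` on L962 makes the unit load /etc/sysconfig/iptables at boot, but that file is only written by firstboot/13_iptables_save.sh, so the very first boot presumably runs with whatever ruleset the iptables-services package ships until the firstboot scripts have completed; if that window matters for this gateway, the ordering (package default → firstboot 10_/11_/12_ → 13_ save) should be documented here. None of the three `systemctl` calls checks its exit status; a failure of either `enable` is silent, which for `mask` is harmless but for the two enables is not, so `|| exit 1` on L962-L963 would make it visible.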
diff --git a/sources/ifg.usr.f29/postinstall/99_cleanup.sh b/sources/ifg.usr.f29/postinstall/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/hosts b/sources/ifg.usr.f29/postinstall/install/etc/hosts
new file mode 100644 (file)
index 0000000..98645cf
--- /dev/null
@@ -0,0 +1,6 @@
+127.0.0.1      localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1            localhost6.localdomain6 localhost6
+
+10.228.109.254 ifg.usr.user.hu ifg
+192.168.42.254 ifg.sr.user.hu
+192.168.43.254 ifg.in.user.hu
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/resolv.conf b/sources/ifg.usr.f29/postinstall/install/etc/resolv.conf
new file mode 100644 (file)
index 0000000..656e3f2
--- /dev/null
@@ -0,0 +1,4 @@
+nameserver 10.228.109.253
+nameserver 10.228.109.104
+domain usr.user.hu
+search usr.user.hu
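Review bot: `domain` (L995) and `search` (L996) are mutually exclusive per resolv.conf(5) and the last one wins, so the `domain` line is dead; keep only `search usr.user.hu`. The nameserver order here (253, then 104) also differs from `ipv4.dns "10.228.109.104, 10.228.109.253"` in 01_setupnetworking.sh (L139), so the two configurations prefer different resolvers. Since NetworkManager is in BASE_PACKAGES and 01_setupnetworking.sh sets `ipv4.dns`/`ipv4.dns-search`, NetworkManager will presumably regenerate /etc/resolv.conf at first boot and this installed copy only matters before that; a comment saying it is a bootstrap file would explain why it duplicates the nmcli settings.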
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network
new file mode 100644 (file)
index 0000000..5b2803b
--- /dev/null
@@ -0,0 +1 @@
+NOZEROCONF=yes
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-eth0 b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-eth0
new file mode 100644 (file)
index 0000000..d53531e
--- /dev/null
@@ -0,0 +1,16 @@
+NAME=eth0
+DEVICE=eth0
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR=192.168.173.1
+PREFIX=24
+DEFROUTE=yes
+GATEWAY=192.168.173.254
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
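Review bot: `IPV6INIT=yes`/`IPV6_AUTOCONF=yes` on L1018-L1019 enable SLAAC on the perimeter-facing interface, while every firewall rule in this commit is IPv4 (`/sbin/iptables` only; no ip6tables call anywhere), so if a router advertisement is reachable on the perimeter network the container gets a global IPv6 address with no IPv6 filtering set up by this commit. Unless ip6tables rules exist outside it, `IPV6INIT=no` on both ifcfg files (ifcfg-ifg carries the same settings at L1042-L1047) and `ipv6.method ignore` on the two `nmcli connection add` calls in 01_setupnetworking.sh, which set no IPv6 method at all, would keep the addressing consistent with the ruleset. `BOOTPROTO=static` on L1012 is the legacy spelling; ifcfg-ifg uses `none` (L1033), which is the documented value for manually addressed interfaces.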
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-ifg b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-ifg
new file mode 100644 (file)
index 0000000..b28e8ce
--- /dev/null
@@ -0,0 +1,19 @@
+NAME=ifg
+DEVICE=ifg
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=none
+IPADDR0=10.228.109.254
+PREFIX0=16
+IPADDR1=192.168.42.254
+PREFIX1=24
+IPADDR2=192.168.43.254
+PREFIX2=24
+DEFROUTE=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/route-ifg b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/route-ifg
new file mode 100644 (file)
index 0000000..9bc258f
--- /dev/null
@@ -0,0 +1,2 @@
+10.162.104.0/24 via 10.228.109.236
+172.16.223.0/24 via 10.228.109.236
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf b/sources/ifg.usr.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf
new file mode 100644 (file)
index 0000000..05b3f78
--- /dev/null
@@ -0,0 +1 @@
+net.ipv4.conf.all.forwarding = 1