Updated efg.pm.f30 (Switched to nftables and the new ip range).
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 30 Jul 2019 11:44:14 +0000 (13:44 +0200)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 30 Jul 2019 11:44:14 +0000 (13:44 +0200)
18 files changed:
sources/efg.pm.f30/config
sources/efg.pm.f30/firstboot/01_setupnetworking.sh
sources/efg.pm.f30/firstboot/10_iptables_reset.sh
sources/efg.pm.f30/firstboot/10_setupnftables.sh [new file with mode: 0755]
sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh
sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh
sources/efg.pm.f30/firstboot/13_iptables_save.sh
sources/efg.pm.f30/firstboot/nftables.config [new file with mode: 0644]
sources/efg.pm.f30/postinstall/01_setownership.sh
sources/efg.pm.f30/postinstall/02_setpermissions.sh
sources/efg.pm.f30/postinstall/10_setupservices.sh
sources/efg.pm.f30/postinstall/install/etc/iproute2/rt_tables [deleted file]
sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd [deleted file]
sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs [deleted file]
sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0 [deleted file]
sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/route-eth0 [deleted file]
sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/rule-eth0 [deleted file]
sources/efg.pm.f30/postinstall/install/etc/sysconfig/nftables.conf [new file with mode: 0644]

index 4a11c892c162a2a9b2a7bd0677734c74dcb6aa3a..1c80c0ab95cd2290696de87a66138da6bd466ccc 100644 (file)
@@ -12,11 +12,7 @@ lxc.net.0.hwaddr = 02:0c:18:03:ad:fe
 
 lxc.net.1.type = phys
 lxc.net.1.flags = up
-lxc.net.1.link = efgd
-
-lxc.net.2.type = phys
-lxc.net.2.flags = up
-lxc.net.2.link = efgs
+lxc.net.1.link = efg
 
 lxc.autodev = 1
 
index b173c0a9ada923c341c68e0f1b110919b308c909..2c140ad76fe0ec4a1236641a70f1652d13cf0eeb 100755 (executable)
@@ -17,16 +17,16 @@ done
 [ $WAITED -eq 1 ] && echo
 
 CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
-while [ $CONNECTION_DEVICES_UP -lt 3 ]
+#while [ $CONNECTION_DEVICES_UP -lt 2 ]
+while [ $CONNECTION_DEVICES_UP -lt 1 ]
 do
     sleep 1
     nmcli --terse connection show
     CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
 done
 
-DYNAMIC_DEVICE=efgd
-STATIC_DEVICE=efgs
-PM_DEVICE=eth0
+EXTERNAL_DEVICE=efg
+PERIMETER_DEVICE=eth0
 
 CONNECTIONS=$(nmcli --terse connection show | wc -l)
 while [ $CONNECTIONS -gt 0 ]
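Review bot: The commented-out `#while [ $CONNECTION_DEVICES_UP -lt 2 ]` left directly above the new loop header is dead text that only records an intermediate state of the edit; drop it, or replace it with a one-line comment explaining why a single active connection is enough here. The loop still has no upper bound, so a firstboot where `efg` never comes up spins here forever; the `WAITED` flag above suggests an earlier wait loop that could serve as the model for a bounded retry. `$CONNECTION_DEVICES_UP` is unquoted in the test, harmless for a `wc -l` count but `[ "$CONNECTION_DEVICES_UP" -lt 1 ]` is the safe form. The script continues beyond this hunk.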
@@ -42,7 +42,7 @@ nmcli connection show
 nmcli connection add \
     connection.autoconnect yes \
     connection.id perimeter \
-    connection.interface-name $PM_DEVICE \
+    connection.interface-name $PERIMETER_DEVICE \
     connection.type 802-3-ethernet \
     ipv4.addresses "192.168.173.254/24" \
     ipv4.dns "192.168.173.174" \
@@ -56,39 +56,11 @@ nmcli connection show
 nmcli connection add \
     connection.autoconnect yes \
     connection.id dynamic \
-    connection.interface-name $DYNAMIC_DEVICE \
+    connection.interface-name $EXTERNAL_DEVICE \
     connection.type 802-3-ethernet \
-    ipv4.addresses "192.168.65.1/24, 194.149.40.146/28" \
+    ipv4.addresses "192.168.65.1/24, 194.149.40.146/28, 194.149.40.147/28, 194.149.40.148/28, 194.149.40.149/28, 194.149.40.150/28" \
     ipv4.gateway "194.149.40.145" \
     ipv4.method "manual" \
     save yes
 
 nmcli connection show
-
-nmcli connection add \
-    connection.autoconnect yes \
-    connection.id static \
-    connection.interface-name $STATIC_DEVICE \
-    connection.type 802-3-ethernet \
-    ipv4.addresses "84.2.25.202/28, 192.168.210.1/24" \
-    ipv4.method "manual" \
-    save yes
-
-nmcli connection show
-
-ip rule add from 10.228.109.236 lookup static
-ip rule add from 10.228.109.253 lookup static
-ip rule add from 192.168.173.64 lookup static
-ip rule add from 192.168.173.174 lookup static
-ip rule add from 192.168.173.249 lookup static
-ip rule add from 192.168.173.252 lookup static
-ip rule add from 192.168.173.253 lookup static
-
-ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
-ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
-ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
-ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table static
-ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table static
-ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table static
-ip route add default via 194.149.40.145 dev efgd table dynamic
-ip route add default via 84.2.25.193 dev efgs table static
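Review bot: The removed `ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 ...` lines (and the matching ones for 192.168.42.0/24 and 192.168.43.0/24) were the only routes towards the internal networks, and nothing on the new side replaces them; the perimeter connection added in the earlier hunk sets only ipv4.addresses and ipv4.dns as far as that hunk shows. The new nftables rules forward and SNAT traffic for those networks and DNAT VPN traffic to 10.228.109.236, so without a route via 192.168.173.1 the reply packets cannot be delivered. If the routes are not configured elsewhere, add `ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1"` to the perimeter `nmcli connection add`. The extended `ipv4.addresses` list now puts five /28 aliases on `efg`, which is fine, but `$EXTERNAL_DEVICE` stays unquoted as `$DYNAMIC_DEVICE` was.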
index f63b04daff81a4d700442752e7fac0f534518fe7..1dc560065a35ddb477f07eb417ecaf7553a373f3 100755 (executable)
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 
 
 REAL_PATH=$(realpath $(dirname $0))
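Review bot: An `exit 0` directly under the shebang turns 10_iptables_reset.sh into a no-op but leaves it executable in firstboot next to 10_setupnftables.sh, and the same pattern is applied to 11_iptables_set_efg_rules.sh, 12_iptables_log_dropped.sh and 13_iptables_save.sh in the later hunks. The rest of this commit deletes obsolete files outright (rt_tables, the ifcfg and route/rule scripts), so deleting these four is the consistent choice; if they are kept for reference, a comment above the exit such as `# superseded by 10_setupnftables.sh; kept for reference only` tells the next reader why. Note that 13_iptables_save.sh would still overwrite /etc/sysconfig/iptables if the exit were ever removed.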
diff --git a/sources/efg.pm.f30/firstboot/10_setupnftables.sh b/sources/efg.pm.f30/firstboot/10_setupnftables.sh
new file mode 100755 (executable)
index 0000000..2a2bd5b
--- /dev/null
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -x
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+nft list ruleset
+nft list ruleset | grep ^table | sed 's/ {$//' | while read TABLE_SPEC
+do
+    nft flush $TABLE_SPEC
+    nft delete $TABLE_SPEC
+done
+#exit 0
+
+nft --echo --file $REAL_PATH/nftables.config
+nft list ruleset >/etc/nftables/efg.nft
+
+systemctl enable nftables.service
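Review bot: The script runs with `set -x` but no `set -e`, so if `nft --echo --file $REAL_PATH/nftables.config` fails to parse, the next line still saves whatever is currently loaded (possibly the empty ruleset the loop just produced) to /etc/nftables/efg.nft and enables nftables.service on it; add `set -e` after the shebang, or `nft -f "$REAL_PATH/nftables.config" || exit 1`. The flush/delete loop also leaves the container with no filter chains at all between the deletion and the load; a `flush ruleset` line at the top of nftables.config makes the swap a single `nft -f` transaction and replaces the loop entirely, so the `grep ^table | sed` parsing becomes unnecessary. `REAL_PATH=$(realpath $(dirname $0))` should quote its expansions, `REAL_PATH=$(realpath "$(dirname "$0")")`.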
index 93d1a8a88ab8a86bc129a2cea9b0a72fe15a320b..d1c9770f50d2d7489f6ac8645a2471d01f301257 100755 (executable)
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 #set -x
 
 
index 87311ad2fb6e2d9455a16717e2af9071c6dfea3b..6ae55fb4ceb8b8c6003aa9dedb07e8238be17c56 100755 (executable)
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 #set -x
 
 ################################
index 85932f38b14e2cde4c12b0be9d8aed9393899153..ff43dbdfa7d014cda0ce87b505ffc3ae44f08bf5 100755 (executable)
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 #set -x
 
 /sbin/iptables-save >/etc/sysconfig/iptables
diff --git a/sources/efg.pm.f30/firstboot/nftables.config b/sources/efg.pm.f30/firstboot/nftables.config
new file mode 100644 (file)
index 0000000..9d32595
--- /dev/null
@@ -0,0 +1,317 @@
+#!/usr/sbin/nft -f
+
+
+################################
+# interface definitions
+################################
+
+# external interface
+define EXTERNAL_IF = efg
+
+# loopback interface
+define LOOPBACK_IF = lo
+
+# perimeter interface
+define PERIMETER_IF = eth0
+
+################################
+# address definitions
+################################
+
+# loopback address
+define LOOPBACK_IP = 127.0.0.1
+
+# public addresses
+define PUBLIC_EFG_IP       = 194.149.40.146
+define PUBLIC_MX_IP        = 194.149.40.147
+define PUBLIC_NS_IP        = 194.149.40.148
+define PUBLIC_VPN_IP       = 194.149.40.149
+define PUBLIC_WS_IP        = 194.149.40.150
+define PUBLIC_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_IP_152       = 194.149.40.152
+define PUBLIC_IP_153       = 194.149.40.153
+define PUBLIC_IP_154       = 194.149.40.154
+define PUBLIC_IP_155       = 194.149.40.155
+define PUBLIC_IP_156       = 194.149.40.156
+define PUBLIC_IP_157       = 194.149.40.157
+define PUBLIC_DL380E_IP    = 194.149.40.158
+
+# efg address (perimeter network)
+define EFG_PERIMETER_IP = 192.168.173.254
+
+# transfer web server address (perimeter network)
+define XFR_PERIMETER_IP = 192.168.173.251
+
+# web server address (perimeter network)
+define WS_PERIMETER_IP = 192.168.173.249
+
+# perimeter name server address (perimeter network)
+define PNS_PERIMETER_IP = 192.168.173.174
+
+# external name server address (perimeter network)
+define ENS_PERIMETER_IP = 192.168.173.64
+
+# ifg address (perimeter network)
+define IFG_PERIMETER_IP = 192.168.173.1
+
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IP = 10.228.62.193
+
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IP = 10.228.109.133
+
+# store address (internal network)
+define STORE_INTERNAL_IP = 10.228.109.250
+
+# service address (internal network)
+define SVC_INTERNAL_IP = 10.228.109.253
+
+# vpn address (internal network)
+define VPN_INTERNAL_IP = 10.228.109.236
+
+# primary name server address (internal network)
+define PNS_INTERNAL_IP = 10.228.109.174
+
+# internal name server address (internal network)
+define INS_INTERNAL_IP = 10.228.109.104
+
+# worksheet address (internal network)
+define WORKSHEET_SR_IP = 192.168.42.248
+
+################################
+# network definitions
+################################
+
+# internal networks
+define USR_NET = 10.228.0.0/16
+define SR_NET = 192.168.42.0/24
+define IN_NET = 192.168.43.0/24
+define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+
+# perimeter network
+define PERIMETER_NET = 192.168.173.0/24
+
+# vpn client network
+define VPN_NET = 172.16.223.0/24
+
+# peep-bo network
+define PEEP_BO_NET = 10.162.104.0/24
+
+################################
+# port definitions
+################################
+
+#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define WS_PORTS = { 80, 443 }
+
+
+################################
+# reset nftables
+################################
+
+create table inet efg_filter
+create table ip efg_nat
+
+create chain inet efg_filter input { type filter hook input priority 0; policy drop; }
+create chain inet efg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain inet efg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip efg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+create chain ip efg_nat postrouting { type nat hook postrouting priority 0; policy accept; }
+
+
+################################
+# NAT prerouting rules
+################################
+
+add rule ip efg_nat prerouting \
+    ip protocol udp \
+    iifname $EXTERNAL_IF \
+    ip daddr $PUBLIC_VPN_IP udp dport 1194 \
+    counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic"
+
+#add rule ip efg_nat prerouting \
+#    ip protocol tcp \
+#    iifname $EXTERNAL_IF \
+#    ip daddr $PUBLIC_MX_IP tcp dport $MX_PORTS \
+#    counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+
+add rule ip efg_nat prerouting \
+    ip protocol udp \
+    iifname $EXTERNAL_IF udp sport 1024-65535 \
+    ip daddr $PUBLIC_NS_IP udp dport 53 \
+    counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+
+add rule ip efg_nat prerouting \
+    ip protocol tcp \
+    iifname $EXTERNAL_IF tcp sport 1024-65535 \
+    ip daddr $PUBLIC_NS_IP tcp dport 53 \
+    counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+
+add rule ip efg_nat prerouting \
+    ip protocol tcp \
+    iifname $EXTERNAL_IF tcp sport 1024-65535 \
+    ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+    counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+
+
+################################
+# FILTER input rules
+################################
+
+add rule inet efg_filter input \
+    ct state established \
+    ip protocol udp \
+    iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IP udp sport 53 \
+    ip daddr $EFG_PERIMETER_IP udp dport 1024-65535 \
+    counter accept comment "DNS replies"
+
+add rule inet efg_filter input \
+    ip protocol icmp \
+    counter accept comment "ICMP"
+
+add rule inet efg_filter input \
+    counter log prefix "INPUT"
+
+
+################################
+# FILTER forward rules
+################################
+
+add rule inet efg_filter forward \
+    ct state established, related \
+    iifname $EXTERNAL_IF \
+    oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+    counter accept comment "Established sessions"
+
+add rule inet efg_filter forward \
+    iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+    oifname $EXTERNAL_IF \
+    counter accept comment "Internet access"
+
+add rule inet efg_filter forward \
+    ip protocol udp \
+    iifname $EXTERNAL_IF \
+    oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+    counter accept comment "Incoming VPN traffic"
+
+add rule inet efg_filter forward \
+    ip protocol tcp \
+    iifname $EXTERNAL_IF tcp sport 1024-65535 \
+    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+    counter accept comment "Incoming http(s) requests"
+
+add rule inet efg_filter forward \
+    ip protocol udp \
+    iifname $EXTERNAL_IF udp sport 1024-65535 \
+    oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+    counter accept comment "Incoming DNS requests/notifications (udp)"
+
+add rule inet efg_filter forward \
+    ct state established, related \
+    ip protocol udp \
+    iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+    oifname $EXTERNAL_IF udp dport 1024-65535 \
+    counter accept comment "Outgoing DNS replies (udp)"
+
+add rule inet efg_filter forward \
+    ip protocol tcp \
+    iifname $EXTERNAL_IF tcp sport 1024-65535 \
+    oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+    counter accept comment "Incoming DNS requests (tcp)"
+
+add rule inet efg_filter forward \
+    ct state established, related \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+    oifname $EXTERNAL_IF tcp dport 1024-65535 \
+    counter accept comment "Outgoing DNS replies (tcp)"
+
+add rule inet efg_filter forward \
+    ip protocol udp \
+    iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+    oifname $EXTERNAL_IF udp dport 53 \
+    counter accept comment "Outgoing DNS requests/notifications (udp)"
+
+add rule inet efg_filter forward \
+    ct state established, related \
+    ip protocol udp \
+    iifname $EXTERNAL_IF udp sport 53 \
+    oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+    counter accept comment "Incoming DNS replies (udp)"
+
+add rule inet efg_filter forward \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+    oifname $EXTERNAL_IF tcp dport 53 \
+    counter accept comment "Outgoing DNS requests (tcp)"
+
+add rule inet efg_filter forward \
+    ct state established, related \
+    ip protocol tcp \
+    iifname $EXTERNAL_IF tcp sport 53 \
+    oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+    counter accept comment "Incoming DNS replies (tcp)"
+
+add rule inet efg_filter forward \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+    oifname $EXTERNAL_IF tcp dport $WS_PORTS \
+    counter accept comment "Outgoing let's encrypt requests"
+
+add rule inet efg_filter forward \
+    ct state established \
+    ip protocol tcp \
+    iifname $EXTERNAL_IF tcp sport $WS_PORTS \
+    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+    counter accept comment "Incoming let's encrypt replies"
+
+add rule inet efg_filter forward \
+    ip protocol icmp \
+    counter accept comment "ICMP"
+
+add rule inet efg_filter forward \
+    counter log prefix "FORWARD"
+
+
+################################
+# FILTER output rules
+################################
+
+add rule inet efg_filter output \
+    ct state new \
+    ip protocol udp \
+    ip saddr $EFG_PERIMETER_IP udp sport 1024-65535 \
+    oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IP udp dport 53 \
+    counter accept comment "DNS requests"
+
+add rule inet efg_filter output \
+    ip protocol icmp \
+    counter accept comment "ICMP"
+
+add rule inet efg_filter output \
+    counter log prefix "OUTPUT"
+
+
+################################
+# NAT postrouting rules
+################################
+
+add rule ip efg_nat postrouting \
+    oifname $EXTERNAL_IF ip saddr $VPN_INTERNAL_IP \
+    counter snat $PUBLIC_VPN_IP comment "Outgoing VPN traffic"
+
+add rule ip efg_nat postrouting \
+    oifname $EXTERNAL_IF ip saddr $INTERNAL_NETS \
+    counter snat $PUBLIC_EFG_IP comment "Outgoing internal traffic"
+
+#add rule ip efg_nat postrouting \
+#    oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IP \
+#    counter snat $PUBLIC_MX_IP comment "Outgoing MX traffic"
+
+add rule ip efg_nat postrouting \
+    oifname $EXTERNAL_IF ip saddr $EFG_PERIMETER_IP \
+    counter snat $PUBLIC_NS_IP comment "Outgoing external DNS traffic"
+
+add rule ip efg_nat postrouting \
+    oifname $EXTERNAL_IF ip saddr $WS_PERIMETER_IP \
+    counter snat $PUBLIC_WS_IP comment "Outgoing WS traffic"
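Review bot: `LOOPBACK_IF` and `LOOPBACK_IP` are defined near the top of the file but never used, and with `policy drop` on both the input and output chains every loopback packet is dropped and logged; unless nothing in this container talks to itself, add `add rule inet efg_filter input iifname $LOOPBACK_IF counter accept comment "Loopback"` plus the matching `oifname $LOOPBACK_IF` rule in the output chain, or remove the unused defines. The terminal `counter log prefix "INPUT"` / `"FORWARD"` / `"OUTPUT"` rules have no rate limit, so a flood of dropped packets goes straight to the kernel log; `limit rate 10/minute burst 20 packets` in front of `log` keeps that bounded. The file starts with `create table`, which errors if the table already exists; a `flush ruleset` first line lets `nft -f` replace the whole ruleset atomically and makes re-running the file idempotent.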
index 55901803eecf840ab38aabe7f6d9806733277b68..f2e6b94f8abd27b8fae0ec0fbfe2f4e9e9d9250c 100755 (executable)
@@ -5,5 +5,3 @@ REAL_PATH=$(dirname $(realpath $0))
 SOURCE_PATH=$REAL_PATH/install
 
 chown -R root.root $SOURCE_PATH/*
-
-chgrp ssh_keys $SOURCE_PATH/etc/ssh/*_key
index c8c018c5e2d6b66f4902a96c692806bc0e275747..241386a64107da58df7f18a6a0186df03ac340d5 100755 (executable)
@@ -3,6 +3,3 @@
 
 REAL_PATH=$(dirname $(realpath $0))
 SOURCE_PATH=$REAL_PATH/install
-
-chmod 400 $SOURCE_PATH/etc/ssh/*_key
-chmod 444 $SOURCE_PATH/etc/ssh/*.pub
index 80c2db2c3e49a7a81be6b8578962c5f58a93f91b..69dd107810024f742d40baca8c0c196e0ff292f3 100755 (executable)
@@ -1,7 +1,6 @@
 #!/bin/sh
 
 
-systemctl enable iptables.service
 systemctl enable NetworkManager-wait-online.service
 
 systemctl mask wpa_supplicant.service
diff --git a/sources/efg.pm.f30/postinstall/install/etc/iproute2/rt_tables b/sources/efg.pm.f30/postinstall/install/etc/iproute2/rt_tables
deleted file mode 100644 (file)
index 41d5b37..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# reserved values
-#
-255    local
-254    main
-253    default
-0      unspec
-#
-# local
-#
-#1     inr.ruhep
-65     dynamic
-210    static
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd
deleted file mode 100644 (file)
index 389bbbd..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-NAME=efgd
-DEVICE=efgd
-TYPE=Ethernet
-ONBOOT=yes
-BOOTPROTO=static
-IPADDR=192.168.65.1
-PREFIX=24
-GATEWAY=192.168.65.254
-DEFROUTE=yes
-IPV4_FAILURE_FATAL=no
-IPV6INIT=yes
-IPV6_AUTOCONF=yes
-IPV6_DEFROUTE=yes
-IPV6_PEERDNS=yes
-IPV6_PEERROUTES=yes
-IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs
deleted file mode 100644 (file)
index 9613b3e..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-NAME=efgs
-DEVICE=efgs
-TYPE=Ethernet
-ONBOOT=yes
-BOOTPROTO=static
-IPADDR0=84.2.25.202
-PREFIX0=28
-IPADDR1=192.168.210.1
-PREFIX1=24
-DEFROUTE=no
-IPV4_FAILURE_FATAL=no
-IPV6INIT=yes
-IPV6_AUTOCONF=yes
-IPV6_DEFROUTE=yes
-IPV6_PEERDNS=yes
-IPV6_PEERROUTES=yes
-IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0 b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0
deleted file mode 100644 (file)
index eaa509b..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-NAME=eth0
-DEVICE=eth0
-TYPE=Ethernet
-ONBOOT=yes
-BOOTPROTO=static
-IPADDR=192.168.173.254
-PREFIX=24
-DEFROUTE=no
-IPV4_FAILURE_FATAL=no
-IPV6INIT=yes
-IPV6_AUTOCONF=yes
-IPV6_DEFROUTE=yes
-IPV6_PEERDNS=yes
-IPV6_PEERROUTES=yes
-IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/route-eth0 b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/route-eth0
deleted file mode 100644 (file)
index f0f9015..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#10.228.0.0/16 via 192.168.173.1 dev eth0
-#192.168.42.0/24 via 192.168.173.1 dev eth0
-#192.168.43.0/24 via 192.168.173.1 dev eth0
-10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
-192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
-192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
-10.228.0.0/16 via 192.168.173.1 dev eth0 table static
-192.168.42.0/24 via 192.168.173.1 dev eth0 table static
-192.168.43.0/24 via 192.168.173.1 dev eth0 table static
-default via 192.168.65.254 dev efgd table dynamic
-default via 84.2.25.193 dev efgs table static
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/rule-eth0 b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/rule-eth0
deleted file mode 100644 (file)
index 31adc78..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-from 10.228.109.236 lookup static
-from 10.228.109.253 lookup static
-from 192.168.173.64 lookup static
-from 192.168.173.174 lookup static
-from 192.168.173.249 lookup static
-from 192.168.173.252 lookup static
-from 192.168.173.253 lookup static
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/nftables.conf b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/nftables.conf
new file mode 100644 (file)
index 0000000..b25a4e2
--- /dev/null
@@ -0,0 +1 @@
+include /etc/nftables/efg.nft
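Review bot: nft's config parser expects the include path as a quoted string, so this line should read `include "/etc/nftables/efg.nft"`; as written it is likely to fail to parse and make nftables.service fail at boot. The included file does not exist until 10_setupnftables.sh writes it at firstboot, so if the service starts before that or firstboot fails, the unit errors out on a missing file; a comment on the line, `# generated at firstboot by 10_setupnftables.sh`, makes that dependency visible.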