Added efg.pm.f29.
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 8 Jan 2019 10:46:54 +0000 (11:46 +0100)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 8 Jan 2019 10:46:54 +0000 (11:46 +0100)
31 files changed:
sources/cvmb.usr.f29/01_setupnetworking.sh [new file with mode: 0755]
sources/efg.pm.f29/config [new file with mode: 0644]
sources/efg.pm.f29/envvars [new file with mode: 0644]
sources/efg.pm.f29/firstboot/01_setupnetworking.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/02_ldap_setup.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/02_settimezone.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/10_iptables_reset.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/11_iptables_set_efg_rules.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/12_iptables_log_dropped.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/13_iptables_save.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/20_routing_setup.sh.old [new file with mode: 0755]
sources/efg.pm.f29/firstboot/99_cleanup.sh [new file with mode: 0755]
sources/efg.pm.f29/firstboot/definitions [new file with mode: 0644]
sources/efg.pm.f29/firstboot/traversal.txt [new file with mode: 0644]
sources/efg.pm.f29/postinstall/01_setownership.sh [new file with mode: 0755]
sources/efg.pm.f29/postinstall/02_setpermissions.sh [new file with mode: 0755]
sources/efg.pm.f29/postinstall/03_installfiles.sh [new file with mode: 0755]
sources/efg.pm.f29/postinstall/10_setupservices.sh [new file with mode: 0755]
sources/efg.pm.f29/postinstall/99_cleanup.sh [new file with mode: 0755]
sources/efg.pm.f29/postinstall/install/etc/hosts [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/iproute2/rt_tables [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/resolv.conf [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0 [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/route-eth0 [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/rule-eth0 [new file with mode: 0644]
sources/efg.pm.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf [new file with mode: 0644]
sources/ifg.usr.f29/envvars
sources/ifg.usr.f29/firstboot/01_setupnetworking.sh
sources/ws.pm.f29/envvars

diff --git a/sources/cvmb.usr.f29/01_setupnetworking.sh b/sources/cvmb.usr.f29/01_setupnetworking.sh
new file mode 100755 (executable)
index 0000000..df80106
--- /dev/null
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+
+CONNECTION_LINE=$(nmcli --terse connection show | grep '^internal:')
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+
+USR_DEVICE=internal
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id internal \
+    connection.interface-name $USR_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "10.228.92.52/16" \
+    ipv4.dns "10.228.109.104, 10.228.109.253" \
+    ipv4.dns-search "usr.user.hu" \
+    ipv4.gateway "10.228.109.254" \
+    ipv4.method "manual" \
+    ipv6.method "ignore" \
+    save yes
+
+nmcli connection show
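Review bot: `CONNECTION_UUID` is empty whenever no connection named `internal` exists (the `grep` at L47 matches nothing), so `nmcli connection delete uuid ""` at L52 fails and only prints an error; guard it with `[ -n "$CONNECTION_UUID" ] && nmcli connection delete uuid "$CONNECTION_UUID"`. `echo $CONNECTION_LINE` at L48 is unquoted, so if more than one line ever matched, the lines would be joined and the second `cut` field would be garbage — presumably only one `internal` profile exists, but quoting the expansion costs nothing. `$USR_DEVICE` at L57 is also unquoted while every other value in the same `nmcli connection add` call is quoted.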
diff --git a/sources/efg.pm.f29/config b/sources/efg.pm.f29/config
new file mode 100644 (file)
index 0000000..4a11c89
--- /dev/null
@@ -0,0 +1,27 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = efg.pm.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = brh
+lxc.net.0.hwaddr = 02:0c:18:03:ad:fe
+
+lxc.net.1.type = phys
+lxc.net.1.flags = up
+lxc.net.1.link = efgd
+
+lxc.net.2.type = phys
+lxc.net.2.flags = up
+lxc.net.2.link = efgs
+
+lxc.autodev = 1
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 1
+lxc.start.delay = 3
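Review bot: `lxc.mount.auto = proc:rw sys:ro` at L78 replaces whatever `proc:` mode the included `common.conf` sets (presumably a more restrictive `proc:mixed`), and nothing in the file says why; a read-write /proc is what lets the container apply its own `net.ipv4.ip_forward` sysctl (the `sysctl.d/01_ipforward.conf` this commit installs at L34), so that dependency is worth recording: `# proc:rw so the container can set net.ipv4.ip_forward itself (sysctl.d/01_ipforward.conf)`. The two `phys` interfaces at L85–L91 move the host NICs `efgd` and `efgs` into the container for its lifetime; a one-line comment naming which one is the dynamic and which the static uplink would save the reader a trip to `firstboot/definitions`.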
diff --git a/sources/efg.pm.f29/envvars b/sources/efg.pm.f29/envvars
new file mode 100644 (file)
index 0000000..ca29584
--- /dev/null
@@ -0,0 +1,2 @@
+BASE_PACKAGES="NetworkManager NetworkManager-dispatcher-routing-rules hostname initscripts iproute iputils rootfiles rsyslog tar vim-minimal"
+SPEC_PACKAGES="authselect iptables iptables-services"
diff --git a/sources/efg.pm.f29/firstboot/01_setupnetworking.sh b/sources/efg.pm.f29/firstboot/01_setupnetworking.sh
new file mode 100755 (executable)
index 0000000..f1c81e4
--- /dev/null
@@ -0,0 +1,105 @@
+#!/bin/sh
+set -x
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active NetworkManager.service
+    NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+while [ $CONNECTION_DEVICES_UP -lt 3 ]
+do
+    sleep 1
+    nmcli --terse connection show
+    CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+done
+
+DYNAMIC_DEVICE=efgd
+STATIC_DEVICE=efgs
+PM_DEVICE=eth0
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -gt 0 ]
+do
+    CONNECTION_LINE=$(nmcli --terse connection show | head -n 1)
+    CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+    nmcli connection delete uuid "$CONNECTION_UUID"
+    CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+#CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${PM_DEVICE}$")
+#CONNECTION_LINE_DYNAMIC=$(nmcli --terse connection show | grep ":${DYNAMIC_DEVICE}$")
+#CONNECTION_LINE_STATIC=$(nmcli --terse connection show | grep ":${STATIC_DEVICE}$")
+#CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
+#CONNECTION_UUID_DYNAMIC=$(echo $CONNECTION_LINE_DYNAMIC | cut -f 2 -d ':')
+#CONNECTION_UUID_STATIC=$(echo $CONNECTION_LINE_STATIC | cut -f 2 -d ':')
+
+#nmcli connection delete uuid "$CONNECTION_UUID_PM"
+#nmcli connection delete uuid "$CONNECTION_UUID_DYNAMIC"
+#nmcli connection delete uuid "$CONNECTION_UUID_STATIC"
+
+nmcli connection show
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id perimeter \
+    connection.interface-name $PM_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "192.168.173.254/24" \
+    ipv4.dns "192.168.173.174" \
+    ipv4.dns-search "pm.user.hu" \
+    ipv4.method "manual" \
+    ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \
+    save yes
+
+nmcli connection show
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id dynamic \
+    connection.interface-name $DYNAMIC_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "192.168.65.1/24" \
+    ipv4.gateway "192.168.65.254" \
+    ipv4.method "manual" \
+    save yes
+
+nmcli connection show
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id static \
+    connection.interface-name $STATIC_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "84.2.25.202/28, 192.168.210.1/24" \
+    ipv4.method "manual" \
+    save yes
+
+nmcli connection show
+
+ip rule add from 10.228.109.236 lookup static
+ip rule add from 10.228.109.253 lookup static
+ip rule add from 192.168.173.64 lookup static
+ip rule add from 192.168.173.174 lookup static
+ip rule add from 192.168.173.249 lookup static
+ip rule add from 192.168.173.252 lookup static
+ip rule add from 192.168.173.253 lookup static
+
+ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
+ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
+ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
+ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table static
+ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table static
+ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table static
+ip route add default via 192.168.65.254 dev efgd table dynamic
+ip route add default via 84.2.25.193 dev efgs table static
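Review bot: The `ip rule add` / `ip route add` commands at L201–L216 run immediately after the three `nmcli connection add` calls (L164–L197), but `nmcli connection add ... autoconnect yes` activates asynchronously, so if a device is not yet up when L209 runs the `via` gateway is unreachable and `ip route add` fails — nothing here checks for that. Before L201, wait for activation, e.g. `nmcli --wait 30 connection up perimeter` (and likewise for `dynamic` and `static`), or let the `route-eth0` / `rule-eth0` files this commit installs (L32–L33) carry the routes so they survive a reboot — as written, the `ip rule`/`ip route` state at L201–L216 is not persisted by this script. The `table dynamic` / `table static` names also depend on the `rt_tables` file installed at L27 being present before firstboot. The deletion loop at L143–L149 and the wait loops at L120–L127 and L131–L136 have no upper bound; a stuck NetworkManager makes the firstboot hang silently.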
diff --git a/sources/efg.pm.f29/firstboot/02_ldap_setup.sh b/sources/efg.pm.f29/firstboot/02_ldap_setup.sh
new file mode 100755 (executable)
index 0000000..5cb0824
--- /dev/null
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+
+exit 0
+REAL_PATH=$(realpath $(dirname $0))
+
+
+authconfig --enableldap \
+           --enableldapauth \
+           --ldapserver=ldap.usr.user.hu \
+           --ldapbasedn="dc=user,dc=hu" \
+           --enablemkhomedir \
+           --update
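Review bot: The unconditional `exit 0` at L225 makes L226–L234 unreachable with no comment saying why; the package list at L106 installs `authselect`, not `authconfig`, so the call would presumably fail anyway — record that: `# disabled: authconfig is not installed in f29 (SPEC_PACKAGES pulls authselect); kept for reference`. If this block is ever re-enabled, note that it turns on LDAP authentication without `--enableldaptls`, so bind credentials would cross the network in cleartext; add `--enableldaptls \` to the call or state the requirement in the comment. `REAL_PATH` at L226 is assigned and never used.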
diff --git a/sources/efg.pm.f29/firstboot/02_settimezone.sh b/sources/efg.pm.f29/firstboot/02_settimezone.sh
new file mode 100755 (executable)
index 0000000..20b2a71
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+    if [ $WAITED -eq 0 ]
+    then
+        echo -n "Waiting for dbus.service"
+    fi
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active dbus.service
+    DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
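Review bot: The wait loop at L247–L258 never gives up, so a dbus that does not come up stalls the whole firstboot sequence with only dots on the console; a bounded wait would let the script fail loudly instead, e.g. count iterations and after a limit `echo "dbus.service not active, giving up" >&2; exit 1`. The same unbounded shape appears in `01_setupnetworking.sh` at L120–L127 waiting for NetworkManager. `echo -n` at L251 and L253 is not POSIX and prints a literal `-n` under a dash-style `/bin/sh`; `printf '%s' .` is the portable form (Fedora's `/bin/sh` is bash, so it works today).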
diff --git a/sources/efg.pm.f29/firstboot/10_iptables_reset.sh b/sources/efg.pm.f29/firstboot/10_iptables_reset.sh
new file mode 100755 (executable)
index 0000000..f63b04d
--- /dev/null
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+################################
+# definitions
+################################
+source $REAL_PATH/definitions
+
+
+################################
+# delete all user-defined chains of all tables
+$IPTABLES --table filter --delete-chain
+$IPTABLES --table nat    --delete-chain
+$IPTABLES --table mangle --delete-chain
+$IPTABLES --table raw    --delete-chain
+
+################################
+# flush all chains of all tables
+$IPTABLES --table filter --flush INPUT
+$IPTABLES --table filter --flush FORWARD
+$IPTABLES --table filter --flush OUTPUT
+$IPTABLES --table nat    --flush PREROUTING
+$IPTABLES --table nat    --flush INPUT
+$IPTABLES --table nat    --flush OUTPUT
+$IPTABLES --table nat    --flush POSTROUTING
+$IPTABLES --table mangle --flush PREROUTING
+$IPTABLES --table mangle --flush INPUT
+$IPTABLES --table mangle --flush FORWARD
+$IPTABLES --table mangle --flush OUTPUT
+$IPTABLES --table mangle --flush POSTROUTING
+$IPTABLES --table raw    --flush PREROUTING
+$IPTABLES --table raw    --flush OUTPUT
+
+################################
+# reset counters for all chains of all tables
+$IPTABLES --table filter --zero INPUT
+$IPTABLES --table filter --zero FORWARD
+$IPTABLES --table filter --zero OUTPUT
+$IPTABLES --table nat    --zero PREROUTING
+$IPTABLES --table nat    --zero INPUT
+$IPTABLES --table nat    --zero OUTPUT
+$IPTABLES --table nat    --zero POSTROUTING
+$IPTABLES --table mangle --zero PREROUTING
+$IPTABLES --table mangle --zero INPUT
+$IPTABLES --table mangle --zero FORWARD
+$IPTABLES --table mangle --zero OUTPUT
+$IPTABLES --table mangle --zero POSTROUTING
+$IPTABLES --table raw    --zero PREROUTING
+$IPTABLES --table raw    --zero OUTPUT
+
+################################
+# set the default policy for all chains of all tables
+$IPTABLES --table filter --policy INPUT       DROP
+$IPTABLES --table filter --policy FORWARD     DROP
+$IPTABLES --table filter --policy OUTPUT      DROP
+$IPTABLES --table nat    --policy PREROUTING  ACCEPT
+$IPTABLES --table nat    --policy INPUT       ACCEPT
+$IPTABLES --table nat    --policy OUTPUT      ACCEPT
+$IPTABLES --table nat    --policy POSTROUTING ACCEPT
+$IPTABLES --table mangle --policy PREROUTING  ACCEPT
+$IPTABLES --table mangle --policy INPUT       ACCEPT
+$IPTABLES --table mangle --policy FORWARD     ACCEPT
+$IPTABLES --table mangle --policy OUTPUT      ACCEPT
+$IPTABLES --table mangle --policy POSTROUTING ACCEPT
+$IPTABLES --table raw    --policy PREROUTING  ACCEPT
+$IPTABLES --table raw    --policy OUTPUT      ACCEPT
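Review bot: `--delete-chain` at L279–L282 runs before the `--flush` calls at L286–L299; per the iptables man page a user-defined chain can only be deleted when it is empty and unreferenced, so any chain that still holds rules survives this "reset" and keeps its rules. Swap the two sections: flush every chain first, then delete the user-defined chains. `source $REAL_PATH/definitions` at L274 is a bashism under `#!/bin/sh` and leaves the path unquoted; `. "$REAL_PATH/definitions"` is the portable form — the same pattern is at L348 and L920.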
diff --git a/sources/efg.pm.f29/firstboot/11_iptables_set_efg_rules.sh b/sources/efg.pm.f29/firstboot/11_iptables_set_efg_rules.sh
new file mode 100755 (executable)
index 0000000..ad6a36f
--- /dev/null
@@ -0,0 +1,539 @@
+#!/bin/sh
+#set -x
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+################################
+# definitions
+################################
+source $REAL_PATH/definitions
+
+
+################################
+# nat PREROUTING rules
+# dnat openvpn packets
+#     from the internet
+#     to the internal vpn host
+$IPTABLES --table nat --append PREROUTING \
+          --match comment \
+          --comment "openvpn -> internal vpn host" \
+          --protocol udp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --destination $PUBLIC_IP_202 \
+          --destination-port 1194 \
+          --jump DNAT --to-destination $VPN_INTERNAL_IP
+# dnat smtp packets
+#     from the internet
+#     to the perimeter svc host
+$IPTABLES --table nat --append PREROUTING \
+          --match comment \
+          --comment "smtp -> perimeter service host" \
+          --protocol tcp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --destination $PUBLIC_IP_202 \
+          --destination-port 25 \
+          --jump DNAT --to-destination $SVC_PERIMETER_IP
+# dnat dns packets
+#     from the internet
+#     to the perimeter external name server host
+$IPTABLES --table nat --append PREROUTING \
+          --match comment \
+          --comment "dns (udp) -> perimeter name server host" \
+          --protocol udp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --destination $PUBLIC_IP_202 \
+          --destination-port 53 \
+          --jump DNAT --to-destination $ENS_PERIMETER_IP
+# dnat dns packets
+#     from the internet
+#     to the perimeter external name server host
+$IPTABLES --table nat --append PREROUTING \
+          --match comment \
+          --comment "dns (tcp) -> perimeter name server host" \
+          --protocol tcp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --destination $PUBLIC_IP_202 \
+          --destination-port 53 \
+          --jump DNAT --to-destination $ENS_PERIMETER_IP
+# dnat http and https packets
+#     from the internet
+#     to the perimeter web server host
+$IPTABLES --table nat --append PREROUTING \
+          --match comment \
+          --comment "http, https -> perimeter www host" \
+          --protocol tcp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --destination $PUBLIC_IP_202 \
+          --match multiport \
+          --destination-ports 80,443 \
+          --jump DNAT --to-destination $WS_PERIMETER_IP
+## dnat http and https packets
+##     from the internet
+##     to the perimeter whmcs host
+#$IPTABLES --table nat --append PREROUTING \
+#          --match comment \
+#          --comment "http, https -> perimeter whmcs host" \
+#          --protocol tcp \
+#          --in-interface $EXTERNAL_IF_194 \
+#          --destination $PUBLIC_IP \
+#          --match multiport \
+#          --destination-ports 80,443 \
+#          --jump DNAT --to-destination $WHMCS_PERIMETER_IP
+
+################################
+# filter INPUT rules
+# allow dns replies
+#     from the perimeter ns host
+$IPTABLES --table filter --append INPUT \
+          --match comment \
+          --comment "dns replies <- pns.pm" \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --protocol udp \
+          --in-interface $PERIMETER_IF \
+          --source $PNS_PERIMETER_IP \
+          --source-port 53 \
+          --destination $EFG_PERIMETER_IP \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# allow ssh packets
+#     from the usr, sr and in networks
+$IPTABLES --table filter --append INPUT \
+          --match comment \
+          --comment "ssh from the usr, sr and in networks" \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --source-port 1024:65535 \
+          --destination $EFG_PERIMETER_IP \
+          --destination-port 22 \
+          --jump ACCEPT
+# allow icmp packets
+#     from anywhere
+$IPTABLES --table filter --append INPUT \
+          --protocol icmp \
+          --jump ACCEPT
+# allow packets
+#     from the loopback address
+#     to the loopback address
+$IPTABLES --table filter --append INPUT \
+          --in-interface $LOOPBACK_IF \
+          --source $LOOPBACK_IP \
+          --destination $LOOPBACK_IP \
+          --jump ACCEPT
+
+################################
+# filter FORWARD rules
+# forward packets
+#     of established sessions
+#     from the internet
+#     to the usr, sr and in networks
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "established sessions to the usr, sr and in networks" \
+          --match conntrack \
+          --ctstate ESTABLISHED,RELATED \
+          --in-interface ${EXTERNAL_IF_PREFIX}+ \
+          --out-interface $PERIMETER_IF \
+          --destination ${USR_NET},${SR_NET},$IN_NET \
+          --jump ACCEPT
+# forward packets
+#     from the usr, sr and in networks
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "from the usr, sr and in networks" \
+          --in-interface $PERIMETER_IF \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --out-interface ${EXTERNAL_IF_PREFIX}+ \
+          --jump ACCEPT
+# forward openvpn packets
+#     from the internet
+#     to the internal vpn host
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "openvpn -> internal openvpn host" \
+          --protocol udp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --out-interface $PERIMETER_IF \
+          --destination $VPN_INTERNAL_IP \
+          --destination-port 1194 \
+          --jump ACCEPT
+# forward smtp and dns requests
+#     from the internet
+#     to the perimeter svc host
+#$IPTABLES --table filter --append FORWARD \
+#          --match comment \
+#          --comment "smtp, dns -> perimeter service host" \
+#          --protocol tcp \
+#          --in-interface $EXTERNAL_IF_STATIC \
+#          --out-interface $PERIMETER_IF \
+#          --destination $SVC_PERIMETER_IP \
+#          --match multiport \
+#          --destination-ports 25,53 \
+#          --jump ACCEPT
+# forward smtp and dns replies
+#     of established sessions
+#     from the perimeter svc host
+#     to the internet
+#$IPTABLES --table filter --append FORWARD \
+#          --match comment \
+#          --comment "perimeter service host smtp, dns replies" \
+#          --protocol tcp \
+#          --match conntrack \
+#          --ctstate ESTABLISHED \
+#          --in-interface $PERIMETER_IF \
+#          --source $SVC_PERIMETER_IP \
+#          --match multiport \
+#          --source-ports 25,53 \
+#          --out-interface $EXTERNAL_IF_STATIC \
+#          --jump ACCEPT
+# forward http and https requests
+#     from the internet
+#     to the perimeter web server host
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "http, https -> perimeter web server host" \
+          --protocol tcp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --out-interface $PERIMETER_IF \
+          --destination $WS_PERIMETER_IP \
+          --match multiport \
+          --destination-ports 80,443 \
+          --jump ACCEPT
+# forward http and https replies
+#     of established sessions
+#     from the perimeter web server host
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "perimeter web server host http, https replies" \
+          --protocol tcp \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --in-interface $PERIMETER_IF \
+          --source $WS_PERIMETER_IP \
+          --match multiport \
+          --source-ports 80,443 \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --jump ACCEPT
+## forward http and https requests
+##     from the internet
+##     to the perimeter whmcs host
+#$IPTABLES --table filter --append FORWARD \
+#          --match comment \
+#          --comment "http, https -> perimeter whmcs host" \
+#          --protocol tcp \
+#          --in-interface $EXTERNAL_IF_194 \
+#          --out-interface $PERIMETER_IF \
+#          --destination $WHMCS_PERIMETER_IP \
+#          --match multiport \
+#          --destination-ports 80,443 \
+#          --jump ACCEPT
+## forward http and https replies
+##     of established sessions
+##     from the perimeter whmcs host
+##     to the internet
+#$IPTABLES --table filter --append FORWARD \
+#          --match comment \
+#          --comment "perimeter whmcs host http, https replies" \
+#          --protocol tcp \
+#          --match conntrack \
+#          --ctstate ESTABLISHED \
+#          --in-interface $PERIMETER_IF \
+#          --source $WHMCS_PERIMETER_IP \
+#          --match multiport \
+#          --source-ports 80,443 \
+#          --out-interface $EXTERNAL_IF_194 \
+#          --jump ACCEPT
+# forward dns requests and notifications
+#     from the internet
+#     to the external name server host
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns requests from internet (udp) -> ens.pm" \
+          --protocol udp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --source-port 1024:65535 \
+          --out-interface $PERIMETER_IF \
+          --destination $ENS_PERIMETER_IP \
+          --destination-port 53 \
+          --jump ACCEPT
+# forward dns replies
+#     from the external name server host
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns replies from ens.pm (udp) -> internet" \
+          --match conntrack \
+          --ctstate ESTABLISHED,RELATED \
+          --protocol udp \
+          --in-interface $PERIMETER_IF \
+          --source $ENS_PERIMETER_IP \
+          --source-port 53 \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# forward dns requests
+#     from the external and perimeter name server hosts
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns requests from (e|p)ns.pm (udp) -> internet" \
+          --protocol udp \
+          --in-interface $PERIMETER_IF \
+          --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
+          --source-port 1024:65535 \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --destination-port 53 \
+          --jump ACCEPT
+# forward dns replies
+#     from the internet
+#     to the external and perimeter name server hosts
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns replies (udp) -> (e|p)ns.pm" \
+          --match conntrack \
+          --ctstate ESTABLISHED,RELATED \
+          --protocol udp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --source-port 53 \
+          --out-interface $PERIMETER_IF \
+          --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# forward dns requests
+#     from the internet
+#     to the external name server host
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns requests (tcp) -> ens.pm" \
+          --protocol tcp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --source-port 1024:65535 \
+          --out-interface $PERIMETER_IF \
+          --destination $ENS_PERIMETER_IP \
+          --destination-port 53 \
+          --jump ACCEPT
+# forward dns replies
+#     of established sessions
+#     from the external name server host
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns replies from ens.pm (tcp) -> internet" \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source $ENS_PERIMETER_IP \
+          --source-port 53 \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# forward dns requests
+#     from the external and perimeter name server hosts
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns requests from (e|p)ns.pm -> internet" \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
+          --source-port 1024:65535 \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --destination-port 53 \
+          --jump ACCEPT
+# forward dns replies
+#     of established sessions
+#     from the internet
+#     to the external and perimeter name server hosts
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+         --comment "dns replies (tcp) -> (e|p)ns.pm" \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --protocol tcp \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --source-port 53 \
+          --out-interface $PERIMETER_IF \
+          --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
+          --destination-port 1024:65535 \
+          --jump ACCEPT
+# forward smtp, dns, http and https requests
+#     from the perimeter svc host
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source $SVC_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --match multiport \
+          --destination-ports 25,53,80,443 \
+          --jump ACCEPT
+# forward smtp, dns, http and https replies
+#     of established sessions
+#     from the internet
+#     to the perimeter svc host
+$IPTABLES --table filter --append FORWARD \
+          --protocol tcp \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --match multiport \
+          --source-ports 25,53,80,443 \
+          --out-interface $PERIMETER_IF \
+          --destination $SVC_PERIMETER_IP \
+          --jump ACCEPT
+# forward http and https requests
+#     from the perimeter web server host
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "perimeter ws host http, https requests (let's encrypt)" \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source $WS_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --match multiport \
+          --destination-ports 80,443 \
+          --jump ACCEPT
+# forward http and https replies
+#     of established sessions
+#     from the internet
+#     to the perimeter web server host
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "perimeter ws host http, https replies (let's encrypt)" \
+          --protocol tcp \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --match multiport \
+          --source-ports 80,443 \
+          --out-interface $PERIMETER_IF \
+          --destination $WS_PERIMETER_IP \
+          --jump ACCEPT
+# forward http and https requests
+#     from the perimeter whmcs host
+#     to the internet
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "perimeter whmcs host http, https requests (let's encrypt)" \
+          --protocol tcp \
+          --in-interface $PERIMETER_IF \
+          --source $WHMCS_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --match multiport \
+          --destination-ports 80,443 \
+          --jump ACCEPT
+# forward http and https replies
+#     of established sessions
+#     from the internet
+#     to the perimeter whmcs host
+$IPTABLES --table filter --append FORWARD \
+          --match comment \
+          --comment "perimeter whmcs host http, https replies (let's encrypt)" \
+          --protocol tcp \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --in-interface $EXTERNAL_IF_STATIC \
+          --match multiport \
+          --source-ports 80,443 \
+          --out-interface $PERIMETER_IF \
+          --destination $WHMCS_PERIMETER_IP \
+          --jump ACCEPT
+# forward icmp packets
+#     from anywhere
+#     to anywhere
+$IPTABLES --table filter --append FORWARD \
+          --protocol icmp \
+          --jump ACCEPT
+
+################################
+# filter OUTPUT rules
+# allow dns requests
+#     to the perimeter name server host
+$IPTABLES --table filter --append OUTPUT \
+          --match comment \
+          --comment "dns requests -> pns.pm" \
+          --match conntrack \
+          --ctstate NEW \
+          --protocol udp \
+          --source $EFG_PERIMETER_IP \
+          --source-port 1024:65535 \
+          --out-interface $PERIMETER_IF \
+          --destination $PNS_PERIMETER_IP \
+          --destination-port 53 \
+          --jump ACCEPT
+# allow ssh packets
+#     of established sessions
+#     to the usr, sr and in networks
+$IPTABLES --table filter --append OUTPUT \
+          --protocol tcp \
+          --match conntrack \
+          --ctstate ESTABLISHED \
+          --source $EFG_PERIMETER_IP \
+          --source-port 22 \
+          --out-interface $PERIMETER_IF \
+          --destination ${USR_NET},${SR_NET},$IN_NET \
+          --jump ACCEPT
+# allow icmp packets
+#     to anywhere
+$IPTABLES --table filter --append OUTPUT \
+          --protocol icmp \
+          --jump ACCEPT
+# allow packets
+#     from the loopback address
+#     to the loopback address
+$IPTABLES --table filter --append OUTPUT \
+          --source $LOOPBACK_IP \
+          --out-interface $LOOPBACK_IF \
+          --destination $LOOPBACK_IP \
+          --jump ACCEPT
+
+################################
+# nat POSTROUTING rules
+# snat packets
+#     from the usr, sr and in networks
+$IPTABLES --table nat --append POSTROUTING \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --out-interface $EXTERNAL_IF_DYNAMIC \
+          --jump SNAT --to-source $DYNAMIC_MANAGEMENT_IP
+# snat packets
+#     from the usr, sr and in networks
+$IPTABLES --table nat --append POSTROUTING \
+          --source ${USR_NET},${SR_NET},$IN_NET \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --jump SNAT --to-source $PUBLIC_IP_202
+# snat packets
+#     from the perimeter svc host
+$IPTABLES --table nat --append POSTROUTING \
+          --source $SVC_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --jump SNAT --to-source $PUBLIC_IP_202
+# snat packets
+#     from the perimeter web server host
+$IPTABLES --table nat --append POSTROUTING \
+          --source $WS_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --jump SNAT --to-source $PUBLIC_IP_202
+# snat packets
+#     from the perimeter whmcs host
+$IPTABLES --table nat --append POSTROUTING \
+          --source $WHMCS_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --jump SNAT --to-source $PUBLIC_IP_202
+# snat packets
+#     from the perimeter name server host (perimeter network)
+$IPTABLES --table nat --append POSTROUTING \
+          --source $PNS_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --jump SNAT --to-source $PUBLIC_IP_202
+# snat packets
+#     from the external name server host (perimeter network)
+$IPTABLES --table nat --append POSTROUTING \
+          --source $ENS_PERIMETER_IP \
+          --out-interface $EXTERNAL_IF_STATIC \
+          --jump SNAT --to-source $PUBLIC_IP_202
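Review bot: The nat PREROUTING rule at L367–L374 DNATs inbound SMTP to `$SVC_PERIMETER_IP`, but the matching FORWARD accept (L504–L513) is commented out and nothing else in FORWARD admits `--destination $SVC_PERIMETER_IP --destination-port 25`, so with the DROP policy from `10_iptables_reset.sh` the DNAT'd connection is dropped — unless `$SVC_PERIMETER_IP` happens to fall inside `${USR_NET},${SR_NET},$IN_NET` (L470–L478), which the definitions file would show. The reply direction is missing too: L705–L712 matches svc-originated traffic by `--destination-ports 25,53,80,443`, not replies from source port 25. The two rules below close the gap; the DNS DNAT at L378–L396 is already covered by L591–L600 and L647–L656. Separately, the unrestricted `--protocol icmp --jump ACCEPT` rules at L452–L454, L788–L790 and L822–L824 accept every ICMP type from anywhere; restricting to the needed types (`--icmp-type echo-request` etc.) and adding `--match limit` would reduce the flood surface. The `--comment` lines at L593, L606, L621, L634, L649, L663, L678 and L692 are indented one space less than their neighbours.
```sh
# … unchanged: openvpn FORWARD rule (L492–L500) …
# forward smtp requests
#     from the internet
#     to the perimeter svc host (pairs with the nat PREROUTING DNAT)
$IPTABLES --table filter --append FORWARD \
          --match comment \
          --comment "smtp -> perimeter service host" \
          --protocol tcp \
          --in-interface $EXTERNAL_IF_STATIC \
          --out-interface $PERIMETER_IF \
          --destination $SVC_PERIMETER_IP \
          --destination-port 25 \
          --jump ACCEPT
# forward smtp replies
#     of established sessions
#     from the perimeter svc host
#     to the internet
$IPTABLES --table filter --append FORWARD \
          --match comment \
          --comment "perimeter service host smtp replies" \
          --protocol tcp \
          --match conntrack \
          --ctstate ESTABLISHED \
          --in-interface $PERIMETER_IF \
          --source $SVC_PERIMETER_IP \
          --source-port 25 \
          --out-interface $EXTERNAL_IF_STATIC \
          --jump ACCEPT
# … unchanged: remaining FORWARD, OUTPUT and POSTROUTING rules …
```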
diff --git a/sources/efg.pm.f29/firstboot/12_iptables_log_dropped.sh b/sources/efg.pm.f29/firstboot/12_iptables_log_dropped.sh
new file mode 100755 (executable)
index 0000000..87311ad
--- /dev/null
@@ -0,0 +1,18 @@
+#!/bin/sh
+#set -x
+
+################################
+# iptables command
+IPTABLES=/sbin/iptables
+
+################################
+# log packets reaching the default policy rules in the filter table
+$IPTABLES --table filter --append INPUT \
+          --jump LOG \
+          --log-prefix 'filter INPUT: '
+$IPTABLES --table filter --append FORWARD \
+          --jump LOG \
+          --log-prefix 'filter FORWARD: '
+$IPTABLES --table filter --append OUTPUT \
+          --jump LOG \
+          --log-prefix 'filter OUTPUT: '
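Review bot: The three LOG rules (lines 892–900) are unconditional, so every packet that falls through to the chain policy is logged at line rate, and a flood against the external interfaces can fill the log partition and starve rsyslog. Put a limit match in front of each jump, e.g. `--match limit --limit 5/min --limit-burst 10 \` before `--jump LOG`, and consider `--log-level warning` so these entries can be filtered apart from other kernel messages. The comment says these rules catch packets reaching the default policy; that is only true if 10_iptables_reset.sh (not visible here) sets the policies to DROP, which the comment should state so the ordering dependency is explicit.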
diff --git a/sources/efg.pm.f29/firstboot/13_iptables_save.sh b/sources/efg.pm.f29/firstboot/13_iptables_save.sh
new file mode 100755 (executable)
index 0000000..85932f3
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/sh
+#set -x
+
+/sbin/iptables-save >/etc/sysconfig/iptables
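Review bot: The redirect on line 909 creates /etc/sysconfig/iptables with the process umask when the file does not yet exist, and if iptables-save fails the file is left truncated, which iptables.service will then happily restore as an empty ruleset. Write through a temporary file and check the status, e.g. `umask 077` and `/sbin/iptables-save >/etc/sysconfig/iptables.tmp && mv /etc/sysconfig/iptables.tmp /etc/sysconfig/iptables`. The saved file spells out the whole perimeter topology, so it should not end up world-readable.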
diff --git a/sources/efg.pm.f29/firstboot/20_routing_setup.sh.old b/sources/efg.pm.f29/firstboot/20_routing_setup.sh.old
new file mode 100755 (executable)
index 0000000..9e2c4eb
--- /dev/null
@@ -0,0 +1,50 @@
+#!/bin/sh
+set -x
+
+REAL_PATH=$(realpath $(dirname $0))
+
+source $REAL_PATH/definitions
+
+
+#echo '65      dynamic' >>/etc/iproute2/rt_tables
+#echo '210     static' >>/etc/iproute2/rt_tables
+
+ip a
+ip r
+
+# normal routes (table main)
+#ip route add 212.40.120.172 via 192.168.43.161 dev eth0
+#ip route add 212.40.120.173 via 192.168.43.210 dev eth0
+
+# default route for dynamic
+#ip route add default via 192.168.65.254 dev $EXTERNAL_IF_DYNAMIC table dynamic
+
+# default route for static
+#ip route add default via 84.2.25.193 dev $EXTERNAL_IF_STATIC table static
+
+# normal routes for dynamic
+#ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
+#ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
+#ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
+
+# normal routes for static
+#ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table static
+#ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table static
+#ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table static
+
+# source routes for dynamic
+#ip rule add from $USR_NET lookup table dynamic
+#ip rule add from $SR_NET lookup table dynamic
+
+# source routes for static
+# do NOT use network addresses!!!
+#ip rule add from $SVC_PERIMETER_IP lookup static
+#ip rule add from $WWW_PERIMETER_IP lookup static
+#ip rule add from $NS_PERIMETER_IP lookup static
+#ip rule add from $VPN_INTERNAL_IP lookup static
+#ip rule add from $IN_NET lookup static
+#ip rule add from 192.168.43.176/28 lookup epc201
+#ip rule add from 192.168.43.1 lookup epc201
+
+# flush cache
+ip route flush cache
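Review bot: This `.old` file is installed into firstboot/ with mode 0755 and `set -x` while nearly every `ip` command in it is commented out; if the firstboot runner executes every executable in the directory rather than `*.sh`, it still runs, dumps `ip a`/`ip r` and flushes the route cache for no purpose. Since the live routing now lives in route-eth0/rule-eth0, drop the file from the image or at least clear its executable bit. The commented rules also reference `$WWW_PERIMETER_IP` and `$NS_PERIMETER_IP`, which definitions does not define (it has WS_PERIMETER_IP and PNS_PERIMETER_IP), so they would silently expand to empty if ever uncommented. If the file is kept, quote `$(dirname "$0")` and `"$REAL_PATH/definitions"`.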
diff --git a/sources/efg.pm.f29/firstboot/99_cleanup.sh b/sources/efg.pm.f29/firstboot/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
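Review bot: Line 975 only echoes the rm command, so the firstboot directory — including definitions with the full address plan and the iptables scripts — stays on the installed host after first boot. If the echo is a leftover dry-run, make it `rm -Rf -- "${REAL_PATH:?}"` so an empty REAL_PATH can never expand to a bare `rm -Rf`. If keeping the files is intentional, say so in a comment rather than leaving what reads like a disabled cleanup.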
diff --git a/sources/efg.pm.f29/firstboot/definitions b/sources/efg.pm.f29/firstboot/definitions
new file mode 100644 (file)
index 0000000..9b46e0d
--- /dev/null
@@ -0,0 +1,102 @@
+################################
+# iptables command
+################################
+IPTABLES=/sbin/iptables
+
+################################
+# interfaces
+################################
+
+# external interfaces
+EXTERNAL_IF_PREFIX=efg
+EXTERNAL_IF_DYNAMIC=${EXTERNAL_IF_PREFIX}d
+EXTERNAL_IF_STATIC=${EXTERNAL_IF_PREFIX}s
+
+# loopback interface
+LOOPBACK_IF=lo
+
+# perimeter interface
+PERIMETER_IF=eth0
+
+################################
+# addresses
+################################
+
+# loopback address
+LOOPBACK_IP=127.0.0.1
+
+# public address
+PUBLIC_IP_194=84.2.25.194
+PUBLIC_IP_195=84.2.25.195
+PUBLIC_IP_196=84.2.25.196
+PUBLIC_IP_197=84.2.25.197
+PUBLIC_IP_198=84.2.25.198
+PUBLIC_IP_199=84.2.25.199
+PUBLIC_IP_200=84.2.25.200
+PUBLIC_IP_201=84.2.25.201
+PUBLIC_IP_202=84.2.25.202
+PUBLIC_IP_203=84.2.25.203
+PUBLIC_IP_204=84.2.25.204
+PUBLIC_IP_205=84.2.25.205
+PUBLIC_IP_206=84.2.25.206
+
+# modem management addresses
+DYNAMIC_MANAGEMENT_IP=192.168.65.1
+STATIC_MANAGEMENT_IP=192.168.210.1
+
+# modem/gateway addresses
+DYNAMIC_GATEWAY_IP=192.168.65.254
+STATIC_GATEWAY_IP=84.2.25.193
+
+# efg address (perimeter network)
+EFG_PERIMETER_IP=192.168.173.254
+
+# service address (perimeter network)
+SVC_PERIMETER_IP=192.168.173.253
+
+# transfer server address (perimeter network)
+XFR_PERIMETER_IP=192.168.173.251
+
+# whmcs server address (perimeter network)
+WHMCS_PERIMETER_IP=192.168.173.250
+
+# web server address (perimeter network)
+WS_PERIMETER_IP=192.168.173.249
+
+# subversion address (perimeter network)
+SVN_PERIMETER_IP=192.168.173.249
+
+# perimeter name server address (perimeter network)
+PNS_PERIMETER_IP=192.168.173.174
+
+# external name server address (perimeter network)
+ENS_PERIMETER_IP=192.168.173.64
+
+# ifg address (perimeter network)
+IFG_PERIMETER_IP=192.168.173.1
+
+# ipg addresses (internal network)
+IFG_USR_IP=10.228.109.254
+IFG_SR_IP=192.168.42.254
+IFG_IN_IP=192.168.43.254
+
+# service address (internal network)
+SVC_INTERNAL_IP=10.228.109.253
+
+# vpn address (internal network)
+VPN_INTERNAL_IP=10.228.109.236
+
+################################
+# networks
+################################
+
+# internal networks
+USR_NET=10.228.0.0/16
+SR_NET=192.168.42.0/24
+IN_NET=192.168.43.0/24
+
+# perimeter network
+PERIMETER_NET=192.168.173.0/24
+
+# vpn client network
+VPN_NET=172.16.223.0/24
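Review bot: WS_PERIMETER_IP (line 1044) and SVN_PERIMETER_IP (line 1047) are both 192.168.173.249; if the web server and subversion really share a host that is fine, but it looks like a copy-paste slip, and the SNAT and policy-routing entries keyed on .249 would then cover an unintended host. A one-line comment such as `# subversion runs on the web server host` would settle it. The header on line 1058 says "ipg addresses" while the variables are IFG_*; presumably a typo for "ifg".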
diff --git a/sources/efg.pm.f29/firstboot/traversal.txt b/sources/efg.pm.f29/firstboot/traversal.txt
new file mode 100644 (file)
index 0000000..97ebf2d
--- /dev/null
@@ -0,0 +1,53 @@
+###############################
+ chain traversal
+ for all tables
+###############################
+
+                   NETWORK
+                      |
+                ______v_____
+               /    raw     \
+               | PREROUTING |
+               \____________/
+                      |
+  ________      ______v_____
+ / mangle \    /   mangle   \
+ | INPUT  |<-  | PREROUTING |
+ \________/  | \____________/
+      |      |        |
+  ____v___   |  ______v_____
+ / filter \  | /    nat     \
+ | INPUT  |  | | PREROUTING |
+ \________/  | \____________/
+      |      |        |
+  ____v____  |    ____v___
+ |         | |   /        \
+ |  local  | |__/ routing  \__________
+ | process |    \ decision /          |
+ |_________|     \________/       ____v____
+      |                          / mangle  \
+   ___v____                      | FORWARD |
+  /        \                     \_________/
+ / routing  \                         |
+ \ decision /                     ____v____
+  \________/                     / filter  \
+      |                          | FORWARD |
+  ____v___        ________       \_________/
+ /  raw   \      /        \           |
+ | OUTPUT |     / routing  \          |
+ \________/   ->\ decision /<---------
+      |      |   \________/
+  ____v___   |        |
+ / mangle \  |  ______v______
+ | OUTPUT |  | /   mangle    \
+ \________/  | | POSTROUTING |
+      |      | \_____________/
+  ____v___   |        |
+ /  nat   \  |  ______v______
+ | OUTPUT |  | /     nat     \
+ \________/  | | POSTROUTING |
+      |      | \_____________/
+  ____v___   |        |
+ / filter \  |        v
+ | OUTPUT |--      NETWORK
+ \________/
diff --git a/sources/efg.pm.f29/postinstall/01_setownership.sh b/sources/efg.pm.f29/postinstall/01_setownership.sh
new file mode 100755 (executable)
index 0000000..5590180
--- /dev/null
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
+
+chgrp ssh_keys $SOURCE_PATH/etc/ssh/*_key
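Review bot: The unquoted globs on lines 1152 and 1154 are passed literally when nothing matches, so a build tree without host keys makes chgrp fail on a file named `*_key` instead of being skipped; guard with a `for f in "$SOURCE_PATH"/etc/ssh/*_key; do [ -e "$f" ] || continue; …` loop. `root.root` uses the deprecated dot separator that GNU coreutils warns about; use `root:root`. The `ssh_keys` group only exists once the openssh package is installed, which the package lists in this commit do not obviously include, so the chgrp should also check `getent group ssh_keys` first. Note that 02_setpermissions.sh then sets mode 400, which leaves the ssh_keys group without read access anyway; on Fedora host keys are normally root:ssh_keys 0640, so the two scripts should agree on one convention.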
diff --git a/sources/efg.pm.f29/postinstall/02_setpermissions.sh b/sources/efg.pm.f29/postinstall/02_setpermissions.sh
new file mode 100755 (executable)
index 0000000..c8c018c
--- /dev/null
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chmod 400 $SOURCE_PATH/etc/ssh/*_key
+chmod 444 $SOURCE_PATH/etc/ssh/*.pub
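Review bot: `chmod 400` on line 1166 revokes the group read that 01_setownership.sh grants with `chgrp ssh_keys`, so ssh-keysign (setgid ssh_keys) cannot read the host keys; harmless if host-based authentication is not used, but the two scripts disagree about the intent, so either use `chmod 640` to keep the distribution default or drop the chgrp. These modes are applied in the build tree and, as far as I can tell, preserved by the root `tar --extract` in 03_installfiles.sh (GNU tar keeps modes when run as root), which is worth a comment since nothing re-applies them under /etc/ssh. As in the previous script, the unquoted globs expand to the literal pattern when there are no matches, so add an existence test.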
diff --git a/sources/efg.pm.f29/postinstall/03_installfiles.sh b/sources/efg.pm.f29/postinstall/03_installfiles.sh
new file mode 100755 (executable)
index 0000000..f190caf
--- /dev/null
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+    --directory=$REAL_PATH \
+    --to-stdout \
+    install \
+    | tar --extract \
+          --backup \
+          --directory=/ \
+          --no-overwrite-dir \
+          --strip-components=1 \
+          --suffix=.orig
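Review bot: `--to-stdout` on line 1180 is an extraction option; the create side only reaches the pipe because this tar build defaults its archive to stdout, so spell it `--file=-` to avoid relying on that. Under `#!/bin/sh` there is no pipefail, so a failure on the create side (missing install/, unreadable file) leaves the extract side at exit 0 and the postinstall step reports success; write the archive to a temporary file first and check both steps, or at least add `set -e` and test the create separately. Note also that `--backup --suffix=.orig` keeps a copy of every replaced file, so if the install tree carries SSH host keys the previous key pair lingers as `ssh_host_*_key.orig`, which the cleanup script should remove or the comment should mention.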
diff --git a/sources/efg.pm.f29/postinstall/10_setupservices.sh b/sources/efg.pm.f29/postinstall/10_setupservices.sh
new file mode 100755 (executable)
index 0000000..80c2db2
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl enable iptables.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
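Review bot: Only `iptables.service` is enabled (line 1196), while the shipped ifcfg files turn on IPv6 with autoconf and an IPv6 default route on both external interfaces, so unless an ip6tables ruleset is built elsewhere the host accepts IPv6 unfiltered while its IPv4 side is default-deny. Either enable and populate `ip6tables.service` with matching DROP policies, or set `IPV6INIT=no` on efgd and efgs. Masking wpa_supplicant is fine; a comment saying why (no wireless on this host) would help the next reader.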
diff --git a/sources/efg.pm.f29/postinstall/99_cleanup.sh b/sources/efg.pm.f29/postinstall/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
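Review bot: Line 1210 prints the rm instead of running it, so postinstall/ — with the install/ tree that 01_setownership.sh expects to hold SSH host keys — remains on the image after its contents have been copied into /etc. If private keys really live there, a second copy outside /etc/ssh with build-tree permissions is the thing to fix: run `rm -Rf -- "${REAL_PATH:?}"`, or at minimum `rm -Rf -- "${REAL_PATH:?}/install"`. If the dry-run is deliberate, say so in a comment.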
diff --git a/sources/efg.pm.f29/postinstall/install/etc/hosts b/sources/efg.pm.f29/postinstall/install/etc/hosts
new file mode 100644 (file)
index 0000000..278fb43
--- /dev/null
@@ -0,0 +1,4 @@
+127.0.0.1      localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1            localhost6.localdomain6 localhost6
+
+192.168.173.254        efg.pm.user.hu efg
diff --git a/sources/efg.pm.f29/postinstall/install/etc/iproute2/rt_tables b/sources/efg.pm.f29/postinstall/install/etc/iproute2/rt_tables
new file mode 100644 (file)
index 0000000..41d5b37
--- /dev/null
@@ -0,0 +1,13 @@
+#
+# reserved values
+#
+255    local
+254    main
+253    default
+0      unspec
+#
+# local
+#
+#1     inr.ruhep
+65     dynamic
+210    static
diff --git a/sources/efg.pm.f29/postinstall/install/etc/resolv.conf b/sources/efg.pm.f29/postinstall/install/etc/resolv.conf
new file mode 100644 (file)
index 0000000..1a69e03
--- /dev/null
@@ -0,0 +1,3 @@
+nameserver 192.168.173.174
+domain pm.user.hu
+search pm.user.hu
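Review bot: NetworkManager rewrites /etc/resolv.conf at boot unless `dns=none` (or `rc-manager=unmanaged`) is set, and the ifcfg templates in this commit set `IPV6_PEERDNS=yes`, so the single perimeter resolver on line 1243 can be replaced by whatever RDNSS an external link advertises — moving the gateway's DNS off the perimeter resolver. Add a `[main]` `dns=none` drop-in under /etc/NetworkManager/conf.d, or set `ipv4.ignore-auto-dns yes` / `ipv6.ignore-auto-dns yes` on the external connections. `domain` on line 1244 is redundant next to `search`; resolv.conf(5) treats the two as mutually exclusive with the last one winning, so keep only `search`.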
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd
new file mode 100644 (file)
index 0000000..389bbbd
--- /dev/null
@@ -0,0 +1,16 @@
+NAME=efgd
+DEVICE=efgd
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR=192.168.65.1
+PREFIX=24
+GATEWAY=192.168.65.254
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs
new file mode 100644 (file)
index 0000000..9613b3e
--- /dev/null
@@ -0,0 +1,17 @@
+NAME=efgs
+DEVICE=efgs
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR0=84.2.25.202
+PREFIX0=28
+IPADDR1=192.168.210.1
+PREFIX1=24
+DEFROUTE=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0 b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0
new file mode 100644 (file)
index 0000000..eaa509b
--- /dev/null
@@ -0,0 +1,15 @@
+NAME=eth0
+DEVICE=eth0
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR=192.168.173.254
+PREFIX=24
+DEFROUTE=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
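Review bot: `IPV6_AUTOCONF=yes` with `IPV6_DEFROUTE=yes` and `IPV6_PEERDNS=yes` on the perimeter interface (lines 1304–1306) means the gateway will accept router advertisements from any host on 192.168.173.0/24 and take an IPv6 default route and resolver from them; on a box whose IPv4 side is carefully policy-routed that is an easy hijack, so set `IPV6_AUTOCONF=no` (or `IPV6INIT=no` if IPv6 is not used on the perimeter). The `donotuse.` prefix presumably keeps the ifcfg-rh plugin from loading these files, which I believe only matches `ifcfg-*`; if they are reference templates only, a header comment stating that and pointing at 01_setupnetworking.sh would avoid someone "fixing" the name.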
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/route-eth0 b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/route-eth0
new file mode 100644 (file)
index 0000000..f0f9015
--- /dev/null
@@ -0,0 +1,11 @@
+#10.228.0.0/16 via 192.168.173.1 dev eth0
+#192.168.42.0/24 via 192.168.173.1 dev eth0
+#192.168.43.0/24 via 192.168.173.1 dev eth0
+10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
+192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
+192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
+10.228.0.0/16 via 192.168.173.1 dev eth0 table static
+192.168.42.0/24 via 192.168.173.1 dev eth0 table static
+192.168.43.0/24 via 192.168.173.1 dev eth0 table static
+default via 192.168.65.254 dev efgd table dynamic
+default via 84.2.25.193 dev efgs table static
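Review bot: The two default routes on lines 1323–1324 are bound to efgd and efgs but live in route-eth0, so (if the ifcfg-rh route files are what applies them) they are installed when eth0 comes up; if either external interface is not up at that moment the `ip route add … dev efgd` fails and the corresponding policy table has no default route, with nothing to retry. Move them to route-efgd / route-efgs, or into the static routes of the matching nmcli connections, so they follow their own link. The gateways 84.2.25.193 and 192.168.65.254 duplicate STATIC_GATEWAY_IP / DYNAMIC_GATEWAY_IP from firstboot/definitions; a comment pointing there keeps the two from drifting.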
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/rule-eth0 b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/rule-eth0
new file mode 100644 (file)
index 0000000..31adc78
--- /dev/null
@@ -0,0 +1,7 @@
+from 10.228.109.236 lookup static
+from 10.228.109.253 lookup static
+from 192.168.173.64 lookup static
+from 192.168.173.174 lookup static
+from 192.168.173.249 lookup static
+from 192.168.173.252 lookup static
+from 192.168.173.253 lookup static
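Review bot: This rule list does not match the SNAT rules in 11_iptables_set_efg_rules.sh: .250 (WHMCS_PERIMETER_IP) is SNATed out of efgs but has no `lookup static` rule here, so its traffic follows the main table out of efgd and never reaches that SNAT, while .252 on line 1335 gets a rule but appears nowhere in firstboot/definitions. Either add `from 192.168.173.250 lookup static` and drop or document .252, or generate this file from definitions so the two lists cannot diverge. A trailing comment per line naming the host (`# svc`, `# ens`, …) would make such drift visible on review.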
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf b/sources/efg.pm.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf
new file mode 100644 (file)
index 0000000..05b3f78
--- /dev/null
@@ -0,0 +1 @@
+net.ipv4.conf.all.forwarding = 1
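Review bot: Forwarding is switched on with no companion settings; for a multi-homed gateway the usual set is `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.all.accept_source_route = 0`, plus an explicit `rp_filter` choice — strict mode (1) will most likely drop inbound traffic on efgs, since the reverse lookup for an Internet source resolves through the main table to efgd, so use loose mode (2) or set it per interface deliberately. `net.ipv6.conf.all.forwarding` stays 0 while IPv6 is enabled on every interface; a comment stating that this is intended would save the next reader from guessing.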
index e6552b481e139aa48b7fa9dec4d7d1bf3cdb61db..03031a08972c8e768cf23c2d3a67c93c5a06a953 100644 (file)
@@ -1,4 +1,2 @@
-#BASE_PACKAGES="NetworkManager initscripts openssh-server openssh-clients openssh-ldap rootfiles rsyslog sudo tar vim-minimal"
-#SPEC_PACKAGES="authselect iptables iptables-services openldap-clients nss-pam-ldapd pam_ssh passwd"
-BASE_PACKAGES="NetworkManager initscripts rootfiles rsyslog tar"
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils rootfiles rsyslog tar vim-minimal"
 SPEC_PACKAGES="iptables iptables-services"
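Review bot: openssh-server, openssh-clients and sudo are gone from both the live and the removed commented package lists, yet postinstall/01_setownership.sh runs `chgrp ssh_keys` on `etc/ssh/*_key` — a group that, as far as I know, is created by the openssh package — so on a chroot built from this list that step fails, and the gateway has no remote administration path. If this is indeed the efg.pm.f29 config and dropping sshd is intentional, add a comment saying so and make the chgrp conditional on the group existing; otherwise put `openssh-server` back.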
index e94cd129dad918e34bc9e6bb0a13b46239a3a4eb..f8c14981e3c37b266d01c9d9b22068e18df7dd51 100755 (executable)
@@ -15,32 +15,40 @@ do
 done
 [ $WAITED -eq 1 ] && echo
 
-nmcli --terse connection show | grep ':$' >/dev/null
-CONNECTION_DEVICES_UP=$?
-while [ $CONNECTION_DEVICES_UP -eq 0 ]
+# wait for two network connections
+CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+CYCLES_WAITED=0
+while [ $CONNECTION_DEVICES_UP -lt 2 ]
 do
+    if [ $CYCLES_WAITED -ge 10 ]
+    then
+        nmcli connection show
+        exit 1
+    fi
     sleep 1
-    nmcli --terse connection show | grep ':$' >/dev/null
-    CONNECTION_DEVICES_UP=$?
+    CYCLES_WAITED=$(( $CYCLES_WAITED + 1 ))
+    CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
 done
 
 CONNECTIONS=$(nmcli --terse connection show | wc -l)
-if [ $CONNECTIONS -ne 2 ]
-then
-    echo "Number of connections: $CONNECTIONS" >&2
-    exit 1
-fi
+while [ $CONNECTIONS -gt 0 ]
+do
+    CONNECTION_LINE=$(nmcli --terse connection show | head -n 1)
+    CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+    nmcli connection delete uuid "$CONNECTION_UUID"
+    CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
 
 INTERNAL_DEVICE=ifg
 PM_DEVICE=eth0
 
-CONNECTION_LINE_INTERNAL=$(nmcli --terse connection show | grep ":${INTERNAL_DEVICE}$")
-CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${PM_DEVICE}$")
-CONNECTION_UUID_INTERNAL=$(echo $CONNECTION_LINE_INTERNAL | cut -f 2 -d ':')
-CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
+#CONNECTION_LINE_INTERNAL=$(nmcli --terse connection show | grep ":${INTERNAL_DEVICE}$")
+#CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${PM_DEVICE}$")
+#CONNECTION_UUID_INTERNAL=$(echo $CONNECTION_LINE_INTERNAL | cut -f 2 -d ':')
+#CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
 
-nmcli connection delete uuid "$CONNECTION_UUID_INTERNAL"
-nmcli connection delete uuid "$CONNECTION_UUID_PM"
+#nmcli connection delete uuid "$CONNECTION_UUID_INTERNAL"
+#nmcli connection delete uuid "$CONNECTION_UUID_PM"
 
 nmcli connection add \
     connection.autoconnect yes \
index 91bef484de2fa4ee8e2e370bb180dd9c9787f940..1657c3660c004b51a4ebed1556d70646f2bc9575 100644 (file)
@@ -1,4 +1,2 @@
-#BASE_PACKAGES="NetworkManager initscripts openssh-server openssh-clients openssh-ldap rootfiles rsyslog sudo tar vim-minimal"
-#SPEC_PACKAGES="authselect httpd mod_ssl openldap-clients nss-pam-ldapd pam_ssh passwd python2-certbot-apache python3-certbot-apache"
-BASE_PACKAGES="NetworkManager initscripts rootfiles rsyslog tar"
-SPEC_PACKAGES="httpd mod_ssl python3-certbot-apache"
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils rootfiles rsyslog tar"
+SPEC_PACKAGES="httpd mailx mod_ssl php postfix python3-certbot-apache"