Updated efg.pm (added netlock machine rules).
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Thu, 25 May 2023 16:44:25 +0000 (18:44 +0200)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Thu, 25 May 2023 16:44:25 +0000 (18:44 +0200)
sources/efg.pm/c3d/firstboot/data/nftables.config
sources/efg.pm/c3d/firstboot/scripts/01_setupnetworking.sh
sources/efg.pm/c3d/postinstall/install-data/etc/sysctl.d/01_ipforward.conf

index eb7fdff63621afbd04e4a2b864eecfae7c3e8f3a..1c3bd6d986ba95427c2921d78a2bbb03a9e17100 100644 (file)
@@ -32,7 +32,7 @@ define PUBLIC_NS_IPV4        = 213.253.216.164
 define PUBLIC_STORE_IPV4     = 213.253.216.165
 define PUBLIC_VPN_IPV4       = 213.253.216.166
 define PUBLIC_WS_IPV4        = 213.253.216.167
-define PUBLIC_IPV4_168       = 213.253.216.168
+define PUBLIC_NETLOCK_IPV4   = 213.253.216.168
 define PUBLIC_IPV4_169       = 213.253.216.169
 define PUBLIC_IPV4_170       = 213.253.216.170
 define PUBLIC_IPV4_171       = 213.253.216.171
@@ -84,6 +84,9 @@ define PNS_INTERNAL_IPV4 = 10.228.109.174
 # internal name server address (internal network)
 define INS_INTERNAL_IPV4 = 10.228.109.104
 
+# netlock server address (internal network)
+define NETLOCK_INTERNAL_IPV4 = 10.228.32.197
+
 # worksheet address (internal network)
 define WORKSHEET_SR_IPV4 = 192.168.42.248
 
@@ -146,6 +149,11 @@ add rule ip efg-nat prerouting \
     ip daddr $PUBLIC_VPN_IPV4 udp dport $VPN_PORT \
     counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
 
+add rule ip efg-nat prerouting \
+    iifname $EXTERNAL_IF tcp sport 1024-65535 \
+    ip daddr $PUBLIC_STORE_IPV4 tcp dport { http, https } \
+    counter dnat $STORE_INTERNAL_IPV4 comment "Incoming store requests"
+
 #add rule ip efg-nat prerouting \
 #    iifname $EXTERNAL_IF \
 #    ip daddr $PUBLIC_MX_IPV4 tcp dport $MX_PORTS \
@@ -166,6 +174,11 @@ add rule ip efg-nat prerouting \
     ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
     counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
 
+add rule ip efg-nat prerouting \
+    iifname $EXTERNAL_IF tcp sport 1024-65535 \
+    ip daddr $PUBLIC_NETLOCK_IPV4 tcp dport ssh \
+    counter dnat $NETLOCK_INTERNAL_IPV4 comment "Incoming netlock ssh requests"
+
 
 ################################
 # FILTER input rules
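Review bot: The ssh DNAT rule at `ip daddr $PUBLIC_NETLOCK_IPV4 tcp dport ssh` translates port 22 from any internet source to $NETLOCK_INTERNAL_IPV4, and neither this rule nor its forward counterpart in the @@ -244 hunk limits which sources may reach the internal host. If the netlock machine is administered from known addresses, add a define such as `define NETLOCK_SSH_SOURCES = { <allowed-management-addresses> }` and match `ip saddr $NETLOCK_SSH_SOURCES` in both the prerouting DNAT rule and the forward accept rule; where the sources cannot be enumerated, at least throttle new connections in the forward rule with something like `ct state new limit rate 10/minute burst 5 packets` (example values) ahead of `counter accept`. This rule also carries `tcp sport 1024-65535` while the forward rule for the same traffic does not, so the nat and filter chains already disagree on what is admitted.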
@@ -244,6 +257,16 @@ add rule ip efg-filter forward \
     oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORT \
     counter accept comment "Incoming VPN traffic"
 
+add rule ip efg-filter forward \
+    iifname $EXTERNAL_IF \
+    oifname $PERIMETER_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport { http, https } \
+    counter accept comment "Incoming store traffic"
+
+add rule ip efg-filter forward \
+    iifname $EXTERNAL_IF \
+    oifname $PERIMETER_IF ip daddr $NETLOCK_INTERNAL_IPV4 tcp dport ssh \
+    counter accept comment "Incoming netlock ssh traffic"
+
 add rule ip efg-filter forward \
     iifname $EXTERNAL_IF tcp sport 1024-65535 \
     oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
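Review bot: Both new forward rules accept without the `tcp sport 1024-65535` match that their DNAT rules in the @@ -146 and @@ -166 hunks and the neighbouring WS forward rule (`iifname $EXTERNAL_IF tcp sport 1024-65535 \`) apply, so the filter chain is looser than the nat chain for the store and netlock hosts. Either drop the sport match from the DNAT rules or make the new accept rules read `iifname $EXTERNAL_IF tcp sport 1024-65535 \` on their second line so the two chains admit the same packets. The comment strings also diverge between the pairs ("Incoming store requests" in the DNAT rule, "Incoming store traffic" here; likewise for netlock), and keeping them identical makes the counters in `nft list ruleset` easier to correlate.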
index 4f1fedc18cab318712b689e39f70e51c5efb9f53..894b42c624e94c4bcd72b7e4973d5ddddf717e08 100755 (executable)
@@ -76,7 +76,9 @@ nmcli connection add \
     ipv4.dns "192.168.173.174" \
     ipv4.dns-search "pm.user.hu" \
     ipv4.method "manual" \
-    ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \
+    ipv4.routes "10.228.0.0/16 192.168.173.1, \
+                 192.168.42.0/24 192.168.173.1, \
+                 192.168.43.0/24 192.168.173.1" \
     ipv6.addresses "2001:1aa1:000a:00ad:000c:18ff:fe03:adfe/64" \
     ipv6.dns "2001:1aa1:000a:00ad:000c:18ff:fe03:adae" \
     ipv6.dns-search "pm.useribm.hu" \
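Review bot: Splitting the quoted `ipv4.routes` value with backslash-newline changes the argument: inside double quotes the shell removes the backslash and newline but keeps the indentation of the continuation line, so nmcli now receives runs of spaces after each comma. nmcli probably tolerates whitespace around route entries, but that is an assumption the old single-line form did not depend on, and the same applies to the `ipv4.addresses` split in the @@ -86 hunk. Building the value in a variable keeps the lines short without leaking indentation into the argument; the nmcli invocation itself starts before this hunk.
```shell
IPV4_ROUTES="10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1"
IPV4_ROUTES="$IPV4_ROUTES, 192.168.43.0/24 192.168.173.1"
# … unchanged: nmcli connection add … ipv4.method "manual" \ …
    ipv4.routes "$IPV4_ROUTES" \
```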
@@ -86,10 +88,13 @@ nmcli connection add \
 
 nmcli connection add \
     connection.autoconnect yes \
-    connection.id invitech \
+    connection.id external \
     connection.interface-name $CONNECTION_DEVICE_EX \
     connection.type 802-3-ethernet \
-    ipv4.addresses "213.253.216.162/28, 213.253.216.163/28, 213.253.216.164/28, 213.253.216.166/28, 213.253.216.167/28" \
+    ipv4.addresses "213.253.216.162/28, 213.253.216.163/28, \
+                    213.253.216.164/28, 213.253.216.165/28, \
+                    213.253.216.166/28, 213.253.216.167/28, \
+                    213.253.216.168/28" \
     ipv4.gateway "213.253.216.161" \
     ipv4.method "manual" \
     ipv4.route-metric 100 \
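Review bot: Renaming `connection.id invitech` to `connection.id external` means a host that was already provisioned under the old id will, if this firstboot script is ever re-run, get a second profile bound to $CONNECTION_DEVICE_EX rather than an updated one, since `nmcli connection add` does not replace by interface; whether a re-run is possible depends on the firstboot mechanism, which is outside this hunk. If re-runs are expected, either delete the old profile first (`nmcli connection delete invitech 2>/dev/null || true`) or leave the id unchanged. The new `ipv4.addresses` list does add the .165 and .168 addresses that the store and netlock DNAT rules in nftables.config now rely on, so that side is consistent.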
index 5334abcc8e49384222920b0f5d3c4b81d7cbfef7..2f5020edb3fa84a725dd0880cc19489da56ba460 100644 (file)
@@ -1,2 +1,4 @@
 net.ipv4.conf.all.forwarding = 1
 net.ipv6.conf.all.forwarding = 1
+#net.ipv6.conf.eth0.forwarding = 1
+#net.ipv6.conf.eth1.forwarding = 1
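Review bot: The two new lines are commented out with no explanation, so the next reader cannot tell whether they are a reminder, a disabled experiment, or a template for other interface names. State the intent on the line above them, for example `# Per-interface IPv6 forwarding overrides; conf.all.forwarding above already enables it, uncomment only to pin a specific NIC`, or drop them if they are not meant to be enabled.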