# interface definitions
################################
-# external interface
-define EXTERNAL_IF = eth1
+# external interfaces
+define EXTERNAL_ACE_IF = eth2
+define EXTERNAL_TELEKOM_IF = eth1
# loopback interface
define LOOPBACK_IF = lo
define LOOPBACK_IP = 127.0.0.1
# public addresses
-define PUBLIC_EFG_IP = 194.149.40.146
-define PUBLIC_MX_IP = 194.149.40.147
-define PUBLIC_NS_IP = 194.149.40.148
-define PUBLIC_VPN_IP = 194.149.40.149
-define PUBLIC_WS_IP = 194.149.40.150
-define PUBLIC_MINECRAFT_IP = 194.149.40.151
-define PUBLIC_IP_152 = 194.149.40.152
-define PUBLIC_IP_153 = 194.149.40.153
-define PUBLIC_IP_154 = 194.149.40.154
-define PUBLIC_IP_155 = 194.149.40.155
-define PUBLIC_IP_156 = 194.149.40.156
-define PUBLIC_IP_157 = 194.149.40.157
-define PUBLIC_DL380E_IP = 194.149.40.158
+define PUBLIC_ACE_EFG_IP = 37.220.137.137
+define PUBLIC_ACE_VPN_IP = 37.220.137.138
+define PUBLIC_ACE_IP_139 = 37.220.137.139
+define PUBLIC_ACE_IP_140 = 37.220.137.140
+define PUBLIC_ACE_IP_141 = 37.220.137.141
+define PUBLIC_TELEKOM_EFG_IP = 194.149.40.146
+define PUBLIC_TELEKOM_MX_IP = 194.149.40.147
+define PUBLIC_TELEKOM_NS_IP = 194.149.40.148
+define PUBLIC_TELEKOM_VPN_IP = 194.149.40.149
+define PUBLIC_TELEKOM_WS_IP = 194.149.40.150
+define PUBLIC_TELEKOM_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_TELEKOM_IP_152 = 194.149.40.152
+define PUBLIC_TELEKOM_IP_153 = 194.149.40.153
+define PUBLIC_TELEKOM_IP_154 = 194.149.40.154
+define PUBLIC_TELEKOM_IP_155 = 194.149.40.155
+define PUBLIC_TELEKOM_IP_156 = 194.149.40.156
+define PUBLIC_TELEKOM_IP_157 = 194.149.40.157
+define PUBLIC_TELEKOM_DL380E_IP = 194.149.40.158
# efg address (perimeter network)
define EFG_PERIMETER_IP = 192.168.173.254
################################
add rule ip efg_nat prerouting \
- iifname $EXTERNAL_IF \
- ip daddr $PUBLIC_VPN_IP udp dport 1194 \
- counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic"
+ iifname $EXTERNAL_ACE_IF \
+ ip daddr $PUBLIC_ACE_VPN_IP udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (ACE)"
+
+add rule ip efg_nat prerouting \
+ iifname $EXTERNAL_TELEKOM_IF \
+ ip daddr $PUBLIC_TELEKOM_VPN_IP udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (TELEKOM)"
#add rule ip efg_nat prerouting \
-# iifname $EXTERNAL_IF \
-# ip daddr $PUBLIC_MX_IP tcp dport $MX_PORTS \
+# iifname $EXTERNAL_TELEKOM_IF \
+# ip daddr $PUBLIC_TELEKOM_MX_IP tcp dport $MX_PORTS \
# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
add rule ip efg_nat prerouting \
- iifname $EXTERNAL_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_NS_IP udp dport 53 \
+ iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
+ ip daddr $PUBLIC_TELEKOM_NS_IP udp dport 53 \
counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
add rule ip efg_nat prerouting \
- iifname $EXTERNAL_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_NS_IP tcp dport 53 \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_TELEKOM_NS_IP tcp dport 53 \
counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
add rule ip efg_nat prerouting \
- iifname $EXTERNAL_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_TELEKOM_WS_IP tcp dport $WS_PORTS \
counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
add rule ip efg_filter forward \
ct state established, related \
- iifname $EXTERNAL_IF \
+ iifname $EXTERNAL_ACE_IF \
+ oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+ counter accept comment "Established sessions (ACE)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_TELEKOM_IF \
oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
- counter accept comment "Established sessions"
+ counter accept comment "Established sessions (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+ oifname $EXTERNAL_ACE_IF \
+ counter accept comment "Internet access (ACE)"
add rule ip efg_filter forward \
iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
- oifname $EXTERNAL_IF \
- counter accept comment "Internet access"
+ oifname $EXTERNAL_TELEKOM_IF \
+ counter accept comment "Internet access (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $EXTERNAL_ACE_IF \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ counter accept comment "Incoming VPN traffic (ACE)"
add rule ip efg_filter forward \
- iifname $EXTERNAL_IF \
+ iifname $EXTERNAL_TELEKOM_IF \
oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
- counter accept comment "Incoming VPN traffic"
+ counter accept comment "Incoming VPN traffic (TELEKOM)"
add rule ip efg_filter forward \
- iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
counter accept comment "Incoming http(s) requests"
add rule ip efg_filter forward \
ct state established \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
- oifname $EXTERNAL_IF tcp dport 1024-65535 \
+ oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
counter accept comment "Outgoing http(s) replies"
add rule ip efg_filter forward \
- iifname $EXTERNAL_IF udp sport 1024-65535 \
+ iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
counter accept comment "Incoming DNS requests/notifications (udp)"
add rule ip efg_filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
- oifname $EXTERNAL_IF udp dport 1024-65535 \
+ oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (udp)"
add rule ip efg_filter forward \
- iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
counter accept comment "Incoming DNS requests (tcp)"
add rule ip efg_filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
- oifname $EXTERNAL_IF tcp dport 1024-65535 \
+ oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (tcp)"
add rule ip efg_filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
- oifname $EXTERNAL_IF udp dport 53 \
+ oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
counter accept comment "Outgoing DNS requests/notifications (udp)"
add rule ip efg_filter forward \
ct state established, related \
- iifname $EXTERNAL_IF udp sport 53 \
+ iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
counter accept comment "Incoming DNS replies (udp)"
add rule ip efg_filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
- oifname $EXTERNAL_IF tcp dport 53 \
+ oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
counter accept comment "Outgoing DNS requests (tcp)"
add rule ip efg_filter forward \
ct state established, related \
- iifname $EXTERNAL_IF tcp sport 53 \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp)"
add rule ip efg_filter forward \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
- oifname $EXTERNAL_IF tcp dport $WS_PORTS \
+ oifname $EXTERNAL_TELEKOM_IF tcp dport $WS_PORTS \
counter accept comment "Outgoing let's encrypt requests"
add rule ip efg_filter forward \
ct state established \
- iifname $EXTERNAL_IF tcp sport $WS_PORTS \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport $WS_PORTS \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
counter accept comment "Incoming let's encrypt replies"
################################
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_IF ip saddr $VPN_INTERNAL_IP \
- counter snat $PUBLIC_VPN_IP comment "Outgoing VPN traffic"
+ oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IP \
+ counter snat $PUBLIC_ACE_VPN_IP comment "Outgoing VPN traffic (ACE)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $VPN_INTERNAL_IP \
+ counter snat $PUBLIC_TELEKOM_VPN_IP comment "Outgoing VPN traffic (TELEKOM)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_NETS \
+ counter snat $PUBLIC_ACE_EFG_IP comment "Outgoing internal traffic (ACE)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_IF ip saddr $INTERNAL_NETS \
- counter snat $PUBLIC_EFG_IP comment "Outgoing internal traffic"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_NETS \
+ counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing internal traffic (TELEKOM)"
#add rule ip efg_nat postrouting \
-# oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IP \
-# counter snat $PUBLIC_MX_IP comment "Outgoing MX traffic"
+# oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IP \
+# counter snat $PUBLIC_TELEKOM_MX_IP comment "Outgoing MX traffic"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_IF ip saddr $ENS_PERIMETER_IP \
- counter snat $PUBLIC_NS_IP comment "Outgoing external DNS traffic"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IP \
+ counter snat $PUBLIC_TELEKOM_NS_IP comment "Outgoing external DNS traffic"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_IF ip saddr $PNS_PERIMETER_IP \
- counter snat $PUBLIC_EFG_IP comment "Outgoing perimeter DNS traffic"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IP \
+ counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing perimeter DNS traffic"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_IF ip saddr $WS_PERIMETER_IP \
- counter snat $PUBLIC_WS_IP comment "Outgoing WS traffic"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IP \
+ counter snat $PUBLIC_TELEKOM_WS_IP comment "Outgoing WS traffic"
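Review bot: Nothing in this hunk pins a flow that entered via $EXTERNAL_ACE_IF (the VPN DNAT at L50-52) or that was SNATed to an ACE address (L187-188, L194-196) to leaving via eth2 again; that is decided by the routing table, so unless source-based policy routing (or a conntrack/fwmark rule, e.g. `ip rule add from 37.220.137.136/29 lookup ace`) exists outside this diff, replies and continuing packets can exit eth1 carrying a 37.220.137.x source, which the Telekom upstream may drop as spoofed and which silently bypasses the per-interface `ct state established` accepts at L82-94. If that is not handled elsewhere, the ruleset can carry the mark itself — `ct state new iifname $EXTERNAL_ACE_IF ct mark set 0x2` in the forward chain plus a `meta mark set ct mark` restore in a prerouting/output chain — with a matching `ip rule ... fwmark 0x2`; I cannot confirm from this diff whether either mechanism is already in place, and the table/chain declarations with their default policies are outside the hunk. On style, the ACE/Telekom pairs at L82-94, L96-105 and L107-116 differ only in the interface name and could be collapsed with an anonymous set, e.g. `iifname { $EXTERNAL_ACE_IF, $EXTERNAL_TELEKOM_IF }`, which keeps the two uplinks from drifting apart as further per-interface copies are added. Note also that only the VPN and catch-all internal traffic gained ACE counterparts, so inbound DNS/HTTP(S) arriving on eth2 has no DNAT and falls through to whatever the chain policy is; worth a one-line comment stating that this is intentional.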