# internal interface
define INTERNAL_IF = eth0
-# linuxone interface
-define LINUXONE_IF = eth1
-
# loopback interface
define LOOPBACK_IF = lo
# perimeter interface
-define PERIMETER_IF = eth2
+define PERIMETER_IF = eth1
################################
# address definitions
define IFG_PERIMETER_IPV4 = 192.168.173.1
define IFG_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad01
-# ifg addresses (linuxone network)
-define LINUXONE_INTERNAL_IPV4 = 172.24.121.254
-define LINUXONE_INTERNAL_IPV6 = 2001:1aa1:000a:577d:000c:18ff:fe03:79fe
-
# ifg addresses (internal network)
define IFG_INTERNAL_IPV4 = 10.228.109.254
define IFG_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6dfe
# internal networks
define INTERNAL_IPV4_NET = 10.228.0.0/16
define INTERNAL_IPV6_NET = 2001:1aa1:000a:7dae::/64
-define LINUXONE_IPV4_NET = 172.24.121.0/24
-define LINUXONE_IPV6_NET = 2001:1aa1:000a:577d::/64
define SR_IPV4_NET = 192.168.42.0/24
define IN_IPV4_NET = 192.168.43.0/24
define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \
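Review bot: Reassigning `PERIMETER_IF` from `eth2` to `eth1` moves the untrusted uplink onto the interface name that, until this commit, carried the LinuxONE network, so every `iifname $PERIMETER_IF` / `oifname $PERIMETER_IF` rule in this rule set silently changes which physical link it governs, and nothing in the hunk records that the NIC wiring and the NetworkManager profiles have to be cut over in the same deployment. If this rule set is loaded on a host where `eth2` still exists (or before the profiles are reassigned), `eth2` traffic matches no interface-scoped rule and falls through to the chain policies, which are not visible here. I would pin the assumption next to the definition: `# eth1 was the LinuxONE link before the interface renumbering; must match the NetworkManager profile script`. The `INTERNAL_IPV4_NETS` set definition continues past the end of the hunk, so whether a LinuxONE member was also dropped from it cannot be seen here.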
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
-add rule ip ifg-nat prerouting \
- ip protocol tcp \
- iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET tcp sport 1024-65535 \
- ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
- counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
-
################################
# FILTER input rules
iifname $PERIMETER_IF \
oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \
counter accept comment "Established sessions"
-add rule ip ifg-filter forward \
- ct state established, related \
- iifname $PERIMETER_IF \
- oifname $LINUXONE_IF ip daddr $LINUXONE_IPV4_NET \
- counter accept comment "Established sessions"
-add rule ip6 ifg-filter forward \
- ct state established, related \
- iifname $PERIMETER_IF \
- oifname $LINUXONE_IF ip6 daddr $LINUXONE_IPV6_NET \
- counter accept comment "Established sessions"
add rule ip ifg-filter forward \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \
oifname $PERIMETER_IF \
counter accept comment "Internet access"
-add rule ip ifg-filter forward \
- iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET \
- oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
- counter accept comment "Internet access"
-add rule ip6 ifg-filter forward \
- iifname $LINUXONE_IF ip6 saddr $LINUXONE_IPV6_NET \
- oifname $PERIMETER_IF \
- counter accept comment "Internet access"
-
-add rule ip ifg-filter forward \
- iifname $LINUXONE_IF oifname $INTERNAL_IF \
- counter accept comment "LinuxONE internal communication"
-add rule ip6 ifg-filter forward \
- iifname $LINUXONE_IF oifname $INTERNAL_IF \
- counter accept comment "LinuxONE internal communication"
-add rule ip ifg-filter forward \
- iifname $INTERNAL_IF oifname $LINUXONE_IF \
- counter accept comment "internal LinuxONE communication"
-add rule ip6 ifg-filter forward \
- iifname $INTERNAL_IF oifname $LINUXONE_IF \
- counter accept comment "internal LinuxONE communication"
add rule ip ifg-filter forward \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
done
[ $CYCLES_WAITED -gt 0 ] && echo
-# wait for the four network connections to come up
+# wait for the three network connections to come up
CONNECTION_DEVICES_UP=$(nmcli --terse connection show \
| grep --invert-match ':$' | wc -l)
CYCLES_WAITED=0
-while [ $CONNECTION_DEVICES_UP -lt 4 ]
+while [ $CONNECTION_DEVICES_UP -lt 3 ]
do
if [ $CYCLES_WAITED -ge 10 ]
then
[ $CYCLES_WAITED -gt 0 ] && echo
CONNECTIONS=$(nmcli --terse connection show | wc -l)
-if [ $CONNECTIONS -ne 4 ]
+if [ $CONNECTIONS -ne 3 ]
then
echo "Number of connections: $CONNECTIONS instead of 4" >&2
exit 1
fi
CONNECTION_DEVICE_IN="eth0"
-CONNECTION_DEVICE_L1="eth1"
-CONNECTION_DEVICE_PM="eth2"
+CONNECTION_DEVICE_PM="eth1"
CONNECTION_ID_IN="internal"
-CONNECTION_ID_L1="linuxone"
CONNECTION_ID_PM="perimeter"
CONNECTION_LINE_IN=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_IN}$")
-CONNECTION_LINE_L1=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_L1}$")
CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_PM}$")
CONNECTION_UUID_IN=$(echo $CONNECTION_LINE_IN | cut -f 2 -d ':')
-CONNECTION_UUID_L1=$(echo $CONNECTION_LINE_L1 | cut -f 2 -d ':')
CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
nmcli connection delete uuid "$CONNECTION_UUID_IN"
-nmcli connection delete uuid "$CONNECTION_UUID_L1"
nmcli connection delete uuid "$CONNECTION_UUID_PM"
nmcli connection add \
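Review bot: The abort message `echo "Number of connections: $CONNECTIONS instead of 4" >&2` still says 4 although the check just above it was changed to `if [ $CONNECTIONS -ne 3 ]`, so the script now reports a contradictory expected count when it fails; change it to `echo "Number of connections: $CONNECTIONS instead of 3" >&2`, or better keep the expected count in one place, e.g. `EXPECTED_CONNECTIONS=3` used by the `-lt`, the `-ne` and the message, so the three occurrences cannot drift again. Separately, `CONNECTION_DEVICE_PM="eth1"` binds the perimeter profile to the device that previously held the `linuxone` profile; on a host already provisioned with the old four-connection layout the `-ne 3` guard will presumably refuse to run until the stale profile is removed by hand, which deserves a comment above the check such as `# hosts provisioned with the old linuxone profile must have it deleted before re-running`. The enclosing `while` loop and the rest of the script start and end outside the hunk.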
keep-configuration=no
EOF
-nmcli connection add \
- connection.autoconnect yes \
- connection.id $CONNECTION_ID_L1 \
- connection.interface-name $CONNECTION_DEVICE_L1 \
- connection.type 802-3-ethernet \
- ipv4.addresses "172.24.121.254/24" \
- ipv4.method "manual" \
- ipv6.addresses "2001:1aa1:000a:577d:000c:18ff:fe03:79fe/64" \
- ipv6.method "manual" \
- save yes
-
-cat <<EOF >/etc/NetworkManager/conf.d/${CONNECTION_DEVICE_PM}.conf
-[device]
-match-device=interface-name:$CONNECTION_DEVICE_PM
-allowed-connections=id:$CONNECTION_ID_PM
-keep-configuration=no
-EOF
-
nmcli connection add \
connection.autoconnect yes \
connection.id $CONNECTION_ID_PM \