From: Zoltán Felleg Date: Tue, 28 Jan 2025 10:31:17 +0000 (+0100) Subject: Updated ifg.in (added linuxone interface and rules). X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=04f8a23e835ed81ea27b34e51659a5708ca1e539;p=user-lxc.git Updated ifg.in (added linuxone interface and rules). --- diff --git a/sources/ifg.in/c3d/firstboot/data/nftables.config b/sources/ifg.in/c3d/firstboot/data/nftables.config index 9af71cb..d44fcd4 100644 --- a/sources/ifg.in/c3d/firstboot/data/nftables.config +++ b/sources/ifg.in/c3d/firstboot/data/nftables.config @@ -8,11 +8,14 @@ # internal interface define INTERNAL_IF = eth0 +# linuxone interface +define LINUXONE_IF = eth1 + # loopback interface define LOOPBACK_IF = lo # perimeter interface -define PERIMETER_IF = eth1 +define PERIMETER_IF = eth2 ################################ # address definitions @@ -53,6 +56,10 @@ define PNS_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:addf # transfer web server address (perimeter network) define XFR_PERIMETER_IPV4 = 192.168.173.174 +# perimeter mail exchanger address (perimeter network) +define MX_PERIMETER_IPV4 = 192.168.173.154 +define MX_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad9a + # external name server address (perimeter network) define ENS_PERIMETER_IPV4 = 192.168.173.147 define ENS_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad93 @@ -65,6 +72,10 @@ define GIT_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad2a define IFG_PERIMETER_IPV4 = 192.168.173.1 define IFG_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad01 +# ifg addresses (linuxone network) +define LINUXONE_INTERNAL_IPV4 = 172.24.121.254 +define LINUXONE_INTERNAL_IPV6 = 2001:1aa1:000a:577d:000c:18ff:fe03:79fe + # ifg addresses (internal network) define IFG_INTERNAL_IPV4 = 10.228.109.254 define IFG_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6dfe 
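Review bot: `LINUXONE_INTERNAL_IPV4`/`LINUXONE_INTERNAL_IPV6` break the naming scheme the gateway's own addresses use: the neighbouring `IFG_PERIMETER_*` and `IFG_INTERNAL_*` are `IFG_<network>_<family>`, and a `<HOST>_INTERNAL_*` name in this file otherwise denotes a host on the internal network (`FDC_INTERNAL_IPV4`, `SLYCRM_INTERNAL_IPV4`). Rename them to `IFG_LINUXONE_IPV4` / `IFG_LINUXONE_IPV6` to match their own comment `# ifg addresses (linuxone network)`; neither name is referenced in any other hunk of this commit, so the rename is local to this block. The values themselves are consistent with the `lxc.net.1.hwaddr` set in the config hunk (the IPv6 suffix is the EUI-64 form of 02:0c:18:03:79:fe).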
@@ -101,6 +112,10 @@ define MINICRM_INTERNAL_IPV4 = 10.228.109.133 define FDC_INTERNAL_IPV4 = 10.228.109.131 define FDC_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d83 +# slycrm address (internal network) +define SLYCRM_INTERNAL_IPV4 = 10.228.109.53 +define SLYCRM_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d35 + # slycrm proxy address (internal network) define SLYCPX_INTERNAL_IPV4 = 10.228.109.44 define SLYCPX_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d2c @@ -129,6 +144,8 @@ define WORKSHEET_SR_IPV4 = 192.168.42.248 # internal networks define INTERNAL_IPV4_NET = 10.228.0.0/16 define INTERNAL_IPV6_NET = 2001:1aa1:000a:7dae::/64 +define LINUXONE_IPV4_NET = 172.24.121.0/24 +define LINUXONE_IPV6_NET = 2001:1aa1:000a:577d::/64 define SR_IPV4_NET = 192.168.42.0/24 define IN_IPV4_NET = 192.168.43.0/24 define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \ @@ -149,8 +166,11 @@ define PEEP_BO_NET = 10.162.0.0/16 # port definitions ################################ -#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 } +define MX_PORTS = { smtp, pop3, imap, 465, submission, imaps, pop3s } +# 465: SMTP over SSL (TLS) + define VPN_PORT = 51820 +# 51820: wireguard ################################ @@ -179,6 +199,11 @@ add rule ip ifg-nat prerouting \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \ counter dnat $WS_PERIMETER_IPV4 comment "Webserver access" +add rule ip ifg-nat prerouting \ + ip protocol tcp \ + iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET tcp sport 1024-65535 \ + ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \ + counter dnat $WS_PERIMETER_IPV4 comment "Webserver access" ################################ 
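Review bot: `MX_PORTS` opens the cleartext POP3 (110) and IMAP (143) ports alongside their TLS variants, yet the only annotation explains 465; the define should record that 110/143 depend on the MX enforcing STARTTLS, because the forward rule that consumes `$MX_PORTS` cannot check it. Suggested replacement for `# 465: SMTP over SSL (TLS)`: `# 465: submissions (SMTP over implicit TLS, RFC 8314); 110/143 are cleartext unless STARTTLS is mandatory on the MX`.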
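Review bot: The new prerouting DNAT for `$LINUXONE_IF` appears to have no matching accept in the forward chain: after translation the packet's daddr is `$WS_PERIMETER_IPV4`, and the only LinuxONE→perimeter accept this commit adds is its "Internet access" rule, whose `ip daddr != $PERIMETER_NET` excludes exactly that destination, while the existing internal-side DNAT is paired with a dedicated "Webserver access" forward rule. Unless such a rule already exists outside this diff, the hairpin to the public web address is translated and then dropped by the filter chain. Mirror the internal rule for the LinuxONE segment, restricted to the same source network and ports:
```nftables
add rule ip ifg-filter forward \
	ct state new, established \
	ip protocol tcp \
	iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET tcp sport 1024-65535 \
	oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
	counter accept comment "Webserver access"
```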
@@ -244,6 +269,16 @@ add rule ip6 ifg-filter forward \ iifname $PERIMETER_IF \ oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \ counter accept comment "Established sessions" +add rule ip ifg-filter forward \ + ct state established, related \ + iifname $PERIMETER_IF \ + oifname $LINUXONE_IF ip daddr $LINUXONE_IPV4_NET \ + counter accept comment "Established sessions" +add rule ip6 ifg-filter forward \ + ct state established, related \ + iifname $PERIMETER_IF \ + oifname $LINUXONE_IF ip6 daddr $LINUXONE_IPV6_NET \ + counter accept comment "Established sessions" add rule ip ifg-filter forward \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \ 
@@ -253,20 +288,39 @@ add rule ip6 ifg-filter forward \ iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \ oifname $PERIMETER_IF \ counter accept comment "Internet access" +add rule ip ifg-filter forward \ + iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET \ + oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \ + counter accept comment "Internet access" +add rule ip6 ifg-filter forward \ + iifname $LINUXONE_IF ip6 saddr $LINUXONE_IPV6_NET \ + oifname $PERIMETER_IF \ + counter accept comment "Internet access" + +add rule ip ifg-filter forward \ + iifname $LINUXONE_IF oifname $INTERNAL_IF \ + counter accept comment "LinuxONE internal communication" +add rule ip6 ifg-filter forward \ + iifname $LINUXONE_IF oifname $INTERNAL_IF \ + counter accept comment "LinuxONE internal communication" +add rule ip ifg-filter forward \ + iifname $INTERNAL_IF oifname $LINUXONE_IF \ + counter accept comment "internal LinuxONE communication" +add rule ip6 ifg-filter forward \ + iifname $INTERNAL_IF oifname $LINUXONE_IF \ + counter accept comment "internal LinuxONE communication" add rule ip ifg-filter forward \ - ct state new, established \ - ip protocol tcp \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ - oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \ - counter accept comment "Webserver access" + oifname $PERIMETER_IF ip daddr $MX_PERIMETER_IPV4 tcp dport $MX_PORTS \ + counter accept comment "Mailserver access" add rule ip ifg-filter forward \ ct state new, established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ - oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport ssh \ - counter accept comment "Webserver SSH access" + oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \ + counter accept comment "Webserver access" add rule ip ifg-filter forward \ ct state new \ 
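Review bot: The four "LinuxONE internal communication" / "internal LinuxONE communication" rules accept every packet between `$LINUXONE_IF` and `$INTERNAL_IF` with no source/destination network, no `ct state` and no port match — the only rules in this file with that shape — which puts the whole internal network (PKI, FDC, CRM hosts) one hop from the new segment with no anti-spoofing check. At minimum pin both directions to `$LINUXONE_IPV4_NET`/`$LINUXONE_IPV6_NET` and `$INTERNAL_IPV4_NETS`/`$INTERNAL_IPV6_NET`, and make the internal→LinuxONE direction `ct state established, related` unless the internal side genuinely initiates connections, in which case add per-service rules the way the perimeter rules do. Two smaller inconsistencies in the same hunk: the new "Mailserver access" rule drops the `ct state new, established` that the adjacent webserver rule keeps, and no IPv6 counterpart uses the `MX_PERIMETER_IPV6` this commit defines; the LinuxONE IPv6 "Internet access" rule also lacks the `!= $PERIMETER_NET` exclusion of its IPv4 twin (the same asymmetry the existing internal rules show). The last rule in the hunk (`ct state new \`) continues outside it.
```nftables
add rule ip ifg-filter forward \
	iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET \
	oifname $INTERNAL_IF ip daddr $INTERNAL_IPV4_NETS \
	counter accept comment "LinuxONE internal communication"
add rule ip6 ifg-filter forward \
	iifname $LINUXONE_IF ip6 saddr $LINUXONE_IPV6_NET \
	oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \
	counter accept comment "LinuxONE internal communication"
add rule ip ifg-filter forward \
	ct state established, related \
	iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
	oifname $LINUXONE_IF ip daddr $LINUXONE_IPV4_NET \
	counter accept comment "internal LinuxONE communication"
add rule ip6 ifg-filter forward \
	ct state established, related \
	iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \
	oifname $LINUXONE_IF ip6 daddr $LINUXONE_IPV6_NET \
	counter accept comment "internal LinuxONE communication"
```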
@@ -355,17 +409,19 @@ add rule ip ifg-filter forward \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr { $DVREDMINE_INTERNAL_IPV4, \ $FDC_INTERNAL_IPV4, \ + $SLYCPX_INTERNAL_IPV4, \ $STORE_INTERNAL_IPV4, \ $WIKI_INTERNAL_IPV4 } tcp sport http \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ - counter accept comment "Fdc, redmine, store and wiki replies" + counter accept comment "Fdc, redmine, slycpx, store and wiki replies" add rule ip6 ifg-filter forward \ ct state established \ iifname $INTERNAL_IF ip6 saddr { $FDC_INTERNAL_IPV6, \ $STORE_INTERNAL_IPV6, \ + $SLYCPX_INTERNAL_IPV6, \ $WIKI_INTERNAL_IPV6 } tcp sport http \ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \ - counter accept comment "Fdc, store and wiki replies" + counter accept comment "Fdc, slycpx, store and wiki replies" add rule ip ifg-filter forward \ ip protocol tcp \ 
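Review bot: `$SLYCPX_INTERNAL_IPV6` is inserted after `$STORE_INTERNAL_IPV6` while the IPv4 set and both updated comments list it before `store`; keep the two sets in the same alphabetical order so the address families can be compared line by line. These are reply-direction rules (`ct state established`, `tcp sport http`), so they only matter if the request direction from `$WS_PERIMETER_IPV4`/`$WS_PERIMETER_IPV6` to the slycpx proxy on port http is accepted somewhere outside this diff — worth confirming that rule was added as well.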
@@ -414,24 +470,28 @@ add rule ip6 ifg-filter forward \ counter accept comment "Git, mercurial and subversion directory server replies" add rule ip ifg-filter forward \ - iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ + iifname $PERIMETER_IF ip saddr { $MX_PERIMETER_IPV4, \ + $WS_PERIMETER_IPV4 } tcp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \ - counter accept comment "Webserver letsencrypt transfer requests" + counter accept comment "Mail- and webserver letsencrypt transfer requests" add rule ip6 ifg-filter forward \ - iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \ + iifname $PERIMETER_IF ip6 saddr { $MX_PERIMETER_IPV6, \ + $WS_PERIMETER_IPV6 } tcp sport 1024-65535 \ oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \ - counter accept comment "Webserver letsencrypt transfer requests" + counter accept comment "Mail- and webserver letsencrypt transfer requests" add rule ip ifg-filter forward \ ct state established \ iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \ - oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ - counter accept comment "Webserver letsencrypt transfer replies" + oifname $PERIMETER_IF ip daddr { $MX_PERIMETER_IPV4, \ + $WS_PERIMETER_IPV4 } tcp dport 1024-65535 \ + counter accept comment "Mail- and webserver letsencrypt transfer replies" add rule ip6 ifg-filter forward \ ct state established \ iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \ - oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \ - counter accept comment "Webserver letsencrypt transfer replies" + oifname $PERIMETER_IF ip6 daddr { $MX_PERIMETER_IPV6, \ + $WS_PERIMETER_IPV6 } tcp dport 1024-65535 \ + counter accept comment "Mail- and webserver letsencrypt transfer replies" add rule ip ifg-filter forward \ ip protocol icmp \ 
diff --git a/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh b/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh index 9058396..6c17647 100755 --- a/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh +++ b/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh @@ -26,11 +26,11 @@ do done [ $CYCLES_WAITED -gt 0 ] && echo -# wait for the three network connections to come up +# wait for the four network connections to come up CONNECTION_DEVICES_UP=$(nmcli --terse connection show \ | grep --invert-match ':$' | wc -l) CYCLES_WAITED=0 -while [ $CONNECTION_DEVICES_UP -lt 3 ] +while [ $CONNECTION_DEVICES_UP -lt 4 ] do if [ $CYCLES_WAITED -ge 10 ] then @@ -51,22 +51,27 @@ done [ $CYCLES_WAITED -gt 0 ] && echo CONNECTIONS=$(nmcli --terse connection show | wc -l) -if [ $CONNECTIONS -ne 3 ] +if [ $CONNECTIONS -ne 4 ] then - echo "Number of connections: $CONNECTIONS instead of 3" >&2 + echo "Number of connections: $CONNECTIONS instead of 4" >&2 exit 1 fi CONNECTION_DEVICE_IN="eth0" -CONNECTION_DEVICE_PM="eth1" +CONNECTION_DEVICE_L1="eth1" +CONNECTION_DEVICE_PM="eth2" CONNECTION_ID_IN="internal" +CONNECTION_ID_L1="linuxone" CONNECTION_ID_PM="perimeter" CONNECTION_LINE_IN=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_IN}$") +CONNECTION_LINE_L1=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_L1}$") CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_PM}$") CONNECTION_UUID_IN=$(echo $CONNECTION_LINE_IN | cut -f 2 -d ':') +CONNECTION_UUID_L1=$(echo $CONNECTION_LINE_L1 | cut -f 2 -d ':') CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':') nmcli connection delete uuid "$CONNECTION_UUID_IN" +nmcli connection delete uuid "$CONNECTION_UUID_L1" nmcli connection delete uuid "$CONNECTION_UUID_PM" nmcli connection add \ 
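Review bot: `CONNECTION_UUID_L1` is passed to `nmcli connection delete uuid "$CONNECTION_UUID_L1"` without checking that `grep ":${CONNECTION_DEVICE_L1}$"` matched anything; the count check above only verifies that four connections exist, not that one is bound to eth1, so an empty match becomes a failing delete instead of a clear error (the existing IN/PM lines have the same gap and the new line copies it). Add a guard before the deletes, e.g. `[ -n "$CONNECTION_UUID_L1" ] || { echo "No connection on $CONNECTION_DEVICE_L1" >&2; exit 1; }`, and quote `"$CONNECTION_LINE_L1"` in the `echo` so word splitting cannot disturb the `cut`.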
@@ -92,6 +97,24 @@ allowed-connections=id:$CONNECTION_ID_IN keep-configuration=no EOF +nmcli connection add \ + connection.autoconnect yes \ + connection.id $CONNECTION_ID_L1 \ + connection.interface-name $CONNECTION_DEVICE_L1 \ + connection.type 802-3-ethernet \ + ipv4.addresses "172.24.121.254/24" \ + ipv4.method "manual" \ + ipv6.addresses "2001:1aa1:000a:577d:000c:18ff:fe03:79fe/64" \ + ipv6.method "manual" \ + save yes + +cat </etc/NetworkManager/conf.d/${CONNECTION_DEVICE_PM}.conf +[device] +match-device=interface-name:$CONNECTION_DEVICE_PM +allowed-connections=id:$CONNECTION_ID_PM +keep-configuration=no +EOF + nmcli connection add \ connection.autoconnect yes \ connection.id $CONNECTION_ID_PM \ diff --git a/sources/ifg.in/c3d/postinstall/install-data/etc/radvd.conf b/sources/ifg.in/c3d/postinstall/install-data/etc/radvd.conf index a198455..89cf104 100644 --- a/sources/ifg.in/c3d/postinstall/install-data/etc/radvd.conf +++ b/sources/ifg.in/c3d/postinstall/install-data/etc/radvd.conf @@ -8,3 +8,14 @@ interface eth0 AdvAutonomous on; }; }; + +interface eth1 +{ + AdvSendAdvert on; + + prefix ::/64 + { + AdvOnLink on; + AdvAutonomous on; + }; +}; diff --git a/sources/ifg.in/config b/sources/ifg.in/config index 9450416..b0639dc 100644 --- a/sources/ifg.in/config +++ b/sources/ifg.in/config @@ -13,9 +13,15 @@ lxc.net.0.hwaddr = 02:0c:18:03:6d:fe lxc.net.1.type = veth lxc.net.1.flags = up -lxc.net.1.link = brch-dev +lxc.net.1.link = brl1-dev lxc.net.1.name = eth1 -lxc.net.1.hwaddr = 02:0c:18:03:ad:01 +lxc.net.1.hwaddr = 02:0c:18:03:79:fe + +lxc.net.2.type = veth +lxc.net.2.flags = up +lxc.net.2.link = brch-dev +lxc.net.2.name = eth2 +lxc.net.2.hwaddr = 02:0c:18:03:ad:01 lxc.autodev = 1
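Review bot: The `linuxone` connection is created for eth1, but no `/etc/NetworkManager/conf.d/eth1.conf` pins that device to it, whereas eth0 (the context just above) and now eth2 (added here) each get a `[device]` stanza with `allowed-connections=id:…` and `keep-configuration=no`; without it NetworkManager may bring up a different profile (for example an auto-generated DHCP one) on the interface that fronts the new segment. Add the same stanza for `$CONNECTION_DEVICE_L1`/`$CONNECTION_ID_L1` before its `nmcli connection add`, unless it is written elsewhere in the image. The `cat </etc/NetworkManager/...` on the added line reads like `cat <<EOF >/etc/...` with the heredoc operator lost in rendering — confirm the file itself is intact.
```shell
cat <<EOF >/etc/NetworkManager/conf.d/${CONNECTION_DEVICE_L1}.conf
[device]
match-device=interface-name:$CONNECTION_DEVICE_L1
allowed-connections=id:$CONNECTION_ID_L1
keep-configuration=no
EOF
```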