From: Zoltán Felleg
Date: Mon, 17 May 2021 13:52:11 +0000 (+0200)
Subject: Updated efg.pm (updated nftables, routing).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=19c4a9ee96c15b9a3dfcf557bd16065e09d871e3;p=user-lxc.git

Updated efg.pm (updated nftables, routing).
---
diff --git a/sources/efg.pm/envvars b/sources/efg.pm/envvars
index 107ca30..b3b1ad6 100644
--- a/sources/efg.pm/envvars
+++ b/sources/efg.pm/envvars
@@ -2,4 +2,4 @@ DISTRIBUTION=Fedora
 DISTRIBUTION_VERSION=33
 ROOT_PACKAGES="hostname initscripts iproute rootfiles systemd-udev"
 BASE_PACKAGES="NetworkManager iputils logrotate rsyslog tar vim-minimal"
-SPEC_PACKAGES="ethtool nftables radvd tcpdump"
+SPEC_PACKAGES="cronie ethtool nftables radvd tcpdump"
diff --git a/sources/efg.pm/firstboot/01_setupnetworking.sh b/sources/efg.pm/firstboot/01_setupnetworking.sh
index f809b4b..1cbe005 100755
--- a/sources/efg.pm/firstboot/01_setupnetworking.sh
+++ b/sources/efg.pm/firstboot/01_setupnetworking.sh
@@ -66,8 +66,11 @@ nmcli connection add \
 ipv4.addresses "192.168.65.1/24, 188.6.255.10/30" \
 ipv4.gateway "188.6.255.9" \
 ipv4.method "manual" \
+ ipv4.route-table 150 \
+ ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \
 ipv6.method "auto" \
 save yes
+ # magyar telekom -> mt (13 * 10 + 20)
 nmcli connection show
@@ -82,7 +85,9 @@ nmcli connection add \
 ipv6.addresses "2a02:d400:0000:f200:000c:18ff:fe03:8961/64" \
 ipv6.gateway "2a02:d400:0000:f200::1" \
 ipv6.method "manual" \
- save yes
 nmcli connection show
+
+echo "@reboot /usr/local/bin/setuprouting.sh" >>/etc/crontab
+/usr/local/bin/setuprouting.sh
diff --git a/sources/efg.pm/firstboot/nftables.config b/sources/efg.pm/firstboot/nftables.config
index defad83..66e3758 100644
--- a/sources/efg.pm/firstboot/nftables.config
+++ b/sources/efg.pm/firstboot/nftables.config
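Review bot: The three `ipv4.routes` added to this connection use next-hop 192.168.173.1, which lies in neither of the connection's own subnets (192.168.65.0/24 and 188.6.255.8/30); unless that gateway is on-link through this device the kernel rejects the routes, they never land in table 150, and the `lookup 150` policy rules have only the default route to fall back on. If 192.168.173.1 is the perimeter-side router (nftables.config defines EFG_PERIMETER_IPV4 as 192.168.173.254), the routes belong on the connection that owns that interface, or need an explicit on-link attribute such as `ipv4.routes "10.228.0.0/16 192.168.173.1 onlink=true, ..."` if this NetworkManager version supports it. `ipv4.route-table 150` also moves this connection's default route via 188.6.255.9 out of the main table, which looks intended but is worth stating next to the `# magyar telekom -> mt (13 * 10 + 20)` line, e.g. `# all routes of this connection (incl. default) go to table 150; only sources selected in setuprouting.sh use it`. The `nmcli connection add` command begins before this hunk.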
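Review bot: The entry appended to /etc/crontab has no user field: the system crontab format is `@reboot <user> <command>`, so cron reads `/usr/local/bin/setuprouting.sh` as the user name and the script never runs after a reboot; it should be `echo "@reboot root /usr/local/bin/setuprouting.sh" >>/etc/crontab`. The append is also unconditional, so every run of this firstboot script adds another copy — guard it with `grep -q setuprouting.sh /etc/crontab || echo "@reboot root /usr/local/bin/setuprouting.sh" >>/etc/crontab`. Whether crond is actually enabled in the image is not visible here; cronie is only added to SPEC_PACKAGES in this commit. Dropping `save yes` is harmless since saving is nmcli's default, but it is unrelated to the commit message.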
@@ -38,18 +38,6 @@ define PUBLIC_ACE_IPV4_107 = 37.220.137.107
 define PUBLIC_ACE_ZFDL360E_IPV4 = 37.220.137.108
 define PUBLIC_ACE_ZFDL380E_IPV4 = 37.220.137.109
 define PUBLIC_TELEKOM_EFG_IPV4 = 188.6.255.10
-define PUBLIC_TELEKOM_MX_IPV4 = 194.149.40.147
-define PUBLIC_TELEKOM_NS_IPV4 = 194.149.40.148
-define PUBLIC_TELEKOM_VPN_IPV4 = 194.149.40.149
-define PUBLIC_TELEKOM_WS_IPV4 = 194.149.40.150
-define PUBLIC_TELEKOM_MINECRAFT_IPV4 = 194.149.40.151
-define PUBLIC_TELEKOM_IPV4_152 = 194.149.40.152
-define PUBLIC_TELEKOM_IPV4_153 = 194.149.40.153
-define PUBLIC_TELEKOM_IPV4_154 = 194.149.40.154
-define PUBLIC_TELEKOM_IPV4_155 = 194.149.40.155
-define PUBLIC_TELEKOM_IPV4_156 = 194.149.40.156
-define PUBLIC_TELEKOM_IPV4_157 = 194.149.40.157
-define PUBLIC_TELEKOM_DL380E_IPV4 = 194.149.40.158
 # efg address (perimeter network)
 define EFG_PERIMETER_IPV4 = 192.168.173.254
@@ -151,53 +139,28 @@ create chain ip6 efg_filter output { type filter hook output priority 0; policy
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF \
 ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
- counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (ACE)"
-
-add rule ip efg_nat prerouting \
- iifname $EXTERNAL_TELEKOM_IF \
- ip daddr $PUBLIC_TELEKOM_VPN_IPV4 udp dport 1194 \
- counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (TELEKOM)"
+ counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
 #add rule ip efg_nat prerouting \
 # iifname $EXTERNAL_ACE_IF \
 # ip daddr $PUBLIC_ACE_MX_IPV4 tcp dport $MX_PORTS \
 # counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
-#add rule ip efg_nat prerouting \
-# iifname $EXTERNAL_TELEKOM_IF \
-# ip daddr $PUBLIC_TELEKOM_MX_IPV4 tcp dport $MX_PORTS \
-# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
-
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
 ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
 counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
-add rule ip efg_nat prerouting \
- iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_NS_IPV4 udp dport 53 \
- counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
-
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
 ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
 counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
-add rule ip efg_nat prerouting \
- iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_NS_IPV4 tcp dport 53 \
- counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
-
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
 ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport $WS_PORTS \
 counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
-add rule ip efg_nat prerouting \
- iifname $EXTERNAL_TELEKOM_IF
tcp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_WS_IPV4 tcp dport $WS_PORTS \
- counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
-
 ################################
 # FILTER input rules
@@ -217,7 +180,7 @@ add rule ip6 efg_filter input \
 add rule ip efg_filter input \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule inet efg_filter input \
+add rule ip6 efg_filter input \
 icmpv6 type { destination-unreachable, \
 echo-reply, \
 echo-request, \
@@ -425,6 +388,23 @@ add rule ip efg_filter forward \
 add rule ip efg_filter forward \
 ip protocol icmp \
 counter accept comment "ICMP"
+add rule ip6 efg_filter forward \
+ icmpv6 type { destination-unreachable, \
+ echo-reply, \
+ echo-request, \
+ mld-listener-done, \
+ mld-listener-query, \
+ mld-listener-report, \
+ nd-redirect, \
+ nd-router-solicit, \
+ nd-router-advert, \
+ nd-neighbor-solicit, \
+ nd-neighbor-advert, \
+ packet-too-big, \
+ parameter-problem, \
+ router-renumbering, \
+ time-exceeded } \
+ counter accept comment "ICMPv6"
 add rule ip efg_filter forward \
 counter log prefix "FORWARD"
@@ -451,7 +431,7 @@ add rule ip6 efg_filter output \
 add rule ip efg_filter output \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule inet efg_filter output \
+add rule ip6 efg_filter output \
 icmpv6 type { destination-unreachable, \
 echo-reply, \
 echo-request, \
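Review bot: The new `ip6 efg_filter forward` rule accepts ICMPv6 types that a router never legitimately forwards — the nd-* neighbour-discovery and mld-* multicast-listener messages and router-renumbering are link-local (hop limit 255 or link-local scope), and RFC 4890 §4.3.3 recommends that a transit firewall drop them. Accepting them in the forward chain makes nothing work that did not already, it only widens what a spoofed packet can traverse; the full list is right for the input and output chains, but forward should keep only the error and echo types, as in the rewrite below. The `counter log prefix "FORWARD"` rule that follows is ip-family only, so whether non-accepted ip6 forward traffic is logged at all depends on rules outside this hunk.
```nftables
add rule ip6 efg_filter forward \
        icmpv6 type { destination-unreachable, \
                      packet-too-big, \
                      time-exceeded, \
                      parameter-problem, \
                      echo-request, \
                      echo-reply } \
        counter accept comment "ICMPv6 (transit types only, RFC 4890 4.3.1)"
```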
@@ -481,15 +461,11 @@ add rule ip6 efg_filter output \
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IPV4 \
- counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic (ACE)"
-
-add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $VPN_INTERNAL_IPV4 \
- counter snat $PUBLIC_TELEKOM_VPN_IPV4 comment "Outgoing VPN traffic (TELEKOM)"
+ counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
- counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic (ACE)"
+ counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_IPV4_NETS \
@@ -497,32 +473,16 @@ add rule ip efg_nat postrouting \
 #add rule ip efg_nat postrouting \
 # oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IPV4 \
-# counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic (ACE)"
-
-#add rule ip efg_nat postrouting \
-# oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IPV4 \
-# counter snat $PUBLIC_TELEKOM_MX_IPV4 comment "Outgoing MX traffic (TELEKOM)"
+# counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IPV4 \
- counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic (ACE)"
-
-add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IPV4 \
- counter snat $PUBLIC_TELEKOM_NS_IPV4 comment "Outgoing external DNS traffic (TELEKOM)"
+ counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IPV4 \
- counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic (ACE)"
-
-add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IPV4 \
- counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing perimeter DNS traffic (TELEKOM)"
+ counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IPV4 \
- counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic (ACE)"
-
-add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IPV4 \
- counter snat $PUBLIC_TELEKOM_WS_IPV4 comment "Outgoing WS traffic (TELEKOM)"
+ counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic"
diff --git a/sources/efg.pm/postinstall/install/usr/local/bin/setuprouting.sh b/sources/efg.pm/postinstall/install/usr/local/bin/setuprouting.sh
new file mode 100755
index 0000000..2ee62a3
--- /dev/null
+++ b/sources/efg.pm/postinstall/install/usr/local/bin/setuprouting.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+ip rule add from 10.228.10.0/24 lookup 150
+ip rule add from 10.228.43.0/24 lookup 150
+ip rule add from 10.228.109.250/32 lookup 150
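Review bot: `ip rule add` is not idempotent — the kernel accepts identical rules any number of times — and this script is run both directly from the firstboot script and again from the cron `@reboot` entry, so a single boot can end up with duplicated rules; remove any existing rule before adding, as in the rewrite below. Source-based policy routing also governs replies to inbound DNATed flows, because the routing decision is taken before the reverse NAT in postrouting: if $VPN_INTERNAL_IPV4 or a perimeter host falls inside 10.228.10.0/24, 10.228.43.0/24 or 10.228.109.250, replies to connections that arrived on the ACE uplink would leave via table 150's Telekom default route carrying an ACE source address. Those addresses are not visible in this diff, so confirm they lie outside these prefixes, or steer by a conntrack mark set in nftables prerouting instead of by source. The script also has no comment saying what table 150 is; the rewrite adds one.
```sh
#!/bin/sh
# Send traffic from the listed internal sources through routing table 150,
# the table NetworkManager fills for the Telekom uplink (ipv4.route-table 150).
# Runs at firstboot and from cron @reboot, so existing rules are removed first
# to keep the rule list free of duplicates.
for src in 10.228.10.0/24 10.228.43.0/24 10.228.109.250/32; do
    while ip rule del from "$src" lookup 150 2>/dev/null; do :; done
    ip rule add from "$src" lookup 150
done
```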