From: Zoltán Felleg
Date: Tue, 5 Nov 2019 15:59:23 +0000 (+0100)
Subject: Added efg.pm (cvm -> vhost migration, Fedora 31 upgrade).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=48c3bb25d54166bb4b11285617014c4ee82bd437;p=user-lxc.git
Added efg.pm (cvm -> vhost migration, Fedora 31 upgrade).
---
diff --git a/sources/efg.pm/config b/sources/efg.pm/config
new file mode 100644
index 0000000..75be1c8
--- /dev/null
+++ b/sources/efg.pm/config
@@ -0,0 +1,23 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = efg.pm.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = brh-dev
+lxc.net.0.hwaddr = 02:0c:18:03:ad:fe
+
+lxc.net.1.type = phys
+lxc.net.1.flags = up
+lxc.net.1.link = bonde-dev
+
+lxc.autodev = 1
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 1
+lxc.start.delay = 3
diff --git a/sources/efg.pm/envvars b/sources/efg.pm/envvars
new file mode 100644
index 0000000..5eb2281
--- /dev/null
+++ b/sources/efg.pm/envvars
@@ -0,0 +1,4 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=31
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils logrotate rootfiles rsyslog tar vim-minimal"
+SPEC_PACKAGES="ethtool nftables radvd tcpdump"
diff --git a/sources/efg.pm/firstboot/01_setupnetworking.sh b/sources/efg.pm/firstboot/01_setupnetworking.sh
new file mode 100755
index 0000000..2c140ad
--- /dev/null
+++ b/sources/efg.pm/firstboot/01_setupnetworking.sh
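Review bot: The physical uplink is handed in as `lxc.net.1.link = bonde-dev` with no `lxc.net.1.name`, so inside the container the device keeps its host name `bonde-dev`, while 01_setupnetworking.sh and nftables.config in this same commit bind to an interface called `efg`; unless something outside this commit (a udev rule, a NetworkManager rename) renames it, the `dynamic` connection never activates and `EXTERNAL_IF` matches nothing, leaving the external side unconfigured. Adding `lxc.net.1.name = efg` under the link line settles the name in one place for both consumers. Separately, there is no `lxc.idmap`, so this is a privileged container, and `lxc.mount.auto = proc:rw` leaves the whole of /proc/sys writable from inside it; `proc:mixed` makes /proc/sys read-only (recent LXC releases still leave /proc/sys/net writable, which is all the forwarding sysctl needs — verify on the host's LXC version), and on LXC 3.x `lxc.sysctl.net.ipv4.conf.all.forwarding = 1` lets the host set that value before the container's init runs at all.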
@@ -0,0 +1,66 @@
+#!/bin/sh
+set -x
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active NetworkManager.service
+ NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+#while [ $CONNECTION_DEVICES_UP -lt 2 ]
+while [ $CONNECTION_DEVICES_UP -lt 1 ]
+do
+ sleep 1
+ nmcli --terse connection show
+ CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+done
+
+EXTERNAL_DEVICE=efg
+PERIMETER_DEVICE=eth0
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -gt 0 ]
+do
+ CONNECTION_LINE=$(nmcli --terse connection show | head -n 1)
+ CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+ nmcli connection delete uuid "$CONNECTION_UUID"
+ CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+nmcli connection show
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id perimeter \
+ connection.interface-name $PERIMETER_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "192.168.173.254/24" \
+ ipv4.dns "192.168.173.174" \
+ ipv4.dns-search "pm.user.hu" \
+ ipv4.method "manual" \
+ ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \
+ save yes
+
+nmcli connection show
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id dynamic \
+ connection.interface-name $EXTERNAL_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "192.168.65.1/24, 194.149.40.146/28, 194.149.40.147/28, 194.149.40.148/28, 194.149.40.149/28, 194.149.40.150/28" \
+ ipv4.gateway "194.149.40.145" \
+ ipv4.method "manual" \
+ save yes
+
+nmcli connection show
diff --git a/sources/efg.pm/firstboot/02_settimezone.sh b/sources/efg.pm/firstboot/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
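Review bot: Both `nmcli connection add` calls run unchecked after the loop above has already deleted every existing connection, so if either one fails (a rejected property, no device named `efg`) the container is left with no network profile at all and the later firstboot scripts still run as though networking were up; append `|| exit 1` after each `save yes`, or put `set -e` right after the shebang (the `[ $WAITED -eq 1 ] && echo` idiom is safe under it). The two wait loops have no upper bound, so a NetworkManager or connection that never comes up blocks first boot indefinitely instead of failing visibly; a capped counter with a non-zero exit would make that diagnosable. Note also that `set -x` echoes every nmcli invocation, including the public addresses and the full internal route table, into whatever captures first-boot output — nothing secret here, but keep it in mind if that log is shipped off the box.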
+++ b/sources/efg.pm/firstboot/02_settimezone.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/efg.pm/firstboot/10_setupnftables.sh b/sources/efg.pm/firstboot/10_setupnftables.sh
new file mode 100755
index 0000000..fd180f1
--- /dev/null
+++ b/sources/efg.pm/firstboot/10_setupnftables.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+nft list ruleset
+nft list ruleset | grep ^table | sed 's/ {$//' | while read TABLE_SPEC
+do
+ nft flush $TABLE_SPEC
+ nft delete $TABLE_SPEC
+done
+
+nft --echo --file $REAL_PATH/nftables.config
+nft list ruleset >/etc/nftables/efg.nft
+
+systemctl enable nftables.service
diff --git a/sources/efg.pm/firstboot/99_cleanup.sh b/sources/efg.pm/firstboot/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/efg.pm/firstboot/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/efg.pm/firstboot/nftables.config b/sources/efg.pm/firstboot/nftables.config
new file mode 100644
index 0000000..99353c1
--- /dev/null
+++ b/sources/efg.pm/firstboot/nftables.config
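Review bot: `nft --echo --file $REAL_PATH/nftables.config` is not checked, and the loop just above has already deleted every table, so a syntax error in the config leaves an empty ruleset which the next line then persists to /etc/nftables/efg.nft and the line after enables at boot — the container would come up forwarding with no firewall while looking fully configured. Make the load fatal and quote the path: `nft --echo --file "$REAL_PATH/nftables.config" || exit 1`. Two smaller points: the flush/delete loop is what `nft flush ruleset` does in one call, and the dump produced by `nft list ruleset` carries no `flush ruleset` line, so any later `nft -f` of /etc/sysconfig/nftables.conf run while rules are live adds a second copy of every rule rather than replacing them (the distribution unit's reload path flushes first, a manual run does not) — prefixing the saved file with `flush ruleset` avoids that. Also worth a comment in the script: 01 brings the public addresses up and sysctl.d has forwarding on from boot, so until this script runs during first boot the container routes with no filter in place.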
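Review bot: The only action in this script is `echo rm -Rf $REAL_PATH`, which prints the removal rather than performing it, so the firstboot directory is never cleaned up; the identical blob (b87f2f4) is reused as postinstall/99_cleanup.sh, so that one is a no-op too. If the dry run is deliberate, say so in a comment (`# dry run: removal is left to the operator`); if not, drop the `echo` and guard the path so an empty variable can never expand to `rm -Rf /`: `rm -Rf -- "${REAL_PATH:?}"`. The `${VAR:?}` form is POSIX, so it is fine under the `#!/bin/sh` shebang used here.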
@@ -0,0 +1,328 @@
+#!/usr/sbin/nft -f
+
+
+################################
+# interface definitions
+################################
+
+# external interface
+define EXTERNAL_IF = efg
+
+# loopback interface
+define LOOPBACK_IF = lo
+
+# perimeter interface
+define PERIMETER_IF = eth0
+
+################################
+# address definitions
+################################
+
+# loopback address
+define LOOPBACK_IP = 127.0.0.1
+
+# public addresses
+define PUBLIC_EFG_IP = 194.149.40.146
+define PUBLIC_MX_IP = 194.149.40.147
+define PUBLIC_NS_IP = 194.149.40.148
+define PUBLIC_VPN_IP = 194.149.40.149
+define PUBLIC_WS_IP = 194.149.40.150
+define PUBLIC_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_IP_152 = 194.149.40.152
+define PUBLIC_IP_153 = 194.149.40.153
+define PUBLIC_IP_154 = 194.149.40.154
+define PUBLIC_IP_155 = 194.149.40.155
+define PUBLIC_IP_156 = 194.149.40.156
+define PUBLIC_IP_157 = 194.149.40.157
+define PUBLIC_DL380E_IP = 194.149.40.158
+
+# efg address (perimeter network)
+define EFG_PERIMETER_IP = 192.168.173.254
+
+# transfer web server address (perimeter network)
+define XFR_PERIMETER_IP = 192.168.173.251
+
+# web server address (perimeter network)
+define WS_PERIMETER_IP = 192.168.173.249
+
+# perimeter name server address (perimeter network)
+define PNS_PERIMETER_IP = 192.168.173.174
+
+# external name server address (perimeter network)
+define ENS_PERIMETER_IP = 192.168.173.64
+
+# ifg address (perimeter network)
+define IFG_PERIMETER_IP = 192.168.173.1
+
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IP = 10.228.62.193
+
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IP = 10.228.109.133
+
+# store address (internal network)
+define STORE_INTERNAL_IP = 10.228.109.250
+
+# service address (internal network)
+define SVC_INTERNAL_IP = 10.228.109.253
+
+# vpn address (internal network)
+define VPN_INTERNAL_IP = 10.228.109.236
+
+# primary name server address (internal network)
+define PNS_INTERNAL_IP = 10.228.109.174
+
+# internal name server address (internal network)
+define INS_INTERNAL_IP = 10.228.109.104
+
+# worksheet address (internal network)
+define WORKSHEET_SR_IP = 192.168.42.248
+
+################################
+# network definitions
+################################
+
+# internal networks
+define USR_NET = 10.228.0.0/16
+define SR_NET = 192.168.42.0/24
+define IN_NET = 192.168.43.0/24
+define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+
+# perimeter network
+define PERIMETER_NET = 192.168.173.0/24
+
+# vpn client network
+define VPN_NET = 172.16.223.0/24
+
+# peep-bo network
+define PEEP_BO_NET = 10.162.104.0/24
+
+################################
+# port definitions
+################################
+
+#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define WS_PORTS = { 80, 443 }
+
+
+################################
+# reset nftables
+################################
+
+create table inet efg_filter
+create table ip efg_nat
+
+create chain inet efg_filter input { type filter hook input priority 0; policy drop; }
+create chain inet efg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain inet efg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip efg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+create chain ip efg_nat postrouting { type nat hook postrouting priority 0; policy accept; }
+
+
+################################
+# NAT prerouting rules
+################################
+
+add rule ip efg_nat prerouting \
+ ip protocol udp \
+ iifname $EXTERNAL_IF \
+ ip daddr $PUBLIC_VPN_IP udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic"
+
+#add rule ip efg_nat prerouting \
+# ip protocol tcp \
+# iifname $EXTERNAL_IF \
+# ip daddr $PUBLIC_MX_IP tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+
+add rule ip efg_nat prerouting \
+ ip protocol udp \
+ iifname $EXTERNAL_IF udp sport 1024-65535 \
+ ip daddr $PUBLIC_NS_IP udp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+
+add rule ip efg_nat prerouting \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_NS_IP tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+
+add rule ip efg_nat prerouting \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+
+
+################################
+# FILTER input rules
+################################
+
+add rule inet efg_filter input \
+ ct state established \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IP udp sport 53 \
+ ip daddr $EFG_PERIMETER_IP udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+
+add rule inet efg_filter input \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet efg_filter input \
+ counter log prefix "INPUT"
+
+
+################################
+# FILTER forward rules
+################################
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_IF \
+ oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+ counter accept comment "Established sessions"
+
+add rule inet efg_filter forward \
+ iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+ oifname $EXTERNAL_IF \
+ counter accept comment "Internet access"
+
+add rule inet efg_filter forward \
+ ip protocol udp \
+ iifname $EXTERNAL_IF \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ counter accept comment "Incoming VPN traffic"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ counter accept comment "Incoming http(s) requests"
+
+add rule inet efg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
+ oifname $EXTERNAL_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing http(s) replies"
+
+add rule inet efg_filter forward \
+ ip protocol udp \
+ iifname $EXTERNAL_IF udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ counter accept comment "Incoming DNS requests/notifications (udp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ oifname $EXTERNAL_IF udp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (udp)"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ counter accept comment "Incoming DNS requests (tcp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ oifname $EXTERNAL_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (tcp)"
+
+add rule inet efg_filter forward \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ oifname $EXTERNAL_IF udp dport 53 \
+ counter accept comment "Outgoing DNS requests/notifications (udp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol udp \
+ iifname $EXTERNAL_IF udp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (udp)"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ oifname $EXTERNAL_IF tcp dport 53 \
+ counter accept comment "Outgoing DNS requests (tcp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (tcp)"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $EXTERNAL_IF tcp dport $WS_PORTS \
+ counter accept comment "Outgoing let's encrypt requests"
+
+add rule inet efg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Incoming let's encrypt replies"
+
+add rule inet efg_filter forward \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet efg_filter forward \
+ counter log prefix "FORWARD"
+
+
+################################
+# FILTER output rules
+################################
+
+add rule inet efg_filter output \
+ ct state new \
+ ip protocol udp \
+ ip saddr $EFG_PERIMETER_IP udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IP udp dport 53 \
+ counter accept comment "DNS requests"
+
+add rule inet efg_filter output \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet efg_filter output \
+ counter log prefix "OUTPUT"
+
+
+################################
+# NAT postrouting rules
+################################
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $VPN_INTERNAL_IP \
+ counter snat $PUBLIC_VPN_IP comment "Outgoing VPN traffic"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $INTERNAL_NETS \
+ counter snat $PUBLIC_EFG_IP comment "Outgoing internal traffic"
+
+#add rule ip efg_nat postrouting \
+# oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IP \
+# counter snat $PUBLIC_MX_IP comment "Outgoing MX traffic"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $ENS_PERIMETER_IP \
+ counter snat $PUBLIC_NS_IP comment "Outgoing external DNS traffic"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $PNS_PERIMETER_IP \
+ counter snat $PUBLIC_EFG_IP comment "Outgoing perimeter DNS traffic"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $WS_PERIMETER_IP \
+ counter snat $PUBLIC_WS_IP comment "Outgoing WS traffic"
diff --git a/sources/efg.pm/firstboot/traversal.txt b/sources/efg.pm/firstboot/traversal.txt
new file mode 100644
index 0000000..97ebf2d
--- /dev/null
+++ b/sources/efg.pm/firstboot/traversal.txt
@@ -0,0 +1,53 @@
+###############################
+ chain traversal
+ for all tables
+###############################
+
+ NETWORK
+ |
+ ______v_____
+ / raw \
+ | PREROUTING |
+ \____________/
+ |
+ ________ ______v_____
+ / mangle \ / mangle \
+ | INPUT |<- | PREROUTING |
+ \________/ | \____________/
+ | | |
+ ____v___ | ______v_____
+ / filter \ | / nat \
+ | INPUT | | | PREROUTING |
+ \________/ | \____________/
+ | | |
+ ____v____ | ____v___
+ | | | / \
+ | local | |__/ routing \__________
+ | process | \ decision / |
+ |_________| \________/ ____v____
+ | / mangle \
+ ___v____ | FORWARD |
+ / \ \_________/
+ / routing \ |
+ \ decision / ____v____
+ \________/ / filter \
+ | | FORWARD |
+ ____v___ ________ \_________/
+ / raw \ / \ |
+ | OUTPUT | / routing \ |
+ \________/ ->\ decision /<---------
+ | | \________/
+ ____v___ | |
+ / mangle \ | ______v______
+ | OUTPUT | | / mangle \
+ \________/ | | POSTROUTING |
+ | | \_____________/
+ ____v___ | |
+ / nat \ | ______v______
+ | OUTPUT | | / nat \
+ \________/ | | POSTROUTING |
+ | | \_____________/
+ ____v___ | |
+ / filter \ | v
+ | OUTPUT |-- NETWORK
+ \________/
diff --git a/sources/efg.pm/postinstall/01_setownership.sh b/sources/efg.pm/postinstall/01_setownership.sh
new file mode 100755
index 0000000..f2e6b94
--- /dev/null
+++ b/sources/efg.pm/postinstall/01_setownership.sh
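Review bot: The three catch-all `counter log prefix "INPUT"` / `"FORWARD"` / `"OUTPUT"` rules that close each chain carry no `limit rate`, so on the internet-facing interface every packet that reaches the drop policy produces a kernel log line; a port sweep or spoofed flood becomes log-volume exhaustion inside the container instead of merely dropped packets. The `ip protocol icmp counter accept` rules in input and forward likewise take every ICMP type from any interface, so an external host can send e.g. redirects or timestamp requests to the gateway itself and reach perimeter and internal addresses with any ICMP through the forward chain; restricting to the handful of types a router needs and rate-limiting is cheap, and a `ct state invalid drop` ahead of the first accept closes the gap that the unconditional "Internet access" rule leaves for conntrack-invalid packets. Every match in the file is `ip ...`, so inside an `inet` table with `policy drop` all IPv6 — including ICMPv6 neighbour discovery — is silently discarded; that may be the intent, but envvars in this commit installs radvd, so a one-line comment stating that IPv6 is deliberately unhandled would save the next reader a puzzle. The forward-chain changes are below; the input and output chains get the same treatment.
```nftables
# … unchanged: definitions, tables, chains, NAT prerouting rules …

add rule inet efg_filter forward \
    ct state invalid \
    counter drop comment "Drop conntrack-invalid packets"

# … unchanged: forward accept rules …

add rule inet efg_filter forward \
    ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem } \
    limit rate 10/second burst 20 packets \
    counter accept comment "ICMP (restricted types, rate limited)"

add rule inet efg_filter forward \
    limit rate 5/second burst 10 packets \
    counter log prefix "FORWARD drop: "

# … unchanged: output rules, NAT postrouting rules …
```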
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
diff --git a/sources/efg.pm/postinstall/02_setpermissions.sh b/sources/efg.pm/postinstall/02_setpermissions.sh
new file mode 100755
index 0000000..241386a
--- /dev/null
+++ b/sources/efg.pm/postinstall/02_setpermissions.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
diff --git a/sources/efg.pm/postinstall/03_installfiles.sh b/sources/efg.pm/postinstall/03_installfiles.sh
new file mode 100755
index 0000000..f190caf
--- /dev/null
+++ b/sources/efg.pm/postinstall/03_installfiles.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+ --directory=$REAL_PATH \
+ --to-stdout \
+ install \
+ | tar --extract \
+ --backup \
+ --directory=/ \
+ --no-overwrite-dir \
+ --strip-components=1 \
+ --suffix=.orig
diff --git a/sources/efg.pm/postinstall/10_setupservices.sh b/sources/efg.pm/postinstall/10_setupservices.sh
new file mode 100755
index 0000000..69dd107
--- /dev/null
+++ b/sources/efg.pm/postinstall/10_setupservices.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
diff --git a/sources/efg.pm/postinstall/99_cleanup.sh b/sources/efg.pm/postinstall/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/efg.pm/postinstall/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/efg.pm/postinstall/install/etc/hosts b/sources/efg.pm/postinstall/install/etc/hosts
new file mode 100644
index 0000000..278fb43
--- /dev/null
+++ b/sources/efg.pm/postinstall/install/etc/hosts
@@ -0,0 +1,4 @@
+127.0.0.1 localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1 localhost6.localdomain6 localhost6
+
+192.168.173.254 efg.pm.user.hu efg
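Review bot: `chown -R root.root $SOURCE_PATH/*` uses the deprecated dot separator and an unquoted, glob-expanded path, and `*` skips any dot-entry directly under install/; running the recursion on the directory itself covers everything: `chown -R root:root -- "$SOURCE_PATH"`. This pass matters more than it looks, because 03_installfiles.sh in the same commit extracts the tree into / with tar running as root, which restores ownership from the archive by default, so anything missed here lands on the system owned by whichever account checked the repository out.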
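Review bot: This script sets REAL_PATH and SOURCE_PATH and then exits without applying a single mode, so the files copied into / by the next script keep whatever permissions the checkout happened to have (git tracks only the executable bit; the rest follows the checkout umask). Either give it a body — `find "$SOURCE_PATH" -type d -exec chmod 755 {} +` and `find "$SOURCE_PATH" -type f -exec chmod 644 {} +`, which is safe only while nothing executable is shipped under install/ — or replace the empty body with a comment stating that modes are taken from the checkout as-is, so the name does not promise something the script does not do.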
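Review bot: The extract stage's exit status is never examined (plain `sh`, no `set -e`, no `pipefail`), and `--directory=$REAL_PATH` is unquoted, so a failed or partial write into / goes unnoticed and the later postinstall scripts carry on as if the tree were installed. Quote the path, `--directory="$REAL_PATH" \`, and make the pipeline fatal by appending `|| { echo 'install tree extraction failed' >&2; exit 1; }` after `--suffix=.orig` — in POSIX sh the pipeline's status is that of the last stage, which is exactly the extract. A top-of-file comment saying that `--strip-components=1` with `--directory=/` means every path under install/ overwrites the same path on the system, with the previous copy kept as `.orig`, would spare whoever adds files later from discovering it by accident.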
diff --git a/sources/efg.pm/postinstall/install/etc/resolv.conf b/sources/efg.pm/postinstall/install/etc/resolv.conf
new file mode 100644
index 0000000..1a69e03
--- /dev/null
+++ b/sources/efg.pm/postinstall/install/etc/resolv.conf
@@ -0,0 +1,3 @@
+nameserver 192.168.173.174
+domain pm.user.hu
+search pm.user.hu
diff --git a/sources/efg.pm/postinstall/install/etc/sysconfig/nftables.conf b/sources/efg.pm/postinstall/install/etc/sysconfig/nftables.conf
new file mode 100644
index 0000000..0c461d7
--- /dev/null
+++ b/sources/efg.pm/postinstall/install/etc/sysconfig/nftables.conf
@@ -0,0 +1 @@
+include "/etc/nftables/efg.nft"
diff --git a/sources/efg.pm/postinstall/install/etc/sysctl.d/01_ipforward.conf b/sources/efg.pm/postinstall/install/etc/sysctl.d/01_ipforward.conf
new file mode 100644
index 0000000..05b3f78
--- /dev/null
+++ b/sources/efg.pm/postinstall/install/etc/sysctl.d/01_ipforward.conf
@@ -0,0 +1 @@
+net.ipv4.conf.all.forwarding = 1
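Review bot: `net.ipv4.conf.all.forwarding = 1` is the only network sysctl this commit sets, so the container starts forwarding between its two interfaces with reverse-path filtering and ICMP-redirect handling left at whatever the kernel's defaults are for a forwarding host; for a box in this position the usual companions are `net.ipv4.conf.all.rp_filter = 1`, `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.send_redirects = 0`, and setting them explicitly also documents the intent rather than relying on the host/router default split. `rp_filter = 1` presumes symmetric routing, which the static routes in 01_setupnetworking.sh suggest holds here — verify before enabling. Since nftables.config in this commit never drops anything based on source address, these sysctls are the only anti-spoofing the gateway would have.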