From: Zoltán Felleg Date: Tue, 30 Jul 2019 11:44:14 +0000 (+0200) Subject: Updated efg.pm.f30 (Switched to nftables and the new ip range). X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=5267456c777aa0e0a75a4aa78250aa3141cd31d8;p=user-lxc.git Updated efg.pm.f30 (Switched to nftables and the new ip range).
---
diff --git a/sources/efg.pm.f30/config b/sources/efg.pm.f30/config
index 4a11c89..1c80c0a 100644
--- a/sources/efg.pm.f30/config
+++ b/sources/efg.pm.f30/config
@@ -12,11 +12,7 @@ lxc.net.0.hwaddr = 02:0c:18:03:ad:fe
 lxc.net.1.type = phys
 lxc.net.1.flags = up
-lxc.net.1.link = efgd
-
-lxc.net.2.type = phys
-lxc.net.2.flags = up
-lxc.net.2.link = efgs
+lxc.net.1.link = efg
 lxc.autodev = 1
diff --git a/sources/efg.pm.f30/firstboot/01_setupnetworking.sh b/sources/efg.pm.f30/firstboot/01_setupnetworking.sh
index b173c0a..2c140ad 100755
--- a/sources/efg.pm.f30/firstboot/01_setupnetworking.sh
+++ b/sources/efg.pm.f30/firstboot/01_setupnetworking.sh
@@ -17,16 +17,16 @@ done
 [ $WAITED -eq 1 ] && echo
 CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
-while [ $CONNECTION_DEVICES_UP -lt 3 ]
+#while [ $CONNECTION_DEVICES_UP -lt 2 ]
+while [ $CONNECTION_DEVICES_UP -lt 1 ]
 do
 sleep 1
 nmcli --terse connection show
 CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
 done
-DYNAMIC_DEVICE=efgd
-STATIC_DEVICE=efgs
-PM_DEVICE=eth0
+EXTERNAL_DEVICE=efg
+PERIMETER_DEVICE=eth0
 CONNECTIONS=$(nmcli --terse connection show | wc -l)
 while [ $CONNECTIONS -gt 0 ]
@@ -42,7 +42,7 @@ nmcli connection show
 nmcli connection add \
 connection.autoconnect yes \
 connection.id perimeter \
- connection.interface-name $PM_DEVICE \
+ connection.interface-name $PERIMETER_DEVICE \
 connection.type 802-3-ethernet \
 ipv4.addresses "192.168.173.254/24" \
 ipv4.dns "192.168.173.174" \
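Review bot: The readiness loop in the `@@ -17,16` hunk now proceeds once a single active connection is reported, although the container still gets two interfaces (`lxc.net.0` and `lxc.net.1.link = efg` in the config hunk), and the commented-out `-lt 2` line left above it does not say why the threshold was lowered; either reinstate it or record the reason in a comment on that line. The test also leaves `$CONNECTION_DEVICES_UP` unquoted, so an empty result from a failing `nmcli` turns into a `[` syntax error whose non-zero status ends the loop immediately instead of waiting; `while [ "${CONNECTION_DEVICES_UP:-0}" -lt 1 ]` keeps the wait behaviour in that case. The rest of the script, including the `WAITED` loop above the hunk, is outside the hunk.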
@@ -56,39 +56,11 @@ nmcli connection show
 nmcli connection add \
 connection.autoconnect yes \
 connection.id dynamic \
- connection.interface-name $DYNAMIC_DEVICE \
+ connection.interface-name $EXTERNAL_DEVICE \
 connection.type 802-3-ethernet \
- ipv4.addresses "192.168.65.1/24, 194.149.40.146/28" \
+ ipv4.addresses "192.168.65.1/24, 194.149.40.146/28, 194.149.40.147/28, 194.149.40.148/28, 194.149.40.149/28, 194.149.40.150/28" \
 ipv4.gateway "194.149.40.145" \
 ipv4.method "manual" \
 save yes
 nmcli connection show
-
-nmcli connection add \
- connection.autoconnect yes \
- connection.id static \
- connection.interface-name $STATIC_DEVICE \
- connection.type 802-3-ethernet \
- ipv4.addresses "84.2.25.202/28, 192.168.210.1/24" \
- ipv4.method "manual" \
- save yes
-
-nmcli connection show
-
-ip rule add from 10.228.109.236 lookup static
-ip rule add from 10.228.109.253 lookup static
-ip rule add from 192.168.173.64 lookup static
-ip rule add from 192.168.173.174 lookup static
-ip rule add from 192.168.173.249 lookup static
-ip rule add from 192.168.173.252 lookup static
-ip rule add from 192.168.173.253 lookup static
-
-ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
-ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
-ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
-ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table static
-ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table static
-ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table static
-ip route add default via 194.149.40.145 dev efgd table dynamic
-ip route add default via 84.2.25.193 dev efgs table static
diff --git a/sources/efg.pm.f30/firstboot/10_iptables_reset.sh b/sources/efg.pm.f30/firstboot/10_iptables_reset.sh
index f63b04d..1dc5600 100755
--- a/sources/efg.pm.f30/firstboot/10_iptables_reset.sh
+++ b/sources/efg.pm.f30/firstboot/10_iptables_reset.sh
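Review bot: The removed `ip route add ... table dynamic`/`table static` lines (and the deleted `route-eth0` file later in this diff) were the only visible routes to `10.228.0.0/16`, `192.168.42.0/24` and `192.168.43.0/24` via `192.168.173.1`, and nothing on the new side re-adds them, so the forward rules in the new nftables.config that accept traffic to `$INTERNAL_NETS` out of `eth0` have no route to use unless the perimeter connection's remaining properties (past the end of the `@@ -42,7` hunk) or something outside this commit provide one. If they are not set elsewhere, the perimeter `nmcli connection add` should carry them, e.g. `ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \`. The `dynamic` connection's `ipv4.addresses` list now repeats by hand the same `194.149.40.146`–`.150` addresses that nftables.config defines; a comment pointing at the other file would at least make it clear that the two lists must be changed together.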
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 REAL_PATH=$(realpath $(dirname $0))
diff --git a/sources/efg.pm.f30/firstboot/10_setupnftables.sh b/sources/efg.pm.f30/firstboot/10_setupnftables.sh
new file mode 100755
index 0000000..2a2bd5b
--- /dev/null
+++ b/sources/efg.pm.f30/firstboot/10_setupnftables.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -x
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+nft list ruleset
+nft list ruleset | grep ^table | sed 's/ {$//' | while read TABLE_SPEC
+do
+ nft flush $TABLE_SPEC
+ nft delete $TABLE_SPEC
+done
+#exit 0
+
+nft --echo --file $REAL_PATH/nftables.config
+nft list ruleset >/etc/nftables/efg.nft
+
+systemctl enable nftables.service
diff --git a/sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh b/sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh
index 93d1a8a..d1c9770 100755
--- a/sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh
+++ b/sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 #set -x
diff --git a/sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh b/sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh
index 87311ad..6ae55fb 100755
--- a/sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh
+++ b/sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 #set -x
 ################################
diff --git a/sources/efg.pm.f30/firstboot/13_iptables_save.sh b/sources/efg.pm.f30/firstboot/13_iptables_save.sh
index 85932f3..ff43dbd 100755
--- a/sources/efg.pm.f30/firstboot/13_iptables_save.sh
+++ b/sources/efg.pm.f30/firstboot/13_iptables_save.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
+exit 0
 #set -x
 /sbin/iptables-save >/etc/sysconfig/iptables
diff --git a/sources/efg.pm.f30/firstboot/nftables.config b/sources/efg.pm.f30/firstboot/nftables.config
new file mode 100644
index 0000000..9d32595
--- /dev/null
+++ b/sources/efg.pm.f30/firstboot/nftables.config
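Review bot: `10_iptables_reset.sh` is neutralised by a bare `exit 0` after the shebang rather than removed, and the same pattern is applied to `11_iptables_set_efg_rules.sh`, `12_iptables_log_dropped.sh` and `13_iptables_save.sh` in this diff, so four executable scripts stay in `firstboot/` with nothing saying they are obsolete. If they are kept for reference, a comment on the exit line, `exit 0 # superseded by 10_setupnftables.sh; body below is dead code`, tells the next reader not to maintain what follows. Deleting the four files would be cleaner still, since the history already keeps them.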
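Review bot: Nothing in the new `10_setupnftables.sh` checks that `nft --echo --file $REAL_PATH/nftables.config` succeeded before the next line persists `nft list ruleset` to `/etc/nftables/efg.nft` and `nftables.service` is enabled: a syntax error in the config comes after the `while read TABLE_SPEC` loop has already flushed and deleted every existing table, so the saved file would be empty and later boots would come up with no filter chains at all. Stopping on failure fixes the persisted state, e.g. `nft --echo --file "$REAL_PATH/nftables.config" || exit 1`, and `mkdir -p /etc/nftables` before the redirect avoids the same silent outcome when the directory does not exist yet. `$REAL_PATH` and `$0` are unquoted throughout; `REAL_PATH=$(realpath "$(dirname "$0")")` and `read -r TABLE_SPEC` are the safer forms even though the current paths contain no spaces.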
@@ -0,0 +1,317 @@
+#!/usr/sbin/nft -f
+
+
+################################
+# interface definitions
+################################
+
+# external interface
+define EXTERNAL_IF = efg
+
+# loopback interface
+define LOOPBACK_IF = lo
+
+# perimeter interface
+define PERIMETER_IF = eth0
+
+################################
+# address definitions
+################################
+
+# loopback address
+define LOOPBACK_IP = 127.0.0.1
+
+# public addresses
+define PUBLIC_EFG_IP = 194.149.40.146
+define PUBLIC_MX_IP = 194.149.40.147
+define PUBLIC_NS_IP = 194.149.40.148
+define PUBLIC_VPN_IP = 194.149.40.149
+define PUBLIC_WS_IP = 194.149.40.150
+define PUBLIC_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_IP_152 = 194.149.40.152
+define PUBLIC_IP_153 = 194.149.40.153
+define PUBLIC_IP_154 = 194.149.40.154
+define PUBLIC_IP_155 = 194.149.40.155
+define PUBLIC_IP_156 = 194.149.40.156
+define PUBLIC_IP_157 = 194.149.40.157
+define PUBLIC_DL380E_IP = 194.149.40.158
+
+# efg address (perimeter network)
+define EFG_PERIMETER_IP = 192.168.173.254
+
+# transfer web server address (perimeter network)
+define XFR_PERIMETER_IP = 192.168.173.251
+
+# web server address (perimeter network)
+define WS_PERIMETER_IP = 192.168.173.249
+
+# perimeter name server address (perimeter network)
+define PNS_PERIMETER_IP = 192.168.173.174
+
+# external name server address (perimeter network)
+define ENS_PERIMETER_IP = 192.168.173.64
+
+# ifg address (perimeter network)
+define IFG_PERIMETER_IP = 192.168.173.1
+
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IP = 10.228.62.193
+
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IP = 10.228.109.133
+
+# store address (internal network)
+define STORE_INTERNAL_IP = 10.228.109.250
+
+# service address (internal network)
+define SVC_INTERNAL_IP = 10.228.109.253
+
+# vpn address (internal network)
+define VPN_INTERNAL_IP = 10.228.109.236
+
+# primary name server address (internal network)
+define PNS_INTERNAL_IP = 10.228.109.174
+
+# internal name server address (internal network)
+define INS_INTERNAL_IP = 10.228.109.104
+
+# worksheet address (internal network)
+define WORKSHEET_SR_IP = 192.168.42.248
+
+################################
+# network definitions
+################################
+
+# internal networks
+define USR_NET = 10.228.0.0/16
+define SR_NET = 192.168.42.0/24
+define IN_NET = 192.168.43.0/24
+define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+
+# perimeter network
+define PERIMETER_NET = 192.168.173.0/24
+
+# vpn client network
+define VPN_NET = 172.16.223.0/24
+
+# peep-bo network
+define PEEP_BO_NET = 10.162.104.0/24
+
+################################
+# port definitions
+################################
+
+#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define WS_PORTS = { 80, 443 }
+
+
+################################
+# reset nftables
+################################
+
+create table inet efg_filter
+create table ip efg_nat
+
+create chain inet efg_filter input { type filter hook input priority 0; policy drop; }
+create chain inet efg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain inet efg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip efg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+create chain ip efg_nat postrouting { type nat hook postrouting priority 0; policy accept; }
+
+
+################################
+# NAT prerouting rules
+################################
+
+add rule ip efg_nat prerouting \
+ ip protocol udp \
+ iifname $EXTERNAL_IF \
+ ip daddr $PUBLIC_VPN_IP udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic"
+
+#add rule ip efg_nat prerouting \
+# ip protocol tcp \
+# iifname $EXTERNAL_IF \
+# ip daddr $PUBLIC_MX_IP tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+
+add rule ip efg_nat prerouting \
+ ip protocol udp \
+ iifname $EXTERNAL_IF udp sport 1024-65535 \
+ ip daddr $PUBLIC_NS_IP udp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+
+add rule ip efg_nat prerouting \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_NS_IP tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+
+add rule ip efg_nat prerouting \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+
+
+################################
+# FILTER input rules
+################################
+
+add rule inet efg_filter input \
+ ct state established \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IP udp sport 53 \
+ ip daddr $EFG_PERIMETER_IP udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+
+add rule inet efg_filter input \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet efg_filter input \
+ counter log prefix "INPUT"
+
+
+################################
+# FILTER forward rules
+################################
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_IF \
+ oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+ counter accept comment "Established sessions"
+
+add rule inet efg_filter forward \
+ iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+ oifname $EXTERNAL_IF \
+ counter accept comment "Internet access"
+
+add rule inet efg_filter forward \
+ ip protocol udp \
+ iifname $EXTERNAL_IF \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ counter accept comment "Incoming VPN traffic"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ counter accept comment "Incoming http(s) requests"
+
+add rule inet efg_filter forward \
+ ip protocol udp \
+ iifname $EXTERNAL_IF udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ counter accept comment "Incoming DNS requests/notifications (udp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ oifname $EXTERNAL_IF udp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (udp)"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ counter accept comment "Incoming DNS requests (tcp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ oifname $EXTERNAL_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (tcp)"
+
+add rule inet efg_filter forward \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ oifname $EXTERNAL_IF udp dport 53 \
+ counter accept comment "Outgoing DNS requests/notifications (udp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol udp \
+ iifname $EXTERNAL_IF udp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (udp)"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ oifname $EXTERNAL_IF tcp dport 53 \
+ counter accept comment "Outgoing DNS requests (tcp)"
+
+add rule inet efg_filter forward \
+ ct state established, related \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (tcp)"
+
+add rule inet efg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $EXTERNAL_IF tcp dport $WS_PORTS \
+ counter accept comment "Outgoing let's encrypt requests"
+
+add rule inet efg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $EXTERNAL_IF tcp sport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Incoming let's encrypt replies"
+
+add rule inet efg_filter forward \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet efg_filter forward \
+ counter log prefix "FORWARD"
+
+
+################################
+# FILTER output rules
+################################
+
+add rule inet efg_filter output \
+ ct state new \
+ ip protocol udp \
+ ip saddr $EFG_PERIMETER_IP udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IP udp dport 53 \
+ counter accept comment "DNS requests"
+
+add rule inet efg_filter output \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet efg_filter output \
+ counter log prefix "OUTPUT"
+
+
+################################
+# NAT postrouting rules
+################################
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $VPN_INTERNAL_IP \
+ counter snat $PUBLIC_VPN_IP comment "Outgoing VPN traffic"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $INTERNAL_NETS \
+ counter snat $PUBLIC_EFG_IP comment "Outgoing internal traffic"
+
+#add rule ip efg_nat postrouting \
+# oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IP \
+# counter snat $PUBLIC_MX_IP comment "Outgoing MX traffic"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $EFG_PERIMETER_IP \
+ counter snat $PUBLIC_NS_IP comment "Outgoing external DNS traffic"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $WS_PERIMETER_IP \
+ counter snat $PUBLIC_WS_IP comment "Outgoing WS traffic"
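Review bot: The forward chain in nftables.config has no accept for the web server's reply direction: `Incoming http(s) requests` lets `$EXTERNAL_IF` → `$WS_PERIMETER_IP` dport `$WS_PORTS` through, but the only `$WS_PERIMETER_IP` → `$EXTERNAL_IF` rule (`Outgoing let's encrypt requests`) matches sport 1024-65535 / dport `$WS_PORTS`, so SYN-ACKs leaving from sport 80/443 fall through to `policy drop` and the `"FORWARD"` log and the DNAT'd sites never complete a handshake. Every DNS pair carries an explicit reply rule per direction; the WS pair needs the same, given below. `LOOPBACK_IF`/`LOOPBACK_IP` are defined but never referenced, and with `input` and `output` on `policy drop` nothing accepts `lo`, so either add `add rule inet efg_filter input iifname $LOOPBACK_IF counter accept` with its `output oifname $LOOPBACK_IF` twin or remove the dead defines. The three `counter log prefix "INPUT"` style rules are unbounded and the prefix runs straight into the kernel's `IN=` field; `limit rate 5/second counter log prefix "INPUT: "` keeps the journal readable and bounds what unsolicited traffic on `$EXTERNAL_IF` can write to it.
```nftables
# … unchanged: forward rules up to "Incoming let's encrypt replies" …
add rule inet efg_filter forward \
 ct state established \
 ip protocol tcp \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
 oifname $EXTERNAL_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing http(s) replies"
# … unchanged: ICMP accept and FORWARD log rules …
```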
diff --git a/sources/efg.pm.f30/postinstall/01_setownership.sh b/sources/efg.pm.f30/postinstall/01_setownership.sh
index 5590180..f2e6b94 100755
--- a/sources/efg.pm.f30/postinstall/01_setownership.sh
+++ b/sources/efg.pm.f30/postinstall/01_setownership.sh
@@ -5,5 +5,3 @@ REAL_PATH=$(dirname $(realpath $0))
 SOURCE_PATH=$REAL_PATH/install
 chown -R root.root $SOURCE_PATH/*
-
-chgrp ssh_keys $SOURCE_PATH/etc/ssh/*_key
diff --git a/sources/efg.pm.f30/postinstall/02_setpermissions.sh b/sources/efg.pm.f30/postinstall/02_setpermissions.sh
index c8c018c..241386a 100755
--- a/sources/efg.pm.f30/postinstall/02_setpermissions.sh
+++ b/sources/efg.pm.f30/postinstall/02_setpermissions.sh
@@ -3,6 +3,3 @@ REAL_PATH=$(dirname $(realpath $0))
 SOURCE_PATH=$REAL_PATH/install
-
-chmod 400 $SOURCE_PATH/etc/ssh/*_key
-chmod 444 $SOURCE_PATH/etc/ssh/*.pub
diff --git a/sources/efg.pm.f30/postinstall/10_setupservices.sh b/sources/efg.pm.f30/postinstall/10_setupservices.sh
index 80c2db2..69dd107 100755
--- a/sources/efg.pm.f30/postinstall/10_setupservices.sh
+++ b/sources/efg.pm.f30/postinstall/10_setupservices.sh
@@ -1,7 +1,6 @@
 #!/bin/sh
-systemctl enable iptables.service
 systemctl enable NetworkManager-wait-online.service
 systemctl mask wpa_supplicant.service
diff --git a/sources/efg.pm.f30/postinstall/install/etc/iproute2/rt_tables b/sources/efg.pm.f30/postinstall/install/etc/iproute2/rt_tables
deleted file mode 100644
index 41d5b37..0000000
--- a/sources/efg.pm.f30/postinstall/install/etc/iproute2/rt_tables
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# reserved values
-#
-255 local
-254 main
-253 default
-0 unspec
-#
-# local
-#
-#1 inr.ruhep
-65 dynamic
-210 static
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd
deleted file mode 100644
index 389bbbd..0000000
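Review bot: Dropping `chgrp ssh_keys $SOURCE_PATH/etc/ssh/*_key` here, and the `chmod 400`/`chmod 444` lines in `02_setpermissions.sh`, removes the only visible tightening of the host keys under `install/etc/ssh`, yet this diff does not delete those key files from the install tree. If they still ship, they are now installed with whatever mode the checkout gives them, which for a private host key means readable by other users and, for modes looser than owner-only, typically ignored by sshd with a "permissions are too open" message; if they were removed in another commit, a one-line comment such as `# ssh host keys are no longer shipped in the install tree` would explain why both scripts went quiet. Either way the surviving `chown -R root.root $SOURCE_PATH/*` line deserves the POSIX owner separator and quoting, `chown -R root:root "$SOURCE_PATH"/*`.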
--- a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd
+++ /dev/null
@@ -1,16 +0,0 @@
-NAME=efgd
-DEVICE=efgd
-TYPE=Ethernet
-ONBOOT=yes
-BOOTPROTO=static
-IPADDR=192.168.65.1
-PREFIX=24
-GATEWAY=192.168.65.254
-DEFROUTE=yes
-IPV4_FAILURE_FATAL=no
-IPV6INIT=yes
-IPV6_AUTOCONF=yes
-IPV6_DEFROUTE=yes
-IPV6_PEERDNS=yes
-IPV6_PEERROUTES=yes
-IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs
deleted file mode 100644
index 9613b3e..0000000
--- a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs
+++ /dev/null
@@ -1,17 +0,0 @@
-NAME=efgs
-DEVICE=efgs
-TYPE=Ethernet
-ONBOOT=yes
-BOOTPROTO=static
-IPADDR0=84.2.25.202
-PREFIX0=28
-IPADDR1=192.168.210.1
-PREFIX1=24
-DEFROUTE=no
-IPV4_FAILURE_FATAL=no
-IPV6INIT=yes
-IPV6_AUTOCONF=yes
-IPV6_DEFROUTE=yes
-IPV6_PEERDNS=yes
-IPV6_PEERROUTES=yes
-IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0 b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0
deleted file mode 100644
index eaa509b..0000000
--- a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0
+++ /dev/null
@@ -1,15 +0,0 @@
-NAME=eth0
-DEVICE=eth0
-TYPE=Ethernet
-ONBOOT=yes
-BOOTPROTO=static
-IPADDR=192.168.173.254
-PREFIX=24
-DEFROUTE=no
-IPV4_FAILURE_FATAL=no
-IPV6INIT=yes
-IPV6_AUTOCONF=yes
-IPV6_DEFROUTE=yes
-IPV6_PEERDNS=yes
-IPV6_PEERROUTES=yes
-IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/route-eth0 b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/route-eth0
deleted file mode 100644
index f0f9015..0000000
--- a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/route-eth0
+++ /dev/null
@@ -1,11 +0,0 @@
-#10.228.0.0/16 via 192.168.173.1 dev eth0
-#192.168.42.0/24 via 192.168.173.1 dev eth0
-#192.168.43.0/24 via 192.168.173.1 dev eth0
-10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
-192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
-192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
-10.228.0.0/16 via 192.168.173.1 dev eth0 table static
-192.168.42.0/24 via 192.168.173.1 dev eth0 table static
-192.168.43.0/24 via 192.168.173.1 dev eth0 table static
-default via 192.168.65.254 dev efgd table dynamic
-default via 84.2.25.193 dev efgs table static
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/rule-eth0 b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/rule-eth0
deleted file mode 100644
index 31adc78..0000000
--- a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/network-scripts/rule-eth0
+++ /dev/null
@@ -1,7 +0,0 @@
-from 10.228.109.236 lookup static
-from 10.228.109.253 lookup static
-from 192.168.173.64 lookup static
-from 192.168.173.174 lookup static
-from 192.168.173.249 lookup static
-from 192.168.173.252 lookup static
-from 192.168.173.253 lookup static
diff --git a/sources/efg.pm.f30/postinstall/install/etc/sysconfig/nftables.conf b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/nftables.conf
new file mode 100644
index 0000000..b25a4e2
--- /dev/null
+++ b/sources/efg.pm.f30/postinstall/install/etc/sysconfig/nftables.conf
@@ -0,0 +1 @@
+include /etc/nftables/efg.nft
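Review bot: The new `/etc/sysconfig/nftables.conf` includes `/etc/nftables/efg.nft`, a file that only exists after `firstboot/10_setupnftables.sh` has written it from `nft list ruleset`; if `nftables.service` starts before that script has run, or the write there fails, `nft -f` stops on the missing include and the service fails, leaving the container with no ruleset instead of the intended `policy drop` chains. Including a committed copy of `nftables.config` from the postinstall tree, rather than a dump generated at first boot, removes the ordering dependency and keeps the defines and comments in the file that is actually loaded.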