From: Zoltán Felleg
Date: Tue, 5 Nov 2019 15:55:58 +0000 (+0100)
Subject: Added ifg.usr (cvm -> vhost migration, Fedora 31 upgrade).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=582fdc3bfba13655fc8eefe9286ced47392291ed;p=user-lxc.git

Added ifg.usr (cvm -> vhost migration, Fedora 31 upgrade).
---
diff --git a/sources/ifg.usr/config b/sources/ifg.usr/config
new file mode 100644
index 0000000..2b075cb
--- /dev/null
+++ b/sources/ifg.usr/config
@@ -0,0 +1,24 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = ifg.usr.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = bri-dev
+lxc.net.0.hwaddr = 02:0c:18:03:6d:fe
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.link = brh-dev
+lxc.net.1.hwaddr = 02:0c:18:03:ad:01
+
+lxc.autodev = 1
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 2
+lxc.start.delay = 3
diff --git a/sources/ifg.usr/envvars b/sources/ifg.usr/envvars
new file mode 100644
index 0000000..5eb2281
--- /dev/null
+++ b/sources/ifg.usr/envvars
@@ -0,0 +1,4 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=31
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils logrotate rootfiles rsyslog tar vim-minimal"
+SPEC_PACKAGES="ethtool nftables radvd tcpdump"
diff --git a/sources/ifg.usr/firstboot/01_setupnetworking.sh b/sources/ifg.usr/firstboot/01_setupnetworking.sh
new file mode 100755
index 0000000..3c31156
--- /dev/null
+++ b/sources/ifg.usr/firstboot/01_setupnetworking.sh
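Review bot: The interface names the rest of the commit depends on are not pinned in this config: there is no `lxc.net.0.name` / `lxc.net.1.name`, while 01_setupnetworking.sh binds its connections to `ifg` and `eth0`, nftables.config defines `INTERNAL_IF = ifg`, and the installed /etc/hosts maps 10.228.109.254 to `ifg`. Unless something outside this commit renames the veth inside the container, net.0 presumably shows up with LXC's default ethN name and no `ifg` device exists, so the `internal` connection cannot come up and every `iifname $INTERNAL_IF` rule matches nothing. Adding `lxc.net.0.name = ifg` and `lxc.net.1.name = eth0` next to the respective hwaddr lines makes the mapping explicit. There is also no `lxc.idmap` entry, so unless common.conf supplies one this forwarding container runs privileged; if that is intentional, a comment saying so would help the next reader.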
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active NetworkManager.service
+ NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+# wait for two network connections
+CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+CYCLES_WAITED=0
+while [ $CONNECTION_DEVICES_UP -lt 2 ]
+do
+ if [ $CYCLES_WAITED -ge 10 ]
+ then
+ nmcli connection show
+ exit 1
+ fi
+ sleep 1
+ CYCLES_WAITED=$(( $CYCLES_WAITED + 1 ))
+ CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+done
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -gt 0 ]
+do
+ CONNECTION_LINE=$(nmcli --terse connection show | head -n 1)
+ CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+ nmcli connection delete uuid "$CONNECTION_UUID"
+ CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+INTERNAL_DEVICE=ifg
+PM_DEVICE=eth0
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id internal \
+ connection.interface-name $INTERNAL_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "10.228.109.254/16, 192.168.42.254/24, 192.168.43.254/24" \
+ ipv4.dns "10.228.109.104, 10.228.109.253" \
+ ipv4.dns-search "usr.user.hu" \
+ ipv4.method "manual" \
+ ipv4.routes "172.16.223.0/24 10.228.109.236, 10.162.104.0/24 10.228.109.236" \
+ save yes
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id perimeter \
+ connection.interface-name $PM_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "192.168.173.1/24" \
+ ipv4.gateway "192.168.173.254" \
+ ipv4.method "manual" \
+ save yes
+
+nmcli connection show
diff --git a/sources/ifg.usr/firstboot/02_settimezone.sh b/sources/ifg.usr/firstboot/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
+++ b/sources/ifg.usr/firstboot/02_settimezone.sh
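Review bot: The NetworkManager wait loop at the top of the script has no upper bound, so a container where the service never becomes active hangs firstboot forever, while the connection wait loop just below it gives up after 10 cycles; 02_settimezone.sh has the same unbounded loop on dbus.service. Turning `WAITED` into a counter with `WAITED=$((WAITED + 1))`, adding `[ "$WAITED" -ge 30 ] && { echo "NetworkManager.service not active" >&2; exit 1; }` inside the loop, and changing the trailing test to `[ $WAITED -ne 0 ] && echo` (as 02_settimezone.sh already writes it) bounds it. The connection-removal loop extracts the UUID through unquoted `echo $CONNECTION_LINE | cut`, which breaks on connection names that contain whitespace or a colon; `CONNECTION_UUID=$(nmcli --terse --fields UUID connection show | head -n 1)` reads the UUID column directly. `echo -n` is not portable under `#!/bin/sh`; `printf '%s' .` is.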
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/ifg.usr/firstboot/10_setupnftables.sh b/sources/ifg.usr/firstboot/10_setupnftables.sh
new file mode 100755
index 0000000..2f32506
--- /dev/null
+++ b/sources/ifg.usr/firstboot/10_setupnftables.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+nft list ruleset
+nft list ruleset | grep ^table | sed 's/ {$//' | while read TABLE_SPEC
+do
+ nft flush $TABLE_SPEC
+ nft delete $TABLE_SPEC
+done
+
+nft --echo --file $REAL_PATH/nftables.config
+nft list ruleset >/etc/nftables/ifg.nft
+
+systemctl enable nftables.service
diff --git a/sources/ifg.usr/firstboot/99_cleanup.sh b/sources/ifg.usr/firstboot/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/ifg.usr/firstboot/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ifg.usr/firstboot/nftables.config b/sources/ifg.usr/firstboot/nftables.config
new file mode 100644
index 0000000..6694a10
--- /dev/null
+++ b/sources/ifg.usr/firstboot/nftables.config
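Review bot: In 10_setupnftables.sh, `nft list ruleset >/etc/nftables/ifg.nft` runs whether or not the preceding `nft --echo --file` load succeeded, and the script has no `set -e`; because the flush/delete loop has already emptied the kernel ruleset, a syntax error in nftables.config persists an empty ruleset, which /etc/sysconfig/nftables.conf then includes at every boot with IP forwarding enabled and no drop policies in place. Guard the load with `nft --echo --file "$REAL_PATH/nftables.config" || exit 1` and quote the path derivation, `REAL_PATH=$(realpath "$(dirname "$0")")`. `$TABLE_SPEC` in the loop is deliberately unquoted so that "table inet ifg_filter" splits into arguments; a short comment saying so would stop a later cleanup from quoting it and breaking the flush.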
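Review bot: In firstboot/99_cleanup.sh, `echo rm -Rf $REAL_PATH` only prints the command, so the firstboot directory, including nftables.config and these scripts, stays on the container after provisioning; postinstall/99_cleanup.sh is the identical blob and has the same leftover. If the dry run is deliberate while the sequence is being tested, say so in a comment such as `# dry run: drop the leading echo once the firstboot sequence is trusted`. When it is armed, write it as `rm -Rf -- "${REAL_PATH:?}"` so an empty or unset variable cannot expand to a bare `rm -Rf`.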
@@ -0,0 +1,293 @@
+#!/usr/sbin/nft -f
+
+
+################################
+# interface definitions
+################################
+
+# internal interface
+define INTERNAL_IF = ifg
+
+# loopback interface
+define LOOPBACK_IF = lo
+
+# perimeter interface
+define PERIMETER_IF = eth0
+
+################################
+# address definitions
+################################
+
+# loopback address
+define LOOPBACK_IP = 127.0.0.1
+
+# public addresses
+define PUBLIC_EFG_IP = 194.149.40.146
+define PUBLIC_MX_IP = 194.149.40.147
+define PUBLIC_NS_IP = 194.149.40.148
+define PUBLIC_VPN_IP = 194.149.40.149
+define PUBLIC_WS_IP = 194.149.40.150
+define PUBLIC_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_IP_152 = 194.149.40.152
+define PUBLIC_IP_153 = 194.149.40.153
+define PUBLIC_IP_154 = 194.149.40.154
+define PUBLIC_IP_155 = 194.149.40.155
+define PUBLIC_IP_156 = 194.149.40.156
+define PUBLIC_RX300_IP = 194.149.40.157
+define PUBLIC_DL360E_IP = 194.149.40.158
+
+define PUBLIC_IP_194 = 84.2.25.194
+define PUBLIC_IP_195 = 84.2.25.195
+define PUBLIC_IP_196 = 84.2.25.196
+define PUBLIC_IP_197 = 84.2.25.197
+define PUBLIC_IP_198 = 84.2.25.198
+define PUBLIC_IP_199 = 84.2.25.199
+define PUBLIC_IP_200 = 84.2.25.200
+define PUBLIC_IP_201 = 84.2.25.201
+define PUBLIC_IP_202 = 84.2.25.202
+define PUBLIC_IP_203 = 84.2.25.203
+define PUBLIC_IP_204 = 84.2.25.204
+define PUBLIC_IP_205 = 84.2.25.205
+define PUBLIC_IP_206 = 84.2.25.206
+
+# efg address (perimeter network)
+define EFG_PERIMETER_IP = 192.168.173.254
+
+# service address (perimeter network)
+#define SVC_PERIMETER_IP = 192.168.173.253
+
+# transfer web server address (perimeter network)
+define XFR_PERIMETER_IP = 192.168.173.251
+
+# subversion address (perimeter network)
+#define SVN_PERIMETER_IP = 192.168.173.250
+
+# web server address (perimeter network)
+define WS_PERIMETER_IP = 192.168.173.249
+
+# perimeter name server address (perimeter network)
+define PNS_PERIMETER_IP = 192.168.173.174
+
+# external name server address (perimeter network)
+define ENS_PERIMETER_IP = 192.168.173.64
+
+# ifg address (perimeter network)
+define IFG_PERIMETER_IP = 192.168.173.1
+
+# ifg addresses (internal network)
+define IFG_USR_IP = 10.228.109.254
+define IFG_SR_IP = 192.168.42.254
+define IFG_IN_IP = 192.168.43.254
+
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IP = 10.228.62.193
+
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IP = 10.228.109.133
+
+# store address (internal network)
+define STORE_INTERNAL_IP = 10.228.109.250
+
+# service address (internal network)
+define SVC_INTERNAL_IP = 10.228.109.253
+
+# vpn address (internal network)
+define VPN_INTERNAL_IP = 10.228.109.236
+
+# primary name server address (internal network)
+define PNS_INTERNAL_IP = 10.228.109.174
+
+# internal name server address (internal network)
+define INS_INTERNAL_IP = 10.228.109.104
+
+# worksheet address (internal network)
+define WORKSHEET_SR_IP = 192.168.42.248
+
+################################
+# network definitions
+################################
+
+# internal networks
+define USR_NET = 10.228.0.0/16
+define SR_NET = 192.168.42.0/24
+define IN_NET = 192.168.43.0/24
+define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+
+# perimeter network
+define PERIMETER_NET = 192.168.173.0/24
+
+# vpn client network
+define VPN_NET = 172.16.223.0/24
+
+# peep-bo network
+define PEEP_BO_NET = 10.162.104.0/24
+
+################################
+# port definitions
+################################
+
+#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define WS_PORTS = { 80, 443 }
+
+
+################################
+# reset nftables
+################################
+
+create table inet ifg_filter
+create table ip ifg_nat
+
+create chain inet ifg_filter input { type filter hook input priority 0; policy drop; }
+create chain inet ifg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain inet ifg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+
+
+################################
+# NAT prerouting rules
+################################
+
+add rule ip ifg_nat prerouting \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
+ ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IP comment "Webserver access"
+
+
+################################
+# FILTER input rules
+################################
+
+add rule inet ifg_filter input \
+ ct state established \
+ ip protocol udp \
+ iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \
+ ip daddr $IFG_USR_IP udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+
+add rule inet ifg_filter input \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter input \
+ counter log prefix "INPUT"
+
+
+################################
+# FILTER forward rules
+################################
+
+add rule inet ifg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF \
+ oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \
+ counter accept comment "Established sessions"
+
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+ oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
+ counter accept comment "Internet access"
+
+add rule inet ifg_filter forward \
+ ct state new, established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ counter accept comment "Webserver access"
+
+add rule inet ifg_filter forward \
+ ct state new \
+ ip protocol udp \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 53 \
+ counter accept comment "DNS zone notification"
+
+add rule inet ifg_filter forward \
+ ct state new \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IP tcp dport 53 \
+ counter accept comment "DNS zone transfer requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ counter accept comment "DNS zone transfer replies"
+
+add rule inet ifg_filter forward \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ counter accept comment "Incoming VPN traffic"
+
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF \
+ oifname $INTERNAL_IF \
+ counter accept comment "Internal traffic"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IP tcp dport 80 \
+ counter accept comment "Redmine requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IP tcp sport 80 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Redmine replies"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IP tcp dport 8080 \
+ counter accept comment "MiniCRM requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IP tcp sport 8080 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "MiniCRM replies"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IP tcp dport 8079 \
+ counter accept comment "Worksheet requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IP tcp sport 8079 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Worksheet replies"
+
+add rule inet ifg_filter forward \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter forward \
+ counter log prefix "FORWARD"
+
+
+################################
+# FILTER output rules
+################################
+
+add rule inet ifg_filter output \
+ ct state new \
+ ip protocol udp \
+ ip saddr $IFG_USR_IP udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \
+ counter accept comment "DNS requests"
+
+add rule inet ifg_filter output \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter output \
+ counter log prefix "OUTPUT"
diff --git a/sources/ifg.usr/firstboot/traversal.txt b/sources/ifg.usr/firstboot/traversal.txt
new file mode 100644
index 0000000..97ebf2d
--- /dev/null
+++ b/sources/ifg.usr/firstboot/traversal.txt
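Review bot: `LOOPBACK_IF` and `LOOPBACK_IP` are defined but never used, and since the input and output chains both end in `policy drop` with only DNS and ICMP accepted, any local traffic over lo inside the container is dropped and logged. Adding `add rule inet ifg_filter input iifname $LOOPBACK_IF counter accept comment "Loopback"` and the matching `oifname $LOOPBACK_IF` rule in the output section, placed before the respective log rules, restores it. The three unconditional `counter log prefix "..."` rules carry no rate limit, so a burst of dropped packets turns into a log flood; `limit rate 10/minute burst 5 packets` in front of `log` bounds that, and a trailing space in the prefix (`"INPUT "`) keeps it from running into the kernel's `IN=` field. The envvars file installs radvd, yet the inet chains only accept `ip protocol icmp`, so if IPv6 is meant to be routed through this container, ICMPv6 (neighbour discovery at minimum) and an ip6 rule set still have to be added; presumably deferred, but worth a comment at the top of the file.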
@@ -0,0 +1,53 @@
+###############################
+ chain traversal
+ for all tables
+###############################
+
+ NETWORK
+ |
+ ______v_____
+ / raw \
+ | PREROUTING |
+ \____________/
+ |
+ ________ ______v_____
+ / mangle \ / mangle \
+ | INPUT |<- | PREROUTING |
+ \________/ | \____________/
+ | | |
+ ____v___ | ______v_____
+ / filter \ | / nat \
+ | INPUT | | | PREROUTING |
+ \________/ | \____________/
+ | | |
+ ____v____ | ____v___
+ | | | / \
+ | local | |__/ routing \__________
+ | process | \ decision / |
+ |_________| \________/ ____v____
+ | / mangle \
+ ___v____ | FORWARD |
+ / \ \_________/
+ / routing \ |
+ \ decision / ____v____
+ \________/ / filter \
+ | | FORWARD |
+ ____v___ ________ \_________/
+ / raw \ / \ |
+ | OUTPUT | / routing \ |
+ \________/ ->\ decision /<---------
+ | | \________/
+ ____v___ | |
+ / mangle \ | ______v______
+ | OUTPUT | | / mangle \
+ \________/ | | POSTROUTING |
+ | | \_____________/
+ ____v___ | |
+ / nat \ | ______v______
+ | OUTPUT | | / nat \
+ \________/ | | POSTROUTING |
+ | | \_____________/
+ ____v___ | |
+ / filter \ | v
+ | OUTPUT |-- NETWORK
+ \________/
diff --git a/sources/ifg.usr/postinstall/01_setownership.sh b/sources/ifg.usr/postinstall/01_setownership.sh
new file mode 100755
index 0000000..f2e6b94
--- /dev/null
+++ b/sources/ifg.usr/postinstall/01_setownership.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
diff --git a/sources/ifg.usr/postinstall/02_setpermissions.sh b/sources/ifg.usr/postinstall/02_setpermissions.sh
new file mode 100755
index 0000000..241386a
--- /dev/null
+++ b/sources/ifg.usr/postinstall/02_setpermissions.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
diff --git a/sources/ifg.usr/postinstall/03_installfiles.sh b/sources/ifg.usr/postinstall/03_installfiles.sh
new file mode 100755
index 0000000..f190caf
--- /dev/null
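Review bot: In 01_setownership.sh, `chown -R root.root $SOURCE_PATH/*` uses the legacy `.` owner/group separator and an unquoted glob that skips dot-files directly under `install/`; `chown -R root:root -- "$SOURCE_PATH"` covers the whole tree in one call. The nested substitution `REAL_PATH=$(dirname $(realpath $0))` is unquoted here and in every other postinstall and firstboot script of the commit; `REAL_PATH=$(dirname "$(realpath "$0")")` is the safe form if the container path ever contains whitespace.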
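Review bot: 02_setpermissions.sh assigns `REAL_PATH` and `SOURCE_PATH` and then does nothing, so the files 03_installfiles.sh later extracts under / keep whatever modes tar preserved from the source tree, and a reader cannot tell whether that is a decision or an unfinished step. Either add the intended `chmod` calls or a comment such as `# no mode changes needed yet; installed files keep the modes committed in install/` so the empty script is not mistaken for an oversight.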
+++ b/sources/ifg.usr/postinstall/03_installfiles.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+ --directory=$REAL_PATH \
+ --to-stdout \
+ install \
+ | tar --extract \
+ --backup \
+ --directory=/ \
+ --no-overwrite-dir \
+ --strip-components=1 \
+ --suffix=.orig
diff --git a/sources/ifg.usr/postinstall/10_setupservices.sh b/sources/ifg.usr/postinstall/10_setupservices.sh
new file mode 100755
index 0000000..5250ed4
--- /dev/null
+++ b/sources/ifg.usr/postinstall/10_setupservices.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+#systemctl enable iptables.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
diff --git a/sources/ifg.usr/postinstall/99_cleanup.sh b/sources/ifg.usr/postinstall/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/ifg.usr/postinstall/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ifg.usr/postinstall/install/etc/hosts b/sources/ifg.usr/postinstall/install/etc/hosts
new file mode 100644
index 0000000..98645cf
--- /dev/null
+++ b/sources/ifg.usr/postinstall/install/etc/hosts
@@ -0,0 +1,6 @@
+127.0.0.1 localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1 localhost6.localdomain6 localhost6
+
+10.228.109.254 ifg.usr.user.hu ifg
+192.168.42.254 ifg.sr.user.hu
+192.168.43.254 ifg.in.user.hu
diff --git a/sources/ifg.usr/postinstall/install/etc/resolv.conf b/sources/ifg.usr/postinstall/install/etc/resolv.conf
new file mode 100644
index 0000000..656e3f2
--- /dev/null
+++ b/sources/ifg.usr/postinstall/install/etc/resolv.conf
@@ -0,0 +1,4 @@
+nameserver 10.228.109.253
+nameserver 10.228.109.104
+domain usr.user.hu
+search usr.user.hu
diff --git a/sources/ifg.usr/postinstall/install/etc/sysconfig/nftables.conf b/sources/ifg.usr/postinstall/install/etc/sysconfig/nftables.conf
new file mode 100644
index 0000000..a6d184f
--- /dev/null
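Review bot: In 03_installfiles.sh the create side of the pipeline never names its archive: `--to-stdout` is an extract-mode option, so where the archive actually goes depends on tar's compiled-in default archive (stdout on common Linux builds, but not guaranteed); `--file=-` on both the `--create` and the `--extract` side makes the pipe explicit, and `--directory="$REAL_PATH"` should be quoted. This step runs as root and writes into /, with `--backup --suffix=.orig` leaving `.orig` copies beside every file it replaces (for instance /etc/resolv.conf.orig); a header comment stating that, and that `--strip-components=1` is what maps `install/etc/...` onto `/etc/...`, would save the next reader a trip through the tar manual.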
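Review bot: The static resolv.conf lists 10.228.109.253 before 10.228.109.104, while 01_setupnetworking.sh sets `ipv4.dns "10.228.109.104, 10.228.109.253"` on the internal connection; NetworkManager regenerates /etc/resolv.conf from the connection by default, so presumably this file is only effective until firstboot, after which the resolver order flips. Use one order in both places, or add a comment marking the file as a pre-NetworkManager fallback so the discrepancy is understood.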
+++ b/sources/ifg.usr/postinstall/install/etc/sysconfig/nftables.conf
@@ -0,0 +1 @@
+include "/etc/nftables/ifg.nft"
diff --git a/sources/ifg.usr/postinstall/install/etc/sysctl.d/01_ipforward.conf b/sources/ifg.usr/postinstall/install/etc/sysctl.d/01_ipforward.conf
new file mode 100644
index 0000000..05b3f78
--- /dev/null
+++ b/sources/ifg.usr/postinstall/install/etc/sysctl.d/01_ipforward.conf
@@ -0,0 +1 @@
+net.ipv4.conf.all.forwarding = 1
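Review bot: Only `net.ipv4.conf.all.forwarding` is enabled in 01_ipforward.conf; with radvd in SPEC_PACKAGES, IPv6 routing looks intended, but `net.ipv6.conf.all.forwarding = 1` is absent and the nftables ruleset in this commit has no IPv6 rules either, so the two halves are consistent only if IPv6 is out of scope. If it is, a one-line comment in this file saying so settles the question; if it is not, the sysctl and the ip6 rules should land together so forwarding is never enabled ahead of the filter.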