From: Zoltán Felleg Date: Thu, 15 Apr 2021 16:21:55 +0000 (+0200) Subject: Updated ifg.in (continued implementing ipv6). X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=68fd1aa7d6ce65be3dc195a074c8d03651c64068;p=user-lxc.git Updated ifg.in (continued implementing ipv6).
---
diff --git a/sources/ifg.in/firstboot/01_setupnetworking.sh b/sources/ifg.in/firstboot/01_setupnetworking.sh
index a969a48..4820c9c 100755
--- a/sources/ifg.in/firstboot/01_setupnetworking.sh
+++ b/sources/ifg.in/firstboot/01_setupnetworking.sh
@@ -72,3 +72,5 @@ nmcli connection add \
 save yes
 nmcli connection show
+
+sysctl --load=/etc/sysctl.d/01_ipforward.conf
diff --git a/sources/ifg.in/firstboot/nftables.config b/sources/ifg.in/firstboot/nftables.config
index c02de0a..71835a1 100644
--- a/sources/ifg.in/firstboot/nftables.config
+++ b/sources/ifg.in/firstboot/nftables.config
@@ -61,7 +61,8 @@ define ENS_PERIMETER_IP = 192.168.173.64
 define IFG_PERIMETER_IP = 192.168.173.1
 # ifg addresses (internal network)
-define IFG_USR_IP = 10.228.109.254
+define IFG_INTERNAL_IP = 10.228.109.254
+define IFG_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfe
 define IFG_SR_IP = 192.168.42.254
 define IFG_IN_IP = 192.168.43.254
@@ -73,9 +74,11 @@ define MINICRM_INTERNAL_IP = 10.228.109.133
 # store address (internal network)
 define STORE_INTERNAL_IP = 10.228.109.250
+define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68
 # service address (internal network)
 define SVC_INTERNAL_IP = 10.228.109.253
+define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
 # vpn address (internal network)
 define VPN_INTERNAL_IP = 10.228.109.236
@@ -85,6 +88,7 @@ define PNS_INTERNAL_IP = 10.228.109.174
 # internal name server address (internal network)
 define INS_INTERNAL_IP = 10.228.109.104
+define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
 # worksheet address (internal network)
 define WORKSHEET_SR_IP = 192.168.42.248
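Review bot: The added `sysctl --load=/etc/sysctl.d/01_ipforward.conf` relies on a file that nothing in this commit installs; if it is absent, sysctl reports an error and the outcome depends on whether the script runs under `set -e` (outside the hunk): either firstboot aborts or forwarding silently stays at its default. Judging by the file name the drop-in enables IP forwarding; if so it should run only after the nftables ruleset is loaded, so there is no window in which the host forwards between interfaces with no filter in place — where the ruleset is loaded is not visible from this hunk. A cheap guard is `test -r /etc/sysctl.d/01_ipforward.conf && sysctl --load=/etc/sysctl.d/01_ipforward.conf`, or simply `sysctl --system`, which applies every installed drop-in without depending on this one file name.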
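Review bot: Renaming `IFG_USR_IP` to `IFG_INTERNAL_IP` here (and `USR_NET` to `INTERNAL_NET` in the `@@ -94,13 +98,15 @@` hunk) is only complete if no rule outside the visible hunks still references the old names; nft rejects the entire file on an undefined symbol, so a single missed `$IFG_USR_IP` would leave whatever ruleset was previously loaded in force at firstboot. A `grep -n 'USR_IP\|USR_NET' nftables.config` before merging, or an `nft -c -f nftables.config` check, would confirm the rename is exhaustive.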
@@ -94,13 +98,15 @@ define WORKSHEET_SR_IP = 192.168.42.248
 ################################
 # internal networks
-define USR_NET = 10.228.0.0/16
+define INTERNAL_NET = 10.228.0.0/16
+define INTERNAL_NET_IPV6 = 2a02:d400:0000:f268::/64
 define SR_NET = 192.168.42.0/24
 define IN_NET = 192.168.43.0/24
-define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+define INTERNAL_NETS = { $INTERNAL_NET, $SR_NET, $IN_NET }
 # perimeter network
 define PERIMETER_NET = 192.168.173.0/24
+define PERIMETER_NET_IPV6 = 2a02:d400:0000:f2ad::/64
 # vpn client network
 define VPN_NET = 172.16.223.0/24
@@ -148,7 +154,12 @@ add rule inet ifg_filter input \
 ct state established \
 ip protocol udp \
 iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \
- ip daddr $IFG_USR_IP udp dport 1024-65535 \
+ ip daddr $IFG_INTERNAL_IP udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+add rule inet ifg_filter input \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp sport 53 \
+ ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
 counter accept comment "DNS replies"
 add rule inet ifg_filter input \
@@ -189,11 +200,20 @@ add rule inet ifg_filter forward \
 iifname $PERIMETER_IF \
 oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \
 counter accept comment "Established sessions"
+add rule inet ifg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF \
+ oifname $INTERNAL_IF ip6 daddr $INTERNAL_NET_IPV6 \
+ counter accept comment "Established sessions"
 add rule inet ifg_filter forward \
 iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
 oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
 counter accept comment "Internet access"
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF ip6 saddr $INTERNAL_NET_IPV6 \
+ oifname $PERIMETER_IF \
+ counter accept comment "Internet access"
 add rule inet ifg_filter forward \
 ct state new, established \
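Review bot: The new IPv6 "DNS replies" rule omits the transport-protocol match that the IPv4 rule next to it spells out as `ip protocol udp \`; the same holds for the IPv6 "DNS requests" rule in the `@@ -305,9 +325,14 @@` hunk. Behaviour is unchanged, because `udp sport`/`udp dport` make nft add the `meta l4proto udp` dependency implicitly, but the two address families now read differently for no reason. If the explicit line is kept on the v4 side, the correct v6 counterpart is `meta l4proto udp \` rather than `ip6 nexthdr udp`, which only inspects the first next-header field and misses packets carrying extension headers.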
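Review bot: The added IPv6 "Internet access" forward rule (`iifname $INTERNAL_IF ip6 saddr $INTERNAL_NET_IPV6 oifname $PERIMETER_IF`) has no destination exclusion, whereas the IPv4 rule beside it carries `ip daddr != $PERIMETER_NET`; the commit defines `PERIMETER_NET_IPV6` but never uses it, so internal hosts can reach perimeter-network hosts over IPv6 through a rule that deliberately does not grant that for IPv4. Changing the line to `oifname $PERIMETER_IF ip6 daddr != $PERIMETER_NET_IPV6 \` restores the same boundary. Because these internal addresses are globally routable rather than NATed, the established/related rule above is what keeps unsolicited inbound v6 closed; nothing in this hunk accepts ICMPv6 in the forward chain, so if no rule elsewhere in the file does, path MTU discovery for v6 flows will fail — worth confirming.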
@@ -305,9 +325,14 @@ add rule inet ifg_filter forward \
 add rule inet ifg_filter output \
 ct state new \
 ip protocol udp \
- ip saddr $IFG_USR_IP udp sport 1024-65535 \
+ ip saddr $IFG_INTERNAL_IP udp sport 1024-65535 \
 oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \
 counter accept comment "DNS requests"
+add rule inet ifg_filter output \
+ ct state new \
+ ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp dport 53 \
+ counter accept comment "DNS requests"
 add rule inet ifg_filter output \
 ip protocol icmp \