From: Zoltán Felleg
Date: Tue, 8 Jan 2019 10:46:54 +0000 (+0100)
Subject: Added efg.pm.f29.
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=79026bb19a0a49dfd39510c13ae81f7564b3ac23;p=user-lxc.git

Added efg.pm.f29.
---
diff --git a/sources/cvmb.usr.f29/01_setupnetworking.sh b/sources/cvmb.usr.f29/01_setupnetworking.sh
new file mode 100755
index 0000000..df80106
--- /dev/null
+++ b/sources/cvmb.usr.f29/01_setupnetworking.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+
+CONNECTION_LINE=$(nmcli --terse connection show | grep '^internal:')
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+
+USR_DEVICE=internal
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id internal \
+ connection.interface-name $USR_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "10.228.92.52/16" \
+ ipv4.dns "10.228.109.104, 10.228.109.253" \
+ ipv4.dns-search "usr.user.hu" \
+ ipv4.gateway "10.228.109.254" \
+ ipv4.method "manual" \
+ ipv6.method "ignore" \
+ save yes
+
+nmcli connection show
diff --git a/sources/efg.pm.f29/config b/sources/efg.pm.f29/config
new file mode 100644
index 0000000..4a11c89
--- /dev/null
+++ b/sources/efg.pm.f29/config
@@ -0,0 +1,27 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = efg.pm.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = brh
+lxc.net.0.hwaddr = 02:0c:18:03:ad:fe
+
+lxc.net.1.type = phys
+lxc.net.1.flags = up
+lxc.net.1.link = efgd
+
+lxc.net.2.type = phys
+lxc.net.2.flags = up
+lxc.net.2.link = efgs
+
+lxc.autodev = 1
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 1
+lxc.start.delay = 3
diff --git a/sources/efg.pm.f29/envvars b/sources/efg.pm.f29/envvars
new file mode 100644
index 0000000..ca29584
--- /dev/null
+++ b/sources/efg.pm.f29/envvars
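Review bot: `CONNECTION_UUID` is empty whenever no connection named `internal` exists yet, and the script then runs `nmcli connection delete uuid ""` — which errors — and carries on regardless, since there is no `set -e` and no check on the value. Guard the delete with `[ -n "$CONNECTION_UUID" ] && nmcli connection delete uuid "$CONNECTION_UUID"`, and quote `$USR_DEVICE` in the `connection.interface-name` argument for consistency with the other quoted values. A failed `nmcli connection add` would likewise go unnoticed at first boot; at minimum check its exit status before the final `nmcli connection show`.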
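Review bot: `lxc.mount.auto = proc:rw sys:ro` overrides the `proc:mixed` default that common.conf applies, so /proc/sys is writable from inside the container; with no `lxc.idmap` lines in this config the container appears to be privileged, in which case a compromise of this internet-facing gateway could set host-wide sysctls (kernel.*, vm.*, fs.*). If the only requirement is network sysctls such as `net.ipv4.ip_forward`, `lxc.mount.auto = proc:mixed sys:ro` should suffice, since LXC re-exposes the namespaced /proc/sys/net read-write in mixed mode while the rest of /proc/sys stays read-only — worth verifying on the LXC version in use. Note also that the two `phys` interfaces hand real host NICs to the container, so the host loses them entirely while the container runs; a one-line comment stating that this is intended would help the next maintainer.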
@@ -0,0 +1,2 @@
+BASE_PACKAGES="NetworkManager NetworkManager-dispatcher-routing-rules hostname initscripts iproute iputils rootfiles rsyslog tar vim-minimal"
+SPEC_PACKAGES="authselect iptables iptables-services"
diff --git a/sources/efg.pm.f29/firstboot/01_setupnetworking.sh b/sources/efg.pm.f29/firstboot/01_setupnetworking.sh
new file mode 100755
index 0000000..f1c81e4
--- /dev/null
+++ b/sources/efg.pm.f29/firstboot/01_setupnetworking.sh
@@ -0,0 +1,105 @@ +#!/bin/sh +set -x + + +sleep 1 +systemctl --quiet is-active NetworkManager.service +NM_RC=$? +WAITED=0 +while [ $NM_RC -ne 0 ] +do + echo -n . + sleep 1 + WAITED=1 + systemctl --quiet is-active NetworkManager.service + NM_RC=$? +done +[ $WAITED -eq 1 ] && echo + +CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l) +while [ $CONNECTION_DEVICES_UP -lt 3 ] +do + sleep 1 + nmcli --terse connection show + CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l) +done + +DYNAMIC_DEVICE=efgd +STATIC_DEVICE=efgs +PM_DEVICE=eth0 + +CONNECTIONS=$(nmcli --terse connection show | wc -l) +while [ $CONNECTIONS -gt 0 ] +do + CONNECTION_LINE=$(nmcli --terse connection show | head -n 1) + CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':') + nmcli connection delete uuid "$CONNECTION_UUID" + CONNECTIONS=$(nmcli --terse connection show | wc -l) +done + +#CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${PM_DEVICE}$") +#CONNECTION_LINE_DYNAMIC=$(nmcli --terse connection show | grep ":${DYNAMIC_DEVICE}$") +#CONNECTION_LINE_STATIC=$(nmcli --terse connection show | grep ":${STATIC_DEVICE}$") +#CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':') +#CONNECTION_UUID_DYNAMIC=$(echo $CONNECTION_LINE_DYNAMIC | cut -f 2 -d ':') +#CONNECTION_UUID_STATIC=$(echo $CONNECTION_LINE_STATIC | cut -f 2 -d ':') + +#nmcli connection delete uuid "$CONNECTION_UUID_PM" +#nmcli connection delete uuid "$CONNECTION_UUID_DYNAMIC" +#nmcli connection delete uuid "$CONNECTION_UUID_STATIC" + +nmcli connection show + +nmcli connection add \ + connection.autoconnect yes \ + connection.id perimeter \ + connection.interface-name $PM_DEVICE \ + connection.type 802-3-ethernet \ + ipv4.addresses "192.168.173.254/24" \ + ipv4.dns "192.168.173.174" \ + ipv4.dns-search "pm.user.hu" \ + ipv4.method "manual" \ + ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \ + save yes + 
+nmcli connection show + +nmcli connection add \ + connection.autoconnect yes \ + connection.id dynamic \ + connection.interface-name $DYNAMIC_DEVICE \ + connection.type 802-3-ethernet \ + ipv4.addresses "192.168.65.1/24" \ + ipv4.gateway "192.168.65.254" \ + ipv4.method "manual" \ + save yes + +nmcli connection show + +nmcli connection add \ + connection.autoconnect yes \ + connection.id static \ + connection.interface-name $STATIC_DEVICE \ + connection.type 802-3-ethernet \ + ipv4.addresses "84.2.25.202/28, 192.168.210.1/24" \ + ipv4.method "manual" \ + save yes + +nmcli connection show + +ip rule add from 10.228.109.236 lookup static +ip rule add from 10.228.109.253 lookup static +ip rule add from 192.168.173.64 lookup static +ip rule add from 192.168.173.174 lookup static +ip rule add from 192.168.173.249 lookup static +ip rule add from 192.168.173.252 lookup static +ip rule add from 192.168.173.253 lookup static + +ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic +ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic +ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic +ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table static +ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table static +ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table static +ip route add default via 192.168.65.254 dev efgd table dynamic +ip route add default via 84.2.25.193 dev efgs table static diff --git a/sources/efg.pm.f29/firstboot/02_ldap_setup.sh b/sources/efg.pm.f29/firstboot/02_ldap_setup.sh new file mode 100755 index 0000000..5cb0824 --- /dev/null +++ b/sources/efg.pm.f29/firstboot/02_ldap_setup.sh @@ -0,0 +1,13 @@ +#!/bin/sh + + +exit 0 +REAL_PATH=$(realpath $(dirname $0)) + + +authconfig --enableldap \ + --enableldapauth \ + --ldapserver=ldap.usr.user.hu \ + --ldapbasedn="dc=user,dc=hu" \ + --enablemkhomedir \ + --update 
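Review bot: The `ip rule add … lookup static` and `ip route add … table dynamic|static` block at the end of the script runs once at first boot and is not persisted anywhere, so after the first reboot the policy routing that steers the perimeter hosts out of `efgs` is gone and their traffic falls back to the `dynamic` connection's default gateway; as far as the rules in 11_iptables_set_efg_rules.sh show, their SNAT and FORWARD rules only match `--out-interface efgs`, so this fails closed rather than leaking, but the outage is silent. `NetworkManager-dispatcher-routing-rules` is already in BASE_PACKAGES — move these into `rule-<name>` / `route-<name>` files next to the generated `ifcfg-<name>` so they are re-applied on every interface up. Unlike the cvmb script, none of the three `nmcli connection add` calls here sets `ipv6.method "ignore"`, so `efgs`/`efgd` may autoconfigure IPv6 while every firewall script in this commit is IPv4-only; add that line to each. The wait loops at the top (`while [ $NM_RC -ne 0 ]`, `while [ $CONNECTION_DEVICES_UP -lt 3 ]`) have no upper bound and will hang first boot indefinitely if a link stays down.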
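Review bot: The unconditional `exit 0` on the fourth line makes the whole script a no-op, so LDAP login is silently never configured and the `authconfig` call below is dead code — either delete the file or replace the `exit 0` with a comment explaining why it is disabled. If it is ever re-enabled as written, `--enableldap --enableldapauth` without `--enableldaptls` would send bind passwords to `ldap.usr.user.hu` in cleartext across the perimeter network; add `--enableldaptls` (or an `ldaps://` server URI) and a pinned CA. `authconfig` is also deprecated on Fedora 28+ in favour of `authselect`, which SPEC_PACKAGES already installs, so the modern equivalent is `authselect select sssd with-mkhomedir` plus an sssd.conf with `ldap_id_use_start_tls = true`.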
diff --git a/sources/efg.pm.f29/firstboot/02_settimezone.sh b/sources/efg.pm.f29/firstboot/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
+++ b/sources/efg.pm.f29/firstboot/02_settimezone.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/efg.pm.f29/firstboot/10_iptables_reset.sh b/sources/efg.pm.f29/firstboot/10_iptables_reset.sh
new file mode 100755
index 0000000..f63b04d
--- /dev/null
+++ b/sources/efg.pm.f29/firstboot/10_iptables_reset.sh
@@ -0,0 +1,68 @@ +#!/bin/sh + + +REAL_PATH=$(realpath $(dirname $0)) + +################################ +# definitions +################################ +source $REAL_PATH/definitions + + +################################ +# delete all user-defined chains of all tables +$IPTABLES --table filter --delete-chain +$IPTABLES --table nat --delete-chain +$IPTABLES --table mangle --delete-chain +$IPTABLES --table raw --delete-chain + +################################ +# flush all chains of all tables +$IPTABLES --table filter --flush INPUT +$IPTABLES --table filter --flush FORWARD +$IPTABLES --table filter --flush OUTPUT +$IPTABLES --table nat --flush PREROUTING +$IPTABLES --table nat --flush INPUT +$IPTABLES --table nat --flush OUTPUT +$IPTABLES --table nat --flush POSTROUTING +$IPTABLES --table mangle --flush PREROUTING +$IPTABLES --table mangle --flush INPUT +$IPTABLES --table mangle --flush FORWARD +$IPTABLES --table mangle --flush OUTPUT +$IPTABLES --table mangle --flush POSTROUTING +$IPTABLES --table raw --flush PREROUTING +$IPTABLES --table raw --flush OUTPUT + +################################ +# reset counters for all chains of all tables +$IPTABLES --table filter --zero INPUT +$IPTABLES --table filter --zero FORWARD +$IPTABLES --table filter --zero OUTPUT +$IPTABLES --table nat --zero PREROUTING +$IPTABLES --table nat --zero INPUT +$IPTABLES --table nat --zero OUTPUT +$IPTABLES --table nat --zero POSTROUTING +$IPTABLES --table mangle --zero PREROUTING +$IPTABLES --table mangle --zero INPUT +$IPTABLES --table mangle --zero FORWARD +$IPTABLES --table mangle --zero OUTPUT +$IPTABLES --table mangle --zero POSTROUTING +$IPTABLES --table raw --zero PREROUTING +$IPTABLES --table raw --zero OUTPUT + +################################ +# set the default policy for all chains of all tables +$IPTABLES --table filter --policy INPUT DROP +$IPTABLES --table filter --policy FORWARD DROP +$IPTABLES --table filter --policy OUTPUT DROP +$IPTABLES --table nat --policy PREROUTING 
ACCEPT +$IPTABLES --table nat --policy INPUT ACCEPT +$IPTABLES --table nat --policy OUTPUT ACCEPT +$IPTABLES --table nat --policy POSTROUTING ACCEPT +$IPTABLES --table mangle --policy PREROUTING ACCEPT +$IPTABLES --table mangle --policy INPUT ACCEPT +$IPTABLES --table mangle --policy FORWARD ACCEPT +$IPTABLES --table mangle --policy OUTPUT ACCEPT +$IPTABLES --table mangle --policy POSTROUTING ACCEPT +$IPTABLES --table raw --policy PREROUTING ACCEPT +$IPTABLES --table raw --policy OUTPUT ACCEPT diff --git a/sources/efg.pm.f29/firstboot/11_iptables_set_efg_rules.sh b/sources/efg.pm.f29/firstboot/11_iptables_set_efg_rules.sh new file mode 100755 index 0000000..ad6a36f --- /dev/null +++ b/sources/efg.pm.f29/firstboot/11_iptables_set_efg_rules.sh 
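Review bot: The default policies are switched to DROP only at the very end, after every chain has already been flushed, so between the `--flush` block and the `--policy … DROP` lines the filter table is wide open under whatever policy was in force before (ACCEPT on a fresh install) — move the three `$IPTABLES --table filter --policy INPUT|FORWARD|OUTPUT DROP` lines to the top of the script so the reset fails closed. The `--delete-chain` calls also run before the flushes, and `-X` refuses to delete a non-empty user chain, so a populated custom chain would survive the reset; flush first, and flush without a chain name (`$IPTABLES --table filter --flush`) so user-defined chains are emptied as well. Nothing in this commit touches `ip6tables`, whose policies therefore stay ACCEPT; either mirror this script with `/sbin/ip6tables` or make sure IPv6 is disabled on the external interfaces.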
@@ -0,0 +1,539 @@ +#!/bin/sh +#set -x + + +REAL_PATH=$(realpath $(dirname $0)) + +################################ +# definitions +################################ +source $REAL_PATH/definitions + + +################################ +# nat PREROUTING rules +# dnat openvpn packets +# from the internet +# to the internal vpn host +$IPTABLES --table nat --append PREROUTING \ + --match comment \ + --comment "openvpn -> internal vpn host" \ + --protocol udp \ + --in-interface $EXTERNAL_IF_STATIC \ + --destination $PUBLIC_IP_202 \ + --destination-port 1194 \ + --jump DNAT --to-destination $VPN_INTERNAL_IP +# dnat smtp packets +# from the internet +# to the perimeter svc host +$IPTABLES --table nat --append PREROUTING \ + --match comment \ + --comment "smtp -> perimeter service host" \ + --protocol tcp \ + --in-interface $EXTERNAL_IF_STATIC \ + --destination $PUBLIC_IP_202 \ + --destination-port 25 \ + --jump DNAT --to-destination $SVC_PERIMETER_IP +# dnat dns packets +# from the internet +# to the perimeter external name server host +$IPTABLES --table nat --append PREROUTING \ + --match comment \ + --comment "dns (udp) -> perimeter name server host" \ + --protocol udp \ + --in-interface $EXTERNAL_IF_STATIC \ + --destination $PUBLIC_IP_202 \ + --destination-port 53 \ + --jump DNAT --to-destination $ENS_PERIMETER_IP +# dnat dns packets +# from the internet +# to the perimeter external name server host +$IPTABLES --table nat --append PREROUTING \ + --match comment \ + --comment "dns (tcp) -> perimeter name server host" \ + --protocol tcp \ + --in-interface $EXTERNAL_IF_STATIC \ + --destination $PUBLIC_IP_202 \ + --destination-port 53 \ + --jump DNAT --to-destination $ENS_PERIMETER_IP +# dnat http and https packets +# from the internet +# to the perimeter web server host +$IPTABLES --table nat --append PREROUTING \ + --match comment \ + --comment "http, https -> perimeter www host" \ + --protocol tcp \ + --in-interface $EXTERNAL_IF_STATIC \ + --destination $PUBLIC_IP_202 \ + 
--match multiport \ + --destination-ports 80,443 \ + --jump DNAT --to-destination $WS_PERIMETER_IP +## dnat http and https packets +## from the internet +## to the perimeter whmcs host +#$IPTABLES --table nat --append PREROUTING \ +# --match comment \ +# --comment "http, https -> perimeter whmcs host" \ +# --protocol tcp \ +# --in-interface $EXTERNAL_IF_194 \ +# --destination $PUBLIC_IP \ +# --match multiport \ +# --destination-ports 80,443 \ +# --jump DNAT --to-destination $WHMCS_PERIMETER_IP + +################################ +# filter INPUT rules +# allow dns replies +# from the perimeter ns host +$IPTABLES --table filter --append INPUT \ + --match comment \ + --comment "dns replies <- pns.pm" \ + --match conntrack \ + --ctstate ESTABLISHED \ + --protocol udp \ + --in-interface $PERIMETER_IF \ + --source $PNS_PERIMETER_IP \ + --source-port 53 \ + --destination $EFG_PERIMETER_IP \ + --destination-port 1024:65535 \ + --jump ACCEPT +# allow ssh packets +# from the usr, sr and in networks +$IPTABLES --table filter --append INPUT \ + --match comment \ + --comment "ssh from the usr, sr and in networks" \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --source-port 1024:65535 \ + --destination $EFG_PERIMETER_IP \ + --destination-port 22 \ + --jump ACCEPT +# allow icmp packets +# from anywhere +$IPTABLES --table filter --append INPUT \ + --protocol icmp \ + --jump ACCEPT +# allow packets +# from the loopback address +# to the loopback address +$IPTABLES --table filter --append INPUT \ + --in-interface $LOOPBACK_IF \ + --source $LOOPBACK_IP \ + --destination $LOOPBACK_IP \ + --jump ACCEPT + +################################ +# filter FORWARD rules +# forward packets +# of established sessions +# from the internet +# to the usr, sr and in networks +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "established sessions to the usr, sr and in networks" \ + --match conntrack \ + --ctstate 
ESTABLISHED,RELATED \ + --in-interface ${EXTERNAL_IF_PREFIX}+ \ + --out-interface $PERIMETER_IF \ + --destination ${USR_NET},${SR_NET},$IN_NET \ + --jump ACCEPT +# forward packets +# from the usr, sr and in networks +# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "from the usr, sr and in networks" \ + --in-interface $PERIMETER_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --out-interface ${EXTERNAL_IF_PREFIX}+ \ + --jump ACCEPT +# forward openvpn packets +# from the internet +# to the internal vpn host +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "openvpn -> internal openvpn host" \ + --protocol udp \ + --in-interface $EXTERNAL_IF_STATIC \ + --out-interface $PERIMETER_IF \ + --destination $VPN_INTERNAL_IP \ + --destination-port 1194 \ + --jump ACCEPT +# forward smtp and dns requests +# from the internet +# to the perimeter svc host +#$IPTABLES --table filter --append FORWARD \ +# --match comment \ +# --comment "smtp, dns -> perimeter service host" \ +# --protocol tcp \ +# --in-interface $EXTERNAL_IF_STATIC \ +# --out-interface $PERIMETER_IF \ +# --destination $SVC_PERIMETER_IP \ +# --match multiport \ +# --destination-ports 25,53 \ +# --jump ACCEPT +# forward smtp and dns replies +# of established sessions +# from the perimeter svc host +# to the internet +#$IPTABLES --table filter --append FORWARD \ +# --match comment \ +# --comment "perimeter service host smtp, dns replies" \ +# --protocol tcp \ +# --match conntrack \ +# --ctstate ESTABLISHED \ +# --in-interface $PERIMETER_IF \ +# --source $SVC_PERIMETER_IP \ +# --match multiport \ +# --source-ports 25,53 \ +# --out-interface $EXTERNAL_IF_STATIC \ +# --jump ACCEPT +# forward http and https requests +# from the internet +# to the perimeter web server host +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "http, https -> perimeter web server host" \ + --protocol tcp \ + --in-interface $EXTERNAL_IF_STATIC \ 
+ --out-interface $PERIMETER_IF \ + --destination $WS_PERIMETER_IP \ + --match multiport \ + --destination-ports 80,443 \ + --jump ACCEPT +# forward http and https replies +# of established sessions +# from the perimeter web server host +# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "perimeter web server host http, https replies" \ + --protocol tcp \ + --match conntrack \ + --ctstate ESTABLISHED \ + --in-interface $PERIMETER_IF \ + --source $WS_PERIMETER_IP \ + --match multiport \ + --source-ports 80,443 \ + --out-interface $EXTERNAL_IF_STATIC \ + --jump ACCEPT +## forward http and https requests +## from the internet +## to the perimeter whmcs host +#$IPTABLES --table filter --append FORWARD \ +# --match comment \ +# --comment "http, https -> perimeter whmcs host" \ +# --protocol tcp \ +# --in-interface $EXTERNAL_IF_194 \ +# --out-interface $PERIMETER_IF \ +# --destination $WHMCS_PERIMETER_IP \ +# --match multiport \ +# --destination-ports 80,443 \ +# --jump ACCEPT +## forward http and https replies +## of established sessions +## from the perimeter whmcs host +## to the internet +#$IPTABLES --table filter --append FORWARD \ +# --match comment \ +# --comment "perimeter whmcs host http, https replies" \ +# --protocol tcp \ +# --match conntrack \ +# --ctstate ESTABLISHED \ +# --in-interface $PERIMETER_IF \ +# --source $WHMCS_PERIMETER_IP \ +# --match multiport \ +# --source-ports 80,443 \ +# --out-interface $EXTERNAL_IF_194 \ +# --jump ACCEPT +# forward dns requests and notifications +# from the internet +# to the external name server host +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns requests from internet (udp) -> ens.pm" \ + --protocol udp \ + --in-interface $EXTERNAL_IF_STATIC \ + --source-port 1024:65535 \ + --out-interface $PERIMETER_IF \ + --destination $ENS_PERIMETER_IP \ + --destination-port 53 \ + --jump ACCEPT +# forward dns replies +# from the external name server host 
+# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns replies from ens.pm (udp) -> internet" \ + --match conntrack \ + --ctstate ESTABLISHED,RELATED \ + --protocol udp \ + --in-interface $PERIMETER_IF \ + --source $ENS_PERIMETER_IP \ + --source-port 53 \ + --out-interface $EXTERNAL_IF_STATIC \ + --destination-port 1024:65535 \ + --jump ACCEPT +# forward dns requests +# from the external and perimeter name server hosts +# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns requests from (e|p)ns.pm (udp) -> internet" \ + --protocol udp \ + --in-interface $PERIMETER_IF \ + --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ + --source-port 1024:65535 \ + --out-interface $EXTERNAL_IF_STATIC \ + --destination-port 53 \ + --jump ACCEPT +# forward dns replies +# from the internet +# to the external and perimeter name server hosts +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns replies (udp) -> (e|p)ns.pm" \ + --match conntrack \ + --ctstate ESTABLISHED,RELATED \ + --protocol udp \ + --in-interface $EXTERNAL_IF_STATIC \ + --source-port 53 \ + --out-interface $PERIMETER_IF \ + --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ + --destination-port 1024:65535 \ + --jump ACCEPT +# forward dns requests +# from the internet +# to the external name server host +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns requests (tcp) -> ens.pm" \ + --protocol tcp \ + --in-interface $EXTERNAL_IF_STATIC \ + --source-port 1024:65535 \ + --out-interface $PERIMETER_IF \ + --destination $ENS_PERIMETER_IP \ + --destination-port 53 \ + --jump ACCEPT +# forward dns replies +# of established sessions +# from the external name server host +# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns replies from ens.pm (tcp) -> internet" \ + --match conntrack \ + --ctstate ESTABLISHED \ + --protocol tcp \ 
+ --in-interface $PERIMETER_IF \ + --source $ENS_PERIMETER_IP \ + --source-port 53 \ + --out-interface $EXTERNAL_IF_STATIC \ + --destination-port 1024:65535 \ + --jump ACCEPT +# forward dns requests +# from the external and perimeter name server hosts +# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns requests from (e|p)ns.pm -> internet" \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ + --source-port 1024:65535 \ + --out-interface $EXTERNAL_IF_STATIC \ + --destination-port 53 \ + --jump ACCEPT +# forward dns replies +# of established sessions +# from the internet +# to the external and perimeter name server hosts +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns replies (tcp) -> (e|p)ns.pm" \ + --match conntrack \ + --ctstate ESTABLISHED \ + --protocol tcp \ + --in-interface $EXTERNAL_IF_STATIC \ + --source-port 53 \ + --out-interface $PERIMETER_IF \ + --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ + --destination-port 1024:65535 \ + --jump ACCEPT +# forward smtp, dns, http and https requests +# from the perimeter svc host +# to the internet +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source $SVC_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --match multiport \ + --destination-ports 25,53,80,443 \ + --jump ACCEPT +# forward smtp, dns, http and https replies +# of established sessions +# from the internet +# to the perimeter svc host +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --match conntrack \ + --ctstate ESTABLISHED \ + --in-interface $EXTERNAL_IF_STATIC \ + --match multiport \ + --source-ports 25,53,80,443 \ + --out-interface $PERIMETER_IF \ + --destination $SVC_PERIMETER_IP \ + --jump ACCEPT +# forward http and https requests +# from the perimeter web server host +# to the internet +$IPTABLES --table filter --append FORWARD \ + 
--match comment \ + --comment "perimeter ws host http, https requests (let's encrypt)" \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source $WS_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --match multiport \ + --destination-ports 80,443 \ + --jump ACCEPT +# forward http and https replies +# of established sessions +# from the internet +# to the perimeter web server host +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "perimeter ws host http, https replies (let's encrypt)" \ + --protocol tcp \ + --match conntrack \ + --ctstate ESTABLISHED \ + --in-interface $EXTERNAL_IF_STATIC \ + --match multiport \ + --source-ports 80,443 \ + --out-interface $PERIMETER_IF \ + --destination $WS_PERIMETER_IP \ + --jump ACCEPT +# forward http and https requests +# from the perimeter whmcs host +# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "perimeter whmcs host http, https requests (let's encrypt)" \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source $WHMCS_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --match multiport \ + --destination-ports 80,443 \ + --jump ACCEPT +# forward http and https replies +# of established sessions +# from the internet +# to the perimeter whmcs host +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "perimeter whmcs host http, https replies (let's encrypt)" \ + --protocol tcp \ + --match conntrack \ + --ctstate ESTABLISHED \ + --in-interface $EXTERNAL_IF_STATIC \ + --match multiport \ + --source-ports 80,443 \ + --out-interface $PERIMETER_IF \ + --destination $WHMCS_PERIMETER_IP \ + --jump ACCEPT +# forward icmp packets +# from anywhere +# to anywhere +$IPTABLES --table filter --append FORWARD \ + --protocol icmp \ + --jump ACCEPT + +################################ +# filter OUTPUT rules +# allow dns requests +# to the perimeter name server host +$IPTABLES --table filter --append OUTPUT \ + --match 
comment \ + --comment "dns requests -> pns.pm" \ + --match conntrack \ + --ctstate NEW \ + --protocol udp \ + --source $EFG_PERIMETER_IP \ + --source-port 1024:65535 \ + --out-interface $PERIMETER_IF \ + --destination $PNS_PERIMETER_IP \ + --destination-port 53 \ + --jump ACCEPT +# allow ssh packets +# of established sessions +# to the usr, sr and in networks +$IPTABLES --table filter --append OUTPUT \ + --protocol tcp \ + --match conntrack \ + --ctstate ESTABLISHED \ + --source $EFG_PERIMETER_IP \ + --source-port 22 \ + --out-interface $PERIMETER_IF \ + --destination ${USR_NET},${SR_NET},$IN_NET \ + --jump ACCEPT +# allow icmp packets +# to anywhere +$IPTABLES --table filter --append OUTPUT \ + --protocol icmp \ + --jump ACCEPT +# allow packets +# from the loopback address +# to the loopback address +$IPTABLES --table filter --append OUTPUT \ + --source $LOOPBACK_IP \ + --out-interface $LOOPBACK_IF \ + --destination $LOOPBACK_IP \ + --jump ACCEPT + +################################ +# nat POSTROUTING rules +# snat packets +# from the usr, sr and in networks +$IPTABLES --table nat --append POSTROUTING \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --out-interface $EXTERNAL_IF_DYNAMIC \ + --jump SNAT --to-source $DYNAMIC_MANAGEMENT_IP +# snat packets +# from the usr, sr and in networks +$IPTABLES --table nat --append POSTROUTING \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --out-interface $EXTERNAL_IF_STATIC \ + --jump SNAT --to-source $PUBLIC_IP_202 +# snat packets +# from the perimeter svc host +$IPTABLES --table nat --append POSTROUTING \ + --source $SVC_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --jump SNAT --to-source $PUBLIC_IP_202 +# snat packets +# from the perimeter web server host +$IPTABLES --table nat --append POSTROUTING \ + --source $WS_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --jump SNAT --to-source $PUBLIC_IP_202 +# snat packets +# from the perimeter whmcs host +$IPTABLES --table nat --append POSTROUTING \ + --source 
$WHMCS_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --jump SNAT --to-source $PUBLIC_IP_202 +# snat packets +# from the perimeter name server host (perimeter network) +$IPTABLES --table nat --append POSTROUTING \ + --source $PNS_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --jump SNAT --to-source $PUBLIC_IP_202 +# snat packets +# from the external name server host (perimeter network) +$IPTABLES --table nat --append POSTROUTING \ + --source $ENS_PERIMETER_IP \ + --out-interface $EXTERNAL_IF_STATIC \ + --jump SNAT --to-source $PUBLIC_IP_202 diff --git a/sources/efg.pm.f29/firstboot/12_iptables_log_dropped.sh b/sources/efg.pm.f29/firstboot/12_iptables_log_dropped.sh new file mode 100755 index 0000000..87311ad --- /dev/null +++ b/sources/efg.pm.f29/firstboot/12_iptables_log_dropped.sh @@ -0,0 +1,18 @@ +#!/bin/sh +#set -x + +################################ +# iptables command +IPTABLES=/sbin/iptables + +################################ +# log packets reaching the default policy rules in the filter table +$IPTABLES --table filter --append INPUT \ + --jump LOG \ + --log-prefix 'filter INPUT: ' +$IPTABLES --table filter --append FORWARD \ + --jump LOG \ + --log-prefix 'filter FORWARD: ' +$IPTABLES --table filter --append OUTPUT \ + --jump LOG \ + --log-prefix 'filter OUTPUT: ' diff --git a/sources/efg.pm.f29/firstboot/13_iptables_save.sh b/sources/efg.pm.f29/firstboot/13_iptables_save.sh new file mode 100755 index 0000000..85932f3 --- /dev/null +++ b/sources/efg.pm.f29/firstboot/13_iptables_save.sh @@ -0,0 +1,4 @@ +#!/bin/sh +#set -x + +/sbin/iptables-save >/etc/sysconfig/iptables diff --git a/sources/efg.pm.f29/firstboot/20_routing_setup.sh.old b/sources/efg.pm.f29/firstboot/20_routing_setup.sh.old new file mode 100755 index 0000000..9e2c4eb --- /dev/null +++ b/sources/efg.pm.f29/firstboot/20_routing_setup.sh.old 
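Review bot: The three bare `--protocol icmp --jump ACCEPT` rules (at the end of the INPUT, FORWARD and OUTPUT sections) accept every ICMP type on every interface, including unsolicited ICMP from the internet forwarded into the perimeter and internal networks; restrict them to `--icmp-type echo-request` and add a generic `--match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT`, which also covers the ICMP errors conntrack already associates with existing flows. The `smtp -> perimeter service host` DNAT in nat PREROUTING has no matching FORWARD rule (the one for `$SVC_PERIMETER_IP` is commented out), so inbound port 25 is rewritten and then dropped and logged by the default policy — remove the DNAT or restore the FORWARD rule so the state of the service is deliberate. Building the rule set from dozens of separate `$IPTABLES` invocations also means a failure half-way leaves a partial policy in force; generating an `iptables-restore` file and loading it atomically would be safer. `source $REAL_PATH/definitions` is a bashism under `#!/bin/sh` (use `.`) and `$REAL_PATH` should be quoted.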
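Review bot: The three `--jump LOG` rules have no rate limit, so every packet that reaches the DROP policy — on an internet-facing interface that is continuous background noise — produces a kernel log line, which lets any remote host fill the gateway's disk through rsyslog and drown real events. Prefix each with `--match limit --limit 5/min --limit-burst 10` (or `hashlimit` per source address) and set an explicit `--log-level`. This script also re-defines `IPTABLES=/sbin/iptables` instead of sourcing `definitions` like its siblings; keep one source of truth.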
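Review bot: `/sbin/iptables-save >/etc/sysconfig/iptables` creates the file with the current umask if it does not already exist, so the full rule set — which spells out the internal address plan and which hosts are reachable on which ports — can end up world-readable unless the iptables-services default file (mode 0600) is already in place; write it as `( umask 077; /sbin/iptables-save >/etc/sysconfig/iptables )` or follow with `chmod 600 /etc/sysconfig/iptables`. There is no `ip6tables-save` counterpart, so whatever ip6tables state exists is not persisted by this step.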
@@ -0,0 +1,50 @@
+#!/bin/sh
+set -x
+
+REAL_PATH=$(realpath $(dirname $0))
+
+source $REAL_PATH/definitions
+
+
+#echo '65 dynamic' >>/etc/iproute2/rt_tables
+#echo '210 static' >>/etc/iproute2/rt_tables
+
+ip a
+ip r
+
+# normal routes (table main)
+#ip route add 212.40.120.172 via 192.168.43.161 dev eth0
+#ip route add 212.40.120.173 via 192.168.43.210 dev eth0
+
+# default route for dynamic
+#ip route add default via 192.168.65.254 dev $EXTERNAL_IF_DYNAMIC table dynamic
+
+# default route for static
+#ip route add default via 84.2.25.193 dev $EXTERNAL_IF_STATIC table static
+
+# normal routes for dynamic
+#ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
+#ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
+#ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
+
+# normal routes for static
+#ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table static
+#ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table static
+#ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table static
+
+# source routes for dynamic
+#ip rule add from $USR_NET lookup table dynamic
+#ip rule add from $SR_NET lookup table dynamic
+
+# source routes for static
+# do NOT use network addresses!!!
+#ip rule add from $SVC_PERIMETER_IP lookup static
+#ip rule add from $WWW_PERIMETER_IP lookup static
+#ip rule add from $NS_PERIMETER_IP lookup static
+#ip rule add from $VPN_INTERNAL_IP lookup static
+#ip rule add from $IN_NET lookup static
+#ip rule add from 192.168.43.176/28 lookup epc201
+#ip rule add from 192.168.43.1 lookup epc201
+
+# flush cache
+ip route flush cache
diff --git a/sources/efg.pm.f29/firstboot/99_cleanup.sh b/sources/efg.pm.f29/firstboot/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/efg.pm.f29/firstboot/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
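Review bot: `echo rm -Rf $REAL_PATH` only prints the command, so the firstboot directory — including `definitions`, which lays out the whole internal address plan, and the complete firewall rule source — stays on the gateway indefinitely. If this is a deliberate dry run, say so in a comment (`# dry run: remove the echo once the firstboot sequence is trusted`); when it is made real, write it as `rm -rf -- "${REAL_PATH:?}"` so an empty or unset path cannot turn into `rm -rf /`, and quote `"$(realpath "$0")"`. The same pattern is repeated verbatim in `postinstall/99_cleanup.sh`.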
diff --git a/sources/efg.pm.f29/firstboot/definitions b/sources/efg.pm.f29/firstboot/definitions new file mode 100644 index 0000000..9b46e0d --- /dev/null +++ b/sources/efg.pm.f29/firstboot/definitions 
@@ -0,0 +1,102 @@ +################################ +# iptables command +################################ +IPTABLES=/sbin/iptables + +################################ +# interfaces +################################ + +# external interfaces +EXTERNAL_IF_PREFIX=efg +EXTERNAL_IF_DYNAMIC=${EXTERNAL_IF_PREFIX}d +EXTERNAL_IF_STATIC=${EXTERNAL_IF_PREFIX}s + +# loopback interface +LOOPBACK_IF=lo + +# perimeter interface +PERIMETER_IF=eth0 + +################################ +# addresses +################################ + +# loopback address +LOOPBACK_IP=127.0.0.1 + +# public address +PUBLIC_IP_194=84.2.25.194 +PUBLIC_IP_195=84.2.25.195 +PUBLIC_IP_196=84.2.25.196 +PUBLIC_IP_197=84.2.25.197 +PUBLIC_IP_198=84.2.25.198 +PUBLIC_IP_199=84.2.25.199 +PUBLIC_IP_200=84.2.25.200 +PUBLIC_IP_201=84.2.25.201 +PUBLIC_IP_202=84.2.25.202 +PUBLIC_IP_203=84.2.25.203 +PUBLIC_IP_204=84.2.25.204 +PUBLIC_IP_205=84.2.25.205 +PUBLIC_IP_206=84.2.25.206 + +# modem management addresses +DYNAMIC_MANAGEMENT_IP=192.168.65.1 +STATIC_MANAGEMENT_IP=192.168.210.1 + +# modem/gateway addresses +DYNAMIC_GATEWAY_IP=192.168.65.254 +STATIC_GATEWAY_IP=84.2.25.193 + +# efg address (perimeter network) +EFG_PERIMETER_IP=192.168.173.254 + +# service address (perimeter network) +SVC_PERIMETER_IP=192.168.173.253 + +# transfer server address (perimeter network) +XFR_PERIMETER_IP=192.168.173.251 + +# whmcs server address (perimeter network) +WHMCS_PERIMETER_IP=192.168.173.250 + +# web server address (perimeter network) +WS_PERIMETER_IP=192.168.173.249 + +# subversion address (perimeter network) +SVN_PERIMETER_IP=192.168.173.249 + +# perimeter name server address (perimeter network) +PNS_PERIMETER_IP=192.168.173.174 + +# external name server address (perimeter network) +ENS_PERIMETER_IP=192.168.173.64 + +# ifg address (perimeter network) +IFG_PERIMETER_IP=192.168.173.1 + +# ipg addresses (internal network) +IFG_USR_IP=10.228.109.254 +IFG_SR_IP=192.168.42.254 +IFG_IN_IP=192.168.43.254 + +# service address (internal 
network) +SVC_INTERNAL_IP=10.228.109.253 + +# vpn address (internal network) +VPN_INTERNAL_IP=10.228.109.236 + +################################ +# networks +################################ + +# internal networks +USR_NET=10.228.0.0/16 +SR_NET=192.168.42.0/24 +IN_NET=192.168.43.0/24 + +# perimeter network +PERIMETER_NET=192.168.173.0/24 + +# vpn client network +VPN_NET=172.16.223.0/24 diff --git a/sources/efg.pm.f29/firstboot/traversal.txt b/sources/efg.pm.f29/firstboot/traversal.txt new file mode 100644 index 0000000..97ebf2d --- /dev/null +++ b/sources/efg.pm.f29/firstboot/traversal.txt @@ -0,0 +1,53 @@ +############################### + chain traversal + for all tables +############################### + + NETWORK + | + ______v_____ + / raw \ + | PREROUTING | + \____________/ + | + ________ ______v_____ + / mangle \ / mangle \ + | INPUT |<- | PREROUTING | + \________/ | \____________/ + | | | + ____v___ | ______v_____ + / filter \ | / nat \ + | INPUT | | | PREROUTING | + \________/ | \____________/ + | | | + ____v____ | ____v___ + | | | / \ + | local | |__/ routing \__________ + | process | \ decision / | + |_________| \________/ ____v____ + | / mangle \ + ___v____ | FORWARD | + / \ \_________/ + / routing \ | + \ decision / ____v____ + \________/ / filter \ + | | FORWARD | + ____v___ ________ \_________/ + / raw \ / \ | + | OUTPUT | / routing \ | + \________/ ->\ decision /<--------- + | | \________/ + ____v___ | | + / mangle \ | ______v______ + | OUTPUT | | / mangle \ + \________/ | | POSTROUTING | + | | \_____________/ + ____v___ | | + / nat \ | ______v______ + | OUTPUT | | / nat \ + \________/ | | POSTROUTING | + | | \_____________/ + ____v___ | | + / filter \ | v + | OUTPUT |-- NETWORK + \________/ diff --git a/sources/efg.pm.f29/postinstall/01_setownership.sh b/sources/efg.pm.f29/postinstall/01_setownership.sh new file mode 100755 index 0000000..5590180 --- /dev/null +++ b/sources/efg.pm.f29/postinstall/01_setownership.sh 
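Review bot: `WS_PERIMETER_IP` and `SVN_PERIMETER_IP` are both `192.168.173.249`, so either two services share one host or one entry is stale — worth a comment either way, because the firewall rules key on `WS_PERIMETER_IP` and a later change to one variable would silently open or close the other's traffic. Since this file is `source`d by root at first boot, mark the assignments `readonly` (e.g. `readonly PUBLIC_IP_202=84.2.25.202`) so a typo in a later script cannot redefine an address mid-run, and make sure the firstboot directory itself is root-owned and not group/world-writable. The header `# ipg addresses (internal network)` looks like a typo for `ifg`, judging by the `IFG_*` variable names under it.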
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
+
+chgrp ssh_keys $SOURCE_PATH/etc/ssh/*_key
diff --git a/sources/efg.pm.f29/postinstall/02_setpermissions.sh b/sources/efg.pm.f29/postinstall/02_setpermissions.sh
new file mode 100755
index 0000000..c8c018c
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/02_setpermissions.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chmod 400 $SOURCE_PATH/etc/ssh/*_key
+chmod 444 $SOURCE_PATH/etc/ssh/*.pub
diff --git a/sources/efg.pm.f29/postinstall/03_installfiles.sh b/sources/efg.pm.f29/postinstall/03_installfiles.sh
new file mode 100755
index 0000000..f190caf
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/03_installfiles.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+ --directory=$REAL_PATH \
+ --to-stdout \
+ install \
+ | tar --extract \
+ --backup \
+ --directory=/ \
+ --no-overwrite-dir \
+ --strip-components=1 \
+ --suffix=.orig
diff --git a/sources/efg.pm.f29/postinstall/10_setupservices.sh b/sources/efg.pm.f29/postinstall/10_setupservices.sh
new file mode 100755
index 0000000..80c2db2
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/10_setupservices.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl enable iptables.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
diff --git a/sources/efg.pm.f29/postinstall/99_cleanup.sh b/sources/efg.pm.f29/postinstall/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/efg.pm.f29/postinstall/install/etc/hosts b/sources/efg.pm.f29/postinstall/install/etc/hosts
new file mode 100644
index 0000000..278fb43
--- /dev/null
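Review bot: `REAL_PATH=$(dirname $(realpath $0))` and the `$SOURCE_PATH/*` glob in 01_setownership.sh are unquoted, so a postinstall directory whose path contains whitespace splits into several arguments and `chown -R root.root` / `chgrp ssh_keys` act on the wrong paths; 02_setpermissions.sh, 03_installfiles.sh and 99_cleanup.sh in this commit repeat the same `REAL_PATH` pattern. `root.root` is the legacy dot form; `chown -R root:root -- "$SOURCE_PATH"/*` is the documented syntax and the `--` also stops a path starting with `-` from being read as an option. Neither 01 nor 02 sets `set -e` after `#!/bin/sh`, so a failed `chown` or `chmod` does not prevent the later install step from copying the host keys into `/etc/ssh` with whatever ownership or mode they happened to have; `set -e` on the line after the shebang makes the sequence fail closed.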
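Review bot: `--to-stdout` in 03_installfiles.sh is an extraction option, so the `--create` side is writing to tar's compiled-in default archive rather than to the pipe by explicit choice; on Fedora that default is presumably `-` (which is why this works at all), but `--file=-` on both the `--create` and the `--extract` side states the intent and keeps the pipeline working with a tar built with a different default. Under `#!/bin/sh` the exit status of the pipeline is only that of the extracting tar, so a failure on the create side is silent and the script still returns 0; `set -e` plus a check of the status, or `#!/bin/bash` with `set -o pipefail`, would surface it. A header comment would also help a reader who does not know the tar flags, e.g. `# overlay ./install onto / as root; existing files are kept as *.orig`.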
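Review bot: `echo rm -Rf $REAL_PATH` in 99_cleanup.sh only prints the command, so the cleanup step is a no-op as committed; if the dry run is deliberate, say so, e.g. `# dry run: drop the echo once the postinstall flow has been verified`. Once the `echo` is removed, the unquoted, unguarded expansion is the risky part: an empty `REAL_PATH` would turn the line into `rm -Rf` with no target and a path containing spaces into several targets. `rm -Rf -- "${REAL_PATH:?}"` aborts on an empty value and passes the path as a single argument.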
+++ b/sources/efg.pm.f29/postinstall/install/etc/hosts
@@ -0,0 +1,4 @@
+127.0.0.1 localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1 localhost6.localdomain6 localhost6
+
+192.168.173.254 efg.pm.user.hu efg
diff --git a/sources/efg.pm.f29/postinstall/install/etc/iproute2/rt_tables b/sources/efg.pm.f29/postinstall/install/etc/iproute2/rt_tables
new file mode 100644
index 0000000..41d5b37
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/iproute2/rt_tables
@@ -0,0 +1,13 @@
+#
+# reserved values
+#
+255 local
+254 main
+253 default
+0 unspec
+#
+# local
+#
+#1 inr.ruhep
+65 dynamic
+210 static
diff --git a/sources/efg.pm.f29/postinstall/install/etc/resolv.conf b/sources/efg.pm.f29/postinstall/install/etc/resolv.conf
new file mode 100644
index 0000000..1a69e03
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/resolv.conf
@@ -0,0 +1,3 @@
+nameserver 192.168.173.174
+domain pm.user.hu
+search pm.user.hu
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd
new file mode 100644
index 0000000..389bbbd
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgd
@@ -0,0 +1,16 @@
+NAME=efgd
+DEVICE=efgd
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR=192.168.65.1
+PREFIX=24
+GATEWAY=192.168.65.254
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs
new file mode 100644
index 0000000..9613b3e
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-efgs
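Review bot: the `donotuse.` prefix presumably keeps this file out of the `ifcfg-*` set that network-scripts and NetworkManager read, yet it is still installed into /etc/sysconfig/network-scripts with `IPV6INIT=yes`, `IPV6_AUTOCONF=yes` and `IPV6_DEFROUTE=yes` on the external, modem-facing interface; donotuse.ifcfg-efgs and donotuse.ifcfg-eth0 in the next hunks carry the same settings. The variables file added earlier in this commit describes efgd/efgs only in IPv4 terms, so someone renaming this file into service would get an IPv6 default route the rest of the configuration does not appear to account for. If these are reference copies, a first line such as `# reference only: not read by network-scripts; efgd is configured by the firstboot script` documents that, and otherwise `IPV6INIT=no` is the safer shipped default.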
@@ -0,0 +1,17 @@
+NAME=efgs
+DEVICE=efgs
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR0=84.2.25.202
+PREFIX0=28
+IPADDR1=192.168.210.1
+PREFIX1=24
+DEFROUTE=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0 b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0
new file mode 100644
index 0000000..eaa509b
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/donotuse.ifcfg-eth0
@@ -0,0 +1,15 @@
+NAME=eth0
+DEVICE=eth0
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR=192.168.173.254
+PREFIX=24
+DEFROUTE=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/route-eth0 b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/route-eth0
new file mode 100644
index 0000000..f0f9015
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/route-eth0
@@ -0,0 +1,11 @@
+#10.228.0.0/16 via 192.168.173.1 dev eth0
+#192.168.42.0/24 via 192.168.173.1 dev eth0
+#192.168.43.0/24 via 192.168.173.1 dev eth0
+10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic
+192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic
+192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic
+10.228.0.0/16 via 192.168.173.1 dev eth0 table static
+192.168.42.0/24 via 192.168.173.1 dev eth0 table static
+192.168.43.0/24 via 192.168.173.1 dev eth0 table static
+default via 192.168.65.254 dev efgd table dynamic
+default via 84.2.25.193 dev efgs table static
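Review bot: the last two lines of route-eth0 install default routes with `dev efgd` and `dev efgs` from a file keyed to eth0; route-<ifname> files are applied when that interface comes up, so if eth0 is brought up before efgd or efgs those two `ip route add` calls fail and the dynamic/static tables are left without a default route, while the six eth0 routes above succeed. Either move the two defaults into `route-efgd` / `route-efgs` so each is applied when its own device exists, or add a comment stating the ordering guarantee relied on (`# efgd/efgs are phys devices passed into the container and exist before eth0 is configured`, if that is the case). The three commented-out `dev eth0` routes are dead configuration that git history already holds and could be dropped.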
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/rule-eth0 b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/rule-eth0
new file mode 100644
index 0000000..31adc78
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/sysconfig/network-scripts/rule-eth0
@@ -0,0 +1,7 @@
+from 10.228.109.236 lookup static
+from 10.228.109.253 lookup static
+from 192.168.173.64 lookup static
+from 192.168.173.174 lookup static
+from 192.168.173.249 lookup static
+from 192.168.173.252 lookup static
+from 192.168.173.253 lookup static
diff --git a/sources/efg.pm.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf b/sources/efg.pm.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf
new file mode 100644
index 0000000..05b3f78
--- /dev/null
+++ b/sources/efg.pm.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf
@@ -0,0 +1 @@
+net.ipv4.conf.all.forwarding = 1
diff --git a/sources/ifg.usr.f29/envvars b/sources/ifg.usr.f29/envvars
index e6552b4..03031a0 100644
--- a/sources/ifg.usr.f29/envvars
+++ b/sources/ifg.usr.f29/envvars
@@ -1,4 +1,2 @@
-#BASE_PACKAGES="NetworkManager initscripts openssh-server openssh-clients openssh-ldap rootfiles rsyslog sudo tar vim-minimal"
-#SPEC_PACKAGES="authselect iptables iptables-services openldap-clients nss-pam-ldapd pam_ssh passwd"
-BASE_PACKAGES="NetworkManager initscripts rootfiles rsyslog tar"
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils rootfiles rsyslog tar vim-minimal"
 SPEC_PACKAGES="iptables iptables-services"
diff --git a/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh b/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh
index e94cd12..f8c1498 100755
--- a/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh
+++ b/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh
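Review bot: `from 192.168.173.252 lookup static` names a perimeter host that is not among the `*_PERIMETER_IP` values the variables file in this commit defines (.254, .253, .251, .250, .249, .174, .64, .1), so it is either an undocumented host or a typo for one of them; the other six sources do each match a defined variable. Since route-eth0 in this commit already relies on `#` lines being skipped, a comment line naming the host before each rule (`# svc`, `# pns`, `# ens`, …) would let the next reader check this list against the variables file. The file sends only these sources to the static table and everything else falls through to the main/dynamic lookup, which looks intended but deserves one comment saying so.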
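Review bot: `net.ipv4.conf.all.forwarding = 1` turns the container into a router, but the drop-in sets nothing else; a gateway sitting between a public uplink and internal networks normally also pins `net.ipv4.conf.all.rp_filter = 1`, `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.send_redirects = 0` in the same file, unless those are set elsewhere in the image (not visible in this commit). A comment giving the reason would also help, e.g. `# efg forwards between the perimeter network and the efgd/efgs uplinks`.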
@@ -15,32 +15,40 @@ do
 done
 [ $WAITED -eq 1 ] && echo
-nmcli --terse connection show | grep ':$' >/dev/null
-CONNECTION_DEVICES_UP=$?
-while [ $CONNECTION_DEVICES_UP -eq 0 ]
+# wait for two network connections
+CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+CYCLES_WAITED=0
+while [ $CONNECTION_DEVICES_UP -lt 2 ]
 do
+ if [ $CYCLES_WAITED -ge 10 ]
+ then
+ nmcli connection show
+ exit 1
+ fi
 sleep 1
- nmcli --terse connection show | grep ':$' >/dev/null
- CONNECTION_DEVICES_UP=$?
+ CYCLES_WAITED=$(( $CYCLES_WAITED + 1 ))
+ CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
 done
 CONNECTIONS=$(nmcli --terse connection show | wc -l)
-if [ $CONNECTIONS -ne 2 ]
-then
- echo "Number of connections: $CONNECTIONS" >&2
- exit 1
-fi
+while [ $CONNECTIONS -gt 0 ]
+do
+ CONNECTION_LINE=$(nmcli --terse connection show | head -n 1)
+ CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+ nmcli connection delete uuid "$CONNECTION_UUID"
+ CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
 INTERNAL_DEVICE=ifg
 PM_DEVICE=eth0
-CONNECTION_LINE_INTERNAL=$(nmcli --terse connection show | grep ":${INTERNAL_DEVICE}$")
-CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${PM_DEVICE}$")
-CONNECTION_UUID_INTERNAL=$(echo $CONNECTION_LINE_INTERNAL | cut -f 2 -d ':')
-CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
+#CONNECTION_LINE_INTERNAL=$(nmcli --terse connection show | grep ":${INTERNAL_DEVICE}$")
+#CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${PM_DEVICE}$")
+#CONNECTION_UUID_INTERNAL=$(echo $CONNECTION_LINE_INTERNAL | cut -f 2 -d ':')
+#CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
-nmcli connection delete uuid "$CONNECTION_UUID_INTERNAL"
-nmcli connection delete uuid "$CONNECTION_UUID_PM"
+#nmcli connection delete uuid "$CONNECTION_UUID_INTERNAL"
+#nmcli connection delete uuid "$CONNECTION_UUID_PM"
 nmcli connection add \
 connection.autoconnect yes \
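Review bot: the new `while [ $CONNECTIONS -gt 0 ]` delete loop has no cycle bound, unlike the wait loop just above it, so a connection that `nmcli connection delete` cannot remove keeps the count above zero and the first-boot script spins forever re-running nmcli. Iterating once over the UUIDs and aborting on the first failed delete removes the infinite loop together with the unquoted `echo $CONNECTION_LINE | cut` step; `nmcli --terse --fields UUID connection show` prints one UUID per line and UUIDs contain no whitespace, so the loop below is safe under `#!/bin/sh`. The timeout branch prints `nmcli connection show` to stdout before `exit 1`, whereas the removed diagnostic went to stderr with `>&2`, which is where a first-boot log reader will look; `nmcli connection show >&2` keeps that. The four `#CONNECTION_LINE_…` and two `#nmcli connection delete` lines are dead code that git history already preserves and can be dropped. The script continues on both sides of this hunk.
```shell
# … unchanged: wait loop for two connections …
# delete every existing connection once; abort instead of looping forever
# when one of them cannot be removed
for CONNECTION_UUID in $(nmcli --terse --fields UUID connection show)
do
  nmcli connection delete uuid "$CONNECTION_UUID" || exit 1
done
# … unchanged: INTERNAL_DEVICE / PM_DEVICE assignments and nmcli connection add …
```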
diff --git a/sources/ws.pm.f29/envvars b/sources/ws.pm.f29/envvars
index 91bef48..1657c36 100644
--- a/sources/ws.pm.f29/envvars
+++ b/sources/ws.pm.f29/envvars
@@ -1,4 +1,2 @@
-#BASE_PACKAGES="NetworkManager initscripts openssh-server openssh-clients openssh-ldap rootfiles rsyslog sudo tar vim-minimal"
-#SPEC_PACKAGES="authselect httpd mod_ssl openldap-clients nss-pam-ldapd pam_ssh passwd python2-certbot-apache python3-certbot-apache"
-BASE_PACKAGES="NetworkManager initscripts rootfiles rsyslog tar"
-SPEC_PACKAGES="httpd mod_ssl python3-certbot-apache"
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils rootfiles rsyslog tar"
+SPEC_PACKAGES="httpd mailx mod_ssl php postfix python3-certbot-apache"