From: Zoltán Felleg
Date: Mon, 5 Aug 2019 08:58:05 +0000 (+0200)
Subject: Updated ifg.usr.f30 (removed iptables files, updated nft ip addresses).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=ab293fb1f3a1fb72c5be32fc772ceea040ecb070;p=user-lxc.git

Updated ifg.usr.f30 (removed iptables files, updated nft ip addresses).
---

diff --git a/sources/ifg.usr.f30/firstboot/03_setupldap.sh b/sources/ifg.usr.f30/firstboot/03_setupldap.sh
deleted file mode 100755
index 4b58626..0000000
--- a/sources/ifg.usr.f30/firstboot/03_setupldap.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-
-
-exit 0
-authselect select sssd with-mkhomedir --force
-
-cat >>/etc/openldap/ldap.conf </etc/nftables/ifg.nft
diff --git a/sources/ifg.usr.f30/firstboot/11_iptables_set_ifg_rules.sh b/sources/ifg.usr.f30/firstboot/11_iptables_set_ifg_rules.sh
deleted file mode 100755
index c1cc705..0000000
--- a/sources/ifg.usr.f30/firstboot/11_iptables_set_ifg_rules.sh
+++ /dev/null
@@ -1,414 +0,0 @@
-#!/bin/sh
-exit 0
-
-REAL_PATH=$(realpath $(dirname $0))
-
-################################
-# definitions
-################################
-source $REAL_PATH/definitions
-
-
-################################
-# nat PREROUTING rules
-# dnat ssh, smtp, imap and rsync packets
-# from the usr, sr and in networks
-# to the perimeter service host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "ssh, smtp, imap, rsync -> svc.pm" \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --destination $PUBLIC_IP_202 \
- --match multiport \
- --destination-ports 22,25,143,873 \
- --jump DNAT --to-destination $SVC_PERIMETER_IP
-# dnat http and https packets
-# from the usr, sr and in networks
-# to the perimeter web server host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "http(s) -> ws.pm" \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --destination $PUBLIC_IP_202 \
- --match multiport \
- --destination-ports 80,443 \
- --jump DNAT --to-destination $WS_PERIMETER_IP
-
-################################
-# filter INPUT rules
-# allow dns packets
-# from the internal svc host
-$IPTABLES --table filter --append INPUT \
- --match comment \
- --comment "dns replies <- svc" \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol udp \
- --in-interface $INTERNAL_IF \
- --source $SVC_INTERNAL_IP \
- --source-port 53 \
- --destination $IFG_USR_IP \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# allow ssh packets
-# from the usr, sr, in and vpn networks
-$IPTABLES --table filter --append INPUT \
- --match comment \
- --comment "ssh <- usr, sr, in, vpn networks" \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \
- --source-port 1024:65535 \
- --destination $IFG_USR_IP \
- --destination-port 22 \
- --jump ACCEPT
-# allow packets
-# from the loopback address
-# to the loopback address
-$IPTABLES --table filter --append INPUT \
- --in-interface $LOOPBACK_IF \
- --source $LOOPBACK_IP \
- --destination $LOOPBACK_IP \
- --jump ACCEPT
-# allow icmp packets
-# from anywhere
-$IPTABLES --table filter --append INPUT \
- --protocol icmp \
- --jump ACCEPT
-
-################################
-# filter FORWARD rules
-# forward packets
-# of established sessions
-# to the usr, sr and in networks
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "established sessions -> internal networks" \
- --match conntrack \
- --ctstate ESTABLISHED,RELATED \
- --in-interface $PERIMETER_IF \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# forward packets
-# from the usr, sr and in networks
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "usr network -> internet" \
- --in-interface $INTERNAL_IF \
- --source $USR_NET \
- --out-interface $PERIMETER_IF \
- ! --destination $PERIMETER_NET \
- --jump ACCEPT
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "sr network -> internet" \
- --in-interface $INTERNAL_IF \
- --source $SR_NET \
- --out-interface $PERIMETER_IF \
- ! --destination $PERIMETER_NET \
- --jump ACCEPT
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "in network -> internet" \
- --in-interface $INTERNAL_IF \
- --source $IN_NET \
- --out-interface $PERIMETER_IF \
- ! --destination $PERIMETER_NET \
- --jump ACCEPT
-# forward ssh, smtp, imap and rsync requests
-# from the usr, sr and in networks
-# to the perimeter service host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $SVC_PERIMETER_IP \
- --match multiport \
- --destination-ports 22,25,143,873 \
- --jump ACCEPT
-# forward ssh, http and https requests
-# from the usr, sr and in networks
-# to the perimeter web server host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --match multiport \
- --destination-ports 22,80,443 \
- --jump ACCEPT
-# forward ssh, http, https and rsync requests
-# from the usr, sr and in networks
-# to the perimeter subversion host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $SVN_PERIMETER_IP \
- --match multiport \
- --destination-ports 22,80,443,873 \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server host
-# to the internal store host
-#$IPTABLES --table filter --append FORWARD \
-# --protocol tcp \
-# --in-interface $PERIMETER_IF \
-# --source $WS_PERIMETER_IP \
-# --source-port 1024:65535 \
-# --out-interface $INTERNAL_IF \
-# --destination $STORE_INTERNAL_IP \
-# --destination-port 80 \
-# --jump ACCEPT
-# forward http replies
-# from the internal store host
-# to the perimeter web server host
-#$IPTABLES --table filter --append FORWARD \
-# --match conntrack \
-# --ctstate ESTABLISHED \
-# --protocol tcp \
-# --in-interface $INTERNAL_IF \
-# --source $STORE_INTERNAL_IP \
-# --source-port 80 \
-# --out-interface $PERIMETER_IF \
-# --destination $WS_PERIMETER_IP \
-# --destination-port 1024:65535 \
-# --jump ACCEPT
-# forward dns zone notify messages
-# from the internal primary name server host
-# to the perimeter external/perimeter name server hosts
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns notify -> ens.pm, pns.pm" \
- --match conntrack \
- --ctstate NEW \
- --protocol udp \
- --in-interface $INTERNAL_IF \
- --source $PNS_INTERNAL_IP \
- --source-port 1024:65535 \
- --out-interface $PERIMETER_IF \
- --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns zone transfer requests
-# from the perimeter external/perimeter name server hosts
-# to the internal primary name server host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns xfr -> ens.pm, pns.pm" \
- --match conntrack \
- --ctstate NEW \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --source-port 1024:65535 \
- --out-interface $INTERNAL_IF \
- --destination $PNS_INTERNAL_IP \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns zone transfer replies
-# from the internal primary name server host
-# to the perimeter external/perimeter name server hosts
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns xfr -> ens.pm, pns.pm" \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $PNS_INTERNAL_IP \
- --source-port 53 \
- --out-interface $PERIMETER_IF \
- --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# forward openvpn packets
-# from the internet
-# to the internal vpn host
-$IPTABLES --table filter --append FORWARD \
- --protocol udp \
- --in-interface $PERIMETER_IF \
- ! --source $PERIMETER_NET \
- --out-interface $INTERNAL_IF \
- --destination $VPN_INTERNAL_IP \
- --destination-port 1194 \
- --jump ACCEPT
-# forward packets
-# from the usr network
-# to the sr, in, vpn and peep-bo networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $USR_NET \
- --out-interface $INTERNAL_IF \
- --destination ${SR_NET},${IN_NET},${VPN_NET},$PEEP_BO_NET \
- --jump ACCEPT
-# forward packets
-# from the sr network
-# to the usr, in and vpn networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $SR_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${IN_NET},$VPN_NET \
- --jump ACCEPT
-# forward packets
-# from the in network
-# to the usr, sr and vpn networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $IN_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$VPN_NET \
- --jump ACCEPT
-# forward packets
-# from the vpn network
-# to the usr, sr and in networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $VPN_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# forward packets
-# from the peep-bo network
-# to the usr, sr and in networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $PEEP_BO_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# forward ssh packets
-# from the usr, sr and in networks
-# to the external firewall/gateway host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $EFG_PERIMETER_IP \
- --destination-port 22 \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server
-# to the dvredmine host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --out-interface $INTERNAL_IF \
- --destination $DVREDMINE_INTERNAL_IP \
- --destination-port 80 \
- --jump ACCEPT
-# forward http replies
-# from the dvredmine host
-# to the perimeter web server
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $DVREDMINE_INTERNAL_IP \
- --source-port 80 \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server
-# to the minicrm host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --out-interface $INTERNAL_IF \
- --destination $MINICRM_INTERNAL_IP \
- --destination-port 8080 \
- --jump ACCEPT
-# forward http replies
-# from the minicrm host
-# to the perimeter web server
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $MINICRM_INTERNAL_IP \
- --source-port 8080 \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server
-# to the workstation host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --out-interface $INTERNAL_IF \
- --destination $WORKSHEET_SR_IP \
- --destination-port 8079 \
- --jump ACCEPT
-# forward http replies
-# from the workstation host
-# to the perimeter web server
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $WORKSHEET_SR_IP \
- --source-port 8079 \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --jump ACCEPT
-# forward icmp packets
-# from anywhere
-# to anywhere
-$IPTABLES --table filter --append FORWARD \
- --protocol icmp \
- --jump ACCEPT
-
-################################
-# filter OUTPUT rules
-# allow dns requests
-# to the internal svc host
-$IPTABLES --table filter --append OUTPUT \
- --match comment \
- --comment "dns requests -> svc" \
- --match conntrack \
- --ctstate NEW \
- --protocol udp \
- --source $IFG_USR_IP \
- --out-interface $INTERNAL_IF \
- --destination $SVC_INTERNAL_IP \
- --destination-port 53 \
- --jump ACCEPT
-# allow ssh packets
-# of established sessions
-# to the usr, sr, in and vpn networks
-$IPTABLES --table filter --append OUTPUT \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol tcp \
- --source $IFG_USR_IP \
- --source-port 22 \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# allow packets
-# from the loopback address
-# to the loopback address
-$IPTABLES --table filter --append OUTPUT \
- --source $LOOPBACK_IP \
- --out-interface $LOOPBACK_IF \
- --destination $LOOPBACK_IP \
- --jump ACCEPT
-# allow icmp packets
-# to anywhere
-$IPTABLES --table filter --append OUTPUT \
- --protocol icmp \
- --jump ACCEPT
diff --git a/sources/ifg.usr.f30/firstboot/12_iptables_log_dropped.sh b/sources/ifg.usr.f30/firstboot/12_iptables_log_dropped.sh
deleted file mode 100755
index db6992e..0000000
--- a/sources/ifg.usr.f30/firstboot/12_iptables_log_dropped.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/sh
-#set -x
-exit 0
-
-################################
-# iptables command
-IPTABLES=/sbin/iptables
-
-################################
-# log packets reaching the default policy rules in the filter table
-$IPTABLES --table filter --append INPUT \
- --in-interface ifg \
- --jump LOG \
- --log-prefix 'filter ifg INPUT: '
-$IPTABLES --table filter --append INPUT \
- --in-interface eth0 \
- --jump LOG \
- --log-prefix 'filter eth0 INPUT: '
-$IPTABLES --table filter --append INPUT \
- --jump LOG \
- --log-level warning \
- --log-prefix 'filter INPUT: '
-$IPTABLES --table filter --append FORWARD \
- --jump LOG \
- --log-level warning \
- --log-prefix 'filter FORWARD: '
-$IPTABLES --table filter --append OUTPUT \
- --jump LOG \
- --log-level warning \
- --log-prefix 'filter OUTPUT: '
diff --git a/sources/ifg.usr.f30/firstboot/13_iptables_save.sh b/sources/ifg.usr.f30/firstboot/13_iptables_save.sh
deleted file mode 100755
index 4135372..0000000
--- a/sources/ifg.usr.f30/firstboot/13_iptables_save.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-#set -x
-exit 0
-
-/sbin/iptables-save >/etc/sysconfig/iptables
diff --git a/sources/ifg.usr.f30/firstboot/definitions b/sources/ifg.usr.f30/firstboot/definitions
deleted file mode 100644
index 400a1f4..0000000
--- a/sources/ifg.usr.f30/firstboot/definitions
+++ /dev/null
@@ -1,107 +0,0 @@
-################################
-# iptables command
-################################
-IPTABLES=/sbin/iptables
-
-################################
-# interfaces
-################################
-
-# internal interface
-INTERNAL_IF=ifg
-
-# loopback interface
-LOOPBACK_IF=lo
-
-# perimeter interface
-PERIMETER_IF=eth0
-
-################################
-# addresses
-################################
-
-# loopback address
-LOOPBACK_IP=127.0.0.1
-
-# public addresses
-PUBLIC_IP_194=84.2.25.194
-PUBLIC_IP_195=84.2.25.195
-PUBLIC_IP_196=84.2.25.196
-PUBLIC_IP_197=84.2.25.197
-PUBLIC_IP_198=84.2.25.198
-PUBLIC_IP_199=84.2.25.199
-PUBLIC_IP_200=84.2.25.200
-PUBLIC_IP_201=84.2.25.201
-PUBLIC_IP_202=84.2.25.202
-PUBLIC_IP_203=84.2.25.203
-PUBLIC_IP_204=84.2.25.204
-PUBLIC_IP_205=84.2.25.205
-PUBLIC_IP_206=84.2.25.206
-
-# efg address (perimeter network)
-EFG_PERIMETER_IP=192.168.173.254
-
-# service address (perimeter network)
-SVC_PERIMETER_IP=192.168.173.253
-
-# transfer web server address (perimeter network)
-XFR_PERIMETER_IP=192.168.173.251
-
-# subversion address (perimeter network)
-SVN_PERIMETER_IP=192.168.173.250
-
-# web server address (perimeter network)
-WS_PERIMETER_IP=192.168.173.249
-
-# perimeter name server address (perimeter network)
-PNS_PERIMETER_IP=192.168.173.174
-
-# external name server address (perimeter network)
-ENS_PERIMETER_IP=192.168.173.64
-
-# ifg address (perimeter network)
-IFG_PERIMETER_IP=192.168.173.1
-
-# ifg addresses (internal network)
-IFG_USR_IP=10.228.109.254
-IFG_SR_IP=192.168.42.254
-IFG_IN_IP=192.168.43.254
-
-# dvredmine address (internal network)
-DVREDMINE_INTERNAL_IP=10.228.62.193
-
-# minicrm address (internal network)
-MINICRM_INTERNAL_IP=10.228.109.133
-
-# store address (internal network)
-STORE_INTERNAL_IP=10.228.109.250
-
-# service address (internal network)
-SVC_INTERNAL_IP=10.228.109.253
-
-# vpn address (internal network)
-VPN_INTERNAL_IP=10.228.109.236
-
-# primary name server address (internal network)
-PNS_INTERNAL_IP=10.228.109.174
-
-# worksheet address (internal network)
-WORKSHEET_SR_IP=192.168.42.248
-
-################################
-# networks
-################################
-
-# internal networks
-USR_NET=10.228.0.0/16
-SR_NET=192.168.42.0/24
-IN_NET=192.168.43.0/24
-
-# perimeter network
-PERIMETER_NET=192.168.173.0/24
-
-# vpn client network
-VPN_NET=172.16.223.0/24
-
-# peep-bo network
-PEEP_BO_NET=10.162.104.0/24
diff --git a/sources/ifg.usr.f30/firstboot/nftables.config b/sources/ifg.usr.f30/firstboot/nftables.config
index 75ec6e3..6694a10 100644
--- a/sources/ifg.usr.f30/firstboot/nftables.config
+++ b/sources/ifg.usr.f30/firstboot/nftables.config
@@ -23,10 +23,10 @@ define LOOPBACK_IP = 127.0.0.1
 # public addresses
 define PUBLIC_EFG_IP = 194.149.40.146
-define PUBLIC_NS_IP = 194.149.40.147
-define PUBLIC_VPN_IP = 194.149.40.148
-define PUBLIC_WS_IP = 194.149.40.149
-define PUBLIC_IP_150 = 194.149.40.150
+define PUBLIC_MX_IP = 194.149.40.147
+define PUBLIC_NS_IP = 194.149.40.148
+define PUBLIC_VPN_IP = 194.149.40.149
+define PUBLIC_WS_IP = 194.149.40.150
 define PUBLIC_MINECRAFT_IP = 194.149.40.151
 define PUBLIC_IP_152 = 194.149.40.152
 define PUBLIC_IP_153 = 194.149.40.153
@@ -149,9 +149,9 @@ create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy
 add rule ip ifg_nat prerouting \
 ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
 ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
- counter dnat $WS_PERIMETER_IP
+ counter dnat $WS_PERIMETER_IP comment "Webserver access"
 ################################
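Review bot: The public-address defines in the nftables.config hunk at line 23 are renumbered in place rather than renamed (NS .147→.148, VPN .148→.149, WS .149→.150, with .147 becoming the new `PUBLIC_MX_IP`), so every rule in the file that references `$PUBLIC_NS_IP`, `$PUBLIC_VPN_IP` or `$PUBLIC_WS_IP` — the prerouting DNAT at line 149 among them — silently targets a different public address after the next load, and `PUBLIC_IP_150` is removed with no replacement, so a rule that still references it (none is visible here) would make `nft -f` reject the whole file and leave the previous ruleset in place. `PUBLIC_MX_IP` is introduced without any rule using it in this diff, so presumably the mail forwarding follows in a later commit. Because these defines are the firewall's only record of which public IP carries which service, the move should be checked against the DNS records and upstream routing for ns/vpn/ws before deployment, and the file validated with `nft -c -f nftables.config` so an undefined symbol is caught before reload. A short comment above the block, e.g. `# 2019-08: .147 reassigned from NS to MX; NS, VPN and WS each moved up one address`, would record why the numbering no longer matches the old layout.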