From: Zoltán Felleg
Date: Thu, 25 Feb 2021 16:51:15 +0000 (+0100)
Subject: Updated efg.pm and pns.usr (switched from Telekom to ACE Telekom).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=c84ec87aefe90f86ef9448ce19df0f6bf3945d0d;p=user-lxc.git
Updated efg.pm and pns.usr (switched from Telekom to ACE Telekom).
---
diff --git a/sources/efg.pm/firstboot/01_setupnetworking.sh b/sources/efg.pm/firstboot/01_setupnetworking.sh
index ccf9a40..c8f6874 100755
--- a/sources/efg.pm/firstboot/01_setupnetworking.sh
+++ b/sources/efg.pm/firstboot/01_setupnetworking.sh
@@ -72,9 +72,9 @@ nmcli connection add \
 connection.id ace \
 connection.interface-name $EXTERNAL_ACE_DEVICE \
 connection.type 802-3-ethernet \
- ipv4.addresses "37.220.137.137/29, 37.220.137.138/29" \
+ ipv4.addresses "37.220.137.97/28, 37.220.137.98/28, 37.220.137.99/28, 37.220.137.100/28, 37.220.137.101/28" \
 ipv4.method "manual" \
- ipv4.routes "0.0.0.0/0 37.220.137.142 table=13" \
+ ipv4.routes "0.0.0.0/0 37.220.137.110 table=13" \
 ipv6.method "auto" \
 save yes
diff --git a/sources/efg.pm/firstboot/nftables.config b/sources/efg.pm/firstboot/nftables.config
index 65ca045..73903d1 100644
--- a/sources/efg.pm/firstboot/nftables.config
+++ b/sources/efg.pm/firstboot/nftables.config
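Review bot: The five /28 addresses on the ipv4.addresses line and the 37.220.137.110 gateway on the ipv4.routes line are bare literals that have to agree with the $PUBLIC_ACE_*_IP values in nftables.config and the A records in the zone files changed in this same commit, and nothing in the script records that coupling. A comment above the connection, such as `# ACE Telecom block 37.220.137.96/28 (gw .110); keep in sync with PUBLIC_ACE_*_IP in nftables.config and the *.hu.zone files`, would tell the next person who renumbers where else to look. The `nmcli connection add` command this hunk belongs to starts before the hunk.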
@@ -151,21 +151,41 @@ add rule ip efg_nat prerouting \
 ip daddr $PUBLIC_TELEKOM_VPN_IP udp dport 1194 \
 counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (TELEKOM)"
+#add rule ip efg_nat prerouting \
+# iifname $EXTERNAL_ACE_IF \
+# ip daddr $PUBLIC_ACE_MX_IP tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+
 #add rule ip efg_nat prerouting \
 # iifname $EXTERNAL_TELEKOM_IF \
 # ip daddr $PUBLIC_TELEKOM_MX_IP tcp dport $MX_PORTS \
 # counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+add rule ip efg_nat prerouting \
+ iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
+ ip daddr $PUBLIC_ACE_NS_IP udp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
 ip daddr $PUBLIC_TELEKOM_NS_IP udp dport 53 \
 counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+add rule ip efg_nat prerouting \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_ACE_NS_IP tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
 ip daddr $PUBLIC_TELEKOM_NS_IP tcp dport 53 \
 counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+add rule ip efg_nat prerouting \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_ACE_WS_IP tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
 ip daddr $PUBLIC_TELEKOM_WS_IP tcp dport $WS_PORTS \
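Review bot: The three new ACE DNAT rules reuse the Telekom rules' comment strings verbatim ("Incoming DNS requests (udp)", "Incoming DNS requests (tcp)", "Incoming http(s) requests"), so the per-rule counters of the two uplinks cannot be told apart in `nft list ruleset`; the filter and postrouting hunks of this same commit suffix their pairs with (ACE)/(TELEKOM), and this hunk should do the same, e.g. `counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp) (ACE)"`. Separately, the hunk's leading context is the Telekom VPN DNAT (udp dport 1194) and no ACE counterpart is added, although 01_setupnetworking.sh now binds 37.220.137.100 (vpn-ace in the useribm.hu zone) to the ACE interface; if the VPN is meant to stay on Telekom for now, a one-line comment next to the VPN rule saying so would stop the gap being read as an omission.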
@@ -233,71 +253,137 @@ add rule ip efg_filter forward \
 oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
 counter accept comment "Incoming VPN traffic (TELEKOM)"
+add rule ip efg_filter forward \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ counter accept comment "Incoming http(s) requests (ACE)"
+
 add rule ip efg_filter forward \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
- counter accept comment "Incoming http(s) requests"
+ counter accept comment "Incoming http(s) requests (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
+ oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing http(s) replies (ACE)"
 add rule ip efg_filter forward \
 ct state established \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing http(s) replies"
+ counter accept comment "Outgoing http(s) replies (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
- counter accept comment "Incoming DNS requests/notifications (udp)"
+ counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (udp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
 oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (udp)"
+ counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ counter accept comment "Incoming DNS requests (tcp) (ACE)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
- counter accept comment "Incoming DNS requests (tcp)"
+ counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (tcp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (tcp)"
+ counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ oifname $EXTERNAL_ACE_IF udp dport 53 \
+ counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
 add rule ip efg_filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
- counter accept comment "Outgoing DNS requests/notifications (udp)"
+ counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_ACE_IF udp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (udp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (udp)"
+ counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ oifname $EXTERNAL_ACE_IF tcp dport 53 \
+ counter accept comment "Outgoing DNS requests (tcp) (ACE)"
 add rule ip efg_filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
- counter accept comment "Outgoing DNS requests (tcp)"
+ counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_ACE_IF tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (tcp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (tcp)"
+ counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $EXTERNAL_ACE_IF tcp dport $WS_PORTS \
+ counter accept comment "Outgoing let's encrypt requests (ACE)"
 add rule ip efg_filter forward \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport $WS_PORTS \
- counter accept comment "Outgoing let's encrypt requests"
+ counter accept comment "Outgoing let's encrypt requests (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established \
+ iifname $EXTERNAL_ACE_IF tcp sport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Incoming let's encrypt replies (ACE)"
 add rule ip efg_filter forward \
 ct state established \
 iifname $EXTERNAL_TELEKOM_IF tcp sport $WS_PORTS \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
- counter accept comment "Incoming let's encrypt replies"
+ counter accept comment "Incoming let's encrypt replies (TELEKOM)"
 add rule ip efg_filter forward \
 ip protocol icmp \
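Review bot: Each of the twelve new ACE accept rules is a copy of the Telekom rule directly below it with only the interface name and the comment suffix changed, which doubles this part of the forward chain and means every future change to a flow has to be made twice. Since the match is otherwise identical, each pair could be one rule matching an anonymous set, `iifname { $EXTERNAL_ACE_IF, $EXTERNAL_TELEKOM_IF }` (or `oifname` in the reply direction), at the cost of a single shared counter instead of one per uplink; if separate counters are wanted, a comment at the head of the block stating that the pairs are intentionally kept apart would explain the duplication. The last rule in the hunk (ip protocol icmp) continues past the hunk.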
@@ -351,18 +437,34 @@ add rule ip efg_nat postrouting \
 oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_NETS \
 counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing internal traffic (TELEKOM)"
+#add rule ip efg_nat postrouting \
+# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IP \
+# counter snat $PUBLIC_ACE_MX_IP comment "Outgoing MX traffic (ACE)"
+
 #add rule ip efg_nat postrouting \
 # oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IP \
-# counter snat $PUBLIC_TELEKOM_MX_IP comment "Outgoing MX traffic"
+# counter snat $PUBLIC_TELEKOM_MX_IP comment "Outgoing MX traffic (TELEKOM)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IP \
+ counter snat $PUBLIC_ACE_NS_IP comment "Outgoing external DNS traffic (ACE)"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_NS_IP comment "Outgoing external DNS traffic"
+ counter snat $PUBLIC_TELEKOM_NS_IP comment "Outgoing external DNS traffic (TELEKOM)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IP \
+ counter snat $PUBLIC_ACE_EFG_IP comment "Outgoing perimeter DNS traffic (ACE)"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing perimeter DNS traffic"
+ counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing perimeter DNS traffic (TELEKOM)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IP \
+ counter snat $PUBLIC_ACE_WS_IP comment "Outgoing WS traffic (ACE)"
 add rule ip efg_nat postrouting \
 oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_WS_IP comment "Outgoing WS traffic"
+ counter snat $PUBLIC_TELEKOM_WS_IP comment "Outgoing WS traffic (TELEKOM)"
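Review bot: The ACE MX SNAT block is added commented out, mirroring the disabled Telekom block beneath it, yet the mediacube.hu and useredms.hu zones in this same commit now publish mx as 37.220.137.98, presumably the address behind $PUBLIC_ACE_MX_IP, so a reader cannot tell whether mail NAT is handled elsewhere or simply has not been enabled. A comment above the disabled block, e.g. `# MX NAT intentionally disabled: <reason / where mail is handled>`, would settle that for the next reader. The matching DNAT block in the prerouting hunk is in the same state and would take the same comment.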
diff --git a/sources/pns.usr/postinstall/install/var/named/mediacube.hu.zone b/sources/pns.usr/postinstall/install/var/named/mediacube.hu.zone
index 6881deb..b1f4848 100644
--- a/sources/pns.usr/postinstall/install/var/named/mediacube.hu.zone
+++ b/sources/pns.usr/postinstall/install/var/named/mediacube.hu.zone
@@ -1,6 +1,7 @@
-$TTL 86400
+;$TTL 86400
+$TTL 3600
 @ IN SOA ns1.mediacube.hu. hostmaster.mx.mediacube.hu. (
- 2019110502 ; Serial
+ 1 ; Serial
 86400 ; Refresh (1 day)
 7200 ; Retry (2 hours)
 2419200 ; Expire (4 weeks)
@@ -11,10 +12,10 @@ $TTL 86400
 IN TXT "v=spf1 +mx -all"
 IN SPF "v=spf1 +mx -all"
-efg IN A 194.149.40.146 ; efg
-mx IN A 194.149.40.147 ; mail exchanger
-ns IN A 194.149.40.148 ; primary name server
-ns1 IN A 194.149.40.148 ; primary name server
+efg IN A 37.220.137.97 ; efg
+mx IN A 37.220.137.98 ; mail exchanger
+ns IN A 37.220.137.99 ; primary name server
+ns1 IN A 37.220.137.99 ; primary name server
 ns2 IN A 46.107.213.35 ; secondary name server
 ws IN A 158.177.224.206 ; web server
 www IN A 158.177.224.206 ; web server
diff --git a/sources/pns.usr/postinstall/install/var/named/useredms.hu.zone b/sources/pns.usr/postinstall/install/var/named/useredms.hu.zone
index dfc56be..72242d6 100644
--- a/sources/pns.usr/postinstall/install/var/named/useredms.hu.zone
+++ b/sources/pns.usr/postinstall/install/var/named/useredms.hu.zone
@@ -1,6 +1,7 @@
-$TTL 86400
+;$TTL 86400
+$TTL 3600
 @ IN SOA ns1.useredms.hu. hostmaster.mx.useredms.hu. (
- 2020030602 ; Serial
+ 1 ; Serial
 86400 ; Refresh (1 day)
 7200 ; Retry (2 hours)
 2419200 ; Expire (4 weeks)
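Review bot: The SOA serial of mediacube.hu.zone goes from 2019110502 down to 1, and the useredms.hu.zone hunk on this same line does the same from 2020030602; under RFC 1982 serial arithmetic 1 is lower than both old values, so the secondary listed as ns2 (46.107.213.35) will keep serving the old zone with the 194.149.40.x records and will not transfer the new 37.220.137.x ones until the serial climbs past the old value. The other two zones in this commit bump to 2021022501 and these two should follow the same date-based scheme, `2021022501 ; Serial`. If restarting the numbering was intended, the secondary has to be reset out of band before this can take effect.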
@@ -11,10 +12,10 @@ $TTL 86400
 IN TXT "v=spf1 +mx -all"
 IN SPF "v=spf1 +mx -all"
-efg IN A 194.149.40.146 ; efg
-mx IN A 194.149.40.147 ; mail exchanger
-ns IN A 194.149.40.148 ; primary name server
-ns1 IN A 194.149.40.148 ; primary name server
+efg IN A 37.220.137.97 ; efg
+mx IN A 37.220.137.98 ; mail exchanger
+ns IN A 37.220.137.99 ; primary name server
+ns1 IN A 37.220.137.99 ; primary name server
 ns2 IN A 46.107.213.35 ; secondary name server
 ws IN A 158.177.224.206 ; web server
 www IN A 158.177.224.206 ; web server
diff --git a/sources/pns.usr/postinstall/install/var/named/useribm.hu.zone b/sources/pns.usr/postinstall/install/var/named/useribm.hu.zone
index 8e1e951..9d19192 100644
--- a/sources/pns.usr/postinstall/install/var/named/useribm.hu.zone
+++ b/sources/pns.usr/postinstall/install/var/named/useribm.hu.zone
@@ -1,6 +1,7 @@
-$TTL 86400
+;$TTL 86400
+$TTL 3600
 @ IN SOA ns1.useribm.hu. hostmaster.mx.useribm.hu. (
- 2021021701 ; Serial
+ 2021022501 ; Serial
 86400 ; Refresh (1 day)
 7200 ; Retry (2 hours)
 2419200 ; Expire (4 weeks)
@@ -14,8 +15,8 @@ $TTL 86400
 ; Telekom
 efg IN A 194.149.40.146 ; efg
 mx IN A 194.149.40.147 ; mail exchanger
-ns IN A 194.149.40.148 ; primary name server
-ns1 IN A 194.149.40.148 ; primary name server
+ns-telekom IN A 194.149.40.148 ; primary name server
+ns1-telekom IN A 194.149.40.148 ; primary name server
 ns2 IN A 46.107.213.35 ; secondary name server
 vpn IN A 194.149.40.149 ; OpenVPN server
 hg IN A 194.149.40.150 ; mercurial
@@ -40,8 +41,8 @@ zfdl380e IN A 194.149.40.158 ; zfelleg DL380e
 ; ACE Telecom
 efg-ace IN A 37.220.137.97 ; efg
 mx-ace IN A 37.220.137.98 ; mail exchanger
-ns-ace IN A 37.220.137.99 ; primary name server
-ns1-ace IN A 37.220.137.99 ; primary name server
+ns IN A 37.220.137.99 ; primary name server
+ns1 IN A 37.220.137.99 ; primary name server
 vpn-ace IN A 37.220.137.100 ; OpenVPN server
 hg-ace IN A 37.220.137.101 ; mercurial
 jtrac-ace IN A 37.220.137.101 ; jtrac
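Review bot: ns and ns1 now resolve to 37.220.137.99 while the former Telekom entries become ns-telekom/ns1-telekom, but the zone's NS records and the parent delegation are not in the hunk; the SOA MNAME is ns1.useribm.hu., so if ns1 is also a delegated name server its glue at the parent has to be changed to 37.220.137.99 as well, which this commit cannot do, and until then resolvers following the delegation will still reach 194.149.40.148. A comment on the ns1 line, `; delegated NS - update parent glue whenever this address changes`, would record that dependency. The userrendszerhaz.hu.zone hunks on the next line make the identical change and would take the same comment; the TTL drop to 3600 and the serial bump to 2021022501 in both zones look right.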
diff --git a/sources/pns.usr/postinstall/install/var/named/userrendszerhaz.hu.zone b/sources/pns.usr/postinstall/install/var/named/userrendszerhaz.hu.zone
index 95672c6..48af16b 100644
--- a/sources/pns.usr/postinstall/install/var/named/userrendszerhaz.hu.zone
+++ b/sources/pns.usr/postinstall/install/var/named/userrendszerhaz.hu.zone
@@ -1,6 +1,7 @@
-$TTL 86400
+;$TTL 86400
+$TTL 3600
 @ IN SOA ns1.userrendszerhaz.hu. hostmaster.mx.userrendszerhaz.hu. (
- 2021021701 ; Serial
+ 2021022501 ; Serial
 86400 ; Refresh (1 day)
 7200 ; Retry (2 hours)
 2419200 ; Expire (4 weeks)
@@ -18,8 +19,8 @@ $TTL 86400
 ; Telekom
 efg IN A 194.149.40.146 ; efg
 mx IN A 194.149.40.147 ; mail exchanger
-ns IN A 194.149.40.148 ; primary name server
-ns1 IN A 194.149.40.148 ; primary name server
+ns-telekom IN A 194.149.40.148 ; primary name server
+ns1-telekom IN A 194.149.40.148 ; primary name server
 ns2 IN A 46.107.213.35 ; secondary name server
 vpn IN A 194.149.40.149 ; OpenVPN server
 hg IN A 194.149.40.150 ; mercurial
@@ -44,8 +45,8 @@ zfdl380e IN A 194.149.40.158 ; zfelleg DL380e
 ; ACE Telecom
 efg-ace IN A 37.220.137.97 ; efg
 mx-ace IN A 37.220.137.98 ; mail exchanger
-ns-ace IN A 37.220.137.99 ; primary name server
-ns1-ace IN A 37.220.137.99 ; primary name server
+ns IN A 37.220.137.99 ; primary name server
+ns1 IN A 37.220.137.99 ; primary name server
 vpn-ace IN A 37.220.137.100 ; OpenVPN server
 hg-ace IN A 37.220.137.101 ; mercurial
 jtrac-ace IN A 37.220.137.101 ; jtrac