From: Zoltán Felleg Date: Fri, 15 Nov 2019 16:23:56 +0000 (+0100) Subject: Updated efg.pm (networking fixes, start of ipv6 configuration). X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=e18f62b67d728279e8a4d71512cb542a7b05b888;p=user-lxc.git Updated efg.pm (networking fixes, start of ipv6 configuration).
---
diff --git a/sources/efg.pm/config b/sources/efg.pm/config
index f953548..7c37fde 100644
--- a/sources/efg.pm/config
+++ b/sources/efg.pm/config
@@ -15,7 +15,7 @@ lxc.net.1.type = veth
 lxc.net.1.flags = up
 lxc.net.1.link = bre-dev
 lxc.net.1.name = eth1
-lxc.net.0.hwaddr = 02:0c:18:03:28:92
+lxc.net.1.hwaddr = 02:0c:18:03:28:92
 lxc.cgroup.devices.allow =
 lxc.cgroup.devices.deny =
diff --git a/sources/efg.pm/firstboot/01_setupnetworking.sh b/sources/efg.pm/firstboot/01_setupnetworking.sh
index 8802b65..18d9e79 100755
--- a/sources/efg.pm/firstboot/01_setupnetworking.sh
+++ b/sources/efg.pm/firstboot/01_setupnetworking.sh
@@ -49,6 +49,7 @@ nmcli connection add \
 ipv4.dns-search "pm.user.hu" \
 ipv4.method "manual" \
 ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \
+ipv6.method "auto" \
 save yes
 nmcli connection show
@@ -61,6 +62,7 @@ nmcli connection add \
 ipv4.addresses "192.168.65.1/24, 194.149.40.146/28, 194.149.40.147/28, 194.149.40.148/28, 194.149.40.149/28, 194.149.40.150/28" \
 ipv4.gateway "194.149.40.145" \
 ipv4.method "manual" \
+ipv6.method "auto" \
 save yes
 nmcli connection show
diff --git a/sources/efg.pm/firstboot/nftables.config b/sources/efg.pm/firstboot/nftables.config
index 0a443ca..29b1867 100644
--- a/sources/efg.pm/firstboot/nftables.config
+++ b/sources/efg.pm/firstboot/nftables.config
@@ -6,7 +6,7 @@
 ################################
 # external interface
-define EXTERNAL_IF = bonde-dev
+define EXTERNAL_IF = eth1
 # loopback interface
 define LOOPBACK_IF = lo
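Review bot: After this hunk no `lxc.net.0.hwaddr` line remains in view; if the file sets none elsewhere, LXC generates a fresh random MAC for the net.0 interface on every container start, which changes that interface's DHCP identity and defeats any MAC-based filtering or lease reservation on its bridge. If net.0 is meant to keep a fixed address, the fix is to add `lxc.net.0.hwaddr = <MAC-for-net.0, placeholder>` in the net.0 block rather than only renaming this line. The net.0 block itself is outside this hunk, so this may already be handled there.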
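Review bot: `ipv6.method "auto"` on the connection in the @@ -61 hunk (the one carrying the public 194.149.40.x/28 addresses and the default gateway) lets the gateway's own IPv6 address and default route be set by whatever router advertisement arrives on that segment, a noticeably weaker position than the static `ipv4.method "manual"` configuration sitting right beside it. For a gateway with fixed public addressing the consistent counterpart is `ipv6.method "manual"` together with `ipv6.addresses` and `ipv6.gateway`. The same addition appears in the @@ -49 hunk; if that is the perimeter side on which radvd (enabled elsewhere in this commit) is meant to announce a prefix, that interface too typically needs a statically configured address rather than an auto-configured one. Both `nmcli connection add` commands begin before their hunks.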
@@ -109,14 +109,18 @@ define WS_PORTS = { 80, 443 }
 # reset nftables
 ################################
-create table inet efg_filter
+create table ip efg_filter
 create table ip efg_nat
+create table ip6 efg_filter
-create chain inet efg_filter input { type filter hook input priority 0; policy drop; }
-create chain inet efg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain inet efg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip efg_filter input { type filter hook input priority 0; policy drop; }
+create chain ip efg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip efg_filter output { type filter hook output priority 0; policy drop; }
 create chain ip efg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
 create chain ip efg_nat postrouting { type nat hook postrouting priority 0; policy accept; }
+create chain ip6 efg_filter input { type filter hook input priority 0; policy accept; }
+create chain ip6 efg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip6 efg_filter output { type filter hook output priority 0; policy accept; }
 ################################
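Review bot: The new ip6 `input` and `output` chains are created with `policy accept`, while the ip chains on the lines just above use `policy drop`; since the only ip6 rules this commit adds are the `counter log` rules (hunks @@ -158 and @@ -284), every IPv6 packet to and from the gateway itself is accepted as soon as the connections in 01_setupnetworking.sh bring IPv6 up. If this is a deliberate bootstrap state while IPv6 is being introduced, a comment next to the two `create chain ip6` lines should say so and name the follow-up. Otherwise switch both to `policy drop` and add, ahead of the log rules, the minimum IPv6 needs to function: `ct state established, related counter accept` and `meta l4proto ipv6-icmp counter accept`, because neighbor discovery and router advertisements are ICMPv6 and must reach the host.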
@@ -124,31 +128,26 @@ create chain ip efg_nat postrouting { type nat hook postrouting priority 0; poli
 ################################
 add rule ip efg_nat prerouting \
-ip protocol udp \
 iifname $EXTERNAL_IF \
 ip daddr $PUBLIC_VPN_IP udp dport 1194 \
 counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic"
 #add rule ip efg_nat prerouting \
-# ip protocol tcp \
 # iifname $EXTERNAL_IF \
 # ip daddr $PUBLIC_MX_IP tcp dport $MX_PORTS \
 # counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
 add rule ip efg_nat prerouting \
-ip protocol udp \
 iifname $EXTERNAL_IF udp sport 1024-65535 \
 ip daddr $PUBLIC_NS_IP udp dport 53 \
 counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
 add rule ip efg_nat prerouting \
-ip protocol tcp \
 iifname $EXTERNAL_IF tcp sport 1024-65535 \
 ip daddr $PUBLIC_NS_IP tcp dport 53 \
 counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
 add rule ip efg_nat prerouting \
-ip protocol tcp \
 iifname $EXTERNAL_IF tcp sport 1024-65535 \
 ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
 counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
@@ -158,18 +157,20 @@ add rule ip efg_nat prerouting \
 # FILTER input rules
 ################################
-add rule inet efg_filter input \
+add rule ip efg_filter input \
 ct state established \
-ip protocol udp \
 iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IP udp sport 53 \
 ip daddr $EFG_PERIMETER_IP udp dport 1024-65535 \
 counter accept comment "DNS replies"
-add rule inet efg_filter input \
+add rule ip efg_filter input \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule inet efg_filter input \
+add rule ip efg_filter input \
+counter log prefix "INPUT"
+
+add rule ip6 efg_filter input \
 counter log prefix "INPUT"
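Review bot: The ip6 `input` log rule added at the end of the @@ -158 hunk reuses the prefix `"INPUT"` of the ip rule directly above it, so the two address families cannot be told apart in the kernel log, and nft prints the prefix immediately before the packet fields, so without a trailing separator the line reads as `INPUTIN=...`. Neither rule is rate-limited, and on the ip chain it is the catch-all in front of a drop policy, so any packet flood becomes a log flood on the gateway. Suggest `add rule ip6 efg_filter input limit rate 10/minute burst 5 packets counter log prefix "INPUT6 "` with a matching `"INPUT4 "` on the ip rule; the FORWARD and OUTPUT log rules in the @@ -177 and @@ -284 hunks have the same three issues.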
@@ -177,106 +178,96 @@ add rule inet efg_filter input \
 # FILTER forward rules
 ################################
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_IF \
 oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
 counter accept comment "Established sessions"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
 oifname $EXTERNAL_IF \
 counter accept comment "Internet access"
-add rule inet efg_filter forward \
-ip protocol udp \
+add rule ip efg_filter forward \
 iifname $EXTERNAL_IF \
 oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
 counter accept comment "Incoming VPN traffic"
-add rule inet efg_filter forward \
-ip protocol tcp \
+add rule ip efg_filter forward \
 iifname $EXTERNAL_IF tcp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
 counter accept comment "Incoming http(s) requests"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ct state established \
-ip protocol tcp \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
 oifname $EXTERNAL_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing http(s) replies"
-add rule inet efg_filter forward \
-ip protocol udp \
+add rule ip efg_filter forward \
 iifname $EXTERNAL_IF udp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
 counter accept comment "Incoming DNS requests/notifications (udp)"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ct state established, related \
-ip protocol udp \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
 oifname $EXTERNAL_IF udp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (udp)"
-add rule inet efg_filter forward \
-ip protocol tcp \
+add rule ip efg_filter forward \
 iifname $EXTERNAL_IF tcp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
 counter accept comment "Incoming DNS requests (tcp)"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ct state established, related \
-ip protocol tcp \
 iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
 oifname $EXTERNAL_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (tcp)"
-add rule inet efg_filter forward \
-ip protocol udp \
+add rule ip efg_filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
 oifname $EXTERNAL_IF udp dport 53 \
 counter accept comment "Outgoing DNS requests/notifications (udp)"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ct state established, related \
-ip protocol udp \
 iifname $EXTERNAL_IF udp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (udp)"
-add rule inet efg_filter forward \
-ip protocol tcp \
+add rule ip efg_filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
 oifname $EXTERNAL_IF tcp dport 53 \
 counter accept comment "Outgoing DNS requests (tcp)"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ct state established, related \
-ip protocol tcp \
 iifname $EXTERNAL_IF tcp sport 53 \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (tcp)"
-add rule inet efg_filter forward \
-ip protocol tcp \
+add rule ip efg_filter forward \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
 oifname $EXTERNAL_IF tcp dport $WS_PORTS \
 counter accept comment "Outgoing let's encrypt requests"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ct state established \
-ip protocol tcp \
 iifname $EXTERNAL_IF tcp sport $WS_PORTS \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
 counter accept comment "Incoming let's encrypt replies"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule inet efg_filter forward \
+add rule ip efg_filter forward \
+counter log prefix "FORWARD"
+
+add rule ip6 efg_filter forward \
 counter log prefix "FORWARD"
@@ -284,18 +275,20 @@ add rule inet efg_filter forward \
 # FILTER output rules
 ################################
-add rule inet efg_filter output \
+add rule ip efg_filter output \
 ct state new \
-ip protocol udp \
 ip saddr $EFG_PERIMETER_IP udp sport 1024-65535 \
 oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IP udp dport 53 \
 counter accept comment "DNS requests"
-add rule inet efg_filter output \
+add rule ip efg_filter output \
 ip protocol icmp \
 counter accept comment "ICMP"
-add rule inet efg_filter output \
+add rule ip efg_filter output \
+counter log prefix "OUTPUT"
+
+add rule ip6 efg_filter output \
 counter log prefix "OUTPUT"
diff --git a/sources/efg.pm/postinstall/10_setupservices.sh b/sources/efg.pm/postinstall/10_setupservices.sh
index 69dd107..b6097c2 100755
--- a/sources/efg.pm/postinstall/10_setupservices.sh
+++ b/sources/efg.pm/postinstall/10_setupservices.sh
@@ -2,5 +2,6 @@
 systemctl enable NetworkManager-wait-online.service
+systemctl enable radvd.service
 systemctl mask wpa_supplicant.service
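Review bot: With the ip6 `forward` chain at `policy drop` and only the new `counter log prefix "FORWARD"` rule in it, every IPv6 packet an internal host tries to route through the gateway is dropped and logged without limit; because this same commit enables radvd (10_setupservices.sh), those hosts will presumably acquire addresses and start producing exactly that traffic, so the new rule wants a `limit rate` before radvd goes live, e.g. `add rule ip6 efg_filter forward limit rate 10/minute burst 5 packets counter log prefix "FORWARD6 "`. When IPv6 forwarding is opened later, the chain will also need an ICMPv6 accept (`meta l4proto ipv6-icmp`) next to the established/related rule: IPv6 routers do not fragment, so dropping Packet-Too-Big breaks path MTU discovery for every forwarded flow. The ip6 chain's `create chain` line with its drop policy is in the @@ -109 hunk, not this one.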
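Review bot: `systemctl enable radvd.service` is added without a radvd.conf or an IPv6 forwarding sysctl appearing anywhere in this commit; unless they are provided elsewhere in the image, the unit will most likely fail at boot (radvd does not start without a configuration) or warn and advertise nothing useful. Whatever interface it ends up advertising on should be the perimeter side only, never the `$EXTERNAL_IF` (eth1) that nftables.config now names, since an unintended `AdvSendAdvert` on the upstream segment would make this gateway offer itself as a router there. Committing the radvd configuration alongside the enable keeps the two from drifting apart.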