From: Zoltán Felleg Date: Mon, 16 Dec 2024 22:12:06 +0000 (+0100) Subject: Updated efg.pm (added mx.pm rules). X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=eade1bc6a1ad8035fd5c609e79997d42967d4ba0;p=user-lxc.git Updated efg.pm (added mx.pm rules). --- diff --git a/sources/efg.pm/c3d/firstboot/data/nftables.config b/sources/efg.pm/c3d/firstboot/data/nftables.config index 85b8114..cfb64af 100644 --- a/sources/efg.pm/c3d/firstboot/data/nftables.config +++ b/sources/efg.pm/c3d/firstboot/data/nftables.config @@ -55,6 +55,10 @@ define WS_PERIMETER_IPV4 = 192.168.173.249 define PNS_PERIMETER_IPV4 = 192.168.173.223 define PNS_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:addf +# perimeter mail exchanger address (perimeter network) +define MX_PERIMETER_IPV4 = 192.168.173.154 +define MX_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad9a + # external name server address (perimeter network) define ENS_PERIMETER_IPV4 = 192.168.173.147 define ENS_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad93 @@ -145,10 +149,10 @@ add rule ip efg-nat prerouting \ ip daddr $PUBLIC_STORE_IPV4 tcp dport { http, https } \ counter dnat $STORE_INTERNAL_IPV4 comment "Incoming store requests" -#add rule ip efg-nat prerouting \ -# iifname $EXTERNAL_IF \ -# ip daddr $PUBLIC_MX_IPV4 tcp dport $MX_PORTS \ -# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic" +add rule ip efg-nat prerouting \ + iifname $EXTERNAL_IF tcp sport 1024-65535 \ + ip daddr $PUBLIC_MX_IPV4 tcp dport $MX_PORTS \ + counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic" add rule ip efg-nat prerouting \ iifname $EXTERNAL_IF udp sport 1024-65535 \ 
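Review bot: The new DNAT rule's `tcp sport 1024-65535` match adds no protection, because the remote sender chooses its own source port, while it will silently drop any legitimate SMTP peer that happens to connect from a port below 1024. It mirrors the adjacent UDP DNS rule, so if it is kept for consistency it deserves a note such as `# sport match is for consistency with the DNS rules, not a security control`; otherwise drop the clause and let `ip daddr $PUBLIC_MX_IPV4 tcp dport $MX_PORTS` alone select the traffic. `$PUBLIC_MX_IPV4` and `$MX_PORTS` are referenced but not defined in this diff; presumably they already exist higher in the file, since the previously commented-out rule used them, but that is worth confirming before the firstboot script loads this ruleset.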
@@ -250,8 +254,14 @@ add rule ip efg-filter forward \ add rule ip efg-filter forward \ iifname $EXTERNAL_IF \ - oifname $PERIMETER_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport { http, https } \ - counter accept comment "Incoming store traffic" + oifname $PERIMETER_IF ip daddr $MX_PERIMETER_IPV4 tcp dport $MX_PORTS \ + counter accept comment "Incoming MX requests" + +add rule ip efg-filter forward \ + ct state established \ + iifname $PERIMETER_IF ip saddr $MX_PERIMETER_IPV4 tcp sport $MX_PORTS \ + oifname $EXTERNAL_IF tcp dport 1024-65535 \ + counter accept comment "Outgoing MX replies" add rule ip efg-filter forward \ iifname $EXTERNAL_IF \ @@ -357,6 +367,26 @@ add rule ip efg-filter forward \ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \ counter accept comment "Incoming DNS replies (tcp)" +add rule ip6 efg-filter forward \ + iifname $PERIMETER_IF ip6 saddr $MX_PERIMETER_IPV6 tcp sport 1024-65535 \ + oifname $EXTERNAL_IF tcp dport { http, https, 2703 } \ + counter accept comment "Outgoing spamassassin update requests" +add rule ip efg-filter forward \ + iifname $PERIMETER_IF ip saddr $MX_PERIMETER_IPV4 tcp sport 1024-65535 \ + oifname $EXTERNAL_IF tcp dport { http, https, 2703 } \ + counter accept comment "Outgoing spamassassin update requests" + +add rule ip6 efg-filter forward \ + ct state established \ + iifname $EXTERNAL_IF tcp sport { http, https, 2703 } \ + oifname $PERIMETER_IF ip6 daddr $MX_PERIMETER_IPV6 tcp dport 1024-65535 \ + counter accept comment "Incoming spamassassin update replies" +add rule ip efg-filter forward \ + ct state established \ + iifname $EXTERNAL_IF tcp sport { http, https, 2703 } \ + oifname $PERIMETER_IF ip daddr $MX_PERIMETER_IPV4 tcp dport 1024-65535 \ + counter accept comment "Incoming spamassassin update replies" + add rule ip efg-filter forward \ ip protocol icmp \ counter accept comment "ICMP" 
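Review bot: The MX accept rule is written over the existing `Incoming store traffic` accept rule instead of being added beside it, so after this commit the `Incoming store requests` DNAT still visible in the prerouting hunk maps traffic to `$STORE_INTERNAL_IPV4` that no forward rule in this diff accepts any more. If that store rule was dead (its `oifname $PERIMETER_IF` match for an internal address looks suspicious) the removal should be stated in the commit message; if not, the MX stanza should be a new block and the removed `oifname $PERIMETER_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport { http, https } \` / `counter accept comment "Incoming store traffic"` lines kept. Inbound mail is also only accepted in the `ip` family here: `$MX_PERIMETER_IPV6` gets no matching `ip6 efg-filter forward` accept for `$MX_PORTS` in this diff, so mail arriving over IPv6 would presumably be dropped unless that rule lives elsewhere.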
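Review bot: The comment `Outgoing spamassassin update requests` undersells what these rules open: the MX may reach any external host on http, https and 2703, and 2703 is conventionally the Razor agent port rather than something sa-update uses, so someone auditing egress will not find it under "update". I would name the services in the comment on both the v4 and v6 rules, e.g. `comment "Outgoing MX sa-update (http/https) and razor (2703) requests"`. Nothing in this diff accepts the MX's own outbound SMTP (`tcp dport smtp` from `$MX_PERIMETER_IPV4`/`$MX_PERIMETER_IPV6` towards `$EXTERNAL_IF`) even though the postrouting hunk below SNATs that traffic; if outbound delivery is expected, that accept rule is presumably defined elsewhere and should be checked before relying on it.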
@@ -439,9 +469,9 @@ add rule ip efg-nat postrouting \ oifname $EXTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \ counter snat $PUBLIC_EFG_IPV4 comment "Outgoing internal traffic" -#add rule ip efg-nat postrouting \ -# oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IPV4 \ -# counter snat $PUBLIC_MX_IPV4 comment "Outgoing MX traffic" +add rule ip efg-nat postrouting \ + oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IPV4 \ + counter snat $PUBLIC_MX_IPV4 comment "Outgoing MX traffic" add rule ip efg-nat postrouting \ oifname $EXTERNAL_IF ip saddr $ENS_PERIMETER_IPV4 \ diff --git a/sources/efg.pm/c3d/firstboot/scripts/01_setupnetworking.sh b/sources/efg.pm/c3d/firstboot/scripts/01_setupnetworking.sh index 34a803c..72556fb 100755 --- a/sources/efg.pm/c3d/firstboot/scripts/01_setupnetworking.sh +++ b/sources/efg.pm/c3d/firstboot/scripts/01_setupnetworking.sh @@ -1,5 +1,4 @@ #!/bin/sh -set -x export PAGER=
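Review bot: The new SNAT rule sits after the `Outgoing internal traffic` rule, and in a nat chain the first matching rule fixes the connection's mapping, so if `$INTERNAL_IPV4_NETS` happens to cover the perimeter subnet the MX's outbound connections would leave as `$PUBLIC_EFG_IPV4` rather than `$PUBLIC_MX_IPV4`. The existing ENS rule has the same ordering, so presumably the set excludes the perimeter net; either confirm that or move the per-host perimeter SNAT rules above the catch-all. Since outbound mail will now be sourced from `$PUBLIC_MX_IPV4`, the PTR record and SPF entry for that address should be checked against the MX's hostname — outside this file, but a common cause of rejected mail after a change like this.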