From 4c596ebd22a30dc45e9f692744223841d6067e00 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Zolt=C3=A1n=20Felleg?= Date: Mon, 19 Nov 2018 11:21:05 +0100 Subject: [PATCH] Added ifg.usr.f29. --- sources/ifg.usr.f29/config | 24 + sources/ifg.usr.f29/envvars | 4 + .../firstboot/01_setupnetworking.sh | 80 ++++ .../ifg.usr.f29/firstboot/02_settimezone.sh | 21 + sources/ifg.usr.f29/firstboot/03_setupldap.sh | 10 + .../firstboot/10_iptables_reset.sh | 68 +++ .../firstboot/11_iptables_set_ifg_rules.sh | 414 ++++++++++++++++++ .../firstboot/12_iptables_log_dropped.sh | 29 ++ .../ifg.usr.f29/firstboot/13_iptables_save.sh | 4 + sources/ifg.usr.f29/firstboot/99_cleanup.sh | 6 + sources/ifg.usr.f29/firstboot/definitions | 107 +++++ sources/ifg.usr.f29/firstboot/traversal.txt | 53 +++ .../postinstall/01_setownership.sh | 7 + .../postinstall/02_setpermissions.sh | 5 + .../postinstall/03_installfiles.sh | 15 + .../postinstall/10_setupservices.sh | 7 + sources/ifg.usr.f29/postinstall/99_cleanup.sh | 6 + .../ifg.usr.f29/postinstall/install/etc/hosts | 6 + .../postinstall/install/etc/resolv.conf | 4 + .../postinstall/install/etc/sysconfig/network | 1 + .../etc/sysconfig/network-scripts/ifcfg-eth0 | 16 + .../etc/sysconfig/network-scripts/ifcfg-ifg | 19 + .../etc/sysconfig/network-scripts/route-ifg | 2 + .../install/etc/sysctl.d/01_ipforward.conf | 1 + 24 files changed, 909 insertions(+) create mode 100644 sources/ifg.usr.f29/config create mode 100644 sources/ifg.usr.f29/envvars create mode 100755 sources/ifg.usr.f29/firstboot/01_setupnetworking.sh create mode 100755 sources/ifg.usr.f29/firstboot/02_settimezone.sh create mode 100755 sources/ifg.usr.f29/firstboot/03_setupldap.sh create mode 100755 sources/ifg.usr.f29/firstboot/10_iptables_reset.sh create mode 100755 sources/ifg.usr.f29/firstboot/11_iptables_set_ifg_rules.sh create mode 100755 sources/ifg.usr.f29/firstboot/12_iptables_log_dropped.sh create mode 100755 sources/ifg.usr.f29/firstboot/13_iptables_save.sh create mode 100755 sources/ifg.usr.f29/firstboot/99_cleanup.sh create mode 100644 
sources/ifg.usr.f29/firstboot/definitions
create mode 100644 sources/ifg.usr.f29/firstboot/traversal.txt
create mode 100755 sources/ifg.usr.f29/postinstall/01_setownership.sh
create mode 100755 sources/ifg.usr.f29/postinstall/02_setpermissions.sh
create mode 100755 sources/ifg.usr.f29/postinstall/03_installfiles.sh
create mode 100755 sources/ifg.usr.f29/postinstall/10_setupservices.sh
create mode 100755 sources/ifg.usr.f29/postinstall/99_cleanup.sh
create mode 100644 sources/ifg.usr.f29/postinstall/install/etc/hosts
create mode 100644 sources/ifg.usr.f29/postinstall/install/etc/resolv.conf
create mode 100644 sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network
create mode 100644 sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-eth0
create mode 100644 sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-ifg
create mode 100644 sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/route-ifg
create mode 100644 sources/ifg.usr.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf
diff --git a/sources/ifg.usr.f29/config b/sources/ifg.usr.f29/config
new file mode 100644
index 0000000..88a7c06
--- /dev/null
+++ b/sources/ifg.usr.f29/config
@@ -0,0 +1,24 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = ifg.usr.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = phys
+lxc.net.0.flags = up
+lxc.net.0.link = ifg
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.link = brh
+lxc.net.1.hwaddr = 02:0c:18:03:ad:01
+
+lxc.autodev = 1
+lxc.console.logfile = /tmp/ifg.console.log
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 2
+lxc.start.delay = 3
diff --git a/sources/ifg.usr.f29/envvars b/sources/ifg.usr.f29/envvars
new file mode 100644
index 0000000..e6552b4
--- /dev/null
+++ b/sources/ifg.usr.f29/envvars
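Review bot: `lxc.console.logfile = /tmp/ifg.console.log` puts the container's console log at a predictable path inside the host's shared, world-writable /tmp, where a file or symlink pre-created by another local user could be written through when the host opens it, and where tmp cleaning can remove it mid-run; a root-owned location such as `/var/log/lxc/ifg.console.log` avoids both. The same hunk mounts proc read-write (`lxc.mount.auto = proc:rw sys:ro`), presumably because the `net.ipv4.conf.all.forwarding` sysctl fragment installed later in this series has to be writable from inside the container; a one-line comment recording that reason would stop a later reader from tightening it to `proc:mixed` and silently breaking forwarding.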
@@ -0,0 +1,4 @@
+#BASE_PACKAGES="NetworkManager initscripts openssh-server openssh-clients openssh-ldap rootfiles rsyslog sudo tar vim-minimal"
+#SPEC_PACKAGES="authselect iptables iptables-services openldap-clients nss-pam-ldapd pam_ssh passwd"
+BASE_PACKAGES="NetworkManager initscripts rootfiles rsyslog tar"
+SPEC_PACKAGES="iptables iptables-services"
diff --git a/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh b/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh
new file mode 100755
index 0000000..a0d3b96
--- /dev/null
+++ b/sources/ifg.usr.f29/firstboot/01_setupnetworking.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active NetworkManager.service
+ NM_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+
+CONNECTIONS=$(nmcli connection show | grep -v '^NAME' | wc -l)
+if [ $CONNECTIONS -ne 2 ]
+then
+ echo "Number of connections: $CONNECTIONS" >&2
+ exit 1
+fi
+
+CONNECTION_LINE_1=$(nmcli connection show \
+ | grep -v '^NAME' | head -n 1)
+CONNECTION_LINE_2=$(nmcli connection show \
+ | grep -v '^NAME' | tail -n 1)
+CONNECTION_TOKENS=$(echo $CONNECTION_LINE_1 | wc -w)
+#CONNECTION_NAME_POS=$(( $CONNECTION_TOKENS - 3 ))
+CONNECTION_UUID_POS=$(( $CONNECTION_TOKENS - 2 ))
+#CONNECTION_TYPE_POS=$(( $CONNECTION_TOKENS - 1 ))
+CONNECTION_DEVICE_POS=$CONNECTION_TOKENS
+#CONNECTION_NAME_1=$(echo $CONNECTION_LINE_1 \
+# | cut -f -$CONNECTION_NAME_POS -d ' ')
+CONNECTION_UUID_1=$(echo $CONNECTION_LINE_1 \
+ | cut -f $CONNECTION_UUID_POS -d ' ')
+#CONNECTION_TYPE_1=$(echo $CONNECTION_LINE_1 \
+# | cut -f $CONNECTION_TYPE_POS -d ' ')
+CONNECTION_DEVICE_1=$(echo $CONNECTION_LINE_1 \
+ | cut -f $CONNECTION_DEVICE_POS -d ' ')
+CONNECTION_TOKENS=$(echo $CONNECTION_LINE_2 | wc -w)
+#CONNECTION_NAME_POS=$(( $CONNECTION_TOKENS - 3 ))
+CONNECTION_UUID_POS=$(( $CONNECTION_TOKENS - 2 ))
+#CONNECTION_TYPE_POS=$(( $CONNECTION_TOKENS - 1 ))
+CONNECTION_DEVICE_POS=$CONNECTION_TOKENS
+#CONNECTION_NAME_2=$(echo $CONNECTION_LINE_2 \
+# | cut -f -$CONNECTION_NAME_POS -d ' ')
+CONNECTION_UUID_2=$(echo $CONNECTION_LINE_2 \
+ | cut -f $CONNECTION_UUID_POS -d ' ')
+#CONNECTION_TYPE_2=$(echo $CONNECTION_LINE_2 \
+# | cut -f $CONNECTION_TYPE_POS -d ' ')
+CONNECTION_DEVICE_2=$(echo $CONNECTION_LINE_2 \
+ | cut -f $CONNECTION_DEVICE_POS -d ' ')
+nmcli connection delete uuid "$CONNECTION_UUID_1"
+nmcli connection delete uuid "$CONNECTION_UUID_2"
+
+nmcli connection add \
+ type 802-3-ethernet \
+ ifname $CONNECTION_DEVICE_1 \
+ 
con-name internal \
+ autoconnect yes \
+ save yes \
+ ipv4.addresses "10.228.109.254/16, 192.168.42.254/24, 192.168.43.254/24" \
+ ipv4.dns "10.228.109.104, 10.228.109.253" \
+ ipv4.dns-search "usr.user.hu" \
+ ipv4.method "manual" \
+ ipv4.routes "172.16.223.0/24 10.228.109.236, 10.162.104.0/24 10.228.109.236"
+
+nmcli connection add \
+ type 802-3-ethernet \
+ ifname $CONNECTION_DEVICE_2 \
+ con-name perimeter \
+ autoconnect yes \
+ save yes \
+ ipv4.addresses "192.168.173.1/24" \
+ ipv4.gateway "192.168.173.254" \
+ ipv4.method "manual"
+
+nmcli connection show
diff --git a/sources/ifg.usr.f29/firstboot/02_settimezone.sh b/sources/ifg.usr.f29/firstboot/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
+++ b/sources/ifg.usr.f29/firstboot/02_settimezone.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/ifg.usr.f29/firstboot/03_setupldap.sh b/sources/ifg.usr.f29/firstboot/03_setupldap.sh
new file mode 100755
index 0000000..4b58626
--- /dev/null
+++ b/sources/ifg.usr.f29/firstboot/03_setupldap.sh
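Review bot: The UUID and device of each connection are recovered by word-counting the human-readable `nmcli connection show` table (`CONNECTION_TOKENS`, `CONNECTION_UUID_POS`, unquoted `echo $CONNECTION_LINE_1 | cut -d ' '`), which only works because the unquoted echo happens to collapse the column padding, and it silently selects the wrong field if a device name contains a space or the column layout changes; nmcli's `--terse --fields` output exists for exactly this. Both existing connections are also deleted before either replacement is added, so a failure in the first `nmcli connection add` leaves the gateway with no networking and no remote way back in. This script and 02_settimezone.sh additionally poll `systemctl --quiet is-active` in a loop with no upper bound, so a unit that never becomes active hangs first boot forever; a bounded retry count with a non-zero exit would make that failure visible. The sketch below replaces the table parsing; the delete/add section is unchanged.
```sh
# … unchanged: wait for NetworkManager.service …
CONNECTIONS=$(nmcli --terse --fields UUID,DEVICE connection show | wc -l)
if [ "$CONNECTIONS" -ne 2 ]
then
  echo "Number of connections: $CONNECTIONS" >&2
  exit 1
fi

# terse output is one "uuid:device" line per connection: no header, no padding
CONNECTION_LIST=$(nmcli --terse --fields UUID,DEVICE connection show)
CONNECTION_UUID_1=$(echo "$CONNECTION_LIST" | sed -n '1p' | cut -d : -f 1)
CONNECTION_DEVICE_1=$(echo "$CONNECTION_LIST" | sed -n '1p' | cut -d : -f 2)
CONNECTION_UUID_2=$(echo "$CONNECTION_LIST" | sed -n '2p' | cut -d : -f 1)
CONNECTION_DEVICE_2=$(echo "$CONNECTION_LIST" | sed -n '2p' | cut -d : -f 2)
# … unchanged: nmcli connection delete / nmcli connection add …
```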
@@ -0,0 +1,10 @@ +#!/bin/sh + + +exit 0 +authselect select sssd with-mkhomedir --force + +cat >>/etc/openldap/ldap.conf < svc.pm" \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --destination $PUBLIC_IP_202 \ + --match multiport \ + --destination-ports 22,25,143,873 \ + --jump DNAT --to-destination $SVC_PERIMETER_IP +# dnat http and https packets +# from the usr, sr and in networks +# to the perimeter web server host +$IPTABLES --table nat --append PREROUTING \ + --match comment \ + --comment "http(s) -> ws.pm" \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --destination $PUBLIC_IP_202 \ + --match multiport \ + --destination-ports 80,443 \ + --jump DNAT --to-destination $WS_PERIMETER_IP + +################################ +# filter INPUT rules +# allow dns packets +# from the internal svc host +$IPTABLES --table filter --append INPUT \ + --match comment \ + --comment "dns replies <- svc" \ + --match conntrack \ + --ctstate ESTABLISHED \ + --protocol udp \ + --in-interface $INTERNAL_IF \ + --source $SVC_INTERNAL_IP \ + --source-port 53 \ + --destination $IFG_USR_IP \ + --destination-port 1024:65535 \ + --jump ACCEPT +# allow ssh packets +# from the usr, sr, in and vpn networks +$IPTABLES --table filter --append INPUT \ + --match comment \ + --comment "ssh <- usr, sr, in, vpn networks" \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \ + --source-port 1024:65535 \ + --destination $IFG_USR_IP \ + --destination-port 22 \ + --jump ACCEPT +# allow packets +# from the loopback address +# to the loopback address +$IPTABLES --table filter --append INPUT \ + --in-interface $LOOPBACK_IF \ + --source $LOOPBACK_IP \ + --destination $LOOPBACK_IP \ + --jump ACCEPT +# allow icmp packets +# from anywhere +$IPTABLES --table filter --append INPUT \ + --protocol icmp \ + --jump ACCEPT + +################################ +# filter 
FORWARD rules +# forward packets +# of established sessions +# to the usr, sr and in networks +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "established sessions -> internal networks" \ + --match conntrack \ + --ctstate ESTABLISHED,RELATED \ + --in-interface $PERIMETER_IF \ + --out-interface $INTERNAL_IF \ + --destination ${USR_NET},${SR_NET},$IN_NET \ + --jump ACCEPT +# forward packets +# from the usr, sr and in networks +# to the internet +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "usr network -> internet" \ + --in-interface $INTERNAL_IF \ + --source $USR_NET \ + --out-interface $PERIMETER_IF \ + ! --destination $PERIMETER_NET \ + --jump ACCEPT +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "sr network -> internet" \ + --in-interface $INTERNAL_IF \ + --source $SR_NET \ + --out-interface $PERIMETER_IF \ + ! --destination $PERIMETER_NET \ + --jump ACCEPT +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "in network -> internet" \ + --in-interface $INTERNAL_IF \ + --source $IN_NET \ + --out-interface $PERIMETER_IF \ + ! 
--destination $PERIMETER_NET \ + --jump ACCEPT +# forward ssh, smtp, imap and rsync requests +# from the usr, sr and in networks +# to the perimeter service host +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --out-interface $PERIMETER_IF \ + --destination $SVC_PERIMETER_IP \ + --match multiport \ + --destination-ports 22,25,143,873 \ + --jump ACCEPT +# forward ssh, http and https requests +# from the usr, sr and in networks +# to the perimeter web server host +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --out-interface $PERIMETER_IF \ + --destination $WS_PERIMETER_IP \ + --match multiport \ + --destination-ports 22,80,443 \ + --jump ACCEPT +# forward ssh, http, https and rsync requests +# from the usr, sr and in networks +# to the perimeter subversion host +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --out-interface $PERIMETER_IF \ + --destination $SVN_PERIMETER_IP \ + --match multiport \ + --destination-ports 22,80,443,873 \ + --jump ACCEPT +# forward http requests +# from the perimeter web server host +# to the internal store host +#$IPTABLES --table filter --append FORWARD \ +# --protocol tcp \ +# --in-interface $PERIMETER_IF \ +# --source $WS_PERIMETER_IP \ +# --source-port 1024:65535 \ +# --out-interface $INTERNAL_IF \ +# --destination $STORE_INTERNAL_IP \ +# --destination-port 80 \ +# --jump ACCEPT +# forward http replies +# from the internal store host +# to the perimeter web server host +#$IPTABLES --table filter --append FORWARD \ +# --match conntrack \ +# --ctstate ESTABLISHED \ +# --protocol tcp \ +# --in-interface $INTERNAL_IF \ +# --source $STORE_INTERNAL_IP \ +# --source-port 80 \ +# --out-interface $PERIMETER_IF \ +# --destination $WS_PERIMETER_IP \ +# --destination-port 
1024:65535 \ +# --jump ACCEPT +# forward dns zone notify messages +# from the internal primary name server host +# to the perimeter external/perimeter name server hosts +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns notify -> ens.pm, pns.pm" \ + --match conntrack \ + --ctstate NEW \ + --protocol udp \ + --in-interface $INTERNAL_IF \ + --source $PNS_INTERNAL_IP \ + --source-port 1024:65535 \ + --out-interface $PERIMETER_IF \ + --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ + --destination-port 53 \ + --jump ACCEPT +# forward dns zone transfer requests +# from the perimeter external/perimeter name server hosts +# to the internal primary name server host +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns xfr -> ens.pm, pns.pm" \ + --match conntrack \ + --ctstate NEW \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ + --source-port 1024:65535 \ + --out-interface $INTERNAL_IF \ + --destination $PNS_INTERNAL_IP \ + --destination-port 53 \ + --jump ACCEPT +# forward dns zone transfer replies +# from the internal primary name server host +# to the perimeter external/perimeter name server hosts +$IPTABLES --table filter --append FORWARD \ + --match comment \ + --comment "dns xfr -> ens.pm, pns.pm" \ + --match conntrack \ + --ctstate ESTABLISHED \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source $PNS_INTERNAL_IP \ + --source-port 53 \ + --out-interface $PERIMETER_IF \ + --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ + --destination-port 1024:65535 \ + --jump ACCEPT +# forward openvpn packets +# from the internet +# to the internal vpn host +$IPTABLES --table filter --append FORWARD \ + --protocol udp \ + --in-interface $PERIMETER_IF \ + ! 
--source $PERIMETER_NET \ + --out-interface $INTERNAL_IF \ + --destination $VPN_INTERNAL_IP \ + --destination-port 1194 \ + --jump ACCEPT +# forward packets +# from the usr network +# to the sr, in, vpn and peep-bo networks +$IPTABLES --table filter --append FORWARD \ + --in-interface $INTERNAL_IF \ + --source $USR_NET \ + --out-interface $INTERNAL_IF \ + --destination ${SR_NET},${IN_NET},${VPN_NET},$PEEP_BO_NET \ + --jump ACCEPT +# forward packets +# from the sr network +# to the usr, in and vpn networks +$IPTABLES --table filter --append FORWARD \ + --in-interface $INTERNAL_IF \ + --source $SR_NET \ + --out-interface $INTERNAL_IF \ + --destination ${USR_NET},${IN_NET},$VPN_NET \ + --jump ACCEPT +# forward packets +# from the in network +# to the usr, sr and vpn networks +$IPTABLES --table filter --append FORWARD \ + --in-interface $INTERNAL_IF \ + --source $IN_NET \ + --out-interface $INTERNAL_IF \ + --destination ${USR_NET},${SR_NET},$VPN_NET \ + --jump ACCEPT +# forward packets +# from the vpn network +# to the usr, sr and in networks +$IPTABLES --table filter --append FORWARD \ + --in-interface $INTERNAL_IF \ + --source $VPN_NET \ + --out-interface $INTERNAL_IF \ + --destination ${USR_NET},${SR_NET},$IN_NET \ + --jump ACCEPT +# forward packets +# from the peep-bo network +# to the usr, sr and in networks +$IPTABLES --table filter --append FORWARD \ + --in-interface $INTERNAL_IF \ + --source $PEEP_BO_NET \ + --out-interface $INTERNAL_IF \ + --destination ${USR_NET},${SR_NET},$IN_NET \ + --jump ACCEPT +# forward ssh packets +# from the usr, sr and in networks +# to the external firewall/gateway host +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source ${USR_NET},${SR_NET},$IN_NET \ + --out-interface $PERIMETER_IF \ + --destination $EFG_PERIMETER_IP \ + --destination-port 22 \ + --jump ACCEPT +# forward http requests +# from the perimeter web server +# to the dvredmine host +$IPTABLES --table filter --append 
FORWARD \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source $WS_PERIMETER_IP \ + --out-interface $INTERNAL_IF \ + --destination $DVREDMINE_INTERNAL_IP \ + --destination-port 80 \ + --jump ACCEPT +# forward http replies +# from the dvredmine host +# to the perimeter web server +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source $DVREDMINE_INTERNAL_IP \ + --source-port 80 \ + --out-interface $PERIMETER_IF \ + --destination $WS_PERIMETER_IP \ + --jump ACCEPT +# forward http requests +# from the perimeter web server +# to the minicrm host +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source $WS_PERIMETER_IP \ + --out-interface $INTERNAL_IF \ + --destination $MINICRM_INTERNAL_IP \ + --destination-port 8080 \ + --jump ACCEPT +# forward http replies +# from the minicrm host +# to the perimeter web server +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source $MINICRM_INTERNAL_IP \ + --source-port 8080 \ + --out-interface $PERIMETER_IF \ + --destination $WS_PERIMETER_IP \ + --jump ACCEPT +# forward http requests +# from the perimeter web server +# to the workstation host +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $PERIMETER_IF \ + --source $WS_PERIMETER_IP \ + --out-interface $INTERNAL_IF \ + --destination $WORKSHEET_SR_IP \ + --destination-port 8079 \ + --jump ACCEPT +# forward http replies +# from the workstation host +# to the perimeter web server +$IPTABLES --table filter --append FORWARD \ + --protocol tcp \ + --in-interface $INTERNAL_IF \ + --source $WORKSHEET_SR_IP \ + --source-port 8079 \ + --out-interface $PERIMETER_IF \ + --destination $WS_PERIMETER_IP \ + --jump ACCEPT +# forward icmp packets +# from anywhere +# to anywhere +$IPTABLES --table filter --append FORWARD \ + --protocol icmp \ + --jump ACCEPT + +################################ +# filter 
OUTPUT rules +# allow dns requests +# to the internal svc host +$IPTABLES --table filter --append OUTPUT \ + --match comment \ + --comment "dns requests -> svc" \ + --match conntrack \ + --ctstate NEW \ + --protocol udp \ + --source $IFG_USR_IP \ + --out-interface $INTERNAL_IF \ + --destination $SVC_INTERNAL_IP \ + --destination-port 53 \ + --jump ACCEPT +# allow ssh packets +# of established sessions +# to the usr, sr, in and vpn networks +$IPTABLES --table filter --append OUTPUT \ + --match conntrack \ + --ctstate ESTABLISHED \ + --protocol tcp \ + --source $IFG_USR_IP \ + --source-port 22 \ + --out-interface $INTERNAL_IF \ + --destination ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \ + --destination-port 1024:65535 \ + --jump ACCEPT +# allow packets +# from the loopback address +# to the loopback address +$IPTABLES --table filter --append OUTPUT \ + --source $LOOPBACK_IP \ + --out-interface $LOOPBACK_IF \ + --destination $LOOPBACK_IP \ + --jump ACCEPT +# allow icmp packets +# to anywhere +$IPTABLES --table filter --append OUTPUT \ + --protocol icmp \ + --jump ACCEPT diff --git a/sources/ifg.usr.f29/firstboot/12_iptables_log_dropped.sh b/sources/ifg.usr.f29/firstboot/12_iptables_log_dropped.sh new file mode 100755 index 0000000..b419bf6 --- /dev/null +++ b/sources/ifg.usr.f29/firstboot/12_iptables_log_dropped.sh 
@@ -0,0 +1,29 @@
+#!/bin/sh
+#set -x
+
+################################
+# iptables command
+IPTABLES=/sbin/iptables
+
+################################
+# log packets reaching the default policy rules in the filter table
+$IPTABLES --table filter --append INPUT \
+ --in-interface ifg \
+ --jump LOG \
+ --log-prefix 'filter ifg INPUT: '
+$IPTABLES --table filter --append INPUT \
+ --in-interface eth0 \
+ --jump LOG \
+ --log-prefix 'filter eth0 INPUT: '
+$IPTABLES --table filter --append INPUT \
+ --jump LOG \
+ --log-level warning \
+ --log-prefix 'filter INPUT: '
+$IPTABLES --table filter --append FORWARD \
+ --jump LOG \
+ --log-level warning \
+ --log-prefix 'filter FORWARD: '
+$IPTABLES --table filter --append OUTPUT \
+ --jump LOG \
+ --log-level warning \
+ --log-prefix 'filter OUTPUT: '
diff --git a/sources/ifg.usr.f29/firstboot/13_iptables_save.sh b/sources/ifg.usr.f29/firstboot/13_iptables_save.sh
new file mode 100755
index 0000000..85932f3
--- /dev/null
+++ b/sources/ifg.usr.f29/firstboot/13_iptables_save.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+#set -x
+
+/sbin/iptables-save >/etc/sysconfig/iptables
diff --git a/sources/ifg.usr.f29/firstboot/99_cleanup.sh b/sources/ifg.usr.f29/firstboot/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/ifg.usr.f29/firstboot/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ifg.usr.f29/firstboot/definitions b/sources/ifg.usr.f29/firstboot/definitions
new file mode 100644
index 0000000..400a1f4
--- /dev/null
+++ b/sources/ifg.usr.f29/firstboot/definitions
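Review bot: Every LOG rule in 12_iptables_log_dropped.sh is unconditional, so a packet flood that falls through INPUT, FORWARD or OUTPUT is logged once per packet and can fill the journal or rsyslog spool on the gateway itself, which is a denial of service of its own; iptables' `limit` match is the standard guard, e.g. `--match limit --limit 5/min --limit-burst 10 \` placed before `--jump LOG` in each of the five rules. The two interface-specific INPUT rules also omit `--log-level warning`, unlike the other three, so their entries land at the kernel default level and are routed differently by rsyslog; the inconsistency looks accidental. The script further hard-codes `ifg` and `eth0` while the rules script refers to the same interfaces as `$INTERNAL_IF` and `$PERIMETER_IF`, which `definitions` provides; reading them from the same file keeps the two scripts from drifting apart.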
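Review bot: `echo rm -Rf $REAL_PATH` in firstboot/99_cleanup.sh only prints the command, so the firstboot directory, including `definitions` with the site's complete address plan, is never actually removed from the container; if that is a deliberate dry run a comment saying so would help, and if it is meant to go live the unquoted, unguarded path derived from `$0` should become `rm -Rf -- "${REAL_PATH:?}"` so an empty or space-containing value cannot widen the deletion. postinstall/99_cleanup.sh is byte-identical and has the same issue.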
@@ -0,0 +1,107 @@
+################################
+# iptables command
+################################
+IPTABLES=/sbin/iptables
+
+################################
+# interfaces
+################################
+
+# internal interface
+INTERNAL_IF=ifg
+
+# loopback interface
+LOOPBACK_IF=lo
+
+# perimeter interface
+PERIMETER_IF=eth0
+
+################################
+# addresses
+################################
+
+# loopback address
+LOOPBACK_IP=127.0.0.1
+
+# public addresses
+PUBLIC_IP_194=84.2.25.194
+PUBLIC_IP_195=84.2.25.195
+PUBLIC_IP_196=84.2.25.196
+PUBLIC_IP_197=84.2.25.197
+PUBLIC_IP_198=84.2.25.198
+PUBLIC_IP_199=84.2.25.199
+PUBLIC_IP_200=84.2.25.200
+PUBLIC_IP_201=84.2.25.201
+PUBLIC_IP_202=84.2.25.202
+PUBLIC_IP_203=84.2.25.203
+PUBLIC_IP_204=84.2.25.204
+PUBLIC_IP_205=84.2.25.205
+PUBLIC_IP_206=84.2.25.206
+
+# efg address (perimeter network)
+EFG_PERIMETER_IP=192.168.173.254
+
+# service address (perimeter network)
+SVC_PERIMETER_IP=192.168.173.253
+
+# transfer web server address (perimeter network)
+XFR_PERIMETER_IP=192.168.173.251
+
+# subversion address (perimeter network)
+SVN_PERIMETER_IP=192.168.173.250
+
+# web server address (perimeter network)
+WS_PERIMETER_IP=192.168.173.249
+
+# perimeter name server address (perimeter network)
+PNS_PERIMETER_IP=192.168.173.174
+
+# external name server address (perimeter network)
+ENS_PERIMETER_IP=192.168.173.64
+
+# ifg address (perimeter network)
+IFG_PERIMETER_IP=192.168.173.1
+
+# ifg addresses (internal network)
+IFG_USR_IP=10.228.109.254
+IFG_SR_IP=192.168.42.254
+IFG_IN_IP=192.168.43.254
+
+# dvredmine address (internal network)
+DVREDMINE_INTERNAL_IP=10.228.62.193
+
+# minicrm address (internal network)
+MINICRM_INTERNAL_IP=10.228.109.133
+
+# store address (internal network)
+STORE_INTERNAL_IP=10.228.109.250
+
+# service address (internal network)
+SVC_INTERNAL_IP=10.228.109.253
+
+# vpn address (internal network)
+VPN_INTERNAL_IP=10.228.109.236
+
+# primary name server address 
(internal network) +PNS_INTERNAL_IP=10.228.109.174 + +# worksheet address (internal network) +WORKSHEET_SR_IP=192.168.42.248 + +################################ +# networks +################################ + +# internal networks +USR_NET=10.228.0.0/16 +SR_NET=192.168.42.0/24 +IN_NET=192.168.43.0/24 + +# perimeter network +PERIMETER_NET=192.168.173.0/24 + +# vpn client network +VPN_NET=172.16.223.0/24 + +# peep-bo network +PEEP_BO_NET=10.162.104.0/24 diff --git a/sources/ifg.usr.f29/firstboot/traversal.txt b/sources/ifg.usr.f29/firstboot/traversal.txt new file mode 100644 index 0000000..97ebf2d --- /dev/null +++ b/sources/ifg.usr.f29/firstboot/traversal.txt @@ -0,0 +1,53 @@ +############################### + chain traversal + for all tables +############################### + + NETWORK + | + ______v_____ + / raw \ + | PREROUTING | + \____________/ + | + ________ ______v_____ + / mangle \ / mangle \ + | INPUT |<- | PREROUTING | + \________/ | \____________/ + | | | + ____v___ | ______v_____ + / filter \ | / nat \ + | INPUT | | | PREROUTING | + \________/ | \____________/ + | | | + ____v____ | ____v___ + | | | / \ + | local | |__/ routing \__________ + | process | \ decision / | + |_________| \________/ ____v____ + | / mangle \ + ___v____ | FORWARD | + / \ \_________/ + / routing \ | + \ decision / ____v____ + \________/ / filter \ + | | FORWARD | + ____v___ ________ \_________/ + / raw \ / \ | + | OUTPUT | / routing \ | + \________/ ->\ decision /<--------- + | | \________/ + ____v___ | | + / mangle \ | ______v______ + | OUTPUT | | / mangle \ + \________/ | | POSTROUTING | + | | \_____________/ + ____v___ | | + / nat \ | ______v______ + | OUTPUT | | / nat \ + \________/ | | POSTROUTING | + | | \_____________/ + ____v___ | | + / filter \ | v + | OUTPUT |-- NETWORK + \________/ diff --git a/sources/ifg.usr.f29/postinstall/01_setownership.sh b/sources/ifg.usr.f29/postinstall/01_setownership.sh new file mode 100755 index 0000000..f2e6b94 --- /dev/null 
+++ b/sources/ifg.usr.f29/postinstall/01_setownership.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
diff --git a/sources/ifg.usr.f29/postinstall/02_setpermissions.sh b/sources/ifg.usr.f29/postinstall/02_setpermissions.sh
new file mode 100755
index 0000000..241386a
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/02_setpermissions.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
diff --git a/sources/ifg.usr.f29/postinstall/03_installfiles.sh b/sources/ifg.usr.f29/postinstall/03_installfiles.sh
new file mode 100755
index 0000000..f190caf
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/03_installfiles.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+ --directory=$REAL_PATH \
+ --to-stdout \
+ install \
+ | tar --extract \
+ --backup \
+ --directory=/ \
+ --no-overwrite-dir \
+ --strip-components=1 \
+ --suffix=.orig
diff --git a/sources/ifg.usr.f29/postinstall/10_setupservices.sh b/sources/ifg.usr.f29/postinstall/10_setupservices.sh
new file mode 100755
index 0000000..80c2db2
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/10_setupservices.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl enable iptables.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
diff --git a/sources/ifg.usr.f29/postinstall/99_cleanup.sh b/sources/ifg.usr.f29/postinstall/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/hosts b/sources/ifg.usr.f29/postinstall/install/etc/hosts
new file mode 100644
index 0000000..98645cf
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/install/etc/hosts
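Review bot: `chown -R root.root $SOURCE_PATH/*` in 01_setownership.sh uses the dot owner/group separator, which GNU coreutils documents as deprecated in favour of `root:root`, and the unquoted glob both word-splits on a path containing spaces and skips dot-files at the top of `install/`, so a staged `/etc/.something` would keep the build user's ownership and be installed that way by 03_installfiles.sh. `chown -R root:root -- "$SOURCE_PATH"` (chowning the directory itself, which recurses into everything including dot-files) covers both.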
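Review bot: 02_setpermissions.sh computes `REAL_PATH` and `SOURCE_PATH` and then exits without touching any file, so the `/etc/hosts`, `/etc/resolv.conf`, ifcfg and sysctl fragments that 03_installfiles.sh extracts into `/` keep whatever mode bits they carried in the build tree. Either the script should set them explicitly, `find "$SOURCE_PATH" -type d -exec chmod 755 -- {} +` and `find "$SOURCE_PATH" -type f -exec chmod 644 -- {} +`, or a comment should say that the staged tree is already correct and the file is a placeholder; as it stands the file name promises something the code does not do.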
@@ -0,0 +1,6 @@
+127.0.0.1 localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1 localhost6.localdomain6 localhost6
+
+10.228.109.254 ifg.usr.user.hu ifg
+192.168.42.254 ifg.sr.user.hu
+192.168.43.254 ifg.in.user.hu
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/resolv.conf b/sources/ifg.usr.f29/postinstall/install/etc/resolv.conf
new file mode 100644
index 0000000..656e3f2
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/install/etc/resolv.conf
@@ -0,0 +1,4 @@
+nameserver 10.228.109.253
+nameserver 10.228.109.104
+domain usr.user.hu
+search usr.user.hu
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network
new file mode 100644
index 0000000..5b2803b
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network
@@ -0,0 +1 @@
+NOZEROCONF=yes
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-eth0 b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-eth0
new file mode 100644
index 0000000..d53531e
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-eth0
@@ -0,0 +1,16 @@
+NAME=eth0
+DEVICE=eth0
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=static
+IPADDR=192.168.173.1
+PREFIX=24
+DEFROUTE=yes
+GATEWAY=192.168.173.254
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-ifg b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-ifg
new file mode 100644
index 0000000..b28e8ce
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/ifcfg-ifg
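Review bot: `IPV6INIT=yes` together with `IPV6_AUTOCONF=yes` and `IPV6_DEFROUTE=yes` in ifcfg-eth0 enables SLAAC on the perimeter interface, yet every firewall script in this series drives `/sbin/iptables` only and the sysctl fragment sets only `net.ipv4.conf.all.forwarding`; unless ip6tables rules are installed somewhere not shown here, any IPv6 address the gateway acquires on eth0 is reachable through an unfiltered INPUT chain. If IPv6 is not part of the design, `IPV6INIT=no` here, and in ifcfg-ifg which carries the same settings, is the smallest fix; otherwise ip6tables needs a matching DROP policy and rule set alongside the IPv4 one. Note also that 01_setupnetworking.sh deletes the existing connections and recreates them with nmcli, so a comment should state which of the two definitions is meant to be authoritative.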
@@ -0,0 +1,19 @@
+NAME=ifg
+DEVICE=ifg
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=none
+IPADDR0=10.228.109.254
+PREFIX0=16
+IPADDR1=192.168.42.254
+PREFIX1=24
+IPADDR2=192.168.43.254
+PREFIX2=24
+DEFROUTE=no
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_PEERDNS=yes
+IPV6_PEERROUTES=yes
+IPV6_FAILURE_FATAL=no
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/route-ifg b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/route-ifg
new file mode 100644
index 0000000..9bc258f
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/install/etc/sysconfig/network-scripts/route-ifg
@@ -0,0 +1,2 @@
+10.162.104.0/24 via 10.228.109.236
+172.16.223.0/24 via 10.228.109.236
diff --git a/sources/ifg.usr.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf b/sources/ifg.usr.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf
new file mode 100644
index 0000000..05b3f78
--- /dev/null
+++ b/sources/ifg.usr.f29/postinstall/install/etc/sysctl.d/01_ipforward.conf
@@ -0,0 +1 @@
+net.ipv4.conf.all.forwarding = 1
-- 
2.54.0