From 81aa9fd5d9efd74b7cc098f95e440d1c7fa4e4cb Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zolt=C3=A1n=20Felleg?= Date: Mon, 5 Aug 2019 09:35:51 +0200 Subject: [PATCH] Updated efg.pm.f30 (Removed iptables files, added perimeter nameserver rule). --- sources/efg.pm.f30/firstboot/02_ldap_setup.sh | 13 - .../efg.pm.f30/firstboot/10_iptables_reset.sh | 69 --- .../efg.pm.f30/firstboot/10_setupnftables.sh | 2 - .../firstboot/11_iptables_set_efg_rules.sh | 482 ------------------ .../firstboot/12_iptables_log_dropped.sh | 19 - .../efg.pm.f30/firstboot/13_iptables_save.sh | 5 - .../firstboot/20_routing_setup.sh.old | 50 -- sources/efg.pm.f30/firstboot/definitions | 116 ----- sources/efg.pm.f30/firstboot/nftables.config | 4 + 9 files changed, 4 insertions(+), 756 deletions(-) delete mode 100755 sources/efg.pm.f30/firstboot/02_ldap_setup.sh delete mode 100755 sources/efg.pm.f30/firstboot/10_iptables_reset.sh delete mode 100755 sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh delete mode 100755 sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh delete mode 100755 sources/efg.pm.f30/firstboot/13_iptables_save.sh delete mode 100755 sources/efg.pm.f30/firstboot/20_routing_setup.sh.old delete mode 100644 sources/efg.pm.f30/firstboot/definitions diff --git a/sources/efg.pm.f30/firstboot/02_ldap_setup.sh b/sources/efg.pm.f30/firstboot/02_ldap_setup.sh deleted file mode 100755 index 5cb0824..0000000 --- a/sources/efg.pm.f30/firstboot/02_ldap_setup.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - - -exit 0 -REAL_PATH=$(realpath $(dirname $0)) - - -authconfig --enableldap \ - --enableldapauth \ - --ldapserver=ldap.usr.user.hu \ - --ldapbasedn="dc=user,dc=hu" \ - --enablemkhomedir \ - --update diff --git a/sources/efg.pm.f30/firstboot/10_iptables_reset.sh b/sources/efg.pm.f30/firstboot/10_iptables_reset.sh deleted file mode 100755 index 1dc5600..0000000 --- a/sources/efg.pm.f30/firstboot/10_iptables_reset.sh +++ /dev/null 
@@ -1,69 +0,0 @@ -#!/bin/sh -exit 0 - - -REAL_PATH=$(realpath $(dirname $0)) - -################################ -# definitions -################################ -source $REAL_PATH/definitions - - -################################ -# delete all user-defined chains of all tables -$IPTABLES --table filter --delete-chain -$IPTABLES --table nat --delete-chain -$IPTABLES --table mangle --delete-chain -$IPTABLES --table raw --delete-chain - -################################ -# flush all chains of all tables -$IPTABLES --table filter --flush INPUT -$IPTABLES --table filter --flush FORWARD -$IPTABLES --table filter --flush OUTPUT -$IPTABLES --table nat --flush PREROUTING -$IPTABLES --table nat --flush INPUT -$IPTABLES --table nat --flush OUTPUT -$IPTABLES --table nat --flush POSTROUTING -$IPTABLES --table mangle --flush PREROUTING -$IPTABLES --table mangle --flush INPUT -$IPTABLES --table mangle --flush FORWARD -$IPTABLES --table mangle --flush OUTPUT -$IPTABLES --table mangle --flush POSTROUTING -$IPTABLES --table raw --flush PREROUTING -$IPTABLES --table raw --flush OUTPUT - -################################ -# reset counters for all chains of all tables -$IPTABLES --table filter --zero INPUT -$IPTABLES --table filter --zero FORWARD -$IPTABLES --table filter --zero OUTPUT -$IPTABLES --table nat --zero PREROUTING -$IPTABLES --table nat --zero INPUT -$IPTABLES --table nat --zero OUTPUT -$IPTABLES --table nat --zero POSTROUTING -$IPTABLES --table mangle --zero PREROUTING -$IPTABLES --table mangle --zero INPUT -$IPTABLES --table mangle --zero FORWARD -$IPTABLES --table mangle --zero OUTPUT -$IPTABLES --table mangle --zero POSTROUTING -$IPTABLES --table raw --zero PREROUTING -$IPTABLES --table raw --zero OUTPUT - -################################ -# set the default policy for all chains of all tables -$IPTABLES --table filter --policy INPUT DROP -$IPTABLES --table filter --policy FORWARD DROP -$IPTABLES --table filter --policy OUTPUT DROP -$IPTABLES --table nat --policy 
PREROUTING ACCEPT -$IPTABLES --table nat --policy INPUT ACCEPT -$IPTABLES --table nat --policy OUTPUT ACCEPT -$IPTABLES --table nat --policy POSTROUTING ACCEPT -$IPTABLES --table mangle --policy PREROUTING ACCEPT -$IPTABLES --table mangle --policy INPUT ACCEPT -$IPTABLES --table mangle --policy FORWARD ACCEPT -$IPTABLES --table mangle --policy OUTPUT ACCEPT -$IPTABLES --table mangle --policy POSTROUTING ACCEPT -$IPTABLES --table raw --policy PREROUTING ACCEPT -$IPTABLES --table raw --policy OUTPUT ACCEPT diff --git a/sources/efg.pm.f30/firstboot/10_setupnftables.sh b/sources/efg.pm.f30/firstboot/10_setupnftables.sh index 2a2bd5b..fd180f1 100755 --- a/sources/efg.pm.f30/firstboot/10_setupnftables.sh +++ b/sources/efg.pm.f30/firstboot/10_setupnftables.sh @@ -1,5 +1,4 @@ #!/bin/sh -set -x REAL_PATH=$(realpath $(dirname $0)) @@ -11,7 +10,6 @@ do nft flush $TABLE_SPEC nft delete $TABLE_SPEC done -#exit 0 nft --echo --file $REAL_PATH/nftables.config nft list ruleset >/etc/nftables/efg.nft diff --git a/sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh b/sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh deleted file mode 100755 index d1c9770..0000000 --- a/sources/efg.pm.f30/firstboot/11_iptables_set_efg_rules.sh +++ /dev/null 
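Review bot: In the second hunk of 10_setupnftables.sh, the `nft --echo --file $REAL_PATH/nftables.config` load and the following `nft list ruleset >/etc/nftables/efg.nft` run without any error check, so a config that fails to parse after the loop has already flushed and deleted the existing tables leaves the host with no ruleset and persists exactly that empty state as the boot ruleset. With `set -x` now removed in the first hunk there is also no trace output left to notice it from. Guarding the load, `nft --echo --file "$REAL_PATH/nftables.config" || exit 1`, keeps a broken config from being saved, and `set -e` where `set -x` used to be would cover the remaining commands. `$REAL_PATH` and `$TABLE_SPEC` are expanded unquoted; harmless for these values but worth quoting for consistency. The loop whose `do` opens the hunk begins outside it.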
@@ -1,482 +0,0 @@ -#!/bin/sh -exit 0 -#set -x - - -REAL_PATH=$(realpath $(dirname $0)) - -################################ -# definitions -################################ -source $REAL_PATH/definitions - - -################################ -# nat PREROUTING rules -# dnat openvpn packets -# from the internet -# to the internal vpn host -$IPTABLES --table nat --append PREROUTING \ - --match comment \ - --comment "openvpn -> internal vpn host" \ - --protocol udp \ - --in-interface $EXTERNAL_IF_STATIC \ - --destination $PUBLIC_IP_202 \ - --destination-port 1194 \ - --jump DNAT --to-destination $VPN_INTERNAL_IP -# dnat smtp packets -# from the internet -# to the perimeter svc host -$IPTABLES --table nat --append PREROUTING \ - --match comment \ - --comment "smtp -> perimeter service host" \ - --protocol tcp \ - --in-interface $EXTERNAL_IF_STATIC \ - --destination $PUBLIC_IP_202 \ - --destination-port 25 \ - --jump DNAT --to-destination $SVC_PERIMETER_IP -# dnat dns packets -# from the internet -# to the perimeter external name server host -$IPTABLES --table nat --append PREROUTING \ - --match comment \ - --comment "dns (udp) -> perimeter name server host" \ - --protocol udp \ - --in-interface $EXTERNAL_IF_STATIC \ - --destination $PUBLIC_IP_202 \ - --destination-port 53 \ - --jump DNAT --to-destination $ENS_PERIMETER_IP -# dnat dns packets -# from the internet -# to the perimeter external name server host -$IPTABLES --table nat --append PREROUTING \ - --match comment \ - --comment "dns (tcp) -> perimeter name server host" \ - --protocol tcp \ - --in-interface $EXTERNAL_IF_STATIC \ - --destination $PUBLIC_IP_202 \ - --destination-port 53 \ - --jump DNAT --to-destination $ENS_PERIMETER_IP -# dnat http and https packets -# from the internet -# to the perimeter web server host -$IPTABLES --table nat --append PREROUTING \ - --match comment \ - --comment "http, https -> perimeter www host" \ - --protocol tcp \ - --in-interface $EXTERNAL_IF_STATIC \ - --destination 
$PUBLIC_IP_202 \ - --match multiport \ - --destination-ports 80,443 \ - --jump DNAT --to-destination $WS_PERIMETER_IP -## dnat http and https packets -## from the internet -## to the perimeter whmcs host -#$IPTABLES --table nat --append PREROUTING \ -# --match comment \ -# --comment "http, https -> perimeter whmcs host" \ -# --protocol tcp \ -# --in-interface $EXTERNAL_IF_194 \ -# --destination $PUBLIC_IP \ -# --match multiport \ -# --destination-ports 80,443 \ -# --jump DNAT --to-destination $WHMCS_PERIMETER_IP - -################################ -# filter INPUT rules -# allow dns replies -# from the perimeter ns host -$IPTABLES --table filter --append INPUT \ - --match comment \ - --comment "dns replies <- pns.pm" \ - --match conntrack \ - --ctstate ESTABLISHED \ - --protocol udp \ - --in-interface $PERIMETER_IF \ - --source $PNS_PERIMETER_IP \ - --source-port 53 \ - --destination $EFG_PERIMETER_IP \ - --destination-port 1024:65535 \ - --jump ACCEPT -# allow ssh packets -# from the usr, sr and in networks -$IPTABLES --table filter --append INPUT \ - --match comment \ - --comment "ssh from the usr, sr and in networks" \ - --protocol tcp \ - --in-interface $PERIMETER_IF \ - --source ${USR_NET},${SR_NET},$IN_NET \ - --source-port 1024:65535 \ - --destination $EFG_PERIMETER_IP \ - --destination-port 22 \ - --jump ACCEPT -# allow icmp packets -# from anywhere -$IPTABLES --table filter --append INPUT \ - --protocol icmp \ - --jump ACCEPT -# allow packets -# from the loopback address -# to the loopback address -$IPTABLES --table filter --append INPUT \ - --in-interface $LOOPBACK_IF \ - --source $LOOPBACK_IP \ - --destination $LOOPBACK_IP \ - --jump ACCEPT - -################################ -# filter FORWARD rules -# forward packets -# of established sessions -# from the internet -# to the usr, sr and in networks -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "established sessions to the usr, sr and in networks" \ - --match conntrack \ - 
--ctstate ESTABLISHED,RELATED \ - --in-interface ${EXTERNAL_IF_PREFIX}+ \ - --out-interface $PERIMETER_IF \ - --destination ${USR_NET},${SR_NET},$IN_NET \ - --jump ACCEPT -# forward packets -# from the usr, sr and in networks -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "from the usr, sr and in networks" \ - --in-interface $PERIMETER_IF \ - --source ${USR_NET},${SR_NET},$IN_NET \ - --out-interface ${EXTERNAL_IF_PREFIX}+ \ - --jump ACCEPT -# forward openvpn packets -# from the internet -# to the internal vpn host -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "openvpn -> internal openvpn host" \ - --protocol udp \ - --in-interface $EXTERNAL_IF_STATIC \ - --out-interface $PERIMETER_IF \ - --destination $VPN_INTERNAL_IP \ - --destination-port 1194 \ - --jump ACCEPT -# forward http and https requests -# from the internet -# to the perimeter web server host -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "http, https -> perimeter web server host" \ - --protocol tcp \ - --in-interface $EXTERNAL_IF_STATIC \ - --out-interface $PERIMETER_IF \ - --destination $WS_PERIMETER_IP \ - --match multiport \ - --destination-ports 80,443 \ - --jump ACCEPT -# forward http and https replies -# of established sessions -# from the perimeter web server host -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "perimeter web server host http, https replies" \ - --protocol tcp \ - --match conntrack \ - --ctstate ESTABLISHED \ - --in-interface $PERIMETER_IF \ - --source $WS_PERIMETER_IP \ - --match multiport \ - --source-ports 80,443 \ - --out-interface $EXTERNAL_IF_STATIC \ - --jump ACCEPT -# forward dns requests and notifications -# from the internet -# to the external name server host -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns requests from internet (udp) -> ens.pm" \ - --protocol udp \ - 
--in-interface $EXTERNAL_IF_STATIC \ - --source-port 1024:65535 \ - --out-interface $PERIMETER_IF \ - --destination $ENS_PERIMETER_IP \ - --destination-port 53 \ - --jump ACCEPT -# forward dns replies -# from the external name server host -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns replies from ens.pm (udp) -> internet" \ - --match conntrack \ - --ctstate ESTABLISHED,RELATED \ - --protocol udp \ - --in-interface $PERIMETER_IF \ - --source $ENS_PERIMETER_IP \ - --source-port 53 \ - --out-interface $EXTERNAL_IF_STATIC \ - --destination-port 1024:65535 \ - --jump ACCEPT -# forward dns requests -# from the external and perimeter name server hosts -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns requests from (e|p)ns.pm (udp) -> internet" \ - --protocol udp \ - --in-interface $PERIMETER_IF \ - --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ - --source-port 1024:65535 \ - --out-interface $EXTERNAL_IF_STATIC \ - --destination-port 53 \ - --jump ACCEPT -# forward dns replies -# from the internet -# to the external and perimeter name server hosts -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns replies (udp) -> (e|p)ns.pm" \ - --match conntrack \ - --ctstate ESTABLISHED,RELATED \ - --protocol udp \ - --in-interface $EXTERNAL_IF_STATIC \ - --source-port 53 \ - --out-interface $PERIMETER_IF \ - --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ - --destination-port 1024:65535 \ - --jump ACCEPT -# forward dns requests -# from the internet -# to the external name server host -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns requests (tcp) -> ens.pm" \ - --protocol tcp \ - --in-interface $EXTERNAL_IF_STATIC \ - --source-port 1024:65535 \ - --out-interface $PERIMETER_IF \ - --destination $ENS_PERIMETER_IP \ - --destination-port 53 \ - --jump ACCEPT -# forward dns replies -# of established sessions -# from 
the external name server host -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns replies from ens.pm (tcp) -> internet" \ - --match conntrack \ - --ctstate ESTABLISHED \ - --protocol tcp \ - --in-interface $PERIMETER_IF \ - --source $ENS_PERIMETER_IP \ - --source-port 53 \ - --out-interface $EXTERNAL_IF_STATIC \ - --destination-port 1024:65535 \ - --jump ACCEPT -# forward dns requests -# from the external and perimeter name server hosts -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns requests from (e|p)ns.pm -> internet" \ - --protocol tcp \ - --in-interface $PERIMETER_IF \ - --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ - --source-port 1024:65535 \ - --out-interface $EXTERNAL_IF_STATIC \ - --destination-port 53 \ - --jump ACCEPT -# forward dns replies -# of established sessions -# from the internet -# to the external and perimeter name server hosts -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "dns replies (tcp) -> (e|p)ns.pm" \ - --match conntrack \ - --ctstate ESTABLISHED \ - --protocol tcp \ - --in-interface $EXTERNAL_IF_STATIC \ - --source-port 53 \ - --out-interface $PERIMETER_IF \ - --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \ - --destination-port 1024:65535 \ - --jump ACCEPT -# forward smtp, dns, http and https requests -# from the perimeter svc host -# to the internet -$IPTABLES --table filter --append FORWARD \ - --protocol tcp \ - --in-interface $PERIMETER_IF \ - --source $SVC_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --match multiport \ - --destination-ports 25,53,80,443 \ - --jump ACCEPT -# forward smtp, dns, http and https replies -# of established sessions -# from the internet -# to the perimeter svc host -$IPTABLES --table filter --append FORWARD \ - --protocol tcp \ - --match conntrack \ - --ctstate ESTABLISHED \ - --in-interface $EXTERNAL_IF_STATIC \ - --match multiport \ - --source-ports 
25,53,80,443 \ - --out-interface $PERIMETER_IF \ - --destination $SVC_PERIMETER_IP \ - --jump ACCEPT -# forward smtp, http and https requests -# from the perimeter web server host -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "perimeter ws host smtp, http, https requests (let's encrypt)" \ - --protocol tcp \ - --in-interface $PERIMETER_IF \ - --source $WS_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --match multiport \ - --destination-ports 25,80,443 \ - --jump ACCEPT -# forward smtp, http and https replies -# of established sessions -# from the internet -# to the perimeter web server host -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "perimeter ws host smtp, http, https replies (let's encrypt)" \ - --protocol tcp \ - --match conntrack \ - --ctstate ESTABLISHED \ - --in-interface $EXTERNAL_IF_STATIC \ - --match multiport \ - --source-ports 25,80,443 \ - --out-interface $PERIMETER_IF \ - --destination $WS_PERIMETER_IP \ - --jump ACCEPT -# forward http and https requests -# from the perimeter whmcs host -# to the internet -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "perimeter whmcs host http, https requests (let's encrypt)" \ - --protocol tcp \ - --in-interface $PERIMETER_IF \ - --source $WHMCS_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --match multiport \ - --destination-ports 80,443 \ - --jump ACCEPT -# forward http and https replies -# of established sessions -# from the internet -# to the perimeter whmcs host -$IPTABLES --table filter --append FORWARD \ - --match comment \ - --comment "perimeter whmcs host http, https replies (let's encrypt)" \ - --protocol tcp \ - --match conntrack \ - --ctstate ESTABLISHED \ - --in-interface $EXTERNAL_IF_STATIC \ - --match multiport \ - --source-ports 80,443 \ - --out-interface $PERIMETER_IF \ - --destination $WHMCS_PERIMETER_IP \ - --jump ACCEPT -# forward icmp packets -# from anywhere -# 
to anywhere -$IPTABLES --table filter --append FORWARD \ - --protocol icmp \ - --jump ACCEPT - -################################ -# filter OUTPUT rules -# allow dns requests -# to the perimeter name server host -$IPTABLES --table filter --append OUTPUT \ - --match comment \ - --comment "dns requests -> pns.pm" \ - --match conntrack \ - --ctstate NEW \ - --protocol udp \ - --source $EFG_PERIMETER_IP \ - --source-port 1024:65535 \ - --out-interface $PERIMETER_IF \ - --destination $PNS_PERIMETER_IP \ - --destination-port 53 \ - --jump ACCEPT -# allow ssh packets -# of established sessions -# to the usr, sr and in networks -$IPTABLES --table filter --append OUTPUT \ - --protocol tcp \ - --match conntrack \ - --ctstate ESTABLISHED \ - --source $EFG_PERIMETER_IP \ - --source-port 22 \ - --out-interface $PERIMETER_IF \ - --destination ${USR_NET},${SR_NET},$IN_NET \ - --jump ACCEPT -# allow icmp packets -# to anywhere -$IPTABLES --table filter --append OUTPUT \ - --protocol icmp \ - --jump ACCEPT -# allow packets -# from the loopback address -# to the loopback address -$IPTABLES --table filter --append OUTPUT \ - --source $LOOPBACK_IP \ - --out-interface $LOOPBACK_IF \ - --destination $LOOPBACK_IP \ - --jump ACCEPT - -################################ -# nat POSTROUTING rules -# snat packets -# from the usr, sr and in networks -$IPTABLES --table nat --append POSTROUTING \ - --source ${USR_NET},${SR_NET},$IN_NET \ - --out-interface $EXTERNAL_IF_DYNAMIC \ - --jump SNAT --to-source $PUBLIC_IP_202 -# snat packets -# from the usr, sr and in networks -$IPTABLES --table nat --append POSTROUTING \ - --source ${USR_NET},${SR_NET},$IN_NET \ - --out-interface $EXTERNAL_IF_STATIC \ - --jump SNAT --to-source $PUBLIC_IP_202 -# snat packets -# from the perimeter svc host -$IPTABLES --table nat --append POSTROUTING \ - --source $SVC_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --jump SNAT --to-source $PUBLIC_IP_202 -# snat packets -# from the perimeter web server host 
-$IPTABLES --table nat --append POSTROUTING \ - --source $WS_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --jump SNAT --to-source $PUBLIC_IP_202 -# snat packets -# from the perimeter whmcs host -$IPTABLES --table nat --append POSTROUTING \ - --source $WHMCS_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --jump SNAT --to-source $PUBLIC_IP_202 -# snat packets -# from the perimeter name server host (perimeter network) -$IPTABLES --table nat --append POSTROUTING \ - --source $PNS_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --jump SNAT --to-source $PUBLIC_IP_202 -# snat packets -# from the external name server host (perimeter network) -$IPTABLES --table nat --append POSTROUTING \ - --source $ENS_PERIMETER_IP \ - --out-interface $EXTERNAL_IF_STATIC \ - --jump SNAT --to-source $PUBLIC_IP_202 diff --git a/sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh b/sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh deleted file mode 100755 index 6ae55fb..0000000 --- a/sources/efg.pm.f30/firstboot/12_iptables_log_dropped.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -exit 0 -#set -x - -################################ -# iptables command -IPTABLES=/sbin/iptables - -################################ -# log packets reaching the default policy rules in the filter table -$IPTABLES --table filter --append INPUT \ - --jump LOG \ - --log-prefix 'filter INPUT: ' -$IPTABLES --table filter --append FORWARD \ - --jump LOG \ - --log-prefix 'filter FORWARD: ' -$IPTABLES --table filter --append OUTPUT \ - --jump LOG \ - --log-prefix 'filter OUTPUT: ' diff --git a/sources/efg.pm.f30/firstboot/13_iptables_save.sh b/sources/efg.pm.f30/firstboot/13_iptables_save.sh deleted file mode 100755 index ff43dbd..0000000 --- a/sources/efg.pm.f30/firstboot/13_iptables_save.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -exit 0 -#set -x - -/sbin/iptables-save >/etc/sysconfig/iptables 
diff --git a/sources/efg.pm.f30/firstboot/20_routing_setup.sh.old b/sources/efg.pm.f30/firstboot/20_routing_setup.sh.old deleted file mode 100755 index 9e2c4eb..0000000 --- a/sources/efg.pm.f30/firstboot/20_routing_setup.sh.old +++ /dev/null @@ -1,50 +0,0 @@ -#!/bin/sh -set -x - -REAL_PATH=$(realpath $(dirname $0)) - -source $REAL_PATH/definitions - - -#echo '65 dynamic' >>/etc/iproute2/rt_tables -#echo '210 static' >>/etc/iproute2/rt_tables - -ip a -ip r - -# normal routes (table main) -#ip route add 212.40.120.172 via 192.168.43.161 dev eth0 -#ip route add 212.40.120.173 via 192.168.43.210 dev eth0 - -# default route for dynamic -#ip route add default via 192.168.65.254 dev $EXTERNAL_IF_DYNAMIC table dynamic - -# default route for static -#ip route add default via 84.2.25.193 dev $EXTERNAL_IF_STATIC table static - -# normal routes for dynamic -#ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table dynamic -#ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table dynamic -#ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table dynamic - -# normal routes for static -#ip route add 10.228.0.0/16 via 192.168.173.1 dev eth0 table static -#ip route add 192.168.42.0/24 via 192.168.173.1 dev eth0 table static -#ip route add 192.168.43.0/24 via 192.168.173.1 dev eth0 table static - -# source routes for dynamic -#ip rule add from $USR_NET lookup table dynamic -#ip rule add from $SR_NET lookup table dynamic - -# source routes for static -# do NOT use network addresses!!! -#ip rule add from $SVC_PERIMETER_IP lookup static -#ip rule add from $WWW_PERIMETER_IP lookup static -#ip rule add from $NS_PERIMETER_IP lookup static -#ip rule add from $VPN_INTERNAL_IP lookup static -#ip rule add from $IN_NET lookup static -#ip rule add from 192.168.43.176/28 lookup epc201 -#ip rule add from 192.168.43.1 lookup epc201 - -# flush cache -ip route flush cache 
diff --git a/sources/efg.pm.f30/firstboot/definitions b/sources/efg.pm.f30/firstboot/definitions deleted file mode 100644 index 98476ac..0000000 --- a/sources/efg.pm.f30/firstboot/definitions +++ /dev/null 
@@ -1,116 +0,0 @@ -################################ -# iptables command -################################ -IPTABLES=/sbin/iptables - -################################ -# interfaces -################################ - -# external interfaces -EXTERNAL_IF_PREFIX=efg -EXTERNAL_IF_DYNAMIC=${EXTERNAL_IF_PREFIX}d -EXTERNAL_IF_STATIC=${EXTERNAL_IF_PREFIX}s - -# loopback interface -LOOPBACK_IF=lo - -# perimeter interface -PERIMETER_IF=eth0 - -################################ -# addresses -################################ - -# loopback address -LOOPBACK_IP=127.0.0.1 - -# public address -PUBLIC_IP_194=84.2.25.194 -PUBLIC_IP_195=84.2.25.195 -PUBLIC_IP_196=84.2.25.196 -PUBLIC_IP_197=84.2.25.197 -PUBLIC_IP_198=84.2.25.198 -PUBLIC_IP_199=84.2.25.199 -PUBLIC_IP_200=84.2.25.200 -PUBLIC_IP_201=84.2.25.201 -PUBLIC_IP_202=84.2.25.202 -PUBLIC_IP_203=84.2.25.203 -PUBLIC_IP_204=84.2.25.204 -PUBLIC_IP_205=84.2.25.205 -PUBLIC_IP_206=84.2.25.206 - -PUBLIC_IP_146=194.149.40.146 -PUBLIC_IP_147=194.149.40.147 -PUBLIC_IP_148=194.149.40.148 -PUBLIC_IP_149=194.149.40.149 -PUBLIC_IP_150=194.149.40.150 -PUBLIC_IP_151=194.149.40.151 -PUBLIC_IP_152=194.149.40.152 -PUBLIC_IP_153=194.149.40.153 -PUBLIC_IP_154=194.149.40.154 -PUBLIC_IP_155=194.149.40.155 -PUBLIC_IP_156=194.149.40.156 -PUBLIC_IP_157=194.149.40.157 -PUBLIC_IP_158=194.149.40.158 - -# modem management addresses -DYNAMIC_MANAGEMENT_IP=192.168.65.1 -STATIC_MANAGEMENT_IP=192.168.210.1 - -# modem/gateway addresses -DYNAMIC_GATEWAY_IP=192.168.65.254 -STATIC_GATEWAY_IP=84.2.25.193 - -# efg address (perimeter network) -EFG_PERIMETER_IP=192.168.173.254 - -# service address (perimeter network) -SVC_PERIMETER_IP=192.168.173.253 - -# transfer server address (perimeter network) -XFR_PERIMETER_IP=192.168.173.251 - -# whmcs server address (perimeter network) -WHMCS_PERIMETER_IP=192.168.173.250 - -# web server address (perimeter network) -WS_PERIMETER_IP=192.168.173.249 - -# subversion address (perimeter network) -SVN_PERIMETER_IP=192.168.173.249 - -# 
perimeter name server address (perimeter network) -PNS_PERIMETER_IP=192.168.173.174 - -# external name server address (perimeter network) -ENS_PERIMETER_IP=192.168.173.64 - -# ifg address (perimeter network) -IFG_PERIMETER_IP=192.168.173.1 - -# ipg addresses (internal network) -IFG_USR_IP=10.228.109.254 -IFG_SR_IP=192.168.42.254 -IFG_IN_IP=192.168.43.254 - -# service address (internal network) -SVC_INTERNAL_IP=10.228.109.253 - -# vpn address (internal network) -VPN_INTERNAL_IP=10.228.109.236 - -################################ -# networks -################################ - -# internal networks -USR_NET=10.228.0.0/16 -SR_NET=192.168.42.0/24 -IN_NET=192.168.43.0/24 - -# perimeter network -PERIMETER_NET=192.168.173.0/24 - -# vpn client network -VPN_NET=172.16.223.0/24 diff --git a/sources/efg.pm.f30/firstboot/nftables.config b/sources/efg.pm.f30/firstboot/nftables.config index 7c90a33..0043e6b 100644 --- a/sources/efg.pm.f30/firstboot/nftables.config +++ b/sources/efg.pm.f30/firstboot/nftables.config @@ -312,6 +312,10 @@ add rule ip efg_nat postrouting \ oifname $EXTERNAL_IF ip saddr $ENS_PERIMETER_IP \ counter snat $PUBLIC_NS_IP comment "Outgoing external DNS traffic" +add rule ip efg_nat postrouting \ + oifname $EXTERNAL_IF ip saddr $PNS_PERIMETER_IP \ + counter snat $PUBLIC_EFG_IP comment "Outgoing perimeter DNS traffic" + add rule ip efg_nat postrouting \ oifname $EXTERNAL_IF ip saddr $WS_PERIMETER_IP \ counter snat $PUBLIC_WS_IP comment "Outgoing WS traffic" -- 2.54.0
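Review bot: The added postrouting rule is commented as "Outgoing perimeter DNS traffic" but matches only `oifname $EXTERNAL_IF ip saddr $PNS_PERIMETER_IP`, so every outbound flow from that host is SNATed, not just DNS; the neighbouring ENS and WS rules have the same shape, so this may be deliberate. If only resolver traffic is meant to leave, narrow it with `udp dport 53` (plus a tcp twin) before `counter`, otherwise reword the comment to "Outgoing traffic from perimeter NS" so it does not read as a port restriction. The rule maps PNS to `$PUBLIC_EFG_IP` while the ENS rule directly above uses `$PUBLIC_NS_IP`; that looks intentional but deserves a one-line comment, and `PUBLIC_EFG_IP` must already be a `define` in this config, since 10_setupnftables.sh loads the file with no error check after flushing the tables. The rule the hunk opens on (`oifname $EXTERNAL_IF ip saddr $ENS_PERIMETER_IP`) starts outside the hunk.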