From b8c3528e019cbc8641078e8db612372dbbe8954a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Mon, 9 Jan 2023 13:46:11 +0100
Subject: [PATCH] Updated efg.pm and ifg.in (added wireguard routes and rules).
---
 sources/efg.pm/c3d/firstboot/data/nftables.config | 9 +++++----
 sources/efg.pm/envvars | 2 +-
 sources/ifg.in/c3d/firstboot/data/nftables.config | 11 +++++++----
 .../c3d/firstboot/scripts/01_setupnetworking.sh | 2 +-
 sources/ifg.in/envvars | 2 +-
 5 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/sources/efg.pm/c3d/firstboot/data/nftables.config b/sources/efg.pm/c3d/firstboot/data/nftables.config
index fc8f03c..1668a55 100644
--- a/sources/efg.pm/c3d/firstboot/data/nftables.config
+++ b/sources/efg.pm/c3d/firstboot/data/nftables.config
@@ -101,7 +101,7 @@ define PERIMETER_IPV4_NET = 192.168.173.0/24
 define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64
 # vpn client network
-define VPN_IPV4_NET = 172.16.223.0/24
+define VPN_IPV4_NET = 172.24.232.0/24
 # peep-bo network
 define PEEP_BO_IPV4_NET = 10.162.104.0/24
@@ -111,6 +111,7 @@ define PEEP_BO_IPV4_NET = 10.162.104.0/24
 ################################
 #define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define VPN_PORTS = { openvpn, 51820 }
 ################################
@@ -137,7 +138,7 @@ create chain ip6 efg-filter output { type filter hook output priority 0; policy
 add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF \
- ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport openvpn \
+ ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport $VPN_PORTS \
 counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
 #add rule ip efg-nat prerouting \
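Review bot: The efg.pm definition now replaces the OpenVPN client network with the WireGuard one (`define VPN_IPV4_NET = 172.24.232.0/24`) instead of adding it, while the same patch keeps both networks on ifg.in (`VPN_NETS = { $OVPN_NET, $WG_NET }`) and still forwards the openvpn port on this box. Any efg.pm rule keyed on `$VPN_IPV4_NET` — none is visible in this hunk — will therefore stop matching OpenVPN clients in 172.16.223.0/24 after this change, which reads like an unintended policy change rather than a WireGuard addition. Unless OpenVPN is being retired, mirror the ifg.in layout: `define OVPN_IPV4_NET = 172.16.223.0/24`, `define WG_IPV4_NET = 172.24.232.0/24`, `define VPN_IPV4_NET = { $OVPN_IPV4_NET, $WG_IPV4_NET }`. Check first that every consumer of the variable accepts a set rather than a single prefix.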
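Review bot: The new port set `define VPN_PORTS = { openvpn, 51820 }` mixes a service name with a bare number and does not say what 51820 is, even though the set is reused by the DNAT rule and both forward accepts, so a future edit here widens every external path at once. Add a comment above the define, e.g. `# UDP ports DNATed and forwarded to $VPN_INTERNAL_IPV4: OpenVPN (1194) and WireGuard (51820); anything added here becomes reachable on every external interface`. Spelling `1194` numerically, or `wireguard` symbolically if /etc/services on the target image defines it, would also keep the two entries consistent and remove the dependency on name resolution at ruleset load.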
@@ -244,12 +245,12 @@ add rule ip efg-filter forward \
 add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
 counter accept comment "Incoming VPN traffic (ACE)"
 add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
 counter accept comment "Incoming VPN traffic (TELEKOM)"
 add rule ip efg-filter forward \
diff --git a/sources/efg.pm/envvars b/sources/efg.pm/envvars
index 9214405..9a2fa01 100644
--- a/sources/efg.pm/envvars
+++ b/sources/efg.pm/envvars
@@ -1,5 +1,5 @@
 DISTRIBUTION=Fedora
-DISTRIBUTION_VERSION=36
+DISTRIBUTION_VERSION=37
 ROOT_PACKAGES="hostname initscripts iproute rootfiles systemd-udev"
 BASE_PACKAGES="NetworkManager iputils logrotate rsyslog tar vim-minimal"
 SPEC_PACKAGES="cronie ethtool nftables radvd tcpdump"
diff --git a/sources/ifg.in/c3d/firstboot/data/nftables.config b/sources/ifg.in/c3d/firstboot/data/nftables.config
index d49cd48..c0e21af 100644
--- a/sources/ifg.in/c3d/firstboot/data/nftables.config
+++ b/sources/ifg.in/c3d/firstboot/data/nftables.config
@@ -136,17 +136,20 @@ define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \
 define PERIMETER_NET = 192.168.173.0/24
 define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64
-# vpn client network
-define VPN_NET = 172.16.223.0/24
+# vpn client networks
+define OVPN_NET = 172.16.223.0/24
+define WG_NET = 172.24.232.0/24
+define VPN_NETS = { $OVPN_NET, $WG_NET }
 # peep-bo network
-define PEEP_BO_NET = 10.162.104.0/24
+define PEEP_BO_NET = 10.162.0.0/16
 ################################
 # port definitions
 ################################
 #define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define VPN_PORTS = { openvpn, 51820 }
 ################################
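Review bot: The TELEKOM forward rule now accepts `udp dport $VPN_PORTS` towards `$VPN_INTERNAL_IPV4`, but the only prerouting DNAT touched by this patch (the hunk at line 138) is bound to `$EXTERNAL_ACE_IF`, and the prerouting rule following it is commented out with its body outside that hunk; packets arriving on `$EXTERNAL_TELEKOM_IF` will only reach this accept if something not shown rewrites their destination, so this rule is either dead or depends on an undocumented second DNAT. A comment on the TELEKOM rule naming the DNAT it relies on, e.g. `# requires the TELEKOM prerouting DNAT in efg-nat`, would settle which. As a style point, the ACE and TELEKOM rules differ only in `iifname` and could be one rule with `iifname { $EXTERNAL_ACE_IF, $EXTERNAL_TELEKOM_IF }`, at the cost of merging the two counters. The forward chain continues outside the hunk.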
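Review bot: `define VPN_NET` is removed and replaced by `OVPN_NET`, `WG_NET` and `VPN_NETS`, but the diffstat (`11 +++++++----`, fully accounted for by this hunk and the one at line 312) shows no other line of this file changed, so any remaining `$VPN_NET` reference in the rules below is now an undefined variable and `nft -f` will reject the whole ruleset at firstboot rather than just that rule. Grep the file for `$VPN_NET` and move those rules to `$VPN_NETS` in this commit, or keep `define VPN_NET = $OVPN_NET` as a compatibility alias until they are. Separately, `define PEEP_BO_NET = 10.162.0.0/16` widens that network 256-fold without a word in the commit message, and efg.pm's `PEEP_BO_IPV4_NET` stays at `10.162.104.0/24` in the same patch; either widen both or document why only the internal firewall needs the /16, e.g. `# peep-bo network (whole 10.162.0.0/16 here; efg.pm still limits to 10.162.104.0/24)`.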
@@ -309,7 +312,7 @@ add rule ip6 ifg-filter forward \
 add rule ip ifg-filter forward \
 ip protocol udp \
 iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
+ oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
 counter accept comment "Incoming VPN traffic"
 add rule ip ifg-filter forward \
diff --git a/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh b/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh
index 44b4cf1..17f7f86 100755
--- a/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh
+++ b/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh
@@ -54,7 +54,7 @@ nmcli connection add \
 ipv4.dns "10.228.109.159, 10.228.92.159" \
 ipv4.dns-search "in.useribm.hu" \
 ipv4.method "manual" \
- ipv4.routes "172.16.223.0/24 10.228.109.236, 10.162.104.0/24 10.228.109.236" \
+ ipv4.routes "172.16.223.0/24 10.228.109.236, 172.24.232.0/24 10.228.109.236, 10.162.0.0/16 10.228.109.236" \
 ipv6.addresses "2a02:d400:0000:f268:000c:18ff:fe03:6dfe/64" \
 ipv6.dns "2a02:d400:0000:f268:000c:18ff:fe03:6d9f, 2a02:d400:0000:f268:000c:18ff:fe03:5c9f" \
 ipv6.dns-search "in.useribm.hu" \
diff --git a/sources/ifg.in/envvars b/sources/ifg.in/envvars
index 980f713..2535012 100644
--- a/sources/ifg.in/envvars
+++ b/sources/ifg.in/envvars
@@ -1,3 +1,3 @@
 DISTRIBUTION=Fedora
-DISTRIBUTION_VERSION=36
+DISTRIBUTION_VERSION=37
 SPEC_PACKAGES="ethtool nftables radvd tcpdump"
-- 2.54.0
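Review bot: The `ipv4.routes` literal now repeats three prefixes that ifg.in's nftables.config defines symbolically in the same patch (`OVPN_NET`, `WG_NET`, `PEEP_BO_NET`), and the /16 widening of the peep-bo route had to be hand-edited in both files; the next change to either will drift. At minimum put a comment above the `nmcli connection add` call (which starts outside this hunk) naming the source of truth, e.g. `# keep in sync with OVPN_NET/WG_NET/PEEP_BO_NET in ../data/nftables.config`; better, read the three prefixes from one variable file that both the script and the ruleset consume. The widened route also sends all of 10.162.0.0/16 via 10.228.109.236, so confirm that gateway is meant to carry the whole range and not only 10.162.104.0/24 as before.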