From f9d2dac21cd545bda4dea8551845d12256d94d40 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Tue, 11 May 2021 13:44:57 +0200
Subject: [PATCH] Updated efg.in (ipv6 implementation, telekom -> ace switch).
---
 sources/efg.pm/config | 2 +-
 .../efg.pm/firstboot/01_setupnetworking.sh | 14 +-
 sources/efg.pm/firstboot/nftables.config | 314 +++++++++++-------
 .../efg.pm/postinstall/install/etc/radvd.conf | 33 ++
 .../postinstall/install/etc/resolv.conf | 3 -
 5 files changed, 231 insertions(+), 135 deletions(-)
 create mode 100644 sources/efg.pm/postinstall/install/etc/radvd.conf
 delete mode 100644 sources/efg.pm/postinstall/install/etc/resolv.conf
diff --git a/sources/efg.pm/config b/sources/efg.pm/config
index 57624be..e40602c 100644
--- a/sources/efg.pm/config
+++ b/sources/efg.pm/config
@@ -21,7 +21,7 @@ lxc.net.2.type = veth
 lxc.net.2.flags = up
 lxc.net.2.link = bre-dev
 lxc.net.2.name = eth2
-lxc.net.2.hwaddr = 02:0c:18:03:89:89
+lxc.net.2.hwaddr = 02:0c:18:03:89:61
 lxc.autodev = 1
diff --git a/sources/efg.pm/firstboot/01_setupnetworking.sh b/sources/efg.pm/firstboot/01_setupnetworking.sh
index d1e7473..f809b4b 100755
--- a/sources/efg.pm/firstboot/01_setupnetworking.sh
+++ b/sources/efg.pm/firstboot/01_setupnetworking.sh
@@ -49,7 +49,11 @@ nmcli connection add \
 ipv4.dns-search "pm.user.hu" \
 ipv4.method "manual" \
 ipv4.routes "10.228.0.0/16 192.168.173.1, 192.168.42.0/24 192.168.173.1, 192.168.43.0/24 192.168.173.1" \
- ipv6.method "auto" \
+ ipv6.addresses "2a02:d400:0000:f2ad:000c:18ff:fe03:adfe/64" \
+ ipv6.dns "2a02:d400:0000:f2ad:000c:18ff:fe03:adae" \
+ ipv6.dns-search "pm.useribm.hu" \
+ ipv6.method "manual" \
+ ipv6.routes "2a02:d400:0000:f268::/64 2a02:d400:0000:f2ad:000c:18ff:fe03:ad01" \
 save yes
 nmcli connection show
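Review bot: The new `ipv6.dns-search "pm.useribm.hu"` on the perimeter connection does not match the `ipv4.dns-search "pm.user.hu"` context line a few lines above it (nor the `search pm.user.hu` line this commit deletes from resolv.conf), so unqualified names would be completed against different domains depending on the address family the resolver picks. If this is a typo, `ipv6.dns-search "pm.user.hu" \` keeps the two consistent; if the second domain is intended, a comment on that line saying so would stop the next reader from "fixing" it. The `nmcli connection add` invocation this hunk edits starts before the hunk.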
@@ -59,7 +63,8 @@ nmcli connection add \
 connection.id telekom \
 connection.interface-name $EXTERNAL_TELEKOM_DEVICE \
 connection.type 802-3-ethernet \
- ipv4.addresses "192.168.65.1/24, 194.149.40.146/28, 194.149.40.147/28, 194.149.40.148/28, 194.149.40.149/28, 194.149.40.150/28" \
+ ipv4.addresses "192.168.65.1/24, 188.6.255.10/30" \
+ ipv4.gateway "188.6.255.9" \
 ipv4.method "manual" \
 ipv6.method "auto" \
 save yes
@@ -74,7 +79,10 @@ nmcli connection add \
 ipv4.addresses "37.220.137.97/28, 37.220.137.98/28, 37.220.137.99/28, 37.220.137.100/28, 37.220.137.101/28" \
 ipv4.gateway "37.220.137.110" \
 ipv4.method "manual" \
- ipv6.method "auto" \
+ ipv6.addresses "2a02:d400:0000:f200:000c:18ff:fe03:8961/64" \
+ ipv6.gateway "2a02:d400:0000:f200::1" \
+ ipv6.method "manual" \
+
 save yes
 nmcli connection show
diff --git a/sources/efg.pm/firstboot/nftables.config b/sources/efg.pm/firstboot/nftables.config
index 73903d1..defad83 100644
--- a/sources/efg.pm/firstboot/nftables.config
+++ b/sources/efg.pm/firstboot/nftables.config
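Review bot: The ace hunk (-74,7 +79,10) adds four lines but only three of them carry an option, and the collapsed text shows a bare `+` between `ipv6.method "manual" \` and the `save yes` context line; if that fourth added line is empty or whitespace-only, the trailing backslash continues onto a blank line and the `nmcli connection add` command ends there, so `save yes` is executed as a separate command that fails, and under `set -e` the firstboot script would stop at that point. Deleting that empty line so `ipv6.method "manual" \` is immediately followed by `save yes` restores the single invocation; the perimeter and telekom hunks in this file do not carry the extra line. The command starts before the hunk, so I cannot see whether anything else in it was touched.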
@@ -20,96 +20,103 @@ define PERIMETER_IF = eth0
 ################################
 # loopback address
-define LOOPBACK_IP = 127.0.0.1
+define LOOPBACK_IPV4 = 127.0.0.1
 # public addresses
-define PUBLIC_ACE_EFG_IP = 37.220.137.97
-define PUBLIC_ACE_MX_IP = 37.220.137.98
-define PUBLIC_ACE_NS_IP = 37.220.137.99
-define PUBLIC_ACE_VPN_IP = 37.220.137.100
-define PUBLIC_ACE_WS_IP = 37.220.137.101
-define PUBLIC_ACE_MINECRAFT_IP = 37.220.137.102
-define PUBLIC_ACE_IP_103 = 37.220.137.103
-define PUBLIC_ACE_IP_104 = 37.220.137.104
-define PUBLIC_ACE_IP_105 = 37.220.137.105
-define PUBLIC_ACE_IP_106 = 37.220.137.106
-define PUBLIC_ACE_IP_107 = 37.220.137.107
-define PUBLIC_ACE_ZFDL360E_IP = 37.220.137.108
-define PUBLIC_ACE_ZFDL380E_IP = 37.220.137.109
-define PUBLIC_TELEKOM_EFG_IP = 194.149.40.146
-define PUBLIC_TELEKOM_MX_IP = 194.149.40.147
-define PUBLIC_TELEKOM_NS_IP = 194.149.40.148
-define PUBLIC_TELEKOM_VPN_IP = 194.149.40.149
-define PUBLIC_TELEKOM_WS_IP = 194.149.40.150
-define PUBLIC_TELEKOM_MINECRAFT_IP = 194.149.40.151
-define PUBLIC_TELEKOM_IP_152 = 194.149.40.152
-define PUBLIC_TELEKOM_IP_153 = 194.149.40.153
-define PUBLIC_TELEKOM_IP_154 = 194.149.40.154
-define PUBLIC_TELEKOM_IP_155 = 194.149.40.155
-define PUBLIC_TELEKOM_IP_156 = 194.149.40.156
-define PUBLIC_TELEKOM_IP_157 = 194.149.40.157
-define PUBLIC_TELEKOM_DL380E_IP = 194.149.40.158
+define PUBLIC_ACE_EFG_IPV4 = 37.220.137.97
+define PUBLIC_ACE_EFG_IPV6 = 2a02:d400:0000:f200:000c:18ff:fe03:8961
+define PUBLIC_ACE_MX_IPV4 = 37.220.137.98
+define PUBLIC_ACE_NS_IPV4 = 37.220.137.99
+define PUBLIC_ACE_VPN_IPV4 = 37.220.137.100
+define PUBLIC_ACE_WS_IPV4 = 37.220.137.101
+define PUBLIC_ACE_MINECRAFT_IPV4 = 37.220.137.102
+define PUBLIC_ACE_IPV4_103 = 37.220.137.103
+define PUBLIC_ACE_IPV4_104 = 37.220.137.104
+define PUBLIC_ACE_IPV4_105 = 37.220.137.105
+define PUBLIC_ACE_IPV4_106 = 37.220.137.106
+define PUBLIC_ACE_IPV4_107 = 37.220.137.107
+define PUBLIC_ACE_ZFDL360E_IPV4 = 37.220.137.108
+define PUBLIC_ACE_ZFDL380E_IPV4 = 37.220.137.109
+define PUBLIC_TELEKOM_EFG_IPV4 = 188.6.255.10
+define PUBLIC_TELEKOM_MX_IPV4 = 194.149.40.147
+define PUBLIC_TELEKOM_NS_IPV4 = 194.149.40.148
+define PUBLIC_TELEKOM_VPN_IPV4 = 194.149.40.149
+define PUBLIC_TELEKOM_WS_IPV4 = 194.149.40.150
+define PUBLIC_TELEKOM_MINECRAFT_IPV4 = 194.149.40.151
+define PUBLIC_TELEKOM_IPV4_152 = 194.149.40.152
+define PUBLIC_TELEKOM_IPV4_153 = 194.149.40.153
+define PUBLIC_TELEKOM_IPV4_154 = 194.149.40.154
+define PUBLIC_TELEKOM_IPV4_155 = 194.149.40.155
+define PUBLIC_TELEKOM_IPV4_156 = 194.149.40.156
+define PUBLIC_TELEKOM_IPV4_157 = 194.149.40.157
+define PUBLIC_TELEKOM_DL380E_IPV4 = 194.149.40.158
 # efg address (perimeter network)
-define EFG_PERIMETER_IP = 192.168.173.254
+define EFG_PERIMETER_IPV4 = 192.168.173.254
+define EFG_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adfe
 # transfer web server address (perimeter network)
-define XFR_PERIMETER_IP = 192.168.173.251
+define XFR_PERIMETER_IPV4 = 192.168.173.251
 # web server address (perimeter network)
-define WS_PERIMETER_IP = 192.168.173.249
+define WS_PERIMETER_IPV4 = 192.168.173.249
 # perimeter name server address (perimeter network)
-define PNS_PERIMETER_IP = 192.168.173.174
+define PNS_PERIMETER_IPV4 = 192.168.173.174
+define PNS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adae
 # external name server address (perimeter network)
-define ENS_PERIMETER_IP = 192.168.173.64
+define ENS_PERIMETER_IPV4 = 192.168.173.64
+define ENS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad40
 # ifg address (perimeter network)
-define IFG_PERIMETER_IP = 192.168.173.1
+define IFG_PERIMETER_IPV4 = 192.168.173.1
+define IFG_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad01
 # dvredmine address (internal network)
-define DVREDMINE_INTERNAL_IP = 10.228.62.193
+define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
 # minicrm address (internal network)
-define MINICRM_INTERNAL_IP = 10.228.109.133
+define MINICRM_INTERNAL_IPV4 = 10.228.109.133
 # store address (internal network)
-define STORE_INTERNAL_IP = 10.228.109.250
+define STORE_INTERNAL_IPV4 = 10.228.109.250
 # service address (internal network)
-define SVC_INTERNAL_IP = 10.228.109.253
+define SVC_INTERNAL_IPV4 = 10.228.109.253
 # vpn address (internal network)
-define VPN_INTERNAL_IP = 10.228.109.236
+define VPN_INTERNAL_IPV4 = 10.228.109.236
 # primary name server address (internal network)
-define PNS_INTERNAL_IP = 10.228.109.174
+define PNS_INTERNAL_IPV4 = 10.228.109.174
 # internal name server address (internal network)
-define INS_INTERNAL_IP = 10.228.109.104
+define INS_INTERNAL_IPV4 = 10.228.109.104
 # worksheet address (internal network)
-define WORKSHEET_SR_IP = 192.168.42.248
+define WORKSHEET_SR_IPV4 = 192.168.42.248
 ################################
 # network definitions
 ################################
 # internal networks
-define USR_NET = 10.228.0.0/16
-define SR_NET = 192.168.42.0/24
-define IN_NET = 192.168.43.0/24
-define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+define USR_IPV4_NET = 10.228.0.0/16
+define SR_IPV4_NET = 192.168.42.0/24
+define IN_IPV4_NET = 192.168.43.0/24
+define INTERNAL_IPV4_NETS = { $USR_IPV4_NET, $SR_IPV4_NET, $IN_IPV4_NET }
+define INTERNAL_IPV6_NET = 2a02:d400:0000:f268::/64
 # perimeter network
-define PERIMETER_NET = 192.168.173.0/24
+define PERIMETER_IPV4_NET = 192.168.173.0/24
+define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64
 # vpn client network
-define VPN_NET = 172.16.223.0/24
+define VPN_IPV4_NET = 172.16.223.0/24
 # peep-bo network
-define PEEP_BO_NET = 10.162.104.0/24
+define PEEP_BO_IPV4_NET = 10.162.104.0/24
 ################################
 # port definitions
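Review bot: `PUBLIC_TELEKOM_EFG_IPV4` is moved to 188.6.255.10 to follow the new telekom `ipv4.addresses "192.168.65.1/24, 188.6.255.10/30"` in 01_setupnetworking.sh, but `PUBLIC_TELEKOM_MX_IPV4`, `PUBLIC_TELEKOM_NS_IPV4`, `PUBLIC_TELEKOM_VPN_IPV4` and `PUBLIC_TELEKOM_WS_IPV4` keep 194.149.40.147-150, the very addresses that same shell hunk removes from the interface. Unless those addresses are still assigned somewhere outside this patch, the telekom DNAT rules in the prerouting hunk can no longer match, and the postrouting rules `counter snat $PUBLIC_TELEKOM_VPN_IPV4`, `counter snat $PUBLIC_TELEKOM_NS_IPV4` and `counter snat $PUBLIC_TELEKOM_WS_IPV4` will source outgoing VPN, DNS and web traffic from addresses the host no longer owns, so replies never return and the upstream may drop the packets as spoofed. Either point those four defines at an address inside the new /30, or, if the commit title's "telekom -> ace switch" means the telekom link is being retired, drop the telekom DNAT/SNAT rules, and in both cases add a comment next to the 194.149.40.x block recording that it is no longer configured on the interface.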
@@ -143,53 +150,53 @@ create chain ip6 efg_filter output { type filter hook output priority 0; policy
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF \
- ip daddr $PUBLIC_ACE_VPN_IP udp dport 1194 \
- counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (ACE)"
+ ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (ACE)"
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_TELEKOM_IF \
- ip daddr $PUBLIC_TELEKOM_VPN_IP udp dport 1194 \
- counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (TELEKOM)"
+ ip daddr $PUBLIC_TELEKOM_VPN_IPV4 udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (TELEKOM)"
 #add rule ip efg_nat prerouting \
 # iifname $EXTERNAL_ACE_IF \
-# ip daddr $PUBLIC_ACE_MX_IP tcp dport $MX_PORTS \
-# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+# ip daddr $PUBLIC_ACE_MX_IPV4 tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
 #add rule ip efg_nat prerouting \
 # iifname $EXTERNAL_TELEKOM_IF \
-# ip daddr $PUBLIC_TELEKOM_MX_IP tcp dport $MX_PORTS \
-# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+# ip daddr $PUBLIC_TELEKOM_MX_IPV4 tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IP udp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+ ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_NS_IP udp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+ ip daddr $PUBLIC_TELEKOM_NS_IPV4 udp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IP tcp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+ ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_NS_IP tcp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+ ip daddr $PUBLIC_TELEKOM_NS_IPV4 tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_WS_IP tcp dport $WS_PORTS \
- counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+ ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
 add rule ip efg_nat prerouting \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_WS_IP tcp dport $WS_PORTS \
- counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+ ip daddr $PUBLIC_TELEKOM_WS_IPV4 tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
 ################################
@@ -198,13 +205,35 @@ add rule ip efg_nat prerouting \
 add rule ip efg_filter input \
 ct state established \
- iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IP udp sport 53 \
- ip daddr $EFG_PERIMETER_IP udp dport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport 53 \
+ ip daddr $EFG_PERIMETER_IPV4 udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+add rule ip6 efg_filter input \
+ ct state established \
+ iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport 53 \
+ ip6 daddr $EFG_PERIMETER_IPV6 udp dport 1024-65535 \
 counter accept comment "DNS replies"
 add rule ip efg_filter input \
 ip protocol icmp \
 counter accept comment "ICMP"
+add rule inet efg_filter input \
+ icmpv6 type { destination-unreachable, \
+ echo-reply, \
+ echo-request, \
+ mld-listener-done, \
+ mld-listener-query, \
+ mld-listener-report, \
+ nd-redirect, \
+ nd-router-solicit, \
+ nd-router-advert, \
+ nd-neighbor-solicit, \
+ nd-neighbor-advert, \
+ packet-too-big, \
+ parameter-problem, \
+ router-renumbering, \
+ time-exceeded } \
+ counter accept comment "ICMPv6"
 add rule ip efg_filter input \
 ip protocol gre \
@@ -212,7 +241,6 @@ add rule ip efg_filter input \
 add rule ip efg_filter input \
 counter log prefix "INPUT"
-
 add rule ip6 efg_filter input \
 counter log prefix "INPUT"
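Review bot: The new ICMPv6 accept goes into `inet efg_filter input`, while every other rule in this file, including the `ip6 efg_filter input` DNS-replies rule added a few lines earlier, lives in the `ip` or `ip6` family, and no `inet efg_filter` table is created anywhere in the visible hunks. If that table does not exist the load fails at `add rule inet efg_filter input \`; if it exists elsewhere, the rule is evaluated in a separate table and the same ND/RA/MLD packets still have to pass `ip6 efg_filter input`, where nothing in this hunk accepts them before the `counter log prefix "INPUT"` fall-through, so neighbour discovery on every interface depends on that chain's policy. Changing the line to `add rule ip6 efg_filter input \` puts the accept where the ip6 policy is applied; the `add rule inet efg_filter output \` rule in the later output hunk has the same problem. Separately, the type set admits `router-renumbering` and `nd-router-advert` from any interface; a defender would drop `router-renumbering` outright and constrain RAs with `iifname` to the links where a router is expected.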
@@ -224,165 +252,174 @@ add rule ip6 efg_filter input \
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+ oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
+ counter accept comment "Established sessions (ACE)"
+add rule ip6 efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_ACE_IF \
+ oifname $PERIMETER_IF ip6 daddr $INTERNAL_IPV6_NET \
 counter accept comment "Established sessions (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+ oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
 counter accept comment "Established sessions (TELEKOM)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+ iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
+ oifname $EXTERNAL_ACE_IF \
+ counter accept comment "Internet access (ACE)"
+add rule ip6 efg_filter forward \
+ iifname $PERIMETER_IF ip6 saddr $INTERNAL_IPV6_NET \
 oifname $EXTERNAL_ACE_IF \
 counter accept comment "Internet access (ACE)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+ iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
 oifname $EXTERNAL_TELEKOM_IF \
 counter accept comment "Internet access (TELEKOM)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
 counter accept comment "Incoming VPN traffic (ACE)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
 counter accept comment "Incoming VPN traffic (TELEKOM)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
 counter accept comment "Incoming http(s) requests (ACE)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
 counter accept comment "Incoming http(s) requests (TELEKOM)"
 add rule ip efg_filter forward \
 ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
 oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing http(s) replies (ACE)"
 add rule ip efg_filter forward \
 ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing http(s) replies (TELEKOM)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
 counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
 counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
 add rule ip efg_filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
 oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (udp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
 oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
 counter accept comment "Incoming DNS requests (tcp) (ACE)"
 add rule ip efg_filter forward \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
 counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
 add rule ip efg_filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
 oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (tcp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
 oifname $EXTERNAL_ACE_IF udp dport 53 \
 counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
 counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_ACE_IF udp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (udp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
 oifname $EXTERNAL_ACE_IF tcp dport 53 \
 counter accept comment "Outgoing DNS requests (tcp) (ACE)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
 counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_ACE_IF tcp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (tcp) (ACE)"
 add rule ip efg_filter forward \
 ct state established, related \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
 oifname $EXTERNAL_ACE_IF tcp dport $WS_PORTS \
 counter accept comment "Outgoing let's encrypt requests (ACE)"
 add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
 oifname $EXTERNAL_TELEKOM_IF tcp dport $WS_PORTS \
 counter accept comment "Outgoing let's encrypt requests (TELEKOM)"
 add rule ip efg_filter forward \
 ct state established \
 iifname $EXTERNAL_ACE_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
 counter accept comment "Incoming let's encrypt replies (ACE)"
 add rule ip efg_filter forward \
 ct state established \
 iifname $EXTERNAL_TELEKOM_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
 counter accept comment "Incoming let's encrypt replies (TELEKOM)"
 add rule ip efg_filter forward \
@@ -402,17 +439,38 @@ add rule ip6 efg_filter forward \
 add rule ip efg_filter output \
 ct state new \
- ip saddr $EFG_PERIMETER_IP udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IP udp dport 53 \
+ ip saddr $EFG_PERIMETER_IPV4 udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport 53 \
+ counter accept comment "DNS requests"
+add rule ip6 efg_filter output \
+ ct state new \
+ ip6 saddr $EFG_PERIMETER_IPV6 udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport 53 \
 counter accept comment "DNS requests"
 add rule ip efg_filter output \
 ip protocol icmp \
 counter accept comment "ICMP"
+add rule inet efg_filter output \
+ icmpv6 type { destination-unreachable, \
+ echo-reply, \
+ echo-request, \
+ mld-listener-done, \
+ mld-listener-query, \
+ mld-listener-report, \
+ nd-redirect, \
+ nd-router-solicit, \
+ nd-router-advert, \
+ nd-neighbor-solicit, \
+ nd-neighbor-advert, \
+ packet-too-big, \
+ parameter-problem, \
+ router-renumbering, \
+ time-exceeded } \
+ counter accept comment "ICMPv6"
 add rule ip efg_filter output \
 counter log prefix "OUTPUT"
-
 add rule ip6 efg_filter output \
 counter log prefix "OUTPUT"
@@ -422,49 +480,49 @@ add rule ip6 efg_filter output \
 ################################
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IP \
- counter snat $PUBLIC_ACE_VPN_IP comment "Outgoing VPN traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IPV4 \
+ counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic (ACE)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $VPN_INTERNAL_IP \
- counter snat $PUBLIC_TELEKOM_VPN_IP comment "Outgoing VPN traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $VPN_INTERNAL_IPV4 \
+ counter snat $PUBLIC_TELEKOM_VPN_IPV4 comment "Outgoing VPN traffic (TELEKOM)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_NETS \
- counter snat $PUBLIC_ACE_EFG_IP comment "Outgoing internal traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
+ counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic (ACE)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_NETS \
- counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing internal traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_IPV4_NETS \
+ counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing internal traffic (TELEKOM)"
 #add rule ip efg_nat postrouting \
-# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IP \
-# counter snat $PUBLIC_ACE_MX_IP comment "Outgoing MX traffic (ACE)"
+# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IPV4 \
+# counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic (ACE)"
 #add rule ip efg_nat postrouting \
-# oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IP \
-# counter snat $PUBLIC_TELEKOM_MX_IP comment "Outgoing MX traffic (TELEKOM)"
+# oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IPV4 \
+# counter snat $PUBLIC_TELEKOM_MX_IPV4 comment "Outgoing MX traffic (TELEKOM)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IP \
- counter snat $PUBLIC_ACE_NS_IP comment "Outgoing external DNS traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic (ACE)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_NS_IP comment "Outgoing external DNS traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_TELEKOM_NS_IPV4 comment "Outgoing external DNS traffic (TELEKOM)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IP \
- counter snat $PUBLIC_ACE_EFG_IP comment "Outgoing perimeter DNS traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic (ACE)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing perimeter DNS traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing perimeter DNS traffic (TELEKOM)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IP \
- counter snat $PUBLIC_ACE_WS_IP comment "Outgoing WS traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic (ACE)"
 add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_WS_IP comment "Outgoing WS traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_TELEKOM_WS_IPV4 comment "Outgoing WS traffic (TELEKOM)"
diff --git a/sources/efg.pm/postinstall/install/etc/radvd.conf b/sources/efg.pm/postinstall/install/etc/radvd.conf
new file mode 100644
index 0000000..f225031
--- /dev/null
+++ b/sources/efg.pm/postinstall/install/etc/radvd.conf
@@ -0,0 +1,33 @@
+interface eth0
+{
+ AdvSendAdvert on;
+
+ prefix 2a02:d400:0000:f2ad::/64
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+ };
+
+ route ::/0
+ {
+ };
+};
+
+interface eth2
+{
+ AdvSendAdvert on;
+
+ prefix 2a02:d400:0000:f200::/64
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+ };
+
+ route 2a02:d400:0000:f2ad::/64
+ {
+ };
+
+ route 2a02:d400:0000:f268::/64
+ {
+ };
+};
diff --git a/sources/efg.pm/postinstall/install/etc/resolv.conf b/sources/efg.pm/postinstall/install/etc/resolv.conf
deleted file mode 100644
index 1a69e03..0000000
--- a/sources/efg.pm/postinstall/install/etc/resolv.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-nameserver 192.168.173.174
-domain pm.user.hu
-search pm.user.hu
--
2.54.0
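Review bot: The `interface eth2` stanza turns on `AdvSendAdvert` with an autonomous f200::/64 prefix; the config hunk binds hwaddr 02:0c:18:03:89:61 to eth2 and the ace connection in 01_setupnetworking.sh uses the matching EUI-64 address 2a02:d400:0000:f200:000c:18ff:fe03:8961 with gateway 2a02:d400:0000:f200::1, so eth2 appears to be the external ACE link, and this host would announce itself as a router plus the `route` entries for f2ad::/64 and f268::/64 to everything else on that upstream segment. Unless the provider has explicitly asked for RAs on that link, reachability for those prefixes belongs in the upstream router's static routing and the eth2 stanza should go; if it must stay, `AdvDefaultLifetime 0;` keeps it from being chosen as a default router. On eth0 the `route ::/0 { };` block appears redundant with the default-router lifetime the RA already carries, and a comment above the prefix block stating that perimeter hosts are expected to SLAAC while the PNS/ENS/IFG addresses from nftables.config are fixed would document the intended split.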