fickit: fix VLAN and do NAT to Internet

2020-01-30 19:08:28 +01:00 · 2020-01-30 19:08:28 +01:00 · 3bc8d7064b
commit 3bc8d7064b
parent d45a6841db
1 changed files with 20 additions and 2 deletions
--- a/fickit-frontend.yml
+++ b/fickit-frontend.yml
@ -47,7 +47,7 @@ onboot:
        net: /run/netns/nginx
 #  - name: frontal-ip-setup # without bonding
 #    image: linuxkit/ip:v0.7
-#    command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 172.23.42.254/24 dev eth1; ip a add 163.5.55.58/32 dev eth1; ip link add link eth1 name internet type vlan id 1; ip link set internet up;" ]
+#    command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 172.23.42.254/24 dev eth1; ip a add 163.5.55.58/32 dev eth1; ip link add link eth1 name internet type vlan id 2; ip link set internet up;" ]
 #    net: /run/netns/nginx
 #    runtime:
 #      interfaces:
@ -57,7 +57,7 @@ onboot:
 #        - name: eth4
  - name: frontal-ip-setup # with bonding
    image: linuxkit/ip:v0.7
-    command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3 eth4; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal; ip link add link bond-frontal name internet type vlan id 1; ip link set internet up;" ]
+    command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3 eth4; ip a add 172.23.42.254/24 dev bond-frontal; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal; ip link add link bond-frontal name internet type vlan id 2; ip link set internet up; sysctl -w net.ipv4.ip_forward=1;" ]
    net: /run/netns/nginx
    runtime:
      interfaces:
@ -453,6 +453,17 @@ files:
      noarp
      waitip 4
    mode: "0440"
  - path: etc/unbound/unbound.d/tmp-user.conf
    contents: |
        username: ""
    mode: "0440"
 #  - path: etc/unbound/unbound.d/forwarder.conf
 #    contents: |
 #        forward-zone:
 #          name: "."
 #          forward-addr: 9.9.9.9
 #          forward-addr: 1.1.1.1
 #    mode: "0440"
  - path: etc/unbound/unbound.d/access-control.conf
    contents: |
        access-control: 172.23.0.0/16 allow
@ -492,6 +503,13 @@ files:
    mode: "0440"
  - path: etc/iptables/rules-frontal.v4
    contents: |
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      [0:0] -A POSTROUTING -o internet -j MASQUERADE
      COMMIT
      *filter
      :INPUT DROP [0:0]
      :FORWARD ACCEPT [0:0]