fickit: fix VLAN and do NAT to Internet

This commit is contained in:
nemunaire 2020-01-30 19:08:28 +01:00
parent d45a6841db
commit 3bc8d7064b

View File

@ -47,7 +47,7 @@ onboot:
net: /run/netns/nginx
# - name: frontal-ip-setup # without bonding
# image: linuxkit/ip:v0.7
# command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 172.23.42.254/24 dev eth1; ip a add 163.5.55.58/32 dev eth1; ip link add link eth1 name internet type vlan id 1; ip link set internet up;" ]
# command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 172.23.42.254/24 dev eth1; ip a add 163.5.55.58/32 dev eth1; ip link add link eth1 name internet type vlan id 2; ip link set internet up;" ]
# net: /run/netns/nginx
# runtime:
# interfaces:
@ -57,7 +57,7 @@ onboot:
# - name: eth4
- name: frontal-ip-setup # with bonding
image: linuxkit/ip:v0.7
command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3 eth4; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal; ip link add link bond-frontal name internet type vlan id 1; ip link set internet up;" ]
command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3 eth4; ip a add 172.23.42.254/24 dev bond-frontal; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal; ip link add link bond-frontal name internet type vlan id 2; ip link set internet up; sysctl -w net.ipv4.ip_forward=1;" ]
net: /run/netns/nginx
runtime:
interfaces:
@ -453,6 +453,17 @@ files:
noarp
waitip 4
mode: "0440"
- path: etc/unbound/unbound.d/tmp-user.conf
contents: |
username: ""
mode: "0440"
# - path: etc/unbound/unbound.d/forwarder.conf
# contents: |
# forward-zone:
# name: "."
# forward-addr: 9.9.9.9
# forward-addr: 1.1.1.1
# mode: "0440"
- path: etc/unbound/unbound.d/access-control.conf
contents: |
access-control: 172.23.0.0/16 allow
@ -492,6 +503,13 @@ files:
mode: "0440"
- path: etc/iptables/rules-frontal.v4
contents: |
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o internet -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]