server: fix network issues with wg

This commit is contained in:
nemunaire 2021-02-18 01:15:15 +01:00
parent 758326ff0d
commit 671427649d
1 changed files with 21 additions and 8 deletions


@ -43,7 +43,7 @@ onboot:
# wg-manager
- name: wg-iface-setup
image: linuxkit/ip:v0.8
command: ["/bin/sh", "-c", "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.32.251/24 dev vethin-wg; ip link set vethin-wg up; grep adlin.network=alt /proc/cmdline > /dev/null && ip route add default via 10.224.32.254 || ip route add default via 10.224.32.1; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;" ]
command: ["/bin/sh", "-c", "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.33.251/24 dev vethin-wg; ip link set vethin-wg address 0e:f2:7e:10:58:69; ip link set vethin-wg up; ip route add default via 10.224.33.252; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;" ]
net: new
binds:
- /etc/iptables/rules-wg.v4:/etc/iptables/rules.v4
@ -208,6 +208,8 @@ services:
capabilities:
- all
net: /run/netns/dmzi-wg
binds:
- /etc/resolv.conf:/etc/resolv.conf:ro
- name: ns
image: nemunaire/unbound:ed3ccbb5340aefd48c53a97743fdc6edc7011103-amd64
@ -304,16 +306,18 @@ files:
ip l add br-ext type bridge
ip a add 172.23.255.1/24 dev br-ext;
ip a add 10.224.32.252/24 dev br-ext;
ip a add 10.224.33.252/24 dev br-ext;
ip a add 172.23.0.1/17 dev br-ext;
ip link set eth0 master br-ext;
ip link set veth-login master br-ext;
ip link set veth-wg master br-ext;
ip link set br-ext up;
ip link set veth-login up;
ip link set veth-wg up;
ip link set eth0 up;
grep adlin.network=alt /proc/cmdline > /dev/null &&
ip route add default via 10.224.32.254 ||
ip route add default via 10.224.32.1
ip route add default via 10.224.33.254 ||
ip route add default via 10.224.33.1
/sbin/iptables-restore < /etc/iptables/rules.v4;
mode: "0755"
@ -323,6 +327,7 @@ files:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.arp_ignore = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.netfilter.nf_log_all_netns = 1
mode: "0644"
- path: etc/sysctl.d/00-linuxkit.conf
contents: |
@ -383,10 +388,7 @@ files:
[0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp -d 172.23.0.254 --dport 80 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp ! -s 172.17.0.0/16 -d 172.17.0.15 -j REJECT --reject-with icmp-net-unreachable
[0:0] -A INPUT -i br-ext -p tcp -d 172.17.0.15 --dport 80 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp -d 172.17.0.15 --dport 12912 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp -d 172.23.0.1 --dport 80 -j ACCEPT
[0:0] -A INPUT -p udp --sport 7000 -j DROP
[0:0] -A INPUT -p udp --dport 7000 -j DROP
[0:0] -A INPUT -j LOG
@ -401,6 +403,16 @@ files:
[0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
[0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
[0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
[0:0] -A FORWARD -i br-ext -p icmp -s 172.17.0.0/16 -d 172.17.0.15 -j ACCEPT
[0:0] -A FORWARD -o br-ext -p icmp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
[0:0] -A FORWARD -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 80 -j ACCEPT
[0:0] -A FORWARD -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
[0:0] -A FORWARD -o br-ext -p tcp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
[0:0] -A FORWARD -o br-ext -p udp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
[0:0] -A FORWARD -o br-ext -p icmp -s 10.224.33.251 -j ACCEPT
[0:0] -A FORWARD -i br-ext -p icmp -d 10.224.33.251 -j ACCEPT
[0:0] -A FORWARD -o br-ext -p tcp -s 10.224.33.251 -j ACCEPT
[0:0] -A FORWARD -i br-ext -p tcp -d 10.224.33.251 -j ACCEPT
[0:0] -A FORWARD -j LOG
[0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
COMMIT
@ -413,6 +425,7 @@ files:
interface: 0.0.0.0
interface: ::0
prefer-ip6: no
access-control: 10.224.0.0/16 allow
access-control: 172.23.0.0/16 allow
log-queries: yes
log-replies: yes
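Review bot: The FORWARD rules for 10.224.33.251 in the `@ -401,6 +403,16 @@` hunk accept all TCP in both directions with no port or connection-state restriction (`[0:0] -A FORWARD -i br-ext -p tcp -d 10.224.33.251 -j ACCEPT` and the matching `-o br-ext -p tcp -s 10.224.33.251` line), which is broader than the parallel 172.17.0.15 rules in the same hunk that limit inbound traffic to `--dport 80` and `--dport 12912`; the unrestricted ICMP pair just above them has the same shape. Unless the wg namespace is meant to be reachable on every TCP port from anything on br-ext, narrowing the inbound rule to the ports that namespace actually serves and covering the reply direction with `-m conntrack --ctstate ESTABLISHED,RELATED` would keep the policy consistent with the rest of the table. The rendered page has lost the +/- markers, so which ten of these sixteen lines are the additions is inferred from the hunk counts rather than read directly. These rules live inside a `contents: |` block scalar for the iptables rules file whose start and end lie outside the hunk.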