server: reduce network setup complexity

This commit is contained in:
nemunaire 2020-02-24 10:05:27 +01:00
parent 9cd10dbc7d
commit bfbd94af19


@ -37,22 +37,6 @@ onboot:
bindNS:
net: /run/netns/login
# Network: exposed ################################################
# VLAN7, path to internet
- name: netvlan-iface-setup
image: linuxkit/ip:v0.6
command: ["/bin/sh", "-c", "ip link add link eth0 name eth0.7 type vlan id 7; ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
# Bridge between std LAN, PXE LAN services (login-validator) and default route (as it uses the same wire)
- name: bridge-ext-setup
image: linuxkit/ip:v0.6
command: ["/bin/sh", "-c", "ip a add 172.23.255.1/24 dev br-ext; ip a add 172.17.0.16/16 dev br-ext; ip a add 10.224.32.252/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-login master br-ext; ip link set br-ext up; ip link set veth-login up; ip link set eth0 up; ip route add default via 10.224.32.1;" ]
runtime:
interfaces:
- name: br-ext
add: bridge
# Network: DMZ ####################################################
# token-validator
@ -107,20 +91,9 @@ onboot:
bindNS:
net: /run/netns/dmz-mail
# Bridge for DMZ services
- name: bridge-int-setup
image: linuxkit/ip:v0.6
command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-validator master br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
runtime:
interfaces:
- name: br-int
add: bridge
# Network: exposed ################################################
- name: fw
image: linuxkit/ip:v0.6
command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4" ]
binds:
- /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro
# See etc/init.d/011-adlin instead
services:
- name: rngd
@ -281,23 +254,39 @@ files:
echo nameserver 172.23.200.2 > /etc/resolv.conf
mode: "0755"
# - path: etc/init.d/011-adlin
# contents: |
# #!/bin/sh
# ip route add default via 172.17.0.1
# /sbin/sysctl -w net.ipv4.ip_forward=1
# echo nameserver 8.8.8.8 > /etc/resolv.conf
# mkdir /tmp/newroot
# mount -t tmpfs none /tmp/newroot
# mkdir /tmp/newroot/etc
# cp -r /etc/apk /tmp/newroot/etc
# apk add --no-cache --initdb -p /tmp/newroot iptables nftables
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade
# mode: "0755"
- path: etc/init.d/011-adlin-net
contents: |
#!/bin/sh
ip l add br-int type bridge
ip a add 172.23.200.254/24 dev br-int;
ip link set veth-validator master br-int;
ip link set veth-ns master br-int;
ip link set veth-time master br-int;
ip link set veth-mail master br-int;
ip link set br-int up;
ip link set veth-validator up;
ip link set veth-ns up;
ip link set veth-time up;
ip link set veth-mail up;
ip l add br-ext type bridge
ip a add 172.23.255.1/24 dev br-ext;
ip a add 172.17.0.15/16 dev br-ext;
ip a add 10.224.32.252/24 dev br-ext;
ip a add 172.23.0.1/17 dev br-ext;
ip link set eth0 master br-ext;
ip link set veth-login master br-ext;
ip link set br-ext up;
ip link set veth-login up;
ip link set eth0 up;
grep adlin.network=alt /proc/cmdline > /dev/null &&
ip route add default via 10.224.32.254 ||
ip route add default via 10.224.32.1
wg-quick up wg0
/sbin/iptables-restore < /etc/iptables/rules.v4;
mode: "0755"
- path: etc/sysctl.d/99-ipfwd.conf
contents: |
@ -360,15 +349,17 @@ files:
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[0:0] -A INPUT -p icmp -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i br-ext -m tcp --dport ssh -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 81 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
[0:0] -A INPUT -p udp --sport 7000 -j DROP
[0:0] -A INPUT -p udp --dport 7000 -j DROP
[0:0] -A INPUT -j LOG
[0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT
[0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT
[0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT
[0:0] -A FORWARD -o wg0 -i br-ext -j ACCEPT
[0:0] -A FORWARD -i br-int -j ACCEPT
[0:0] -A FORWARD -o br-int -j ACCEPT
[0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
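Review bot: In the new `etc/init.d/011-adlin-net` block scalar, `/sbin/iptables-restore < /etc/iptables/rules.v4` is the last command, so br-ext, eth0, the default route and wg0 (via `wg-quick up wg0`) are all up before a single filter rule is loaded; restoring the ruleset first closes that window, and iptables accepts `-i`/`-o` names for interfaces that do not exist yet. The route selection `grep adlin.network=alt /proc/cmdline > /dev/null && ip route add default via 10.224.32.254 || ip route add default via 10.224.32.1` also runs the fallback whenever the first `ip route add` fails even though the kernel parameter matched; an `if`/`else` makes the intended behaviour unambiguous. Unlike the removed `fw` onboot container, the script now relies on `iptables-restore` being present in the host image at `/sbin`, which seems worth confirming since the commented-out `011-adlin` block this commit deletes was installing iptables into a tmpfs root. The `rules.v4` hunk is consistent with the br-ext address change to 172.17.0.15.
```yaml
- path: etc/init.d/011-adlin-net
  contents: |
    #!/bin/sh
    # Load the firewall before any interface or route comes up, so eth0/br-ext
    # are never reachable unfiltered; iptables accepts not-yet-existing ifnames.
    /sbin/iptables-restore < /etc/iptables/rules.v4
    # … unchanged: br-int and br-ext creation, master/up commands …
    if grep -q adlin.network=alt /proc/cmdline; then
      ip route add default via 10.224.32.254
    else
      ip route add default via 10.224.32.1
    fi
    wg-quick up wg0
  mode: "0755"
```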