2021 server
This commit is contained in:
parent
71b0a396c3
commit
eb4bef9753
68
server.yml
68
server.yml
|
|
@ -1,7 +1,8 @@
|
|||
kernel:
|
||||
image: linuxkit/kernel:5.4.19
|
||||
# cmdline: "console=tty0 console=ttyS0"
|
||||
cmdline: "console=tty0 adlin.network=alt"
|
||||
# cmdline: "console=tty0 adlin.network=alt"
|
||||
cmdline: "console=tty0"
|
||||
|
||||
init:
|
||||
- linuxkit/init:a4fcf333298f644dfac6adf680b83140927aa85e
|
||||
|
|
@ -37,7 +38,25 @@ onboot:
|
|||
bindNS:
|
||||
net: /run/netns/login
|
||||
|
||||
# Network: DMZ ####################################################
|
||||
# Network: internet DMZ ###########################################
|
||||
|
||||
# wg-manager
|
||||
- name: wg-iface-setup
|
||||
image: linuxkit/ip:v0.7
|
||||
command: ["/bin/sh", "-c", "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.32.251/24 dev vethin-wg; ip link set vethin-wg up; grep adlin.network=alt /proc/cmdline > /dev/null && ip route add default via 10.224.32.254 || ip route add default via 10.224.32.1; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;" ]
|
||||
net: new
|
||||
binds:
|
||||
- /etc/iptables/rules-wg.v4:/etc/iptables/rules.v4
|
||||
- /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: vethin-wg
|
||||
add: veth
|
||||
peer: veth-wg
|
||||
bindNS:
|
||||
net: /run/netns/dmzi-wg
|
||||
|
||||
# Network: services DMZ ###########################################
|
||||
|
||||
# token-validator
|
||||
- name: validator-iface-setup
|
||||
|
|
@ -184,9 +203,10 @@ services:
|
|||
|
||||
- name: wg
|
||||
image: nemunaire/wg-manager:a2c7f6c737d968ba8ef79c9b95ce29d707036d28
|
||||
command: ["/bin/wg-manager", "-bind=172.17.0.15:81" ]
|
||||
command: ["/bin/wg-manager", "-bind=:80" ]
|
||||
capabilities:
|
||||
- all
|
||||
net: /run/netns/dmzi-wg
|
||||
|
||||
- name: ns
|
||||
image: nemunaire/unbound:ed3ccbb5340aefd48c53a97743fdc6edc7011103-amd64
|
||||
|
|
@ -282,7 +302,6 @@ files:
|
|||
|
||||
ip l add br-ext type bridge
|
||||
ip a add 172.23.255.1/24 dev br-ext;
|
||||
ip a add 172.17.0.15/16 dev br-ext;
|
||||
ip a add 10.224.32.252/24 dev br-ext;
|
||||
ip a add 172.23.0.1/17 dev br-ext;
|
||||
ip link set eth0 master br-ext;
|
||||
|
|
@ -294,14 +313,13 @@ files:
|
|||
ip route add default via 10.224.32.254 ||
|
||||
ip route add default via 10.224.32.1
|
||||
|
||||
wg-quick up wg0
|
||||
|
||||
/sbin/iptables-restore < /etc/iptables/rules.v4;
|
||||
mode: "0755"
|
||||
|
||||
- path: etc/sysctl.d/99-ipfwd.conf
|
||||
- path: etc/sysctl.d/99-adlin-net.conf
|
||||
contents: |
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv4.conf.all.arp_ignore = 2
|
||||
net.ipv6.conf.all.disable_ipv6 = 1
|
||||
mode: "0644"
|
||||
- path: etc/sysctl.d/00-linuxkit.conf
|
||||
|
|
@ -354,7 +372,7 @@ files:
|
|||
COMMIT
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
[0:0] -A INPUT -i lo -j ACCEPT
|
||||
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
|
|
@ -363,12 +381,14 @@ files:
|
|||
[0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 81 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p tcp -d 172.23.0.254 --dport 80 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p tcp ! -s 172.17.0.0/16 -d 172.17.0.15 -j REJECT --reject-with icmp-net-unreachable
|
||||
[0:0] -A INPUT -i br-ext -p tcp -d 172.17.0.15 --dport 80 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p udp -d 172.17.0.15 --dport 12912 -j ACCEPT
|
||||
[0:0] -A INPUT -p udp --sport 7000 -j DROP
|
||||
[0:0] -A INPUT -p udp --dport 7000 -j DROP
|
||||
[0:0] -A INPUT -j LOG
|
||||
[0:0] -A INPUT -j REJECT --reject-with icmp-port-unreachable
|
||||
[0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT
|
||||
[0:0] -A FORWARD -o wg0 -i br-ext -j ACCEPT
|
||||
[0:0] -A FORWARD -i br-int -j ACCEPT
|
||||
|
|
@ -380,6 +400,7 @@ files:
|
|||
[0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
|
||||
[0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
|
||||
[0:0] -A FORWARD -j LOG
|
||||
[0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
|
||||
COMMIT
|
||||
mode: "0440"
|
||||
|
||||
|
|
@ -446,8 +467,7 @@ files:
|
|||
#gzip on;
|
||||
resolver 9.9.9.9;
|
||||
server {
|
||||
listen 80 default;
|
||||
listen [::]:80 default;
|
||||
listen 172.23.0.1:80 default;
|
||||
location = /{
|
||||
return 403;
|
||||
}
|
||||
|
|
@ -729,6 +749,26 @@ files:
|
|||
Address = 172.23.191.254/18
|
||||
mode: "0644"
|
||||
|
||||
- path: etc/iptables/rules-wg.v4
|
||||
contents: |
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
[0:0] -A POSTROUTING -o vethin-wg ! -d 172.17.0.0/16 -j MASQUERADE
|
||||
COMMIT
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
[0:0] -A FORWARD -i wg0 -o vethin-wg -j ACCEPT
|
||||
[0:0] -A FORWARD -o wg0 -i vethin-wg -j ACCEPT
|
||||
[0:0] -A FORWARD -j LOG
|
||||
[0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
|
||||
COMMIT
|
||||
mode: "0440"
|
||||
|
||||
- path: srv/tftp
|
||||
directory: true
|
||||
mode: "0755"
|
||||
|
|
@ -777,7 +817,7 @@ files:
|
|||
mode: "0755"
|
||||
|
||||
- path: srv/tftp/bzImage
|
||||
source: challenge-kernel
|
||||
source: /var/tftp/adlin/bzImage
|
||||
mode: "0644"
|
||||
- path: srv/tftp/login-initrd.img
|
||||
source: tftp/login-initrd.img
|
||||
|
|
|
|||
Reference in New Issue