2021 server

This commit is contained in:
nemunaire 2020-03-27 13:12:21 +01:00
parent 71b0a396c3
commit eb4bef9753

View File

@ -1,7 +1,8 @@
kernel:
image: linuxkit/kernel:5.4.19
# cmdline: "console=tty0 console=ttyS0"
cmdline: "console=tty0 adlin.network=alt"
# cmdline: "console=tty0 adlin.network=alt"
cmdline: "console=tty0"
init:
- linuxkit/init:a4fcf333298f644dfac6adf680b83140927aa85e
@ -37,7 +38,25 @@ onboot:
bindNS:
net: /run/netns/login
# Network: DMZ ####################################################
# Network: internet DMZ ###########################################
# wg-manager
- name: wg-iface-setup
image: linuxkit/ip:v0.7
command: ["/bin/sh", "-c", "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.32.251/24 dev vethin-wg; ip link set vethin-wg up; grep adlin.network=alt /proc/cmdline > /dev/null && ip route add default via 10.224.32.254 || ip route add default via 10.224.32.1; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;" ]
net: new
binds:
- /etc/iptables/rules-wg.v4:/etc/iptables/rules.v4
- /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf
runtime:
interfaces:
- name: vethin-wg
add: veth
peer: veth-wg
bindNS:
net: /run/netns/dmzi-wg
# Network: services DMZ ###########################################
# token-validator
- name: validator-iface-setup
@ -184,9 +203,10 @@ services:
- name: wg
image: nemunaire/wg-manager:a2c7f6c737d968ba8ef79c9b95ce29d707036d28
command: ["/bin/wg-manager", "-bind=172.17.0.15:81" ]
command: ["/bin/wg-manager", "-bind=:80" ]
capabilities:
- all
net: /run/netns/dmzi-wg
- name: ns
image: nemunaire/unbound:ed3ccbb5340aefd48c53a97743fdc6edc7011103-amd64
@ -282,7 +302,6 @@ files:
ip l add br-ext type bridge
ip a add 172.23.255.1/24 dev br-ext;
ip a add 172.17.0.15/16 dev br-ext;
ip a add 10.224.32.252/24 dev br-ext;
ip a add 172.23.0.1/17 dev br-ext;
ip link set eth0 master br-ext;
@ -294,14 +313,13 @@ files:
ip route add default via 10.224.32.254 ||
ip route add default via 10.224.32.1
wg-quick up wg0
/sbin/iptables-restore < /etc/iptables/rules.v4;
mode: "0755"
- path: etc/sysctl.d/99-ipfwd.conf
- path: etc/sysctl.d/99-adlin-net.conf
contents: |
net.ipv4.ip_forward = 1
net.ipv4.conf.all.arp_ignore = 2
net.ipv6.conf.all.disable_ipv6 = 1
mode: "0644"
- path: etc/sysctl.d/00-linuxkit.conf
@ -354,7 +372,7 @@ files:
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
@ -363,12 +381,14 @@ files:
[0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 81 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp -d 172.23.0.254 --dport 80 -j ACCEPT
[0:0] -A INPUT -i br-ext -p tcp ! -s 172.17.0.0/16 -d 172.17.0.15 -j REJECT --reject-with icmp-net-unreachable
[0:0] -A INPUT -i br-ext -p tcp -d 172.17.0.15 --dport 80 -j ACCEPT
[0:0] -A INPUT -i br-ext -p udp -d 172.17.0.15 --dport 12912 -j ACCEPT
[0:0] -A INPUT -p udp --sport 7000 -j DROP
[0:0] -A INPUT -p udp --dport 7000 -j DROP
[0:0] -A INPUT -j LOG
[0:0] -A INPUT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT
[0:0] -A FORWARD -o wg0 -i br-ext -j ACCEPT
[0:0] -A FORWARD -i br-int -j ACCEPT
@ -380,6 +400,7 @@ files:
[0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
[0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
[0:0] -A FORWARD -j LOG
[0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
COMMIT
mode: "0440"
@ -446,8 +467,7 @@ files:
#gzip on;
resolver 9.9.9.9;
server {
listen 80 default;
listen [::]:80 default;
listen 172.23.0.1:80 default;
location = /{
return 403;
}
@ -729,6 +749,26 @@ files:
Address = 172.23.191.254/18
mode: "0644"
- path: etc/iptables/rules-wg.v4
contents: |
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o vethin-wg ! -d 172.17.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A FORWARD -i wg0 -o vethin-wg -j ACCEPT
[0:0] -A FORWARD -o wg0 -i vethin-wg -j ACCEPT
[0:0] -A FORWARD -j LOG
[0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
COMMIT
mode: "0440"
- path: srv/tftp
directory: true
mode: "0755"
@ -777,7 +817,7 @@ files:
mode: "0755"
- path: srv/tftp/bzImage
source: challenge-kernel
source: /var/tftp/adlin/bzImage
mode: "0644"
- path: srv/tftp/login-initrd.img
source: tftp/login-initrd.img