{{{#!rst ========================== CAcert infra01 setup notes ========================== :Author: Jan Dittberner :Version: 0.3 :Date: 2011-04-27 .. image:: CAcert-logo-colour.png :width: 5cm .. contents:: initial setup ============= * update packages using aptitude * setup apticron to get informed about available updates * install etckeeper, bash-completion, vim, lxc, bridge-utils, debootstrap, ntp, screen, pwgen, ferm, python-apt, python-ipcalc virtual machine setup ===================== * create script lxc-setup for lxc container creation (know how from http://wiki.debian.org/LXC and /usr/share/doc/lxc) * initialization file }}} {{{ [network] subnet=24 gateway=10.0.0.1 device=br0 domain=cacert.org smtprelay=emailout.cacert.org [host] volumegroup=vg0 [debian] mirror=http://ftp.nl.debian.org/debian/ release=squeeze packages=ifupdown, libui-dialog-perl, dialog, netbase, net-tools, exim4-daemon-light, iproute, openssh-server, etckeeper, python, locales, vim, iputils-ping, screen, sudo [lxc] cachedir=/var/cache/lxc/debian }}} {{{#!rst * example for svn VM }}} {{{ sudo ./lxc-setup -n svn -l 8G -i 10.0.0.20 -r `pwgen -s 32 -n 1` \ -a svn-admin@cacert.org sudo lxc-start -n svn -f /etc/lxc/svn.conf -d }}} {{{#!rst * enable forwarding }}} {{{ echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/local.conf sysctl net.ipv4.ip_forward=1 }}} {{{#!rst * setup of firewall rules in ``/etc/ferm/ferm.conf`` * use aliases for internal and external addresses in header * use subchains for hosts * host specific rules are put in separate files in ``/etc/ferm/ferm.d/`` }}} {{{ # -*- shell-script -*- # # Configuration file for ferm(1). # @def $INFRA01 = 172.16.2.9; @def $HOST_DEBMIRROR = @resolve((ftp.nluug.nl ftp.nl.debian.org security.debian.org)); @def $HOST_DNS = 172.16.2.1; @def $HOST_SMTP = @resolve(emailout.intra.cacert.org); @def &CONTAINER($name, $host, $host_ext) = { table filter { chain FORWARD { daddr $host @subchain "$name-fwd-in" { jump global-in; } saddr $host @subchain "$name-fwd-out" { jump global-out; } } } } @def &CONTAINER_NAT($name, $host_ext, $host_int) = { &CONTAINER($name, $host_int, $host_ext); table nat { chain PREROUTING { daddr $host_ext DNAT to $host_int; } chain POSTROUTING { saddr $host_int SNAT to $host_ext; } } } @def &CONTAINER_IN($name, $proto, $port) = { table filter { chain "$name-fwd-in" { proto $proto dport $port ACCEPT; } } } @def &CONTAINER_OUT($name, $host, $proto, $port) = { table filter { chain "$name-fwd-out" { proto $proto daddr $host dport $port ACCEPT; } } } table filter { chain INPUT { policy DROP; # connection tracking mod state state INVALID DROP; # allow local packet interface lo ACCEPT; # respond to ping proto icmp ACCEPT; jump global-in; mod state state (ESTABLISHED RELATED) ACCEPT; } chain OUTPUT { policy DROP; mod state state INVALID DROP; jump global-out; # connection tracking mod state state (ESTABLISHED RELATED) ACCEPT; } chain FORWARD { policy DROP; # connection tracking mod state state INVALID DROP; } chain global-out { proto udp daddr $HOST_DNS dport domain ACCEPT; proto tcp daddr $HOST_SMTP dport smtp ACCEPT; proto tcp daddr $HOST_DEBMIRROR dport http ACCEPT; } chain global-in { proto tcp dport ssh ACCEPT; } } @include 'ferm.d/'; table filter chain FORWARD mod state state (ESTABLISHED RELATED) ACCEPT; # IPv6: domain ip6 { table filter { chain INPUT { policy DROP; } chain FORWARD { policy DROP; } chain OUTPUT { policy DROP; } } } }}} {{{#!rst * add ip address of svn vhost to ``/etc/network/interfaces`` in ``eth0`` section: }}} {{{ iface eth0 inet static address 172.16.2.9 netmask 255.255.255.0 network 172.16.2.0 broadcast 172.16.2.255 gateway 172.16.2.1 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 172.16.2.1 dns-search infra.cacert.org post-up ip -4 addr add 172.16.2.15 dev eth0 pre-down ip -4 addr del 172.16.2.15 dev eth0 }}}