From e17ac425df8120c432ff6b2e323356cd8bf71aac Mon Sep 17 00:00:00 2001
From: wvr
Date: Tue, 10 Feb 2026 12:01:33 -0600
Subject: [PATCH] initial
---
 proxmox/etc/kernel/cmdline | 1 +
 proxmox/etc/network/interfaces | 28 ++++++++++
 proxmox/etc/systemd/network/90-nic0.link | 6 +++
 proxmox/etc/systemd/network/91-nic1.link | 6 +++
 proxmox/scripts-old-wip/iptables-skeleton.sh | 54 ++++++++++++++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 proxmox/etc/kernel/cmdline
 create mode 100644 proxmox/etc/network/interfaces
 create mode 100644 proxmox/etc/systemd/network/90-nic0.link
 create mode 100644 proxmox/etc/systemd/network/91-nic1.link
 create mode 100644 proxmox/scripts-old-wip/iptables-skeleton.sh
diff --git a/proxmox/etc/kernel/cmdline b/proxmox/etc/kernel/cmdline
new file mode 100644
index 0000000..6672364
--- /dev/null
+++ b/proxmox/etc/kernel/cmdline
@@ -0,0 +1 @@
+root=ZFS=rpool/ROOT/pve-1 quiet intel_iommu=on boot=zfs
diff --git a/proxmox/etc/network/interfaces b/proxmox/etc/network/interfaces
new file mode 100644
index 0000000..b9c66f9
--- /dev/null
+++ b/proxmox/etc/network/interfaces
@@ -0,0 +1,28 @@
+auto lo
+iface lo inet loopback
+
+# LAN
+iface nic0 inet manual
+# WAN
+iface nic1 inet manual
+
+# opnsense LAN
+auto vmbr0
+ iface vmbr0 inet static
+ address 192.168.100.51/24
+ gateway 192.168.100.1
+ bridge-ports nic0
+ bridge-stp off
+ bridge-fd 0
+ bridge-mcsnoop 0
+
+# opnsense WAN
+auto vmbr1
+ iface vmbr1 inet dhcp
+ bridge-ports nic1
+ bridge-stp off
+ bridge-fd 0
+ bridge-mcsnoop 0
+
+source /etc/network/interfaces.d/*
+
diff --git a/proxmox/etc/systemd/network/90-nic0.link b/proxmox/etc/systemd/network/90-nic0.link
new file mode 100644
index 0000000..27fd525
--- /dev/null
+++ b/proxmox/etc/systemd/network/90-nic0.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=58:47:ca:72:ef:21
+
+[Link]
+Name=nic0
+
diff --git a/proxmox/etc/systemd/network/91-nic1.link b/proxmox/etc/systemd/network/91-nic1.link
new file mode 100644
index 0000000..5a1a6c3
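Review bot: `iface vmbr1 inet dhcp` in the proxmox/etc/network/interfaces hunk gives the Proxmox host itself an address on the WAN bridge, so the hypervisor's own listeners (SSH, the management web UI) become reachable from the untrusted side and not only via the 192.168.100.51/24 management address on vmbr0. Unless the host is meant to be managed from the WAN, `iface vmbr1 inet manual` with just the bridge-* lines keeps the host off that segment while still passing traffic to the OPNsense WAN port. A one-line comment on the vmbr1 stanza stating whether the host is intentionally addressed there would make the intent reviewable, e.g. `# host has no address on the WAN bridge; only the firewall VM does`.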
--- /dev/null
+++ b/proxmox/etc/systemd/network/91-nic1.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=58:47:ca:72:ef:22
+
+[Link]
+Name=nic1
+
diff --git a/proxmox/scripts-old-wip/iptables-skeleton.sh b/proxmox/scripts-old-wip/iptables-skeleton.sh
new file mode 100644
index 0000000..6579af4
--- /dev/null
+++ b/proxmox/scripts-old-wip/iptables-skeleton.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# mitchs iptables skeleton config
+# -------------------------------------------
+
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+# variables
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+SUBNET=192.168.100
+PIHOLE=$SUBNET.200
+# =/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=
+
+# flush
+iptables -F
+
+# deny all default
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# dns to pihole
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE/24 -p tcp --dport 53 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE/24 -p udp --dport 53 -m state --state NEW
+
+# permit local ssh
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED
+
+# permit outgoing http,https,ftp as well for updates and things
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 443 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 21 -m state --state NEW,ESTABLISHED
+
+# permit loopback
+iptables -A OUTPUT -j ACCEPT -o lo
+
+# permit established
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+
+# save
+if command -v systemctl >/dev/null 2>&1 ; then
+ # redhat
+ if [ -f /etc/sysconfig/iptables ] ; then
+ iptables-save -f /etc/sysconfig/iptables
+ # arch
+ elif [ -f /etc/iptables/iptables.rules ] ; then
+ iptables-save -f /etc/iptables/iptables.rules
+ fi
+ # alpine
+elif command -v rc-service >/dev/null 2>&1 ; then
+ /etc/init.d/iptables save
+fi
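Review bot: `-d $PIHOLE/24` on the two "dns to pihole" rules matches the whole 192.168.100.0/24, not the Pi-hole host, so the comment and the rule disagree and DNS to any host on the subnet is accepted; dropping the mask gives the intended host match, `iptables -A OUTPUT -j ACCEPT -d "$PIHOLE" -p tcp --dport 53 -m state --state NEW` (and the udp twin). The OUTPUT chain also has no ESTABLISHED,RELATED rule, so under the DROP policy only the first packet of a TCP DNS connection leaves the host and the handshake never completes; `iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED` beside the existing INPUT rule fixes that and makes the per-service ESTABLISHED rules redundant. Because the script runs under `#!/bin/sh` without `set -e`, a failing `iptables` call is ignored and the save block at the end persists whatever partial ruleset resulted, so a `set -e` after the shebang is worth adding. The script only configures iptables, leaving the IPv6 policies untouched, which contradicts the "deny all default" comment on a dual-stack host unless ip6tables is handled elsewhere — a note at the top saying so would help.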