From efb93675e2741db057b77b70acf9b0c650f99e47 Mon Sep 17 00:00:00 2001
From: Giulio
Date: Wed, 27 Jan 2021 11:22:28 +0100
Subject: [PATCH] Added backup of master serve rconfiguration: DHCP, interfaces, iptables
---
 server-config/dhcpd.conf | 254 ++++++++++++++++++++
 server-config/interfaces.backup | 185 ++++++++++++++
 server-config/iptables | 8 +
 server-config/iptables-save.dropall.rules | 27 +++
 server-config/iptables-save.dropvlans.rules | 22 ++
 5 files changed, 496 insertions(+)
 create mode 100644 server-config/dhcpd.conf
 create mode 100644 server-config/interfaces.backup
 create mode 100755 server-config/iptables
 create mode 100644 server-config/iptables-save.dropall.rules
 create mode 100644 server-config/iptables-save.dropvlans.rules
diff --git a/server-config/dhcpd.conf b/server-config/dhcpd.conf
new file mode 100644
index 0000000..54c1c4b
--- /dev/null
+++ b/server-config/dhcpd.conf
@@ -0,0 +1,254 @@
+# dhcpd.conf
+#
+# Sample configuration file for ISC dhcpd
+#
+
+# option definitions common to all supported networks...
+option domain-name "example.org";
+option domain-name-servers ns1.example.org, ns2.example.org;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+#log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+# range 10.254.239.10 10.254.239.20;
+# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+# range dynamic-bootp 10.254.239.40 10.254.239.60;
+# option broadcast-address 10.254.239.31;
+# option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+# range 10.5.5.26 10.5.5.30;
+# option domain-name-servers ns1.internal.example.org;
+# option domain-name "internal.example.org";
+# option routers 10.5.5.1;
+# option broadcast-address 10.5.5.31;
+# default-lease-time 600;
+# max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements. If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+# hardware ethernet 0:0:c0:5d:bd:95;
+# filename "vmunix.passacaglia";
+# server-name "toccata.example.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts. These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP. Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+# hardware ethernet 08:00:07:26:c0:a5;
+# fixed-address fantasia.example.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that. The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+# subnet 10.17.224.0 netmask 255.255.255.0 {
+# option routers rtr-224.example.org;
+# }
+# subnet 10.0.29.0 netmask 255.255.255.0 {
+# option routers rtr-29.example.org;
+# }
+# pool {
+# allow members of "foo";
+# range 10.17.224.10 10.17.224.250;
+# }
+# pool {
+# deny members of "foo";
+# range 10.0.29.10 10.0.29.230;
+# }
+#}
+
+
+subnet 10.0.13.0 netmask 255.255.255.0 {
+ range 10.0.13.10 10.0.13.12;
+ option routers 10.0.13.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.14.0 netmask 255.255.255.0 {
+ range 10.0.14.10 10.0.14.12;
+ option routers 10.0.14.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.15.0 netmask 255.255.255.0 {
+ range 10.0.15.10 10.0.15.12;
+ option routers 10.0.15.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.16.0 netmask 255.255.255.0 {
+ range 10.0.16.10 10.0.16.12;
+ option routers 10.0.16.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.17.0 netmask 255.255.255.0 {
+ range 10.0.17.10 10.0.17.12;
+ option routers 10.0.17.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.18.0 netmask 255.255.255.0 {
+ range 10.0.18.10 10.0.18.12;
+ option routers 10.0.18.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.19.0 netmask 255.255.255.0 {
+ range 10.0.19.10 10.0.19.12;
+ option routers 10.0.19.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.20.0 netmask 255.255.255.0 {
+ range 10.0.20.10 10.0.20.12;
+ option routers 10.0.20.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.21.0 netmask 255.255.255.0 {
+ range 10.0.21.10 10.0.21.12;
+ option routers 10.0.21.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.22.0 netmask 255.255.255.0 {
+ range 10.0.22.10 10.0.22.12;
+ option routers 10.0.22.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.23.0 netmask 255.255.255.0 {
+ range 10.0.23.10 10.0.23.12;
+ option routers 10.0.23.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.24.0 netmask 255.255.255.0 {
+ range 10.0.24.10 10.0.24.12;
+ option routers 10.0.24.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.25.0 netmask 255.255.255.0 {
+ range 10.0.25.10 10.0.25.12;
+ option routers 10.0.25.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.26.0 netmask 255.255.255.0 {
+ range 10.0.26.10 10.0.26.12;
+ option routers 10.0.26.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.27.0 netmask 255.255.255.0 {
+ range 10.0.27.10 10.0.27.12;
+ option routers 10.0.27.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.28.0 netmask 255.255.255.0 {
+ range 10.0.28.10 10.0.28.12;
+ option routers 10.0.28.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.29.0 netmask 255.255.255.0 {
+ range 10.0.29.10 10.0.29.12;
+ option routers 10.0.29.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.30.0 netmask 255.255.255.0 {
+ range 10.0.30.10 10.0.30.12;
+ option routers 10.0.30.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.31.0 netmask 255.255.255.0 {
+ range 10.0.31.10 10.0.31.12;
+ option routers 10.0.31.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.32.0 netmask 255.255.255.0 {
+ range 10.0.32.10 10.0.32.12;
+ option routers 10.0.32.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.33.0 netmask 255.255.255.0 {
+ range 10.0.33.10 10.0.33.12;
+ option routers 10.0.33.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.34.0 netmask 255.255.255.0 {
+ range 10.0.34.10 10.0.34.12;
+ option routers 10.0.34.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.35.0 netmask 255.255.255.0 {
+ range 10.0.35.10 10.0.35.12;
+ option routers 10.0.35.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.36.0 netmask 255.255.255.0 {
+ range 10.0.36.10 10.0.36.12;
+ option routers 10.0.36.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.37.0 netmask 255.255.255.0 {
+ range 10.0.37.10 10.0.37.12;
+ option routers 10.0.37.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.38.0 netmask 255.255.255.0 {
+ range 10.0.38.10 10.0.38.12;
+ option routers 10.0.38.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.39.0 netmask 255.255.255.0 {
+ range 10.0.39.10 10.0.39.12;
+ option routers 10.0.39.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.40.0 netmask 255.255.255.0 {
+ range 10.0.40.10 10.0.40.12;
+ option routers 10.0.40.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
+subnet 10.0.41.0 netmask 255.255.255.0 {
+ range 10.0.41.10 10.0.41.12;
+ option routers 10.0.41.1;
+ option domain-name-servers 8.8.8.8, 1.1.1.1;
+}
diff --git a/server-config/interfaces.backup b/server-config/interfaces.backup
new file mode 100644
index 0000000..f27c585
--- /dev/null
+++ b/server-config/interfaces.backup
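Review bot: The global `option domain-name "example.org";` and `option domain-name-servers ns1.example.org, ns2.example.org;` near the top of the hunk are leftovers from the ISC sample file; the per-subnet `option domain-name-servers 8.8.8.8, 1.1.1.1;` overrides the second, but every client on the 10.0.13–10.0.41 subnets is still handed `example.org` as its domain, so remove both lines or set the real domain. Further down, `#authoritative;` is still commented out; if this host is the only DHCP server on these VLANs, uncomment it as `authoritative;` so that clients returning with a stale lease get a DHCPNAK instead of waiting for their old lease to expire. Each `range` covers only three addresses (`.10`–`.12`), which looks deliberate but should be checked against the expected number of hosts per VLAN. The 10.0.0.0/24 network assigned to the parent NIC in the companion interfaces file has no subnet declaration here, so dhcpd will presumably warn about that interface at startup.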
@@ -0,0 +1,185 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+auto enp9s0f0
+iface enp9s0f0 inet static
+address 130.192.93.78
+netmask 255.255.255.0
+gateway 130.192.93.17
+
+auto enp9s0f1
+iface enp9s0f1 inet static
+address 192.168.1.10
+netmask 255.255.255.0
+
+auto enp5s0f0
+iface enp5s0f0 inet static
+address 10.0.0.0
+netmask 255.255.255.0
+
+auto enp5s0f0.1013
+iface enp5s0f0.1013 inet static
+address 10.0.13.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1014
+iface enp5s0f0.1014 inet static
+address 10.0.14.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1015
+iface enp5s0f0.1015 inet static
+address 10.0.15.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1016
+iface enp5s0f0.1016 inet static
+address 10.0.16.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1017
+iface enp5s0f0.1017 inet static
+address 10.0.17.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1018
+iface enp5s0f0.1018 inet static
+address 10.0.18.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1019
+iface enp5s0f0.1019 inet static
+address 10.0.19.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1020
+iface enp5s0f0.1020 inet static
+address 10.0.20.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1021
+iface enp5s0f0.1021 inet static
+address 10.0.21.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1022
+iface enp5s0f0.1022 inet static
+address 10.0.22.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1023
+iface enp5s0f0.1023 inet static
+address 10.0.23.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1024
+iface enp5s0f0.1024 inet static
+address 10.0.24.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1025
+iface enp5s0f0.1025 inet static
+address 10.0.25.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1026
+iface enp5s0f0.1026 inet static
+address 10.0.26.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1027
+iface enp5s0f0.1027 inet static
+address 10.0.27.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1028
+iface enp5s0f0.1028 inet static
+address 10.0.28.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1029
+iface enp5s0f0.1029 inet static
+address 10.0.29.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1030
+iface enp5s0f0.1030 inet static
+address 10.0.30.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1031
+iface enp5s0f0.1031 inet static
+address 10.0.31.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1032
+iface enp5s0f0.1032 inet static
+address 10.0.32.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1033
+iface enp5s0f0.1033 inet static
+address 10.0.33.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1034
+iface enp5s0f0.1034 inet static
+address 10.0.34.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1035
+iface enp5s0f0.1035 inet static
+address 10.0.35.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1036
+iface enp5s0f0.1036 inet static
+address 10.0.36.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1037
+iface enp5s0f0.1037 inet static
+address 10.0.37.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1038
+iface enp5s0f0.1038 inet static
+address 10.0.38.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1039
+iface enp5s0f0.1039 inet static
+address 10.0.39.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1040
+iface enp5s0f0.1040 inet static
+address 10.0.40.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1041
+iface enp5s0f0.1041 inet static
+address 10.0.41.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1100
+iface enp5s0f0.1100 inet static
+address 10.0.100.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1101
+iface enp5s0f0.1101 inet static
+address 10.0.101.1
+netmask 255.255.255.0
+
+auto enp5s0f0.1102
+iface enp5s0f0.1102 inet static
+address 10.0.102.1
+netmask 255.255.255.0
+
diff --git a/server-config/iptables b/server-config/iptables
new file mode 100755
index 0000000..9c06d54
--- /dev/null
+++ b/server-config/iptables
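Review bot: `iface enp5s0f0 inet static` with `address 10.0.0.0` and `netmask 255.255.255.0` assigns the network address of 10.0.0.0/24 to the parent NIC, which is not a usable host address; since the NIC only carries the tagged `enp5s0f0.10xx` sub-interfaces declared below it, `iface enp5s0f0 inet manual` (bring the link up with no address) is the usual form. The sub-interfaces `enp5s0f0.1100`–`enp5s0f0.1102` (10.0.100.1–10.0.102.1) have no matching `subnet` declaration in the dhcpd.conf added by this same commit, so dhcpd will presumably warn and ignore requests on them — add declarations, or drop the sub-interfaces if no DHCP service is intended there. The file also commits the server's public address and default gateway (`130.192.93.78`, `130.192.93.17`); if this repository is public, consider whether those belong in version control or should be kept in a private backup.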
@@ -0,0 +1,8 @@
+iptables -N LOG_DROP
+iptables -I FORWARD -s 10.0.0.0/16 -d 10.0.0.0/16 -j LOG_DROP
+iptables -A LOG_DROP -j LOG --log-prefix "refused connection: "
+iptables -A LOG_DROP -j DROP
+iptables -A FORWARD -i enp5s0f0 -o enp9s0f0 -j ACCEPT
+iptables -A FORWARD -i enp5s0f0 -o enp9s0f0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -t nat -A POSTROUTING -o enp9s0f0 -j MASQUERADE
+#iptables -A FORWARD -j DROP
diff --git a/server-config/iptables-save.dropall.rules b/server-config/iptables-save.dropall.rules
new file mode 100644
index 0000000..6918212
--- /dev/null
+++ b/server-config/iptables-save.dropall.rules
@@ -0,0 +1,27 @@
+# Generated by xtables-save v1.8.2 on Fri Sep 25 17:53:13 2020
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:LOG_DROP - [0:0]
+
+-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A FORWARD -s 10.0.0.0/16 -d 168.119.32.41 -j ACCEPT
+-A FORWARD -s 10.0.0.0/16 -d 168.119.32.44 -j ACCEPT
+-A FORWARD -s 10.0.0.0/16 -j LOG_DROP
+
+-A FORWARD -i enp5s0f0 -o enp9s0f0 -j ACCEPT
+-A FORWARD -i enp5s0f0 -o enp9s0f0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A LOG_DROP -j LOG --log-prefix "refused connection: "
+-A LOG_DROP -j DROP
+COMMIT
+# Completed on Fri Sep 25 17:53:13 2020
+# Generated by xtables-save v1.8.2 on Fri Sep 25 17:53:13 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A POSTROUTING -o enp9s0f0 -j MASQUERADE
+COMMIT
+# Completed on Fri Sep 25 17:53:13 2020
diff --git a/server-config/iptables-save.dropvlans.rules b/server-config/iptables-save.dropvlans.rules
new file mode 100644
index 0000000..1181069
--- /dev/null
+++ b/server-config/iptables-save.dropvlans.rules
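Review bot: The file is committed with mode 100755 but its first line is `iptables -N LOG_DROP` rather than a shebang, so running it directly depends on how the invoking shell treats a script without `#!`; add `#!/bin/sh` and `set -e` at the top so a failing rule aborts the run instead of leaving a half-applied policy. The script is also not idempotent: a second run fails at `iptables -N LOG_DROP` because the chain already exists and then appends duplicate rules, which makes the two `iptables-save.*.rules` files in this commit, presumably loaded with `iptables-restore`, the safer source of truth. Line 6, `-i enp5s0f0 -o enp9s0f0 -m state --state ESTABLISHED,RELATED -j ACCEPT`, is redundant with the unconditional ACCEPT for the same direction on line 5; what is missing is the reverse direction, `iptables -A FORWARD -i enp9s0f0 -o enp5s0f0 -m state --state ESTABLISHED,RELATED -j ACCEPT`, without which enabling the commented-out `iptables -A FORWARD -j DROP` on line 8 would cut off every reply to the VLAN hosts. In this script and in both `iptables-save.*.rules` files the `-j LOG` rule carries no rate limit, so a single noisy host can flood syslog; inserting `-m limit --limit 5/min --limit-burst 10` before `-j LOG` is the usual guard.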
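Review bot: `:FORWARD ACCEPT [0:0]` leaves the default policy at ACCEPT, so the FORWARD chain only blocks what it explicitly names: a new connection arriving on `enp9s0f0` or `enp9s0f1` and destined for 10.0.0.0/16 matches no rule and is forwarded, and the two `-A FORWARD -i enp5s0f0 -o enp9s0f0 … -j ACCEPT` lines add nothing because nothing after them would drop that traffic. For an allowlist ruleset the policy should be `:FORWARD DROP [0:0]`, keeping the existing `-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` as the first rule so replies to the VLAN hosts keep flowing; the same policy line and the same pattern appear in `iptables-save.dropvlans.rules` in this commit, which has no ESTABLISHED,RELATED rule at all and would need one added before tightening the policy. In this file the two `-i enp5s0f0 -o enp9s0f0` rules placed after `-A FORWARD -s 10.0.0.0/16 -j LOG_DROP` are also unreachable for any 10.0.0.0/16 source, since that rule has already dropped the packet, so they can be deleted or moved above it.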
@@ -0,0 +1,22 @@
+# Generated by xtables-save v1.8.2 on Fri Sep 25 17:53:13 2020
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:LOG_DROP - [0:0]
+-A FORWARD -s 10.0.0.0/16 -d 10.0.0.0/16 -j LOG_DROP
+-A FORWARD -i enp5s0f0 -o enp9s0f0 -j ACCEPT
+-A FORWARD -i enp5s0f0 -o enp9s0f0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A LOG_DROP -j LOG --log-prefix "refused connection: "
+-A LOG_DROP -j DROP
+COMMIT
+# Completed on Fri Sep 25 17:53:13 2020
+# Generated by xtables-save v1.8.2 on Fri Sep 25 17:53:13 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A POSTROUTING -o enp9s0f0 -j MASQUERADE
+COMMIT
+# Completed on Fri Sep 25 17:53:13 2020