Matteo Cerutti m4ce

## gist:35298c7091e6150ebeccdb82e1b9a825
[edit security]
 ike {
     policy ike-dyn-vpn-policy {
         mode aggressive;
         proposal-set standard;
         pre-shared-key ascii-text "<key>"; ## SECRET-DATA
     }
     gateway dyn-vpn-local-gw {
         ike-policy ike-dyn-vpn-policy;
         dynamic {

## Quagga OSPF filter network routes
 redistribute connected metric 1 route-map filter_connected_routes
 redistribute static metric 1
 redistribute kernel metric 1

 route-map filter_connected_routes permit 10
   match ip address filter_connected_routes

 access-list filter_connected_routes deny <network>
 access-list filter_connected_routes permit any

## iptables
# Rules for transparent proxying
iptables -N NO_PROXY -t nat
iptables -A NO_PROXY -t nat -d 0.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 10.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 127.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 169.254.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 172.16.0.0/12 -j ACCEPT
iptables -A NO_PROXY -t nat -d 192.168.0.0/16 -j ACCEPT
iptables -A NO_PROXY -t nat -d 224.0.0.0/4 -j ACCEPT
iptables -A NO_PROXY -t nat -d 240.0.0.0/4 -j ACCEPT

## canonical_ldap
server_host = <ipa_host>
server_port = 389
bind = no
search_base = cn=users,cn=accounts,dc=example,dc=org
query_filter = (&(objectClass=person)(uid=%u))
result_attribute = mail
result_format = %s
start_tls = yes
version = 3
tls_key = <key>

## gist:1fbd0b36310fb9625fea40e3b3141b7e
frontend example
  bind 0.0.0.0:80
  bind 0.0.0.0:443 ssl crt <pem>
  mode http
  option httplog

  acl is_test hdr(host) -i test.example.org

  use_backend test if is_test
  default_backend welcome

## gist:ade3970c74631ef2512d7aca4353dd84
$ pulp-admin auth user create --login registrator --password=secret --name "Used for unattended registrations"
$ pulp-admin auth permission grant --login registrator --resource /v2/consumers/ -o CREATE -o READ
$ pulp-consumer -u registrator -p secret register --consumer-id `hostname -f`

## inventory.mc
formatted_inventory do
  page_length 50
  page_heading <<TOP

Hostname:                 Serial:                 Hardware:                                                   Distribution:
------------------------------------------------------------------------------------------------------------------------------
TOP

  page_body <<BODY
@<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<< @<<<

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                m4ce
                / keybase.md
            
            
              Created
              May 24, 2016 10:33
            
          
    Keybase proof

I hereby claim:

I am m4ce on github.
I am m4ce (https://keybase.io/m4ce) on keybase.
I have a public key whose fingerprint is 168E FD43 E44A 13D0 3BDE  59FA 148D 5C94 66C3 CF73

To claim this, I am signing this object:

  
## site1.conf
conn site1
    left=%defaultroute
    leftid=@site1
    leftrsasigkey=/etc/ipsec.d/certs/site1.pem
    right=<SITE2_IP>
    rightid=@site2
    rightrsasigkey="dns:<Base64 RFC 3110 RSA key from site2>"
    authby=rsasig
    auto=add
    type=tunnel

## gist:f587b0203ea0bc2d9d1cbf13baa9497b
on box1:
  cat < /dev/tcp/<IP>/<PORT> > file

on box2:
  nc -v -l <PORT> < file
	[edit security]
	ike {
	policy ike-dyn-vpn-policy {
	mode aggressive;
	proposal-set standard;
	pre-shared-key ascii-text "<key>"; ## SECRET-DATA
	}
	gateway dyn-vpn-local-gw {
	ike-policy ike-dyn-vpn-policy;
	dynamic {
	redistribute connected metric 1 route-map filter_connected_routes
	redistribute static metric 1
	redistribute kernel metric 1

	route-map filter_connected_routes permit 10
	match ip address filter_connected_routes

	access-list filter_connected_routes deny <network>
	access-list filter_connected_routes permit any
	# Rules for transparent proxying
	iptables -N NO_PROXY -t nat
	iptables -A NO_PROXY -t nat -d 0.0.0.0/8 -j ACCEPT
	iptables -A NO_PROXY -t nat -d 10.0.0.0/8 -j ACCEPT
	iptables -A NO_PROXY -t nat -d 127.0.0.0/8 -j ACCEPT
	iptables -A NO_PROXY -t nat -d 169.254.0.0/16 -j ACCEPT
	iptables -A NO_PROXY -t nat -d 172.16.0.0/12 -j ACCEPT
	iptables -A NO_PROXY -t nat -d 192.168.0.0/16 -j ACCEPT
	iptables -A NO_PROXY -t nat -d 224.0.0.0/4 -j ACCEPT
	iptables -A NO_PROXY -t nat -d 240.0.0.0/4 -j ACCEPT
	server_host = <ipa_host>
	server_port = 389
	bind = no
	search_base = cn=users,cn=accounts,dc=example,dc=org
	query_filter = (&(objectClass=person)(uid=%u))
	result_attribute = mail
	result_format = %s
	start_tls = yes
	version = 3
	tls_key = <key>
	frontend example
	bind 0.0.0.0:80
	bind 0.0.0.0:443 ssl crt <pem>
	mode http
	option httplog

	acl is_test hdr(host) -i test.example.org

	use_backend test if is_test
	default_backend welcome
	$ pulp-admin auth user create --login registrator --password=secret --name "Used for unattended registrations"
	$ pulp-admin auth permission grant --login registrator --resource /v2/consumers/ -o CREATE -o READ
	$ pulp-consumer -u registrator -p secret register --consumer-id `hostname -f`
	formatted_inventory do
	page_length 50
	page_heading <<TOP

	Hostname: Serial: Hardware: Distribution:
	------------------------------------------------------------------------------------------------------------------------------
	TOP

	page_body <<BODY
	@<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<< @<<<
	conn site1
	left=%defaultroute
	leftid=@site1
	leftrsasigkey=/etc/ipsec.d/certs/site1.pem
	right=<SITE2_IP>
	rightid=@site2
	rightrsasigkey="dns:<Base64 RFC 3110 RSA key from site2>"
	authby=rsasig
	auto=add
	type=tunnel
	on box1:
	cat < /dev/tcp/<IP>/<PORT> > file

	on box2:
	nc -v -l <PORT> < file