
debian 11 网络远程自动安装测试 - pxe - preseed.cfg

机房里的机子一般是远程管理的,不方便到现场用光盘或U盘安装系统;而 debian 11 提供了完整的网络安装 netboot 文件,以及自动配置安装参数 preseed.cfg 的说明。

环境:用 VirtualBox 来创建两个虚拟机,A机为pxe服务所在的机子,B机当客户机。A机安装debian 11,分配两张网卡,一张公网,另一张是内网(enp0s8)

步骤:

  1. apt install dnsmasq # 在A机安装dnsmasq,为B机自动分配IP、提供网络引导启动并安装系统
  2. /etc/dnsmasq.conf # 配置文件内容。大概是设置好tftp的路径 /srv/tftp ,及为B机(传统BIOS启动)设置启动文件为 os-images/bullseye/netboot/pxelinux.0

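    # dnsmasq on machine A: DHCP + TFTP for the PXE client, on the internal NIC only.
    interface=enp0s8
    # Bind only enp0s8 instead of the wildcard address, so the DHCP/DNS/TFTP
    # sockets are never open on the public NIC (enp0s3). Without this, dnsmasq
    # listens on every address and merely discards requests from other interfaces.
    bind-interfaces
    # ".local" is also the mDNS suffix (RFC 6762); pick another domain if the
    # clients run an mDNS resolver.
    domain=debian.local
    dhcp-range=192.168.3.3,192.168.3.253,255.255.255.0,1h
    # TFTP has no authentication: every file under tftp-root, including
    # preseed.cfg with its plaintext passwords, is readable by any host on enp0s8.
    enable-tftp
    tftp-root=/srv/tftp
    # dhcp-optsfile=/etc/dnsmasq.opt
    #dhcp-match=ipxe,175
    # dhcp-boot=net:ipxe,default.ipxe
    # pxe-service=x86PC,"ipxe bios", ipxe/undionly.kpxe
    # pxe-service=tag:x86-64_efi,"ipxe efi", ipxe/ipxe.efi
    
    # Legacy-BIOS clients (client-arch 0) are handed pxelinux; UEFI clients
    # (client-arch 7/9) match nothing while the block below stays commented out.
    dhcp-match=set:bios-x86,option:client-arch,0
    # dhcp-boot=tag:bios-x86,ipxe/undionly.kpxe
    dhcp-boot=tag:bios-x86,os-images/bullseye/netboot/pxelinux.0
    
    # boot config for UEFI systems
    # dhcp-match=set:efi-x86_64,option:client-arch,7
    # dhcp-match=set:efi-x86_64,option:client-arch,9
    # dhcp-boot=tag:efi-x86_64,ipxe/ipxe.efi
    
    # dhcp-match=set:ipxe,175
    # dhcp-boot=tag:ipxe,http://192.168.3.1/boot2.php
    # dhcp-userclass=set:ENH,iPXE
    # dhcp-boot=tag:ENH,default.ipxe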
  3. /srv/tftp/os-images/bullseye/netboot/pxelinux.cfg/01-08-00-27-49-b4-6c # 以B机网卡的MAC地址为文件名创建一个pxelinux启动配置文件,内容大概是把debian的自动应答文件preseed.cfg作为启动参数加载

    # Boot entry for one client: pxelinux picks this file by the client's MAC
    # address (01-<mac>), and no "default" fallback is shown on this page, so
    # other hosts that PXE-boot from machine A get no install entry.
    DEFAULT linux
     SAY Now booting the kernel from SYSLINUX...
    LABEL linux
     KERNEL debian-installer/amd64/linux
    # auto=true + preseed/url makes d-i fetch the answers file before asking any
    # question. It is fetched over TFTP (no authentication, no integrity check),
    # so any host on the segment can read it or serve a substitute -- the file
    # carries plaintext root/user passwords.
    # hostname=auto2 here vs "netcfg/hostname string auto1" in preseed.cfg:
    # verify which name the installed system actually ends up with.
     APPEND auto=true hostname=auto2 domain=local preseed/url=tftp://192.168.3.1/os-images/bullseye/preseed.cfg initrd=debian-installer/amd64/initrd.gz
  4. os-images/bullseye/preseed.cfg # 文件内容。目的是自动回答安装过程中的问题,无人值守就可以完成系统安装

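    #### Contents of the preconfiguration file (for bullseye). refer: https://www.debian.org/releases/bullseye/example-preseed.txt
    # This file is served over TFTP to any host on the internal segment; treat
    # every value in it as public.
    d-i debian-installer/locale string en_US
    d-i keyboard-configuration/xkb-keymap select us
    d-i netcfg/choose_interface select auto
    d-i netcfg/get_hostname string unassigned-hostname
    d-i netcfg/get_domain string unassigned-domain
    # Overrides the hostname= given on the pxelinux kernel command line.
    d-i netcfg/hostname string auto1
    d-i netcfg/wireless_wep string
    d-i mirror/country string manual
    d-i mirror/http/hostname string ftp.cn.debian.org
    d-i mirror/http/directory string /debian
    d-i mirror/http/proxy string
    # Plaintext credentials, readable by anything that can reach the TFTP server.
    # For anything beyond a throwaway test VM use the hashed form instead
    # (passwd/root-password-crypted / passwd/user-password-crypted with a
    # crypt(3) SHA-512 hash), or leave the root password empty and rely on sudo,
    # and rotate the passwords on first login.
    d-i passwd/root-password password r00tme
    d-i passwd/root-password-again password r00tme
    d-i passwd/user-fullname string Debian User
    d-i passwd/username string debian
    d-i passwd/user-password password insecure
    d-i passwd/user-password-again password insecure
    d-i clock-setup/utc boolean true
    d-i time/zone string US/Eastern
    d-i clock-setup/ntp boolean true
    # Destructive: existing LVM/RAID on the target disk is wiped without a
    # prompt. Acceptable only because the MAC-named pxelinux.cfg entry limits
    # which machine receives this file.
    d-i partman-auto/method string lvm
    d-i partman-auto-lvm/guided_size string max
    d-i partman-lvm/device_remove_lvm boolean true
    d-i partman-md/device_remove_md boolean true
    d-i partman-lvm/confirm boolean true
    d-i partman-lvm/confirm_nooverwrite boolean true
    d-i partman-auto/choose_recipe select atomic
    d-i partman-partitioning/confirm_write_new_label boolean true
    d-i partman/choose_partition select finish
    d-i partman/confirm boolean true
    d-i partman/confirm_nooverwrite boolean true
    d-i partman-md/confirm boolean true
    d-i apt-setup/cdrom/set-first boolean false
    tasksel tasksel/first multiselect standard, ssh-server
    # true = the installed host reports its package list to Debian weekly;
    # set to false for internal machines that should not phone home.
    popularity-contest popularity-contest/participate boolean true
    d-i grub-installer/only_debian boolean true
    d-i grub-installer/with_other_os boolean true
    d-i grub-installer/bootdev  string default
    d-i finish-install/reboot_in_progress note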
  5. /etc/nftables.conf # 如果A机要为B机充当网关转发上网,还需要配置一下nftables。另外发现一个现象:B机有时上不了外网,需要重启一下nftables服务

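    #!/usr/sbin/nft -f
    
    flush ruleset
    
    table inet filter {
        chain input {
            # Kept at accept so remote management of machine A is not cut off by
            # this file; tighten to policy drop plus explicit ssh/DHCP/TFTP allow
            # rules once console access has been confirmed.
            type filter hook input priority 0; policy accept;
        }
        chain forward {
            # Machine A is dual-homed. With no rules and no policy the forward
            # chain accepted everything in both directions between enp0s3 and
            # enp0s8; only internal -> public and the replies are needed.
            type filter hook forward priority 0; policy drop;
            ct state established,related accept
            ct state invalid drop
            iifname "enp0s8" oifname "enp0s3" accept
        }
        chain output {
            type filter hook output priority 0; policy accept;
        }
    }
    
    #######
    table inet nat {
        chain input {
            type nat hook input priority 0; policy accept;
            # NAT chains only see the first packet of a connection; "accept"
            # here just means "do not NAT icmp", it is not a filter rule.
            ip protocol icmp accept
        }
    
        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
        }
    
        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            # Masquerade only the dnsmasq range, not every packet leaving enp0s3.
            ip saddr 192.168.3.0/24 oifname "enp0s3" masquerade
        }
    
        chain output {
            type nat hook output priority 0; policy accept;
        }
    }
    
    # NOTE(review): the intermittent loss of outbound access mentioned in the post
    # is not explained by this file; after a restart compare `nft list ruleset`
    # with this file to confirm the rules were actually loaded.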

参考: