Table des matières

Installation des serveurs

Commun

Réseau

# Interface layout written below: eth0 = routed uplink (the only interface with
# a gateway), eth1 = node interconnect, vmbr0/vmbr1 = OVS bridges stretched to
# the peer node over GRE.
nano /etc/network/interfaces

auto lo
iface lo inet loopback

# Uplink: the only interface with a default gateway, so all routed traffic
# (including the masqueraded VM traffic in rules.v4) leaves through it.
auto eth0
iface eth0 inet static
  address 10.0.0.3
  netmask 255.255.255.248
  gateway 10.0.0.1

# Node interconnect (no gateway): carries the GRE tunnels below and, per
# rules.v4, is the only link allowed to reach the host's cluster/storage
# services. mtu 9000 = jumbo frames; presumably the switch and the peer are
# configured to match -- confirm.
auto eth1
iface eth1 inet static
  address 10.10.0.3
  netmask 255.255.255.248
  mtu 9000

# VM bridge (Open vSwitch) stretched to the peer node 10.10.0.4 over GRE.
# GRE is neither encrypted nor authenticated, so VM traffic on vmbr0/vmbr1 is
# exposed to anything that can see or inject on the eth1 segment.
# NOTE(review): acceptable only if eth1 is a dedicated private link -- confirm.
auto vmbr0
iface vmbr0 inet static
  address 10.20.10.3
  netmask 255.255.255.248
  ovs_type OVSBridge
  post-up ovs-vsctl add-port vmbr0 gre0 -- set interface gre0 type=gre options:remote_ip='10.10.0.4'

# Second OVS bridge, no host address, tunnelled to the same peer.
# NOTE(review): gre0 and gre1 share remote_ip and set no options:key; confirm
# OVS can tell the two tunnels apart (otherwise give each a distinct key).
auto vmbr1
iface vmbr1 inet manual
  ovs_type OVSBridge
  post-up ovs-vsctl add-port vmbr1 gre1 -- set interface gre1 type=gre options:remote_ip='10.10.0.4'
  post-up ip link set dev vmbr1 up

# sysctl key: turn on IPv4 routing, required by the FORWARD/MASQUERADE rules in
# rules.v4 further down. NOTE(review): it is listed bare here; it belongs in the
# sysctl configuration (e.g. /etc/sysctl.conf), not in /etc/network/interfaces.
net.ipv4.ip_forward=1

# NOTE(review): presumably so the node names used later in this runbook (kush,
# amnesia) resolve on both hosts; confirm the entries that were added.
nano /etc/hosts

apt

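# Replace the enterprise repository (requires a subscription) with the
# no-subscription one.
rm /etc/apt/sources.list.d/pve-enterprise.list

echo 'deb http://download.proxmox.com/debian jessie pve-no-subscription' > /etc/apt/sources.list.d/pve-no-subscription.list

# Refresh the package lists after changing the sources so the install below
# resolves against the new repository (the original sequence skipped this).
# NOTE(review): the repository is fetched over plain http, so apt's signature
# check is the only integrity protection; a NO_PUBKEY or signature warning
# here must not be waved through.
apt update

# glusterfs-server: shared VM storage; iptables-persistent: restores
# /etc/iptables/rules.v4 at boot; sshguard: bans sources brute-forcing SSH;
# safe-rm / molly-guard: guard rails against a destructive rm / reboot on the
# wrong host; cron-apt: unattended package updates.
apt install glusterfs-server iptables-persistent cron-apt safe-rm molly-guard sshguard

systemctl enable sshguard
systemctl enable netfilter-persistent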

Iptables

# Rule set shown below. NOTE(review): netfilter-persistent, enabled above, is
# expected to restore this file at boot; confirm with a reboot test.
nano /etc/iptables/rules.v4

# Generated by iptables-save v1.4.21 on
# mangle table: every chain is left at ACCEPT, nothing is marked or altered.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on 
# Generated by iptables-save v1.4.21 on 
# filter table: default-deny for traffic to the host (INPUT) and through it
# (FORWARD); traffic originated by the host itself (OUTPUT) is not filtered.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# sshguard: no rules here. NOTE(review): expected to be populated at runtime by
# the sshguard daemon enabled earlier in this runbook.
:sshguard - [0:0]
# Per-protocol dispatch chains for NEW connections. TCP-FORWARD, UDP-FORWARD
# and UDP get no rules below, so every new connection of those kinds falls
# back to the LOG-* chains and is rejected.
:TCP-FORWARD - [0:0]
:UDP-FORWARD - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:LOG-IN - [0:0]
:LOG-FW - [0:0]

# Terminal chains: log (rate-limited to 2/min after the initial burst), then
# reject with the reply matching the protocol: ICMP port-unreachable for UDP,
# RST for TCP, ICMP proto-unreachable for anything else.
-A LOG-IN -m limit --limit 2/min -j LOG --log-prefix "[LOG-IN] "
-A LOG-IN -p udp -j REJECT --reject-with icmp-port-unreachable
-A LOG-IN -p tcp -j REJECT --reject-with tcp-reset
-A LOG-IN -j REJECT --reject-with icmp-proto-unreachable

-A LOG-FW -m limit --limit 2/min -j LOG --log-prefix "[LOG-FW] "
-A LOG-FW -p udp -j REJECT --reject-with icmp-port-unreachable
-A LOG-FW -p tcp -j REJECT --reject-with tcp-reset
-A LOG-FW -j REJECT --reject-with icmp-proto-unreachable

# 1. sshguard first, so banned sources are dropped before anything else.
-A INPUT -j sshguard
-A FORWARD -j sshguard
# 2. Replies to connections that are already established.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3. Loopback.
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
# 4. Everything (all protocols, all ports) from the eth1 /29 to this host and
# to the multicast group 239.192.217.120. This is what exposes the gluster and
# cluster services: only that subnet can reach them. NOTE(review): the
# multicast address is presumably corosync's; confirm against corosync.conf.
-A INPUT -s 10.10.0.0/29 -d 10.10.0.0/29 -i eth1 -j ACCEPT
-A INPUT -s 10.10.0.0/29 -d 239.192.217.120 -i eth1 -j ACCEPT
# 5. Packets conntrack cannot classify.
-A INPUT -m conntrack --ctstate INVALID -j REJECT
-A FORWARD -m conntrack --ctstate INVALID -j REJECT
# 6. ICMP echo request (ping) from anywhere, to and through the host.
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# VM-to-VM traffic hairpinned through the bridge is not filtered.
-A FORWARD -i vmbr0 -o vmbr0 -j ACCEPT

# 192.168.100.0/24 (VM side) may go out via eth0; it is masqueraded in the nat
# table below and the replies come back through the ESTABLISHED rule above.
-A FORWARD -s 192.168.100.0/24 -i vmbr0 -o eth0 -j ACCEPT

# 172.16.42.0/24 is routed (not NATed) in both directions. The second rule
# accepts any protocol, port and state from eth0 into that subnet and sits
# before the TCP-FORWARD/UDP-FORWARD dispatch, so those chains never see this
# traffic. NOTE(review): if eth0 is the upstream link this is an unrestricted
# inbound allow; limiting it to the needed ports (or to RELATED,ESTABLISHED)
# would match the default-deny stance of the rest of the table.
-A FORWARD -s 172.16.42.0/24 -i vmbr0 -o eth0 -j ACCEPT
-A FORWARD -d 172.16.42.0/24 -o vmbr0 -i eth0 -j ACCEPT

# New connections: UDP goes to the UDP chains; TCP only when the packet is a
# bare SYN (any other flag combination falls through to LOG-* and is rejected).
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A FORWARD -p udp -m conntrack --ctstate NEW -j UDP-FORWARD
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP-FORWARD

# The only service opened to the host from every interface: SSH (covered by
# sshguard above). Nothing opens TCP/8006 here, so the Proxmox web UI is
# reachable only over lo or from the eth1 subnet accepted in step 4.
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

# Catch-all: whatever was not accepted above is logged and rejected.
-A INPUT -j LOG-IN
-A FORWARD -j LOG-FW


COMMIT
# Completed on 
# Generated by iptables-save v1.4.21 on 
# nat table: source-NAT the 192.168.100.0/24 VM network behind eth0's address.
# 172.16.42.0/24 is not masqueraded; it is forwarded unchanged (filter table).
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on 
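# Partition the brick disk (interactive), format it as XFS and mount it on
# /data. -i size=512: larger inodes, presumably per GlusterFS's XFS brick
# recommendation (room for its extended attributes) -- confirm.
cfdisk /dev/sdb
mkfs.xfs -i size=512 /dev/sdb1
mkdir -p /data

# Reference the filesystem by UUID instead of /dev/sdb1: device names can
# change when disks are added or re-enumerated, and a stale name in fstab can
# leave the host in emergency mode at boot. The grep guard keeps this step
# idempotent (the original unconditional >> duplicated the entry on re-run).
uuid=$(blkid -s UUID -o value /dev/sdb1)
: "${uuid:?could not read the UUID of /dev/sdb1}"
grep -qF -- "UUID=${uuid} " /etc/fstab || printf 'UUID=%s /data xfs defaults 1 2\n' "$uuid" >> /etc/fstab
mount -a && mount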

# Bring up glusterd on this node.
systemctl enable glusterfs-server
systemctl start glusterfs-server

# Brick directory inside the XFS mount (a sub-directory, not the mount point).
mkdir /data/vm-data

# Single-brick volume for now; the peer's brick is added further down
# ("add-brick ... replica 2"). No auth.allow is set on the volume, so access
# control relies entirely on rules.v4, which only admits the eth1 /29 to this
# host. NOTE(review): setting auth.allow per volume would add a second layer.
gluster volume create vm-data kush:/data/vm-data
gluster volume start vm-data

mkdir /data/vm-vpn

gluster volume create vm-vpn kush:/data/vm-vpn
gluster volume start vm-vpn

Add node glusterfs (ne pas créer les volumes sur amnesia)

# Presumably run on the first node (kush): join amnesia to the trusted pool,
# then extend both volumes to a 2-way replica with amnesia's bricks. amnesia
# must already have /data/vm-* in place and must NOT have created volumes of
# its own (see the heading above).
gluster peer probe amnesia

# NOTE(review): a replica-2 volume with no arbiter can end up split-brain when
# the two nodes lose sight of each other; confirm this is acceptable, or add
# an arbiter brick.
gluster volume add-brick vm-vpn replica 2 amnesia:/data/vm-vpn
gluster volume add-brick vm-data replica 2 amnesia:/data/vm-data

Création du node proxmox :

# Proxmox cluster: `create` on the first node, `add <existing-node>` on the node
# joining it. NOTE(review): the two lines are presumably run on different hosts
# (create on kush, add on amnesia); the runbook does not say which.
pvecm create neutrinet
pvecm add kush
# corosync.conf quorum section for a 2-node cluster. two_node: 1 lets a single
# node keep quorum when its peer is unreachable (per votequorum(5) it also
# enables wait_for_all). NOTE(review): combined with the replica-2 gluster
# storage above, both halves of a partitioned cluster may keep running and
# writing; confirm how fencing / split-brain is handled.
quorum {
  provider: corosync_votequorum
  two_node: 1
}