For lease expires -19418 day left  (example of broken output: a negative day count of this size — roughly the number of days since 1970-01-01 — means the extracted expiry string did not parse as a date and the comparison fell back to the Unix epoch; see the CR-stripping note below)
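# Pull the expiry date out of WHOIS output.
# Patterns cover the common registry spellings ("Expiry Date", "Expiration Date",
# "expires on", "free-date"); the first matching line wins and its last
# whitespace-separated token is taken as the date. The original used the shorter
# pattern 'expir.*date|expir.*on', which misses "expires"/"free-date" style records.
# Carriage returns are stripped first: WHOIS servers frequently answer with CRLF, and
# a trailing \r left in $expdate makes a later `date -d "$expdate"` fail, which is a
# likely cause of the negative "days left" figure seen above.
expdate=$(whois "$domain" \
  | tr -d '\r' \
  | grep -iE 'expir.*date|expir.*on|expires|free-date' \
  | head -n 1 \
  | grep -oE '[^[:space:]]+$')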
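$TTL 604800
; The original file set "$ORIGIN example.com." after the SOA, which would have put the
; ns/mx host records into a different zone and left ns.lra-lx1.local. without an
; address; the origin must be the zone itself.
$ORIGIN lra-lx1.local.
; SOA: primary nameserver (MNAME) followed by the zone contact (RNAME). The RNAME
; field was missing in the original, which makes the record unparseable.
; "hostmaster.lra-lx1.local." encodes hostmaster@lra-lx1.local.
@       IN SOA  ns.lra-lx1.local. hostmaster.lra-lx1.local. (
                202301022 ; Serial — must increase on every change
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
; At least one NS record at the apex is mandatory; the zone does not load without it.
@       IN NS   ns.lra-lx1.local.
@       IN A    192.168.1.10 ; apex address — remove if the zone apex itself has no host
@       IN MX   50 mx.lra-lx1.local.
; CAA: only Sectigo may issue certificates for this name (flag 128 = issuer-critical).
@       IN CAA  128 issue "sectigo.com"
; SPF: only the apex A record and the MX hosts may send mail; everything else hard-fails.
@       IN TXT  "v=spf1 a mx -all"
; Host records (relative to $ORIGIN).
ns      IN A    192.168.1.20
mx      IN A    192.168.1.30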
# BGP template for the blocklist feed: the session only imports prefixes and must
# never announce anything — the output side is pointed at the "discard" chain below.
/routing bgp template
set default disabled=no output.network=bgp-networks
add as=65514 disabled=no name=antifilter output.network=bgp-networks .no-client-to-client-reflection=yes router-id=10.42.1.3 routing-table=main
# Filters: "discard" rejects everything (used as the output chain); "antifilter-in"
# rewrites the next hop of every imported prefix to gateway object *0x4a and accepts it.
# NOTE(review): *0x4a is an internal object id, not an address — confirm it still
# resolves to the intended (VPN) gateway after a reboot or a config re-import.
/routing filter rule
add chain=discard disabled=no rule="reject;"
add chain=antifilter-in disabled=no rule="set gw *0x4a; accept;"
# eBGP multihop session to the feed.
# NOTE(review): router-id here (91.231.206.202) differs from the template's 10.42.1.3 —
# presumably the connection-level value wins; confirm which one is intended.
# NOTE(review): no tcp-md5-key is set, so the session is unauthenticated; the input
# filter is the only thing limiting what the peer can inject into the routing table.
# keepalive-time=1s against hold-time=4m is unusual (hold is normally ~3x keepalive).
/routing bgp connection
add as=65514 connect=yes disabled=no hold-time=4m input.filter=antifilter-in keepalive-time=1s listen=yes local.address=10.42.1.3 .role=ebgp multihop=yes name=rublacklist output.filter-chain=discard .network=bgp-networks \
.no-client-to-client-reflection=yes remote.address=10.75.66.20/32 .as=65444 .port=643 router-id=91.231.206.202 routing-table=main templates=antifilter
# Reachability probe only: every script is empty, so nothing happens on state change.
/tool netwatch
add disabled=no down-script="" host=77.88.8.8 http-codes="" interval=30s test-script="" type=icmp up-script=""
# Address and interface definitions for the rules below (all IPv4).
@def $WAN_IP1 = 1.1.1.1; # inbound services (ping, SSH, HTTP/S, WireGuard) are accepted on this address only
@def $WAN_IP2 = 1.1.1.2; # VPN client traffic leaves the host from this address (SNAT)
@def $DEV_WAN = ens1s0;
@def $VPN_NETS = (10.10.10.0/24 10.10.20.0/24); # VPN client networks
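# The addresses defined above are all IPv4, so the address-specific rules only make
# sense in the ip domain. The original emitted them under ip6tables as well, which
# fails on the first IPv4 literal (e.g. "daddr 1.1.1.1") and leaves the host without
# any IPv6 policy at all. The conntrack/loopback rules stay shared between both
# domains; IPv4-only parts are guarded with @if @eq($DOMAIN, ip).
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP; # default deny: anything without an explicit ACCEPT below is dropped
            # connection tracking
            mod state state INVALID LOG log-prefix '[FERM] INVALID INPUT DROP: ';
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            # allow local packets
            interface lo ACCEPT;
            @if @eq($DOMAIN, ip) {
                # services are exposed on the primary address only
                daddr $WAN_IP1 {
                    # respond to ping
                    proto icmp ACCEPT;
                    # allow SSH connections
                    proto tcp dport 22 ACCEPT;
                    # allow WEB connections
                    proto tcp dport (http https) ACCEPT;
                    # allow VPN wireguard connections
                    proto udp dport 51820 ACCEPT;
                }
            } @else {
                # ICMPv6 is not optional: neighbor discovery and PMTU depend on it,
                # and with policy DROP nothing else in this chain would let it through
                proto ipv6-icmp ACCEPT;
            }
        }
        chain OUTPUT {
            policy ACCEPT;
            # connection tracking
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;
            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            @if @eq($DOMAIN, ip) {
                # VPN clients may forward in any direction — to the WAN and into each
                # other's networks alike; add "outerface $DEV_WAN" if they should only
                # be able to reach the Internet
                saddr $VPN_NETS ACCEPT;
            }
        }
    }
}
# NAT is IPv4-only here: the SNAT target is an IPv4 address.
domain ip {
    table nat {
        chain POSTROUTING {
            # source-NAT VPN client traffic leaving via the WAN interface to the second address
            saddr $VPN_NETS outerface $DEV_WAN SNAT to $WAN_IP2;
        }
    }
}
@include ferm.d/;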
## Install certbot
sudo apt-get install certbot
## Create the webroot for the HTTP-01 challenge (the ACME server fetches
## http://<domain>/.well-known/acme-challenge/<token> over plain HTTP)
sudo mkdir -p /var/www/cert_bot/.well-known/acme-challenge
sudo chown -R www-data:www-data /var/www/cert_bot
## Create the base HTTP config in /etc/nginx/sites-enabled/default
## (the original wrote "site-enable"; the Debian/Ubuntu directory is "sites-enabled")
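# Plain-HTTP server: serves ACME HTTP-01 challenge tokens from the webroot and
# redirects everything else to HTTPS.
server {
    listen 80;
    server_name _;
    root /var/www/cert_bot;
    # certbot writes its challenge tokens under this path (the -w webroot);
    # logging is off so renewals do not clutter the access log
    location /.well-known/acme-challenge/ {
        access_log off;
        default_type "text/plain";
    }
    location / {
        # $host, not $server_name: with "server_name _;" the latter expands to the
        # literal "_", so the original redirect sent clients to https://_/...
        return 301 https://$host$request_uri;
    }
}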
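## Request the certificate against the staging endpoint first.
## The original had "--dry-run--webroot" (missing space), which certbot rejects as an unknown option.
sudo certbot certonly --dry-run --webroot --agree-tos --email hostmaster@domain.com -w /var/www/cert_bot/ -d domain.com
## If that succeeds, request the real certificate without --dry-run
sudo certbot certonly --webroot --agree-tos --email hostmaster@domain.com -w /var/www/cert_bot/ -d domain.com
## Add the TLS server config in /etc/nginx/sites-enabled/domain-ssl
## (the original wrote "site-enable"; the Debian/Ubuntu directory is "sites-enabled")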
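# HTTPS server for domain.com using the Let's Encrypt certificate issued above.
server {
    listen 443 ssl;
    server_name domain.com;
    # "ssl on;" is obsolete — deprecated since nginx 1.15 and removed in recent
    # releases; "listen 443 ssl" already enables TLS on this socket.
    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    # the key lives next to fullchain.pem under live/; the original path lacked "live/"
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # OCSP stapling; ssl_stapling_verify needs the issuer chain to validate the
    # stapled response, otherwise nginx logs a warning and skips verification
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
    #ssl_dhparam /etc/nginx/dhparam.pem;
    root /var/www/html; # the original lacked the ";" — nginx refuses to load the file without it
}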
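## Schedule automatic renewal in root's crontab.
## The deploy hook is what makes a renewed certificate take effect: "certbot renew"
## in webroot mode only rewrites the files, and nginx keeps serving the old
## certificate until it is reloaded.
## NOTE(review): the Debian/Ubuntu certbot package normally ships its own systemd
## timer / cron job for "certbot renew"; this entry is redundant where that is active.
sudo crontab -e -u root
0 0 10,25 * * certbot renew --quiet --deploy-hook "systemctl reload nginx"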