ferm/ferm-eve.conf

42 lines
1.2 KiB
Plaintext
Raw Normal View History

2015-03-29 11:13:01 +00:00
@def $subnet = 192.168.66.0/24;
2014-12-19 19:50:19 +00:00
@def $bridge = br0;
@def $internet = "enp2s0";
2015-03-29 11:13:01 +00:00
@def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
@def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
2014-12-19 19:50:19 +00:00
include 'ferm.d/functions';
include `find ferm.d/services/*`;
domain (ip ip6) {
table nat {
chain PREROUTING policy ACCEPT;
chain POSTROUTING policy ACCEPT;
chain INPUT policy ACCEPT;
chain OUTPUT policy ACCEPT;
}
table filter {
chain FORWARD {
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
2015-03-29 11:13:01 +00:00
# dn42 -> is filtered in dn42 container
2015-09-08 22:31:31 +00:00
interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
2015-03-29 11:13:01 +00:00
2014-12-19 19:50:19 +00:00
interface $bridge outerface $internet ACCEPT;
}
chain (INPUT FORWARD) {
policy DROP;
interface lo ACCEPT;
protocol icmp ACCEPT;
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
2015-03-29 11:13:01 +00:00
LOG log-prefix "iptables reject:";
2014-12-19 19:50:19 +00:00
protocol tcp REJECT reject-with tcp-reset;
REJECT reject-with icmp-port-unreachable;
}
chain OUTPUT policy ACCEPT;
}
}
domain ip table nat {
chain POSTROUTING outerface $internet MASQUERADE;
}