ferm/ferm-eva.conf

43 lines
1.2 KiB
Plaintext
Raw Normal View History

2015-11-14 21:49:44 +00:00
@def $bridge = br0;
@def $internet = ens3;
@def $search_domain = "eva.higgsboson.tk";
@def $public_ipv4 = `ip a s ens3 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
@def $public_ipv6 = `ip a s ens3 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
include "ferm.d/functions";
include `find ferm.d/services/*`;
domain (ip ip6) {
table nat {
chain PREROUTING policy ACCEPT;
chain POSTROUTING policy ACCEPT;
chain INPUT policy ACCEPT;
chain OUTPUT policy ACCEPT;
}
table filter {
chain FORWARD {
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
# dn42 -> is filtered in dn42 container
interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
interface $bridge outerface $internet ACCEPT;
}
chain (INPUT FORWARD) {
policy DROP;
interface lo ACCEPT;
protocol icmp ACCEPT;
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
LOG log-prefix "iptables reject:";
protocol tcp REJECT reject-with tcp-reset;
REJECT reject-with icmp-port-unreachable;
}
chain OUTPUT policy ACCEPT;
}
}
domain ip table nat {
chain POSTROUTING outerface $internet MASQUERADE;
}