.
This commit is contained in:
parent
87598310d9
commit
1acbdd8e81
@ -1,6 +1,5 @@
|
|||||||
@def $subnet = 192.168.66.0/24;
|
@def $subnet = 192.168.66.0/24;
|
||||||
@def $bridge = br0;
|
@def $bridge = br0;
|
||||||
@def $evenet = evenet;
|
|
||||||
@def $internet = "enp2s0";
|
@def $internet = "enp2s0";
|
||||||
@def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
|
@def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
|
||||||
@def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
|
@def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
|
||||||
@ -20,7 +19,7 @@ domain (ip ip6) {
|
|||||||
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
|
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
|
||||||
|
|
||||||
# dn42 -> is filtered in dn42 container
|
# dn42 -> is filtered in dn42 container
|
||||||
interface $evenet outerface $evenet ACCEPT;
|
interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
|
||||||
|
|
||||||
interface $bridge outerface $internet ACCEPT;
|
interface $bridge outerface $internet ACCEPT;
|
||||||
}
|
}
|
||||||
|
19
functions
19
functions
@ -6,11 +6,12 @@
|
|||||||
# Defines a service residing in a given container
|
# Defines a service residing in a given container
|
||||||
@def &def_service($service, $container, $proto, $port) = {
|
@def &def_service($service, $container, $proto, $port) = {
|
||||||
# look up IP addresses of the container
|
# look up IP addresses of the container
|
||||||
@def $ip4 = @resolve($container, A);
|
@def $ip4 = @resolve("$container", A);
|
||||||
@def $ip6 = @resolve($container, AAAA);
|
@def $ip6 = @resolve("ipv6.$container", AAAA);
|
||||||
|
@def $ula = @resolve("ula.$container", AAAA);
|
||||||
|
|
||||||
# chain to allow forwarding to the service
|
# chain to allow forwarding to the service
|
||||||
domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
|
domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6 $ula)) protocol $proto dport $port ACCEPT;
|
||||||
|
|
||||||
# chain to do the DNAT to change the address / port to the one of the container / service
|
# chain to do the DNAT to change the address / port to the one of the container / service
|
||||||
domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
|
domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
|
||||||
@ -34,8 +35,9 @@
|
|||||||
# Allows connection from the given container to the specified service (which resides in another container)
|
# Allows connection from the given container to the specified service (which resides in another container)
|
||||||
@def &allow_service_for($service, $container) = {
|
@def &allow_service_for($service, $container) = {
|
||||||
@def $ip4 = @resolve($container, A);
|
@def $ip4 = @resolve($container, A);
|
||||||
@def $ip6 = @resolve($container, AAAA);
|
@def $ip6 = @resolve("ipv6.$container", AAAA);
|
||||||
domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service);
|
@def $ula = @resolve("ula.$container", AAAA);
|
||||||
|
domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6 $ula)) jump @cat("allow_", $service);
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allows connection a specific service to all containers
|
# Allows connection a specific service to all containers
|
||||||
@ -49,13 +51,14 @@
|
|||||||
@def &forward_to($container, $proto, $port) = {
|
@def &forward_to($container, $proto, $port) = {
|
||||||
# look up IP addresses of the container
|
# look up IP addresses of the container
|
||||||
@def $ip4 = @resolve($container, A);
|
@def $ip4 = @resolve($container, A);
|
||||||
@def $ip6 = @resolve($container, AAAA);
|
@def $ip6 = @resolve("ipv6.$container", AAAA);
|
||||||
|
@def $ula = @resolve("ula.$container", AAAA);
|
||||||
|
|
||||||
domain (ip ip6) {
|
domain (ip ip6) {
|
||||||
# allow forwarding to container
|
# allow forwarding to container
|
||||||
table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
|
table filter chain FORWARD daddr @ipfilter(($ip4 $ip6 $ula)) protocol $proto dport $port ACCEPT;
|
||||||
|
|
||||||
# change destination address to the containers one
|
# change destination address to the containers one
|
||||||
table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6);
|
table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6 $ula);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -3,8 +3,8 @@
|
|||||||
domain (ip ip6) table filter chain FORWARD proto udp dport 5001:5020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) interface $bridge ACCEPT;
|
domain (ip ip6) table filter chain FORWARD proto udp dport 5001:5020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) interface $bridge ACCEPT;
|
||||||
domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 5001:5020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
|
domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 5001:5020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
|
||||||
|
|
||||||
# tinc
|
# openvpn client server
|
||||||
&def_service(evenet, dn42, udp, 666);
|
&def_service(evenet, dn42, udp, 123);
|
||||||
&forward_to_service(evenet, udp, 666);
|
&forward_to_service(evenet, udp, 123);
|
||||||
&def_service(evenet, dn42, tcp, 666);
|
&def_service(evenet, dn42, tcp, 993);
|
||||||
&forward_to_service(evenet, tcp, 666);
|
&forward_to_service(evenet, tcp, 993);
|
||||||
|
@ -6,13 +6,9 @@
|
|||||||
&allow_service_for_all(dns);
|
&allow_service_for_all(dns);
|
||||||
&allow_service_for_all(dns2);
|
&allow_service_for_all(dns2);
|
||||||
|
|
||||||
chain FORWARD interface $evenet mod pkttype pkt-type (broadcast multicast) ACCEPT;
|
|
||||||
|
|
||||||
# chain to allow forwarding to the service
|
# chain to allow forwarding to the service
|
||||||
domain ip table filter chain FORWARD {
|
domain ip table filter chain FORWARD {
|
||||||
@def $dns1_ip4 = @resolve(dns1.evenet.dn42, A);
|
|
||||||
@def $dns2_ip4 = @resolve(dns2.evenet.dn42, A);
|
|
||||||
@def $ns1_ip4 = @resolve(ns1.evenet.dn42, A);
|
@def $ns1_ip4 = @resolve(ns1.evenet.dn42, A);
|
||||||
@def $ns2_ip4 = @resolve(ns2.evenet.dn42, A);
|
@def $ns2_ip4 = @resolve(ns2.evenet.dn42, A);
|
||||||
daddr ($dns1_ip4 $dns2_ip4 $ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;
|
daddr ($ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user