Mic92/ferm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

allow dn42 tunnel

Browse Source
This commit is contained in:
Jörg Thalheim 2015-11-14 21:49:44 +00:00
parent 3d9b4ad687
commit 60eaa1234b
4 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
ferm-eva.conf Executable file
View File

@ -0,0 +1,42 @@
@def $bridge = br0;
@def $internet = ens3;
@def $search_domain = "eva.higgsboson.tk";
@def $public_ipv4 = `ip a s ens3 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
@def $public_ipv6 = `ip a s ens3 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
include "ferm.d/functions";
include `find ferm.d/services/*`;
domain (ip ip6) {
table nat {
chain PREROUTING policy ACCEPT;
chain POSTROUTING policy ACCEPT;
chain INPUT policy ACCEPT;
chain OUTPUT policy ACCEPT;
}
table filter {
chain FORWARD {
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
# dn42 -> is filtered in dn42 container
interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
interface $bridge outerface $internet ACCEPT;
}
chain (INPUT FORWARD) {
policy DROP;
interface lo ACCEPT;
protocol icmp ACCEPT;
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
LOG log-prefix "iptables reject:";
protocol tcp REJECT reject-with tcp-reset;
REJECT reject-with icmp-port-unreachable;
}
chain OUTPUT policy ACCEPT;
}
}
domain ip table nat {
chain POSTROUTING outerface $internet MASQUERADE;
}

2
services-eva/00-local Normal file
View File

@ -0,0 +1,2 @@
&allow_local(tcp, 22); # SSH
&allow_local(udp, 60000:60010); # Mosh

10
services-eva/45-dn42 Normal file
View File

@ -0,0 +1,10 @@
@def $dn42_ip4 = @resolve(dn42, A);
@def $dn42_ip6 = @resolve(ipv6.dn42.eva.higgsboson.tk, AAAA);
domain (ip ip6) table filter chain FORWARD proto udp dport 6001:6020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) ACCEPT;
domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 6001:6020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
&def_service(evenet, dn42, udp, 21);
&forward_to_service(evenet, udp, 21);
&forward_to_service(evenet, udp, 123);
&def_service(evenet-tcp, dn42, tcp, 443);
&forward_to_service(evenet-tcp, tcp, 443);

6
services-eva/45-dns Normal file
View File

@ -0,0 +1,6 @@
&def_service(dns, dns, udp, 53);
&def_service(dns2, dns, tcp, 53);
&forward_to_service(dns, udp, 53);
&forward_to_service(dns2, tcp, 53);
&allow_service_for_all(dns);
&allow_service_for_all(dns2);