allow dn42 tunnel
This commit is contained in:
parent
3d9b4ad687
commit
60eaa1234b
|
@ -0,0 +1,42 @@
|
|||
@def $bridge = br0;
|
||||
@def $internet = ens3;
|
||||
@def $search_domain = "eva.higgsboson.tk";
|
||||
@def $public_ipv4 = `ip a s ens3 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
|
||||
@def $public_ipv6 = `ip a s ens3 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
|
||||
|
||||
include "ferm.d/functions";
|
||||
include `find ferm.d/services/*`;
|
||||
|
||||
domain (ip ip6) {
|
||||
table nat {
|
||||
chain PREROUTING policy ACCEPT;
|
||||
chain POSTROUTING policy ACCEPT;
|
||||
chain INPUT policy ACCEPT;
|
||||
chain OUTPUT policy ACCEPT;
|
||||
}
|
||||
table filter {
|
||||
chain FORWARD {
|
||||
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
|
||||
|
||||
# dn42 -> is filtered in dn42 container
|
||||
interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
|
||||
|
||||
interface $bridge outerface $internet ACCEPT;
|
||||
}
|
||||
chain (INPUT FORWARD) {
|
||||
policy DROP;
|
||||
interface lo ACCEPT;
|
||||
protocol icmp ACCEPT;
|
||||
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
|
||||
|
||||
LOG log-prefix "iptables reject:";
|
||||
protocol tcp REJECT reject-with tcp-reset;
|
||||
REJECT reject-with icmp-port-unreachable;
|
||||
}
|
||||
chain OUTPUT policy ACCEPT;
|
||||
}
|
||||
}
|
||||
|
||||
domain ip table nat {
|
||||
chain POSTROUTING outerface $internet MASQUERADE;
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
&allow_local(tcp, 22); # SSH
|
||||
&allow_local(udp, 60000:60010); # Mosh
|
|
@ -0,0 +1,10 @@
|
|||
@def $dn42_ip4 = @resolve(dn42, A);
|
||||
@def $dn42_ip6 = @resolve(ipv6.dn42.eva.higgsboson.tk, AAAA);
|
||||
domain (ip ip6) table filter chain FORWARD proto udp dport 6001:6020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) ACCEPT;
|
||||
domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 6001:6020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
|
||||
|
||||
&def_service(evenet, dn42, udp, 21);
|
||||
&forward_to_service(evenet, udp, 21);
|
||||
&forward_to_service(evenet, udp, 123);
|
||||
&def_service(evenet-tcp, dn42, tcp, 443);
|
||||
&forward_to_service(evenet-tcp, tcp, 443);
|
|
@ -0,0 +1,6 @@
|
|||
&def_service(dns, dns, udp, 53);
|
||||
&def_service(dns2, dns, tcp, 53);
|
||||
&forward_to_service(dns, udp, 53);
|
||||
&forward_to_service(dns2, tcp, 53);
|
||||
&allow_service_for_all(dns);
|
||||
&allow_service_for_all(dns2);
|
Loading…
Reference in New Issue