new services
This commit is contained in:
parent
a7d20af5ad
commit
7dbad8f884
13
ferm.conf
13
ferm.conf
@ -1,7 +1,9 @@
|
|||||||
@def $subnet = 10.100.0.0/16;
|
@def $subnet = 192.168.66.0/24;
|
||||||
@def $bridge = br0;
|
@def $bridge = br0;
|
||||||
|
@def $evenet = evenet;
|
||||||
@def $internet = "enp2s0";
|
@def $internet = "enp2s0";
|
||||||
@def $wanip = `ip a s enp2s0 | awk '{if($0 ~ "inet "){split($2,a,"/");print a[1]}}'`;
|
@def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
|
||||||
|
@def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
|
||||||
|
|
||||||
include 'ferm.d/functions';
|
include 'ferm.d/functions';
|
||||||
include `find ferm.d/services/*`;
|
include `find ferm.d/services/*`;
|
||||||
@ -16,6 +18,10 @@ domain (ip ip6) {
|
|||||||
table filter {
|
table filter {
|
||||||
chain FORWARD {
|
chain FORWARD {
|
||||||
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
|
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
|
||||||
|
|
||||||
|
# dn42 -> is filtered in dn42 container
|
||||||
|
interface $evenet outerface $evenet ACCEPT;
|
||||||
|
|
||||||
interface $bridge outerface $internet ACCEPT;
|
interface $bridge outerface $internet ACCEPT;
|
||||||
}
|
}
|
||||||
chain (INPUT FORWARD) {
|
chain (INPUT FORWARD) {
|
||||||
@ -23,8 +29,9 @@ domain (ip ip6) {
|
|||||||
interface lo ACCEPT;
|
interface lo ACCEPT;
|
||||||
protocol icmp ACCEPT;
|
protocol icmp ACCEPT;
|
||||||
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
|
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
|
||||||
|
|
||||||
|
LOG log-prefix "iptables reject:";
|
||||||
protocol tcp REJECT reject-with tcp-reset;
|
protocol tcp REJECT reject-with tcp-reset;
|
||||||
protocol udp REJECT reject-with icmp-port-unreachable;
|
|
||||||
REJECT reject-with icmp-port-unreachable;
|
REJECT reject-with icmp-port-unreachable;
|
||||||
}
|
}
|
||||||
chain OUTPUT policy ACCEPT;
|
chain OUTPUT policy ACCEPT;
|
||||||
|
@ -17,6 +17,7 @@
|
|||||||
domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port";
|
domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Forwards a public port to the given service
|
# Forwards a public port to the given service
|
||||||
@def &forward_to_service($service, $proto, $port) = {
|
@def &forward_to_service($service, $proto, $port) = {
|
||||||
domain (ip ip6) {
|
domain (ip ip6) {
|
||||||
@ -24,7 +25,6 @@
|
|||||||
table filter chain FORWARD jump @cat("allow_", $service);
|
table filter chain FORWARD jump @cat("allow_", $service);
|
||||||
|
|
||||||
table nat {
|
table nat {
|
||||||
|
|
||||||
# change destination address / port to the one of the container / service
|
# change destination address / port to the one of the container / service
|
||||||
chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
|
chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
|
||||||
}
|
}
|
||||||
@ -43,7 +43,6 @@
|
|||||||
domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service);
|
domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# ----------------
|
# ----------------
|
||||||
# currently unused
|
# currently unused
|
||||||
|
|
||||||
|
@ -1,6 +1,9 @@
|
|||||||
&def_service(web, web, tcp, 80);
|
&def_service(web, web, tcp, 80);
|
||||||
&def_service(webs, web, tcp, 443);
|
&def_service(webs, web, tcp, 443);
|
||||||
|
|
||||||
|
&allow_service_for_all(web);
|
||||||
|
&allow_service_for_all(webs);
|
||||||
&forward_to_service(web, tcp, 80);
|
&forward_to_service(web, tcp, 80);
|
||||||
&forward_to_service(webs, tcp, 443);
|
&forward_to_service(webs, tcp, 443);
|
||||||
|
|
||||||
&allow_service_for(ldap, web);
|
&allow_service_for(ldap, web);
|
||||||
|
@ -1,6 +1,10 @@
|
|||||||
# IKE negotiations
|
@def $dn42_ip4 = @resolve(dn42, A);
|
||||||
&def_service(ike, dn42, udp, 500);
|
@def $dn42_ip6 = @resolve(dn42, AAAA);
|
||||||
&forward_to_service(ike, udp, 500);
|
domain (ip ip6) table filter chain FORWARD proto udp dport 5001:5020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) interface $bridge ACCEPT;
|
||||||
# ESP encrypton and authentication
|
domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 5001:5020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
|
||||||
&def_service(esp, dn42, udp, 50);
|
|
||||||
&forward_to_service(esp, udp, 50);
|
# tinc
|
||||||
|
&def_service(evenet, dn42, udp, 666);
|
||||||
|
&forward_to_service(evenet, udp, 666);
|
||||||
|
&def_service(evenet, dn42, tcp, 666);
|
||||||
|
&forward_to_service(evenet, tcp, 666);
|
||||||
|
@ -1,10 +1,18 @@
|
|||||||
&def_service(dns, dns, udp, 53);
|
&def_service(dns, dns, udp, 53);
|
||||||
&def_service(dns-pub, dns, udp, 5353);
|
&def_service(dns2, dns, tcp, 53);
|
||||||
&def_service(dnsweb, dns, tcp, 80);
|
#&def_service(dns, dns1.evenet.dn42, udp, 53);
|
||||||
|
&forward_to_service(dns, udp, 53);
|
||||||
&forward_to_service(dns-pub, udp, 53);
|
&forward_to_service(dns2, tcp, 53);
|
||||||
|
|
||||||
&allow_service_for_all(dns);
|
&allow_service_for_all(dns);
|
||||||
&allow_service_for_all(dns);
|
&allow_service_for_all(dns2);
|
||||||
&allow_service_for(dnsweb, web);
|
|
||||||
&allow_service_for(postgres, dns);
|
chain FORWARD interface $evenet mod pkttype pkt-type (broadcast multicast) ACCEPT;
|
||||||
|
|
||||||
|
# chain to allow forwarding to the service
|
||||||
|
domain ip table filter chain FORWARD {
|
||||||
|
@def $dns1_ip4 = @resolve(dns1.evenet.dn42, A);
|
||||||
|
@def $dns2_ip4 = @resolve(dns2.evenet.dn42, A);
|
||||||
|
@def $ns1_ip4 = @resolve(ns1.evenet.dn42, A);
|
||||||
|
@def $ns2_ip4 = @resolve(ns2.evenet.dn42, A);
|
||||||
|
daddr ($dns1_ip4 $dns2_ip4 $ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;
|
||||||
|
}
|
||||||
|
@ -1,3 +1,11 @@
|
|||||||
|
@def $git_ip4 = @resolve(git, A);
|
||||||
|
@def $git_ip6 = @resolve(git, AAAA);
|
||||||
|
@def $web_ip4 = @resolve(web, A);
|
||||||
|
@def $web_ip6 = @resolve(web, AAAA);
|
||||||
|
# git.higgsboson.tk points to web
|
||||||
|
# therefore DNAT port ssh back to git
|
||||||
|
domain (ip ip6) table nat chain PREROUTING daddr @ipfilter(($web_ip4 $web_ip6)) proto tcp dport ssh DNAT to @ipfilter(($git_ip4 $git_ip6));
|
||||||
|
|
||||||
&def_service(git, git, tcp, 9000);
|
&def_service(git, git, tcp, 9000);
|
||||||
&allow_service_for(git, web);
|
&allow_service_for(git, web);
|
||||||
&allow_service_for(postgres, git);
|
&allow_service_for(postgres, git);
|
||||||
|
2
services/45-halfcode
Normal file
2
services/45-halfcode
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
&def_service(halfcode, halfcode, tcp, 9000);
|
||||||
|
&allow_service_for(halfcode, web);
|
2
services/45-phonefinder
Normal file
2
services/45-phonefinder
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
&def_service(phonefinder, phonefinder, tcp, 9000);
|
||||||
|
&allow_service_for(phonefinder, web);
|
2
services/70-terraria
Normal file
2
services/70-terraria
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
&def_service(terraria, terraria, tcp, 37757);
|
||||||
|
&forward_to_service(terraria, tcp, 37757);
|
Loading…
Reference in New Issue
Block a user