modify nodes and bundles for new nftables syntax
This commit is contained in:
parent
ecb67d012b
commit
d569b00960
GPG key ID:
12E3D2136B818350
30 changed files with 172 additions and 126 deletions
|
|
@ -55,7 +55,7 @@ nodes['home.nas'] = {
|
|||
'groups': {
|
||||
'nas': {},
|
||||
},
|
||||
'iptables': {
|
||||
'firewall': {
|
||||
'port_rules': {
|
||||
'4679': { # Dell ULNM
|
||||
'172.19.136.0/25',
|
||||
|
|
|
|||
|
|
@ -94,24 +94,27 @@ nodes['home.router'] = {
|
|||
'vars.notification.sms': True
|
||||
},
|
||||
|
||||
'iptables': {
|
||||
'custom_rules': [
|
||||
# This is a router. Allow forwarding traffic for internal networks.
|
||||
'iptables_both -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT',
|
||||
'iptables_both -A FORWARD -i enp1s0.23 -o ppp0 -j ACCEPT',
|
||||
'iptables_both -A FORWARD -i enp1s0.42 -j ACCEPT',
|
||||
'nftables': {
|
||||
'rules': {
|
||||
'forward': {
|
||||
'router': [
|
||||
# This is a router. Allow forwarding traffic for internal networks.
|
||||
'ct state { related, established } accept',
|
||||
'iif enp1s0.23 oif ppp0 accept',
|
||||
'iif enp1s0.42 accept',
|
||||
|
||||
# External port 2022 should be home.nas
|
||||
'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22',
|
||||
'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT',
|
||||
|
||||
# use MASQUERADE for tun0 (c3voc)
|
||||
'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',
|
||||
|
||||
# yaaaaay, IPv6! No NAT!
|
||||
'ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT',
|
||||
'ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT',
|
||||
],
|
||||
# yaaaaay, IPv6! No NAT!
|
||||
'ip6 nexthdr ipv6-icmp accept',
|
||||
'tcp dport 22 accept',
|
||||
],
|
||||
},
|
||||
'nat_prerouting': [
|
||||
'tcp dport 2022 dnat 172.19.138.20:22',
|
||||
],
|
||||
'nat_postrouting': [
|
||||
'oif tun0 masquerade',
|
||||
],
|
||||
},
|
||||
},
|
||||
'netdata': {
|
||||
'restrict-to': {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue