define WS_PERIMETER_IPV4 = 192.168.173.249
define WS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adf9
+# subversion server address (perimeter network)
+define SVN_PERIMETER_IPV4 = 192.168.173.212
+define SVN_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:add4
+
# perimeter name server address (perimeter network)
define PNS_PERIMETER_IPV4 = 192.168.173.174
define PNS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adae
+# mercurial server address (perimeter network)
+define HG_PERIMETER_IPV4 = 192.168.173.87
+define HG_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad57
+
+# git server address (perimeter network)
+define GIT_PERIMETER_IPV4 = 192.168.173.79
+define GIT_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad4f
+
# external name server address (perimeter network)
define ENS_PERIMETER_IPV4 = 192.168.173.64
define ENS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad40
# minicrm address (internal network)
define MINICRM_INTERNAL_IPV4 = 10.228.109.133
+# fedora directory server address (internal network)
+define FDS_INTERNAL_IPV4 = 10.228.109.64
+define FDS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d40
+
# name server 2 address (internal network)
define NS2_INTERNAL_IPV4 = 10.228.92.159
define NS2_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:5c9f
define INTERNAL_IPV6_NET = 2a02:d400:0000:f268::/64
define SR_IPV4_NET = 192.168.42.0/24
define IN_IPV4_NET = 192.168.43.0/24
-define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, $SR_IPV4_NET, $IN_IPV4_NET }
+define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \
+ $SR_IPV4_NET, \
+ $IN_IPV4_NET }
# perimeter network
define PERIMETER_NET = 192.168.173.0/24
################################
#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
-define SSH_PORT = 22
-define WS_PORTS = { 80, 443 }
+define FDS_PORTS = { ldap, ldaps }
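Review bot: The new `FDS_PORTS` define on this line is not referenced by the rules it was evidently added for — all four "Git, mercurial and subversion directory server" rules further down spell the set out literally as `{ ldap, ldaps }` (once as `{ldap, ldaps }`), so the LDAP port list now lives in five places; those rules should read `tcp dport $FDS_PORTS` and `tcp sport $FDS_PORTS`. In the same step `SSH_PORT` and `WS_PORTS` are deleted and their visible uses rewritten to `ssh` and `{ http, https }`; if either variable is still referenced in a part of the file outside this diff, `nft -f` rejects the whole ruleset with an undefined-symbol error, so the full file should be checked for remaining `$SSH_PORT` / `$WS_PORTS` before merging. The commented-out `MX_PORTS` line above is untouched and could be dropped or converted to the same service-name style if it is ever revived.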
################################
add rule ip ifg-nat prerouting \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- ip daddr $PUBLIC_WS_IPV4 tcp dport $WS_PORTS \
+ ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
add rule ip ifg-filter input \
ct state established \
ip protocol udp \
- iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp sport 53 \
+ iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, \
+ $NS2_INTERNAL_IPV4 } udp sport domain \
ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \
counter accept comment "DNS replies"
add rule ip6 ifg-filter input \
ct state established \
- iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp sport 53 \
+ iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, \
+ $NS2_INTERNAL_IPV6 } udp sport domain \
ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
ct state new, established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
counter accept comment "Webserver access"
add rule ip ifg-filter forward \
ct state new, established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $SSH_PORT \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport ssh \
counter accept comment "Webserver SSH access"
add rule ip ifg-filter forward \
ct state new \
ip protocol udp \
iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \
- counter accept comment "DNS zone notification"
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, \
+ $PNS_PERIMETER_IPV4 } udp dport domain \
+ counter accept comment "DNS zone notifications"
add rule ip6 ifg-filter forward \
ct state new \
iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } udp dport 53 \
- counter accept comment "DNS zone notification"
+ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, \
+ $PNS_PERIMETER_IPV6 } udp dport domain \
+ counter accept comment "DNS zone notifications"
add rule ip ifg-filter forward \
ct state new \
ip protocol tcp \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport 53 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, \
+ $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport domain \
counter accept comment "DNS zone transfer requests"
add rule ip6 ifg-filter forward \
ct state new \
- iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport 53 \
+ iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, \
+ $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport domain \
counter accept comment "DNS zone transfer requests"
add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport domain \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, \
+ $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "DNS zone transfer replies"
add rule ip6 ifg-filter forward \
ct state established \
- iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport 53 \
- oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport domain \
+ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, \
+ $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \
counter accept comment "DNS zone transfer replies"
add rule ip ifg-filter forward \
oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
counter accept comment "Incoming VPN traffic"
-add rule ip ifg-filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \
- counter accept comment "Webserver letsencrypt transfer requests"
-add rule ip6 ifg-filter forward \
- iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \
- counter accept comment "Webserver letsencrypt transfer requests"
-
-add rule ip ifg-filter forward \
- ct state established \
- iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Webserver letsencrypt transfer replies"
-add rule ip6 ifg-filter forward \
- ct state established \
- iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \
- oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Webserver letsencrypt transfer replies"
-
add rule ip ifg-filter forward \
iifname $INTERNAL_IF \
oifname $INTERNAL_IF \
add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport 80 \
- counter accept comment "Store requests"
+ oifname $INTERNAL_IF ip daddr { $DVREDMINE_INTERNAL_IPV4, \
+ $STORE_INTERNAL_IPV4, \
+ $WIKI_INTERNAL_IPV4 } tcp dport http \
+ counter accept comment "Redmine, store and wiki requests"
add rule ip6 ifg-filter forward \
iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $STORE_INTERNAL_IPV6 tcp dport 80 \
- counter accept comment "Store requests"
+ oifname $INTERNAL_IF ip6 daddr { $STORE_INTERNAL_IPV6, \
+ $WIKI_INTERNAL_IPV6 } tcp dport http \
+ counter accept comment "Store and wiki requests"
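Review bot: The ip daddr set of the "Redmine, store and wiki requests" rule includes `$DVREDMINE_INTERNAL_IPV4`, while the ip6 counterpart lists only `$STORE_INTERNAL_IPV6` and `$WIKI_INTERNAL_IPV6`; the comments reflect the difference and the removed Redmine rule was IPv4-only as well, so this is presumably intentional. If Redmine indeed has no IPv6 address, a one-line comment above the ip6 rule such as `# redmine is reachable over IPv4 only` would keep a later reader from reading the asymmetry as an omission and "fixing" it. The same asymmetry recurs in the matching replies rules below.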
add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $STORE_INTERNAL_IPV4 tcp sport 80 \
+ iifname $INTERNAL_IF ip saddr { $DVREDMINE_INTERNAL_IPV4, \
+ $STORE_INTERNAL_IPV4, \
+ $WIKI_INTERNAL_IPV4 } tcp sport http \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Store replies"
+ counter accept comment "Redmine, store and wiki replies"
add rule ip6 ifg-filter forward \
ct state established \
- iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \
+ iifname $INTERNAL_IF ip6 saddr { $STORE_INTERNAL_IPV6, \
+ $WIKI_INTERNAL_IPV6 } tcp sport http \
oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Store replies"
+ counter accept comment "Store and wiki replies"
add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $WIKI_INTERNAL_IPV4 tcp dport 80 \
- counter accept comment "Wiki requests"
-add rule ip6 ifg-filter forward \
- iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $WIKI_INTERNAL_IPV6 tcp dport 80 \
- counter accept comment "Wiki requests"
+ oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \
+ counter accept comment "MiniCRM requests"
add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $WIKI_INTERNAL_IPV4 tcp sport 80 \
+ iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Wiki replies"
-add rule ip6 ifg-filter forward \
- ct state established \
- iifname $INTERNAL_IF ip6 saddr $WIKI_INTERNAL_IPV6 tcp sport 80 \
- oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Wiki replies"
+ counter accept comment "MiniCRM replies"
add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IPV4 tcp dport 80 \
- counter accept comment "Redmine requests"
+ oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \
+ counter accept comment "Worksheet requests"
add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IPV4 tcp sport 80 \
+ iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IPV4 tcp sport 8079 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Redmine replies"
+ counter accept comment "Worksheet replies"
add rule ip ifg-filter forward \
- ip protocol tcp \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \
- counter accept comment "MiniCRM requests"
+ iifname $PERIMETER_IF ip saddr { $GIT_PERIMETER_IPV4, \
+ $HG_PERIMETER_IPV4, \
+ $SVN_PERIMETER_IPV4 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $FDS_INTERNAL_IPV4 tcp dport { ldap, ldaps } \
+ counter accept comment "Git, mercurial and subversion directory server requests"
+add rule ip6 ifg-filter forward \
+ iifname $PERIMETER_IF ip6 saddr { $GIT_PERIMETER_IPV6, \
+ $HG_PERIMETER_IPV6, \
+ $SVN_PERIMETER_IPV6 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $FDS_INTERNAL_IPV6 tcp dport { ldap, ldaps } \
+ counter accept comment "Git, mercurial and subversion directory server requests"
add rule ip ifg-filter forward \
ct state established \
- ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "MiniCRM replies"
+ iifname $INTERNAL_IF ip saddr $FDS_INTERNAL_IPV4 tcp sport { ldap, ldaps } \
+ oifname $PERIMETER_IF ip daddr { $GIT_PERIMETER_IPV4, \
+ $HG_PERIMETER_IPV4, \
+ $SVN_PERIMETER_IPV4 } tcp dport 1024-65535 \
+ counter accept comment "Git, mercurial and subversion directory server replies"
+add rule ip6 ifg-filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $FDS_INTERNAL_IPV6 tcp sport {ldap, ldaps } \
+ oifname $PERIMETER_IF ip6 daddr { $GIT_PERIMETER_IPV6, \
+ $HG_PERIMETER_IPV6, \
+ $SVN_PERIMETER_IPV6 } tcp dport 1024-65535 \
+ counter accept comment "Git, mercurial and subversion directory server replies"
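Review bot: The two new "Git, mercurial and subversion directory server requests" rules (ip and ip6) carry no `ct state` match, so they accept packets from the git/hg/svn hosts towards `$FDS_INTERNAL_IPV4` / `$FDS_INTERNAL_IPV6` on ldap/ldaps in any conntrack state, including `invalid`, while the corresponding replies rules are limited to `established`; the file's other request rules ("DNS zone notifications", "DNS zone transfer requests") use `ct state new`, and adding `ct state new \` to both new request rules keeps the forward path stateful in both directions. The re-added "Webserver letsencrypt transfer requests" rules just below have the same gap, as did the rules they replace. The ip6 replies rule spells its set as `{ldap, ldaps }`; `{ ldap, ldaps }` or `$FDS_PORTS` matches the rest of the file. Dropping `ip protocol tcp` from these ip rules is harmless because `tcp sport`/`tcp dport` already imply the tcp l4proto dependency, but it now differs from the neighbouring "Worksheet" rules that keep it.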
add rule ip ifg-filter forward \
- ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \
- counter accept comment "Worksheet requests"
+ oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \
+ counter accept comment "Webserver letsencrypt transfer requests"
+add rule ip6 ifg-filter forward \
+ iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \
+ counter accept comment "Webserver letsencrypt transfer requests"
add rule ip ifg-filter forward \
ct state established \
- ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IPV4 tcp sport 8079 \
+ iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Worksheet replies"
+ counter accept comment "Webserver letsencrypt transfer replies"
+add rule ip6 ifg-filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \
+ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
+ counter accept comment "Webserver letsencrypt transfer replies"
add rule ip ifg-filter forward \
ip protocol icmp \
ct state new \
ip protocol udp \
ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp dport 53 \
+ oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, \
+ $NS2_INTERNAL_IPV4 } udp dport domain \
counter accept comment "DNS requests"
add rule ip6 ifg-filter output \
ct state new \
ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp dport 53 \
+ oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, \
+ $NS2_INTERNAL_IPV6 } udp dport domain \
counter accept comment "DNS requests"
add rule ip ifg-filter output \