define IFG_PERIMETER_IP = 192.168.173.1
# ifg addresses (internal network)
-define IFG_USR_IP = 10.228.109.254
+define IFG_INTERNAL_IP = 10.228.109.254
+define IFG_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfe
define IFG_SR_IP = 192.168.42.254
define IFG_IN_IP = 192.168.43.254
# store address (internal network)
define STORE_INTERNAL_IP = 10.228.109.250
+define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68
# service address (internal network)
define SVC_INTERNAL_IP = 10.228.109.253
+define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
# vpn address (internal network)
define VPN_INTERNAL_IP = 10.228.109.236
# internal name server address (internal network)
define INS_INTERNAL_IP = 10.228.109.104
+define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
# worksheet address (internal network)
define WORKSHEET_SR_IP = 192.168.42.248
################################
# internal networks
-define USR_NET = 10.228.0.0/16
+define INTERNAL_NET = 10.228.0.0/16
+define INTERNAL_NET_IPV6 = 2a02:d400:0000:f268::/64
define SR_NET = 192.168.42.0/24
define IN_NET = 192.168.43.0/24
-define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+define INTERNAL_NETS = { $INTERNAL_NET, $SR_NET, $IN_NET }
# perimeter network
define PERIMETER_NET = 192.168.173.0/24
+define PERIMETER_NET_IPV6 = 2a02:d400:0000:f2ad::/64
# vpn client network
define VPN_NET = 172.16.223.0/24
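Review bot: The new IPv6 host addresses (`IFG_INTERNAL_IPV6`, `STORE_INTERNAL_IPV6`, `SVC_INTERNAL_IPV6`, `INS_INTERNAL_IPV6`) all carry the `ff:fe` marker in the middle of the interface identifier, which suggests they are EUI-64/SLAAC-derived from each host's MAC rather than statically assigned; if so, replacing a NIC silently changes the address and every host-specific rule keyed on these defines (the DNS rules further down this diff) stops matching. It is also worth confirming that those hosts have IPv6 privacy extensions disabled, since otherwise outbound traffic is sourced from temporary addresses that never match `$INS_INTERNAL_IPV6` / `$SVC_INTERNAL_IPV6`. Consider static or token-based addresses, or at least a comment above the block such as `# IPv6 host addresses are EUI-64 derived from the NIC MAC - re-check after hardware changes`.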
ct state established \
ip protocol udp \
iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \
- ip daddr $IFG_USR_IP udp dport 1024-65535 \
+ ip daddr $IFG_INTERNAL_IP udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+add rule inet ifg_filter input \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp sport 53 \
+ ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
add rule inet ifg_filter input \
iifname $PERIMETER_IF \
oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \
counter accept comment "Established sessions"
+add rule inet ifg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF \
+ oifname $INTERNAL_IF ip6 daddr $INTERNAL_NET_IPV6 \
+ counter accept comment "Established sessions"
add rule inet ifg_filter forward \
iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
counter accept comment "Internet access"
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF ip6 saddr $INTERNAL_NET_IPV6 \
+ oifname $PERIMETER_IF \
+ counter accept comment "Internet access"
add rule inet ifg_filter forward \
ct state new, established \
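Review bot: The IPv6 "Internet access" forward rule omits the perimeter-network exclusion that its IPv4 counterpart carries (`ip daddr != $PERIMETER_NET`), so internal IPv6 hosts can reach the perimeter segment through this rule while IPv4 hosts cannot; `PERIMETER_NET_IPV6` is defined in this same commit but never used. The line `oifname $PERIMETER_IF \` in that rule should become `oifname $PERIMETER_IF ip6 daddr != $PERIMETER_NET_IPV6 \`. Separately, the new IPv6 forward and input rules assume ICMPv6 (neighbour discovery, path-MTU discovery) is accepted elsewhere in the chains; only an IPv4 `ip protocol icmp` rule is visible in this diff, so confirm an `icmpv6` counterpart exists. The forward rule beginning at the last two context lines continues outside the hunk.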
add rule inet ifg_filter output \
ct state new \
ip protocol udp \
- ip saddr $IFG_USR_IP udp sport 1024-65535 \
+ ip saddr $IFG_INTERNAL_IP udp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \
counter accept comment "DNS requests"
+add rule inet ifg_filter output \
+ ct state new \
+ ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp dport 53 \
+ counter accept comment "DNS requests"
add rule inet ifg_filter output \
ip protocol icmp \