################################
# loopback address
-define LOOPBACK_IP = 127.0.0.1
+define LOOPBACK_IPV4 = 127.0.0.1
# public addresses
-define PUBLIC_EFG_IP = 37.220.137.97
-define PUBLIC_MX_IP = 37.220.137.98
-define PUBLIC_NS_IP = 37.220.137.99
-define PUBLIC_VPN_IP = 37.220.137.100
-define PUBLIC_WS_IP = 37.220.137.101
-define PUBLIC_MINECRAFT_IP = 37.220.137.102
-define PUBLIC_IP_103 = 37.220.137.103
-define PUBLIC_IP_104 = 37.220.137.104
-define PUBLIC_IP_105 = 37.220.137.105
-define PUBLIC_IP_106 = 37.220.137.106
-define PUBLIC_IP_107 = 37.220.137.107
-define PUBLIC_DL360E_IP = 37.220.137.108
-define PUBLIC_DL380E_IP = 37.220.137.109
+define PUBLIC_EFG_IPV4 = 37.220.137.97
+define PUBLIC_MX_IPV4 = 37.220.137.98
+define PUBLIC_NS_IPV4 = 37.220.137.99
+define PUBLIC_VPN_IPV4 = 37.220.137.100
+define PUBLIC_WS_IPV4 = 37.220.137.101
+define PUBLIC_MINECRAFT_IPV4 = 37.220.137.102
+define PUBLIC_IPV4_103 = 37.220.137.103
+define PUBLIC_IPV4_104 = 37.220.137.104
+define PUBLIC_IPV4_105 = 37.220.137.105
+define PUBLIC_IPV4_106 = 37.220.137.106
+define PUBLIC_IPV4_107 = 37.220.137.107
+define PUBLIC_DL360E_IPV4 = 37.220.137.108
+define PUBLIC_DL380E_IPV4 = 37.220.137.109
# efg address (perimeter network)
-define EFG_PERIMETER_IP = 192.168.173.254
+define EFG_PERIMETER_IPV4 = 192.168.173.254
# service address (perimeter network)
-#define SVC_PERIMETER_IP = 192.168.173.253
+#define SVC_PERIMETER_IPV4 = 192.168.173.253
# transfer web server address (perimeter network)
-define XFR_PERIMETER_IP = 192.168.173.251
+define XFR_PERIMETER_IPV4 = 192.168.173.251
# subversion address (perimeter network)
-#define SVN_PERIMETER_IP = 192.168.173.250
+#define SVN_PERIMETER_IPV4 = 192.168.173.250
# web server address (perimeter network)
-define WS_PERIMETER_IP = 192.168.173.249
+define WS_PERIMETER_IPV4 = 192.168.173.249
# perimeter name server address (perimeter network)
-define PNS_PERIMETER_IP = 192.168.173.174
+define PNS_PERIMETER_IPV4 = 192.168.173.174
# external name server address (perimeter network)
-define ENS_PERIMETER_IP = 192.168.173.64
+define ENS_PERIMETER_IPV4 = 192.168.173.64
# ifg address (perimeter network)
-define IFG_PERIMETER_IP = 192.168.173.1
+define IFG_PERIMETER_IPV4 = 192.168.173.1
# ifg addresses (internal network)
-define IFG_INTERNAL_IP = 10.228.109.254
+define IFG_INTERNAL_IPV4 = 10.228.109.254
define IFG_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfe
-define IFG_SR_IP = 192.168.42.254
-define IFG_IN_IP = 192.168.43.254
+define IFG_SR_IPV4 = 192.168.42.254
+define IFG_IN_IPV4 = 192.168.43.254
# dvredmine address (internal network)
-define DVREDMINE_INTERNAL_IP = 10.228.62.193
+define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
# minicrm address (internal network)
-define MINICRM_INTERNAL_IP = 10.228.109.133
+define MINICRM_INTERNAL_IPV4 = 10.228.109.133
# store address (internal network)
-define STORE_INTERNAL_IP = 10.228.109.250
+define STORE_INTERNAL_IPV4 = 10.228.109.250
define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68
# service address (internal network)
-define SVC_INTERNAL_IP = 10.228.109.253
+define SVC_INTERNAL_IPV4 = 10.228.109.253
define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
# vpn address (internal network)
-define VPN_INTERNAL_IP = 10.228.109.236
+define VPN_INTERNAL_IPV4 = 10.228.109.236
# primary name server address (internal network)
-define PNS_INTERNAL_IP = 10.228.109.174
+define PNS_INTERNAL_IPV4 = 10.228.109.174
# internal name server address (internal network)
-define INS_INTERNAL_IP = 10.228.109.104
+define INS_INTERNAL_IPV4 = 10.228.109.104
define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
# worksheet address (internal network)
-define WORKSHEET_SR_IP = 192.168.42.248
+define WORKSHEET_SR_IPV4 = 192.168.42.248
################################
# network definitions
################################
# internal networks
-define INTERNAL_NET = 10.228.0.0/16
-define INTERNAL_NET_IPV6 = 2a02:d400:0000:f268::/64
-define SR_NET = 192.168.42.0/24
-define IN_NET = 192.168.43.0/24
-define INTERNAL_NETS = { $INTERNAL_NET, $SR_NET, $IN_NET }
+define INTERNAL_IPV4_NET = 10.228.0.0/16
+define INTERNAL_IPV6_NET = 2a02:d400:0000:f268::/64
+define SR_IPV4_NET = 192.168.42.0/24
+define IN_IPV4_NET = 192.168.43.0/24
+define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, $SR_IPV4_NET, $IN_IPV4_NET }
# perimeter network
define PERIMETER_NET = 192.168.173.0/24
-define PERIMETER_NET_IPV6 = 2a02:d400:0000:f2ad::/64
+define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64
# vpn client network
define VPN_NET = 172.16.223.0/24
# reset nftables
################################
-create table inet ifg_filter
+create table ip ifg_filter
create table ip ifg_nat
+create table ip6 ifg_filter
-create chain inet ifg_filter input { type filter hook input priority 0; policy drop; }
-create chain inet ifg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain inet ifg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip ifg_filter input { type filter hook input priority 0; policy drop; }
+create chain ip ifg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip ifg_filter output { type filter hook output priority 0; policy drop; }
create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+create chain ip6 ifg_filter input { type filter hook input priority 0; policy drop; }
+create chain ip6 ifg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip6 ifg_filter output { type filter hook output priority 0; policy drop; }
################################
add rule ip ifg_nat prerouting \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
- ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
- counter dnat $WS_PERIMETER_IP comment "Webserver access"
+ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
+ ip daddr $PUBLIC_WS_IPV4 tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
################################
# FILTER input rules
################################
-add rule inet ifg_filter input \
+add rule ip ifg_filter input \
ct state established \
ip protocol udp \
- iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \
- ip daddr $IFG_INTERNAL_IP udp dport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp sport 53 \
+ ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \
counter accept comment "DNS replies"
-add rule inet ifg_filter input \
+add rule ip6 ifg_filter input \
ct state established \
iifname $INTERNAL_IF ip6 saddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp sport 53 \
ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
-add rule inet ifg_filter input \
+add rule ip ifg_filter input \
ip protocol icmp \
counter accept comment "ICMP"
-add rule inet ifg_filter input \
+add rule ip6 ifg_filter input \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule inet ifg_filter input \
+add rule ip ifg_filter input \
ip protocol gre \
counter accept comment "GRE"
-add rule inet ifg_filter input \
+add rule ip ifg_filter input \
+ counter log prefix "INPUT"
+add rule ip6 ifg_filter input \
counter log prefix "INPUT"
# FILTER forward rules
################################
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state established, related \
iifname $PERIMETER_IF \
- oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \
+ oifname $INTERNAL_IF ip daddr $INTERNAL_IPV4_NETS \
counter accept comment "Established sessions"
-add rule inet ifg_filter forward \
+add rule ip6 ifg_filter forward \
ct state established, related \
iifname $PERIMETER_IF \
- oifname $INTERNAL_IF ip6 daddr $INTERNAL_NET_IPV6 \
+ oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \
counter accept comment "Established sessions"
-add rule inet ifg_filter forward \
- iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+add rule ip ifg_filter forward \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
counter accept comment "Internet access"
-add rule inet ifg_filter forward \
- iifname $INTERNAL_IF ip6 saddr $INTERNAL_NET_IPV6 \
+add rule ip6 ifg_filter forward \
+ iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \
oifname $PERIMETER_IF \
counter accept comment "Internet access"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state new, established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
counter accept comment "Webserver access"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state new \
ip protocol udp \
- iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 53 \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \
counter accept comment "DNS zone notification"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state new \
ip protocol tcp \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IP tcp dport 53 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IPV4 tcp dport 53 \
counter accept comment "DNS zone transfer requests"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP tcp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "DNS zone transfer replies"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ip protocol udp \
iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
counter accept comment "Incoming VPN traffic"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
iifname $INTERNAL_IF \
oifname $INTERNAL_IF \
counter accept comment "Internal traffic"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ip protocol tcp \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IP tcp dport 80 \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IPV4 tcp dport 80 \
counter accept comment "Redmine requests"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IP tcp sport 80 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IPV4 tcp sport 80 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Redmine replies"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ip protocol tcp \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IP tcp dport 8080 \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \
counter accept comment "MiniCRM requests"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IP tcp sport 8080 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "MiniCRM replies"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ip protocol tcp \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IP tcp dport 8079 \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \
counter accept comment "Worksheet requests"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IP tcp sport 8079 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IPV4 tcp sport 8079 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Worksheet replies"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
ip protocol icmp \
counter accept comment "ICMP"
-add rule inet ifg_filter forward \
+add rule ip6 ifg_filter forward \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule inet ifg_filter forward \
+add rule ip ifg_filter forward \
+ counter log prefix "FORWARD"
+add rule ip6 ifg_filter forward \
counter log prefix "FORWARD"
# FILTER output rules
################################
-add rule inet ifg_filter output \
+add rule ip ifg_filter output \
ct state new \
ip protocol udp \
- ip saddr $IFG_INTERNAL_IP udp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \
+ ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp dport 53 \
counter accept comment "DNS requests"
-add rule inet ifg_filter output \
+add rule ip6 ifg_filter output \
ct state new \
ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
oifname $INTERNAL_IF ip6 daddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp dport 53 \
counter accept comment "DNS requests"
-add rule inet ifg_filter output \
+add rule ip ifg_filter output \
ip protocol icmp \
counter accept comment "ICMP"
-add rule inet ifg_filter output \
+add rule ip6 ifg_filter output \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule inet ifg_filter output \
+add rule ip ifg_filter output \
+ counter log prefix "OUTPUT"
+add rule ip6 ifg_filter output \
counter log prefix "OUTPUT"
https://git.useribm.hu / user-lxc.git / commitdiff