define IFG_SR_IPV4 = 192.168.42.254
define IFG_IN_IPV4 = 192.168.43.254
-# service address (internal network)
-define SVC_INTERNAL_IPV4 = 10.228.109.253
-define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
-
# store address (internal network)
define STORE_INTERNAL_IPV4 = 10.228.109.250
define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68
define SNS_INTERNAL_IPV4 = 10.228.109.204
define SNS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dcc
-# primary name server address (internal network)
-define PNS_INTERNAL_IPV4 = 10.228.109.174
+# public key infrastructure server address (internal network)
+define PKI_INTERNAL_IPV4 = 10.228.109.171
+define PKI_INTERNAL_IPV6 = 2a02:d400:0:f268:c:18ff:fe03:6dab
# name server 1 address (internal network)
define NS1_INTERNAL_IPV4 = 10.228.109.159
# minicrm address (internal network)
define MINICRM_INTERNAL_IPV4 = 10.228.109.133
-# internal name server address (internal network)
-define INS_INTERNAL_IPV4 = 10.228.109.104
-define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
-
# name server 2 address (internal network)
define NS2_INTERNAL_IPV4 = 10.228.92.159
define NS2_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:5c9f
# reset nftables
################################
-create table ip ifg_filter
-create table ip ifg_nat
-create table ip6 ifg_filter
+create table ip ifg-filter
+create table ip ifg-nat
+create table ip6 ifg-filter
-create chain ip ifg_filter input { type filter hook input priority 0; policy drop; }
-create chain ip ifg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain ip ifg_filter output { type filter hook output priority 0; policy drop; }
-create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
-create chain ip6 ifg_filter input { type filter hook input priority 0; policy drop; }
-create chain ip6 ifg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain ip6 ifg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip ifg-filter input { type filter hook input priority 0; policy drop; }
+create chain ip ifg-filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip ifg-filter output { type filter hook output priority 0; policy drop; }
+create chain ip ifg-nat prerouting { type nat hook prerouting priority 0; policy accept; }
+create chain ip6 ifg-filter input { type filter hook input priority 0; policy drop; }
+create chain ip6 ifg-filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip6 ifg-filter output { type filter hook output priority 0; policy drop; }
################################
# NAT prerouting rules
################################
-add rule ip ifg_nat prerouting \
+add rule ip ifg-nat prerouting \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
ip daddr $PUBLIC_WS_IPV4 tcp dport $WS_PORTS \
# FILTER input rules
################################
-add rule ip ifg_filter input \
+add rule ip ifg-filter input \
ct state established \
ip protocol udp \
iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp sport 53 \
ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \
counter accept comment "DNS replies"
-add rule ip6 ifg_filter input \
+add rule ip6 ifg-filter input \
ct state established \
iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp sport 53 \
ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
-add rule ip ifg_filter input \
+add rule ip ifg-filter input \
ip protocol icmp \
counter accept comment "ICMP"
-add rule ip6 ifg_filter input \
+add rule ip6 ifg-filter input \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule ip ifg_filter input \
+add rule ip ifg-filter input \
ip protocol gre \
counter accept comment "GRE"
-add rule ip ifg_filter input \
+add rule ip ifg-filter input \
counter log prefix "INPUT"
-add rule ip6 ifg_filter input \
+add rule ip6 ifg-filter input \
counter log prefix "INPUT"
# FILTER forward rules
################################
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state established, related \
iifname $PERIMETER_IF \
oifname $INTERNAL_IF ip daddr $INTERNAL_IPV4_NETS \
counter accept comment "Established sessions"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
ct state established, related \
iifname $PERIMETER_IF \
oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \
counter accept comment "Established sessions"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
counter accept comment "Internet access"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \
oifname $PERIMETER_IF \
counter accept comment "Internet access"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state new, established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
counter accept comment "Webserver access"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state new, established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $SSH_PORT \
counter accept comment "Webserver SSH access"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state new \
ip protocol udp \
iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \
counter accept comment "DNS zone notification"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
ct state new \
iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 udp sport 1024-65535 \
oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } udp dport 53 \
counter accept comment "DNS zone notification"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state new \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport 53 \
counter accept comment "DNS zone transfer requests"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
ct state new \
iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \
oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport 53 \
counter accept comment "DNS zone transfer requests"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "DNS zone transfer replies"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
ct state established \
iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport 53 \
oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \
counter accept comment "DNS zone transfer replies"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ip protocol udp \
iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
counter accept comment "Incoming VPN traffic"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \
+ counter accept comment "Webserver letsencrypt transfer requests"
+add rule ip6 ifg-filter forward \
+ iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \
+ counter accept comment "Webserver letsencrypt transfer requests"
+
+add rule ip ifg-filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
+ counter accept comment "Webserver letsencrypt transfer replies"
+add rule ip6 ifg-filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \
+ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
+ counter accept comment "Webserver letsencrypt transfer replies"
+
+add rule ip ifg-filter forward \
iifname $INTERNAL_IF \
oifname $INTERNAL_IF \
counter accept comment "Internal traffic"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport 80 \
counter accept comment "Store requests"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
oifname $INTERNAL_IF ip6 daddr $STORE_INTERNAL_IPV6 tcp dport 80 \
counter accept comment "Store requests"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $STORE_INTERNAL_IPV4 tcp sport 80 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Store replies"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
ct state established \
iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \
oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
counter accept comment "Store replies"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $WIKI_INTERNAL_IPV4 tcp dport 80 \
counter accept comment "Wiki requests"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
oifname $INTERNAL_IF ip6 daddr $WIKI_INTERNAL_IPV6 tcp dport 80 \
counter accept comment "Wiki requests"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $WIKI_INTERNAL_IPV4 tcp sport 80 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Wiki replies"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
ct state established \
iifname $INTERNAL_IF ip6 saddr $WIKI_INTERNAL_IPV6 tcp sport 80 \
oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
counter accept comment "Wiki replies"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IPV4 tcp dport 80 \
counter accept comment "Redmine requests"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IPV4 tcp sport 80 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Redmine replies"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \
counter accept comment "MiniCRM requests"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "MiniCRM replies"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \
counter accept comment "Worksheet requests"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ct state established \
ip protocol tcp \
iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IPV4 tcp sport 8079 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Worksheet replies"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
ip protocol icmp \
counter accept comment "ICMP"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule ip ifg_filter forward \
+add rule ip ifg-filter forward \
counter log prefix "FORWARD"
-add rule ip6 ifg_filter forward \
+add rule ip6 ifg-filter forward \
counter log prefix "FORWARD"
# FILTER output rules
################################
-add rule ip ifg_filter output \
+add rule ip ifg-filter output \
ct state new \
ip protocol udp \
ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \
oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp dport 53 \
counter accept comment "DNS requests"
-add rule ip6 ifg_filter output \
+add rule ip6 ifg-filter output \
ct state new \
ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp dport 53 \
counter accept comment "DNS requests"
-add rule ip ifg_filter output \
+add rule ip ifg-filter output \
ip protocol icmp \
counter accept comment "ICMP"
-add rule ip6 ifg_filter output \
+add rule ip6 ifg-filter output \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule ip ifg_filter output \
+add rule ip ifg-filter output \
counter log prefix "OUTPUT"
-add rule ip6 ifg_filter output \
+add rule ip6 ifg-filter output \
counter log prefix "OUTPUT"
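Review bot: The two new "Webserver letsencrypt transfer requests" rules open a connection path from the perimeter webserver into the internal PKI host on the plain rsync daemon port, so a compromised DMZ webserver gains a reachable internal service, and if the transfer carries Let's Encrypt private keys as the comment suggests, they cross the gateway in cleartext because rsyncd on 873 has no transport encryption. Consider inverting the flow so the PKI host pushes to the webserver over rsync-over-SSH (internal to perimeter, using the existing `$SSH_PORT`), which removes the inbound DMZ-to-internal allow entirely; the returning packets are then already covered by the "Established sessions" forward rule, provided `$PKI_INTERNAL_IPV4`/`$PKI_INTERNAL_IPV6` fall inside `$INTERNAL_IPV4_NETS`/`$INTERNAL_IPV6_NET`. If the pull direction must stay, add `ct state new` to both request rules, as the "DNS zone transfer requests" rules already do, so only connection-opening packets match and the `ct state established` reply rules carry the rest. Two smaller points: the IPv4 request rule omits the `ip protocol tcp` match its siblings carry (redundant next to `tcp sport`, but inconsistent), and `tcp dport rsync` depends on the host's services database resolving the name at load time, so spelling it `873` avoids a surprise on a minimal system. The file may continue beyond this excerpt.
```nftables
add rule ip ifg-filter forward \
    ct state new \
    ip protocol tcp \
    iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport 1024-65535 \
    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $SSH_PORT \
    counter accept comment "PKI letsencrypt push (rsync over SSH)"
add rule ip6 ifg-filter forward \
    ct state new \
    iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport 1024-65535 \
    oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport $SSH_PORT \
    counter accept comment "PKI letsencrypt push (rsync over SSH)"
# … replies perimeter -> internal already matched by the "Established sessions" rules …
```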