ip daddr $PUBLIC_TELEKOM_VPN_IP udp dport 1194 \
counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (TELEKOM)"
+#add rule ip efg_nat prerouting \
+# iifname $EXTERNAL_ACE_IF \
+# ip daddr $PUBLIC_ACE_MX_IP tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+
#add rule ip efg_nat prerouting \
# iifname $EXTERNAL_TELEKOM_IF \
# ip daddr $PUBLIC_TELEKOM_MX_IP tcp dport $MX_PORTS \
# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+add rule ip efg_nat prerouting \
+ iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
+ ip daddr $PUBLIC_ACE_NS_IP udp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+
add rule ip efg_nat prerouting \
iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
ip daddr $PUBLIC_TELEKOM_NS_IP udp dport 53 \
counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+add rule ip efg_nat prerouting \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_ACE_NS_IP tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+
add rule ip efg_nat prerouting \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
ip daddr $PUBLIC_TELEKOM_NS_IP tcp dport 53 \
counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+add rule ip efg_nat prerouting \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_ACE_WS_IP tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+
add rule ip efg_nat prerouting \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
ip daddr $PUBLIC_TELEKOM_WS_IP tcp dport $WS_PORTS \
oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
counter accept comment "Incoming VPN traffic (TELEKOM)"
+add rule ip efg_filter forward \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ counter accept comment "Incoming http(s) requests (ACE)"
+
add rule ip efg_filter forward \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
- counter accept comment "Incoming http(s) requests"
+ counter accept comment "Incoming http(s) requests (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
+ oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing http(s) replies (ACE)"
add rule ip efg_filter forward \
ct state established \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing http(s) replies"
+ counter accept comment "Outgoing http(s) replies (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
add rule ip efg_filter forward \
iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
- counter accept comment "Incoming DNS requests/notifications (udp)"
+ counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (udp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (udp)"
+ counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ counter accept comment "Incoming DNS requests (tcp) (ACE)"
add rule ip efg_filter forward \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
- counter accept comment "Incoming DNS requests (tcp)"
+ counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (tcp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (tcp)"
+ counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ oifname $EXTERNAL_ACE_IF udp dport 53 \
+ counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
add rule ip efg_filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
- counter accept comment "Outgoing DNS requests/notifications (udp)"
+ counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_ACE_IF udp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (udp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (udp)"
+ counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ oifname $EXTERNAL_ACE_IF tcp dport 53 \
+ counter accept comment "Outgoing DNS requests (tcp) (ACE)"
add rule ip efg_filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
- counter accept comment "Outgoing DNS requests (tcp)"
+ counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_ACE_IF tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ counter accept comment "Incoming DNS replies (tcp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (tcp)"
+ counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
+
+add rule ip efg_filter forward \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $EXTERNAL_ACE_IF tcp dport $WS_PORTS \
+ counter accept comment "Outgoing let's encrypt requests (ACE)"
add rule ip efg_filter forward \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF tcp dport $WS_PORTS \
- counter accept comment "Outgoing let's encrypt requests"
+ counter accept comment "Outgoing let's encrypt requests (TELEKOM)"
+
+add rule ip efg_filter forward \
+ ct state established \
+ iifname $EXTERNAL_ACE_IF tcp sport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Incoming let's encrypt replies (ACE)"
add rule ip efg_filter forward \
ct state established \
iifname $EXTERNAL_TELEKOM_IF tcp sport $WS_PORTS \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
- counter accept comment "Incoming let's encrypt replies"
+ counter accept comment "Incoming let's encrypt replies (TELEKOM)"
add rule ip efg_filter forward \
ip protocol icmp \
oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_NETS \
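Review bot: The new ACE reply rules in this hunk ("Outgoing http(s) replies (ACE)", "Outgoing DNS replies (udp) (ACE)", "Outgoing DNS replies (tcp) (ACE)") accept any `ct state established` packet leaving `$EXTERNAL_ACE_IF`, so nothing in the ruleset ties a reply to the uplink its connection was DNATed in on; if the routing table sends the reply of a connection that arrived on a `$PUBLIC_TELEKOM_*` address out through ACE, the ACE rule still accepts it and the packet leaves with the de-NATed TELEKOM source address, which the same holds in reverse for the TELEKOM siblings now that there are two uplinks. Unless source-based policy routing is configured elsewhere (not visible on this page), consider pinning each of these reply rules to the public address it answers for, e.g. `ct state established ct original ip daddr $PUBLIC_ACE_WS_IP \` in place of the bare `ct state established \` line of the ACE http(s) reply rule, with `$PUBLIC_ACE_NS_IP` / `$PUBLIC_TELEKOM_NS_IP` / `$PUBLIC_TELEKOM_WS_IP` in the other five, so that a misrouted reply falls through to the chain policy and shows up in its counters instead of leaving via the wrong ISP. A secondary point of style: every ACE rule is a verbatim copy of its TELEKOM sibling differing only in the interface name and the comment suffix, and where per-uplink counters are not needed an anonymous set such as `iifname { $EXTERNAL_ACE_IF, $EXTERNAL_TELEKOM_IF }` would halve the rule count and remove the drift risk of hand-copied pairs. No `@@` headers survive in this chunk, so the hunk boundary assumed here (from the VPN forward context line to the icmp forward context lines) is inferred from the content.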
counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing internal traffic (TELEKOM)"
+#add rule ip efg_nat postrouting \
+# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IP \
+# counter snat $PUBLIC_ACE_MX_IP comment "Outgoing MX traffic (ACE)"
+
#add rule ip efg_nat postrouting \
# oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IP \
-# counter snat $PUBLIC_TELEKOM_MX_IP comment "Outgoing MX traffic"
+# counter snat $PUBLIC_TELEKOM_MX_IP comment "Outgoing MX traffic (TELEKOM)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IP \
+ counter snat $PUBLIC_ACE_NS_IP comment "Outgoing external DNS traffic (ACE)"
add rule ip efg_nat postrouting \
oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_NS_IP comment "Outgoing external DNS traffic"
+ counter snat $PUBLIC_TELEKOM_NS_IP comment "Outgoing external DNS traffic (TELEKOM)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IP \
+ counter snat $PUBLIC_ACE_EFG_IP comment "Outgoing perimeter DNS traffic (ACE)"
add rule ip efg_nat postrouting \
oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing perimeter DNS traffic"
+ counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing perimeter DNS traffic (TELEKOM)"
+
+add rule ip efg_nat postrouting \
+ oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IP \
+ counter snat $PUBLIC_ACE_WS_IP comment "Outgoing WS traffic (ACE)"
add rule ip efg_nat postrouting \
oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_WS_IP comment "Outgoing WS traffic"
+ counter snat $PUBLIC_TELEKOM_WS_IP comment "Outgoing WS traffic (TELEKOM)"