# external interfaces
define EXTERNAL_ACE_IF = eth2
-define EXTERNAL_TELEKOM_IF = eth1
+define EXTERNAL_INVITECH_IF = eth1
# loopback interface
define LOOPBACK_IF = lo
define LOOPBACK_IPV4 = 127.0.0.1
# public addresses
-define PUBLIC_ACE_EFG_IPV4 = 37.220.137.97
-define PUBLIC_ACE_EFG_IPV6 = 2a02:d400:0000:f200:000c:18ff:fe03:8961
-define PUBLIC_ACE_MX_IPV4 = 37.220.137.98
-define PUBLIC_ACE_NS_IPV4 = 37.220.137.99
-define PUBLIC_ACE_VPN_IPV4 = 37.220.137.100
-define PUBLIC_ACE_WS_IPV4 = 37.220.137.101
-define PUBLIC_ACE_MINECRAFT_IPV4 = 37.220.137.102
-define PUBLIC_ACE_IPV4_103 = 37.220.137.103
-define PUBLIC_ACE_IPV4_104 = 37.220.137.104
-define PUBLIC_ACE_IPV4_105 = 37.220.137.105
-define PUBLIC_ACE_IPV4_106 = 37.220.137.106
-define PUBLIC_ACE_IPV4_107 = 37.220.137.107
-define PUBLIC_ACE_ZFDL360E_IPV4 = 37.220.137.108
-define PUBLIC_ACE_ZFDL380E_IPV4 = 37.220.137.109
-define PUBLIC_TELEKOM_EFG_IPV4 = 188.6.255.10
+define PUBLIC_INVITECH_NET_IPV4 = 213.253.216.160
+define PUBLIC_INVITECH_GW_IPV4 = 213.253.216.161
+define PUBLIC_INVITECH_EFG_IPV4 = 213.253.216.162
+define PUBLIC_INVITECH_MX_IPV4 = 213.253.216.163
+define PUBLIC_INVITECH_NS_IPV4 = 213.253.216.164
+define PUBLIC_INVITECH_STORE_IPV4 = 213.253.216.165
+define PUBLIC_INVITECH_VPN_IPV4 = 213.253.216.166
+define PUBLIC_INVITECH_WS_IPV4 = 213.253.216.167
+define PUBLIC_INVITECH_IPV4_168 = 213.253.216.168
+define PUBLIC_INVITECH_IPV4_169 = 213.253.216.169
+define PUBLIC_INVITECH_IPV4_170 = 213.253.216.170
+define PUBLIC_INVITECH_IPV4_171 = 213.253.216.171
+define PUBLIC_INVITECH_IPV4_172 = 213.253.216.172
+define PUBLIC_INVITECH_ZFDL360E_IPV4 = 213.253.216.173
+define PUBLIC_INVITECH_ZFDL380E_IPV4 = 213.253.216.174
+define PUBLIC_INVITECH_BROADCAST_IPV4 = 213.253.216.175
# efg address (perimeter network)
define EFG_PERIMETER_IPV4 = 192.168.173.254
# port definitions
################################
-#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
-define VPN_PORTS = { openvpn, 51820 }
+define MX_PORTS = { smtp, pop3, imap, 465, submission, imaps, pop3s }
+# 465: SMTP over SSL (TLS)
+
+define VPN_PORT = 51820
+# 51820: wireguard
################################
################################
add rule ip efg-nat prerouting \
- iifname $EXTERNAL_ACE_IF \
- ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport $VPN_PORTS \
+ iifname $EXTERNAL_INVITECH_IF \
+ ip daddr $PUBLIC_INVITECH_VPN_IPV4 udp dport $VPN_PORT \
counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
#add rule ip efg-nat prerouting \
-# iifname $EXTERNAL_ACE_IF \
-# ip daddr $PUBLIC_ACE_MX_IPV4 tcp dport $MX_PORTS \
+# iifname $EXTERNAL_INVITECH_IF \
+# ip daddr $PUBLIC_INVITECH_MX_IPV4 tcp dport $MX_PORTS \
# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
add rule ip efg-nat prerouting \
- iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IPV4 udp dport domain \
+ iifname $EXTERNAL_INVITECH_IF udp sport 1024-65535 \
+ ip daddr $PUBLIC_INVITECH_NS_IPV4 udp dport domain \
counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
add rule ip efg-nat prerouting \
- iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport domain \
+ iifname $EXTERNAL_INVITECH_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_INVITECH_NS_IPV4 tcp dport domain \
counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
add rule ip efg-nat prerouting \
- iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport { http, https } \
+ iifname $EXTERNAL_INVITECH_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_INVITECH_WS_IPV4 tcp dport { http, https } \
counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
# FILTER forward rules
################################
-add rule ip efg-filter forward \
- ct state established, related \
- iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
- counter accept comment "Established sessions (ACE)"
-add rule ip6 efg-filter forward \
- ct state established, related \
- iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip6 daddr $INTERNAL_IPV6_NET \
- counter accept comment "Established sessions (ACE)"
+#add rule ip efg-filter forward \
+# ct state established, related \
+# iifname $EXTERNAL_ACE_IF \
+# oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
+# counter accept comment "Established sessions (ACE)"
+#add rule ip6 efg-filter forward \
+# ct state established, related \
+# iifname $EXTERNAL_ACE_IF \
+# oifname $PERIMETER_IF ip6 daddr $INTERNAL_IPV6_NET \
+# counter accept comment "Established sessions (ACE)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $EXTERNAL_TELEKOM_IF \
+ iifname $EXTERNAL_INVITECH_IF \
oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
- counter accept comment "Established sessions (TELEKOM)"
+ counter accept comment "Established sessions (INVITECH)"
-add rule ip efg-filter forward \
- iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
- oifname $EXTERNAL_ACE_IF \
- counter accept comment "Internet access (ACE)"
-add rule ip6 efg-filter forward \
- iifname $PERIMETER_IF ip6 saddr $INTERNAL_IPV6_NET \
- oifname $EXTERNAL_ACE_IF \
- counter accept comment "Internet access (ACE)"
+#add rule ip efg-filter forward \
+# iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
+# oifname $EXTERNAL_ACE_IF \
+# counter accept comment "Internet access (ACE)"
+#add rule ip6 efg-filter forward \
+# iifname $PERIMETER_IF ip6 saddr $INTERNAL_IPV6_NET \
+# oifname $EXTERNAL_ACE_IF \
+# counter accept comment "Internet access (ACE)"
add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
- oifname $EXTERNAL_TELEKOM_IF \
- counter accept comment "Internet access (TELEKOM)"
+ oifname $EXTERNAL_INVITECH_IF \
+ counter accept comment "Internet access (INVITECH)"
-add rule ip efg-filter forward \
- iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
- counter accept comment "Incoming VPN traffic (ACE)"
+#add rule ip efg-filter forward \
+# iifname $EXTERNAL_ACE_IF \
+# oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORT \
+# counter accept comment "Incoming VPN traffic (ACE)"
add rule ip efg-filter forward \
- iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
- counter accept comment "Incoming VPN traffic (TELEKOM)"
+ iifname $EXTERNAL_INVITECH_IF \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORT \
+ counter accept comment "Incoming VPN traffic (INVITECH)"
-add rule ip efg-filter forward \
- iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
- counter accept comment "Incoming http(s) requests (ACE)"
+#add rule ip efg-filter forward \
+# iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+# oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
+# counter accept comment "Incoming http(s) requests (ACE)"
add rule ip efg-filter forward \
- iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
+ iifname $EXTERNAL_INVITECH_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
- counter accept comment "Incoming http(s) requests (TELEKOM)"
+ counter accept comment "Incoming http(s) requests (INVITECH)"
-add rule ip efg-filter forward \
- ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport { http, https } \
- oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing http(s) replies (ACE)"
+#add rule ip efg-filter forward \
+# ct state established \
+# iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport { http, https } \
+# oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
+# counter accept comment "Outgoing http(s) replies (ACE)"
add rule ip efg-filter forward \
ct state established \
iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport { http, https } \
- oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing http(s) replies (TELEKOM)"
+ oifname $EXTERNAL_INVITECH_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing http(s) replies (INVITECH)"
-add rule ip efg-filter forward \
- iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport domain \
- counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
+#add rule ip efg-filter forward \
+# iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
+# oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport domain \
+# counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
add rule ip efg-filter forward \
- iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
+ iifname $EXTERNAL_INVITECH_IF udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport domain \
- counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
+ counter accept comment "Incoming DNS requests/notifications (udp) (INVITECH)"
-add rule ip efg-filter forward \
- ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport domain \
- oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (udp) (ACE)"
+#add rule ip efg-filter forward \
+# ct state established, related \
+# iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport domain \
+# oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
+# counter accept comment "Outgoing DNS replies (udp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport domain \
- oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
+ oifname $EXTERNAL_INVITECH_IF udp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (udp) (INVITECH)"
-add rule ip efg-filter forward \
- iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport domain \
- counter accept comment "Incoming DNS requests (tcp) (ACE)"
+#add rule ip efg-filter forward \
+# iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
+# oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport domain \
+# counter accept comment "Incoming DNS requests (tcp) (ACE)"
add rule ip efg-filter forward \
- iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
+ iifname $EXTERNAL_INVITECH_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport domain \
- counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
+ counter accept comment "Incoming DNS requests (tcp) (INVITECH)"
-add rule ip efg-filter forward \
- ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport domain \
- oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (tcp) (ACE)"
+#add rule ip efg-filter forward \
+# ct state established, related \
+# iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport domain \
+# oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
+# counter accept comment "Outgoing DNS replies (tcp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport domain \
- oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
- counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
+ oifname $EXTERNAL_INVITECH_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing DNS replies (tcp) (INVITECH)"
-add rule ip efg-filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF udp dport domain \
- counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
+#add rule ip efg-filter forward \
+# iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
+# oifname $EXTERNAL_ACE_IF udp dport domain \
+# counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF udp dport domain \
- counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
+ oifname $EXTERNAL_INVITECH_IF udp dport domain \
+ counter accept comment "Outgoing DNS requests/notifications (udp) (INVITECH)"
-add rule ip efg-filter forward \
- ct state established, related \
- iifname $EXTERNAL_ACE_IF udp sport domain \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (udp) (ACE)"
+#add rule ip efg-filter forward \
+# ct state established, related \
+# iifname $EXTERNAL_ACE_IF udp sport domain \
+# oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
+# counter accept comment "Incoming DNS replies (udp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $EXTERNAL_TELEKOM_IF udp sport domain \
+ iifname $EXTERNAL_INVITECH_IF udp sport domain \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
+ counter accept comment "Incoming DNS replies (udp) (INVITECH)"
-add rule ip efg-filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF tcp dport domain \
- counter accept comment "Outgoing DNS requests (tcp) (ACE)"
+#add rule ip efg-filter forward \
+# iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
+# oifname $EXTERNAL_ACE_IF tcp dport domain \
+# counter accept comment "Outgoing DNS requests (tcp) (ACE)"
add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF tcp dport domain \
- counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
+ oifname $EXTERNAL_INVITECH_IF tcp dport domain \
+ counter accept comment "Outgoing DNS requests (tcp) (INVITECH)"
-add rule ip efg-filter forward \
- ct state established, related \
- iifname $EXTERNAL_ACE_IF tcp sport domain \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (tcp) (ACE)"
+#add rule ip efg-filter forward \
+# ct state established, related \
+# iifname $EXTERNAL_ACE_IF tcp sport domain \
+# oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
+# counter accept comment "Incoming DNS replies (tcp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $EXTERNAL_TELEKOM_IF tcp sport domain \
+ iifname $EXTERNAL_INVITECH_IF tcp sport domain \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
- counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
+ counter accept comment "Incoming DNS replies (tcp) (INVITECH)"
add rule ip efg-filter forward \
ip protocol icmp \
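Review bot: The only two `ip6 efg-filter forward` accept rules ("Established sessions (ACE)" and "Internet access (ACE)") are commented out with no INVITECH equivalents, and the new PUBLIC_INVITECH_* block defines no IPv6 address at all, so whether IPv6 is still forwarded between the uplink and $PERIMETER_IF now rests entirely on that chain's default policy, which is outside this hunk — an accept policy leaves it wide open, a drop policy cuts IPv6 silently. Whichever is intended, record it next to the disabled rules, e.g. `# No IPv6 on the INVITECH uplink: ip6 forward falls through to the chain policy (<policy>)` with the real policy filled in. Likewise EXTERNAL_ACE_IF (eth2) stays defined while every rule that used it is now a comment, so if that interface is still up its traffic is also governed by chain policy alone, and the commented ACE rules are dead config that is already drifting from the live ones (the disabled VPN rule was edited to $VPN_PORT). I would delete them, or head the block with `# ACE uplink (eth2) decommissioned — kept for reference only, not loaded`. The ICMP rule that begins at the end of this hunk continues outside it.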
################################
add rule ip efg-nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IPV4 \
- counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic"
+ oifname $EXTERNAL_INVITECH_IF ip saddr $VPN_INTERNAL_IPV4 \
+ counter snat $PUBLIC_INVITECH_VPN_IPV4 comment "Outgoing VPN traffic"
-add rule ip efg-nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
- counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic"
+#add rule ip efg-nat postrouting \
+# oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
+# counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic"
add rule ip efg-nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_IPV4_NETS \
- counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing internal traffic (TELEKOM)"
+ oifname $EXTERNAL_INVITECH_IF ip saddr $INTERNAL_IPV4_NETS \
+ counter snat $PUBLIC_INVITECH_EFG_IPV4 comment "Outgoing internal traffic (INVITECH)"
#add rule ip efg-nat postrouting \
# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IPV4 \
-# counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic"
+# counter snat $PUBLIC_INVITECH_MX_IPV4 comment "Outgoing MX traffic"
add rule ip efg-nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IPV4 \
- counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic"
+ oifname $EXTERNAL_INVITECH_IF ip saddr $ENS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_INVITECH_NS_IPV4 comment "Outgoing external DNS traffic"
add rule ip efg-nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IPV4 \
- counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic"
+ oifname $EXTERNAL_INVITECH_IF ip saddr $PNS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_INVITECH_EFG_IPV4 comment "Outgoing perimeter DNS traffic"
add rule ip efg-nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IPV4 \
- counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic"
+ oifname $EXTERNAL_INVITECH_IF ip saddr $WS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_INVITECH_WS_IPV4 comment "Outgoing WS traffic"