define PNS_PERIMETER_IPV4 = 192.168.173.223
define PNS_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:addf
+# perimeter mail exchanger address (perimeter network)
+define MX_PERIMETER_IPV4 = 192.168.173.154
+define MX_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad9a
+
# external name server address (perimeter network)
define ENS_PERIMETER_IPV4 = 192.168.173.147
define ENS_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad93
ip daddr $PUBLIC_STORE_IPV4 tcp dport { http, https } \
counter dnat $STORE_INTERNAL_IPV4 comment "Incoming store requests"
-#add rule ip efg-nat prerouting \
-# iifname $EXTERNAL_IF \
-# ip daddr $PUBLIC_MX_IPV4 tcp dport $MX_PORTS \
-# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
+add rule ip efg-nat prerouting \
+ iifname $EXTERNAL_IF tcp sport 1024-65535 \
+ ip daddr $PUBLIC_MX_IPV4 tcp dport $MX_PORTS \
+ counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
add rule ip efg-nat prerouting \
iifname $EXTERNAL_IF udp sport 1024-65535 \
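Review bot: The re-enabled DNAT rule adds `tcp sport 1024-65535`, which the previously commented-out version on the removed lines did not have, so an SMTP peer connecting from a source port below 1024 will no longer be redirected to the MX. SMTP does not require ephemeral source ports, so this is stricter than the protocol; if the intent is consistency with the DNS rules that follow, I would record it, e.g. `# ephemeral-source-port match mirrors the DNS rules; low-port senders are deliberately not redirected`. Note that the DNAT only rewrites the first packet of a flow, so the `counter` here reports new connections, not total MX traffic; the following `udp sport` rule continues past this hunk.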
add rule ip efg-filter forward \
iifname $EXTERNAL_IF \
- oifname $PERIMETER_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport { http, https } \
- counter accept comment "Incoming store traffic"
+ oifname $PERIMETER_IF ip daddr $MX_PERIMETER_IPV4 tcp dport $MX_PORTS \
+ counter accept comment "Incoming MX requests"
+
+add rule ip efg-filter forward \
+ ct state established \
+ iifname $PERIMETER_IF ip saddr $MX_PERIMETER_IPV4 tcp sport $MX_PORTS \
+ oifname $EXTERNAL_IF tcp dport 1024-65535 \
+ counter accept comment "Outgoing MX replies"
add rule ip efg-filter forward \
iifname $EXTERNAL_IF \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp)"
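Review bot: The forward accept for `ip daddr $STORE_INTERNAL_IPV4 tcp dport { http, https }` ("Incoming store traffic") is removed and replaced by the MX accept rather than kept alongside it, while the store DNAT in prerouting earlier in this diff still rewrites to `$STORE_INTERNAL_IPV4`. Unless an equivalent store accept exists outside the hunk, those DNATed connections will now fall through to the chain policy; I would restore the removed two lines as their own rule ahead of the new MX rule. The new MX request rule also matches without a `ct state` qualifier while its reply rule on the lines below uses `ct state established`; if that is deliberate (so the request rule also catches mid-flow packets), a short comment would avoid it being "tidied up" later.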
+add rule ip6 efg-filter forward \
+ iifname $PERIMETER_IF ip6 saddr $MX_PERIMETER_IPV6 tcp sport 1024-65535 \
+ oifname $EXTERNAL_IF tcp dport { http, https, 2703 } \
+ counter accept comment "Outgoing spamassassin update requests"
+add rule ip efg-filter forward \
+ iifname $PERIMETER_IF ip saddr $MX_PERIMETER_IPV4 tcp sport 1024-65535 \
+ oifname $EXTERNAL_IF tcp dport { http, https, 2703 } \
+ counter accept comment "Outgoing spamassassin update requests"
+
+add rule ip6 efg-filter forward \
+ ct state established \
+ iifname $EXTERNAL_IF tcp sport { http, https, 2703 } \
+ oifname $PERIMETER_IF ip6 daddr $MX_PERIMETER_IPV6 tcp dport 1024-65535 \
+ counter accept comment "Incoming spamassassin update replies"
+add rule ip efg-filter forward \
+ ct state established \
+ iifname $EXTERNAL_IF tcp sport { http, https, 2703 } \
+ oifname $PERIMETER_IF ip daddr $MX_PERIMETER_IPV4 tcp dport 1024-65535 \
+ counter accept comment "Incoming spamassassin update replies"
+
add rule ip efg-filter forward \
ip protocol icmp \
counter accept comment "ICMP"
oifname $EXTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
counter snat $PUBLIC_EFG_IPV4 comment "Outgoing internal traffic"
-#add rule ip efg-nat postrouting \
-# oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IPV4 \
-# counter snat $PUBLIC_MX_IPV4 comment "Outgoing MX traffic"
+add rule ip efg-nat postrouting \
+ oifname $EXTERNAL_IF ip saddr $MX_PERIMETER_IPV4 \
+ counter snat $PUBLIC_MX_IPV4 comment "Outgoing MX traffic"
add rule ip efg-nat postrouting \
oifname $EXTERNAL_IF ip saddr $ENS_PERIMETER_IPV4 \