add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF \
- ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
+ ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport openvpn \
counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
#add rule ip efg-nat prerouting \
add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
+ ip daddr $PUBLIC_ACE_NS_IPV4 udp dport domain \
counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
+ ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport domain \
counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
add rule ip efg-nat prerouting \
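Review bot: `udp dport openvpn` on the changed line makes the ruleset load depend on the host's service database: nft resolves service names through the libc lookup when the file is parsed, so if `/etc/services` on the firewall lacks an `openvpn` entry (minimal images, a non-glibc libc) the whole file is rejected, and with a flush-then-load deployment that can leave the box without rules. `domain` is present essentially everywhere, but `openvpn` is a distribution addition rather than a name nft itself knows, so the DNAT and the matching forward rules would all fail together. I would either guard the loader (e.g. `getent services openvpn >/dev/null || exit 1` before `nft -f`) or define the port once with `define OPENVPN_PORT = 1194` and use `udp dport $OPENVPN_PORT`. Anything that scrapes `nft list ruleset` for `dport 1194` (monitoring, compliance checks, if any) will now see `dport openvpn` unless it requests numeric output.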
add rule ip efg-filter input \
ct state established \
- iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport domain \
ip daddr $EFG_PERIMETER_IPV4 udp dport 1024-65535 \
counter accept comment "DNS replies"
add rule ip6 efg-filter input \
ct state established \
- iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport 53 \
+ iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport domain \
ip6 daddr $EFG_PERIMETER_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
counter accept comment "Incoming VPN traffic (ACE)"
add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
counter accept comment "Incoming VPN traffic (TELEKOM)"
add rule ip efg-filter forward \
add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport domain \
counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport domain \
counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport domain \
oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (udp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport domain \
oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport domain \
counter accept comment "Incoming DNS requests (tcp) (ACE)"
add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport domain \
counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport domain \
oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (tcp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport domain \
oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF udp dport 53 \
+ oifname $EXTERNAL_ACE_IF udp dport domain \
counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
+ oifname $EXTERNAL_TELEKOM_IF udp dport domain \
counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $EXTERNAL_ACE_IF udp sport 53 \
+ iifname $EXTERNAL_ACE_IF udp sport domain \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
counter accept comment "Incoming DNS replies (udp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
+ iifname $EXTERNAL_TELEKOM_IF udp sport domain \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF tcp dport 53 \
+ oifname $EXTERNAL_ACE_IF tcp dport domain \
counter accept comment "Outgoing DNS requests (tcp) (ACE)"
add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
+ oifname $EXTERNAL_TELEKOM_IF tcp dport domain \
counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $EXTERNAL_ACE_IF tcp sport 53 \
+ iifname $EXTERNAL_ACE_IF tcp sport domain \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp) (ACE)"
add rule ip efg-filter forward \
ct state established, related \
- iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport domain \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
add rule ip efg-filter output \
ct state new \
ip saddr $EFG_PERIMETER_IPV4 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport domain \
counter accept comment "DNS requests"
add rule ip6 efg-filter output \
ct state new \
ip6 saddr $EFG_PERIMETER_IPV6 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport 53 \
+ oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport domain \
counter accept comment "DNS requests"
add rule ip efg-filter output \