################################
# loopback address
-define LOOPBACK_IP = 127.0.0.1
+define LOOPBACK_IPV4 = 127.0.0.1
# public addresses
-define PUBLIC_ACE_EFG_IP = 37.220.137.97
-define PUBLIC_ACE_MX_IP = 37.220.137.98
-define PUBLIC_ACE_NS_IP = 37.220.137.99
-define PUBLIC_ACE_VPN_IP = 37.220.137.100
-define PUBLIC_ACE_WS_IP = 37.220.137.101
-define PUBLIC_ACE_MINECRAFT_IP = 37.220.137.102
-define PUBLIC_ACE_IP_103 = 37.220.137.103
-define PUBLIC_ACE_IP_104 = 37.220.137.104
-define PUBLIC_ACE_IP_105 = 37.220.137.105
-define PUBLIC_ACE_IP_106 = 37.220.137.106
-define PUBLIC_ACE_IP_107 = 37.220.137.107
-define PUBLIC_ACE_ZFDL360E_IP = 37.220.137.108
-define PUBLIC_ACE_ZFDL380E_IP = 37.220.137.109
-define PUBLIC_TELEKOM_EFG_IP = 194.149.40.146
-define PUBLIC_TELEKOM_MX_IP = 194.149.40.147
-define PUBLIC_TELEKOM_NS_IP = 194.149.40.148
-define PUBLIC_TELEKOM_VPN_IP = 194.149.40.149
-define PUBLIC_TELEKOM_WS_IP = 194.149.40.150
-define PUBLIC_TELEKOM_MINECRAFT_IP = 194.149.40.151
-define PUBLIC_TELEKOM_IP_152 = 194.149.40.152
-define PUBLIC_TELEKOM_IP_153 = 194.149.40.153
-define PUBLIC_TELEKOM_IP_154 = 194.149.40.154
-define PUBLIC_TELEKOM_IP_155 = 194.149.40.155
-define PUBLIC_TELEKOM_IP_156 = 194.149.40.156
-define PUBLIC_TELEKOM_IP_157 = 194.149.40.157
-define PUBLIC_TELEKOM_DL380E_IP = 194.149.40.158
+define PUBLIC_ACE_EFG_IPV4 = 37.220.137.97
+define PUBLIC_ACE_EFG_IPV6 = 2a02:d400:0000:f200:000c:18ff:fe03:8961
+define PUBLIC_ACE_MX_IPV4 = 37.220.137.98
+define PUBLIC_ACE_NS_IPV4 = 37.220.137.99
+define PUBLIC_ACE_VPN_IPV4 = 37.220.137.100
+define PUBLIC_ACE_WS_IPV4 = 37.220.137.101
+define PUBLIC_ACE_MINECRAFT_IPV4 = 37.220.137.102
+define PUBLIC_ACE_IPV4_103 = 37.220.137.103
+define PUBLIC_ACE_IPV4_104 = 37.220.137.104
+define PUBLIC_ACE_IPV4_105 = 37.220.137.105
+define PUBLIC_ACE_IPV4_106 = 37.220.137.106
+define PUBLIC_ACE_IPV4_107 = 37.220.137.107
+define PUBLIC_ACE_ZFDL360E_IPV4 = 37.220.137.108
+define PUBLIC_ACE_ZFDL380E_IPV4 = 37.220.137.109
+define PUBLIC_TELEKOM_EFG_IPV4 = 188.6.255.10
+define PUBLIC_TELEKOM_MX_IPV4 = 194.149.40.147
+define PUBLIC_TELEKOM_NS_IPV4 = 194.149.40.148
+define PUBLIC_TELEKOM_VPN_IPV4 = 194.149.40.149
+define PUBLIC_TELEKOM_WS_IPV4 = 194.149.40.150
+define PUBLIC_TELEKOM_MINECRAFT_IPV4 = 194.149.40.151
+define PUBLIC_TELEKOM_IPV4_152 = 194.149.40.152
+define PUBLIC_TELEKOM_IPV4_153 = 194.149.40.153
+define PUBLIC_TELEKOM_IPV4_154 = 194.149.40.154
+define PUBLIC_TELEKOM_IPV4_155 = 194.149.40.155
+define PUBLIC_TELEKOM_IPV4_156 = 194.149.40.156
+define PUBLIC_TELEKOM_IPV4_157 = 194.149.40.157
+define PUBLIC_TELEKOM_DL380E_IPV4 = 194.149.40.158
# efg address (perimeter network)
-define EFG_PERIMETER_IP = 192.168.173.254
+define EFG_PERIMETER_IPV4 = 192.168.173.254
+define EFG_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adfe
# transfer web server address (perimeter network)
-define XFR_PERIMETER_IP = 192.168.173.251
+define XFR_PERIMETER_IPV4 = 192.168.173.251
# web server address (perimeter network)
-define WS_PERIMETER_IP = 192.168.173.249
+define WS_PERIMETER_IPV4 = 192.168.173.249
# perimeter name server address (perimeter network)
-define PNS_PERIMETER_IP = 192.168.173.174
+define PNS_PERIMETER_IPV4 = 192.168.173.174
+define PNS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adae
# external name server address (perimeter network)
-define ENS_PERIMETER_IP = 192.168.173.64
+define ENS_PERIMETER_IPV4 = 192.168.173.64
+define ENS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad40
# ifg address (perimeter network)
-define IFG_PERIMETER_IP = 192.168.173.1
+define IFG_PERIMETER_IPV4 = 192.168.173.1
+define IFG_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad01
# dvredmine address (internal network)
-define DVREDMINE_INTERNAL_IP = 10.228.62.193
+define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
# minicrm address (internal network)
-define MINICRM_INTERNAL_IP = 10.228.109.133
+define MINICRM_INTERNAL_IPV4 = 10.228.109.133
# store address (internal network)
-define STORE_INTERNAL_IP = 10.228.109.250
+define STORE_INTERNAL_IPV4 = 10.228.109.250
# service address (internal network)
-define SVC_INTERNAL_IP = 10.228.109.253
+define SVC_INTERNAL_IPV4 = 10.228.109.253
# vpn address (internal network)
-define VPN_INTERNAL_IP = 10.228.109.236
+define VPN_INTERNAL_IPV4 = 10.228.109.236
# primary name server address (internal network)
-define PNS_INTERNAL_IP = 10.228.109.174
+define PNS_INTERNAL_IPV4 = 10.228.109.174
# internal name server address (internal network)
-define INS_INTERNAL_IP = 10.228.109.104
+define INS_INTERNAL_IPV4 = 10.228.109.104
# worksheet address (internal network)
-define WORKSHEET_SR_IP = 192.168.42.248
+define WORKSHEET_SR_IPV4 = 192.168.42.248
################################
# network definitions
################################
# internal networks
-define USR_NET = 10.228.0.0/16
-define SR_NET = 192.168.42.0/24
-define IN_NET = 192.168.43.0/24
-define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+define USR_IPV4_NET = 10.228.0.0/16
+define SR_IPV4_NET = 192.168.42.0/24
+define IN_IPV4_NET = 192.168.43.0/24
+define INTERNAL_IPV4_NETS = { $USR_IPV4_NET, $SR_IPV4_NET, $IN_IPV4_NET }
+define INTERNAL_IPV6_NET = 2a02:d400:0000:f268::/64
# perimeter network
-define PERIMETER_NET = 192.168.173.0/24
+define PERIMETER_IPV4_NET = 192.168.173.0/24
+define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64
# vpn client network
-define VPN_NET = 172.16.223.0/24
+define VPN_IPV4_NET = 172.16.223.0/24
# peep-bo network
-define PEEP_BO_NET = 10.162.104.0/24
+define PEEP_BO_IPV4_NET = 10.162.104.0/24
################################
# port definitions
add rule ip efg_nat prerouting \
iifname $EXTERNAL_ACE_IF \
- ip daddr $PUBLIC_ACE_VPN_IP udp dport 1194 \
- counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (ACE)"
+ ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (ACE)"
add rule ip efg_nat prerouting \
iifname $EXTERNAL_TELEKOM_IF \
- ip daddr $PUBLIC_TELEKOM_VPN_IP udp dport 1194 \
- counter dnat $VPN_INTERNAL_IP comment "Incoming VPN traffic (TELEKOM)"
+ ip daddr $PUBLIC_TELEKOM_VPN_IPV4 udp dport 1194 \
+ counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic (TELEKOM)"
#add rule ip efg_nat prerouting \
# iifname $EXTERNAL_ACE_IF \
-# ip daddr $PUBLIC_ACE_MX_IP tcp dport $MX_PORTS \
-# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+# ip daddr $PUBLIC_ACE_MX_IPV4 tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
#add rule ip efg_nat prerouting \
# iifname $EXTERNAL_TELEKOM_IF \
-# ip daddr $PUBLIC_TELEKOM_MX_IP tcp dport $MX_PORTS \
-# counter dnat $MX_PERIMETER_IP comment "Incoming MX traffic"
+# ip daddr $PUBLIC_TELEKOM_MX_IPV4 tcp dport $MX_PORTS \
+# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
add rule ip efg_nat prerouting \
iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IP udp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+ ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
add rule ip efg_nat prerouting \
iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_NS_IP udp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (udp)"
+ ip daddr $PUBLIC_TELEKOM_NS_IPV4 udp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
add rule ip efg_nat prerouting \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IP tcp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+ ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
add rule ip efg_nat prerouting \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_NS_IP tcp dport 53 \
- counter dnat $ENS_PERIMETER_IP comment "Incoming DNS requests (tcp)"
+ ip daddr $PUBLIC_TELEKOM_NS_IPV4 tcp dport 53 \
+ counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
add rule ip efg_nat prerouting \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_WS_IP tcp dport $WS_PORTS \
- counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+ ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
add rule ip efg_nat prerouting \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_TELEKOM_WS_IP tcp dport $WS_PORTS \
- counter dnat $WS_PERIMETER_IP comment "Incoming http(s) requests"
+ ip daddr $PUBLIC_TELEKOM_WS_IPV4 tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
################################
add rule ip efg_filter input \
ct state established \
- iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IP udp sport 53 \
- ip daddr $EFG_PERIMETER_IP udp dport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport 53 \
+ ip daddr $EFG_PERIMETER_IPV4 udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+add rule ip6 efg_filter input \
+ ct state established \
+ iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport 53 \
+ ip6 daddr $EFG_PERIMETER_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
add rule ip efg_filter input \
ip protocol icmp \
counter accept comment "ICMP"
+add rule inet efg_filter input \
+ icmpv6 type { destination-unreachable, \
+ echo-reply, \
+ echo-request, \
+ mld-listener-done, \
+ mld-listener-query, \
+ mld-listener-report, \
+ nd-redirect, \
+ nd-router-solicit, \
+ nd-router-advert, \
+ nd-neighbor-solicit, \
+ nd-neighbor-advert, \
+ packet-too-big, \
+ parameter-problem, \
+ router-renumbering, \
+ time-exceeded } \
+ counter accept comment "ICMPv6"
add rule ip efg_filter input \
ip protocol gre \
add rule ip efg_filter input \
counter log prefix "INPUT"
-
add rule ip6 efg_filter input \
counter log prefix "INPUT"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+ oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
+ counter accept comment "Established sessions (ACE)"
+add rule ip6 efg_filter forward \
+ ct state established, related \
+ iifname $EXTERNAL_ACE_IF \
+ oifname $PERIMETER_IF ip6 daddr $INTERNAL_IPV6_NET \
counter accept comment "Established sessions (ACE)"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $INTERNAL_NETS \
+ oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
counter accept comment "Established sessions (TELEKOM)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+ iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
+ oifname $EXTERNAL_ACE_IF \
+ counter accept comment "Internet access (ACE)"
+add rule ip6 efg_filter forward \
+ iifname $PERIMETER_IF ip6 saddr $INTERNAL_IPV6_NET \
oifname $EXTERNAL_ACE_IF \
counter accept comment "Internet access (ACE)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $INTERNAL_NETS \
+ iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
oifname $EXTERNAL_TELEKOM_IF \
counter accept comment "Internet access (TELEKOM)"
add rule ip efg_filter forward \
iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
counter accept comment "Incoming VPN traffic (ACE)"
add rule ip efg_filter forward \
iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
counter accept comment "Incoming VPN traffic (TELEKOM)"
add rule ip efg_filter forward \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
counter accept comment "Incoming http(s) requests (ACE)"
add rule ip efg_filter forward \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
counter accept comment "Incoming http(s) requests (TELEKOM)"
add rule ip efg_filter forward \
ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
counter accept comment "Outgoing http(s) replies (ACE)"
add rule ip efg_filter forward \
ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
counter accept comment "Outgoing http(s) replies (TELEKOM)"
add rule ip efg_filter forward \
iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
add rule ip efg_filter forward \
iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
add rule ip efg_filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (udp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
add rule ip efg_filter forward \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
counter accept comment "Incoming DNS requests (tcp) (ACE)"
add rule ip efg_filter forward \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IP tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
add rule ip efg_filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (tcp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IP tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
oifname $EXTERNAL_ACE_IF udp dport 53 \
counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_ACE_IF udp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
counter accept comment "Incoming DNS replies (udp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
oifname $EXTERNAL_ACE_IF tcp dport 53 \
counter accept comment "Outgoing DNS requests (tcp) (ACE)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_ACE_IF tcp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp) (ACE)"
add rule ip efg_filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
oifname $EXTERNAL_ACE_IF tcp dport $WS_PORTS \
counter accept comment "Outgoing let's encrypt requests (ACE)"
add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF tcp dport $WS_PORTS \
counter accept comment "Outgoing let's encrypt requests (TELEKOM)"
add rule ip efg_filter forward \
ct state established \
iifname $EXTERNAL_ACE_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Incoming let's encrypt replies (ACE)"
add rule ip efg_filter forward \
ct state established \
iifname $EXTERNAL_TELEKOM_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Incoming let's encrypt replies (TELEKOM)"
add rule ip efg_filter forward \
add rule ip efg_filter output \
ct state new \
- ip saddr $EFG_PERIMETER_IP udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IP udp dport 53 \
+ ip saddr $EFG_PERIMETER_IPV4 udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport 53 \
+ counter accept comment "DNS requests"
+add rule ip6 efg_filter output \
+ ct state new \
+ ip6 saddr $EFG_PERIMETER_IPV6 udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport 53 \
counter accept comment "DNS requests"
add rule ip efg_filter output \
ip protocol icmp \
counter accept comment "ICMP"
+add rule inet efg_filter output \
+ icmpv6 type { destination-unreachable, \
+ echo-reply, \
+ echo-request, \
+ mld-listener-done, \
+ mld-listener-query, \
+ mld-listener-report, \
+ nd-redirect, \
+ nd-router-solicit, \
+ nd-router-advert, \
+ nd-neighbor-solicit, \
+ nd-neighbor-advert, \
+ packet-too-big, \
+ parameter-problem, \
+ router-renumbering, \
+ time-exceeded } \
+ counter accept comment "ICMPv6"
add rule ip efg_filter output \
counter log prefix "OUTPUT"
-
add rule ip6 efg_filter output \
counter log prefix "OUTPUT"
################################
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IP \
- counter snat $PUBLIC_ACE_VPN_IP comment "Outgoing VPN traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IPV4 \
+ counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic (ACE)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $VPN_INTERNAL_IP \
- counter snat $PUBLIC_TELEKOM_VPN_IP comment "Outgoing VPN traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $VPN_INTERNAL_IPV4 \
+ counter snat $PUBLIC_TELEKOM_VPN_IPV4 comment "Outgoing VPN traffic (TELEKOM)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_NETS \
- counter snat $PUBLIC_ACE_EFG_IP comment "Outgoing internal traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
+ counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic (ACE)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_NETS \
- counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing internal traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_IPV4_NETS \
+ counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing internal traffic (TELEKOM)"
#add rule ip efg_nat postrouting \
-# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IP \
-# counter snat $PUBLIC_ACE_MX_IP comment "Outgoing MX traffic (ACE)"
+# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IPV4 \
+# counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic (ACE)"
#add rule ip efg_nat postrouting \
-# oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IP \
-# counter snat $PUBLIC_TELEKOM_MX_IP comment "Outgoing MX traffic (TELEKOM)"
+# oifname $EXTERNAL_TELEKOM_IF ip saddr $MX_PERIMETER_IPV4 \
+# counter snat $PUBLIC_TELEKOM_MX_IPV4 comment "Outgoing MX traffic (TELEKOM)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IP \
- counter snat $PUBLIC_ACE_NS_IP comment "Outgoing external DNS traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic (ACE)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_NS_IP comment "Outgoing external DNS traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $ENS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_TELEKOM_NS_IPV4 comment "Outgoing external DNS traffic (TELEKOM)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IP \
- counter snat $PUBLIC_ACE_EFG_IP comment "Outgoing perimeter DNS traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic (ACE)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_EFG_IP comment "Outgoing perimeter DNS traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $PNS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing perimeter DNS traffic (TELEKOM)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IP \
- counter snat $PUBLIC_ACE_WS_IP comment "Outgoing WS traffic (ACE)"
+ oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic (ACE)"
add rule ip efg_nat postrouting \
- oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IP \
- counter snat $PUBLIC_TELEKOM_WS_IP comment "Outgoing WS traffic (TELEKOM)"
+ oifname $EXTERNAL_TELEKOM_IF ip saddr $WS_PERIMETER_IPV4 \
+ counter snat $PUBLIC_TELEKOM_WS_IPV4 comment "Outgoing WS traffic (TELEKOM)"
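Review bot: The two new ICMPv6 accept rules (the `icmpv6 type { … }` blocks in the input and output chains) are added to table `inet efg_filter`, while every other rule in this file — including the new IPv6 rules for DNS replies, established sessions and internet access — targets `ip6 efg_filter`; unless an `inet efg_filter` table with `input`/`output` base chains is defined outside this diff, `nft -f` will most likely reject these lines and the whole ruleset load aborts, and even if such a table exists, an accept there does not bypass the `ip6 efg_filter` chains at the same hook, so neighbour discovery would still be subject to whatever default policy the `ip6` input chain carries (not shown here). The consistent form is `add rule ip6 efg_filter input \` and `add rule ip6 efg_filter output \`. The accepted set is also unconditional: `nd-router-advert`, `nd-redirect` and `router-renumbering` are accepted on every interface with no `ip6 saddr fe80::/10` or hop-limit restriction, which is the usual scoping for ND traffic, so consider limiting at least those types to `iifname $PERIMETER_IF` or link-local sources. Separately, the `PUBLIC_TELEKOM_EFG_IPV4` definition changes the address value (194.149.40.146 → 188.6.255.10) inside what is otherwise a pure rename; since it is the SNAT source for the "Outgoing internal traffic (TELEKOM)" and "Outgoing perimeter DNS traffic (TELEKOM)" rules, confirm that change is intentional and mention it in the commit message.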