From f56bd3e56f0eeb2edbb427f2a17d5e5426d64f38 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Fri, 7 Jan 2022 18:51:15 +0100
Subject: [PATCH] Updated ifg.in (updated nft rules for the new nameservers).

---
 sources/ifg.in/firstboot/nftables.config | 49 +++++++++++++++++-------
 1 file changed, 36 insertions(+), 13 deletions(-)

diff --git a/sources/ifg.in/firstboot/nftables.config b/sources/ifg.in/firstboot/nftables.config
index e8d5f0a..a6954b2 100644
--- a/sources/ifg.in/firstboot/nftables.config
+++ b/sources/ifg.in/firstboot/nftables.config
@@ -39,24 +39,20 @@ define PUBLIC_DL380E_IPV4 = 37.220.137.109
 # efg address (perimeter network)
 define EFG_PERIMETER_IPV4 = 192.168.173.254
 
-# service address (perimeter network)
-#define SVC_PERIMETER_IPV4 = 192.168.173.253
-
 # transfer web server address (perimeter network)
 define XFR_PERIMETER_IPV4 = 192.168.173.251
 
-# subversion address (perimeter network)
-#define SVN_PERIMETER_IPV4 = 192.168.173.250
-
 # web server address (perimeter network)
 define WS_PERIMETER_IPV4 = 192.168.173.249
 define WS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adf9
 
 # perimeter name server address (perimeter network)
 define PNS_PERIMETER_IPV4 = 192.168.173.174
+define PNS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adae
 
 # external name server address (perimeter network)
 define ENS_PERIMETER_IPV4 = 192.168.173.64
+define ENS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad40
 
 # ifg address (perimeter network)
 define IFG_PERIMETER_IPV4 = 192.168.173.1
@@ -82,9 +78,17 @@ define WIKI_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6def
 # vpn address (internal network)
 define VPN_INTERNAL_IPV4 = 10.228.109.236
 
+# source name server address (internal network)
+define SNS_INTERNAL_IPV4 = 10.228.109.204
+define SNS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dcc
+
 # primary name server address (internal network)
 define PNS_INTERNAL_IPV4 = 10.228.109.174
 
+# name server 1 address (internal network)
+define NS1_INTERNAL_IPV4 = 10.228.109.159
+define NS1_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d9f
+
 # minicrm address (internal network)
 define MINICRM_INTERNAL_IPV4 = 10.228.109.133
 
@@ -92,6 +96,10 @@ define MINICRM_INTERNAL_IPV4 = 10.228.109.133
 define INS_INTERNAL_IPV4 = 10.228.109.104
 define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
 
+# name server 2 address (internal network)
+define NS2_INTERNAL_IPV4 = 10.228.92.159
+define NS2_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:5c9f
+
 # dvredmine address (internal network)
 define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
 
@@ -163,12 +171,12 @@ add rule ip ifg_nat prerouting \
 add rule ip ifg_filter input \
 	ct state established \
 	ip protocol udp \
-	iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp sport 53 \
+	iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp sport 53 \
 	ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \
 	counter accept comment "DNS replies"
 add rule ip6 ifg_filter input \
 	ct state established \
-	iifname $INTERNAL_IF ip6 saddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp sport 53 \
+	iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp sport 53 \
 	ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
 	counter accept comment "DNS replies"
 
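Review bot: The `# primary name server address` comment and the `PNS_INTERNAL_IPV4` define stay in place while the new `SNS_INTERNAL_*` block above them takes over the NOTIFY and zone-transfer role in the forward rules later in this patch, so a reader of the defines cannot tell which of PNS, SNS, NS1 and NS2 is still referenced or what role each plays. Either drop `PNS_INTERNAL_IPV4` if nothing references it any more, or say in its comment what still uses it, and make the three new comments role-specific, e.g. `# source name server (internal network): sends NOTIFY to and serves zone transfers for the perimeter name servers` and `# name server 1 address (internal network): resolver used by ifg itself`. `PNS_INTERNAL` is now also the only name server without an IPv6 define, which is either an omission or further evidence that it is retired; the comment should settle which.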
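Review bot: The reply path to ifg's own resolver accepts only UDP from `$NS1_INTERNAL_IPV4`/`$NS2_INTERNAL_IPV4` sport 53, so an answer that comes back truncated and makes the stub resolver retry over TCP 53 has no matching accept in this hunk, and the output "DNS requests" rules later in the patch are UDP-only as well. Unless a tcp 53 pair to the same two servers exists outside this hunk, large or DNSSEC-signed responses from the new name servers will fail in a way that looks like an intermittent resolver problem on ifg. A TCP pair mirroring these two rules, `ct state new ... tcp dport 53` on output and `ct state established ... tcp sport 53` on input, with the same `{ $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 }` set, would close that gap.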
@@ -244,23 +252,38 @@ add rule ip ifg_filter forward \
 add rule ip ifg_filter forward \
 	ct state new \
 	ip protocol udp \
-	iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 udp sport 1024-65535 \
+	iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 udp sport 1024-65535 \
 	oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \
 	counter accept comment "DNS zone notification"
+add rule ip6 ifg_filter forward \
+	ct state new \
+	iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 udp sport 1024-65535 \
+	oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } udp dport 53 \
+	counter accept comment "DNS zone notification"
 
 add rule ip ifg_filter forward \
 	ct state new \
 	ip protocol tcp \
 	iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
-	oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IPV4 tcp dport 53 \
+	oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport 53 \
+	counter accept comment "DNS zone transfer requests"
+add rule ip6 ifg_filter forward \
+	ct state new \
+	iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \
+	oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport 53 \
 	counter accept comment "DNS zone transfer requests"
 
 add rule ip ifg_filter forward \
 	ct state established \
 	ip protocol tcp \
-	iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 tcp sport 53 \
+	iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport 53 \
 	oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 	counter accept comment "DNS zone transfer replies"
+add rule ip6 ifg_filter forward \
+	ct state established \
+	iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport 53 \
+	oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \
+	counter accept comment "DNS zone transfer replies"
 
 add rule ip ifg_filter forward \
 	ip protocol udp \
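Review bot: The new ip6 forward rules cover the NOTIFY from `$SNS_INTERNAL_IPV6` to the perimeter name servers and the TCP transfer request/reply pair, but nothing in the hunk accepts the NOTIFY responses that come back from `$ENS_PERIMETER_IPV6`/`$PNS_PERIMETER_IPV6` sport 53 to `$SNS_INTERNAL_IPV6` dport 1024-65535; the IPv4 rule that begins on the hunk's last two lines (`add rule ip ifg_filter forward \` / `ip protocol udp \`) is cut off here and may be that reply rule, in which case it needs an ip6 counterpart in the same shape as the other three added here (`ct state established`, `iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } udp sport 53`, `oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 udp dport 1024-65535`). Separately, this hunk lets the two perimeter name servers open TCP 53 sessions into the internal network to the source name server, and the address match is the only control visible; the transfer should also be gated on the server itself (an allow-transfer list bound to a TSIG key, or whatever the name server offers), since a perimeter host is exactly the one a firewall designer expects to be compromised first. One style point: the IPv4 rules carry an explicit `ip protocol udp`/`tcp` that the new ip6 rules omit; in nftables `udp sport`/`tcp sport` already implies the L4 match, so the IPv4 lines are the redundant ones and could be trimmed for symmetry rather than adding `meta l4proto` to the ip6 ones.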
@@ -391,12 +414,12 @@ add rule ip ifg_filter output \
 	ct state new \
 	ip protocol udp \
 	ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \
-	oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp dport 53 \
+	oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp dport 53 \
 	counter accept comment "DNS requests"
 add rule ip6 ifg_filter output \
 	ct state new \
 	ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
-	oifname $INTERNAL_IF ip6 daddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp dport 53 \
+	oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp dport 53 \
 	counter accept comment "DNS requests"
 
 add rule ip ifg_filter output \
-- 
2.54.0
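Review bot: The two-element set `{ $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 }` (and its IPv6 twin) is now spelled out here and again in the input "DNS replies" rules earlier in the patch, and the two copies have to stay in lockstep or queries go out to a server whose answers are then dropped. nftables allows a define to hold a set, so `define RESOLVERS_INTERNAL_IPV4 = { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 }` placed after the address defines, used as `ip daddr $RESOLVERS_INTERNAL_IPV4` here and `ip saddr $RESOLVERS_INTERNAL_IPV4` in the input rule, keeps the resolver list in one place. This hunk also removes the last visible references to `$SVC_INTERNAL_IPV4`/`$SVC_INTERNAL_IPV6`; before their defines are dropped, grep the rest of the file for any remaining use, because nft rejects the whole ruleset on an undefined symbol and this is a firstboot script, so a stale reference would leave the ruleset unloaded on the first boot. The enclosing `add rule ip ifg_filter output \` line of the first rule sits before the hunk, and the rule on the last line continues after it.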