From f8d576fb5693637fd02ef4c886fccd2833400c07 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Wed, 15 Dec 2021 19:53:42 +0100
Subject: [PATCH] Updated ifg.in (added nft rules for wiki server).

---
 sources/ifg.in/firstboot/nftables.config | 52 ++++++++++++++++++------
 1 file changed, 39 insertions(+), 13 deletions(-)

diff --git a/sources/ifg.in/firstboot/nftables.config b/sources/ifg.in/firstboot/nftables.config
index 3b3b08c..ae8c869 100644
--- a/sources/ifg.in/firstboot/nftables.config
+++ b/sources/ifg.in/firstboot/nftables.config
@@ -67,19 +67,17 @@ define IFG_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfe
 define IFG_SR_IPV4 = 192.168.42.254
 define IFG_IN_IPV4 = 192.168.43.254
 
-# dvredmine address (internal network)
-define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
-
-# minicrm address (internal network)
-define MINICRM_INTERNAL_IPV4 = 10.228.109.133
+# service address (internal network)
+define SVC_INTERNAL_IPV4 = 10.228.109.253
+define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
 
 # store address (internal network)
 define STORE_INTERNAL_IPV4 = 10.228.109.250
 define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68
 
-# service address (internal network)
-define SVC_INTERNAL_IPV4 = 10.228.109.253
-define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
+# wiki server address (internal network)
+define WIKI_INTERNAL_IPV4 = 10.228.109.239
+define WIKI_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6def
 
 # vpn address (internal network)
 define VPN_INTERNAL_IPV4 = 10.228.109.236
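Review bot: The dvredmine and minicrm defines are deleted in this hunk and re-added unchanged in the next one (@@ -87,10 +85,16 @@), which appears to keep the internal-address block sorted by descending IPv4 address, but neither the file nor the commit message states that ordering, so the move reads as churn and the next addition is likely to land out of place. A one-line comment at the head of the block would make the intent explicit, e.g. `# internal addresses: keep sorted by descending IPv4 address`. The block's first lines are above this hunk, so that comment would sit outside it.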
@@ -87,10 +85,16 @@ define VPN_INTERNAL_IPV4 = 10.228.109.236
 # primary name server address (internal network)
 define PNS_INTERNAL_IPV4 = 10.228.109.174
 
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IPV4 = 10.228.109.133
+
 # internal name server address (internal network)
 define INS_INTERNAL_IPV4 = 10.228.109.104
 define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
 
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
+
 # worksheet address (internal network)
 define WORKSHEET_SR_IPV4 = 192.168.42.248
 
@@ -277,11 +281,33 @@ add rule ip ifg_filter forward \
     iifname $INTERNAL_IF ip saddr $STORE_INTERNAL_IPV4 tcp sport 80 \
     oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
     counter accept comment "Store replies"
-#add rule ip6 ifg_filter forward \
-#    ct state established \
-#    iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \
-#    oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
-#    counter accept comment "Store replies"
+add rule ip6 ifg_filter forward \
+    ct state established \
+    iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \
+    oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
+    counter accept comment "Store replies"
+
+add rule ip ifg_filter forward \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr $WIKI_INTERNAL_IPV4 tcp dport 80 \
+    counter accept comment "Wiki requests"
+add rule ip6 ifg_filter forward \
+    iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
+    oifname $INTERNAL_IF ip6 daddr $WIKI_INTERNAL_IPV6 tcp dport 80 \
+    counter accept comment "Wiki requests"
+
+add rule ip ifg_filter forward \
+    ct state established \
+    ip protocol tcp \
+    iifname $INTERNAL_IF ip saddr $WIKI_INTERNAL_IPV4 tcp sport 80 \
+    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
+    counter accept comment "Wiki replies"
+add rule ip6 ifg_filter forward \
+    ct state established \
+    iifname $INTERNAL_IF ip6 saddr $WIKI_INTERNAL_IPV6 tcp sport 80 \
+    oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
+    counter accept comment "Wiki replies"
 
 add rule ip ifg_filter forward \
     ip protocol tcp \
-- 
2.54.0
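Review bot: The first change in this hunk re-enables the previously commented-out IPv6 "Store replies" rule, which the commit message ("added nft rules for wiki server") does not mention; whether the matching IPv6 "Store requests" rule is active lies outside this hunk, so the change either silently opens the IPv6 return path for the store or adds a rule that never matches. Either way it deserves its own commit or at least a sentence in the message. Separately, the new IPv4 wiki rules carry `ip protocol tcp` while their IPv6 siblings do not; `tcp sport`/`tcp dport` already imply the TCP transport match, so the clause is redundant and the four wiki rules could be written alike. The `add rule ... "Store replies"` statement at the top and the `add rule ip ifg_filter forward` at the bottom both extend outside the hunk.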