forked from zentralwerk/network
Merge branch 'master' of https://github.com/zentralwerk/network
This commit is contained in:
commit
07b838a4da
@ -38,6 +38,7 @@ hosts-inet:
|
|||
ap30: 10.0.0.70
|
||||
ap31: 10.0.0.71
|
||||
ap32: 10.0.0.72
|
||||
monit: 10.0.0.80
|
||||
mgmt-gw: 10.0.0.254
|
||||
|
||||
core:
|
||||
@ -1,25 +1,24 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ "$IFACE" = "{{ interface }}" ]; then
|
||||
iptables -F FORWARD
|
||||
ip6tables -F FORWARD
|
||||
iptables -P FORWARD DROP
|
||||
ip6tables -P FORWARD DROP
|
||||
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||
# DNS
|
||||
iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
||||
# NTP
|
||||
iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
||||
# collectd
|
||||
iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
||||
# downloads.lede-project.org
|
||||
iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
|
||||
# Deny by default
|
||||
iptables -A FORWARD -j REJECT
|
||||
ip6tables -A FORWARD -j REJECT
|
||||
fi
|
||||
IFACE=mgmt
|
||||
iptables -F FORWARD
|
||||
ip6tables -F FORWARD
|
||||
iptables -P FORWARD DROP
|
||||
ip6tables -P FORWARD DROP
|
||||
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||
# DNS
|
||||
iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
||||
# NTP
|
||||
iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
||||
# collectd
|
||||
iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
||||
# downloads.lede-project.org
|
||||
iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
|
||||
ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
|
||||
# Deny by default
|
||||
iptables -A FORWARD -j REJECT
|
||||
ip6tables -A FORWARD -j REJECT
|
||||
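Review bot: The new script's `--state ESTABLISHED` accept rules (the two lines after the `-P FORWARD DROP` pair) omit `RELATED`, so ICMP/ICMPv6 error packets that belong to an allowed flow, such as packet-too-big replies needed for path MTU discovery, fall through to the final REJECT; `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` and its ip6tables twin are the usual form, and on current kernels `-m conntrack --ctstate` is the preferred module. With `#!/bin/sh` and no `set -e`, a rule that fails to load leaves the chain partly built while the hook still reports success; adding `set -e` directly after the shebang makes such a failure visible at container start. `IFACE=mgmt` is now hard-coded and every invocation flushes and rewrites the whole FORWARD chain, so if this hook is invoked through `lxc.network.script.up` (as the template change in this commit suggests) it is worth confirming that the host-side interface is really named mgmt, otherwise the `-i $IFACE` rules never match and only the established-state and REJECT rules take effect.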
@ -55,6 +55,10 @@ lxc.network.name={{ net }}
|
|||
{%- set n = n + 1 %}
|
||||
{%- endfor %}
|
||||
|
||||
{%- if id == 'mgmt-gw' %}
|
||||
lxc.network.script.up=/etc/network/if-pre-up.d/firewall
|
||||
{%- endif %}
|
||||
|
||||
|
||||
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
|
||||
|
||||
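Review bot: `sys_time` is listed twice in the new `lxc.cap.drop` line; `lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio mknod` drops the same set. The `lxc.network.script.up` hook added for mgmt-gw runs on the host side when the container's network device is created, so the firewall script it points at rewrites the host's FORWARD chain, not the container's; a one-line comment above the `{%- if id == 'mgmt-gw' %}` block such as `{# host-side hook: rebuilds the host FORWARD chain for the mgmt net #}` would save the next reader from assuming it runs in the container. Because that script starts with `iptables -F FORWARD`, any other rules the host keeps in FORWARD are discarded each time mgmt-gw starts, which is worth stating as intended (or scoping to a dedicated chain) if other containers or hooks also manage host forwarding rules.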