zentralwerk/network
zentralwerk
/
network
12
4
Fork 2
Code Issues 3 Pull Requests 1 Releases Wiki Activity

apply mgmt-gw's firewall via lxc-hook

This commit is contained in:
webzwo0i 2017-05-29 19:46:45 +02:00
parent d59f9672d4
commit 2f202d7b2f
2 changed files with 26 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
salt/firewall/mgmt-gw.sh
View File

@ -1,25 +1,24 @@
#!/bin/sh
if [ "$IFACE" = "{{ interface }}" ]; then
iptables -F FORWARD
ip6tables -F FORWARD
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# DNS
iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
# NTP
iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
# collectd
iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
# downloads.lede-project.org
iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
# Deny by default
iptables -A FORWARD -j REJECT
ip6tables -A FORWARD -j REJECT
fi
IFACE=mgmt
iptables -F FORWARD
ip6tables -F FORWARD
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# DNS
iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
# NTP
iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
# collectd
iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
# downloads.lede-project.org
iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
# Deny by default
iptables -A FORWARD -j REJECT
ip6tables -A FORWARD -j REJECT

4
salt/lxc-containers/config
View File

@ -55,6 +55,10 @@ lxc.network.name={{ net }}
{%- set n = n + 1 %}
{%- endfor %}
{%- if id == 'mgmt-gw' %}
lxc.network.script.up=/etc/network/if-pre-up.d/firewall
{%- endif %}
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod