apply mgmt-gw's firewall via lxc-hook
This commit is contained in:
parent
d59f9672d4
commit
2f202d7b2f
|
@ -1,25 +1,24 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
if [ "$IFACE" = "{{ interface }}" ]; then
|
IFACE=mgmt
|
||||||
iptables -F FORWARD
|
iptables -F FORWARD
|
||||||
ip6tables -F FORWARD
|
ip6tables -F FORWARD
|
||||||
iptables -P FORWARD DROP
|
iptables -P FORWARD DROP
|
||||||
ip6tables -P FORWARD DROP
|
ip6tables -P FORWARD DROP
|
||||||
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||||
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||||
# DNS
|
# DNS
|
||||||
iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
||||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
|
||||||
# NTP
|
# NTP
|
||||||
iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
||||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
|
||||||
# collectd
|
# collectd
|
||||||
iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
||||||
ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
|
||||||
# downloads.lede-project.org
|
# downloads.lede-project.org
|
||||||
iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
|
iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
|
||||||
ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
|
ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
|
||||||
# Deny by default
|
# Deny by default
|
||||||
iptables -A FORWARD -j REJECT
|
iptables -A FORWARD -j REJECT
|
||||||
ip6tables -A FORWARD -j REJECT
|
ip6tables -A FORWARD -j REJECT
|
||||||
fi
|
|
||||||
|
|
|
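Review bot: Replacing the `if [ "$IFACE" = ... ]` guard with the constant `IFACE=mgmt` makes the script flush the host's entire FORWARD chain and reset its policy unconditionally on every invocation, and the path the second hunk points the container at is `/etc/network/if-pre-up.d/firewall`, a directory ifupdown executes for every interface it brings up — so if the file stays installed there it now also runs, guard-less, whenever any unrelated interface comes up and clobbers whatever FORWARD rules other containers or services installed. Either move the script to a hook-only location outside `if-pre-up.d`, or take the interface from the hook's own arguments rather than the constant on the third line (LXC passes the host-side device name to `lxc.network.script.up` as a trailing positional argument; confirm its position for the LXC version in use), e.g. `IFACE=${5:-mgmt}`. The `-i $IFACE` expansions should be quoted as `-i "$IFACE"`, and a `set -e` after the shebang would surface a failed iptables/ip6tables call to LXC instead of silently leaving a partially applied ruleset. The hardcoded `mgmt` is the host-side name the FORWARD rules match on; the template's `lxc.network.name` is the container-side name, so verify the two actually agree.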
@ -55,6 +55,10 @@ lxc.network.name={{ net }}
|
||||||
{%- set n = n + 1 %}
|
{%- set n = n + 1 %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
{%- if id == 'mgmt-gw' %}
|
||||||
|
lxc.network.script.up=/etc/network/if-pre-up.d/firewall
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
|
|
||||||
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
|
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
|
||||||
|
|
||||||
|
|
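Review bot: In the legacy `lxc.network.*` format a `lxc.network.script.up` key applies to the most recently declared network entry, so the hook added after `{%- endfor %}` binds to whichever network the loop emitted last rather than to the management interface specifically; if `mgmt-gw` ever defines more than one network the hook may fire for a different interface, possibly before the management device exists on the host. Document the dependency above the new block, e.g. `{# hook binds to the last lxc.network entry above; keep the management network last or emit this inside the loop #}`, or emit the line inside the loop directly after the management entry — confirm the binding rule against the deployed LXC version. There is no matching `lxc.network.script.down`, so the FORWARD rules and DROP policy remain on the host after the container stops; that is fail-closed and probably intended, but it belongs in the same comment so nobody "fixes" it later.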