diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2019-07-10 17:21:54 +0200 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2019-07-10 17:21:54 +0200 |
| commit | 3f1364557e1753ca0e8f2efcec9087516f4e0cbe (patch) | |
| tree | c4fa61852fd82d8d9ac18cb851f4292c0051efe9 /inventory/host_vars/ch-router.yml | |
| parent | ch-router: fix firewall script (diff) | |
added new jumphost
Diffstat (limited to 'inventory/host_vars/ch-router.yml')
| -rw-r--r-- | inventory/host_vars/ch-router.yml | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index deaf0371..c3df8e2b 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml @@ -65,19 +65,34 @@ openwrt_mixin: SSH_PORT=$(uci get dropbear.@dropbear[0].Port) + + ## Local Traffic + # iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + + ## WAN Traffic + # iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT + iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" + iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT + + + ## LAN Traffic + # + iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s 192.168.0.0/16 -j ACCEPT iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT + iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j SNAT --to "$MAGENTA_IPADDR" + iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s 192.168.0.0/16 -j SNAT --to "$MAGENTA_IPADDR" + + ## Drop all other inbound traffic + # iptables -P INPUT DROP iptables -P FORWARD DROP } |