authorChristian Pointner <equinox@spreadspace.org>2023-04-23 19:33:41 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-04-23 19:33:41 +0200
commit665ad225006034a415729d4fc78a7d1940d24897 (patch)
tree3745554765c129eb30e6886eff145784ba32c2c3 /inventory
parentalso gather standalone-kubelet metrics for promzone elevate-festival (diff)
ch-jump: limit jump targets for c3voc using nftables
Diffstat (limited to 'inventory')
-rw-r--r--inventory/host_vars/ch-jump.yml11
1 files changed, 11 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml
index e2fe51d6..ab03c1a4 100644
--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -49,3 +49,14 @@ sshd_jump_users:
# fim:
# authorized_keys:
# - ssh-rsa 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 fim@digl012
+
+
+nftables_base_rules:
+ public-services: |
+ table ip filter {
+ chain sshd-jump {
+ type filter hook output priority filter;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ skuid c3voc ip daddr != { {{ network_zones.c3voc.prefix }} } reject
+ }
+ }