Diffstat (limited to 'inventory/host_vars/ch-iot.yml')
-rw-r--r-- | inventory/host_vars/ch-iot.yml | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml index 0aca3e57..043403b3 100644 --- a/inventory/host_vars/ch-iot.yml +++ b/inventory/host_vars/ch-iot.yml @@ -49,10 +49,33 @@ ntp_server: - "{{ network_zones.iot.prefix }}" +nftables_base_rules: + main: | + table inet global { + chain input_iot { + ip protocol icmp accept + ip6 nexthdr ipv6-icmp accept + tcp dport { domain, 1883 } accept + udp dport { bootps, domain, ntp } accept + } + + chain input { + type filter hook input priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot } + } + + chain forward { + type filter hook forward priority 0; policy drop; + } + } + + coredns_config: | . { + bind iot0 hosts { - {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org + {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org no_reverse } } |
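Review bot: Traffic on `iot0` that matches nothing in `chain input_iot` falls through to `policy drop` in `chain input` without a counter or log, so a misbehaving or newly added IoT device that needs another port simply goes dark with nothing to observe; consider a final rule in `input_iot` such as `limit rate 5/minute log prefix "iot-drop: " counter` (or at least `counter`) so drops show up in the journal. The bare `1883` in `tcp dport { domain, 1883 }` is the registered MQTT port and deserves a comment above the rules block, e.g. `# 1883: MQTT broker for the IoT zone (plaintext port; presumably relies on broker-side authentication)`, since nothing else in this file names the service. Minor style point: `chain forward` uses `priority 0` while `chain input` uses `priority filter`; both resolve to 0, so pick one spelling, e.g. `type filter hook forward priority filter; policy drop;`.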