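#######################
# Definitions
#######################
# Host firewall rules for a node whose only externally reachable address is
# EXT_IPADDR on the WireGuard interface EXT_IF; LAN-side traffic is accepted
# only from the primary LAN prefix. The {{ ... }} placeholders are Ansible/Jinja2
# template expressions substituted before deployment. No shebang is present, so
# this is presumably sourced by a firewall hook that calls the *_up/*_down
# functions — confirm against the caller.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"

# NOTE(review): a missing binary exits 0 silently, which leaves the host with
# whatever policy the kernel currently has (normally ACCEPT). The exit code is
# kept for compatibility with the caller; the message to stderr makes the
# fail-open condition visible in logs.
if [ ! -x "$IPTABLES" ]; then
  printf '%s: %s not executable, firewall not applied\n' "${0##*/}" "$IPTABLES" >&2
  exit 0
fi
if [ ! -x "$IP6TABLES" ]; then
  printf '%s: %s not executable, firewall not applied\n' "${0##*/}" "$IP6TABLES" >&2
  exit 0
fi

FILTER="$IPTABLES -t filter"
NAT="$IPTABLES -t nat"
MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"

LAN_IF="{{ network.primary.name }}"
LAN_IPADDR="{{ network.primary.prefix | ipaddr('address') }}"
LAN_NETMASK="{{ network.primary.prefix | ipaddr('netmask') }}"

EXT_IF="wg-gwhetzner"
EXT_IPADDR="192.168.254.2"
# Space-separated port lists; the for-loops below rely on word splitting.
EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
EXT_SERVICES_UDP=""

#########################
# IPv4 UP
#########################
# Installs the IPv4 INPUT rules and then flips INPUT/FORWARD to DROP.
# ACCEPT rules are appended while the policy is still ACCEPT, so there is no
# lockout window during application. Rules are appended (-A), not replaced:
# calling ipv4_up twice without ipv4_down duplicates every rule.
# Outputs: "success" (no newline) on stdout once all commands have been issued;
# individual iptables failures are not checked.
ipv4_up() {
  $FILTER -A INPUT -i lo -j ACCEPT
  # LAN side: only traffic sourced from the LAN prefix and addressed to this
  # host's LAN address, plus replies to connections this host initiated.
  $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
  $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # WireGuard side: ICMP, the listed TCP/UDP services, and established flows.
  $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
  for port in $EXT_SERVICES_TCP; do
    $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport "$port" -j ACCEPT
  done
  for port in $EXT_SERVICES_UDP; do
    $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport "$port" -j ACCEPT
  done
  $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Everything not matched above (including any other interface) is dropped.
  # OUTPUT keeps the kernel's existing policy; it is not touched here.
  $FILTER -P INPUT DROP
  $FILTER -P FORWARD DROP
  printf '%s' "success"
}

#########################
# IPv6 UP
#########################
# Installs the IPv6 INPUT rules: only loopback is accepted before the policy
# becomes DROP. NOTE(review): there is no ICMPv6 (neighbour discovery) and no
# RELATED,ESTABLISHED rule, so the host is effectively unreachable over IPv6
# and will not receive replies to its own IPv6 connections while this is up.
# That looks intentional (no IPv6 service offered) — confirm with the owner.
# Outputs: "success" (no newline) on stdout.
ipv6_up() {
  $FILTER6 -A INPUT -i lo -j ACCEPT
  $FILTER6 -P INPUT DROP
  $FILTER6 -P FORWARD DROP
  printf '%s' "success"
}

#########################
# IPv4 DOWN
#########################
# Flushes the mangle, nat and filter tables and resets all filter policies to
# ACCEPT, i.e. the host is fail-open after this runs. Note that -F on the nat
# and mangle tables also removes rules installed there by other software, not
# only rules from this script (ipv4_up adds none to those tables).
# Outputs: "success" (no newline) on stdout.
ipv4_down() {
  $MANGLE -F
  $NAT -F
  $FILTER -F
  $FILTER -P INPUT ACCEPT
  $FILTER -P FORWARD ACCEPT
  $FILTER -P OUTPUT ACCEPT
  printf '%s' "success"
}

#########################
# IPv6 DOWN
#########################
# IPv6 counterpart of ipv4_down: flushes mangle and filter and resets the
# filter policies to ACCEPT (fail-open). The IPv6 nat table is not touched.
# Outputs: "success" (no newline) on stdout.
ipv6_down() {
  $MANGLE6 -F
  $FILTER6 -F
  $FILTER6 -P INPUT ACCEPT
  $FILTER6 -P FORWARD ACCEPT
  $FILTER6 -P OUTPUT ACCEPT
  printf '%s' "success"
}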