#######################
# Definitions #
#######################
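IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
# Without both binaries nothing below can run. The script still exits 0 here
# (callers may treat a missing firewall tool as "nothing to do"), but it now
# says so on stderr: silently leaving the host without any rule set is
# fail-open and should at least be visible in logs.
if [ ! -x "$IPTABLES" ] || [ ! -x "$IP6TABLES" ]; then
  printf '%s\n' "firewall: $IPTABLES or $IP6TABLES not executable, no rules applied" >&2
  exit 0
fi
# Per-table command prefixes. They are expanded UNQUOTED on purpose at the
# call sites ($FILTER -A ...) so that "-t <table>" splits into separate
# arguments; shellcheck SC2086 is expected on those lines.
FILTER="$IPTABLES -t filter"
NAT="$IPTABLES -t nat"
MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
# LAN side. The {{ ... }} tokens are Jinja2 placeholders filled in when the
# template is rendered (the ansible_port reference below suggests Ansible).
LAN_IF="{{ network.primary.interface }}"
LAN_IPADDR="{{ network.primary.ip }}"
LAN_NETMASK="{{ network.primary.mask }}"
# External side: a tunnel interface (wg- prefix, presumably WireGuard) with a
# fixed private address.
EXT_IF="wg-gwhetzner"
EXT_IPADDR="192.168.254.2"
# Space-separated TCP/UDP ports accepted on EXT_IF (word-split in ipv4_up).
# ansible_port is typically the SSH management port. These are the only ports
# opened on EXT_IF; note that LAN_IF accepts everything from the local subnet
# regardless (see ipv4_up), so they are reachable from the LAN as well.
EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
EXT_SERVICES_UDP=""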
#########################
# IPv4 UP #
#########################
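#######################################
# Install the IPv4 INPUT rule set and switch INPUT/FORWARD to DROP.
# Globals:   FILTER, LAN_IF, LAN_IPADDR, LAN_NETMASK, EXT_IF, EXT_IPADDR,
#            EXT_SERVICES_TCP, EXT_SERVICES_UDP (all read)
# Outputs:   "success" (no newline) on stdout when every command succeeded
# Returns:   0 on success; 1 (with a message on stderr and no "success") when
#            any iptables invocation failed, so a caller checking stdout or the
#            exit status can tell a partial rule set from a complete one.
# Note: rules are appended without flushing first, so calling this twice
# without ipv4_down in between duplicates every rule. OUTPUT policy is never
# touched here.
#######################################
# shellcheck disable=SC2086 -- $FILTER holds "iptables -t filter" and must split
ipv4_up() {
  local rc=0 port
  $FILTER -A INPUT -i lo -j ACCEPT || rc=1
  # LAN: anything from the local subnet addressed to this host, plus replies
  # to connections this host initiated.
  $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT || rc=1
  $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || rc=1
  # Tunnel interface: ICMP, the listed service ports, and replies only.
  $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT || rc=1
  for port in $EXT_SERVICES_TCP; do
    $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport "$port" -j ACCEPT || rc=1
  done
  for port in $EXT_SERVICES_UDP; do
    $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport "$port" -j ACCEPT || rc=1
  done
  $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || rc=1
  # Policies go last so the accept rules are already in place when the chain
  # flips to DROP (no window in which the management port is closed).
  $FILTER -P INPUT DROP || rc=1
  $FILTER -P FORWARD DROP || rc=1
  if [ "$rc" -ne 0 ]; then
    printf '%s\n' "ipv4_up: at least one iptables command failed; rule set may be partial" >&2
    return 1
  fi
  printf '%s' "success"
}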
#########################
# IPv6 UP #
#########################
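#######################################
# Install the IPv6 rule set: loopback only, then INPUT/FORWARD DROP.
# Globals:   FILTER6 (read)
# Outputs:   "success" (no newline) on stdout when every command succeeded
# Returns:   0 on success; 1 (with a message on stderr and no "success") when
#            any ip6tables invocation failed.
# Note: nothing but loopback is accepted, so every other inbound IPv6 packet,
# ICMPv6 (neighbour discovery) and replies to outbound connections included,
# is dropped. That amounts to "no usable IPv6 on this host" - presumably
# intentional; confirm before relying on any IPv6 service here.
#######################################
# shellcheck disable=SC2086 -- $FILTER6 holds "ip6tables -t filter" and must split
ipv6_up() {
  local rc=0
  $FILTER6 -A INPUT -i lo -j ACCEPT || rc=1
  # Policies after the lo rule, mirroring ipv4_up.
  $FILTER6 -P INPUT DROP || rc=1
  $FILTER6 -P FORWARD DROP || rc=1
  if [ "$rc" -ne 0 ]; then
    printf '%s\n' "ipv6_up: at least one ip6tables command failed; rule set may be partial" >&2
    return 1
  fi
  printf '%s' "success"
}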
#########################
# IPv4 DOWN #
#########################
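#######################################
# Tear down IPv4 filtering: flush mangle, nat and filter, then set all three
# filter policies to ACCEPT (the host is fully open afterwards).
# Globals:   MANGLE, NAT, FILTER (read)
# Outputs:   "success" (no newline) on stdout when every command succeeded
# Returns:   0 on success; 1 (with a message on stderr and no "success") when
#            any iptables invocation failed. The remaining commands still run
#            so a failed flush does not leave a DROP policy in place by
#            accident.
#######################################
# shellcheck disable=SC2086 -- $MANGLE/$NAT/$FILTER hold "iptables -t <table>"
ipv4_down() {
  local rc=0
  $MANGLE -F || rc=1
  $NAT -F || rc=1
  $FILTER -F || rc=1
  $FILTER -P INPUT ACCEPT || rc=1
  $FILTER -P FORWARD ACCEPT || rc=1
  $FILTER -P OUTPUT ACCEPT || rc=1
  if [ "$rc" -ne 0 ]; then
    printf '%s\n' "ipv4_down: at least one iptables command failed" >&2
    return 1
  fi
  printf '%s' "success"
}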
#########################
# IPv6 DOWN #
#########################
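#######################################
# Tear down IPv6 filtering: flush mangle and filter, then set all three
# filter policies to ACCEPT.
# Globals:   MANGLE6, FILTER6 (read)
# Outputs:   "success" (no newline) on stdout when every command succeeded
# Returns:   0 on success; 1 (with a message on stderr and no "success") when
#            any ip6tables invocation failed. All commands still run so the
#            policies are reset even if a flush failed.
#######################################
# shellcheck disable=SC2086 -- $MANGLE6/$FILTER6 hold "ip6tables -t <table>"
ipv6_down() {
  local rc=0
  $MANGLE6 -F || rc=1
  $FILTER6 -F || rc=1
  $FILTER6 -P INPUT ACCEPT || rc=1
  $FILTER6 -P FORWARD ACCEPT || rc=1
  $FILTER6 -P OUTPUT ACCEPT || rc=1
  if [ "$rc" -ne 0 ]; then
    printf '%s\n' "ipv6_down: at least one ip6tables command failed" >&2
    return 1
  fi
  printf '%s' "success"
}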