diff options
| author | Emil Renner Berthing <esmil@labitat.dk> | 2020-03-07 17:24:49 +0100 |
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2020-03-07 17:24:49 +0100 |
| commit | 6b7e3b636488dfd50c3710f703cc3f54010c185a (patch) | |
| tree | 3afadf5aeb227076374f8fd9648d34dc5b35548b | |
| parent | ebd0d4d88d471f6729504ff839dc63b5ed617c53 (diff) | |
| download | labitat-ansible-6b7e3b636488dfd50c3710f703cc3f54010c185a.tar.gz labitat-ansible-6b7e3b636488dfd50c3710f703cc3f54010c185a.tar.xz labitat-ansible-6b7e3b636488dfd50c3710f703cc3f54010c185a.zip | |
space_server: nftables: forward space.labitat.dk:17380 to jumbotron
| -rw-r--r-- | roles/space_server/files/nftables.conf | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf index 34d56f3..5f076ed 100644 --- a/roles/space_server/files/nftables.conf +++ b/roles/space_server/files/nftables.conf @@ -2,6 +2,8 @@ define ap1 = 10.42.0.5 define ap2 = 10.42.0.6 define labitat = 185.38.172.72 +define jumbotron_ip4 = 10.42.1.36 +define jumbotron_ip6 = 2a01:4262:1ab:b:ba27:ebff:fed3:c162 # internal stuff define ext_if = wan @@ -108,6 +110,9 @@ table ip filter { # traffic stats ip saddr $labitat udp dport 161 counter accept + # jumbotron webhook + ip daddr $jumbotron_ip4 tcp dport 17380 counter accept + # no traffic to admin net ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited ip daddr $adm_net4 drop @@ -170,6 +175,9 @@ table ip6 filter { ct state established,related accept ct state invalid drop + # jumbotron webhook + ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept + iif $wire_if ip6 saddr $wire_net6 accept iif $priv_if ip6 saddr $priv_net6 accept iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept @@ -187,6 +195,7 @@ table ip6 filter { table ip nat { chain portforward { ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats + ip daddr $ext_ip4 tcp dport 17380 dnat $jumbotron_ip4 # jumbotron webhook } chain prerouting { @@ -210,3 +219,28 @@ table ip nat { oif $ext_if ip saddr $int_net4 snat $ext_ip4 } } + +table ip6 nat { + chain portforward { + ip6 daddr $ext_ip6 tcp dport 17380 dnat $jumbotron_ip6 # jumbotron webhook + } + + chain prerouting { + type nat hook prerouting priority -150; + goto portforward + } + + chain output { + type nat hook output priority -150; + goto portforward + } + + #chain input { + # type nat hook input priority -150; + # # this chain is needed to make dnat from the output chain work + #} + + #chain postrouting { + # type nat hook postrouting priority -150; + #} +} |