authorEmil Renner Berthing <esmil@labitat.dk>2018-11-27 22:15:57 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2018-11-28 21:13:09 +0100
commit38fe626bdb009da2bc636c6c20d908b0afa7fbff (patch)
treef72b8073e7c47e6e1125aa51a5dcd015ac203201 /roles/space_server
parent92717c5601d04ea9ae75486998c1a257473de339 (diff)
space_server: nftables: accept all traffic to colo nets
..but don't let colo servers connect to internal addresses.
Diffstat (limited to 'roles/space_server')
-rw-r--r--roles/space_server/files/nftables.conf38
1 files changed, 13 insertions, 25 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 5f2f1b3..3c34582 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -3,15 +3,6 @@ define ap1 = 10.42.0.5
define ap2 = 10.42.0.6
define labitat = 185.38.172.72
-define spacewand4 = 185.38.175.70
-define spacewand6 = 2a01:4262:1ab::cafe
-
-define spacebrain4 = 185.38.175.69
-define spacebrain6 = 2a01:4262:1ab::db
-
-define labservers4 = { $spacewand4, $spacebrain4 }
-define labservers6 = { $spacewand6, $spacebrain6 }
-
# internal stuff
define ext_if = wan
define ext_ip4 = 185.38.175.0
@@ -46,17 +37,17 @@ define pass_ip4 = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4262:1ab:e::/64
-define serv_if = lan20
-define serv_ip4 = 185.38.175.65
-define serv_net4 = 185.38.175.64/24
-define serv_net6 = 2a01:4262:1ab:20::/64
-
-define avahi_ifs = { $wire_if, $priv_if, $pass_if }
-
#define nat64_if = nat64
#define nat64_net = 10.42.255.0/24
#define nat64_net6 = fde2:52b4:4a19:ffff::/96
+define colo_if = lan20
+define colo_ip4 = 185.38.175.65
+define colo_net4 = 185.38.175.64/26
+define colo_net6 = 2a01:4262:1ab:20::/64
+
+define avahi_ifs = { $wire_if, $priv_if, $pass_if }
+
table ip filter {
chain input {
type filter hook input priority 0;
@@ -108,10 +99,8 @@ table ip filter {
ct state established,related accept
ct state invalid drop
- # accept all traffic to Labitat servers
- ip daddr $labservers4 accept
-
- ip saddr $labitat udp dport 161 counter accept # traffic stats
+ # traffic stats
+ ip saddr $labitat udp dport 161 counter accept
# no traffic to admin net
ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
@@ -123,7 +112,8 @@ table ip filter {
iif $priv_if ip saddr $priv_net4 accept
iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
iif $pass_if ip saddr $pass_net4 accept
- iif $serv_if ip saddr $serv_net4 accept
+ iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
+ oif $colo_if accept
## debugging
#iif $ext_if counter drop
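Review bot: The IPv4 and IPv6 colo rules exclude different ranges: `iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept` here keeps colo hosts off the internal IPv4 net, while the ip6 counterpart in the last hunk uses `ip6 daddr != $ext_net6`, so whether colo hosts can reach internal IPv6 prefixes depends on what $ext_net6 covers, which is not visible in this diff. If an internal IPv6 aggregate define exists the ip6 rule should match it instead; if $ext_net6 is deliberately the aggregate, a comment such as `# $ext_net6 covers every locally routed v6 prefix, so this also keeps colo off internal nets` above the rule would make that intent checkable. The two `oif $colo_if accept` lines carry no destination match, so they accept anything routed out lan20 rather than only the defined colo net; `oif $colo_if ip daddr $colo_net4 accept` (and the $colo_net6 equivalent) ties the accept to the advertised range. The admin-net reject above this hunk matches only sources in $int_net4, so colo sources bypass it unless $adm_net4 lies inside $int_net4, which is worth confirming. The enclosing chain's header and end are outside the hunk.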
@@ -170,14 +160,12 @@ table ip6 filter {
ct state established,related accept
ct state invalid drop
- # accept all traffic to Labitat servers
- ip6 daddr $labservers6 accept
-
iif $wire_if ip6 saddr $wire_net6 accept
iif $priv_if ip6 saddr $priv_net6 accept
iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
iif $pass_if ip6 saddr $pass_net6 accept
- iif $serv_if ip6 saddr $serv_net6 accept
+ iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
+ oif $colo_if accept
## debugging
#counter log prefix "fw6: " drop