From 38fe626bdb009da2bc636c6c20d908b0afa7fbff Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Tue, 27 Nov 2018 22:15:57 +0100
Subject: space_server: nftables: accept all traffic to colo nets

..but don't let colo servers connect to internal addresses.
---
 roles/space_server/files/nftables.conf | 38 ++++++++++++----------------------
 1 file changed, 13 insertions(+), 25 deletions(-)

diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 5f2f1b3..3c34582 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -3,15 +3,6 @@
 define ap1 = 10.42.0.5
 define ap2 = 10.42.0.6
 define labitat = 185.38.172.72
-define spacewand4 = 185.38.175.70
-define spacewand6 = 2a01:4262:1ab::cafe
-
-define spacebrain4 = 185.38.175.69
-define spacebrain6 = 2a01:4262:1ab::db
-
-define labservers4 = { $spacewand4, $spacebrain4 }
-define labservers6 = { $spacewand6, $spacebrain6 }
-
 # internal stuff
 define ext_if = wan
 define ext_ip4 = 185.38.175.0
@@ -46,17 +37,17 @@ define pass_ip4 = 10.42.4.1
 define pass_net4 = 10.42.4.0/24
 define pass_net6 = 2a01:4262:1ab:e::/64
 
-define serv_if = lan20
-define serv_ip4 = 185.38.175.65
-define serv_net4 = 185.38.175.64/24
-define serv_net6 = 2a01:4262:1ab:20::/64
-
-define avahi_ifs = { $wire_if, $priv_if, $pass_if }
-
 #define nat64_if = nat64
 #define nat64_net = 10.42.255.0/24
 #define nat64_net6 = fde2:52b4:4a19:ffff::/96
 
+define colo_if = lan20
+define colo_ip4 = 185.38.175.65
+define colo_net4 = 185.38.175.64/26
+define colo_net6 = 2a01:4262:1ab:20::/64
+
+define avahi_ifs = { $wire_if, $priv_if, $pass_if }
+
 table ip filter {
 chain input {
 type filter hook input priority 0;
@@ -108,10 +99,8 @@ table ip filter {
 ct state established,related accept
 ct state invalid drop
 
- # accept all traffic to Labitat servers
- ip daddr $labservers4 accept
-
- ip saddr $labitat udp dport 161 counter accept # traffic stats
+ # traffic stats
+ ip saddr $labitat udp dport 161 counter accept
 
 # no traffic to admin net
 ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
@@ -123,7 +112,8 @@ table ip filter {
 iif $priv_if ip saddr $priv_net4 accept
 iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
 iif $pass_if ip saddr $pass_net4 accept
- iif $serv_if ip saddr $serv_net4 accept
+ iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
+ oif $colo_if accept
 
 ## debugging
 #iif $ext_if counter drop
@@ -170,14 +160,12 @@ table ip6 filter {
 ct state established,related accept
 ct state invalid drop
 
- # accept all traffic to Labitat servers
- ip6 daddr $labservers6 accept
-
 iif $wire_if ip6 saddr $wire_net6 accept
 iif $priv_if ip6 saddr $priv_net6 accept
 iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
 iif $pass_if ip6 saddr $pass_net6 accept
- iif $serv_if ip6 saddr $serv_net6 accept
+ iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
+ oif $colo_if accept
 
 ## debugging
 #counter log prefix "fw6: " drop
--
cgit v1.2.1
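Review bot: The re-added `ip saddr $labitat udp dport 161 counter accept` matches on source only, and it sits above the `# no traffic to admin net` reject, so SNMP from $labitat is accepted towards every destination this chain handles, $adm_net4 and the colo net included. If only specific targets are meant to be polled, pin the destination as well, e.g. `ip saddr $labitat ip daddr $colo_net4 udp dport 161 counter accept`, or whichever hosts are actually polled. The chain's header and policy are outside the hunk, so which hook this is cannot be confirmed from here; the `ct state` rules above it suggest it decides new connections.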
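Review bot: `oif $colo_if accept` in the second hunk carries no `iif`, source or destination match, so every packet the router forwards out lan20 is accepted regardless of where it came in, whether $ext_if, the guest nets ($free_if, $pass_if) or anything else. That is what the commit title asks for, but in the ruleset it reads as an unexplained catch-all; suggest `# colo net is public: forward anything routed to it, from any interface` above it and `oif $colo_if counter accept` so the opening is visible in `nft list ruleset`. The preceding `iif $colo_if ... ip daddr != $int_net4 accept` only keeps colo hosts off $int_net4; whether that covers $adm_net4 and the other 10.42.x nets depends on the definition of $int_net4, which is not in this hunk. The enclosing chain starts and ends outside the hunk.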
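Review bot: The IPv6 colo rule in the last hunk excludes `$ext_net6` where its IPv4 twin excludes `$int_net4`, so what "internal addresses" means differs per family and hinges on how $ext_net6 is defined, which is not visible here. If $ext_net6 is the site /48 that also contains $wire_net6, $priv_net6 and $pass_net6 (they are all 2a01:4262:1ab:…::/64), colo hosts are indeed kept off the other subnets, mirroring the existing $free_if rule; if it is only the WAN /64, they can reach every other v6 subnet, contrary to the commit message. Consider making the intent explicit with a set that parallels $int_net4, e.g. `define int_net6 = { $wire_net6, $priv_net6, $pass_net6, $free_net6 }` and `iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $int_net6 accept`, with a one-line comment on why the v6 exclusion is what it is. The enclosing chain's header is outside the hunk.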