Fix some nftables issues
This commit is contained in:
parent
f4acc8949c
commit
4d85cd7e4b
5 changed files with 55 additions and 46 deletions
|
@ -59,10 +59,21 @@ define egress_internet_ipv4 = {
|
|||
$bastion_ipv4,
|
||||
}
|
||||
|
||||
# FIXME: bad ipv6 address
|
||||
define log_ipv6 = 2a09:6840:128::241/128
|
||||
define log_ipv4 = 10.128.0.241
|
||||
define aurore_ipv4 = {
|
||||
10.0.0.0/8,
|
||||
45.66.108.0/22,
|
||||
}
|
||||
|
||||
define need_nat_ipv4 = {
|
||||
10.0.0.0/8,
|
||||
}
|
||||
|
||||
define nat_public_ipv4 = 45.66.111.10
|
||||
|
||||
# FIXME: bad ipv6 address
|
||||
define prom_infra_v6 = 2a09:6840:128::67/128
|
||||
define prom_infra_v4 = 10.128.0.67
|
||||
define log_infra_ipv6 = 2a09:6840:128::241/128
|
||||
define log_infra_ipv4 = 10.128.0.241
|
||||
|
||||
# FIXME: bad ipv6 address
|
||||
define prom_infra_ipv6 = 2a09:6840:128::67/128
|
||||
define prom_infra_ipv4 = 10.128.0.67
|
||||
|
|
|
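Review bot: The `# FIXME: bad ipv6 address` that preceded `define log_ipv6` is dropped in the rename to `log_infra_ipv6`, yet the address `2a09:6840:128::241/128` is byte-identical and the sibling `prom_infra_ipv6` with the same prefix keeps its FIXME, so the warning looks lost rather than resolved. Either restore `# FIXME: bad ipv6 address` above `define log_infra_ipv6` or fix both addresses together; a wrong /128 in an allow-list fails silently by denying the collector instead of erroring at load time. Separately, `need_nat_ipv4` is the whole `10.0.0.0/8` while `aurore_ipv4` adds `45.66.108.0/22` (which contains `nat_public_ipv4`); a one-line comment stating that the full /8 rather than the specific server subnets is intentionally eligible for SNAT would save the next reader from wondering whether that is an oversight.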
@ -4,17 +4,17 @@ table inet input {
|
|||
|
||||
chain conntrack {
|
||||
ct state vmap {
|
||||
established: counter accept,
|
||||
related: counter accept,
|
||||
invalid: counter drop,
|
||||
established: accept,
|
||||
related: accept,
|
||||
invalid: drop,
|
||||
}
|
||||
}
|
||||
|
||||
chain input_from_server {
|
||||
jump conntrack
|
||||
|
||||
ip6 saddr $prom_infra_ipv6 dport 9100 accept
|
||||
ip saddr $prom_infra_ipv4 dport 9100 accept
|
||||
ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
|
||||
ip saddr $prom_infra_ipv4 tcp dport 9100 accept
|
||||
}
|
||||
|
||||
chain input_from_backbone {
|
||||
|
|
|
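Review bot: Removing `counter` from the `conntrack` vmap loses the only cheap visibility into how many `invalid`-state packets this host drops, which is the first number an operator checks when debugging asymmetric routing or looking for scanning; the same removal is repeated in the output and forward tables. Keep at least the drop branch instrumented, `invalid: counter drop,` (or `invalid: log prefix "ct-invalid " drop` if the rate is low), and take the counters off `established`/`related` only, where they add nothing. The `input_from_server` change to `tcp dport 9100` is the right fix, since `dport` without a transport match is not accepted by nft; `chain input_from_backbone` continues outside this hunk.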
@ -4,9 +4,9 @@ table inet output {
|
|||
|
||||
chain conntrack {
|
||||
ct state vmap {
|
||||
established: counter accept,
|
||||
related: counter accept,
|
||||
invalid: counter drop,
|
||||
established: accept,
|
||||
related: accept,
|
||||
invalid: drop,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -4,9 +4,9 @@ table inet forward {
|
|||
|
||||
chain conntrack {
|
||||
ct state vmap {
|
||||
established: counter accept,
|
||||
related: counter accept,
|
||||
invalid: counter drop,
|
||||
established: accept,
|
||||
related: accept,
|
||||
invalid: drop,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -27,11 +27,11 @@ table inet forward {
|
|||
udp dport 514 counter accept
|
||||
}
|
||||
|
||||
ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
|
||||
ip saddr $prom_infra_v4 udp dport 161 counter accept
|
||||
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
|
||||
ip saddr $prom_infra_ipv4 udp dport 161 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
ip6 saddr $bastion_ipv6 tcp dport ssh accept
|
||||
ip saddr $bastion_ipv4 tcp dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_backbone {
|
||||
|
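Review bot: The renamed pair at the top of this hunk is asymmetric: the IPv6 rule accepts `tcp dport 9100` from `$prom_infra_ipv6` while the IPv4 rule accepts `udp dport 161` from `$prom_infra_ipv4`, whereas `forward_to_pve` and `forward_to_router` use `tcp dport 9100` for both families and only the UPS/BMC chains use 161. That looks like a copy-paste slip the rename carried over — most likely the v4 line should read `ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept`; as written, IPv4 node-exporter scraping into this segment is silently blocked and IPv4 SNMP is allowed where IPv6 is not. The enclosing chain opens above this hunk, so what the `}` after `udp dport 514 counter accept` closes is not visible here.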
@ -40,21 +40,21 @@ table inet forward {
|
|||
chain forward_to_ups {
|
||||
jump conntrack
|
||||
|
||||
ip6 saddr $prom_infra_v6 udp dport 161 counter accept
|
||||
ip saddr $prom_infra_v4 udp dport 161 counter accept
|
||||
ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
|
||||
ip saddr $prom_infra_ipv4 udp dport 161 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
ip6 saddr $bastion_ipv6 tcp dport ssh accept
|
||||
ip saddr $bastion_ipv4 tcp dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_bmc {
|
||||
jump conntrack
|
||||
|
||||
ip6 saddr $prom_infra_v6 udp dport 161 counter accept
|
||||
ip saddr $prom_infra_v4 udp dport 161 counter accept
|
||||
ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
|
||||
ip saddr $prom_infra_ipv4 udp dport 161 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
ip6 saddr $bastion_ipv6 tcp dport ssh accept
|
||||
ip saddr $bastion_ipv4 tcp dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_pve {
|
||||
|
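Review bot: The bastion SSH rules in `forward_to_ups` and `forward_to_bmc` carry no `counter`, unlike the SNMP rules directly above them, so there is no record of how often management access into the UPS and BMC segment is actually exercised. These are the most sensitive targets behind this firewall, so make them `ip6 saddr $bastion_ipv6 tcp dport ssh counter accept` / `ip saddr $bastion_ipv4 tcp dport ssh counter accept`, and consider a `log prefix "bmc-ssh "` on the BMC chain if the volume is low. Both chains are fully visible here and end without an explicit verdict, so the base chain's policy decides everything else — worth confirming it is `drop`, since that is not shown in this hunk.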
@ -63,8 +63,8 @@ table inet forward {
|
|||
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
|
||||
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
ip6 saddr $bastion_ipv6 tcp dport ssh accept
|
||||
ip saddr $bastion_ipv4 tcp dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_router {
|
||||
|
@ -73,8 +73,8 @@ table inet forward {
|
|||
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
|
||||
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
ip6 saddr $bastion_ipv6 tcp dport ssh accept
|
||||
ip saddr $bastion_ipv4 tcp dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_internet {
|
||||
|
|
|
@ -2,20 +2,18 @@
|
|||
|
||||
table ip nat {
|
||||
|
||||
# chain prerouting {
|
||||
# type nat hook prerouting dstnat
|
||||
# polict accept
|
||||
# }
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat
|
||||
policy accept
|
||||
|
||||
# chain postrouting {
|
||||
# type nat hook postrouting priority srcnat
|
||||
# policy accept
|
||||
#
|
||||
# iif lo return
|
||||
#
|
||||
# meta pkttype unicast \
|
||||
# ip saddr $nat_v4 ip daddr != $saclay_v4 \
|
||||
# snat $snat_any_v4 persistent
|
||||
# }
|
||||
iif lo return
|
||||
|
||||
# Is there any other way to do that?
|
||||
meta pkttype { multicast, broadcast } return
|
||||
ip daddr 224.0.0.0/24 return
|
||||
|
||||
ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 \
|
||||
snat $nat_public_ipv4 persistent
|
||||
}
|
||||
|
||||
}
|
||||
|
|
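Review bot: The multicast/broadcast exclusion in `postrouting` is fragile: `meta pkttype` reflects the link-layer type of the received frame and is not set for locally generated packets, and `ip daddr 224.0.0.0/24` covers only the local-network control block rather than all of `224.0.0.0/4`. The `# Is there any other way to do that?` comment has a direct answer — `fib daddr type { broadcast, multicast } return` replaces both lines and is route-based, so it holds regardless of where the packet originated. Two further points: `iif lo return` is probably a no-op for locally generated packets in postrouting (they carry no input interface), so `oif lo return` likely expresses the intent; and the SNAT rule is not bound to an egress interface, so consider `oif <uplink> ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 snat to $nat_public_ipv4 persistent`, using the `to` keyword that current nft documents.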