Add bastion network
This commit is contained in:
parent
64772b76e4
commit
f4acc8949c
3 changed files with 35 additions and 0 deletions
|
@ -21,6 +21,9 @@ define pve_ipv4 = 10.134.0.0/16
|
|||
define router_ipv6 = 2a09:6840:135::/48
|
||||
define router_ipv4 = 10.135.0.0/16
|
||||
|
||||
define bastion_ipv6 = 2a09:6840:136::/48
|
||||
define bastion_ipv4 = 10.136.0.0/16
|
||||
|
||||
define infra_ipv6 = {
|
||||
$public_server_ipv6,
|
||||
$server_ipv6,
|
||||
|
@ -29,6 +32,7 @@ define infra_ipv6 = {
|
|||
$bmc_ipv6,
|
||||
$pve_ipv6,
|
||||
$router_ipv6,
|
||||
$bastion_ipv6,
|
||||
}
|
||||
define infra_ipv4 = {
|
||||
$public_server_ipv4,
|
||||
|
@ -38,6 +42,7 @@ define infra_ipv4 = {
|
|||
$bmc_ipv4,
|
||||
$pve_ipv4,
|
||||
$router_ipv4,
|
||||
$bastion_ipv4,
|
||||
}
|
||||
|
||||
# FIXME: temporary
|
||||
|
@ -45,11 +50,13 @@ define egress_internet_ipv6 = {
|
|||
$server_ipv6,
|
||||
$pve_ipv6,
|
||||
$router_ipv6,
|
||||
$bastion_ipv6,
|
||||
}
|
||||
define egress_internet_ipv4 = {
|
||||
$server_ipv4,
|
||||
$pve_ipv4,
|
||||
$router_ipv4,
|
||||
$bastion_ipv4,
|
||||
}
|
||||
|
||||
# FIXME: bad ipv6 address
|
||||
|
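Review bot: The new `define bastion_ipv6 = 2a09:6840:136::/48` and `define bastion_ipv4 = 10.136.0.0/16` lines carry no comment, although these prefixes are what the input and forward tables in this commit key SSH trust on; a one-line note above them such as `# bastion (SSH jump) network: trusted source of ssh into every infra segment` would tell a later reader why the same prefix is also inserted into `infra_*` and `egress_internet_*` in the later hunks of this file. The bastion entries added to `egress_internet_ipv6`/`egress_internet_ipv4` appear to sit under the pre-existing `# FIXME: temporary` marker, so it may be worth saying in the comment whether bastion internet egress is meant to outlive that FIXME.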
|
|
@ -10,6 +10,13 @@ table inet input {
|
|||
}
|
||||
}
|
||||
|
||||
chain input_from_server {
|
||||
jump conntrack
|
||||
|
||||
ip6 saddr $prom_infra_ipv6 dport 9100 accept
|
||||
ip saddr $prom_infra_ipv4 dport 9100 accept
|
||||
}
|
||||
|
||||
chain input_from_backbone {
|
||||
ip6 nexthdr { ospf, vrrp } accept
|
||||
ip protocol { ospf, vrrp } accept
|
||||
|
@ -22,6 +29,12 @@ table inet input {
|
|||
tcp dport ssh counter accept
|
||||
}
|
||||
|
||||
chain input_from_bastion {
|
||||
jump conntrack
|
||||
|
||||
tcp dport ssh counter accept
|
||||
}
|
||||
|
||||
chain input_from_anywhere {
|
||||
jump conntrack
|
||||
|
||||
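Review bot: The accept rules added in `input_from_server` (`ip6 saddr $prom_infra_ipv6 dport 9100 accept` and its IPv4 twin) omit the transport protocol, while every pre-existing rule in this table spells it out (`tcp dport ssh counter accept`); as far as I know nft rejects a bare `dport` at load time, so the intended form is likely `ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept`. The same bare `dport ssh` form is repeated in all five hunks of the forward table in this commit. Separately, no rule dispatching into the new `input_from_bastion` chain (by source prefix or ingress interface from the input hook) is visible in these hunks; unless it lives outside them, the chain is unreferenced and bastion SSH would fall through to `input_from_anywhere` instead.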
|
|
|
@ -29,6 +29,9 @@ table inet forward {
|
|||
|
||||
ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
|
||||
ip saddr $prom_infra_v4 udp dport 161 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_backbone {
|
||||
|
@ -39,6 +42,9 @@ table inet forward {
|
|||
|
||||
ip6 saddr $prom_infra_v6 udp dport 161 counter accept
|
||||
ip saddr $prom_infra_v4 udp dport 161 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_bmc {
|
||||
|
@ -46,6 +52,9 @@ table inet forward {
|
|||
|
||||
ip6 saddr $prom_infra_v6 udp dport 161 counter accept
|
||||
ip saddr $prom_infra_v4 udp dport 161 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_pve {
|
||||
|
@ -53,6 +62,9 @@ table inet forward {
|
|||
|
||||
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
|
||||
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_router {
|
||||
|
@ -60,6 +72,9 @@ table inet forward {
|
|||
|
||||
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
|
||||
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
|
||||
|
||||
ip6 saddr $bastion_ipv6 dport ssh accept
|
||||
ip saddr $bastion_ipv4 dport ssh accept
|
||||
}
|
||||
|
||||
chain forward_to_internet {
|
||||
|
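Review bot: The `ip6 saddr $bastion_ipv6 dport ssh accept` / `ip saddr $bastion_ipv4 dport ssh accept` pairs added to each `forward_to_*` chain (including the BMC segment) match on source prefix alone, with no ingress-interface constraint, so unless reverse-path filtering is enforced elsewhere a host on another segment that spoofs a bastion address would also match; pinning the rule to the bastion-facing interface, e.g. `iifname "<bastion-interface>" ip saddr $bastion_ipv4 tcp dport ssh counter accept`, closes that and also restores the `counter` that the neighbouring prometheus rules carry. The enclosing `forward_to_internet` chain at the end of the last hunk continues outside this view, so I cannot tell whether a matching rule was intended there too.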
|