WIP: Infrastructure routers #91

Draft
jeltz wants to merge 15 commits from infra_router into master
5 changed files with 55 additions and 46 deletions
Showing only changes of commit 4d85cd7e4b - Show all commits

View file

@ -59,10 +59,21 @@ define egress_internet_ipv4 = {
$bastion_ipv4, $bastion_ipv4,
} }
# FIXME: bad ipv6 address define aurore_ipv4 = {
define log_ipv6 = 2a09:6840:128::241/128 10.0.0.0/8,
define log_ipv4 = 10.128.0.241 45.66.108.0/22,
}
define need_nat_ipv4 = {
10.0.0.0/8,
}
define nat_public_ipv4 = 45.66.111.10
# FIXME: bad ipv6 address # FIXME: bad ipv6 address
define prom_infra_v6 = 2a09:6840:128::67/128 define log_infra_ipv6 = 2a09:6840:128::241/128
define prom_infra_v4 = 10.128.0.67 define log_infra_ipv4 = 10.128.0.241
# FIXME: bad ipv6 address
define prom_infra_ipv6 = 2a09:6840:128::67/128
define prom_infra_ipv4 = 10.128.0.67

View file

@ -4,17 +4,17 @@ table inet input {
chain conntrack { chain conntrack {
ct state vmap { ct state vmap {
established: counter accept, established: accept,
related: counter accept, related: accept,
invalid: counter drop, invalid: drop,
} }
} }
chain input_from_server { chain input_from_server {
jump conntrack jump conntrack
ip6 saddr $prom_infra_ipv6 dport 9100 accept ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
ip saddr $prom_infra_ipv4 dport 9100 accept ip saddr $prom_infra_ipv4 tcp dport 9100 accept
} }
chain input_from_backbone { chain input_from_backbone {

View file

@ -4,9 +4,9 @@ table inet output {
chain conntrack { chain conntrack {
ct state vmap { ct state vmap {
established: counter accept, established: accept,
related: counter accept, related: accept,
invalid: counter drop, invalid: drop,
} }
} }

View file

@ -4,9 +4,9 @@ table inet forward {
chain conntrack { chain conntrack {
ct state vmap { ct state vmap {
established: counter accept, established: accept,
related: counter accept, related: accept,
invalid: counter drop, invalid: drop,
} }
} }
@ -27,11 +27,11 @@ table inet forward {
udp dport 514 counter accept udp dport 514 counter accept
} }
ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
ip saddr $prom_infra_v4 udp dport 161 counter accept ip saddr $prom_infra_ipv4 udp dport 161 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept ip saddr $bastion_ipv4 tcp dport ssh accept
} }
chain forward_to_backbone { chain forward_to_backbone {
@ -40,21 +40,21 @@ table inet forward {
chain forward_to_ups { chain forward_to_ups {
jump conntrack jump conntrack
ip6 saddr $prom_infra_v6 udp dport 161 counter accept ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
ip saddr $prom_infra_v4 udp dport 161 counter accept ip saddr $prom_infra_ipv4 udp dport 161 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept ip saddr $bastion_ipv4 tcp dport ssh accept
} }
chain forward_to_bmc { chain forward_to_bmc {
jump conntrack jump conntrack
ip6 saddr $prom_infra_v6 udp dport 161 counter accept ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
ip saddr $prom_infra_v4 udp dport 161 counter accept ip saddr $prom_infra_ipv4 udp dport 161 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept ip saddr $bastion_ipv4 tcp dport ssh accept
} }
chain forward_to_pve { chain forward_to_pve {
@ -63,8 +63,8 @@ table inet forward {
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept ip saddr $bastion_ipv4 tcp dport ssh accept
} }
chain forward_to_router { chain forward_to_router {
@ -73,8 +73,8 @@ table inet forward {
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept ip saddr $bastion_ipv4 tcp dport ssh accept
} }
chain forward_to_internet { chain forward_to_internet {

View file

@ -2,20 +2,18 @@
table ip nat { table ip nat {
# chain prerouting { chain postrouting {
# type nat hook prerouting dstnat type nat hook postrouting priority srcnat
# polict accept policy accept
# }
# chain postrouting { iif lo return
# type nat hook postrouting priority srcnat
# policy accept # Is there any other way to do that?
# meta pkttype { multicast, broadcast } return
# iif lo return ip daddr 224.0.0.0/24 return
#
# meta pkttype unicast \ ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 \
# ip saddr $nat_v4 ip daddr != $saclay_v4 \ snat $nat_public_ipv4 persistent
# snat $snat_any_v4 persistent }
# }
} }