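{{ ansible_managed | comment }}

# Forward-path filtering for routed traffic.
#
# The base chain `forward` has policy drop. Packets are dispatched by destination
# address to a per-role chain (server, UPS, BMC, PVE, router, ...); anything whose
# destination matches no known role falls through to forward_to_internet.
# Every per-role chain first jumps to `conntrack`, so replies to existing flows
# are accepted and invalid packets dropped before any new-connection rule runs.
#
# The address variables ($infra_ipv6, $bastion_ipv4, $prom_infra_ipv6, ...) are
# not defined in this file; they are expected to come from an included file or
# the rendering template.

table inet forward {
    # Shared stateful handling used by every per-role chain.
    chain conntrack {
        ct state vmap {
            established: accept,
            related: accept,
            invalid: drop,
        }
    }

    # Public servers: reply traffic only; no new forwarded connections are
    # permitted here, so anything else hits the base chain's drop policy.
    chain forward_to_public_server {
        jump conntrack
    }

    # Internal servers.
    chain forward_to_server {
        jump conntrack
        # Infra -> log host (presumably syslog: 2514/tcp and 514/udp), both families.
        ip6 saddr $infra_ipv6 ip6 daddr $log_infra_ipv6 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }
        ip saddr $infra_ipv4 ip daddr $log_infra_ipv4 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }
        # Prometheus scrape (presumably node_exporter on 9100/tcp).
        # The IPv4 rule is aligned with the IPv6 rule above and with the
        # forward_to_pve / forward_to_router chains: it previously matched
        # `udp dport 161`, which no other server-role rule uses, so IPv4
        # scrapes of servers would have been dropped silently.
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
        # SSH only from the bastion. `counter` added for parity with the
        # other accept rules so hits are visible in `nft list ruleset`.
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    # Backbone hosts: intentionally no rules (not even conntrack), so every
    # forwarded packet to a backbone address, including replies, falls back to
    # the base chain's drop policy.
    chain forward_to_backbone {
    }

    # UPS devices: SNMP from the monitoring hosts, SSH from the bastion.
    chain forward_to_ups {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
        ip saddr $prom_infra_ipv4 udp dport 161 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    # Out-of-band management controllers: same exposure as the UPS devices.
    chain forward_to_bmc {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
        ip saddr $prom_infra_ipv4 udp dport 161 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    # Hypervisors: Prometheus scrape on 9100/tcp, SSH from the bastion.
    chain forward_to_pve {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    # Routers: same exposure as the hypervisors.
    chain forward_to_router {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    # Egress: only the designated source sets may initiate outbound flows.
    # NOTE(review): this chain matches on source only, with no `oif` or
    # destination restriction, so egress sources can also reach any internal
    # address that is absent from the destination vmaps in `forward` below.
    # Confirm that is intended, or add an `oif` match for the upstream interface.
    chain forward_to_internet {
        jump conntrack
        ip6 saddr $egress_internet_ipv6 counter accept
        ip saddr $egress_internet_ipv4 counter accept
    }

    # Base chain: dispatch by destination, default drop.
    chain forward {
        type filter hook forward priority filter
        policy drop

        # Loopback traffic is delivered locally and does not traverse the
        # forward hook, so this rule is a harmless no-op kept for clarity.
        iif lo accept

        ip6 daddr vmap {
            $public_server_ipv6: goto forward_to_public_server,
            $server_ipv6: goto forward_to_server,
            $backbone_ipv6: goto forward_to_backbone,
            $ups_ipv6: goto forward_to_ups,
            $bmc_ipv6: goto forward_to_bmc,
            $pve_ipv6: goto forward_to_pve,
            $router_ipv6: goto forward_to_router,
        }
        ip daddr vmap {
            $public_server_ipv4: goto forward_to_public_server,
            $server_ipv4: goto forward_to_server,
            $backbone_ipv4: goto forward_to_backbone,
            $ups_ipv4: goto forward_to_ups,
            $bmc_ipv4: goto forward_to_bmc,
            $pve_ipv4: goto forward_to_pve,
            $router_ipv4: goto forward_to_router,
        }

        # Unknown destination: treat as internet-bound.
        goto forward_to_internet
    }
}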