70 lines
1.2 KiB
Django/Jinja
70 lines
1.2 KiB
Django/Jinja
{{ ansible_managed | comment }}
|
|
|
|
table inet input {
|
|
|
|
chain conntrack {
|
|
ct state vmap {
|
|
established: accept,
|
|
related: accept,
|
|
invalid: drop,
|
|
}
|
|
}
|
|
|
|
chain input_from_server {
|
|
jump conntrack
|
|
|
|
ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
|
|
ip saddr $prom_infra_ipv4 tcp dport 9100 accept
|
|
}
|
|
|
|
chain input_from_backbone {
|
|
ip6 nexthdr { ospf, vrrp } accept
|
|
ip protocol { ospf, vrrp } accept
|
|
counter accept # FIXME: temporary
|
|
}
|
|
|
|
chain input_from_router {
|
|
jump conntrack
|
|
|
|
tcp dport ssh counter accept
|
|
}
|
|
|
|
chain input_from_bastion {
|
|
jump conntrack
|
|
|
|
tcp dport ssh counter accept
|
|
}
|
|
|
|
chain input_from_anywhere {
|
|
jump conntrack
|
|
|
|
# FIXME: limit
|
|
ip6 nexthdr icmpv6 counter accept
|
|
ip protocol icmp counter accept
|
|
}
|
|
|
|
chain input {
|
|
type filter hook input priority filter
|
|
policy drop
|
|
|
|
iif lo accept
|
|
|
|
jump input_from_anywhere
|
|
|
|
# FIXME: temporary
|
|
tcp dport ssh accept
|
|
|
|
ip6 saddr vmap {
|
|
$backbone_ipv6: jump input_from_backbone,
|
|
$router_ipv6: jump input_from_router,
|
|
}
|
|
|
|
ip saddr vmap {
|
|
$backbone_ipv4: jump input_from_backbone,
|
|
$router_ipv4: jump input_from_router,
|
|
}
|
|
|
|
reject with icmpx type admin-prohibited
|
|
}
|
|
|
|
}
|