ansible/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2


{{ ansible_managed | comment }}
# Forwarding policy for traffic that transits this host. Packets are
# classified by destination address into one role chain each; anything whose
# destination matches no role is treated as internet-bound. The base chain
# policy is drop and every role chain is entered with `goto` (which never
# returns), so a role chain that ends without a verdict falls through to drop.
#
# All `$..._ipv4` / `$..._ipv6` names are nftables `define`s, not Jinja
# variables; they must be declared in an earlier nftables.d file.
table inet forward {
    # Shared stateful filter: accept replies to existing flows and drop what
    # conntrack cannot classify. Packets in state `new` match no key, reach
    # the end of this chain and return to the caller for further rules.
    chain conntrack {
        ct state vmap {
            established: accept,
            related: accept,
            invalid: drop,
        }
    }

    # Public servers: only established/related traffic is accepted here.
    # NOTE(review): nothing in this file admits NEW flows to a public server,
    # so with `goto` + policy drop no connection can be initiated through this
    # host unless rules are appended to this chain elsewhere — confirm.
    chain forward_to_public_server {
        jump conntrack
    }

    # Internal servers: syslog from infra hosts to the log host, metrics
    # scraping from the Prometheus host, and SSH only via the bastion.
    chain forward_to_server {
        jump conntrack
        # infra -> log host: 2514/tcp and 514/udp only (anonymous sub-chain
        # per address family so the saddr/daddr pair is matched once).
        ip6 saddr $infra_ipv6 ip6 daddr $log_infra_ipv6 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }
        ip saddr $infra_ipv4 ip daddr $log_infra_ipv4 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }
        # NOTE(review): the IPv6 rule admits 9100/tcp (node_exporter) while the
        # IPv4 rule admits 161/udp (SNMP). Every other role chain keeps the two
        # families symmetric (pve/router: 9100/tcp, ups/bmc: 161/udp), so this
        # looks like a copy-paste slip. Confirm which port(s) servers expose to
        # the Prometheus host and make both families match.
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 udp dport 161 counter accept
        # SSH is reachable only from the bastion (no `counter` here, unlike
        # the monitoring rules above — cosmetic inconsistency only).
        ip6 saddr $bastion_ipv6 tcp dport ssh accept
        ip saddr $bastion_ipv4 tcp dport ssh accept
    }

    # Backbone: no rules. Because the base chain uses `goto` and policy drop,
    # everything addressed to $backbone_* is dropped — including
    # established/related replies, since this chain does not jump to
    # conntrack like the others.
    # NOTE(review): confirm that is intended (i.e. no backbone host ever
    # originates a flow that transits this host).
    chain forward_to_backbone {
    }

    # UPS: SNMP polling from the Prometheus host and SSH via the bastion.
    chain forward_to_ups {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
        ip saddr $prom_infra_ipv4 udp dport 161 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh accept
        ip saddr $bastion_ipv4 tcp dport ssh accept
    }

    # Out-of-band management controllers: same exposure as the UPS —
    # SNMP from Prometheus, SSH from the bastion, nothing else.
    chain forward_to_bmc {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
        ip saddr $prom_infra_ipv4 udp dport 161 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh accept
        ip saddr $bastion_ipv4 tcp dport ssh accept
    }

    # Proxmox hosts: node_exporter (9100/tcp) from Prometheus, SSH via bastion.
    chain forward_to_pve {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh accept
        ip saddr $bastion_ipv4 tcp dport ssh accept
    }

    # Routers: node_exporter (9100/tcp) from Prometheus, SSH via bastion.
    chain forward_to_router {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
        ip6 saddr $bastion_ipv6 tcp dport ssh accept
        ip saddr $bastion_ipv4 tcp dport ssh accept
    }

    # Internet-bound: any destination not classified by the vmaps below.
    # Only flows originating from the egress-permitted sources may be
    # initiated; replies are covered by conntrack.
    # NOTE(review): "not classified" also includes internal addresses that are
    # missing from the vmaps, so $egress_internet_* hosts can reach those as
    # well. Add an explicit guard (e.g. drop RFC1918/ULA destinations here)
    # if that is unwanted.
    chain forward_to_internet {
        jump conntrack
        ip6 saddr $egress_internet_ipv6 counter accept
        ip saddr $egress_internet_ipv4 counter accept
    }

    # Base chain: dispatch on destination address. The two vmaps only consume
    # packets whose daddr is a key; everything else reaches the final `goto`.
    chain forward {
        type filter hook forward priority filter
        policy drop
        # NOTE(review): packets ingressing on lo are not forwarded in practice,
        # so this rule is effectively dead; harmless, but it can be removed.
        iif lo accept
        ip6 daddr vmap {
            $public_server_ipv6: goto forward_to_public_server,
            $server_ipv6: goto forward_to_server,
            $backbone_ipv6: goto forward_to_backbone,
            $ups_ipv6: goto forward_to_ups,
            $bmc_ipv6: goto forward_to_bmc,
            $pve_ipv6: goto forward_to_pve,
            $router_ipv6: goto forward_to_router,
        }
        ip daddr vmap {
            $public_server_ipv4: goto forward_to_public_server,
            $server_ipv4: goto forward_to_server,
            $backbone_ipv4: goto forward_to_backbone,
            $ups_ipv4: goto forward_to_ups,
            $bmc_ipv4: goto forward_to_bmc,
            $pve_ipv4: goto forward_to_pve,
            $router_ipv4: goto forward_to_router,
        }
        # Unconditional: nothing placed after this line is reachable, so a
        # drop-logging rule must live at the end of each role chain instead
        # (e.g. `limit rate 5/minute log prefix "fwd-drop: "`) — drops are
        # currently silent, which hampers incident triage.
        goto forward_to_internet
    }
}