{{ ansible_managed | comment }}
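# Host input filter for both address families (inet table).
# Traffic is classified by source into per-origin chains; the source sets
# ($backbone_*, $router_*, $prom_infra_*) are defined outside this file.
table inet input {
    # Shared connection-tracking verdicts: packets belonging to an existing
    # flow are accepted, invalid ones dropped, and new flows fall through to
    # the chain that jumped here.
    chain conntrack {
        ct state vmap {
            established: counter accept,
            related: counter accept,
            invalid: counter drop,
        }
    }

    # Monitoring scrape traffic on port 9100 from the $prom_infra_* sources.
    # NOTE(review): nothing in chain input jumps here, so this chain currently
    # has no effect; it needs a vmap entry keyed on the server source set.
    chain input_from_server {
        jump conntrack

        # NOTE(review): the original rule read "dport 9100" with no transport
        # header, which nft's parser does not accept as far as I can tell; the
        # match is pinned to TCP here, consistent with the "tcp dport ssh"
        # rules elsewhere in this table. Confirm against the deployed nft version.
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 accept
    }

    # Routing-protocol peers on the backbone (OSPF, VRRP).
    chain input_from_backbone {
        ip6 nexthdr { ospf, vrrp } accept
        ip protocol { ospf, vrrp } accept

        # While this catch-all stands, everything from $backbone_* is accepted
        # and the two protocol rules above are redundant; remove it once the
        # required backbone traffic is enumerated.
        counter accept # FIXME: temporary
    }

    # Management access from the router sources.
    chain input_from_router {
        jump conntrack

        tcp dport ssh counter accept
    }

    # Management access from the bastion sources.
    # NOTE(review): not referenced from chain input, so bastion traffic is not
    # classified here; it only gets in through the temporary global SSH accept.
    chain input_from_bastion {
        jump conntrack

        tcp dport ssh counter accept
    }

    # Rules that apply regardless of source.
    chain input_from_anywhere {
        jump conntrack

        # FIXME: limit
        # ICMP/ICMPv6 are accepted unbounded. Any rate limit added here must
        # keep ICMPv6 neighbour discovery and PMTU reporting working, so limit
        # by type or use a generous rate rather than a blanket limit.
        ip6 nexthdr icmpv6 counter accept
        ip protocol icmp counter accept
    }

    # Base chain: default drop; anything not explicitly classified below is
    # rejected at the end with an admin-prohibited ICMP error.
    chain input {
        type filter hook input priority filter
        policy drop

        iif lo accept

        jump input_from_anywhere

        # FIXME: temporary
        # This accepts SSH from every source and precedes the per-source vmaps,
        # so the SSH rules in input_from_router/input_from_bastion never match
        # while it is present (their counters stay at zero).
        tcp dport ssh accept

        # Per-source dispatch; sources absent from both maps fall through to
        # the final reject.
        ip6 saddr vmap {
            $backbone_ipv6: jump input_from_backbone,
            $router_ipv6: jump input_from_router,
        }

        ip saddr vmap {
            $backbone_ipv4: jump input_from_backbone,
            $router_ipv4: jump input_from_router,
        }

        reject with icmpx type admin-prohibited
    }
}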