{{ ansible_managed | comment }}
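table inet forward {
    # Shared conntrack pre-filter. Callers enter it with `jump`, so they keep
    # evaluating their own rules for anything that is not yet classified:
    # established/related flows are accepted, invalid ones dropped, and new
    # connections fall through to the calling chain, which must accept them
    # explicitly or they end in the base chain's `policy drop`.
    chain conntrack {
        ct state vmap {
            established: counter accept,
            related: counter accept,
            invalid: counter drop,
        }
    }

    # NOTE(review): this chain accepts only established/related traffic, so a
    # new inbound connection to $public_server_* is dropped by the base policy
    # once the chain ends. Confirm that is intended (or that admission for the
    # public servers is handled in another table/hook).
    chain forward_to_public_server {
        jump conntrack
    }

    chain forward_to_server {
        jump conntrack

        # Syslog forwarding from the infra hosts to the log host:
        # 2514/tcp and 514/udp only.
        ip6 saddr $infra_ipv6 ip6 daddr $log_infra_ipv6 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }

        ip saddr $infra_ipv4 ip daddr $log_infra_ipv4 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }

        # Monitoring from the Prometheus host.
        # NOTE(review): the v6 rule opens 9100/tcp and the v4 rule 161/udp,
        # while every other chain pairs the same port for both families; one
        # of these two lines looks like a copy-paste slip. Confirm which
        # service is actually scraped on the servers.
        # NOTE(review): this chain, forward_to_ups and forward_to_bmc reference
        # $prom_infra_v6/$prom_infra_v4, but forward_to_pve and
        # forward_to_router reference $prom_infra_ipv6/$prom_infra_ipv4. nft
        # refuses to load a ruleset that references an undefined variable, so
        # unless both pairs are defined one spelling is wrong; confirm against
        # the define/include that provides them.
        ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
        ip saddr $prom_infra_v4 udp dport 161 counter accept

        # SSH from the bastion only. The match is pinned to TCP (the original
        # bare `dport` named no transport protocol) and counted like every
        # other accept rule so hits are visible in `nft list ruleset`.
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    # Empty chain: nothing towards the backbone is accepted, not even
    # established flows (there is no `jump conntrack`), so the base policy
    # drops it all.
    # NOTE(review): confirm this is a deliberate deny and not a placeholder.
    chain forward_to_backbone {
    }

    chain forward_to_ups {
        jump conntrack

        # SNMP polling from the Prometheus host.
        ip6 saddr $prom_infra_v6 udp dport 161 counter accept
        ip saddr $prom_infra_v4 udp dport 161 counter accept

        # SSH from the bastion only (TCP, counted).
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    chain forward_to_bmc {
        jump conntrack

        # SNMP polling from the Prometheus host.
        ip6 saddr $prom_infra_v6 udp dport 161 counter accept
        ip saddr $prom_infra_v4 udp dport 161 counter accept

        # SSH from the bastion only (TCP, counted).
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    chain forward_to_pve {
        jump conntrack

        # node_exporter scraping from the Prometheus host.
        # NOTE(review): variable spelling differs from forward_to_server /
        # forward_to_ups / forward_to_bmc ($prom_infra_v6 / $prom_infra_v4);
        # see the note in forward_to_server.
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept

        # SSH from the bastion only (TCP, counted).
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    chain forward_to_router {
        jump conntrack

        # node_exporter scraping from the Prometheus host (same variable
        # spelling caveat as forward_to_pve).
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept

        # SSH from the bastion only (TCP, counted).
        ip6 saddr $bastion_ipv6 tcp dport ssh counter accept
        ip saddr $bastion_ipv4 tcp dport ssh counter accept
    }

    # Catch-all for destinations that match none of the internal vmaps:
    # only sources in the egress sets may open new connections outwards.
    chain forward_to_internet {
        jump conntrack

        ip6 saddr $egress_internet_ipv6 counter accept
        ip saddr $egress_internet_ipv4 counter accept
    }

    # Base chain: default deny, then dispatch on destination with `goto`.
    # `goto` does not return here, so a per-destination chain that reaches
    # its end without a verdict falls into this chain's `policy drop`.
    chain forward {
        type filter hook forward priority filter
        policy drop

        iif lo accept

        ip6 daddr vmap {
            $public_server_ipv6: goto forward_to_public_server,
            $server_ipv6: goto forward_to_server,
            $backbone_ipv6: goto forward_to_backbone,
            $ups_ipv6: goto forward_to_ups,
            $bmc_ipv6: goto forward_to_bmc,
            $pve_ipv6: goto forward_to_pve,
            $router_ipv6: goto forward_to_router,
        }

        ip daddr vmap {
            $public_server_ipv4: goto forward_to_public_server,
            $server_ipv4: goto forward_to_server,
            $backbone_ipv4: goto forward_to_backbone,
            $ups_ipv4: goto forward_to_ups,
            $bmc_ipv4: goto forward_to_bmc,
            $pve_ipv4: goto forward_to_pve,
            $router_ipv4: goto forward_to_router,
        }

        # Anything not addressed to an internal destination above.
        goto forward_to_internet
    }
}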