This repository has been archived on 2023-03-15. You can view files and clone it, but cannot push or open issues or pull requests.
infrastructure/os/config/roles/network/templates/rules.v6

72 lines
1.9 KiB
Text
Raw Normal View History

2019-06-01 14:02:49 +00:00
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Declaring our chains
-N DEUXFLEURS-TRUSTED-NET
-N DEUXFLEURS-TRUSTED-PORT
2020-10-22 16:29:37 +00:00
# Internet Control Message Protocol
# (required)
2020-10-22 15:57:02 +00:00
-A INPUT -p icmp -j ACCEPT
2020-10-22 16:29:37 +00:00
-A INPUT -p ipv6-icmp -j ACCEPT
2020-10-22 15:57:02 +00:00
2020-07-13 18:01:04 +00:00
# Administration
-A INPUT -p tcp --dport {{ hostvars[selected_host]['ssh_port'] }} -j ACCEPT
2020-07-13 18:01:04 +00:00
# Cluster
2019-06-01 14:02:49 +00:00
{% for selected_host in groups['cluster_nodes'] %}
2020-10-22 15:57:02 +00:00
-A INPUT -s {{ hostvars[selected_host]['ipv6'] }} -j ACCEPT
2019-06-01 14:02:49 +00:00
{% endfor %}
2020-07-13 18:01:04 +00:00
# Local
2019-06-01 14:02:49 +00:00
-A INPUT -i docker0 -j ACCEPT
2020-10-22 15:57:02 +00:00
-A INPUT -s ::1/128 -j ACCEPT
2020-10-22 16:29:37 +00:00
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2020-10-22 15:57:02 +00:00
# Who is part of our trusted net?
# Max@Bruxelles
-A DEUXFLEURS-TRUSTED-NET -s 2a02:1811:3606:4800::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Max@Suresnes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:183:7be2::0/64 -j DEUXFLEURS-TRUSTED-PORT
2020-10-28 16:55:03 +00:00
# Max@OVH
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:a:307c:ac7c::/64 -j DEUXFLEURS-TRUSTED-PORT
# LX@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Gandi
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Kimsufi
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Source address is not trusted
-A DEUXFLEURS-TRUSTED-NET -j RETURN
# What can do our trusted net?
# Access garage basically
-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT
# Port is not allowed
-A DEUXFLEURS-TRUSTED-PORT -j RETURN
# Let's check if the user comes from our trusted network
-A INPUT -j DEUXFLEURS-TRUSTED-NET
2019-06-01 14:02:49 +00:00
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
2020-10-22 15:57:02 +00:00