forked from Deuxfleurs/nixcfg
Drastically simplify firewall config
This commit is contained in:
parent
4bc67c3906
commit
b5ec581bc8
1 changed files with 6 additions and 34 deletions
|
@ -309,46 +309,18 @@ in
|
|||
# Allow everything from router (usefull for UPnP/IGD)
|
||||
iptables -A INPUT -s 192.168.1.254 -j ACCEPT
|
||||
|
||||
# Allow Docker containers to access a few things
|
||||
iptables -N CONTAINERS
|
||||
iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS
|
||||
# Allow docker containers to access all ports
|
||||
iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT
|
||||
|
||||
# Yugabyte YSQL
|
||||
iptables -A CONTAINERS -p tcp --dport 5433 -j ACCEPT
|
||||
|
||||
# Specific rules for VPN nodes
|
||||
iptables -N VPN
|
||||
iptables -A INPUT -s 10.42.0.0/16 -j VPN
|
||||
|
||||
# Allow server nodes to communicate between themselves on all ports
|
||||
iptables -A VPN -s 10.42.0.2 -j ACCEPT
|
||||
iptables -A VPN -s 10.42.0.21 -j ACCEPT
|
||||
iptables -A VPN -s 10.42.0.22 -j ACCEPT
|
||||
iptables -A VPN -s 10.42.0.23 -j ACCEPT
|
||||
|
||||
# Allow all VPN users to access Nomad API
|
||||
iptables -A VPN -p tcp --dport 4646 -j ACCEPT
|
||||
|
||||
# Same for Consul API
|
||||
iptables -A VPN -p tcp --dport 8500 -j ACCEPT
|
||||
|
||||
# Same for YugabyteDB YSQL and Admin ports
|
||||
iptables -A VPN -p tcp --dport 5433 -j ACCEPT
|
||||
iptables -A VPN -p tcp --dport 7000 -j ACCEPT
|
||||
|
||||
# Same for Netdata monitoring
|
||||
iptables -A VPN -p tcp --dport 19999 -j ACCEPT
|
||||
# Allow other nodes on VPN to access all ports
|
||||
iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT
|
||||
'';
|
||||
|
||||
# When stopping firewall, delete all rules that were configured manually above
|
||||
extraStopCommands = ''
|
||||
iptables -D INPUT -s 192.168.1.254 -j ACCEPT
|
||||
iptables -D INPUT -s 10.42.0.0/16 -j VPN
|
||||
iptables -F VPN
|
||||
iptables -X VPN
|
||||
iptables -D INPUT -s 172.17.0.0/16 -j CONTAINERS
|
||||
iptables -F CONTAINERS
|
||||
iptables -X CONTAINERS
|
||||
iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT
|
||||
iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue