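#!/bin/sh
# Firewall and NAT rules for a small IPv4/IPv6 router.
#
# Flushes the filter and nat tables, locks down INPUT and FORWARD for both
# address families, forwards a few TCP ports to one internal host (with NAT
# reflection so LAN clients can use the router's own address), and
# masquerades traffic leaving through the WAN interface.
#
# Read from /etc/local.d/vars.sh (all three must be set there):
#   $lan     - LAN interface name
#   $lan_ip  - this host's address on the LAN
#   $wan     - WAN interface name
# /etc/local.d/vars_end.sh is sourced last; whatever it does is outside
# this file.
#
# Deliberately no 'set -e': the chains are flushed first, so aborting on a
# single failed rule would leave a chain at policy ACCEPT without its
# terminal DROP/REJECT (fail-open). iptables prints its own error for a
# failed rule and the script carries on so the terminal rules still land.
. /etc/local.d/vars.sh
: "${lan:?lan must be set in /etc/local.d/vars.sh}" \
  "${lan_ip:?lan_ip must be set in /etc/local.d/vars.sh}" \
  "${wan:?wan must be set in /etc/local.d/vars.sh}"

# First IPv4 address on eth0, prefix length stripped. The pattern '/inet /'
# (trailing space) cannot match 'inet6', and 'exit' stops after the first
# address so wan_ip never holds more than one line. The prefix is removed
# with a parameter expansion instead of a second process.
# NOTE(review): eth0 is used here and in the reflection rule below while
# $wan is used for MASQUERADE — presumably the same interface; confirm.
wan_ip="$(ip -4 addr show dev eth0 | awk '/inet /{print $2; exit}')"
wan_ip="${wan_ip%%/*}"
if [ -z "$wan_ip" ]; then
  # Without an address the '-d $wan_ip' DNAT rule cannot be built; skip it
  # rather than let iptables parse '-j' as the destination.
  echo "warning: no IPv4 address on eth0, skipping WAN-side port forwards" >&2
fi

ipt=iptables
ipt6=ip6tables

# Flush the filter table and reset every policy to ACCEPT. The chains we
# care about are closed with an explicit terminal DROP/REJECT below.
for chain in INPUT OUTPUT FORWARD ; do
  "$ipt" -F "$chain"
  "$ipt" -P "$chain" ACCEPT
  "$ipt6" -F "$chain"
  "$ipt6" -P "$chain" ACCEPT
done

# ---- IPv4 INPUT -----------------------------------------------------------
"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -A INPUT -m conntrack --ctstate related,established -j ACCEPT
"$ipt" -A INPUT -p tcp --dport 22 -d "$lan_ip" -j ACCEPT # SSH internally
# The next two rules carry no '-i', so 9100 and 443 are reachable on every
# interface, $wan included. Add '-i "$lan"' to the 9100 rule if the node
# exporter is not meant to be exposed on the WAN side.
"$ipt" -A INPUT -p tcp --dport 9100 -j ACCEPT # prometheus node exporter
"$ipt" -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPs
"$ipt" -A INPUT -i "$lan" -j ACCEPT
# Already covered by the rule above (everything from $lan is accepted);
# kept so the intent to allow ICMP from the LAN stays visible.
"$ipt" -A INPUT -i "$lan" -p icmp -j ACCEPT
"$ipt" -A INPUT -j DROP

# ---- IPv4 FORWARD ---------------------------------------------------------
# Previously this chain had no rules at all, i.e. policy ACCEPT forwarded
# anything this box could route, in contrast to the IPv6 FORWARD chain
# below. Mirror it: return traffic, anything from the LAN, and (added in
# the port-forward loop) the DNAT'd ports to the internal server. The
# terminal DROP is appended after that loop. If other interfaces (VPN,
# containers) must forward through this host, add them here.
"$ipt" -A FORWARD -m conntrack --ctstate related,established -j ACCEPT
"$ipt" -A FORWARD -i "$lan" -j ACCEPT

# ---- IPv6 INPUT / FORWARD -------------------------------------------------
# '-m conntrack --ctstate' rather than the deprecated '-m state --state',
# to match the IPv4 rules.
"$ipt6" -A INPUT -i lo -j ACCEPT
"$ipt6" -A INPUT -m conntrack --ctstate related,established -j ACCEPT
# udp/546 is the DHCPv6 client port (replies arrive on link-local); router
# advertisements are ICMPv6 and are covered by the next rule.
"$ipt6" -A INPUT -p udp --dport 546 -d fe80::/10 -j ACCEPT
"$ipt6" -A INPUT -p icmpv6 -j ACCEPT # NDP, RA, PMTU discovery
"$ipt6" -A INPUT -j REJECT
"$ipt6" -A FORWARD -m conntrack --ctstate related,established -j ACCEPT
"$ipt6" -A FORWARD -i "$lan" -j ACCEPT
"$ipt6" -A FORWARD -p icmpv6 -j ACCEPT
"$ipt6" -A FORWARD -j REJECT

# ---- NAT ------------------------------------------------------------------
for chain in INPUT OUTPUT PREROUTING POSTROUTING ; do
  "$ipt" -t nat -F "$chain"
  "$ipt" -t nat -P "$chain" ACCEPT
done

# Multiple port forwards for 10.0.0.241 with NAT reflection as an example.
internal_server=10.0.0.241
for port in 443 9100 9090 ; do
  # WAN-side forward; only possible when eth0 has an address.
  if [ -n "$wan_ip" ]; then
    "$ipt" -t nat -A PREROUTING -p tcp --dport "$port" -d "$wan_ip" \
      -j DNAT --to "$internal_server"
  fi
  # NAT reflection: LAN clients hitting $lan_ip:$port are sent to the
  # internal server, and the source is rewritten to $lan_ip so its replies
  # come back through this host instead of going directly to the client.
  "$ipt" -t nat -I PREROUTING -p tcp --dport "$port" -d "$lan_ip" -i eth0 \
    -j DNAT --to "$internal_server"
  "$ipt" -t nat -I POSTROUTING -p tcp --dport "$port" -d "$internal_server" \
    -j SNAT --to "$lan_ip"
  # Let the DNAT'd connection through the (now filtered) IPv4 FORWARD chain.
  "$ipt" -A FORWARD -p tcp --dport "$port" -d "$internal_server" -j ACCEPT
done
# Terminal rule for IPv4 FORWARD, after all per-port accepts.
"$ipt" -A FORWARD -j DROP

# Where the "magic" happens for IPv4, translate local IPs to that of
# the $wan interface.
"$ipt" -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
. /etc/local.d/vars_end.sh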