Commit a24e6ce6 authored by kaiyou's avatar kaiyou

Simplify the firewall config

parent be63221d
......@@ -28,12 +28,10 @@ services:
- ./fw:/templates
environment:
- PUBLIC_IFACE
- COMMON_IFACE
- SNAT4
- SNAT6
- SNAT4=${ipv4}
- SNAT6=${ipv4}
- ADMIN_IPV4
- ADMIN_IPV6
- LOGS_IPV6
command: |
/templates /result
-t start die
......
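Review bot: `SNAT6=${ipv4}` in the new environment block takes the IPv6 SNAT address from the `ipv4` variable, which reads like a copy-paste slip; unless IPv6 SNAT is deliberately being pointed at the v4 address this should be `SNAT6=${ipv6}`. Compose also substitutes an empty string for an unset variable, so an unset `ipv4` would render an empty SNAT target into the nft template and the `-t start die` command would then stop the container at load time; `SNAT4=${ipv4:?ipv4 is required}` (and the same for the v6 line) makes the missing value fail at `docker-compose up` with a clear message instead. Which lines here are added versus removed is inferred from the hunk counts, since the rendered page dropped the +/- markers.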
......@@ -38,6 +38,7 @@ table inet filter {
ct state {established, related} accept
meta iifname "lo" accept
meta oifname "lo" accept
ip nexthdr icmp accept
ip6 nexthdr icmpv6 accept
}
......@@ -48,12 +49,6 @@ table inet filter {
# allow ssh
ip daddr {{ utils.environ("ADMIN_IPV4") }} tcp dport 22 counter accept
ip6 daddr {{ utils.environ("ADMIN_IPV6") }} tcp dport 22 counter accept
# allow dhcpv6
udp dport 546 counter accept
# ipsec
udp dport {500,4500} counter accept
ip6 nexthdr {ah, esp} counter accept
counter drop
}
......@@ -62,18 +57,12 @@ table inet filter {
type filter hook output priority 0;
jump common
# allow dhcpv6
udp dport 547 counter accept
# setup and upgrade
tcp dport {22,80,443,2201} counter accept
tcp dport {22,80,443} counter accept
# ntp, dns
udp dport {53,123} counter accept
# logs
ip6 daddr {{ utils.environ("LOGS_IPV6") }} udp dport 12201 accept
# nated traffic
ct mark 1 counter accept
......@@ -84,8 +73,8 @@ table inet filter {
type filter hook forward priority 0;
jump common
# container to internet and other hosts, project internal connections
{% for name, bridge, prefixes, labels in nets %}
# container to internet and project internal connections
{% for name, bridge, prefixes, labels in nets %}
iif "{{ bridge }}" oif "{{ utils.environ("PUBLIC_IFACE") }}" accept
iif "{{ bridge }}" oif "{{ bridge }}" accept
{% endfor %}
......
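Review bot: `ip nexthdr icmp accept` added to the common chain is, as far as I know, not valid nft syntax — the IPv4 header expression offers `protocol`, and `nexthdr` exists only under `ip6` — so the whole ruleset would be rejected at load time and, if the `-t start die` wrapper from the compose file applies here, the firewall container would exit rather than filter. The minimal fix is `ip protocol icmp accept`; since this chain is also jumped to from the input hook, a tighter rule such as `icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept` limits the host to the ICMP types it actually needs (the pre-existing blanket `ip6 nexthdr icmpv6 accept` could get the same treatment with `icmpv6 type { ... }`, which must include the nd-* neighbour-discovery types). The surrounding chain definitions begin and end outside these hunks, so I cannot confirm whether any remaining rule still depends on the DHCPv6 or IPsec ports being removed from input.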