pulling out all the bastion related rules and moving them to the bastion ansible... this may break shit...

toby 2019-03-29 22:40:03 +00:00
parent a2201fd74b
commit d2a7099392
1 changed files with 7 additions and 31 deletions


@ -56,30 +56,18 @@ case $1 in
iptables -P INPUT DROP
## some rules for bastion boxes to protect the mgmt networks
iptables -F FORWARD
iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
iptables -A FORWARD -o mgmtgw1 -j DROP -m comment --comment "only for bastion hosts"
iptables -A FORWARD -o ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
iptables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
iptables -A FORWARD -i ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
#iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
#special tables
iptables -F FORWARD
iptables -F OUTPUT
iptables -t mangle -F
iptables -t nat -F
iptables -t raw -F
# this matters only on bastion boxes
iptables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
iptables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
iptables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
iptables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
# this matters on all boxes
iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
iptables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
@ -139,31 +127,19 @@ case $1 in
ip6tables -P INPUT DROP
## some rules for bastion boxes to protect the mgmt networks
ip6tables -F FORWARD
ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
ip6tables -A FORWARD -o mgmtgw1 -j DROP -m comment --comment "only for bastion hosts"
ip6tables -A FORWARD -o ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
ip6tables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
ip6tables -A FORWARD -i ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
#special tables
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -t mangle -F
ip6tables -t nat -F
ip6tables -t raw -F
# this matters only on bastion boxes
ip6tables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
ip6tables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
ip6tables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
ip6tables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
# this matters on all boxes
# manage conntrack
ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
ip6tables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track mgmt vrf"
ip6tables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track mgmt vrf"
ip6tables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track default vrf"
ip6tables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track default vrf"
#some boxes get special addon rules
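Review bot: The unconditional `iptables -F FORWARD` and `iptables -t raw -F` under `#special tables` still run in this script after the bastion FORWARD and raw rules are removed, so anything the bastion Ansible role installs in those chains is wiped every time this script is (re)applied after it; the ip6tables flushes under the second hunk's `#special tables` have the same problem. Unless the FORWARD policy is DROP (not visible in this hunk), a bastion host where this script runs after the role is left with an empty FORWARD chain and no DROP for mgmtgw1/ipmigw1 until the role runs again. Either pin the ordering in a comment above the flush, e.g. `# bastion FORWARD/raw rules now live in the bastion ansible role; that role must run AFTER this script, because the flushes below remove them`, or skip those flushes on bastion hosts. Separately, the kept raw-table pair for the mgmt vrf uses `-i mgmt1` for PREROUTING but `-o mgmt` for OUTPUT (in both the iptables and ip6tables hunks); if these are meant to be the same interface, one of them looks like a typo, and the two identical unqualified `-j NOTRACK` pairs at the end of the ip6tables hunk mean the "default vrf" pair can never match. The enclosing `case $1 in` begins before the first hunk and the rendered view appears to omit some lines, so the surrounding policy lines were not reviewed.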