diff options
author | Quentin Dufour <quentin@deuxfleurs.fr> | 2020-10-28 16:55:11 +0100 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2020-10-28 16:55:11 +0100 |
commit | 03680a992b627cda620ad3a3fd1ba9c725bfc371 (patch) | |
tree | f677bd98d510faf0345133f369fc02676ffee586 /os/config/roles/network/templates | |
parent | aba3ba723ca23d2da2e6fb59700c033f2d6775c0 (diff) | |
download | infrastructure-03680a992b627cda620ad3a3fd1ba9c725bfc371.tar.gz infrastructure-03680a992b627cda620ad3a3fd1ba9c725bfc371.zip |
Switch Matrix+Plume to IPv6, Add Trusted Net to ip6tables
Diffstat (limited to 'os/config/roles/network/templates')
-rw-r--r-- | os/config/roles/network/templates/rules.v6 | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6 index 50737a0..7cac66e 100644 --- a/os/config/roles/network/templates/rules.v6 +++ b/os/config/roles/network/templates/rules.v6 @@ -3,6 +3,10 @@ :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] +# Declaring our chains +-N DEUXFLEURS-TRUSTED-NET +-N DEUXFLEURS-TRUSTED-PORT + # Internet Control Message Protocol # (required) -A INPUT -p icmp -j ACCEPT @@ -21,6 +25,29 @@ -A INPUT -s ::1/128 -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +# Who is part of our trusted net? +# Max@Bruxelles +-A DEUXFLEURS-TRUSTED-NET -s 2a02:1811:3606:4800::0/64 -j DEUXFLEURS-TRUSTED-PORT +# Max@Suresnes +-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:183:7be2::0/64 -j DEUXFLEURS-TRUSTED-PORT +# LX@Rennes +-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT +# ADRN@Gandi +-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT +# Quentin@Rennes +-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT +# Source address is not trusted +-A DEUXFLEURS-TRUSTED-NET -j RETURN + +# What can do our trusted net? +# Access garage basically +-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT +# Port is not allowed +-A DEUXFLEURS-TRUSTED-PORT -j RETURN + +# Let's check if the user comes from our trusted network +-A INPUT -j DEUXFLEURS-TRUSTED-NET + COMMIT *nat |