From 03680a992b627cda620ad3a3fd1ba9c725bfc371 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Wed, 28 Oct 2020 16:55:11 +0100
Subject: Switch Matrix+Plume to IPv6, Add Trusted Net to ip6tables

---
 os/config/roles/network/templates/rules.v6 | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 (limited to 'os/config/roles')

diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6
index 50737a0..7cac66e 100644
--- a/os/config/roles/network/templates/rules.v6
+++ b/os/config/roles/network/templates/rules.v6
@@ -3,6 +3,10 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 
+# Declaring our chains
+-N DEUXFLEURS-TRUSTED-NET
+-N DEUXFLEURS-TRUSTED-PORT
+
 # Internet Control Message Protocol
 # (required)
 -A INPUT -p icmp -j ACCEPT
@@ -21,6 +25,29 @@
 -A INPUT -s ::1/128 -j ACCEPT
 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
+# Who is part of our trusted net?
+# Max@Bruxelles
+-A DEUXFLEURS-TRUSTED-NET -s 2a02:1811:3606:4800::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# Max@Suresnes
+-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:183:7be2::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# LX@Rennes
+-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# ADRN@Gandi
+-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
+# Quentin@Rennes
+-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# Source address is not trusted
+-A DEUXFLEURS-TRUSTED-NET -j RETURN
+
+# What can do our trusted net?
+# Access garage basically
+-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT
+# Port is not allowed
+-A DEUXFLEURS-TRUSTED-PORT -j RETURN
+
+# Let's check if the user comes from our trusted network
+-A INPUT -j DEUXFLEURS-TRUSTED-NET
+
 COMMIT
 *nat
-- 
cgit v1.2.3
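Review bot: The DEUXFLEURS-TRUSTED-NET chain in the second hunk grants port 3901 on the strength of the source prefix alone, and four of the five entries are /64s that the comments tie to individuals' home connections (Bruxelles, Suresnes, Rennes), so the allowlist is only as stable as those ISP prefix assignments: when a prefix is renumbered the intended person is locked out and whoever inherits the prefix inherits the rule. That should be recorded next to the list, e.g. `# NOTE: the residential /64s below are ISP-assigned and may be renumbered; re-verify with their owners before relying on them`. The accept line `-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT` also admits every TCP packet to that port rather than connection openings; since the ESTABLISHED,RELATED rule already precedes the jump in INPUT, `-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -m conntrack --ctstate NEW -j ACCEPT` would keep INVALID-state traffic out at no cost. As a point of style, this file lives under a role's templates directory, so the five hard-coded address lines would be easier to audit as a single variable iterated by the template (and, if a matching IPv4 allowlist exists elsewhere, kept in sync with it), but I cannot see the rest of the role from this hunk.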