roles/dch-gw: Configure the filter table

The *filter* table is responsible for deciding which packets will be
accepted and which will be rejected. It has three chains, which classify
packets according to whether they are destined for the local machine
(input), passing through this machine (forward) or originating from the
local machine (output).

The *dch-gw* role now configures all three chains in this table. For
now, it defines basic rules, mostly based on TCP/UDP destination port:

* Traffic destined for a service hosted by the local machine (DNS, DHCP,
  SSH) is allowed if it does not come from the Internet
* Traffic passing through the machine is allowed if:
  * It is passing between internal networks
  * It is destined for a host on the FireMon network (VPN)
  * It was NATed to an internal host (marked 323)
  * It is destined for the Internet
* Only DHCP, HTTP, and DNS are allowed to originate from the local
  machine

This configuration requires an `internet_iface` variable, which
indicates the name of the network interface connected to the Internet
directly.
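As an added illustration (not the dch-gw role's own template, which this page does not show), the following is one way the filter table described above could be written in nftables syntax. The interface name, the `inside_networks` set contents, the FireMon VPN prefix and the established/related rules are assumptions; the role's real values live in its variables and template.

```nft
# Added example, not the dch-gw role's file. Values below are placeholders.
define internet_iface = "eth0"        # assumed; the role takes this from internet_iface
define firemon_net = 10.99.0.0/16     # assumed placeholder for the FireMon (VPN) network
define nat_mark = 323                 # the mark the nat table sets on forwarded traffic

table ip filter {
    set inside_networks {
        type ipv4_addr
        flags interval
        elements = { 192.168.10.0/24, 192.168.20.0/24 }   # placeholder internal networks
    }

    # Packets addressed to this machine: local services, never from the Internet side
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname != $internet_iface udp dport { 53, 67 } accept   # DNS, DHCP server
        iifname != $internet_iface tcp dport { 53, 22 } accept   # DNS, SSH
    }

    # Packets routed through this machine
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr @inside_networks ip daddr @inside_networks accept   # between internal networks
        ip saddr @inside_networks ip daddr $firemon_net accept       # towards the VPN
        meta mark $nat_mark accept                                   # port-forwarded by the nat table
        ip saddr @inside_networks oifname $internet_iface accept     # towards the Internet
    }

    # Packets the machine itself originates: only DHCP, HTTP and DNS
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        udp dport { 53, 67 } accept   # DNS, DHCP client
        tcp dport { 53, 80 } accept   # DNS, HTTP
    }
}
```

The default policy of every chain is `drop`, so each bullet in the commit message maps to one explicit `accept` rule; anything the message does not list is rejected by construction.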
2018-03-28 23:32:21 -05:00
parent da5da95894
commit a0a4b91faf
10 changed files with 172 additions and 5 deletions


@@ -33,13 +33,13 @@ table ip nat {
}
chain prerouting {
ip daddr $outside_address dnat tcp dport map @tcp_forward
ip daddr $outside_address dnat udp dport map @udp_forward
ip daddr $outside_address meta mark set 323 dnat tcp dport map @tcp_forward
ip daddr $outside_address meta mark set 323 dnat udp dport map @udp_forward
}
chain postrouting {
{% for item in nat_port_forwards %}
ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} masquerade
ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} meta mark set 323 masquerade
{% endfor %}
}
}
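Review bot: the `meta mark set 323` added to the postrouting rule cannot influence the forward chain that the commit message relies on, because the nat postrouting hook runs after the forward hook has already decided the packet's fate; only the prerouting mark is visible there. Two further caveats follow from nftables semantics: nat hook chains evaluate only the first packet of a connection, and `meta mark` is a per-packet mark, so a forward rule keyed on mark 323 matches that first packet only and the rest of the flow depends on an established/related rule existing in the filter table. If the intent is to admit the whole NATed connection, consider `ct mark set 323` in prerouting with `ct mark 323` (or `ct status dnat`) in forward, and give the number a name with `define` instead of repeating the literal 323 in four places. Note also that in the two prerouting rules the mark is set on every packet to $outside_address before the map lookup, including ports absent from @tcp_forward and @udp_forward; those packets then reach the input chain rather than forward, so the effect is harmless today but worth a comment.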