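# --- interfaces ---------------------------------------------------------------
# Interface names used throughout this config. Defined first so the address
# detection below can reference WAN instead of repeating the literal "eth0".
LAN="enp7s0"

WAN="eth0"

# FireHOL "+" wildcards matching the container / CNI interfaces.
CONTAINERS="vxlan+ flannel+ cni+ cali+ docker+ podman+"

# --- addresses ----------------------------------------------------------------
# IPv4 address(es) configured on the WAN interface (one per line if several);
# used as the snat source and as the dst4 of the internet interface below.
public_ip4="$(ip -4 addr show dev "${WAN}" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')"

# All IPv6 addresses on the WAN interface. NOTE(review): this pattern also
# captures the link-local fe80:: address; adding `scope global` to the ip
# command would limit it to routable addresses — confirm which is wanted.
public_ip6="$(ip -6 addr show dev "${WAN}" | grep -oP '(?<=inet6\s)[\da-f:]+')"

# Local network range. Not referenced in the visible part of this file.
lan_ips4="10.0.0.0/8"

# --- custom services ----------------------------------------------------------
# k3s / Kubernetes API server. server_*_ports is the port the server listens on
# (proto/port); client_*_ports is the range clients connect *from*, which for
# ordinary clients is the ephemeral range FireHOL names "default". The previous
# value "6443" only matched clients whose *source* port was 6443, so
# `server k3s accept` would not have admitted real API clients.
server_k3s_ports="tcp/6443"
client_k3s_ports="default"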
# FireHOL configuration format version; must precede every firewall statement.
version 6

# Masquerade everything leaving the WAN interface behind the detected IPv4
# address. IPv4 only — there is no snat for IPv6 in this config.
ipv4 snat to "${public_ip4}" outface "${WAN}"
# ICMPv6 housekeeping (neighbour discovery, router discovery, MLD) in both
# directions on every interface. `interface any` combined with `policy return`
# hands anything not matched here on to the interface/router definitions that
# follow.
ipv6 interface any v6interop proto icmpv6
    client "ipv6neigh ipv6router ipv6mld" accept
    server "ipv6neigh ipv6router ipv6mld" accept

    policy return
# DHCPv6 in both roles on every interface, again falling through with
# `policy return` for everything else.
# NOTE(review): `server dhcpv6 accept` on `any` also accepts server-side DHCPv6
# traffic arriving on ${WAN}; confirm that is intended, otherwise restrict the
# server rule to the LAN side.
ipv6 interface any dhcpv6
    client dhcpv6 accept
    server dhcpv6 accept

    policy return
# Host-side traffic on the LAN and on the container / CNI interfaces is
# trusted unconditionally.
interface "$LAN $CONTAINERS" lan
    policy accept
# The WAN interface. Only packets addressed to the detected public address(es)
# and not sourced from the unroutable ranges are handled by this definition.
# NOTE(review): the same ${UNROUTABLE_IPS} list is applied to src6 as to src4 —
# confirm it actually contains IPv6 ranges rather than assuming it does.
interface46 "$WAN" internet \
        src4 not "${UNROUTABLE_IPS}" dst4 "${public_ip4}" \
        src6 not "${UNROUTABLE_IPS}" dst6 "${public_ip6}"
    protection strong

    # Outbound from the host: anything.
    client all accept

    # Inbound to the host: ident is actively refused, the listed services are
    # admitted, everything else is left to the default treatment.
    server ident reject with tcp-reset
    server "http https" accept
    server "pop3 pop3s smtp smtps imap imaps sieve" accept
    server k3s accept
# Forwarding from the LAN / container interfaces towards the LAN, other
# containers or the internet. Note that this does not mean all traffic is
# allowed: Kubernetes installs its own rules, which take precedence over these.
# NOTE(review): as far as I recall a FireHOL router policy also applies to the
# reverse direction (outface -> inface); if so, `policy accept` here admits
# unsolicited ${WAN} -> ${LAN}/${CONTAINERS} forwarding as well. Confirm, and
# if that is the case replace the policy with explicit `client all accept` /
# `server ... accept` rules.
router containers inface "$LAN $CONTAINERS" outface "$LAN $CONTAINERS $WAN"
    policy accept
# Connection between internet and lan
router internet2lan inface ${WAN} outface ${LAN}
client all accept # allow all outgoing traffic, but I do think this is redundant with the containers policy