FAELIX/hphr
FAELIX/hphr
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

taking over iptables/ip6tables and ipset

Browse Source
This commit is contained in:
Marek Isalski 2019-05-18 09:38:36 +01:00
parent 2c9be299e0
commit ac521117b0
5 changed files with 92 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bcp38.ipset.j2 Normal file
View File

@ -0,0 +1,3 @@
create foo hash:net,iface family inet hashsize 1024 maxelem 65536
add foo 0.0.0.0/0,eth0
add foo 0.0.0.0/0,lo

26
bcp38.iptables.v4 Normal file
View File

@ -0,0 +1,26 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

26
bcp38.iptables.v6 Normal file
View File

@ -0,0 +1,26 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

30
hphr.sls
View File

@ -23,3 +23,33 @@ configure:
- runas: minion - runas: minion
- require: - require:
- file: /config/config.new - file: /config/config.new
/config/hphr.rules.v4:
file.managed:
- template: jinja
- source: salt://bcp38.iptables.v4
/config/hphr.rules.v6:
file.managed:
- template: jinja
- source: salt://bcp38.iptables.v6
/config/hphr.ipset:
file.managed:
- template: jinja
- source: salt://bcp38.ipset.j2
/config/scripts/vyos-postconfig-bootup.script:
file.managed:
- template: jinja
- source: salt://postconfig.sh
- mode: 760
- require:
- file: /config/hphr.rules.v4
- file: /config/hphr.rules.v6
- file: /config/hphr.ipset
cmd.run:
- name: sudo /config/scripts/vyos-postconfig-bootup.script
- require:
- file: /config/scripts/vyos-postconfig-bootup.script
- cmd: configure

7
postconfig.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
ipset restore < /config/hphr.ipset
iptables-restore /config/hphr.rules.v4
ip6tables-restore /config/hphr.rules.v6
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter