pvincent
8 months ago
1 changed files with 28 additions and 28 deletions
@ -1,35 +1,35 @@ |
|||
table inet lxd { |
|||
chain pstrt.lxdbr0 { |
|||
type nat hook postrouting priority srcnat; policy accept; |
|||
chain pstrt.lxdbr0 { |
|||
type nat hook postrouting priority srcnat; policy accept; |
|||
|
|||
{%- if target != 'prod' %} |
|||
# BLOCK SMTP PORTS |
|||
tcp dport { 25, 465, 587 } ip saddr {{ firewall.bridge_subnet }} {%- if firewall.container_mail_passthrough %} ip saddr |
|||
!= {{ env.ip_mail_passthrough }} {% endif %} log prefix "Drop SMTP away from container: " drop |
|||
{% endif -%} |
|||
{%- if target != 'prod' %} |
|||
# BLOCK SMTP PORTS |
|||
tcp dport { 25, 465, 587 } ip saddr {{ firewall.bridge_subnet }} {%- if firewall.container_mail_passthrough %} ip saddr |
|||
!= {{ env.ip_mail_passthrough }} {% endif %} log prefix "Drop SMTP away from container: " drop |
|||
{% endif -%} |
|||
|
|||
ip saddr {{ firewall.bridge_subnet }} ip daddr != {{ firewall.bridge_subnet }} masquerade |
|||
} |
|||
ip saddr {{ firewall.bridge_subnet }} ip daddr != {{ firewall.bridge_subnet }} masquerade |
|||
} |
|||
|
|||
chain fwd.lxdbr0 { |
|||
type filter hook forward priority filter; policy accept; |
|||
ip version 4 oifname "lxdbr0" accept |
|||
ip version 4 iifname "lxdbr0" accept |
|||
} |
|||
chain fwd.lxdbr0 { |
|||
type filter hook forward priority filter; policy accept; |
|||
ip version 4 oifname "lxdbr0" accept |
|||
ip version 4 iifname "lxdbr0" accept |
|||
} |
|||
|
|||
chain in.lxdbr0 { |
|||
type filter hook input priority filter; policy accept; |
|||
iifname "lxdbr0" tcp dport 53 accept |
|||
iifname "lxdbr0" udp dport 53 accept |
|||
iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept |
|||
iifname "lxdbr0" udp dport 67 accept |
|||
} |
|||
chain in.lxdbr0 { |
|||
type filter hook input priority filter; policy accept; |
|||
iifname "lxdbr0" tcp dport 53 accept |
|||
iifname "lxdbr0" udp dport 53 accept |
|||
iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept |
|||
iifname "lxdbr0" udp dport 67 accept |
|||
} |
|||
|
|||
chain out.lxdbr0 { |
|||
type filter hook output priority filter; policy accept; |
|||
oifname "lxdbr0" tcp sport 53 accept |
|||
oifname "lxdbr0" udp sport 53 accept |
|||
oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept |
|||
oifname "lxdbr0" udp sport 67 accept |
|||
chain out.lxdbr0 { |
|||
type filter hook output priority filter; policy accept; |
|||
oifname "lxdbr0" tcp sport 53 accept |
|||
oifname "lxdbr0" udp sport 53 accept |
|||
oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept |
|||
oifname "lxdbr0" udp sport 67 accept |
|||
} |
|||
} |
|||
} |