Commit ec8f7898 authored by Benjamin Graillot's avatar Benjamin Graillot

Specify out interface for nat

parent 7eb4e611
......@@ -8,5 +8,7 @@
"adh-nat": "185.230.77.0/24"
},
"ldap_url": "ldaps://172.16.1.1"
"nat_interface": "ens1",
"ldap_url": "ldaps://172.16.10.1"
}
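Review bot: The `ldap_url` change on the last lines of the hunk (172.16.1.1 becomes 172.16.10.1) is unrelated to the NAT interface this commit is about and is not mentioned in the commit message, so anyone bisecting an LDAP connectivity problem will not find it under "Specify out interface for nat". Either split it into its own commit or add a line to the description such as `Also update ldap_url to 172.16.10.1`. The file is JSON, so there is nowhere to document what `nat_interface` must contain; the constraint (an existing interface name, matched literally by the template's `oifname`) belongs in the README or the commit description.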
......@@ -205,5 +205,5 @@ if __name__ == "__main__":
print(template.render(nat=nat, ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
else:
with open('/etc/nftables.conf', 'w') as nftables:
nftables.write(template.render(nat=nat, ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
nftables.write(template.render(nat=nat, nat_interface=config['nat_interface'], ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
subprocess.run(['systemctl', 'reload', 'nftables'])
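Review bot: On the added write line, `config['nat_interface']` and `template.render(...)` are evaluated after `open('/etc/nftables.conf', 'w')` has already truncated the file, so a missing key (an older config without the new entry) or a template error leaves an empty ruleset on disk; the `systemctl reload` below is skipped by the exception, but whatever next loads /etc/nftables.conf presumably gets no rules. Render first and only then open the file: `rendered = template.render(nat=nat, nat_interface=config['nat_interface'], ports_openings=ports_openings, ports_openings_adh=ports_openings_adh)`, then `with open('/etc/nftables.conf', 'w') as nftables:` / `nftables.write(rendered)`. The print branch at the top of the hunk still renders without `nat_interface`, so the dry-run output no longer matches what is written (with Jinja's default `Undefined`, assuming this is a Jinja environment, the new rules render as `oifname ""`); pass the same variable there. The enclosing `if __name__ == "__main__":` block starts outside the hunk.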
......@@ -24,9 +24,9 @@ table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
{% for nat_subnet in nat %}
ip saddr @{{ nat_subnet }} ip protocol icmp snat to ip saddr map @{{ nat_subnet }}-pub
ip saddr @{{ nat_subnet }} ip protocol udp snat to ip saddr map @{{ nat_subnet }}-pub
ip saddr @{{ nat_subnet }} ip protocol tcp snat to ip saddr map @{{ nat_subnet }}-pub
ip saddr @{{ nat_subnet }} ip protocol icmp oifname "{{ nat_interface }}" snat to ip saddr map @{{ nat_subnet }}-pub
ip saddr @{{ nat_subnet }} ip protocol udp oifname "{{ nat_interface }}" snat to ip saddr map @{{ nat_subnet }}-pub
ip saddr @{{ nat_subnet }} ip protocol tcp oifname "{{ nat_interface }}" snat to ip saddr map @{{ nat_subnet }}-pub
{% endfor %}
}
}
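Review bot: The three new postrouting rules make SNAT conditional on `oifname "{{ nat_interface }}"`, but nothing guards the variable: if it is unset, Jinja's default `Undefined` renders `oifname ""`, which as far as I can tell matches no interface, so masquerading for every subnet in `nat` silently stops instead of failing at load time. Either fail loudly at render time (build the environment with `undefined=StrictUndefined`, which lives in the Python side outside this hunk) or at least keep a comment above the loop: `# SNAT only on the public uplink; nat_interface must name a real interface or these rules match nothing`. The three rules differ only in the protocol and could be written once per subnet as `ip saddr @{{ nat_subnet }} ip protocol { icmp, udp, tcp } oifname "{{ nat_interface }}" snat to ip saddr map @{{ nat_subnet }}-pub`, which keeps the block readable as the rule set grows.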
......@@ -41,6 +41,7 @@ table inet filter {
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, router-renumbering } accept
ip saddr 172.16.0.0/16 accept
ip saddr 100.64.0.0/16 accept
ip daddr 224.0.0.18 accept
ip6 saddr fd00::/4 accept
ip6 saddr 2a0c:700::/32 accept
reject
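Review bot: The added `ip daddr 224.0.0.18 accept` matches any IPv4 protocol sent to that multicast group, while the surrounding accepts are scoped by source address; if this is for keepalived/VRRP (the address suggests so, but the hunk does not say), restricting it to the protocol, `ip daddr 224.0.0.18 ip protocol vrrp accept`, with a short comment `# VRRP (keepalived) announcements from the peer router` keeps the chain's intent readable. The rule is also unrelated to the NAT interface named in the commit title and is not mentioned in the description. The chain this hunk sits in begins outside the hunk.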
......