Netplan example: bridging and a static IP
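network:
  version: 2
  renderer: NetworkManager
  ethernets:
    eth0:
      # eth0 is enslaved to br0 below, so it carries no addresses of its own.
      # Written as real booleans: "no" is a YAML 1.1 boolean only and is read
      # as the string "no" by YAML 1.2 parsers.
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces: [eth0]
      addresses: [10.29.5.29/24, 192.168.5.29/24]
      # gateway4 is deprecated in recent netplan releases in favour of
      # "routes: [{to: default, via: 10.29.5.1}]"; kept for older renderers.
      gateway4: 10.29.5.1
      nameservers:
        addresses:
          - 10.29.5.1
      parameters:
        # With a single member port the bridge cannot form a loop, so STP and
        # the forwarding delay are switched off and the port comes up at once.
        stp: false
        forward-delay: 0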
Iptables
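#!/bin/bash
# IPv4 firewall for the bridging router described by the netplan example above.
# Scope: this script programs iptables only. ip6tables is never touched, so any
# IPv6 traffic (link-local exists even with dhcp6 disabled) is outside these rules.
# Fail on the first error and on unset variables rather than continuing with a
# half-built ruleset.
set -eu

# How to get the current ip address of systems we care about.
# resolve_v4 NAME prints the first IPv4 (A) answer for NAME, or returns non-zero.
# Restricting the output to one dotted quad keeps an empty or multi-line dig
# result (e.g. a CNAME line followed by the A record) from being spliced into "-s".
resolve_v4() {
    dig +short @8.8.8.8 "$1" A | grep -E -m1 '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
# Resolve before anything is flushed: if a name does not resolve we stop here and
# the existing firewall stays in place.
# NOTE(review): these allow rules trust an unauthenticated DNS answer, so a
# spoofed or hijacked record widens them to whatever address it returns. Pin the
# addresses statically if the peers change rarely.
par1=$(resolve_v4 par1.greenwheel.com) || { echo "par1.greenwheel.com did not resolve to an IPv4 address; firewall left unchanged" >&2; exit 1; }
lon1=$(resolve_v4 lon1.greenwheel.com) || { echo "lon1.greenwheel.com did not resolve to an IPv4 address; firewall left unchanged" >&2; exit 1; }

# set up some interface aliases
bridge=br0
wanif=eth0
lanif=eth0

# initialise iptables: flush every chain in the filter, nat and mangle tables.
# This also empties UNRESTRICTED, so the allow/deny scripts must be re-run afterwards.
# Default policies are not changed here; whatever falls off the end of INPUT or
# FORWARD gets the policy already set on the chain (normally ACCEPT).
iptables -F
iptables -t nat -F
iptables -t mangle -F

# mkchain NAME creates a user chain only if it is missing, so the script can be
# re-run without "Chain already exists" errors while real failures still abort.
mkchain() {
    iptables -n -L "$1" >/dev/null 2>&1 || iptables -N "$1"
}
# Now we create our own chains
mkchain UNRESTRICTED
mkchain LOGOK
mkchain WANINPUT
mkchain LANINPUT
# chains for logging
mkchain LOGREJECT
mkchain LOGREJECTF
iptables -A LOGOK -j LOG --log-prefix "IPTABLES OK " --log-level 4
iptables -A LOGOK -j ACCEPT
iptables -A LOGREJECT -j LOG --log-prefix "IPTABLES BANNED " --log-level 4
iptables -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
iptables -A LOGREJECTF -j LOG --log-prefix "IPTABLES FORWARD REJECT " --log-level 4
iptables -A LOGREJECTF -j REJECT --reject-with icmp-port-unreachable

# We allow most things in apart from port 5000 which is our boiler service
# which is only allowed if we are coming from our own dedicated server
iptables -A INPUT -s "$par1" -j ACCEPT
iptables -A INPUT -s "$lon1" -j ACCEPT
# With one shared interface the LAN/WAN split can only be made on source
# address; with separate interfaces it is made on the ingress interface.
# NOTE(review): on a shared interface a source address is not proof of origin
# (it can be forged), so the single-interface branch depends on upstream
# anti-spoofing / rp_filter for the LAN ranges.
if [ "$wanif" = "$lanif" ]
then
    iptables -A INPUT -s 10.29.0.0/16 -j LANINPUT
    iptables -A INPUT -s 192.168.0.0/16 -j LANINPUT
    iptables -A INPUT -s 127.0.0.0/8 -j LANINPUT
    iptables -A INPUT -j WANINPUT
else
    iptables -A INPUT -i "$wanif" -j WANINPUT
    iptables -A INPUT -j LANINPUT
fi
iptables -A LANINPUT -j ACCEPT
# don't allow ldap queries from outside the lan -- LDAP is carried over TCP as
# well as UDP, so both are dropped (the UDP-only rule left TCP 389 open to the
# default policy).
iptables -A WANINPUT -p udp -m udp --dport 389 -j DROP
iptables -A WANINPUT -p tcp -m tcp --dport 389 -j DROP
iptables -A WANINPUT -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable

# Allow anything from our london and paris servers
iptables -A FORWARD -s "$par1" -j ACCEPT
iptables -A FORWARD -s "$lon1" -j ACCEPT
# Allow all local/vpn traffic within our subnet
iptables -A FORWARD -d 10.0.0.0/8 -j ACCEPT
# Allow ping etc
iptables -A FORWARD -p icmp -j ACCEPT
# conntrack is the current name of the old "state" match; same semantics.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the unrestricted chain is maintained by allow and deny scripts
iptables -A FORWARD -j UNRESTRICTED
iptables -A FORWARD -s 192.168.5.29 -j ACCEPT
iptables -A FORWARD -s 10.29.201.0/24 -j ACCEPT # allow anything we are routing from France
# Anything not identified as unrestricted is subject to the following....
iptables -A FORWARD -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable
#iptables -A FORWARD -j LOGREJECTF

# And now our natting rules
# If we are on the 10 subnet and going elsewhere, nat us so replies come back
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE
# This is for syncthing, but is an example of bidirectional port forwarding. We need both lines!
# NOTE(review): the SNAT source 10.29.5.19 differs from the bridge address
# 10.29.5.29 in the netplan example above -- confirm which one is intended.
iptables -t nat -A PREROUTING -p tcp --dport 62442 -j DNAT --to-destination 10.29.5.207
iptables -t nat -A POSTROUTING -p tcp --dport 62442 -d 10.29.5.207 -j SNAT --to-source 10.29.5.19
# these two lines show how to make port 53 really go to port 5353 in udp
#iptables -t nat -A OUTPUT -d 10.29.11.16 -p udp -m udp --dport 53 -j REDIRECT --to-port 5353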