# iptables-restore input (filter table) rendered from Ansible/Jinja variables.
# Rule order matters: the INPUT chain is evaluated top to bottom and the first
# matching -j target wins, so the rules below run from most trusted source to
# least trusted, with the catch-all DROP last.
#
# Template variables read by this file:
#   proxmox_host_ip           bridge address of the Proxmox host (management/Ansible)
#   lighthouse_bridge_ip      bridge address of the Nebula lighthouse
#   bridge_network            bridge CIDR (the section comment below names 192.168.100.0/24)
#   caddy_nebula_ip           overlay address of the Caddy reverse proxy; it is
#                             expanded whenever either caddy_proxied_ports_* list is
#                             defined, so it must be defined in those cases too or
#                             rendering will fail on the undefined name
#   caddy_proxied_ports_tcp   optional list; undefined -> section omitted,
#   caddy_proxied_ports_udp   empty list -> section header only, no rules
#   game_ports_tcp            optional list, same handling as above
#   game_ports_udp            optional list, same handling as above
*filter
# Chain policies: inbound and forwarded traffic is dropped unless a rule below
# accepts it; outbound traffic from this host is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow established and related connections
# (return traffic for flows that conntrack already knows about, so the rules
# below only need to describe the first packet of each new inbound flow)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
-A INPUT -i lo -j ACCEPT

# Allow all traffic on Nebula interface (encrypted overlay)
# NOTE(review): this match is by interface, not by source address, so every
# Nebula peer can reach every port on this host. If Caddy's traffic arrives on
# nebula1 (as caddy_nebula_ip suggests), the per-port Caddy rules further down
# never match because this rule has already accepted the packet; they only
# become effective if this rule is narrowed.
-A INPUT -i nebula1 -j ACCEPT

# ============================================================
# Bridge network rules (192.168.100.0/24)
# Only allow Proxmox host - block all other VMs on the bridge
# ============================================================

# Allow Proxmox host for management/Ansible
# (all protocols and ports from this single address; it sits before the
# bridge-wide DROP so it takes precedence)
-A INPUT -s {{ proxmox_host_ip }} -j ACCEPT

# Allow Nebula UDP from lighthouse (required for overlay connectivity)
# Only UDP/4242 is accepted from the lighthouse's bridge address; anything else
# it sends falls through to the bridge-wide DROP below.
-A INPUT -s {{ lighthouse_bridge_ip }} -p udp --dport 4242 -j ACCEPT

# DROP everything else from bridge network (force Nebula for inter-VM)
# Must stay after the two bridge exceptions above and before the public
# game-port rules below, otherwise bridge VMs could reach the game ports.
-A INPUT -s {{ bridge_network }} -j DROP

# ============================================================
# Caddy-proxied ports (Nebula only - reverse proxy traffic)
# These ports are NOT public; only Caddy can reach them
# (more precisely: these rules admit them only from caddy_nebula_ip; see the
# note on the nebula1 rule above, which may already accept this traffic)
# ============================================================

{% if caddy_proxied_ports_tcp is defined %}
# Web services proxied through Caddy (Nebula only)
{% for port in caddy_proxied_ports_tcp %}
-A INPUT -s {{ caddy_nebula_ip }} -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if caddy_proxied_ports_udp is defined %}
# UDP services proxied through Caddy (Nebula only)
{% for port in caddy_proxied_ports_udp %}
-A INPUT -s {{ caddy_nebula_ip }} -p udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# ============================================================
# Public-facing ports (for DNAT'd traffic from internet)
# ============================================================

{% if game_ports_tcp is defined %}
# Game server TCP ports (internet -> Proxmox DNAT -> VM)
# No -s or -i restriction: each port is reachable from any source that was not
# already dropped by the bridge-network rule above.
{% for port in game_ports_tcp %}
-A INPUT -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if game_ports_udp is defined %}
# Game server UDP ports (internet -> Proxmox DNAT -> VM)
# Same scope as the TCP game ports: no source or interface restriction.
{% for port in game_ports_udp %}
-A INPUT -p udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# ============================================================
# Default deny - drop everything not explicitly allowed
# ============================================================
# Redundant with the INPUT DROP policy declared at the top; kept so the drop is
# an explicit, visible rule rather than only the chain default.
-A INPUT -j DROP

COMMIT