andrewwebber/coreos-router.yaml

## coreos-router.yaml
#cloud-config

coreos:
  units:
    - name: sshd.socket
      command: restart
      content: |
        [Socket]
        ListenStream=2222
        Accept=yes
    - name: iptables-restore.service
      command: start
    - name: 10-dhcp.network
      runtime: true
      content: |
        [Match]
        Name=eno1*

        [Network]
        DHCP=yes
    - name: 20-static.network
      runtime: true
      content: |
        [Match]
        Name=eno3*

        [Network]
        DNS=8.8.8.8
        Address=10.100.2.100/24

  update:
    group: stable
    reboot-strategy: reboot

ssh_authorized_keys:
    - "ssh-rsa key"

write_files:
  - path: /etc/ssh/sshd_config
    permissions: 0600
    owner: root:root
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp

      PermitRootLogin no
      AllowUsers core
      PasswordAuthentication no
      ChallengeResponseAuthentication no
  - path: /var/lib/iptables/rules-save
    permissions: 0644
    owner: root:root
    content: |
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      # Example port forwarding to static ip address
      #-A PREROUTING -i eno16777736 -p tcp --dport 1984 -j DNAT --to-destination 10.100.2.101:22
      -A POSTROUTING -o eno16777736 -j MASQUERADE
      COMMIT
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
      -A FORWARD -i eno16777736 -o eno33554960 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -i eno33554960 -o eno16777736 -j ACCEPT
      # Example port forwarding to static ip address
      #-A FORWARD -i eno16777736 -o eno33554960 -d 10.100.2.100 -p tcp --dport 22 -j ACCEPT
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited
      -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
      -A INPUT -j DROP
      -A FORWARD -j DROP
      COMMIT
	#cloud-config

	coreos:
	units:
	- name: sshd.socket
	command: restart
	content: \|
	[Socket]
	ListenStream=2222
	Accept=yes
	- name: iptables-restore.service
	command: start
	- name: 10-dhcp.network
	runtime: true
	content: \|
	[Match]
	Name=eno1*

	[Network]
	DHCP=yes
	- name: 20-static.network
	runtime: true
	content: \|
	[Match]
	Name=eno3*

	[Network]
	DNS=8.8.8.8
	Address=10.100.2.100/24

	update:
	group: stable
	reboot-strategy: reboot

	ssh_authorized_keys:
	- "ssh-rsa key"

	write_files:
	- path: /etc/ssh/sshd_config
	permissions: 0600
	owner: root:root
	content: \|
	# Use most defaults for sshd configuration.
	UsePrivilegeSeparation sandbox
	Subsystem sftp internal-sftp

	PermitRootLogin no
	AllowUsers core
	PasswordAuthentication no
	ChallengeResponseAuthentication no
	- path: /var/lib/iptables/rules-save
	permissions: 0644
	owner: root:root
	content: \|
	*nat
	:PREROUTING ACCEPT [0:0]
	:INPUT ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:POSTROUTING ACCEPT [0:0]
	# Example port forwarding to static ip address
	#-A PREROUTING -i eno16777736 -p tcp --dport 1984 -j DNAT --to-destination 10.100.2.101:22
	-A POSTROUTING -o eno16777736 -j MASQUERADE
	COMMIT
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD DROP [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p icmp -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
	-A FORWARD -i eno16777736 -o eno33554960 -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A FORWARD -i eno33554960 -o eno16777736 -j ACCEPT
	# Example port forwarding to static ip address
	#-A FORWARD -i eno16777736 -o eno33554960 -d 10.100.2.100 -p tcp --dport 22 -j ACCEPT
	-A FORWARD -j REJECT --reject-with icmp-host-prohibited
	-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
	-A INPUT -j DROP
	-A FORWARD -j DROP
	COMMIT