CoreOS - Router
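#cloud-config
# CoreOS cloud-config for a two-interface router:
#   * eno1* (matched below, WAN-facing in the iptables rules) gets DHCP
#   * eno3* (LAN-facing) gets a static address
# sshd is socket-activated on port 2222 and the filter rules below open the
# same port, so keep the two values in sync if either is changed.
coreos:
  units:
    # Socket-activated sshd; the port here must match the INPUT rule in the
    # iptables rules-save file below.
    - name: sshd.socket
      command: restart
      content: |
        [Socket]
        ListenStream=2222
        Accept=yes
    # Loads /var/lib/iptables/rules-save (written below) at boot.
    - name: iptables-restore.service
      command: start
    # The globs appear to be chosen to cover the concrete interface names
    # (eno16777736 / eno33554960) used in the iptables rules; confirm on the
    # target host before relying on them.
    - name: 10-dhcp.network
      runtime: true
      content: |
        [Match]
        Name=eno1*
        [Network]
        DHCP=yes
    - name: 20-static.network
      runtime: true
      content: |
        [Match]
        Name=eno3*
        [Network]
        DNS=8.8.8.8
        Address=10.100.2.100/24
  update:
    group: stable
    reboot-strategy: reboot
# Placeholder only — replace with the real public key before use.
ssh_authorized_keys:
  - "ssh-rsa key"
write_files:
  # Key-only, non-root SSH limited to the "core" user. No Port directive is
  # needed here because sshd.socket above owns the listening port.
  - path: /etc/ssh/sshd_config
    permissions: 0600
    owner: root:root
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp
      PermitRootLogin no
      AllowUsers core
      PasswordAuthentication no
      ChallengeResponseAuthentication no
  # Ruleset consumed by iptables-restore. Chains: nat for masquerading the
  # LAN behind the WAN interface, filter for host and forwarding policy.
  - path: /var/lib/iptables/rules-save
    permissions: 0644
    owner: root:root
    content: |
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      # Example port forwarding to static ip address.
      # The matching FORWARD accept in the filter table must use the same
      # destination address (10.100.2.101) as this DNAT.
      #-A PREROUTING -i eno16777736 -p tcp --dport 1984 -j DNAT --to-destination 10.100.2.101:22
      -A POSTROUTING -o eno16777736 -j MASQUERADE
      COMMIT
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      # No -i restriction: SSH on 2222 is reachable from every interface,
      # including the WAN side. Add "-i eno33554960" to limit it to the LAN.
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
      # WAN -> LAN only for replies to existing connections; LAN -> WAN open.
      -A FORWARD -i eno16777736 -o eno33554960 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -i eno33554960 -o eno16777736 -j ACCEPT
      # Example port forwarding to static ip address (pairs with the DNAT
      # example in the nat table; destination is the post-DNAT address).
      #-A FORWARD -i eno16777736 -o eno33554960 -d 10.100.2.101 -p tcp --dport 22 -j ACCEPT
      # Catch-all for FORWARD; the chain policy (DROP) backs this up, so a
      # trailing unconditional DROP would never be reached.
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited
      # Rate-limited logging of everything INPUT is about to drop.
      -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
      -A INPUT -j DROP
      COMMIT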