firehol
# FireHOL configuration-language version; must be the first statement.
version 6

# Custom service definitions. Each service is a variable pair:
# server_<name>_ports lists the protocol/ports of the server side,
# client_<name>_ports the client side ("default" for every service here).
# A service defined here only has an effect where a later rule names it.

# PIA VPN: OpenVPN over TCP on port 502. Referenced by the lan2internet
# router below ("route piavpn accept").
server_piavpn_ports="tcp/502"
client_piavpn_ports="default"
# Minecraft: game port 25565 plus an alternate port 9000. Not referenced by
# any active rule in this file (the Minecraft dnat4 lines are commented out).
server_minecraft_ports="tcp/9000 tcp/25565"
client_minecraft_ports="default"
# Infoscreen web server on 8081. Also not referenced by any active rule in
# this file (its dnat4 line is commented out).
server_infoscreen_ports="tcp/8081"
client_infoscreen_ports="default"
# WireGuard on udp/51820 - disabled, together with its dnat4 lines below.
#server_wireguard_ports="udp/51820"
#client_wireguard_ports="default"
###########################################
### Redirections (DNAT) from the Internet to internal services.
### THE ACTUAL SECURITY IS HERE: the internet2lan router further down
### accepts all forwarded traffic, so this list of dnat4 lines is what
### decides which internal hosts/ports are reachable from int0.
### A dnat4 line without a "src" qualifier is exposed to the whole Internet.
###########################################
# Inbound OpenVPN server on 10.200.0.15, TCP and UDP 1194, open to everyone.
dnat4 to 10.200.0.15 inface int0 proto tcp dport 1194
dnat4 to 10.200.0.15 inface int0 proto udp dport 1194
# WireGuard (disabled).
#dnat4 to 10.250.0.254 inface int0 proto udp dport 51820
# nginx reverse proxy on 10.200.0.12: HTTP and HTTPS, open to everyone.
dnat4 to 10.200.0.12 inface int0 proto tcp dport 80,443
# Minecraft (all disabled). Ports are rewritten (host:port) where the public
# port differs from the internal one.
# michael
#dnat4 to 10.200.0.6:25565 inface int0 proto tcp dport 25565
# NOTE(review): re-enabling the next line publishes SSH on 10.200.0.6 to the
# whole Internet (external 22232 -> internal 22); add a "src" restriction
# if it is ever needed again.
#dnat4 to 10.200.0.6:22 inface int0 proto tcp dport 22232
#dnat4 to 10.200.0.6:9987 inface int0 proto udp dport 9987
# martin
#dnat4 to 10.200.0.61:25565 inface int0 proto tcp dport 9000
# m-michael-2
#dnat4 to 10.200.0.48:25565 inface int0 proto tcp dport 10000
# infoscreen from application (disabled)
#dnat4 to 10.200.0.108:8081 inface int0 proto tcp dport 15078
# iperf3 to dev (disabled)
#dnat4 to 10.200.0.50:5201 inface int0 proto tcp dport 5201
#dnat4 to 10.200.0.50:5201 inface int0 proto udp dport 5201
# WireGuard, restricted to the salt host (disabled)
#dnat4 to 10.250.10.2 inface int0 proto udp dport 51820 src 52.210.137.123
# Monitoring from the salt host - 52.210.137.123
# DNS: only queries coming from the salt host are forwarded to the internal
# resolver 10.200.0.40, and only over UDP. If the monitoring check ever
# falls back to TCP (large responses, truncation) a matching "proto tcp"
# line would be needed.
dnat4 to 10.200.0.40 inface int0 proto udp src 52.210.137.123 dport 53
###########################################
# Interfaces: traffic to and from the firewall host itself.
# Traffic forwarded to hosts behind br0 is handled by the router4
# definitions further down, not here.
###########################################
interface4 int0 internet
# The firewall host itself may open any outbound connection.
client all accept
# Services running on the firewall host are reachable only from the
# livebox network (192.168.0.0/24) and from the salt/monitoring host.
# NOTE(review): "server all accept" exposes every listening service on this
# host to those sources; listing the specific services needed (e.g. ssh,
# the monitoring port) would be tighter.
server all accept src 192.168.0.0/24
server all accept src 52.210.137.123
# DO NOT REMOVE THE LINE BELOW !!
# Everything else addressed to the firewall host from int0 is silently
# dropped (no reject/ICMP response); this is what shields the host from
# Internet-originated connections.
server any drop
# LAN side: the firewall host trusts br0 completely - any service on the
# host may be reached from the LAN and the host may reach any LAN service.
interface4 br0 lan
client all accept
server all accept
###########################################
# Routers: traffic forwarded between br0 and int0.
###########################################
# LAN -> Internet. Source NAT (masquerade) is applied on int0.
router4 lan2internet inface br0 outface int0
masquerade
# DNS and the PIA VPN tunnel (tcp/502) are allowed from every LAN host,
# including 10.200.0.14.
# NOTE(review): if 10.200.0.14 is meant to reach the Internet only through
# the VPN, "route dns accept" lets it send DNS queries directly (a DNS
# leak). "route dns accept src not 10.200.0.14" would close that, but
# confirm first whether the host needs to resolve the VPN endpoint itself.
route dns accept
route piavpn accept
# Everything else is allowed for all LAN hosts except 10.200.0.14 (the Tor
# host), which may therefore only egress via the two rules above.
route all accept src not 10.200.0.14
# Internet -> LAN. All forwarded traffic is accepted; the restriction is
# meant to come from the dnat4 lines above, since new connections from int0
# only reach a LAN host if a dnat4 rule rewrote the destination.
# NOTE(review): this also relies on the upstream router never forwarding
# packets addressed directly to the 10.200.0.0/24 hosts onto int0; a
# router restricted to the DNATed services would not depend on that.
router4 internet2lan inface int0 outface br0
route all accept
# Traffic between ports of the same bridge (br0 -> br0) is allowed
# unrestricted.
# NOTE(review): declared with "router" rather than "router4" like the two
# routers above - confirm the difference is intended.
router bridge inface br0 outface br0
route all accept