@OptoCloud
Last active April 20, 2023 18:17
Configure firewall for my server (thanks @hbjydev and @RequiDev)
... yada yada ...
auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up bash /root/post-up.sh
#!/bin/bash
# post-up.sh: run by ifupdown once vmbr0 is up (see the post-up line above).
# Sets up NAT for the 10.0.0.0/24 VM bridge and forwards HTTPS on the public
# interface to the internal nginx VM, but only from Cloudflare's published
# IPv4 ranges; everything else reaching the public interface except SSH is
# dropped. IPv4 only: ip6tables is not configured here, so an IPv6 address on
# the public interface is left unfiltered.
set -u

# Set variables
input_interface="enp8s0"
internal_subnet="10.0.0.0/24"
nginx_address="10.0.0.2:443"

# Fetch Cloudflare's IPv4 ranges over HTTPS. -f makes curl fail on an HTTP
# error instead of handing an error page to iptables below. On failure the
# list is left empty: the base firewall is still applied (host protected,
# site unreachable) rather than leaving the host without any rules.
if ! cf_ips=$(curl -fsSL https://www.cloudflare.com/ips-v4); then
  echo "warning: could not fetch Cloudflare IP list; no 443 forwarding rules will be added" >&2
  cf_ips=""
fi

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Reset previous rules (-F/-X do not reset chain policies; filter is the
# default table, so flushing it a second time is not needed)
iptables -F
iptables -X
iptables -t raw -F
iptables -t raw -X
iptables -t nat -F
iptables -t nat -X

# Accept replies to connections the host itself opened (apt, DNS, NTP, and
# the curl above on a re-run); without this the final DROP rule cuts them off.
iptables -A INPUT -i "$input_interface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Enable SSH
iptables -A INPUT -i "$input_interface" -p tcp --dport 22 -j ACCEPT

# Proxmox specific rules
# Masquerade all traffic leaving the internal subnet via the public interface
iptables -t nat -A POSTROUTING -s "$internal_subnet" -o "$input_interface" -j MASQUERADE
# Needed when the Proxmox firewall is enabled: per the Proxmox wiki, without a
# separate conntrack zone for the VM firewall bridges the firewall can block
# the VMs' outgoing connections instead of letting them be masqueraded. See
# https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_masquerading
iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1

# Forward HTTPS from Cloudflare's ranges to the internal nginx. Packets to
# port 443 from any other source are not DNATed, so they reach INPUT and are
# dropped by the rule at the end.
for ip in $cf_ips; do
  echo "Adding $ip"
  iptables -t nat -A PREROUTING -i "$input_interface" -p tcp -s "$ip" --dport 443 -j DNAT --to-destination "$nginx_address"
done

# Drop all other incoming traffic on the public interface
iptables -A INPUT -i "$input_interface" -j DROP
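The allow-list above is whatever curl returned, passed straight into iptables one line at a time. As an added example (not part of the gist or its author's setup), the script below validates each downloaded line as an IPv4 CIDR before it is turned into a DNAT rule, rejects anything else, and refuses to produce an empty rule set, so a proxy error page, a truncated download or a tampered list cannot quietly become "no Cloudflare ranges". The function names (validate_cidr, build_dnat_rules, count_valid_rules) and the sample list are assumptions of this example; the rules are printed as a dry run rather than executed.

```shell
#!/bin/bash
# Added example, not from the gist: validate the fetched Cloudflare list before
# it becomes firewall rules. Names and sample data here are constructed.

# validate_cidr A.B.C.D/N -> exit 0 only for a well-formed IPv4 CIDR
# (exactly four octets 0-255, prefix length 0-32, nothing else on the line).
validate_cidr() {
  local cidr="$1" ip prefix octet
  case "$cidr" in
    */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
    *) return 1 ;;
  esac
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  local IFS='.'
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_dnat_rules IFACE BACKEND < list
# Prints one PREROUTING DNAT rule per valid line, warns on stderr for invalid
# lines, and returns 1 when no valid entry was found so the caller can refuse
# to install an empty allow-list.
build_dnat_rules() {
  local iface="$1" backend="$2" line count=0
  while IFS= read -r line; do
    line="${line%%#*}"                                # drop trailing comments
    line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace
    [ -n "$line" ] || continue
    if validate_cidr "$line"; then
      printf 'iptables -t nat -A PREROUTING -i %s -p tcp -s %s --dport 443 -j DNAT --to-destination %s\n' \
        "$iface" "$line" "$backend"
      count=$((count + 1))
    else
      printf 'skipping invalid entry: %s\n' "$line" >&2
    fi
  done
  [ "$count" -gt 0 ]
}

# Constructed sample standing in for the body of https://www.cloudflare.com/ips-v4:
# two valid ranges (the second with a trailing comment), a blank line, and three
# lines of the kind an error page or a tampered download would produce.
SAMPLE_LIST='173.245.48.0/20
103.21.244.0/22   # comment

<html>error</html>
10.0.0.0/8/extra
999.1.1.1/24'

# Number of rules the sample yields (2: only the two well-formed ranges).
count_valid_rules() {
  printf '%s\n' "$SAMPLE_LIST" | build_dnat_rules enp8s0 10.0.0.2:443 2>/dev/null | wc -l | tr -d ' '
}

# Dry run: print the rules that would be installed for the sample list.
printf '%s\n' "$SAMPLE_LIST" | build_dnat_rules enp8s0 10.0.0.2:443
```

To use this in post-up.sh, pipe `$cf_ips` through build_dnat_rules and abort (keeping the base SSH/DROP rules) when it returns non-zero; if the list grows, the per-range rules can be collapsed into a single ipset match, but the validation step stays the same.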