add: current iptables

fix: update host exlusion list
fix: double config in extra content
2025-12-06 05:41:35 +01:00 · 2024-11-23 18:31:27 +00:00 · 2024-11-23 18:30:48 +00:00 · 2024-11-23 17:04:40 +00:00
4 changed files with 36 additions and 5 deletions
--- a/helper_scripts/snapshot-backups.py
+++ b/helper_scripts/snapshot-backups.py
@@ -85,14 +85,21 @@ if __name__ == "__main__":

        # shut down VM #
        print("Next:", vm.name())
-        vm_skip_list = ["harbor-registry", "backup", "irc-new", #"kube1",
-                         "kube2", "mail", "monitoring", "paperless",
-                         "prometheus", "signal", "steam-master", "zabbix",
-                         "git", "kathi", "usermanagement", "vpn", "ths", "nextcloud-athq"]
+        vm_skip_list = ["harbor-registry", "backup", #"irc-new", #"kube1",
+                         "kube2", 
+                         "kube1", 
+                        #"mail", 
+                        "monitoring", 
+                        #"paperless",
+                         "prometheus", "signal", 
+                        "steam-master", "zabbix",
+                        "git", 
+                        #"kathi", "usermanagement", "vpn", "ths", "nextcloud-athq"
+                        ]
        if vm.name() in vm_skip_list:
            continue

-        vm_white_list = ["kube1"]
+        vm_white_list = []
        if vm_white_list:
            if not vm.name() in vm_white_list:
                continue
--- a/iptables/rules.v4
+++ b/iptables/rules.v4
@@ -0,0 +1,18 @@
+*filter
+-A INPUT -p tcp -m tcp --dport 10050 -j DROP      
+-A FORWARD -d 159.69.136.222 -p tcp -m multiport --dports 26000:27000 -j ACCEPT
+-A FORWARD -d 159.69.136.222 -p udp -m multiport --dports 26000:27000 -j ACCEPT
+-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT ! -s 159.69.136.222 -o eno1 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -i eno1 -p tcp -m multiport --dports 5044,9200:9210,9300:9310 -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+
+*nat
+-A PREROUTING -i eno1 -p tcp -m multiport --dports 26000:27000 -j DNAT --to-destination 192.168.122.102
+-A PREROUTING -i eno1 -p udp -m multiport --dports 26000:27000 -j DNAT --to-destination 192.168.122.102
+
+-A POSTROUTING ! -o eno1 -p tcp -m multiport --dports 26000:27000 -d 192.168.122.102 -j SNAT --to-source 192.168.122.1
+-A POSTROUTING ! -o eno1 -p tcp -m multiport --dports 26000:27000 -d 192.168.122.102 -j SNAT --to-source 192.168.122.1
+
+COMMIT
--- a/iptables/rules.v6
+++ b/iptables/rules.v6
@@ -0,0 +1,4 @@
+*filter
+-A INPUT -p tcp -m tcp --dport 10050 -j DROP      
+-A INPUT -i eno1 -p tcp -m multiport --dports 5044,9200:9210,9300:9310 -j REJECT
+COMMIT
--- a/templates/nginx_stream_block.conf.j2
+++ b/templates/nginx_stream_block.conf.j2
@@ -4,8 +4,10 @@ server {
    listen {{ portstring }} {% if udp %} udp {% endif %}{% if ssl %} ssl {% endif %};
    listen [::]:{{ portstring }} {% if udp %} udp {% endif %}{% if ssl %} ssl {% endif %};

+    {% if not extra_content or not "proxy_timeout" in extra_content %}
    proxy_timeout {{ proxy_timeout }};
    proxy_responses 1;
+    {% endif %}

    {% if targetportoverwrite %}
    proxy_pass {{ targetip }}:{{ targetportoverwrite }};
Author	SHA1	Message	Date
Sheppy	e5313bcf4e	add: current iptables	2024-11-23 18:31:27 +00:00
Sheppy	79f36ac23e	fix: update host exlusion list	2024-11-23 18:30:48 +00:00
Sheppy	da24ff9b1e	fix: double config in extra content	2024-11-23 17:04:40 +00:00