Currently, the setup we have in docker-compose does not reflect real-world scenarios very well because most components share the same subnet. In reality, Clients, Gateways, Relays and the backend are all in separate subnets, connected via multiple routers on the Internet. The current setup makes it hard to properly test relayed connections. To fix this, we move all components into their own subnet with a dedicated router container that performs source and destination NAT and acts as a firewall that blocks inbound traffic to the client and gateway containers. This setup will allow us to more easily test #10286, which requires port randomization for outgoing traffic on the Client and Gateway side.
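table inet router {
	# Input chain - traffic addressed to the router container itself.
	# Default-drop: only loopback, packets belonging to flows conntrack
	# already knows, and ICMP/ICMPv6 are accepted.
	chain input {
		type filter hook input priority filter; policy drop;

		# Loopback is always trusted.
		iif "lo" accept

		# Drop packets conntrack cannot associate with any flow
		# (out-of-window TCP, stray ICMP errors, ...) before the
		# unconditional ICMP accepts below can match them.
		ct state invalid drop

		# Replies and related packets (e.g. ICMP errors) of known flows.
		ct state established,related accept

		# ICMP/ICMPv6 for basic connectivity (ping, PMTU, neighbor discovery).
		ip protocol icmp accept
		ip6 nexthdr ipv6-icmp accept
	}

	# Forward chain - traffic routed between the attached subnets.
	# NOTE(review): with policy accept and no per-interface rules, this
	# chain does not by itself block new inbound connections toward the
	# client/gateway subnets; that filtering is presumably installed at
	# runtime together with the NAT rules below - TODO confirm.
	chain forward {
		type filter hook forward priority filter; policy accept;

		# Never forward packets conntrack considers invalid; everything
		# else is forwarded by the chain policy.
		ct state invalid drop
	}

	# Output chain - traffic originated by the router itself.
	chain output {
		type filter hook output priority filter; policy accept;
	}

	# Prerouting chain for DNAT. Empty here; DNAT rules are presumably
	# added at container start-up - TODO confirm.
	chain prerouting {
		type nat hook prerouting priority dstnat;
	}

	# Postrouting chain for SNAT/masquerading. Empty here; SNAT rules
	# are presumably added at container start-up - TODO confirm.
	chain postrouting {
		type nat hook postrouting priority srcnat;
	}
}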