systems/infrastructure
1
Fork 0
Code Issues 1 Pull requests 16 Activity Actions

Allow ingress to serve as tailscale exit node
All checks were successful
/ terraform (push) Successful in 38s
Details
/ ansible (push) Successful in 1m46s
Details

Browse source
This commit is contained in:
Jake Howard 2024-03-28 23:30:24 +00:00
parent b83e239123
commit 8424b3211b
Signed by: jake
GPG key ID: 57AFB45680EDD477
1 changed files with 5 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
ansible/roles/ingress/files/nftables.conf
View file

@ -30,7 +30,7 @@ table inet filter {
# NAT - because the proxmox machines may not have routes back # NAT - because the proxmox machines may not have routes back
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade ip saddr {{ tailscale_cidr }} counter masquerade
} }
chain FORWARD { chain FORWARD {
@ -44,8 +44,9 @@ table inet filter {
# Allow monitoring of nebula network # Allow monitoring of nebula network
ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
# Allow traffic from Tailscale to proxmox network # Allow Tailscale exit node
ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept ip saddr {{ tailscale_cidr }} accept
ip daddr {{ tailscale_cidr }} ct state related,established accept
} }
} }