Cloud-config/nat box
From Federal Burro of Information
Jump to navigationJump to search
#cloud-config
apt_sources:
- source: "deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty main multiverse"
- source: "deb http://security.ubuntu.com/ubuntu trusty-security main multiverse"
- source: "deb http://apt.puppetlabs.com trusty main"
keyid: 1054b7a24bd6ec30
apt_upgrade: true
locale: en_US.UTF-8
packages:
- puppet
- git
- traceroute
- nmap
- keepalived
- ec2-api-tools
- awscli
- python-boto
write_files:
- path: /etc/sysctl.d/99-nat.conf
permission: 0644
content: |
net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_max = 65536
net.ipv4.conf.eth0.send_redirects = 0
- path: /etc/ssh/ssh_config
permission: 0644
content: |
Host *
ForwardAgent yes
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
ssh_authorized_keys:
- ssh-rsa YOUR PUBLIC KEY HERE
runcmd:
- [ sysctl, -w, net.ipv4.ip_forward=1 ]
- [ sysctl, -w, net.netfilter.nf_conntrack_max=65536 ]
- [ iptables, -N, LOGGINGF ]
- [ iptables, -N, LOGGINGI ]
- [ iptables, -A, LOGGINGF, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-FORWARD-Dropped: ", --log-level, 4 ]
- [ iptables, -A, LOGGINGI, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-INPUT-Dropped: ", --log-level, 4 ]
- [ iptables, -A, LOGGINGF, -j, DROP ]
- [ iptables, -A, LOGGINGI, -j, DROP ]
- [ iptables, -A, FORWARD, -s, ${networkprefix}, -j, ACCEPT ]
- [ iptables, -A, FORWARD, -j, LOGGINGF ]
- [ iptables, -P, FORWARD, DROP ]
- [ iptables, -I, FORWARD, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
- [ iptables, -t, nat, -I, POSTROUTING, -s, ${networkprefix}, -d, 0.0.0.0/0, -j, MASQUERADE ]
- [ iptables, -A, INPUT, -s, ${networkprefix}, -j, ACCEPT ]
- [ iptables, -A, INPUT, -p, tcp, --dport, 22, -m, state, --state, NEW, -j, ACCEPT ]
- [ iptables, -I, INPUT, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
- [ iptables, -I, INPUT, -i, lo, -j, ACCEPT ]
- [ iptables, -A, INPUT, -j, LOGGINGI ]
- [ iptables, -P, INPUT, DROP ]
- [ wget, 'https://raw.githubusercontent.com/lithiumtech/ha-nat/master/ha-nat.py', -O, /root/ha-nat.py ]
- [ chmod, +x, /root/ha-nat.py ]
- '/root/ha-nat.py --monitor-interval 15 --private-subnets "${private_subnet_1_id},${private_subnet_2_id}" &'
- echo '@reboot /root/ha-nat.py --monitor-interval 15 --private-subnets "${private_subnet_1_id},${private_subnet_2_id}"' | crontab
