Cloud-config/nat box
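#cloud-config
# NAT / HA-NAT instance for a VPC on Ubuntu 14.04 ("trusty").
#
# This file is a *template*: ${networkprefix}, ${private_subnet_1_id} and
# ${private_subnet_2_id} are substituted by whatever renders the user-data
# (presumably CloudFormation/Terraform -- verify against the stack) before
# cloud-init parses it. The bare ${...} inside the flow lists below are not
# valid YAML until that substitution has happened, so lint the rendered output,
# not this file.
#
# Key spellings (apt_sources, apt_upgrade) are the cloud-init 0.7.x names that
# ship with trusty; newer releases use apt: / package_upgrade:.
apt_sources:
  - source: "deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty main multiverse"
  - source: "deb http://security.ubuntu.com/ubuntu trusty-security main multiverse"
  # Puppet Labs repo; the signing key is fetched from cloud-init's default
  # keyserver (no keyserver: given here).
  - source: "deb http://apt.puppetlabs.com trusty main"
    keyid: "1054b7a24bd6ec30"
apt_upgrade: true
locale: en_US.UTF-8
packages:
  - puppet
  - git
  - traceroute
  - nmap   # NOTE(review): a scanner on an internet-facing box; drop it if unused
  - keepalived
  - ec2-api-tools
  - awscli
  - python-boto   # presumably what /root/ha-nat.py imports -- confirm
write_files:
  # Kernel settings for routing. sysctl.d is applied early at boot, possibly
  # before nf_conntrack is loaded (the nf_conntrack_max key does not exist
  # until then), so the same value is re-applied from runcmd and from the
  # if-pre-up hook below.
  - path: /etc/sysctl.d/99-nat.conf
    permissions: '0644'
    content: |
      net.ipv4.ip_forward = 1
      net.netfilter.nf_conntrack_max = 65536
      net.ipv4.conf.eth0.send_redirects = 0
  # Re-apply the rule set saved at first boot (see `iptables-save` in runcmd).
  # runcmd only executes once per instance; without this hook a reboot loses
  # every iptables rule: FORWARD/INPUT fall back to the kernel default ACCEPT
  # policy and the MASQUERADE rule is gone, so the box is both wide open and
  # no longer NATing. Runs via run-parts for each interface; restore is
  # idempotent so that is harmless.
  - path: /etc/network/if-pre-up.d/nat-rules
    permissions: '0755'
    content: |
      #!/bin/sh
      if [ -r /etc/iptables.rules ]; then
          iptables-restore < /etc/iptables.rules
          # the -m state rules just loaded nf_conntrack; size its table now
          sysctl -p /etc/sysctl.d/99-nat.conf
      fi
      exit 0
  # System-wide ssh client defaults. ForwardAgent was "yes" for Host *, which
  # lets root on any machine you ssh to from here use the keys in your agent;
  # a NAT/bastion host is exactly where that must be off by default (use
  # `ssh -A` or a per-host stanza when it is really needed).
  - path: /etc/ssh/ssh_config
    permissions: '0644'
    content: |
      Host *
          ForwardAgent no
          SendEnv LANG LC_*
          HashKnownHosts yes
          GSSAPIAuthentication yes
          GSSAPIDelegateCredentials no
ssh_authorized_keys:
  - ssh-rsa YOUR PUBLIC KEY HERE
runcmd:
  # Routing prerequisites. Load conntrack explicitly so the nf_conntrack_max
  # sysctl has a key to write to even if sysctl.d ran before the module existed.
  - [ sysctl, -w, net.ipv4.ip_forward=1 ]
  - [ modprobe, nf_conntrack ]
  - [ sysctl, -w, net.netfilter.nf_conntrack_max=65536 ]
  # Rate-limited log-then-drop chains, one each for FORWARD and INPUT.
  - [ iptables, -N, LOGGINGF ]
  - [ iptables, -N, LOGGINGI ]
  - [ iptables, -A, LOGGINGF, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-FORWARD-Dropped: ", --log-level, 4 ]
  - [ iptables, -A, LOGGINGI, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-INPUT-Dropped: ", --log-level, 4 ]
  - [ iptables, -A, LOGGINGF, -j, DROP ]
  - [ iptables, -A, LOGGINGI, -j, DROP ]
  # FORWARD: only the private address space may originate flows through the
  # NAT; return traffic is matched by the ESTABLISHED,RELATED rule inserted at
  # the head of the chain. Everything else is logged and dropped.
  - [ iptables, -A, FORWARD, -s, ${networkprefix}, -j, ACCEPT ]
  - [ iptables, -A, FORWARD, -j, LOGGINGF ]
  - [ iptables, -P, FORWARD, DROP ]
  - [ iptables, -I, FORWARD, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
  - [ iptables, -t, nat, -I, POSTROUTING, -s, ${networkprefix}, -d, 0.0.0.0/0, -j, MASQUERADE ]
  # INPUT: anything from the private address space, new SSH, loopback and
  # established traffic; the rest is logged and dropped.
  # NOTE(review): the SSH rule accepts from 0.0.0.0/0 -- restrict it to an
  # admin CIDR (or rely on the security group) rather than the whole internet.
  - [ iptables, -A, INPUT, -s, ${networkprefix}, -j, ACCEPT ]
  - [ iptables, -A, INPUT, -p, tcp, --dport, 22, -m, state, --state, NEW, -j, ACCEPT ]
  - [ iptables, -I, INPUT, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
  - [ iptables, -I, INPUT, -i, lo, -j, ACCEPT ]
  - [ iptables, -A, INPUT, -j, LOGGINGI ]
  - [ iptables, -P, INPUT, DROP ]
  # No ip6tables rules exist here: if the instance ever gets an IPv6 address
  # it is unfiltered. Add a matching v6 policy or disable v6 on the box.
  # Persist the rule set for the if-pre-up hook written above.
  - 'iptables-save > /etc/iptables.rules'
  # ha-nat.py (lithiumtech/ha-nat) takes over the private subnets' default
  # route; it needs EC2 API rights, presumably via an instance role -- confirm.
  # NOTE(review): this fetches an unpinned "master" once at first boot and then
  # runs it as root on every boot. The TLS certificate check done by wget is
  # the only integrity check; pin the URL to a commit SHA and verify a sha256
  # of the file before chmod +x.
  - [ wget, 'https://raw.githubusercontent.com/lithiumtech/ha-nat/master/ha-nat.py', -O, /root/ha-nat.py ]
  - [ chmod, +x, /root/ha-nat.py ]
  - '/root/ha-nat.py --monitor-interval 15 --private-subnets "${private_subnet_1_id},${private_subnet_2_id}" &'
  # Replaces root's entire crontab (fine on a fresh instance, not idempotent).
  - echo '@reboot /root/ha-nat.py --monitor-interval 15 --private-subnets "${private_subnet_1_id},${private_subnet_2_id}"' | crontab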