Cloud-config/nat box

From Federal Burro of Information
Revision as of 21:49, 31 July 2022 by David (talk | contribs) (Created page with "<Pre> #cloud-config apt_sources: - source: "deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty main multiverse" - source: "deb http://security.ubuntu.com/ubuntu trus...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search
#cloud-config
apt_sources:
 - source: "deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty main multiverse"
 - source: "deb http://security.ubuntu.com/ubuntu trusty-security main multiverse"
 - source: "deb http://apt.puppetlabs.com trusty main"
   keyid: 1054b7a24bd6ec30
apt_upgrade: true
locale: en_US.UTF-8

packages:
 - puppet
 - git
 - traceroute
 - nmap
 - keepalived
 - ec2-api-tools
 - awscli
 - python-boto

write_files:
 - path: /etc/sysctl.d/99-nat.conf
   permission: 0644
   content: |
     net.ipv4.ip_forward = 1
     net.netfilter.nf_conntrack_max = 65536
     net.ipv4.conf.eth0.send_redirects = 0
 - path: /etc/ssh/ssh_config
   permission: 0644
   content: |
     Host *
      ForwardAgent yes
      SendEnv LANG LC_*
      HashKnownHosts yes
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials no

ssh_authorized_keys:
 - ssh-rsa YOUR PUBLIC KEY HERE

runcmd:
 - [ sysctl, -w, net.ipv4.ip_forward=1 ]
 - [ sysctl, -w, net.netfilter.nf_conntrack_max=65536 ]
 - [ iptables, -N, LOGGINGF ]
 - [ iptables, -N, LOGGINGI ]
 - [ iptables, -A, LOGGINGF, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-FORWARD-Dropped: ", --log-level, 4 ]
 - [ iptables, -A, LOGGINGI, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-INPUT-Dropped: ", --log-level, 4 ]
 - [ iptables, -A, LOGGINGF, -j, DROP ]
 - [ iptables, -A, LOGGINGI, -j, DROP ]
 - [ iptables, -A, FORWARD, -s, ${networkprefix}, -j, ACCEPT ]
 - [ iptables, -A, FORWARD, -j, LOGGINGF ]
 - [ iptables, -P, FORWARD, DROP ]
 - [ iptables, -I, FORWARD, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
 - [ iptables, -t, nat, -I, POSTROUTING, -s, ${networkprefix}, -d, 0.0.0.0/0, -j, MASQUERADE ]
 - [ iptables, -A, INPUT, -s, ${networkprefix}, -j, ACCEPT ]
 - [ iptables, -A, INPUT, -p, tcp, --dport, 22, -m, state, --state, NEW, -j, ACCEPT ]
 - [ iptables, -I, INPUT, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
 - [ iptables, -I, INPUT, -i, lo, -j, ACCEPT ]
 - [ iptables, -A, INPUT, -j, LOGGINGI ]
 - [ iptables, -P, INPUT, DROP ]
 - [ wget, 'https://raw.githubusercontent.com/lithiumtech/ha-nat/master/ha-nat.py', -O, /root/ha-nat.py ]
 - [ chmod, +x, /root/ha-nat.py ]
 - '/root/ha-nat.py --monitor-interval 15 --private-subnets "${private_subnet_1_id},${private_subnet_2_id}" &'
 - echo '@reboot /root/ha-nat.py --monitor-interval 15 --private-subnets "${private_subnet_1_id},${private_subnet_2_id}"' | crontab