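#cloud-config
# -*- YAML -*-
# cloud-init user-data for a NAT instance running AWSnycast + keepalived.
# This file is rendered as a template first (the ${...} placeholders) and only
# then parsed as YAML, so every templated scalar is quoted: the rendered value
# then cannot be re-typed (bool/number/date) or start with a YAML indicator.
apt_upgrade: true  # deprecated alias of package_upgrade in current cloud-init; still honoured
locale: en_US.UTF-8
# keepalived is what the NAT failover relies on; traceroute and nmap are
# debugging aids only and widen the footprint of a production image.
packages:
  - traceroute
  - nmap
  - keepalived
write_files:
  # No [Install] section on purpose: the unit is started explicitly from
  # runcmd (re-run on every boot via bootcmd below) rather than enabled.
  # Nothing sets Restart=, so a crashed daemon stays down until the next boot.
  - path: /lib/systemd/system/awsnycast.service
    content: |
      [Unit]
      Description=Job that runs AWSnycast
      [Service]
      Type=simple
      ExecStart=/usr/bin/AWSnycast
  # AWSnycast configuration. One health check ("public", ping to 8.8.8.8) gates
  # the 0.0.0.0/0 route in two sets of route tables:
  #   my_az     - the table of the subnet this instance is in (never_delete)
  #   other_azs - the private tables of the other AZs, matched by Name tag,
  #               with if_unhealthy set (confirm exact semantics in the
  #               AWSnycast docs before changing either flag)
  - path: /etc/awsnycast.yaml
    content: |
      ---
      poll_time: 300
      healthchecks:
        public:
          type: ping
          destination: 8.8.8.8
          rise: 2
          fall: 10
          every: 1
      routetables:
        my_az:
          find:
            type: subnet
            config:
              subnet_id: "${mysubnet}"
          manage_routes:
            - cidr: 0.0.0.0/0
              instance: SELF
              healthcheck: public
              never_delete: true
        other_azs:
          find:
            type: and
            config:
              filters:
                - type: subnet
                  not: true
                  config:
                    subnet_id: "${mysubnet}"
                - type: by_tag_regexp
                  config:
                    key: Name
                    regexp: '${name}-rt-private-${region}[a-z]'
          manage_routes:
            - cidr: 0.0.0.0/0
              instance: SELF
              healthcheck: public
              if_unhealthy: true
# The commands under runcmd must run on every boot (iptables rules and /proc
# sysctls are not persisted), but cloud-init runs runcmd on first boot only,
# and bootcmd - which does run every boot - runs before write_files. So bootcmd
# re-executes the script cloud-init generated from runcmd on first boot; the
# -x guard covers that first boot, when the script does not exist yet.
bootcmd:
  - [ sh, -c, "[ -x /var/lib/cloud/instance/scripts/runcmd ] && /var/lib/cloud/instance/scripts/runcmd" ]
runcmd:
  - [ sh, -c, "echo 1 > /proc/sys/net/ipv4/ip_forward" ]
  # Two log-then-drop chains so dropped FORWARD / INPUT traffic shows up in the
  # kernel log, rate limited to 2/min per chain.
  - [ iptables, -N, LOGGINGF ]
  - [ iptables, -N, LOGGINGI ]
  - [ iptables, -A, LOGGINGF, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-FORWARD-Dropped: ", --log-level, "4" ]
  - [ iptables, -A, LOGGINGI, -m, limit, --limit, 2/min, -j, LOG, --log-prefix, "IPTables-INPUT-Dropped: ", --log-level, "4" ]
  - [ iptables, -A, LOGGINGF, -j, DROP ]
  - [ iptables, -A, LOGGINGI, -j, DROP ]
  # FORWARD: only traffic sourced inside the VPC is forwarded (and MASQUERADEd
  # out); everything else is logged and dropped. The trailing -I puts the
  # ESTABLISHED,RELATED accept at the top of the chain.
  - [ iptables, -A, FORWARD, -s, "${vpc_cidr}", -j, ACCEPT ]
  - [ iptables, -A, FORWARD, -j, LOGGINGF ]
  - [ iptables, -P, FORWARD, DROP ]
  - [ iptables, -I, FORWARD, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
  - [ iptables, -t, nat, -I, POSTROUTING, -s, "${vpc_cidr}", -d, 0.0.0.0/0, -j, MASQUERADE ]
  # INPUT: accept anything from the VPC (keepalived VRRP, if configured, needs
  # this), new SSH from any source, loopback and established flows; log and
  # drop the rest. The SSH rule carries no source restriction, so the security
  # group is the only control on who can reach port 22 from outside the VPC.
  # No ip6tables rules are set here; IPv6, if enabled, keeps the default
  # ACCEPT policies.
  - [ iptables, -A, INPUT, -s, "${vpc_cidr}", -j, ACCEPT ]
  - [ iptables, -A, INPUT, -p, tcp, --dport, "22", -m, state, --state, NEW, -j, ACCEPT ]
  - [ iptables, -I, INPUT, -m, state, --state, "ESTABLISHED,RELATED", -j, ACCEPT ]
  - [ iptables, -I, INPUT, -i, lo, -j, ACCEPT ]
  - [ iptables, -A, INPUT, -j, LOGGINGI ]
  - [ iptables, -P, INPUT, DROP ]
  # /proc/sys/net/netfilter/nf_conntrack_max only exists once nf_conntrack is
  # loaded, which the -m state and MASQUERADE rules above ensure; written any
  # earlier it can fail on a boot where the module is not loaded yet.
  - [ sh, -c, "echo 655361 > /proc/sys/net/netfilter/nf_conntrack_max" ]
  # Install AWSnycast once. The .deb is fetched and installed with no checksum
  # or signature verification, so trust rests entirely on the URL's host and
  # transport; pin a digest next to the URL when one is available. Only the
  # package we downloaded is removed, not every .deb in /tmp.
  - [ sh, -c, "which AWSnycast || { cd /tmp && wget ${awsnycast_deb_url} && dpkg -i awsnycast_*.deb && rm awsnycast_*.deb; }" ]
  - [ systemctl, start, awsnycast ]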