updated nftables state

This commit is contained in:
Paul 2022-01-06 23:18:36 +01:00
parent 3c71f5def3
commit 20506f52c5
5 changed files with 54 additions and 54 deletions


@ -7,7 +7,7 @@ nftables-config-dir:
nftables-blacklist-config: nftables-blacklist-config:
file.managed: file.managed:
- name: {{ nftables.config_dir }}/blacklist.nft - name: {{ nftables.config_dir }}/blacklist.nft
- source: salt://nftables/blacklist.nft.j2 - source: salt://nftables/templates/blacklist.nft.j2
- template: jinja - template: jinja
- watch_in: - watch_in:
- service: nftables-service - service: nftables-service
@ -18,7 +18,7 @@ nftables-blacklist-config:
nftables-rules-config: nftables-rules-config:
file.managed: file.managed:
- name: {{ nftables.config_dir }}/rules.nft - name: {{ nftables.config_dir }}/rules.nft
- source: salt://nftables/rules.nft.j2 - source: salt://nftables/templates/rules.nft.j2
- template: jinja - template: jinja
- watch_in: - watch_in:
- service: nftables-service - service: nftables-service
@ -29,7 +29,7 @@ nftables-rules-config:
nftables-main-config: nftables-main-config:
file.managed: file.managed:
- name: /etc/nftables.conf - name: /etc/nftables.conf
- source: salt://nftables/nftables.conf.j2 - source: salt://nftables/templates/nftables.conf.j2
- template: jinja - template: jinja
- watch_in: - watch_in:
- service: nftables-service - service: nftables-service


@ -1,51 +0,0 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nftables/map.jinja" import nftables with context %}
{%- from "nftables/map.jinja" import net with context %}
## IPv4 filtering
add table ip filter
add chain ip filter input { type filter hook input priority 0; policy drop; }
add chain ip filter forward { type filter hook forward priority 0; policy accept; }
add chain ip filter output { type filter hook output priority 0; policy accept; }
add rule ip filter input iifname lo counter accept
add rule ip filter input iifname tun* counter accept
add rule ip filter input ct state related,established counter accept
add rule ip filter input ip protocol icmp counter accept
add rule ip filter input ip saddr $blacklist drop
{%- for key, value in net.ipv4_networks.items() %}
add rule ip filter input ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip filter input {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
#add rule ip filter input counter log
## IPv4 NAT
add table ip nat
add chain ip nat prerouting { type nat hook prerouting priority 0; policy accept; }
add chain ip nat input { type nat hook input priority 0; policy accept; }
add chain ip nat output { type nat hook output priority 0; policy accept; }
add chain ip nat postrouting { type nat hook postrouting priority 0; policy accept; }
{%- for key, value in net.nats.items() %}
add rule ip nat postrouting ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
{%- endfor %}
## IPv6 filtering
add table ip6 filter6
add chain ip6 filter6 input { type filter hook input priority 0; policy drop; }
add chain ip6 filter6 forward { type filter hook forward priority 0; policy accept; }
add chain ip6 filter6 output { type filter hook output priority 0; policy accept; }
add rule ip6 filter6 input iifname lo counter accept
add rule ip6 filter6 input iifname tun* counter accept
add rule ip6 filter6 input ct state related,established counter accept
add rule ip6 filter6 input icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
{%- for key, value in net.ipv6_networks.items() %}
add rule ip6 filter6 input ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip6 filter6 input {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
#add rule ip6 filter6 input counter log
## Endline is mandatory


@ -0,0 +1,51 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nftables/map.jinja" import nftables with context %}
{%- from "nftables/map.jinja" import net with context %}
## IPv4 filtering
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT ip protocol icmp counter accept
add rule ip filter INPUT log ip saddr $blacklist drop
{%- for key, value in net.ipv4_networks.items() %}
add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
#add rule ip filter INPUT counter log
## IPv4 NAT
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority 0; policy accept; }
add chain ip nat INPUT { type nat hook input priority 0; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority 0; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
{%- for key, value in net.nats.items() %}
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
{%- endfor %}
## IPv6 filtering
add table ip6 filter6
add chain ip6 filter6 INPUT { type filter hook input priority 0; policy drop; }
add chain ip6 filter6 FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip6 filter6 OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip6 filter6 INPUT iifname lo counter accept
add rule ip6 filter6 INPUT iifname tun* counter accept
add rule ip6 filter6 INPUT ct state related,established counter accept
add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
{%- for key, value in net.ipv6_networks.items() %}
add rule ip6 filter6 INPUT ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
#add rule ip6 filter6 INPUT counter log
## Endline is mandatory
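Review bot: In the blacklist rule `add rule ip filter INPUT log ip saddr $blacklist drop`, the `log` statement is placed before the `ip saddr $blacklist` match; nftables evaluates a rule left to right, so every packet that reaches this rule is logged before the source check runs, not only blacklisted ones. On an input chain with `policy drop` that is every inbound packet not already accepted by the earlier rules, which can flood the kernel log under ordinary traffic, and this is also the only INPUT rule in the file without `counter`. Putting the match first keeps the logging but restricts it to blacklisted sources: `add rule ip filter INPUT ip saddr $blacklist counter log drop` (a `limit rate` statement in front of `log` would additionally bound the log volume). Separately, the chains are now created with uppercase names via `add chain`; unless the including config flushes the ruleset before loading this file — not visible on this page — the previously created lowercase `input`/`forward`/`output` base chains would stay registered on the same hooks alongside the new ones.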