updated nftables state

This commit is contained in:
Paul 2023-01-05 00:13:40 +01:00
parent 037395b462
commit 5440508ca4
2 changed files with 14 additions and 6 deletions


@ -2,4 +2,5 @@
nftables: nftables:
enabled: true enabled: true
config_dir: /etc/nftables config_dir: /etc/nftables
log: false
networks: {} networks: {}
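Review bot: The new `log: false` default carries no comment saying what it switches on, and a reader of this pillar alone cannot tell that it controls a firewall logging rule rather than, say, application logging. From the template in this commit it enables an unconditional `counter log` rule near the end of the INPUT chain for both IPv4 and IPv6, so a short note above the key would help: `# log: true adds a rule that logs every packet reaching the end of the INPUT chain (v4 and v6); verbose — enable only for debugging`. Whether anything else reads this key cannot be confirmed from this page.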


@ -19,7 +19,10 @@ add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state estab
{%- for key, value in net.public_ports.items() %} {%- for key, value in net.public_ports.items() %}
add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %} {%- endfor %}
#add rule ip filter INPUT counter log {%- if nftables.log %}
add rule ip filter INPUT counter log
{%- endif %}
## IPv4 NAT ## IPv4 NAT
add table ip nat add table ip nat
@ -28,12 +31,18 @@ add chain ip nat INPUT { type nat hook input priority 1; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; } add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; } add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }
add chain ip nat DOCKER add chain ip nat DOCKER
### Main NAT rules
{%- for key, value in net.nats.items() %} {%- for key, value in net.nats.items() %}
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
{%- endfor %} {%- endfor %}
### Docker related rules
add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/24 counter masquerade add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/24 counter masquerade
add rule ip nat PREROUTING fib daddr type local counter jump DOCKER add rule ip nat PREROUTING fib daddr type local counter jump DOCKER
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
add rule ip nat POSTROUTING iifname br-* counter masquerade
add rule ip nat POSTROUTING iifname veth-* counter masquerade
add rule ip nat DOCKER iifname "docker0" counter return add rule ip nat DOCKER iifname "docker0" counter return
@ -52,10 +61,8 @@ add rule ip6 filter6 INPUT ip6 saddr {{ value.ip }}/{{ value.mask }} ct state es
{%- for key, value in net.public_ports.items() %} {%- for key, value in net.public_ports.items() %}
add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %} {%- endfor %}
#add rule ip6 filter6 INPUT counter log {%- if nftables.log %}
add rule ip6 filter6 INPUT counter log
#add table ip blparser {%- endif %}
#add chain ip blparser INPUT { type filter hook input priority 0; policy accept; }
## Endline is mandatory ## Endline is mandatory
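Review bot: The two masquerade rules added to `ip nat POSTROUTING` (`iifname br-*` and `iifname veth-*`) match only on the ingress interface, so every forwarded packet that entered on any Docker bridge or veth is source-NATed no matter where it leaves — including traffic between two `br-*` networks or back through `docker0` — which replaces the originating container address with the host's and hides it from downstream access lists, connection logs and forensics. Docker's own rule two lines above scopes by `oifname != "docker0"` plus the network's source prefix; the new rules should be scoped the same way, by the egress uplink or by each bridge's subnet as the `net.nats` loop already does (the actual subnets and uplink are not visible here). The interface names are also left unquoted while `"docker0"` is quoted; `iifname "br-*"` keeps the file consistent and does not rely on nft's unquoted asterisk-string token. Separately, the `counter log` rule now gated by `nftables.log` (both the v4 and v6 hunks) has neither a rate limit nor a prefix, so a port scan can flood the journal; `limit rate 10/second burst 50 packets counter log prefix "nft-input: "` bounds that and makes the entries greppable. The chain definitions and any forward policy that might restrict inter-bridge traffic start outside these hunks.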