From 607895f35eb0dd0f24804ca0456f6963b385a7dc Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Sat, 12 Mar 2022 00:00:02 +0100
Subject: [PATCH] * Fixes on states - disabled iptables handling by docker - updated firewall rules template - added dependency package for ipbl
---
 states/docker/defaults.yaml | 2 +-
 states/ipbl/install.sls | 4 ++++
 states/nftables/templates/rules.nft.j2 | 12 ++++++++----
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/states/docker/defaults.yaml b/states/docker/defaults.yaml
index da2ff80..71471d3 100644
--- a/states/docker/defaults.yaml
+++ b/states/docker/defaults.yaml
@@ -12,5 +12,5 @@ docker:
 daemon:
 config:
 storage-driver: overlay2
- iptables: true
+ iptables: false
 containers: {}
diff --git a/states/ipbl/install.sls b/states/ipbl/install.sls
index a3c5df2..5906ff9 100644
--- a/states/ipbl/install.sls
+++ b/states/ipbl/install.sls
@@ -1,5 +1,9 @@
 ---
 {%- from "ipbl/map.jinja" import ipbl with context %}
+ipbl-dependencies:
+ pkg.installed:
+ - name: libczmq4
+
 ipbl-archive-extract:
 archive.extracted:
 - name: {{ ipbl.release_dir }}/ipbl-{{ ipbl.version }}
diff --git a/states/nftables/templates/rules.nft.j2 b/states/nftables/templates/rules.nft.j2
index 1a7ec48..71ec913 100644
--- a/states/nftables/templates/rules.nft.j2
+++ b/states/nftables/templates/rules.nft.j2
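Review bot: Flipping `iptables: true` to `iptables: false` in the daemon config means Docker no longer installs any of its own NAT or FORWARD rules, so published container ports and container egress now depend entirely on what the nftables template provides, and nothing on the defaults.yaml side records that contract. The rules.nft.j2 hunk in this same commit only adds a DOCKER chain with a single `return` rule and no `dnat` rules, so `docker run -p` port publishing will presumably stop working unless it is handled in a part of the template outside this diff. A one-line comment above the key would keep the next maintainer from re-enabling it by accident, e.g. `# firewall rules for containers are owned by the nftables state; docker must not touch the ruleset`.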
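Review bot: The new `ipbl-dependencies` state in install.sls is not referenced by any `require`, so its ordering relative to the states that actually need libczmq4 rests on Salt's default definition-order behaviour rather than an explicit dependency. The runtime consumer is presumably a service state further down the file (outside this hunk); that state should carry `- require:` / `- pkg: ipbl-dependencies`, or the package state could declare `- require_in:` pointing at it, so a future reordering cannot start the binary before its library is present. The package name `libczmq4` is also hard-coded here while everything else in the state is read from `ipbl/map.jinja`; moving it into the map under a key of your choosing would keep distro-specific package names in one place.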
@@ -24,13 +24,17 @@ add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state estab
 ## IPv4 NAT
 add table ip nat
-add chain ip nat PREROUTING { type nat hook prerouting priority 0; policy accept; }
-add chain ip nat INPUT { type nat hook input priority 0; policy accept; }
-add chain ip nat OUTPUT { type nat hook output priority 0; policy accept; }
-add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
+add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
+add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
+add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
+add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
+add chain ip nat DOCKER
 {%- for key, value in net.nats.items() %}
 add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
 {%- endfor %}
+add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
+
+add rule ip nat DOCKER iifname "docker0" counter return
 ## IPv6 filtering
 add table ip6 filter6
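Review bot: The new DOCKER chain is effectively a no-op: it holds only `iifname "docker0" counter return`, and the only jump into it is the new OUTPUT rule, so with the daemon no longer managing iptables there is neither a PREROUTING path into the chain for connections arriving from outside nor any `dnat` rule for published container ports (Docker's own setup jumps to DOCKER from both PREROUTING and OUTPUT and fills the chain with per-port DNAT rules). If port publishing is expected to keep working, the template needs a line such as `add rule ip nat PREROUTING fib daddr type local counter jump DOCKER` plus per-port dnat rules sourced from pillar; if that is deliberately handled elsewhere in the template, a short comment above `add chain ip nat DOCKER` saying where would save the next reader the search. The priority changes to -100/100 match the conventional nftables dstnat/srcnat values and look right. The masquerade rule inside the loop is unchanged by this commit, but it lacks an `oifname != "docker0"` exclusion like Docker's equivalent rule has, so bridge-local container traffic may be masqueraded to the bridge address once br_netfilter is loaded — worth confirming now that this template is the only source of those rules.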