* Fixes on states

- disabled iptables handling by docker - updated firewall rules template - added dependency package for ipbl
2022-03-12 00:00:02 +01:00 · 2022-03-12 00:00:02 +01:00 · 607895f35e
commit 607895f35e
parent 1b59cdacdd
3 changed files with 13 additions and 5 deletions
--- a/states/docker/defaults.yaml
+++ b/states/docker/defaults.yaml
@ -12,5 +12,5 @@ docker:
  daemon:
    config:
      storage-driver: overlay2
-      iptables: true
+      iptables: false
  containers: {}
--- a/states/ipbl/install.sls
+++ b/states/ipbl/install.sls
@ -1,5 +1,9 @@
 ---
 {%- from "ipbl/map.jinja" import ipbl with context %}
+ipbl-dependencies:
+  pkg.installed:
+    - name: libczmq4
+
 ipbl-archive-extract:
  archive.extracted:
    - name: {{ ipbl.release_dir }}/ipbl-{{ ipbl.version }}
--- a/states/nftables/templates/rules.nft.j2
+++ b/states/nftables/templates/rules.nft.j2
@ -24,13 +24,17 @@ add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state estab

 ## IPv4 NAT
 add table ip nat
-add chain ip nat PREROUTING { type nat hook prerouting priority 0; policy accept; }
-add chain ip nat INPUT { type nat hook input priority 0; policy accept; }
-add chain ip nat OUTPUT { type nat hook output priority 0; policy accept; }
-add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
+add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
+add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
+add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
+add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
+add chain ip nat DOCKER
 {%- for key, value in net.nats.items() %}
 add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
 {%- endfor %}
+add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
+
+add rule ip nat DOCKER iifname "docker0" counter return

 ## IPv6 filtering
 add table ip6 filter6