paulbsd/paulbsd-salt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated nftables state

Browse Source
This commit is contained in:
Paul 2022-04-03 23:02:32 +02:00
parent 59faf0aea9
commit a96333a4d1
2 changed files with 8 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
states/nftables/config.sls
View File

@ -4,17 +4,6 @@ nftables-config-dir:
file.directory: file.directory:
- name: {{ nftables.config_dir }} - name: {{ nftables.config_dir }}
nftables-blacklist-config:
file.managed:
- name: {{ nftables.config_dir }}/blacklist.nft
- source: salt://nftables/templates/blacklist.nft.j2
- template: jinja
- watch_in:
- service: nftables-service
- require:
- pkg: nftables-pkg
- file: nftables-config-dir
nftables-rules-config: nftables-rules-config:
file.managed: file.managed:
- name: {{ nftables.config_dir }}/rules.nft - name: {{ nftables.config_dir }}/rules.nft

13
states/nftables/templates/rules.nft.j2
View File

@ -13,7 +13,6 @@ add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT ct state related,established counter accept add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT ip protocol icmp counter accept add rule ip filter INPUT ip protocol icmp counter accept
add rule ip filter INPUT log ip saddr $blacklist drop
{%- for key, value in net.ipv4_networks.items() %} {%- for key, value in net.ipv4_networks.items() %}
add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %} {%- endfor %}
@ -24,10 +23,10 @@ add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state estab
## IPv4 NAT ## IPv4 NAT
add table ip nat add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; } add chain ip nat PREROUTING { type nat hook prerouting priority -1; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; } add chain ip nat INPUT { type nat hook input priority 1; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; } add chain ip nat OUTPUT { type nat hook output priority -1; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; } add chain ip nat POSTROUTING { type nat hook postrouting priority 1; policy accept; }
add chain ip nat DOCKER add chain ip nat DOCKER
{%- for key, value in net.nats.items() %} {%- for key, value in net.nats.items() %}
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
@ -53,4 +52,8 @@ add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state est
{%- endfor %} {%- endfor %}
#add rule ip6 filter6 INPUT counter log #add rule ip6 filter6 INPUT counter log
#add table ip blparser
#add chain ip blparser INPUT { type filter hook input priority 0; policy accept; }
## Endline is mandatory ## Endline is mandatory