Paul Lecuq
607895f35e
- disabled iptables handling by docker - updated firewall rules template - added dependency package for ipbl
57 lines
3.0 KiB
Django/Jinja
57 lines
3.0 KiB
Django/Jinja
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
|
|
|
{%- from "nftables/map.jinja" import nftables with context %}
|
|
{%- from "nftables/map.jinja" import net with context %}
|
|
|
|
## IPv4 filtering
|
|
add table ip filter
|
|
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
|
|
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
|
|
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
|
|
add chain ip filter DOCKER
|
|
add rule ip filter INPUT iifname lo counter accept
|
|
add rule ip filter INPUT iifname tun* counter accept
|
|
add rule ip filter INPUT ct state related,established counter accept
|
|
add rule ip filter INPUT ip protocol icmp counter accept
|
|
add rule ip filter INPUT log ip saddr $blacklist drop
|
|
{%- for key, value in net.ipv4_networks.items() %}
|
|
add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
|
|
{%- endfor %}
|
|
{%- for key, value in net.public_ports.items() %}
|
|
add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
|
|
{%- endfor %}
|
|
#add rule ip filter INPUT counter log
|
|
|
|
## IPv4 NAT
|
|
add table ip nat
|
|
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
|
|
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
|
|
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
|
|
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
|
|
add chain ip nat DOCKER
|
|
{%- for key, value in net.nats.items() %}
|
|
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
|
|
{%- endfor %}
|
|
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
|
|
|
|
add rule ip nat DOCKER iifname "docker0" counter return
|
|
|
|
## IPv6 filtering
|
|
add table ip6 filter6
|
|
add chain ip6 filter6 INPUT { type filter hook input priority 0; policy drop; }
|
|
add chain ip6 filter6 FORWARD { type filter hook forward priority 0; policy accept; }
|
|
add chain ip6 filter6 OUTPUT { type filter hook output priority 0; policy accept; }
|
|
add rule ip6 filter6 INPUT iifname lo counter accept
|
|
add rule ip6 filter6 INPUT iifname tun* counter accept
|
|
add rule ip6 filter6 INPUT ct state related,established counter accept
|
|
add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
|
|
{%- for key, value in net.ipv6_networks.items() %}
|
|
add rule ip6 filter6 INPUT ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
|
|
{%- endfor %}
|
|
{%- for key, value in net.public_ports.items() %}
|
|
add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
|
|
{%- endfor %}
|
|
#add rule ip6 filter6 INPUT counter log
|
|
|
|
## Endline is mandatory
|