Commit 085fd60f authored by Wágner Ferenc's avatar Wágner Ferenc

Add crude nftables role

parent 41968e0e
import dns.resolver
class FilterModule(object):
def filters(self):
return { 'dnsLookupA': self.dnsLookupA,
'dnsLookupAAAA': self.dnsLookupAAAA }
def dnsLookup(self, record_type, names):
records = []
for n in names:
for rdata in dns.resolver.query(n, record_type):
records.append(rdata.to_text())
return records
def dnsLookupA(self, names):
return self.dnsLookup('A', names)
def dnsLookupAAAA(self, names):
return self.dnsLookup('AAAA', names)
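Review bot: `dnsLookup` lets every resolver exception escape, so a monitoring host that has no AAAA record makes `dns.resolver.query(n, 'AAAA')` raise `NoAnswer` and aborts template rendering for the whole play; `NoAnswer` is the one case that should be skipped, while NXDOMAIN and timeouts should still fail loudly rather than silently dropping a host from an allowlist. The result order also follows the answer as returned, so round-robin or multi-record names reorder between runs and the generated ruleset churns, triggering spurious reloads; returning a sorted, de-duplicated list keeps the output stable. Separately, `dns.resolver.query` is deprecated in dnspython 2.x in favour of `resolve` — worth checking which version the controller has.
```python
def dnsLookup(self, record_type, names):
    """Resolve each name to its records of record_type, sorted and de-duplicated."""
    records = set()
    for n in names:
        try:
            answer = dns.resolver.query(n, record_type)
        except dns.resolver.NoAnswer:
            # Name exists but has no record of this type (typically no AAAA).
            # NXDOMAIN, timeouts and SERVFAIL still raise and abort the play.
            continue
        records.update(rdata.to_text() for rdata in answer)
    return sorted(records)
# … unchanged: dnsLookupA / dnsLookupAAAA wrappers …
```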
......@@ -21,6 +21,7 @@
template_name: mail
- role: apache
tags: apache
- { role: nftables, tags: nftables }
vars:
- nss_cn: listserv.niif.hu
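Review bot: The new role entry uses the flow-mapping form `- { role: nftables, tags: nftables }` while its neighbours use the block form (`- role: apache` / `tags: apache`); the two styles in one list read as if written by different authors. Suggest `- role: nftables` followed by `tags: nftables` on the next line to match. The surrounding play definition starts before this hunk.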
monitor_hosts:
- noc6.vh.hbone.hu
- noc7.vh.hbone.hu
- gum.vh.hbone.hu
- jujube.noc.einfra.hu
monitor_ports:
- ssh
- munin
- nrpe
- name: Reload nftables ruleset
become: yes
service:
name: nftables
state: reloaded
- name: Install nftables
become: yes
apt:
name: nftables
state: present
- name: Blacklist ip_tables
become: yes
copy:
content: |
# Emphasize that we use nftables exclusively. No networkd or nspawn.
# (https://bugs.freedesktop.org/show_bug.cgi?id=89269)
# https://cgit.freedesktop.org/systemd/systemd/tree/src/core/kmod-setup.c be damned.
blacklist ip_tables
dest: /etc/modprobe.d/no-iptables.conf
owner: root
group: root
mode: 0644
- name: Load candidate ruleset into a temporary network namespace, then dump it
become: yes
command:
cmd: unshare --net sh -c 'nft --file - && nft --stateless -nnn list ruleset'
stdin: "{{ lookup('template', 'firewall.nft') }}"
register: nftables_ruleset_candidate
check_mode: no
changed_when: False
- name: Install new nftables ruleset
become: yes
copy:
content: "{{ nftables_ruleset_candidate.stdout ~ '\n' }}" # counter the automatic stripping
dest: /etc/nftables.conf
owner: root
group: root
mode: 0644
notify: Reload nftables ruleset
- name: Enable nftables service
become: yes
systemd:
name: nftables
enabled: yes
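Review bot: The file installed by "Install new nftables ruleset" is the `nft list ruleset` dump from the namespace test, and that dump never contains a `flush ruleset` line, so if nftables.service's reload is a plain `nft -f /etc/nftables.conf` (as in Debian's unit) every reload re-adds the rules on top of the live ones and an address removed from an allowlist keeps its access until a restart. Prepending the flush is a one-line change: `content: "flush ruleset\n{{ nftables_ruleset_candidate.stdout }}\n"`. In "Blacklist ip_tables", `blacklist` only suppresses alias-based autoload — an explicit `modprobe ip_tables`, a dependency pull or an already-loaded module is unaffected, and ip6_tables/arp_tables/ebtables are not covered; if the intent really is to keep the legacy stack out, `install ip_tables /bin/false` (and siblings) is the stronger form, and that intent deserves a comment in the file.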
......@@ -43,21 +43,21 @@ table inet filter {
chain new-in {
tcp flags & (syn|ack) == syn|ack counter reject with tcp reset
tcp flags & (fin|syn|rst|ack) != syn counter jump bad-new
ip saddr { noc6.vh.hbone.hu, noc7.vh.hbone.hu, gum.vh.hbone.hu, jujube.noc.einfra.hu } tcp dport { ssh, munin, nrpe } accept
ip6 saddr { noc6.vh.hbone.hu, noc7.vh.hbone.hu, gum.vh.hbone.hu, jujube.noc.einfra.hu } tcp dport { ssh, munin, nrpe } accept
ip saddr { {{ monitor_hosts|dnsLookupA|join(',') }} } tcp dport { {{ monitor_ports|join(',') }} } accept
ip6 saddr { {{ monitor_hosts|dnsLookupAAAA|join(',') }} } tcp dport { {{ monitor_ports|join(',') }} } accept
tcp dport { ssh, https, smtp, submission } accept
tcp dport { auth, http } reject
ip saddr baas-dir1.niif.hu tcp dport bacula-fd accept
ip saddr {{ lookup('dig','baas-dir1.niif.hu') }} tcp dport bacula-fd accept
icmp type echo-request accept
}
chain new-out {
tcp dport { telnet, ssh, http, https, smtp, ldaps, whois, mysql, git } accept
udp dport { domain, snmp, 33434-33600 } accept
ip protocol icmp accept
ip daddr rspamd.mail.einfra.hu tcp dport 11333 accept
ip daddr { baas-sd1.niif.hu, baas-sd2.niif.hu } tcp dport bacula-sd accept
ip daddr ingest.logger.niif.hu tcp dport 9200 accept
ip6 daddr ingest.logger.niif.hu tcp dport 9200 accept
ip daddr {{ lookup('dig','rspamd.mail.einfra.hu') }} tcp dport 11333 accept
ip daddr { {{ ['baas-sd1.niif.hu', 'baas-sd2.niif.hu']|dnsLookupA|join(',') }} } tcp dport bacula-sd accept
ip daddr {{ lookup('dig','ingest.logger.niif.hu') }} tcp dport 9200 accept
ip6 daddr {{ lookup('dig','ingest.logger.niif.hu/AAAA') }} tcp dport 9200 accept
}
chain bad-new {
limit rate 3/hour burst 5 packets log prefix "New not syn: "
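Review bot: The `lookup('dig', …)` substitutions on the bacula-fd, rspamd and logger lines splice the raw lookup string into the rule: a name with several A records comes back comma-joined and needs `{ }` to parse, and an unresolvable name yields the literal text `NXDOMAIN`, which only fails later in the namespace load test; the monitor and bacula-sd lines already use the `dnsLookupA` filter with braces, so the same form, e.g. `ip saddr { {{ ['baas-dir1.niif.hu']|dnsLookupA|join(',') }} } tcp dport bacula-fd accept`, keeps the template consistent and handles multiple records. The `ip6 saddr { {{ monitor_hosts|dnsLookupAAAA|join(',') }} }` line renders an empty set when no monitor host has an AAAA record, which nft rejects, so it needs an `{% if %}` guard. Also worth recording in a comment at the top of the template that these accept rules for ssh/munin/nrpe/bacula are fixed at render time from unvalidated DNS answers on the controller (a spoofed answer becomes a permanent allow), and that the rendered file should carry a hostname-to-address comment so the dump can be audited. The table definition starts before this hunk.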