root / README.md @ 1ffab17b
Historique | Voir | Annoter | Télécharger (2,82 ko)
| 1 |
# nftables puppet module |
|---|---|
| 2 |
|
| 3 |
This module manages an opinionated nftables configuration. |
| 4 |
|
| 5 |
By default it sets up a firewall that drops every incoming |
| 6 |
and outgoing connection. |
| 7 |
|
| 8 |
It only allows outgoing dns, ntp and web and ingoing ssh |
| 9 |
traffic. |
| 10 |
|
| 11 |
The config file has a inet filter and a ip nat table setup. |
| 12 |
|
| 13 |
Additionally, the module comes with a basic infrastrcuture |
| 14 |
to hook into different places. |
| 15 |
|
| 16 |
## nftables config |
| 17 |
|
| 18 |
The main configuration file loaded by the nftables service |
| 19 |
will be `files/config/puppet.nft`, all other files created |
| 20 |
by that module go into `files/config/puppet` and will also |
| 21 |
be purged if not managed anymore. |
| 22 |
|
| 23 |
The main configuration file includes dedicated files for |
| 24 |
the filter and nat tables, as well as processes any |
| 25 |
`custom-*.nft` files before hand. |
| 26 |
|
| 27 |
The filter and NAT tables both have all the master chains |
| 28 |
(INPUT, OUTPUT, FORWARD in case of filter and PREROUTING |
| 29 |
and POSTROUTING in case of NAT) configured, to which you |
| 30 |
can hook in your own chains that can contain specific |
| 31 |
rules. |
| 32 |
|
| 33 |
All filter masterchains drop by default. |
| 34 |
By default we have a set of default_MASTERCHAIN chains |
| 35 |
configured to which you can easily add your custom rules. |
| 36 |
|
| 37 |
For specific needs you can add your own chain. |
| 38 |
|
| 39 |
There is a global chain, that defines the default behavior |
| 40 |
for all masterchains. |
| 41 |
|
| 42 |
INPUT and OUTPUT to the loopback device is allowed by |
| 43 |
default, though you could restrict it later. |
| 44 |
|
| 45 |
### Rules Validation |
| 46 |
Initially puppet deploys all configuration to |
| 47 |
`/etc/nftables/puppet-preflight/` and |
| 48 |
`/etc/nftables/puppet-preflight.nft`. This is validated with |
| 49 |
`nfc -c -L /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft`. |
| 50 |
If and only if successful the configuration will be copied to |
| 51 |
the real locations before the service is reloaded. |
| 52 |
|
| 53 |
### nftables::config |
| 54 |
|
| 55 |
Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
| 56 |
|
| 57 |
Use this for any custom table files. |
| 58 |
|
| 59 |
## nftables::chain |
| 60 |
|
| 61 |
Prepares a chain file as a `concat` file to which you will |
| 62 |
be able to add dedicated rules through `nftables::rule`. |
| 63 |
|
| 64 |
The name must be unique for all chains. The inject |
| 65 |
parameter can be used to directly add a jump to a |
| 66 |
masterchain. inject must follow the pattern |
| 67 |
`ORDER-MASTERCHAIN`, where order references a 2-digit |
| 68 |
number which defines the rule order (by default use e.g. 20) |
| 69 |
and masterchain references the chain to hook in the new |
| 70 |
chain. It's possible to specify the in-interface name and |
| 71 |
out-interface name for the inject rule. |
| 72 |
|
| 73 |
## nftables::rule |
| 74 |
|
| 75 |
A simple way to add rules to any chain. The name must be: |
| 76 |
`CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
| 77 |
chain and an arbitrary name for your rule. |
| 78 |
The rule will be a `concat::fragment` to the chain |
| 79 |
`CHAIN_NAME`. |
| 80 |
|
| 81 |
You can define the order by using the `order` param. |
| 82 |
|
| 83 |
## nftsables::set |
| 84 |
|
| 85 |
Adds a named set to a given table. It allows composing the |
| 86 |
set using individual parameters but also takes raw input |
| 87 |
via the content and source parameters. |