root / README.md @ 2fda87af
Historique | Voir | Annoter | Télécharger (3,92 ko)
| 1 | 0ba57c66 | mh | # nftables puppet module |
|---|---|---|---|
| 2 | |||
| 3 | 82b6fd57 | Steve Traylen | [](https://forge.puppetlabs.com/puppet/nftables) |
| 4 | [](https://forge.puppetlabs.com/puppet/nftables) |
||
| 5 | [](http://www.puppetmodule.info/m/puppet-nftables) |
||
| 6 | [](LICENSE) |
||
| 7 | |||
| 8 | 1ffab17b | Nacho Barrientos | This module manages an opinionated nftables configuration. |
| 9 | 0ba57c66 | mh | |
| 10 | By default it sets up a firewall that drops every incoming |
||
| 11 | and outgoing connection. |
||
| 12 | |||
| 13 | 7940fb07 | tr | It only allows outgoing dns, ntp and web and ingoing ssh |
| 14 | 1330c27e | Nacho Barrientos | traffic, although this can be overridden using parameters. |
| 15 | 0ba57c66 | mh | |
| 16 | The config file has a inet filter and a ip nat table setup. |
||
| 17 | |||
| 18 | 0f31ffbe | Nacho Barrientos | Additionally, the module comes with a basic infrastructure |
| 19 | 0ba57c66 | mh | to hook into different places. |
| 20 | |||
| 21 | 2fda87af | Nacho Barrientos | ## Configuration |
| 22 | 0ba57c66 | mh | |
| 23 | The main configuration file loaded by the nftables service |
||
| 24 | will be `files/config/puppet.nft`, all other files created |
||
| 25 | by that module go into `files/config/puppet` and will also |
||
| 26 | be purged if not managed anymore. |
||
| 27 | |||
| 28 | The main configuration file includes dedicated files for |
||
| 29 | the filter and nat tables, as well as processes any |
||
| 30 | `custom-*.nft` files before hand. |
||
| 31 | |||
| 32 | The filter and NAT tables both have all the master chains |
||
| 33 | 7940fb07 | tr | (INPUT, OUTPUT, FORWARD in case of filter and PREROUTING |
| 34 | and POSTROUTING in case of NAT) configured, to which you |
||
| 35 | can hook in your own chains that can contain specific |
||
| 36 | rules. |
||
| 37 | 0ba57c66 | mh | |
| 38 | All filter masterchains drop by default. |
||
| 39 | By default we have a set of default_MASTERCHAIN chains |
||
| 40 | configured to which you can easily add your custom rules. |
||
| 41 | |||
| 42 | For specific needs you can add your own chain. |
||
| 43 | |||
| 44 | There is a global chain, that defines the default behavior |
||
| 45 | 620da9a6 | Nacho Barrientos | for all masterchains. This chain is empty by default. |
| 46 | 0ba57c66 | mh | |
| 47 | 7940fb07 | tr | INPUT and OUTPUT to the loopback device is allowed by |
| 48 | default, though you could restrict it later. |
||
| 49 | 0ba57c66 | mh | |
| 50 | 2fda87af | Nacho Barrientos | ## Rules Validation |
| 51 | 4ed97e58 | Nacho Barrientos | |
| 52 | 30462da1 | Steve Traylen | Initially puppet deploys all configuration to |
| 53 | `/etc/nftables/puppet-preflight/` and |
||
| 54 | `/etc/nftables/puppet-preflight.nft`. This is validated with |
||
| 55 | `nfc -c -L /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft`. |
||
| 56 | If and only if successful the configuration will be copied to |
||
| 57 | the real locations before the service is reloaded. |
||
| 58 | |||
| 59 | 2fda87af | Nacho Barrientos | ## Basic types |
| 60 | |||
| 61 | 0ba57c66 | mh | ### nftables::config |
| 62 | |||
| 63 | Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
||
| 64 | |||
| 65 | Use this for any custom table files. |
||
| 66 | |||
| 67 | 2fda87af | Nacho Barrientos | ### nftables::chain |
| 68 | 0ba57c66 | mh | |
| 69 | 7940fb07 | tr | Prepares a chain file as a `concat` file to which you will |
| 70 | be able to add dedicated rules through `nftables::rule`. |
||
| 71 | 0ba57c66 | mh | |
| 72 | 7940fb07 | tr | The name must be unique for all chains. The inject |
| 73 | parameter can be used to directly add a jump to a |
||
| 74 | masterchain. inject must follow the pattern |
||
| 75 | `ORDER-MASTERCHAIN`, where order references a 2-digit |
||
| 76 | number which defines the rule order (by default use e.g. 20) |
||
| 77 | and masterchain references the chain to hook in the new |
||
| 78 | af544fea | tr | chain. It's possible to specify the in-interface name and |
| 79 | out-interface name for the inject rule. |
||
| 80 | 0ba57c66 | mh | |
| 81 | 2fda87af | Nacho Barrientos | ### nftables::rule |
| 82 | 0ba57c66 | mh | |
| 83 | 7940fb07 | tr | A simple way to add rules to any chain. The name must be: |
| 84 | `CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
||
| 85 | chain and an arbitrary name for your rule. |
||
| 86 | The rule will be a `concat::fragment` to the chain |
||
| 87 | `CHAIN_NAME`. |
||
| 88 | 0ba57c66 | mh | |
| 89 | You can define the order by using the `order` param. |
||
| 90 | 20b96360 | Nacho Barrientos | |
| 91 | 13f26dfc | Nacho Barrientos | Before defining your own rule, take a look to the list of ready-to-use rules |
| 92 | available in the |
||
| 93 | [REFERENCE](https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md), |
||
| 94 | somebody might have encapsulated a rule definition for you already. |
||
| 95 | |||
| 96 | 2fda87af | Nacho Barrientos | ### nftables::set |
| 97 | 20b96360 | Nacho Barrientos | |
| 98 | Adds a named set to a given table. It allows composing the |
||
| 99 | set using individual parameters but also takes raw input |
||
| 100 | via the content and source parameters. |
||
| 101 | abb04c95 | Nacho Barrientos | |
| 102 | 2fda87af | Nacho Barrientos | ### nftables::simplerule |
| 103 | abb04c95 | Nacho Barrientos | |
| 104 | Allows expressing firewall rules without having to use nftables's language by |
||
| 105 | adding an abstraction layer a-la-Firewall. It's rather limited how far you can |
||
| 106 | go so if you need rather complex rules or you can speak nftables it's |
||
| 107 | recommended to use `nftables::rule` directly. |