root / README.md @ 38a67c59
Historique | Voir | Annoter | Télécharger (2,6 ko)
| 1 |
# nftables puppet module |
|---|---|
| 2 |
|
| 3 |
This module manages an opinionated nftables configuration |
| 4 |
|
| 5 |
By default it sets up a firewall that drops every incoming |
| 6 |
and outgoing connection. |
| 7 |
|
| 8 |
It only allows outgoing dns,ntp and web traffic. |
| 9 |
|
| 10 |
The config file has a inet filter and a ip nat table setup. |
| 11 |
|
| 12 |
Additionally, the module comes with a basic infrastrcuture |
| 13 |
to hook into different places. |
| 14 |
|
| 15 |
## nftables config |
| 16 |
|
| 17 |
The main configuration file loaded by the nftables service |
| 18 |
will be `files/config/puppet.nft`, all other files created |
| 19 |
by that module go into `files/config/puppet` and will also |
| 20 |
be purged if not managed anymore. |
| 21 |
|
| 22 |
The main configuration file includes dedicated files for |
| 23 |
the filter and nat tables, as well as processes any |
| 24 |
`custom-*.nft` files before hand. |
| 25 |
|
| 26 |
The filter and NAT tables both have all the master chains |
| 27 |
(INPUT,OUTPUT,FORWARD) configured, to which you can hook |
| 28 |
in your own chains that can contain specific rules. |
| 29 |
|
| 30 |
All filter masterchains drop by default. |
| 31 |
By default we have a set of default_MASTERCHAIN chains |
| 32 |
configured to which you can easily add your custom rules. |
| 33 |
|
| 34 |
For specific needs you can add your own chain. |
| 35 |
|
| 36 |
There is a global chain, that defines the default behavior |
| 37 |
for all masterchains. |
| 38 |
|
| 39 |
INPUT and OUTPUT to the loopback device is allowed by default, |
| 40 |
though you could restrict it later. |
| 41 |
|
| 42 |
### nftables::config |
| 43 |
|
| 44 |
Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
| 45 |
|
| 46 |
Use this for any custom table files. |
| 47 |
|
| 48 |
## nftables::chain_file |
| 49 |
|
| 50 |
Prepares a chain file as a `concat` file to which you will be |
| 51 |
able to add dedicated rules through `concat::fragments`. |
| 52 |
|
| 53 |
The name must follow the pattern `TABLE@chain_name`, e.g. |
| 54 |
`filter@my_chain`. This will a) prepare a snippet defining |
| 55 |
the chain, that will be included in the filter table. |
| 56 |
|
| 57 |
This define is more intended as a helper to setup chains |
| 58 |
that will be used for the different tables, through their |
| 59 |
own defines. See `nftables::filter::chain` as an example. |
| 60 |
|
| 61 |
## nftables::filter::chain |
| 62 |
|
| 63 |
This setups a chain for the filter table. You will be able |
| 64 |
to add rules to that chain by using `nftables::filter::chain::rule`. |
| 65 |
|
| 66 |
The name must follow the pattern: `MASTERCHAIN-new_chain_name`, which |
| 67 |
defines to which masterchain that custom chain should be hooked into. |
| 68 |
|
| 69 |
new_chain_name must be unique for all chains. |
| 70 |
|
| 71 |
There is automatically a `jump` instruction added to the masterchain, |
| 72 |
with the order preference. |
| 73 |
|
| 74 |
## nftables::filter::chain::rule |
| 75 |
|
| 76 |
A simple way to add rules to your custom chain. The name must be: |
| 77 |
`CHAIN_NAME-rulename`, where CHAIN_NAME refers to your chain and |
| 78 |
an arbitrary name for your rule. |
| 79 |
The rule will be a `concat::fragment` to the chain `concat`. |
| 80 |
|
| 81 |
You can define the order by using the `order` param. |