root / README.md @ 44ac0a4e
Historique | Voir | Annoter | Télécharger (2,29 ko)
| 1 | 0ba57c66 | mh | # nftables puppet module |
|---|---|---|---|
| 2 | |||
| 3 | This module manages an opinionated nftables configuration |
||
| 4 | |||
| 5 | By default it sets up a firewall that drops every incoming |
||
| 6 | and outgoing connection. |
||
| 7 | |||
| 8 | 7940fb07 | tr | It only allows outgoing dns, ntp and web and ingoing ssh |
| 9 | traffic. |
||
| 10 | 0ba57c66 | mh | |
| 11 | The config file has a inet filter and a ip nat table setup. |
||
| 12 | |||
| 13 | Additionally, the module comes with a basic infrastrcuture |
||
| 14 | to hook into different places. |
||
| 15 | |||
| 16 | ## nftables config |
||
| 17 | |||
| 18 | The main configuration file loaded by the nftables service |
||
| 19 | will be `files/config/puppet.nft`, all other files created |
||
| 20 | by that module go into `files/config/puppet` and will also |
||
| 21 | be purged if not managed anymore. |
||
| 22 | |||
| 23 | The main configuration file includes dedicated files for |
||
| 24 | the filter and nat tables, as well as processes any |
||
| 25 | `custom-*.nft` files before hand. |
||
| 26 | |||
| 27 | The filter and NAT tables both have all the master chains |
||
| 28 | 7940fb07 | tr | (INPUT, OUTPUT, FORWARD in case of filter and PREROUTING |
| 29 | and POSTROUTING in case of NAT) configured, to which you |
||
| 30 | can hook in your own chains that can contain specific |
||
| 31 | rules. |
||
| 32 | 0ba57c66 | mh | |
| 33 | All filter masterchains drop by default. |
||
| 34 | By default we have a set of default_MASTERCHAIN chains |
||
| 35 | configured to which you can easily add your custom rules. |
||
| 36 | |||
| 37 | For specific needs you can add your own chain. |
||
| 38 | |||
| 39 | There is a global chain, that defines the default behavior |
||
| 40 | for all masterchains. |
||
| 41 | |||
| 42 | 7940fb07 | tr | INPUT and OUTPUT to the loopback device is allowed by |
| 43 | default, though you could restrict it later. |
||
| 44 | 0ba57c66 | mh | |
| 45 | ### nftables::config |
||
| 46 | |||
| 47 | Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
||
| 48 | |||
| 49 | Use this for any custom table files. |
||
| 50 | |||
| 51 | 7940fb07 | tr | ## nftables::chain |
| 52 | 0ba57c66 | mh | |
| 53 | 7940fb07 | tr | Prepares a chain file as a `concat` file to which you will |
| 54 | be able to add dedicated rules through `nftables::rule`. |
||
| 55 | 0ba57c66 | mh | |
| 56 | 7940fb07 | tr | The name must be unique for all chains. The inject |
| 57 | parameter can be used to directly add a jump to a |
||
| 58 | masterchain. inject must follow the pattern |
||
| 59 | `ORDER-MASTERCHAIN`, where order references a 2-digit |
||
| 60 | number which defines the rule order (by default use e.g. 20) |
||
| 61 | and masterchain references the chain to hook in the new |
||
| 62 | af544fea | tr | chain. It's possible to specify the in-interface name and |
| 63 | out-interface name for the inject rule. |
||
| 64 | 0ba57c66 | mh | |
| 65 | 7940fb07 | tr | ## nftables::rule |
| 66 | 0ba57c66 | mh | |
| 67 | 7940fb07 | tr | A simple way to add rules to any chain. The name must be: |
| 68 | `CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
||
| 69 | chain and an arbitrary name for your rule. |
||
| 70 | The rule will be a `concat::fragment` to the chain |
||
| 71 | `CHAIN_NAME`. |
||
| 72 | 0ba57c66 | mh | |
| 73 | You can define the order by using the `order` param. |