root / README.md @ 5791cc12
Historique | Voir | Annoter | Télécharger (3,98 ko)
| 1 | 0ba57c66 | mh | # nftables puppet module |
|---|---|---|---|
| 2 | |||
| 3 | 82b6fd57 | Steve Traylen | [](https://forge.puppetlabs.com/puppet/nftables) |
| 4 | [](https://forge.puppetlabs.com/puppet/nftables) |
||
| 5 | [](http://www.puppetmodule.info/m/puppet-nftables) |
||
| 6 | [](LICENSE) |
||
| 7 | |||
| 8 | 1ffab17b | Nacho Barrientos | This module manages an opinionated nftables configuration. |
| 9 | 0ba57c66 | mh | |
| 10 | By default it sets up a firewall that drops every incoming |
||
| 11 | and outgoing connection. |
||
| 12 | |||
| 13 | 7940fb07 | tr | It only allows outgoing dns, ntp and web and ingoing ssh |
| 14 | 1330c27e | Nacho Barrientos | traffic, although this can be overridden using parameters. |
| 15 | 0ba57c66 | mh | |
| 16 | The config file has a inet filter and a ip nat table setup. |
||
| 17 | |||
| 18 | 0f31ffbe | Nacho Barrientos | Additionally, the module comes with a basic infrastructure |
| 19 | 0ba57c66 | mh | to hook into different places. |
| 20 | |||
| 21 | 08f77750 | Kienan Stewart | Note: for Debian Stretch, nftables from stretch-backports |
| 22 | *must* be used. |
||
| 23 | |||
| 24 | 0ba57c66 | mh | ## nftables config |
| 25 | |||
| 26 | The main configuration file loaded by the nftables service |
||
| 27 | will be `files/config/puppet.nft`, all other files created |
||
| 28 | by that module go into `files/config/puppet` and will also |
||
| 29 | be purged if not managed anymore. |
||
| 30 | |||
| 31 | The main configuration file includes dedicated files for |
||
| 32 | the filter and nat tables, as well as processes any |
||
| 33 | `custom-*.nft` files before hand. |
||
| 34 | |||
| 35 | The filter and NAT tables both have all the master chains |
||
| 36 | 7940fb07 | tr | (INPUT, OUTPUT, FORWARD in case of filter and PREROUTING |
| 37 | and POSTROUTING in case of NAT) configured, to which you |
||
| 38 | can hook in your own chains that can contain specific |
||
| 39 | rules. |
||
| 40 | 0ba57c66 | mh | |
| 41 | All filter masterchains drop by default. |
||
| 42 | By default we have a set of default_MASTERCHAIN chains |
||
| 43 | configured to which you can easily add your custom rules. |
||
| 44 | |||
| 45 | For specific needs you can add your own chain. |
||
| 46 | |||
| 47 | There is a global chain, that defines the default behavior |
||
| 48 | 620da9a6 | Nacho Barrientos | for all masterchains. This chain is empty by default. |
| 49 | 0ba57c66 | mh | |
| 50 | 7940fb07 | tr | INPUT and OUTPUT to the loopback device is allowed by |
| 51 | default, though you could restrict it later. |
||
| 52 | 0ba57c66 | mh | |
| 53 | 30462da1 | Steve Traylen | ### Rules Validation |
| 54 | 4ed97e58 | Nacho Barrientos | |
| 55 | 30462da1 | Steve Traylen | Initially puppet deploys all configuration to |
| 56 | `/etc/nftables/puppet-preflight/` and |
||
| 57 | `/etc/nftables/puppet-preflight.nft`. This is validated with |
||
| 58 | `nfc -c -L /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft`. |
||
| 59 | If and only if successful the configuration will be copied to |
||
| 60 | the real locations before the service is reloaded. |
||
| 61 | |||
| 62 | 0ba57c66 | mh | ### nftables::config |
| 63 | |||
| 64 | Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
||
| 65 | |||
| 66 | Use this for any custom table files. |
||
| 67 | |||
| 68 | 7940fb07 | tr | ## nftables::chain |
| 69 | 0ba57c66 | mh | |
| 70 | 7940fb07 | tr | Prepares a chain file as a `concat` file to which you will |
| 71 | be able to add dedicated rules through `nftables::rule`. |
||
| 72 | 0ba57c66 | mh | |
| 73 | 7940fb07 | tr | The name must be unique for all chains. The inject |
| 74 | parameter can be used to directly add a jump to a |
||
| 75 | masterchain. inject must follow the pattern |
||
| 76 | `ORDER-MASTERCHAIN`, where order references a 2-digit |
||
| 77 | number which defines the rule order (by default use e.g. 20) |
||
| 78 | and masterchain references the chain to hook in the new |
||
| 79 | af544fea | tr | chain. It's possible to specify the in-interface name and |
| 80 | out-interface name for the inject rule. |
||
| 81 | 0ba57c66 | mh | |
| 82 | 7940fb07 | tr | ## nftables::rule |
| 83 | 0ba57c66 | mh | |
| 84 | 7940fb07 | tr | A simple way to add rules to any chain. The name must be: |
| 85 | `CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
||
| 86 | chain and an arbitrary name for your rule. |
||
| 87 | The rule will be a `concat::fragment` to the chain |
||
| 88 | `CHAIN_NAME`. |
||
| 89 | 0ba57c66 | mh | |
| 90 | You can define the order by using the `order` param. |
||
| 91 | 20b96360 | Nacho Barrientos | |
| 92 | 13f26dfc | Nacho Barrientos | Before defining your own rule, take a look to the list of ready-to-use rules |
| 93 | available in the |
||
| 94 | [REFERENCE](https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md), |
||
| 95 | somebody might have encapsulated a rule definition for you already. |
||
| 96 | |||
| 97 | 8ded326d | Nacho Barrientos | ## nftables::set |
| 98 | 20b96360 | Nacho Barrientos | |
| 99 | Adds a named set to a given table. It allows composing the |
||
| 100 | set using individual parameters but also takes raw input |
||
| 101 | via the content and source parameters. |
||
| 102 | abb04c95 | Nacho Barrientos | |
| 103 | ## nftables::simplerule |
||
| 104 | |||
| 105 | Allows expressing firewall rules without having to use nftables's language by |
||
| 106 | adding an abstraction layer a-la-Firewall. It's rather limited how far you can |
||
| 107 | go so if you need rather complex rules or you can speak nftables it's |
||
| 108 | recommended to use `nftables::rule` directly. |