root / manifests / init.pp @ 5acb554a
Historique | Voir | Annoter | Télécharger (1,48 ko)
| 1 |
# manage nftables |
|---|---|
| 2 |
class nftables ( |
| 3 |
Boolean $in_ssh = true, |
| 4 |
Boolean $out_ntp = true, |
| 5 |
Boolean $out_dns = true, |
| 6 |
Boolean $out_http = true, |
| 7 |
Boolean $out_https = true, |
| 8 |
) {
|
| 9 |
|
| 10 |
package{'nftables':
|
| 11 |
ensure => installed, |
| 12 |
} -> file_line{
|
| 13 |
'enable_nftables': |
| 14 |
line => 'include "/etc/nftables/puppet.nft"', |
| 15 |
path => '/etc/sysconfig/nftables.conf', |
| 16 |
notify => Service['nftables'], |
| 17 |
} -> file{
|
| 18 |
default: |
| 19 |
owner => 'root', |
| 20 |
group => 'root', |
| 21 |
mode => '0640'; |
| 22 |
'/etc/nftables/puppet.nft': |
| 23 |
ensure => file, |
| 24 |
source => 'puppet:///modules/nftables/config/puppet.nft'; |
| 25 |
'/etc/nftables/puppet': |
| 26 |
ensure => directory, |
| 27 |
mode => '0750', |
| 28 |
purge => true, |
| 29 |
force => true, |
| 30 |
recurse => true; |
| 31 |
} ~> service{'nftables':
|
| 32 |
ensure => running, |
| 33 |
enable => true, |
| 34 |
} |
| 35 |
|
| 36 |
nftables::config{
|
| 37 |
'filter': |
| 38 |
source => 'puppet:///modules/nftables/config/puppet-filter.nft'; |
| 39 |
'ip-nat': |
| 40 |
source => 'puppet:///modules/nftables/config/puppet-ip-nat.nft'; |
| 41 |
} |
| 42 |
|
| 43 |
nftables::filter::chain{
|
| 44 |
[ |
| 45 |
'forward-default_fwd', |
| 46 |
'output-default_out', |
| 47 |
'input-default_in', |
| 48 |
]:; |
| 49 |
} |
| 50 |
|
| 51 |
# basic ingoing rules |
| 52 |
if $in_ssh {
|
| 53 |
include nftables::rules::ssh |
| 54 |
} |
| 55 |
|
| 56 |
# basic outgoing rules |
| 57 |
if $out_ntp {
|
| 58 |
include nftables::rules::out::chrony |
| 59 |
} |
| 60 |
if $out_dns {
|
| 61 |
include nftables::rules::out::dns |
| 62 |
} |
| 63 |
if $out_http {
|
| 64 |
include nftables::rules::out::http |
| 65 |
} |
| 66 |
if $out_https {
|
| 67 |
include nftables::rules::out::https |
| 68 |
} |
| 69 |
} |