root / README.md @ 64134e4e
Historique | Voir | Annoter | Télécharger (2,6 ko)
| 1 | 0ba57c66 | mh | # nftables puppet module |
|---|---|---|---|
| 2 | |||
| 3 | This module manages an opinionated nftables configuration |
||
| 4 | |||
| 5 | By default it sets up a firewall that drops every incoming |
||
| 6 | and outgoing connection. |
||
| 7 | |||
| 8 | It only allows outgoing dns,ntp and web traffic. |
||
| 9 | |||
| 10 | The config file has a inet filter and a ip nat table setup. |
||
| 11 | |||
| 12 | Additionally, the module comes with a basic infrastrcuture |
||
| 13 | to hook into different places. |
||
| 14 | |||
| 15 | ## nftables config |
||
| 16 | |||
| 17 | The main configuration file loaded by the nftables service |
||
| 18 | will be `files/config/puppet.nft`, all other files created |
||
| 19 | by that module go into `files/config/puppet` and will also |
||
| 20 | be purged if not managed anymore. |
||
| 21 | |||
| 22 | The main configuration file includes dedicated files for |
||
| 23 | the filter and nat tables, as well as processes any |
||
| 24 | `custom-*.nft` files before hand. |
||
| 25 | |||
| 26 | The filter and NAT tables both have all the master chains |
||
| 27 | (INPUT,OUTPUT,FORWARD) configured, to which you can hook |
||
| 28 | in your own chains that can contain specific rules. |
||
| 29 | |||
| 30 | All filter masterchains drop by default. |
||
| 31 | By default we have a set of default_MASTERCHAIN chains |
||
| 32 | configured to which you can easily add your custom rules. |
||
| 33 | |||
| 34 | For specific needs you can add your own chain. |
||
| 35 | |||
| 36 | There is a global chain, that defines the default behavior |
||
| 37 | for all masterchains. |
||
| 38 | |||
| 39 | INPUT and OUTPUT to the loopback device is allowed by default, |
||
| 40 | though you could restrict it later. |
||
| 41 | |||
| 42 | ### nftables::config |
||
| 43 | |||
| 44 | Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
||
| 45 | |||
| 46 | Use this for any custom table files. |
||
| 47 | |||
| 48 | ## nftables::chain_file |
||
| 49 | |||
| 50 | Prepares a chain file as a `concat` file to which you will be |
||
| 51 | able to add dedicated rules through `concat::fragments`. |
||
| 52 | |||
| 53 | The name must follow the pattern `TABLE@chain_name`, e.g. |
||
| 54 | `filter@my_chain`. This will a) prepare a snippet defining |
||
| 55 | the chain, that will be included in the filter table. |
||
| 56 | |||
| 57 | This define is more intended as a helper to setup chains |
||
| 58 | that will be used for the different tables, through their |
||
| 59 | own defines. See `nftables::filter::chain` as an example. |
||
| 60 | |||
| 61 | ## nftables::filter::chain |
||
| 62 | |||
| 63 | This setups a chain for the filter table. You will be able |
||
| 64 | to add rules to that chain by using `nftables::filter::chain::rule`. |
||
| 65 | |||
| 66 | The name must follow the pattern: `MASTERCHAIN-new_chain_name`, which |
||
| 67 | defines to which masterchain that custom chain should be hooked into. |
||
| 68 | |||
| 69 | new_chain_name must be unique for all chains. |
||
| 70 | |||
| 71 | There is automatically a `jump` instruction added to the masterchain, |
||
| 72 | with the order preference. |
||
| 73 | |||
| 74 | ## nftables::filter::chain::rule |
||
| 75 | |||
| 76 | A simple way to add rules to your custom chain. The name must be: |
||
| 77 | `CHAIN_NAME-rulename`, where CHAIN_NAME refers to your chain and |
||
| 78 | an arbitrary name for your rule. |
||
| 79 | The rule will be a `concat::fragment` to the chain `concat`. |
||
| 80 | |||
| 81 | You can define the order by using the `order` param. |