root / README.md @ 8ded326d
Historique | Voir | Annoter | Télécharger (2,85 ko)
| 1 | 0ba57c66 | mh | # nftables puppet module |
|---|---|---|---|
| 2 | |||
| 3 | 1ffab17b | Nacho Barrientos | This module manages an opinionated nftables configuration. |
| 4 | 0ba57c66 | mh | |
| 5 | By default it sets up a firewall that drops every incoming |
||
| 6 | and outgoing connection. |
||
| 7 | |||
| 8 | 7940fb07 | tr | It only allows outgoing dns, ntp and web and ingoing ssh |
| 9 | traffic. |
||
| 10 | 0ba57c66 | mh | |
| 11 | The config file has a inet filter and a ip nat table setup. |
||
| 12 | |||
| 13 | 0f31ffbe | Nacho Barrientos | Additionally, the module comes with a basic infrastructure |
| 14 | 0ba57c66 | mh | to hook into different places. |
| 15 | |||
| 16 | ## nftables config |
||
| 17 | |||
| 18 | The main configuration file loaded by the nftables service |
||
| 19 | will be `files/config/puppet.nft`, all other files created |
||
| 20 | by that module go into `files/config/puppet` and will also |
||
| 21 | be purged if not managed anymore. |
||
| 22 | |||
| 23 | The main configuration file includes dedicated files for |
||
| 24 | the filter and nat tables, as well as processes any |
||
| 25 | `custom-*.nft` files before hand. |
||
| 26 | |||
| 27 | The filter and NAT tables both have all the master chains |
||
| 28 | 7940fb07 | tr | (INPUT, OUTPUT, FORWARD in case of filter and PREROUTING |
| 29 | and POSTROUTING in case of NAT) configured, to which you |
||
| 30 | can hook in your own chains that can contain specific |
||
| 31 | rules. |
||
| 32 | 0ba57c66 | mh | |
| 33 | All filter masterchains drop by default. |
||
| 34 | By default we have a set of default_MASTERCHAIN chains |
||
| 35 | configured to which you can easily add your custom rules. |
||
| 36 | |||
| 37 | For specific needs you can add your own chain. |
||
| 38 | |||
| 39 | There is a global chain, that defines the default behavior |
||
| 40 | 620da9a6 | Nacho Barrientos | for all masterchains. This chain is empty by default. |
| 41 | 0ba57c66 | mh | |
| 42 | 7940fb07 | tr | INPUT and OUTPUT to the loopback device is allowed by |
| 43 | default, though you could restrict it later. |
||
| 44 | 0ba57c66 | mh | |
| 45 | 30462da1 | Steve Traylen | ### Rules Validation |
| 46 | 4ed97e58 | Nacho Barrientos | |
| 47 | 30462da1 | Steve Traylen | Initially puppet deploys all configuration to |
| 48 | `/etc/nftables/puppet-preflight/` and |
||
| 49 | `/etc/nftables/puppet-preflight.nft`. This is validated with |
||
| 50 | `nfc -c -L /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft`. |
||
| 51 | If and only if successful the configuration will be copied to |
||
| 52 | the real locations before the service is reloaded. |
||
| 53 | |||
| 54 | 0ba57c66 | mh | ### nftables::config |
| 55 | |||
| 56 | Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
||
| 57 | |||
| 58 | Use this for any custom table files. |
||
| 59 | |||
| 60 | 7940fb07 | tr | ## nftables::chain |
| 61 | 0ba57c66 | mh | |
| 62 | 7940fb07 | tr | Prepares a chain file as a `concat` file to which you will |
| 63 | be able to add dedicated rules through `nftables::rule`. |
||
| 64 | 0ba57c66 | mh | |
| 65 | 7940fb07 | tr | The name must be unique for all chains. The inject |
| 66 | parameter can be used to directly add a jump to a |
||
| 67 | masterchain. inject must follow the pattern |
||
| 68 | `ORDER-MASTERCHAIN`, where order references a 2-digit |
||
| 69 | number which defines the rule order (by default use e.g. 20) |
||
| 70 | and masterchain references the chain to hook in the new |
||
| 71 | af544fea | tr | chain. It's possible to specify the in-interface name and |
| 72 | out-interface name for the inject rule. |
||
| 73 | 0ba57c66 | mh | |
| 74 | 7940fb07 | tr | ## nftables::rule |
| 75 | 0ba57c66 | mh | |
| 76 | 7940fb07 | tr | A simple way to add rules to any chain. The name must be: |
| 77 | `CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
||
| 78 | chain and an arbitrary name for your rule. |
||
| 79 | The rule will be a `concat::fragment` to the chain |
||
| 80 | `CHAIN_NAME`. |
||
| 81 | 0ba57c66 | mh | |
| 82 | You can define the order by using the `order` param. |
||
| 83 | 20b96360 | Nacho Barrientos | |
| 84 | 8ded326d | Nacho Barrientos | ## nftables::set |
| 85 | 20b96360 | Nacho Barrientos | |
| 86 | Adds a named set to a given table. It allows composing the |
||
| 87 | set using individual parameters but also takes raw input |
||
| 88 | via the content and source parameters. |