Révision 8efbdf9a
Refactoring
| manifests/init.pp | ||
|---|---|---|
| 40 | 40 |
source => 'puppet:///modules/nftables/config/puppet-ip-nat.nft'; |
| 41 | 41 |
} |
| 42 | 42 |
|
| 43 |
nftables::filter::chain{
|
|
| 43 |
nftables::chain{
|
|
| 44 | 44 |
[ |
| 45 |
'forward-default_fwd',
|
|
| 46 |
'output-default_out',
|
|
| 47 |
'input-default_in',
|
|
| 45 |
'INPUT',
|
|
| 46 |
'OUTPUT',
|
|
| 47 |
'FORWARD',
|
|
| 48 | 48 |
]:; |
| 49 | 49 |
} |
| 50 | 50 |
|
| 51 |
nftables::chain{
|
|
| 52 |
'default_in': |
|
| 53 |
inject => '10-INPUT'; |
|
| 54 |
'default_out': |
|
| 55 |
inject => '10-OUTPUT'; |
|
| 56 |
'default_fwd': |
|
| 57 |
inject => '10-FORWARD'; |
|
| 58 |
} |
|
| 59 |
|
|
| 60 |
# filter-chain-INPUT |
|
| 61 |
nftables::rule{
|
|
| 62 |
'INPUT-type': |
|
| 63 |
order => '01', |
|
| 64 |
content => 'type filter hook input priority 0'; |
|
| 65 |
'INPUT-policy': |
|
| 66 |
order => '02', |
|
| 67 |
content => 'policy drop'; |
|
| 68 |
'INPUT-lo': |
|
| 69 |
order => '03', |
|
| 70 |
content => 'iifname lo accept'; |
|
| 71 |
'INPUT-jump_global': |
|
| 72 |
order => '04', |
|
| 73 |
content => 'jump global'; |
|
| 74 |
'INPUT-log_rejected': |
|
| 75 |
order => '98', |
|
| 76 |
content => 'log prefix "[nftables] INPUT Rejected: " flags all counter reject with icmpx type port-unreachable'; |
|
| 77 |
} |
|
| 78 |
|
|
| 79 |
# filter-chain-OUTPUT |
|
| 80 |
nftables::rule{
|
|
| 81 |
'OUTPUT-type': |
|
| 82 |
order => '01', |
|
| 83 |
content => 'type filter hook output priority 0'; |
|
| 84 |
'OUTPUT-policy': |
|
| 85 |
order => '02', |
|
| 86 |
content => 'policy drop'; |
|
| 87 |
'OUTPUT-lo': |
|
| 88 |
order => '03', |
|
| 89 |
content => 'oifname lo accept'; |
|
| 90 |
'OUTPUT-jump_global': |
|
| 91 |
order => '04', |
|
| 92 |
content => 'jump global'; |
|
| 93 |
'OUTPUT-log_rejected': |
|
| 94 |
order => '98', |
|
| 95 |
content => 'log prefix "[nftables] OUTPUT Rejected: " flags all counter reject with icmpx type port-unreachable'; |
|
| 96 |
} |
|
| 97 |
|
|
| 98 |
# filter-chain-FORWARD |
|
| 99 |
nftables::rule{
|
|
| 100 |
'FORWARD-type': |
|
| 101 |
order => '01', |
|
| 102 |
content => 'type filter hook forward priority 0'; |
|
| 103 |
'FORWARD-policy': |
|
| 104 |
order => '02', |
|
| 105 |
content => 'policy drop'; |
|
| 106 |
'FORWARD-jump_global': |
|
| 107 |
order => '03', |
|
| 108 |
content => 'jump global'; |
|
| 109 |
'FORWARD-log_rejected': |
|
| 110 |
order => '98', |
|
| 111 |
content => 'log prefix "[nftables] FORWARD Rejected: " flags all counter reject with icmpx type port-unreachable'; |
|
| 112 |
} |
|
| 113 |
|
|
| 51 | 114 |
# basic ingoing rules |
| 52 | 115 |
if $in_ssh {
|
| 53 | 116 |
include nftables::rules::ssh |
Formats disponibles : Unified diff