root / README.md @ 9ef3491b
Historique | Voir | Annoter | Télécharger (3,98 ko)
| 1 |
# nftables puppet module |
|---|---|
| 2 |
|
| 3 |
[](https://forge.puppetlabs.com/puppet/nftables) |
| 4 |
[](https://forge.puppetlabs.com/puppet/nftables) |
| 5 |
[](http://www.puppetmodule.info/m/puppet-nftables) |
| 6 |
[](LICENSE) |
| 7 |
|
| 8 |
This module manages an opinionated nftables configuration. |
| 9 |
|
| 10 |
By default it sets up a firewall that drops every incoming |
| 11 |
and outgoing connection. |
| 12 |
|
| 13 |
It only allows outgoing dns, ntp and web and ingoing ssh |
| 14 |
traffic, although this can be overridden using parameters. |
| 15 |
|
| 16 |
The config file has a inet filter and a ip nat table setup. |
| 17 |
|
| 18 |
Additionally, the module comes with a basic infrastructure |
| 19 |
to hook into different places. |
| 20 |
|
| 21 |
Note: for Debian Stretch, nftables from stretch-backports |
| 22 |
*must* be used. |
| 23 |
|
| 24 |
## nftables config |
| 25 |
|
| 26 |
The main configuration file loaded by the nftables service |
| 27 |
will be `files/config/puppet.nft`, all other files created |
| 28 |
by that module go into `files/config/puppet` and will also |
| 29 |
be purged if not managed anymore. |
| 30 |
|
| 31 |
The main configuration file includes dedicated files for |
| 32 |
the filter and nat tables, as well as processes any |
| 33 |
`custom-*.nft` files before hand. |
| 34 |
|
| 35 |
The filter and NAT tables both have all the master chains |
| 36 |
(INPUT, OUTPUT, FORWARD in case of filter and PREROUTING |
| 37 |
and POSTROUTING in case of NAT) configured, to which you |
| 38 |
can hook in your own chains that can contain specific |
| 39 |
rules. |
| 40 |
|
| 41 |
All filter masterchains drop by default. |
| 42 |
By default we have a set of default_MASTERCHAIN chains |
| 43 |
configured to which you can easily add your custom rules. |
| 44 |
|
| 45 |
For specific needs you can add your own chain. |
| 46 |
|
| 47 |
There is a global chain, that defines the default behavior |
| 48 |
for all masterchains. This chain is empty by default. |
| 49 |
|
| 50 |
INPUT and OUTPUT to the loopback device is allowed by |
| 51 |
default, though you could restrict it later. |
| 52 |
|
| 53 |
### Rules Validation |
| 54 |
|
| 55 |
Initially puppet deploys all configuration to |
| 56 |
`/etc/nftables/puppet-preflight/` and |
| 57 |
`/etc/nftables/puppet-preflight.nft`. This is validated with |
| 58 |
`nfc -c -L /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft`. |
| 59 |
If and only if successful the configuration will be copied to |
| 60 |
the real locations before the service is reloaded. |
| 61 |
|
| 62 |
### nftables::config |
| 63 |
|
| 64 |
Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
| 65 |
|
| 66 |
Use this for any custom table files. |
| 67 |
|
| 68 |
## nftables::chain |
| 69 |
|
| 70 |
Prepares a chain file as a `concat` file to which you will |
| 71 |
be able to add dedicated rules through `nftables::rule`. |
| 72 |
|
| 73 |
The name must be unique for all chains. The inject |
| 74 |
parameter can be used to directly add a jump to a |
| 75 |
masterchain. inject must follow the pattern |
| 76 |
`ORDER-MASTERCHAIN`, where order references a 2-digit |
| 77 |
number which defines the rule order (by default use e.g. 20) |
| 78 |
and masterchain references the chain to hook in the new |
| 79 |
chain. It's possible to specify the in-interface name and |
| 80 |
out-interface name for the inject rule. |
| 81 |
|
| 82 |
## nftables::rule |
| 83 |
|
| 84 |
A simple way to add rules to any chain. The name must be: |
| 85 |
`CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
| 86 |
chain and an arbitrary name for your rule. |
| 87 |
The rule will be a `concat::fragment` to the chain |
| 88 |
`CHAIN_NAME`. |
| 89 |
|
| 90 |
You can define the order by using the `order` param. |
| 91 |
|
| 92 |
Before defining your own rule, take a look to the list of ready-to-use rules |
| 93 |
available in the |
| 94 |
[REFERENCE](https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md), |
| 95 |
somebody might have encapsulated a rule definition for you already. |
| 96 |
|
| 97 |
## nftables::set |
| 98 |
|
| 99 |
Adds a named set to a given table. It allows composing the |
| 100 |
set using individual parameters but also takes raw input |
| 101 |
via the content and source parameters. |
| 102 |
|
| 103 |
## nftables::simplerule |
| 104 |
|
| 105 |
Allows expressing firewall rules without having to use nftables's language by |
| 106 |
adding an abstraction layer a-la-Firewall. It's rather limited how far you can |
| 107 |
go so if you need rather complex rules or you can speak nftables it's |
| 108 |
recommended to use `nftables::rule` directly. |