Projet

Général

Profil

Paste
Télécharger au format
Statistiques
| Branche: | Révision:

root / manifests / init.pp @ a534e044

Historique | Voir | Annoter | Télécharger (1,22 ko)

1 0ba57c66 mh 
# manage nftables
2 
class nftables {
3 
  package{'nftables':
4 
    ensure => installed,
5 
  } -> file_line{
6 
    'enable_nftables':
7 
      line   => 'include "/etc/nftables/puppet.nft"',
8 
      path   => '/etc/sysconfig/nftables.conf',
9 
      notify => Service['nftables'],
10 
  } -> file{
11 
    default:
12 
      owner  => 'root',
13 
      group  => 'root',
14 
      mode   => '0640';
15 
    '/etc/nftables/puppet.nft':
16 
      source => 'puppet:///modules/nftables/config/puppet.nft';
17 
    '/etc/nftables/puppet':
18 
      ensure  => directory,
19 
      purge   => true,
20 
      force   => true,
21 
      recurse => true;
22 
  } ~> service{'nftables':
23 
    ensure    => running,
24 
    enable    => true,
25 
  }
26 

      

      

        27
        
        
        
        
        
  nftables::config{


      

      

        28
        
        
        
        
        
    'filter':


      

      

        29
        
        
        
        
        
      source => 'puppet:///modules/nftables/config/puppet-filter.nft';


      

      

        30
        
        
        
        
        
    'nat':


      

      

        31
        
        
        
        
        
      source => 'puppet:///modules/nftables/config/puppet-nat.nft';


      

      

        32
        
        
        
        
        
  }


      

      

        33
        
        
        
        
        

      

      

        34
        
        
        
        
        
  nftables::filter::chain{


      

      

        35
        
        
        
        
        
    [


      

      

        36
        
        
        
        
        
      'forward-default_fwd',


      

      

        37
        
        
        
        
        
      'output-default_out',


      

      

        38
        
        
        
        
        
      'input-default_in',


      

      

        39
        
        
        
        
        
    ]:;


      

      

        40
        
        
        
        
        
  }


      

      

        41
        
        
        
        
        
  # basic outgoing rules


      

      

        42
        
        
        
        
        
  nftables::filter::chain::rule{


      

      

        43
        
        
        
        
        
    'default_out-dnsudp':


      

      

        44
        
        
        
        
        
      content => 'udp dport 53 accept';


      

      

        45
        
        
        
        
        
    'default_out-dnstcp':


      

      

        46
        
        
        
        
        
      content => 'tcp dport 53 accept';


      

      

        47
        
        
        
        
        
    'default_out-web':


      

      

        48
        
        
        
        
        
      content => 'tcp dport {80, 443} accept';


      

      

        49
        
        
        
        
        
  }


      

      

        50
        
        
        
        
        
}