root / manifests / init.pp @ f3f2870f
Historique | Voir | Annoter | Télécharger (2,21 ko)
| 1 |
# @summary Configure nftables |
|---|---|
| 2 |
# |
| 3 |
# @example |
| 4 |
# class{'nftables:
|
| 5 |
# out_ntp = false, |
| 6 |
# out_dns = true, |
| 7 |
# } |
| 8 |
# |
| 9 |
# @param out_all |
| 10 |
# Allow all outbound connections. If `true` then all other |
| 11 |
# out parameters `out_ntp`, `out_dns`, ... will be assuemed |
| 12 |
# false. |
| 13 |
# |
| 14 |
# @param out_ntp |
| 15 |
# Allow outbound to ntp servers. |
| 16 |
# |
| 17 |
# @param out_http |
| 18 |
# Allow outbound to http servers. |
| 19 |
# |
| 20 |
# @param out_https |
| 21 |
# Allow outbound to https servers. |
| 22 |
# |
| 23 |
# @param out_https |
| 24 |
# Allow outbound to https servers. |
| 25 |
# |
| 26 |
# @param in_ssh |
| 27 |
# Allow inbound to ssh servers. |
| 28 |
# |
| 29 |
# @param reject_with |
| 30 |
# How to discard packets not matching any rule. If `false`, the |
| 31 |
# fate of the packet will be defined by the chain policy (normally |
| 32 |
# drop), otherwise the packet will be rejected with the REJECT_WITH |
| 33 |
# policy indicated by the value of this parameter. |
| 34 |
# |
| 35 |
class nftables ( |
| 36 |
Boolean $in_ssh = true, |
| 37 |
Boolean $out_ntp = true, |
| 38 |
Boolean $out_dns = true, |
| 39 |
Boolean $out_http = true, |
| 40 |
Boolean $out_https = true, |
| 41 |
Boolean $out_all = false, |
| 42 |
Hash $rules = {},
|
| 43 |
String $log_prefix = '[nftables] %<chain>s Rejected: ', |
| 44 |
Variant[Boolean[false], Pattern[ |
| 45 |
/icmp(v6|x)? type .+|tcp reset/]] |
| 46 |
$reject_with = 'icmpx type port-unreachable', |
| 47 |
) {
|
| 48 |
|
| 49 |
package{'nftables':
|
| 50 |
ensure => installed, |
| 51 |
} -> file_line{
|
| 52 |
'enable_nftables': |
| 53 |
line => 'include "/etc/nftables/puppet.nft"', |
| 54 |
path => '/etc/sysconfig/nftables.conf', |
| 55 |
notify => Service['nftables'], |
| 56 |
} -> file{
|
| 57 |
default: |
| 58 |
owner => 'root', |
| 59 |
group => 'root', |
| 60 |
mode => '0640'; |
| 61 |
'/etc/nftables/puppet.nft': |
| 62 |
ensure => file, |
| 63 |
source => 'puppet:///modules/nftables/config/puppet.nft'; |
| 64 |
'/etc/nftables/puppet': |
| 65 |
ensure => directory, |
| 66 |
mode => '0750', |
| 67 |
purge => true, |
| 68 |
force => true, |
| 69 |
recurse => true; |
| 70 |
} ~> service{'nftables':
|
| 71 |
ensure => running, |
| 72 |
enable => true, |
| 73 |
} |
| 74 |
|
| 75 |
service{'firewalld':
|
| 76 |
ensure => stopped, |
| 77 |
enable => mask, |
| 78 |
} |
| 79 |
|
| 80 |
include nftables::inet_filter |
| 81 |
include nftables::ip_nat |
| 82 |
|
| 83 |
# inject custom rules e.g. from hiera |
| 84 |
$rules.each |$n,$v| {
|
| 85 |
nftables::rule{
|
| 86 |
$n: |
| 87 |
* => $v |
| 88 |
} |
| 89 |
} |
| 90 |
} |