ansible/roles/nftables_infra/templates/nftables.d/40-input.conf.j2

{{ ansible_managed | comment }}

table inet input {

	chain conntrack {
		ct state vmap {
			established: accept,
			related: accept,
			invalid: drop,
		}
	}

	chain input_from_server {
		jump conntrack

		ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
		ip saddr $prom_infra_ipv4 tcp dport 9100 accept
	}

	chain input_from_backbone {
		ip6 nexthdr { ospf, vrrp } accept
		ip protocol { ospf, vrrp } accept
		counter accept  # FIXME: temporary
	}

	chain input_from_router {
		jump conntrack

		tcp dport ssh counter accept
	}

	chain input_from_bastion {
		jump conntrack

		tcp dport ssh counter accept
	}

	chain input_from_anywhere {
		jump conntrack

		# FIXME: limit
		ip6 nexthdr icmpv6 counter accept
		ip protocol icmp counter accept
	}

	chain input {
		type filter hook input priority filter
		policy drop

		iif lo accept

		jump input_from_anywhere

		# FIXME: temporary
		tcp dport ssh accept

		ip6 saddr vmap {
			$backbone_ipv6: jump input_from_backbone,
			$router_ipv6: jump input_from_router,
		}

		ip saddr vmap {
			$backbone_ipv4: jump input_from_backbone,
			$router_ipv4: jump input_from_router,
		}

		reject with icmpx type admin-prohibited
	}

}
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`{{ ansible_managed \| comment }}`

			`table inet input {`

			`chain conntrack {`
			`ct state vmap {`
Fix some nftables issues 2022-01-13 13:59:49 +01:00			`established: accept,`
			`related: accept,`
			`invalid: drop,`
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`}`
			`}`

Add bastion network 2022-01-10 22:08:54 +01:00			`chain input_from_server {`
			`jump conntrack`

Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept`
			`ip saddr $prom_infra_ipv4 tcp dport 9100 accept`
Add bastion network 2022-01-10 22:08:54 +01:00			`}`

Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`chain input_from_backbone {`
			`ip6 nexthdr { ospf, vrrp } accept`
			`ip protocol { ospf, vrrp } accept`
			`counter accept # FIXME: temporary`
			`}`

			`chain input_from_router {`
			`jump conntrack`

			`tcp dport ssh counter accept`
			`}`

Add bastion network 2022-01-10 22:08:54 +01:00			`chain input_from_bastion {`
			`jump conntrack`

			`tcp dport ssh counter accept`
			`}`

Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`chain input_from_anywhere {`
			`jump conntrack`

			`# FIXME: limit`
			`ip6 nexthdr icmpv6 counter accept`
			`ip protocol icmp counter accept`
			`}`

			`chain input {`
			`type filter hook input priority filter`
			`policy drop`

			`iif lo accept`

			`jump input_from_anywhere`

			`# FIXME: temporary`
			`tcp dport ssh accept`

			`ip6 saddr vmap {`
			`$backbone_ipv6: jump input_from_backbone,`
			`$router_ipv6: jump input_from_router,`
			`}`

			`ip saddr vmap {`
			`$backbone_ipv4: jump input_from_backbone,`
			`$router_ipv4: jump input_from_router,`
			`}`

			`reject with icmpx type admin-prohibited`
			`}`

			`}`