ansible/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2

{{ ansible_managed | comment }}

table inet forward {

	chain conntrack {
		ct state vmap {
			established: accept,
			related: accept,
			invalid: drop,
		}
	}

	chain forward_to_public_server {
		jump conntrack
	}

	chain forward_to_server {
		jump conntrack

		ip6 saddr $infra_ipv6 ip6 daddr $log_infra_ipv6 jump {
			tcp dport 2514 counter accept
			udp dport 514 counter accept
		}

		ip saddr $infra_ipv4 ip daddr $log_infra_ipv4 jump {
			tcp dport 2514 counter accept
			udp dport 514 counter accept
		}

		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
		ip saddr $prom_infra_ipv4 udp dport 161 counter accept

		ip6 saddr $bastion_ipv6 tcp dport ssh accept
		ip saddr $bastion_ipv4 tcp dport ssh accept
	}

	chain forward_to_backbone {
	}

	chain forward_to_ups {
		jump conntrack

		ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
		ip saddr $prom_infra_ipv4 udp dport 161 counter accept

		ip6 saddr $bastion_ipv6 tcp dport ssh accept
		ip saddr $bastion_ipv4 tcp dport ssh accept
	}

	chain forward_to_bmc {
		jump conntrack

		ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
		ip saddr $prom_infra_ipv4 udp dport 161 counter accept

		ip6 saddr $bastion_ipv6 tcp dport ssh accept
		ip saddr $bastion_ipv4 tcp dport ssh accept
	}

	chain forward_to_pve {
		jump conntrack

		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept

		ip6 saddr $bastion_ipv6 tcp dport ssh accept
		ip saddr $bastion_ipv4 tcp dport ssh accept
	}

	chain forward_to_router {
		jump conntrack

		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept

		ip6 saddr $bastion_ipv6 tcp dport ssh accept
		ip saddr $bastion_ipv4 tcp dport ssh accept
	}

	chain forward_to_internet {
		jump conntrack

		ip6 saddr $egress_internet_ipv6 counter accept
		ip saddr $egress_internet_ipv4 counter accept
	}

	chain forward {
		type filter hook forward priority filter
		policy drop

		iif lo accept

		ip6 daddr vmap {
			$public_server_ipv6: goto forward_to_public_server,
			$server_ipv6: goto forward_to_server,
			$backbone_ipv6: goto forward_to_backbone,
			$ups_ipv6: goto forward_to_ups,
			$bmc_ipv6: goto forward_to_bmc,
			$pve_ipv6: goto forward_to_pve,
			$router_ipv6: goto forward_to_router,
		}

		ip daddr vmap {
			$public_server_ipv4: goto forward_to_public_server,
			$server_ipv4: goto forward_to_server,
			$backbone_ipv4: goto forward_to_backbone,
			$ups_ipv4: goto forward_to_ups,
			$bmc_ipv4: goto forward_to_bmc,
			$pve_ipv4: goto forward_to_pve,
			$router_ipv4: goto forward_to_router,
		}

		goto forward_to_internet
	}

}
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`{{ ansible_managed \| comment }}`

			`table inet forward {`

			`chain conntrack {`
			`ct state vmap {`
Fix some nftables issues 2022-01-13 13:59:49 +01:00			`established: accept,`
			`related: accept,`
			`invalid: drop,`
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`}`
			`}`

			`chain forward_to_public_server {`
			`jump conntrack`
			`}`

			`chain forward_to_server {`
			`jump conntrack`

			`ip6 saddr $infra_ipv6 ip6 daddr $log_infra_ipv6 jump {`
			`tcp dport 2514 counter accept`
			`udp dport 514 counter accept`
			`}`

			`ip saddr $infra_ipv4 ip daddr $log_infra_ipv4 jump {`
			`tcp dport 2514 counter accept`
			`udp dport 514 counter accept`
			`}`

Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept`
			`ip saddr $prom_infra_ipv4 udp dport 161 counter accept`
Add bastion network 2022-01-10 22:08:54 +01:00
Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $bastion_ipv6 tcp dport ssh accept`
			`ip saddr $bastion_ipv4 tcp dport ssh accept`
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`}`

			`chain forward_to_backbone {`
			`}`

			`chain forward_to_ups {`
			`jump conntrack`

Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept`
			`ip saddr $prom_infra_ipv4 udp dport 161 counter accept`
Add bastion network 2022-01-10 22:08:54 +01:00
Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $bastion_ipv6 tcp dport ssh accept`
			`ip saddr $bastion_ipv4 tcp dport ssh accept`
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`}`

			`chain forward_to_bmc {`
			`jump conntrack`

Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept`
			`ip saddr $prom_infra_ipv4 udp dport 161 counter accept`
Add bastion network 2022-01-10 22:08:54 +01:00
Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $bastion_ipv6 tcp dport ssh accept`
			`ip saddr $bastion_ipv4 tcp dport ssh accept`
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`}`

			`chain forward_to_pve {`
			`jump conntrack`

			`ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept`
			`ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept`
Add bastion network 2022-01-10 22:08:54 +01:00
Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $bastion_ipv6 tcp dport ssh accept`
			`ip saddr $bastion_ipv4 tcp dport ssh accept`
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`}`

			`chain forward_to_router {`
			`jump conntrack`

			`ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept`
			`ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept`
Add bastion network 2022-01-10 22:08:54 +01:00
Fix some nftables issues 2022-01-13 13:59:49 +01:00			`ip6 saddr $bastion_ipv6 tcp dport ssh accept`
			`ip saddr $bastion_ipv4 tcp dport ssh accept`
Add nftables role This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…). 2022-01-08 23:41:51 +01:00			`}`

			`chain forward_to_internet {`
			`jump conntrack`

			`ip6 saddr $egress_internet_ipv6 counter accept`
			`ip saddr $egress_internet_ipv4 counter accept`
			`}`

			`chain forward {`
			`type filter hook forward priority filter`
			`policy drop`

			`iif lo accept`

			`ip6 daddr vmap {`
			`$public_server_ipv6: goto forward_to_public_server,`
			`$server_ipv6: goto forward_to_server,`
			`$backbone_ipv6: goto forward_to_backbone,`
			`$ups_ipv6: goto forward_to_ups,`
			`$bmc_ipv6: goto forward_to_bmc,`
			`$pve_ipv6: goto forward_to_pve,`
			`$router_ipv6: goto forward_to_router,`
			`}`

			`ip daddr vmap {`
			`$public_server_ipv4: goto forward_to_public_server,`
			`$server_ipv4: goto forward_to_server,`
			`$backbone_ipv4: goto forward_to_backbone,`
			`$ups_ipv4: goto forward_to_ups,`
			`$bmc_ipv4: goto forward_to_bmc,`
			`$pve_ipv4: goto forward_to_pve,`
			`$router_ipv4: goto forward_to_router,`
			`}`

			`goto forward_to_internet`
			`}`

			`}`