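#!/usr/bin/env ansible-playbook
---
# nftables rulesets for the routers, one play per router class.
# Chains without a hook (conntrack, input_*, forward_clients) are regular
# chains that are only reached via jump/goto from a base chain.
- hosts:
    - isp-1.rtr.infra.auro.re
    - isp-2.rtr.infra.auro.re
  vars:
    nftables__vars:
      # Prefixes referenced as $name inside the rule strings below.
      adm_ipv6: 2a09:6840:128::/56
      adm_ipv4: 10.128.0.0/16
      backbone_ipv6: 2a09:6840:203::/56
      backbone_ipv4: 10.203.0.0/16
      mgmt_ipv6: 2a09:6840:211::/56
      mgmt_ipv4: 10.211.0.0/16
      clients_ipv6: 2a09:6841::/48
      clients_ipv4: 100.64.0.0/10
    nftables__tables:
      # Evaluated first on prerouting (priority "raw - 10"): sources listed
      # in the blacklist_* sets are dropped before any other table sees them.
      # The sets are only declared here; their contents are managed elsewhere.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: "raw - 10"
            policy: accept
            rules:
              - "ip6 saddr @blacklist_ipv6 counter drop"
              - "ip saddr @blacklist_ipv4 counter drop"
      # Reverse-path check: drop unicast packets whose source address is not
      # routable back through the interface they arrived on.
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - "fib saddr . iif oif missing pkttype unicast drop"
      filter:
        type: inet
        sets:
          allowed_clients_ipv6:
            type: ipv6_addr
            flags:
              - interval
          allowed_clients_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          # Jumped to from every base chain: accept replies, drop invalid.
          conntrack:
            rules:
              - "ct state { established, related } accept"
              - "ct state invalid counter drop"
          # Routing protocols (OSPF, VRRP, BGP on 179) from the backbone only.
          input_backbone:
            rules:
              - "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
              - "ip protocol { ospf, vrrp, icmp } accept"
              - "tcp dport 179 accept"
          # SSH is reachable only from the mgmt and adm networks.
          input_mgmt:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
              - "tcp dport 22 accept"
          # Any other source: ICMP only.
          input_other:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "iif lo accept"
              # FIXME: don't use ifaces
              - "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
              # Dispatch on source network. goto does not return: a packet
              # the target chain does not accept hits this chain's drop
              # policy; sources outside the map fall through to input_other.
              - >-
                ip6 saddr vmap {
                $backbone_ipv6: goto input_backbone,
                $mgmt_ipv6: goto input_mgmt,
                $adm_ipv6: goto input_mgmt
                }
              - >-
                ip saddr vmap {
                $backbone_ipv4: goto input_backbone,
                $mgmt_ipv4: goto input_mgmt,
                $adm_ipv4: goto input_mgmt
                }
              - "goto input_other"
          # Reached only for packets sourced from the client prefixes:
          # client-to-client traffic is never forwarded, and only sources in
          # the allowed_clients_* sets may go anywhere else (rest: drop policy).
          forward_clients:
            rules:
              - "ip6 daddr $clients_ipv6 drop"
              - "ip daddr $clients_ipv4 drop"
              - "ip6 saddr @allowed_clients_ipv6 accept"
              - "ip saddr @allowed_clients_ipv4 accept"
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "ip6 saddr $clients_ipv6 goto forward_clients"
              - "ip saddr $clients_ipv4 goto forward_clients"
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - "jump conntrack"
  roles:
    - nftables
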
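# infra routers: same blacklist / reverse-path / input setup as the isp-*
# play (NOTE(review): the shared vars and tables could live in group_vars
# instead of being repeated here), plus forwarding from the int_* prefixes
# and source NAT for traffic leaving the local IPv4 ranges.
- hosts:
    - infra-1.rtr.infra.auro.re
    - infra-2.rtr.infra.auro.re
  vars:
    nftables__vars:
      # Prefixes referenced as $name inside the rule strings below.
      adm_ipv6: 2a09:6840:128::/56
      adm_ipv4: 10.128.0.0/16
      backbone_ipv6: 2a09:6840:203::/56
      backbone_ipv4: 10.203.0.0/16
      mgmt_ipv6: 2a09:6840:211::/56
      mgmt_ipv4: 10.211.0.0/16
      int_ipv6: 2a09:6840:206::/56
      int_ipv4: 10.206.0.0/16
      # Destinations excluded from source NAT. NOTE(review): this is a
      # list, so the nat rule assumes the role renders it as an nft set
      # ({ ... }) — confirm against the role's template.
      local_ipv4:
        - 100.64.0.0/10
        - 10.0.0.0/8
        - 45.66.108.0/22
    nftables__tables:
      # Evaluated first on prerouting (priority "raw - 10"): sources listed
      # in the blacklist_* sets are dropped before any other table sees them.
      # The sets are only declared here; their contents are managed elsewhere.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: "raw - 10"
            policy: accept
            rules:
              - "ip6 saddr @blacklist_ipv6 counter drop"
              - "ip saddr @blacklist_ipv4 counter drop"
      # Reverse-path check: drop unicast packets whose source address is not
      # routable back through the interface they arrived on.
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - "fib saddr . iif oif missing pkttype unicast drop"
      filter:
        type: inet
        chains:
          # Jumped to from every base chain: accept replies, drop invalid.
          conntrack:
            rules:
              - "ct state { established, related } accept"
              - "ct state invalid counter drop"
          # Routing protocols (OSPF, VRRP, BGP on 179) from the backbone only.
          input_backbone:
            rules:
              - "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
              - "ip protocol { ospf, vrrp, icmp } accept"
              - "tcp dport 179 accept"
          # SSH is reachable only from the mgmt and adm networks.
          input_mgmt:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
              - "tcp dport 22 accept"
          # Any other source: ICMP only.
          input_other:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "iif lo accept"
              # FIXME: don't use ifaces
              - "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
              # Dispatch on source network. goto does not return: a packet
              # the target chain does not accept hits this chain's drop
              # policy; sources outside the map fall through to input_other.
              - >-
                ip6 saddr vmap {
                $backbone_ipv6: goto input_backbone,
                $mgmt_ipv6: goto input_mgmt,
                $adm_ipv6: goto input_mgmt
                }
              - >-
                ip saddr vmap {
                $backbone_ipv4: goto input_backbone,
                $mgmt_ipv4: goto input_mgmt,
                $adm_ipv4: goto input_mgmt
                }
              - "goto input_other"
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              # FIXME: forwards anything sourced from the int prefixes with
              # no destination restriction; everything else is dropped.
              - "ip6 saddr $int_ipv6 accept" # FIXME
              - "ip saddr $int_ipv4 accept" # FIXME
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - "jump conntrack"
      nat:
        type: ip
        chains:
          postrouting:
            type: nat
            hook: postrouting
            priority: srcnat
            policy: accept
            rules:
              # Only traffic leaving the local_ipv4 ranges is source-NATed.
              - "ip daddr != $local_ipv4 snat to 10.128.10.4"
  roles:
    - nftables
...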