ansible/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2


{{ ansible_managed | comment }}
# Forward-path filter for this host.  Every forwarded packet enters the
# `forward` base chain at the bottom (policy drop) and is dispatched by
# destination address to one per-destination-class chain.  Those chains are
# entered with `goto`, not `jump`, so a packet that matches none of their
# rules ends in the base chain's drop policy instead of returning here.
# NOTE(review): the $... addresses used below are defined elsewhere
# (presumably another nftables.d fragment) — every name must exist there or
# `nft -f` rejects the whole ruleset.
table inet forward {
    # Shared conntrack shortcut.  Only established/related/invalid have vmap
    # entries, so a `new` flow falls through the vmap and returns to the
    # calling chain, which then decides on its own rules.
    chain conntrack {
        ct state vmap {
            established: counter accept,
            related: counter accept,
            invalid: counter drop,
        }
    }
    # Public servers: reply traffic only.  No rule here accepts new flows, so
    # a new connection returns to `forward` (reached via goto) and is dropped.
    # NOTE(review): confirm nothing inbound is expected to reach
    # $public_server_* through this box — as written no new flow is forwarded.
    chain forward_to_public_server {
        jump conntrack
    }
    # Internal servers: log shipping to the log host, monitoring, and ssh.
    chain forward_to_server {
        jump conntrack
        # infra -> log host only, 2514/tcp and 514/udp (presumably syslog
        # transports — confirm against the log host's listeners).
        ip6 saddr $infra_ipv6 ip6 daddr $log_infra_ipv6 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }
        ip saddr $infra_ipv4 ip daddr $log_infra_ipv4 jump {
            tcp dport 2514 counter accept
            udp dport 514 counter accept
        }
        # NOTE(review): the two address families disagree — IPv6 admits
        # 9100/tcp while IPv4 admits 161/udp.  This looks like a partial copy
        # from the ups/bmc chains (161/udp) or the pve/router chains
        # (9100/tcp); confirm which port set servers should expose and make
        # both families match.
        # NOTE(review): $prom_infra_v6/$prom_infra_v4 here (and in the ups and
        # bmc chains) versus $prom_infra_ipv6/$prom_infra_ipv4 in the pve and
        # router chains — both spellings must be defined, or one of them is a
        # typo that will fail to load.
        ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
        ip saddr $prom_infra_v4 udp dport 161 counter accept
        # NOTE(review): `dport` is written without a transport protocol and
        # without `counter`, unlike every other rule in this file (`tcp dport`
        # / `udp dport`).  Confirm this parses on the target nft version and
        # whether the omitted counter is intentional; the same pattern repeats
        # in the ups, bmc, pve and router chains.
        ip6 saddr $bastion_ipv6 dport ssh accept
        ip saddr $bastion_ipv4 dport ssh accept
    }
    # Backbone: empty chain, no conntrack shortcut.  Reached via goto, so
    # everything to $backbone_* — replies included — hits the base chain's
    # drop policy.
    # TODO(review): confirm this is intended isolation and not a stub.
    chain forward_to_backbone {
    }
    # UPS hosts: 161/udp from the monitoring hosts, ssh from the bastion.
    chain forward_to_ups {
        jump conntrack
        ip6 saddr $prom_infra_v6 udp dport 161 counter accept
        ip saddr $prom_infra_v4 udp dport 161 counter accept
        ip6 saddr $bastion_ipv6 dport ssh accept
        ip saddr $bastion_ipv4 dport ssh accept
    }
    # BMCs: same policy as UPS hosts (161/udp from monitoring, ssh from
    # bastion).
    chain forward_to_bmc {
        jump conntrack
        ip6 saddr $prom_infra_v6 udp dport 161 counter accept
        ip saddr $prom_infra_v4 udp dport 161 counter accept
        ip6 saddr $bastion_ipv6 dport ssh accept
        ip saddr $bastion_ipv4 dport ssh accept
    }
    # PVE hosts: 9100/tcp from the monitoring hosts, ssh from the bastion.
    # Note the variable spelling ($prom_infra_ipv6/_ipv4) differs from the
    # server/ups/bmc chains above.
    chain forward_to_pve {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
        ip6 saddr $bastion_ipv6 dport ssh accept
        ip saddr $bastion_ipv4 dport ssh accept
    }
    # Routers: same policy as PVE hosts.
    chain forward_to_router {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
        ip6 saddr $bastion_ipv6 dport ssh accept
        ip saddr $bastion_ipv4 dport ssh accept
    }
    # Egress: anything from the egress source addresses is accepted, with no
    # destination or port restriction.
    # NOTE(review): this is the fallthrough for every destination that is not
    # in either vmap below (see the unconditional `goto` in `forward`), so an
    # internal address missing from the maps also lands here — confirm the
    # maps are complete.
    chain forward_to_internet {
        jump conntrack
        ip6 saddr $egress_internet_ipv6 counter accept
        ip saddr $egress_internet_ipv4 counter accept
    }
    # Base chain on the forward hook; default drop.  Dispatch is by
    # destination address only, per family; the per-class chain then applies
    # source/port rules.  Because the targets are `goto`s, a non-match in the
    # target chain terminates in this chain's policy.
    chain forward {
        type filter hook forward priority filter
        policy drop
        # loopback is accepted unconditionally
        iif lo accept
        ip6 daddr vmap {
            $public_server_ipv6: goto forward_to_public_server,
            $server_ipv6: goto forward_to_server,
            $backbone_ipv6: goto forward_to_backbone,
            $ups_ipv6: goto forward_to_ups,
            $bmc_ipv6: goto forward_to_bmc,
            $pve_ipv6: goto forward_to_pve,
            $router_ipv6: goto forward_to_router,
        }
        ip daddr vmap {
            $public_server_ipv4: goto forward_to_public_server,
            $server_ipv4: goto forward_to_server,
            $backbone_ipv4: goto forward_to_backbone,
            $ups_ipv4: goto forward_to_ups,
            $bmc_ipv4: goto forward_to_bmc,
            $pve_ipv4: goto forward_to_pve,
            $router_ipv4: goto forward_to_router,
        }
        # every destination not matched above is treated as internet-bound
        goto forward_to_internet
    }
}