Fix some nftables issues

2 years ago · 4d85cd7e4b
parent f4acc8949c
commit 4d85cd7e4b
5 changed files with 54 additions and 45 deletions
--- a/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
@ -59,10 +59,21 @@ define egress_internet_ipv4 = {
 	$bastion_ipv4,
 }

+define aurore_ipv4 = {
+	10.0.0.0/8,
+	45.66.108.0/22,
+}
+
+define need_nat_ipv4 = {
+	10.0.0.0/8,
+}
+
+define nat_public_ipv4 = 45.66.111.10
+
 # FIXME: bad ipv6 address
-define log_ipv6 = 2a09:6840:128::241/128
-define log_ipv4 = 10.128.0.241
+define log_infra_ipv6 = 2a09:6840:128::241/128
+define log_infra_ipv4 = 10.128.0.241

 # FIXME: bad ipv6 address
-define prom_infra_v6 = 2a09:6840:128::67/128
-define prom_infra_v4 = 10.128.0.67
+define prom_infra_ipv6 = 2a09:6840:128::67/128
+define prom_infra_ipv4 = 10.128.0.67
--- a/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
@ -4,17 +4,17 @@ table inet input {

 	chain conntrack {
 		ct state vmap {
-			established: counter accept,
-			related: counter accept,
-			invalid: counter drop,
+			established: accept,
+			related: accept,
+			invalid: drop,
 		}
 	}

 	chain input_from_server {
 		jump conntrack

-		ip6 saddr $prom_infra_ipv6 dport 9100 accept
-		ip saddr $prom_infra_ipv4 dport 9100 accept
+		ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
+		ip saddr $prom_infra_ipv4 tcp dport 9100 accept
 	}

 	chain input_from_backbone {
--- a/roles/nftables_infra/templates/nftables.d/50-output.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/50-output.conf.j2
@ -4,9 +4,9 @@ table inet output {

 	chain conntrack {
 		ct state vmap {
-			established: counter accept,
-			related: counter accept,
-			invalid: counter drop,
+			established: accept,
+			related: accept,
+			invalid: drop,
 		}
 	}

--- a/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
@ -4,9 +4,9 @@ table inet forward {

 	chain conntrack {
 		ct state vmap {
-			established: counter accept,
-			related: counter accept,
-			invalid: counter drop,
+			established: accept,
+			related: accept,
+			invalid: drop,
 		}
 	}

@ -27,11 +27,11 @@ table inet forward {
 			udp dport 514 counter accept
 		}

-		ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
-		ip saddr $prom_infra_v4 udp dport 161 counter accept
+		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
+		ip saddr $prom_infra_ipv4 udp dport 161 counter accept

-		ip6 saddr $bastion_ipv6 dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}

 	chain forward_to_backbone {
@ -40,21 +40,21 @@ table inet forward {
 	chain forward_to_ups {
 		jump conntrack

-		ip6 saddr $prom_infra_v6 udp dport 161 counter accept
-		ip saddr $prom_infra_v4 udp dport 161 counter accept
+		ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
+		ip saddr $prom_infra_ipv4 udp dport 161 counter accept

-		ip6 saddr $bastion_ipv6 dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}

 	chain forward_to_bmc {
 		jump conntrack

-		ip6 saddr $prom_infra_v6 udp dport 161 counter accept
-		ip saddr $prom_infra_v4 udp dport 161 counter accept
+		ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
+		ip saddr $prom_infra_ipv4 udp dport 161 counter accept

-		ip6 saddr $bastion_ipv6 dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}

 	chain forward_to_pve {
@ -63,8 +63,8 @@ table inet forward {
 		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept

-		ip6 saddr $bastion_ipv6 dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}

 	chain forward_to_router {
@ -73,8 +73,8 @@ table inet forward {
 		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept

-		ip6 saddr $bastion_ipv6 dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}

 	chain forward_to_internet {
--- a/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2
@ -2,20 +2,18 @@

 table ip nat {

-	# chain prerouting {
-	# 	type nat hook prerouting dstnat
-	# 	polict accept
-	# }
+	chain postrouting {
+		type nat hook postrouting priority srcnat
+		policy accept

-	# chain postrouting {
-	# 	type nat hook postrouting priority srcnat
-	# 	policy accept
-	# 
-	# 	iif lo return
-	# 
-	# 	meta pkttype unicast \
-	# 		ip saddr $nat_v4 ip daddr != $saclay_v4 \
-	# 		snat $snat_any_v4 persistent
-	# }
+		iif lo return
+
+		# Is there any other way to do that?
+		meta pkttype { multicast, broadcast } return
+		ip daddr 224.0.0.0/24 return
+
+		ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 \
+			snat $nat_public_ipv4 persistent
+	}

 }