Fix some nftables issues

2022-01-13 13:59:49 +01:00 · 2022-01-13 13:59:49 +01:00 · 4d85cd7e4b
commit 4d85cd7e4b
parent f4acc8949c
5 changed files with 55 additions and 46 deletions
--- a/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
@ -59,10 +59,21 @@ define egress_internet_ipv4 = {
 	$bastion_ipv4,
 }
-# FIXME: bad ipv6 address
+define aurore_ipv4 = {
-define log_ipv6 = 2a09:6840:128::241/128
+	10.0.0.0/8,
-define log_ipv4 = 10.128.0.241
+	45.66.108.0/22,
 }
 define need_nat_ipv4 = {
 	10.0.0.0/8,
 }
 define nat_public_ipv4 = 45.66.111.10
 # FIXME: bad ipv6 address
-define prom_infra_v6 = 2a09:6840:128::67/128
+define log_infra_ipv6 = 2a09:6840:128::241/128
-define prom_infra_v4 = 10.128.0.67
+define log_infra_ipv4 = 10.128.0.241
 # FIXME: bad ipv6 address
 define prom_infra_ipv6 = 2a09:6840:128::67/128
 define prom_infra_ipv4 = 10.128.0.67
--- a/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
@ -4,17 +4,17 @@ table inet input {
 	chain conntrack {
 		ct state vmap {
-			established: counter accept,
+			established: accept,
-			related: counter accept,
+			related: accept,
-			invalid: counter drop,
+			invalid: drop,
 		}
 	}
 	chain input_from_server {
 		jump conntrack
-		ip6 saddr $prom_infra_ipv6 dport 9100 accept
+		ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
-		ip saddr $prom_infra_ipv4 dport 9100 accept
+		ip saddr $prom_infra_ipv4 tcp dport 9100 accept
 	}
 	chain input_from_backbone {
--- a/roles/nftables_infra/templates/nftables.d/50-output.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/50-output.conf.j2
@ -4,9 +4,9 @@ table inet output {
 	chain conntrack {
 		ct state vmap {
-			established: counter accept,
+			established: accept,
-			related: counter accept,
+			related: accept,
-			invalid: counter drop,
+			invalid: drop,
 		}
 	}
--- a/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
@ -4,9 +4,9 @@ table inet forward {
 	chain conntrack {
 		ct state vmap {
-			established: counter accept,
+			established: accept,
-			related: counter accept,
+			related: accept,
-			invalid: counter drop,
+			invalid: drop,
 		}
 	}
@ -27,11 +27,11 @@ table inet forward {
 			udp dport 514 counter accept
 		}
-		ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
+		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
-		ip saddr $prom_infra_v4 udp dport 161 counter accept
+		ip saddr $prom_infra_ipv4 udp dport 161 counter accept
-		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}
 	chain forward_to_backbone {
@ -40,21 +40,21 @@ table inet forward {
 	chain forward_to_ups {
 		jump conntrack
-		ip6 saddr $prom_infra_v6 udp dport 161 counter accept
+		ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
-		ip saddr $prom_infra_v4 udp dport 161 counter accept
+		ip saddr $prom_infra_ipv4 udp dport 161 counter accept
-		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}
 	chain forward_to_bmc {
 		jump conntrack
-		ip6 saddr $prom_infra_v6 udp dport 161 counter accept
+		ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
-		ip saddr $prom_infra_v4 udp dport 161 counter accept
+		ip saddr $prom_infra_ipv4 udp dport 161 counter accept
-		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}
 	chain forward_to_pve {
@ -63,8 +63,8 @@ table inet forward {
 		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
-		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}
 	chain forward_to_router {
@ -73,8 +73,8 @@ table inet forward {
 		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
-		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip6 saddr $bastion_ipv6 tcp dport ssh accept
-		ip saddr $bastion_ipv4 dport ssh accept
+		ip saddr $bastion_ipv4 tcp dport ssh accept
 	}
 	chain forward_to_internet {
--- a/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2
@ -2,20 +2,18 @@
 table ip nat {
-	# chain prerouting {
+	chain postrouting {
-	# 	type nat hook prerouting dstnat
+		type nat hook postrouting priority srcnat
-	# 	polict accept
+		policy accept
 	# }
-	# chain postrouting {
+		iif lo return
-	# 	type nat hook postrouting priority srcnat
+
-	# 	policy accept
+		# Is there any other way to do that?
-	# 
+		meta pkttype { multicast, broadcast } return
-	# 	iif lo return
+		ip daddr 224.0.0.0/24 return
-	# 
+
-	# 	meta pkttype unicast \
+		ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 \
-	# 		ip saddr $nat_v4 ip daddr != $saclay_v4 \
+			snat $nat_public_ipv4 persistent
-	# 		snat $snat_any_v4 persistent
+	}
 	# }
 }