Fix some nftables issues

This commit is contained in:
jeltz 2022-01-13 13:59:49 +01:00
parent f4acc8949c
commit 4d85cd7e4b
Signed by: jeltz
GPG key ID: 800882B66C0C3326
5 changed files with 55 additions and 46 deletions


@ -59,10 +59,21 @@ define egress_internet_ipv4 = {
$bastion_ipv4,
}
# FIXME: bad ipv6 address
define log_ipv6 = 2a09:6840:128::241/128
define log_ipv4 = 10.128.0.241
define aurore_ipv4 = {
10.0.0.0/8,
45.66.108.0/22,
}
define need_nat_ipv4 = {
10.0.0.0/8,
}
define nat_public_ipv4 = 45.66.111.10
# FIXME: bad ipv6 address
define prom_infra_v6 = 2a09:6840:128::67/128
define prom_infra_v4 = 10.128.0.67
define log_infra_ipv6 = 2a09:6840:128::241/128
define log_infra_ipv4 = 10.128.0.241
# FIXME: bad ipv6 address
define prom_infra_ipv6 = 2a09:6840:128::67/128
define prom_infra_ipv4 = 10.128.0.67
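Review bot: The three `# FIXME: bad ipv6 address` markers sit on definitions (`log_ipv6`, `prom_infra_v6`, `prom_infra_ipv6`) that the input and forward tables use as `saddr` allow-list entries for tcp/9100 and udp/161, so the IPv6 scrape rules are admitting traffic from an address the author already knows is wrong. Until it is corrected those rules are either dead or open to whichever host actually holds that address; the comment should say which is expected, e.g. `# FIXME: bad ipv6 address - the ip6 prom/log accept rules are not trustworthy until this is fixed`. If the `_v6`/`_v4` names survive on the new side alongside the `_ipv6`/`_ipv4` ones (and `log_ipv6` next to `log_infra_ipv6`) with identical values, drop the old names once the forward-table renames below are the only references, so each host has a single definition.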


@ -4,17 +4,17 @@ table inet input {
chain conntrack {
ct state vmap {
established: counter accept,
related: counter accept,
invalid: counter drop,
established: accept,
related: accept,
invalid: drop,
}
}
chain input_from_server {
jump conntrack
ip6 saddr $prom_infra_ipv6 dport 9100 accept
ip saddr $prom_infra_ipv4 dport 9100 accept
ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
ip saddr $prom_infra_ipv4 tcp dport 9100 accept
}
chain input_from_backbone {
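Review bot: Removing `counter` from `invalid: drop` in the conntrack vmap takes away the only cheap indicator of how often invalid-state packets are discarded on this host, and the same edit is repeated in the output and forward tables below. If the counters on `established`/`related` were dropped for cost, the drop verdict is the one worth keeping instrumented: `invalid: counter drop,`. The `tcp` qualifier added to the two 9100 rules is the right fix; `input_from_backbone` opens at the end of this hunk and its body is outside the view.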


@ -4,9 +4,9 @@ table inet output {
chain conntrack {
ct state vmap {
established: counter accept,
related: counter accept,
invalid: counter drop,
established: accept,
related: accept,
invalid: drop,
}
}


@ -4,9 +4,9 @@ table inet forward {
chain conntrack {
ct state vmap {
established: counter accept,
related: counter accept,
invalid: counter drop,
established: accept,
related: accept,
invalid: drop,
}
}
@ -27,11 +27,11 @@ table inet forward {
udp dport 514 counter accept
}
ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
ip saddr $prom_infra_v4 udp dport 161 counter accept
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
ip saddr $prom_infra_ipv4 udp dport 161 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept
ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 tcp dport ssh accept
}
chain forward_to_backbone {
@ -40,21 +40,21 @@ table inet forward {
chain forward_to_ups {
jump conntrack
ip6 saddr $prom_infra_v6 udp dport 161 counter accept
ip saddr $prom_infra_v4 udp dport 161 counter accept
ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
ip saddr $prom_infra_ipv4 udp dport 161 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept
ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 tcp dport ssh accept
}
chain forward_to_bmc {
jump conntrack
ip6 saddr $prom_infra_v6 udp dport 161 counter accept
ip saddr $prom_infra_v4 udp dport 161 counter accept
ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
ip saddr $prom_infra_ipv4 udp dport 161 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept
ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 tcp dport ssh accept
}
chain forward_to_pve {
@ -63,8 +63,8 @@ table inet forward {
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept
ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 tcp dport ssh accept
}
chain forward_to_router {
@ -73,8 +73,8 @@ table inet forward {
ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
ip6 saddr $bastion_ipv6 dport ssh accept
ip saddr $bastion_ipv4 dport ssh accept
ip6 saddr $bastion_ipv6 tcp dport ssh accept
ip saddr $bastion_ipv4 tcp dport ssh accept
}
chain forward_to_internet {
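Review bot: In the hunk at `-27,11` the renamed pair is asymmetric: `ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept` admits node_exporter scrapes while `ip saddr $prom_infra_ipv4 udp dport 161 counter accept` admits SNMP, whereas every other chain in this table pairs the two families on the same port. If that chain's target runs node_exporter the v4 line should probably read `ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept` — confirm against the target; the enclosing chain's header is above the hunk. Separately, the new `tcp dport ssh accept` rules from the bastion carry no `counter` while the adjacent Prometheus rules in the same chains do; for an administrative path into the UPS, BMC, PVE and router chains the counter is cheap and gives a usable audit signal, e.g. `ip6 saddr $bastion_ipv6 tcp dport ssh counter accept`.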


@ -2,20 +2,18 @@
table ip nat {
# chain prerouting {
# type nat hook prerouting dstnat
# polict accept
# }
chain postrouting {
type nat hook postrouting priority srcnat
policy accept
# chain postrouting {
# type nat hook postrouting priority srcnat
# policy accept
#
# iif lo return
#
# meta pkttype unicast \
# ip saddr $nat_v4 ip daddr != $saclay_v4 \
# snat $snat_any_v4 persistent
# }
iif lo return
# Is there any other way to do that?
meta pkttype { multicast, broadcast } return
ip daddr 224.0.0.0/24 return
ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 \
snat $nat_public_ipv4 persistent
}
}
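Review bot: The new SNAT rule `ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 snat $nat_public_ipv4 persistent` is keyed only on addresses, so any 10.0.0.0/8 source leaving through any interface toward any destination outside `$aurore_ipv4` is rewritten to the public address, including destinations on neighbouring or internal networks that are not in that set. Pinning the rule to the uplink, `oif "<UPLINK_IFACE>" ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 snat $nat_public_ipv4 persistent` (interface name is a placeholder), keeps the NAT from touching flows that never leave the site. The `ip daddr 224.0.0.0/24 return` line next to `meta pkttype { multicast, broadcast } return` appears redundant in the common case, since multicast destinations are normally already skipped by the pkttype match, and `224.0.0.0/4` would be the form to use if the intent is all multicast; the inline question suggests this is unsettled, so a comment recording which traffic the extra rule is meant to catch would help the next reader.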