nftables + bird: add role + fix IP addresses

This commit is contained in:
jeltz 2023-01-13 08:56:16 +01:00
parent 0a621b53b4
commit dcc038bd7c
Signed by: jeltz
GPG key ID: 800882B66C0C3326
7 changed files with 352 additions and 4 deletions

View file

@ -43,8 +43,8 @@
- 2a09:6840:203:1:5::1
- 10.203.1.5
isp-2.rtr.infra.auro.re:
- 2a09:6840:203:1:5::1
- 10.203.1.5
- 2a09:6840:203:1:6::1
- 10.203.1.6
bird__bgp_sessions:
- name: edge1
local:

View file

@ -7,6 +7,9 @@
adm:
- 2a09:6840:128::254
- 10.128.0.254
int:
- 2a09:6840:206::1
- 10.206.0.1
# TODO: netbox
ifupdown2__hosts:
edge-1.rtr.infra.auro.re:
@ -32,7 +35,7 @@
edge-2.rtr.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128:10:102/56
- 2a09:6840:128::10:102/56
- 10.128.10.102/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
@ -54,11 +57,12 @@
addresses:
- 2a09:6840:128::10:3/56
- 10.128.10.3/16
gateways: "{{ ifupdown2__gateways.adm }}"
#gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:206:0:2::1/56
- 10.206.0.2/16
gateways: "{{ ifupdown2__gateways.int }}"
dns-2.int.infra.auro.re:
ens18:
addresses:
@ -76,7 +80,13 @@
- 10.128.10.1/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:207:1:2::1/56
- 45.66.108.2/16
ens20:
addresses:
- 2a09:6840:211:1:1::1/56
- 10.211.1.1/16
ssh-2.mgmt.infra.auro.re:
ens18:
addresses:
@ -84,13 +94,19 @@
- 10.128.10.101/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
- 2a09:6840:207:1:3::1/56
- 45.66.108.3/16
ens20:
addresses:
- 2a09:6840:211:1:2::1/56
- 10.211.1.2/16
infra-1.rtr.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:4/56
- 10.128.10.4/16
gateways: "{{ ifupdown2__gateways.adm }}"
forward: true
ens19:
addresses:
- 2a09:6840:203:1:3::1/56
@ -117,12 +133,16 @@
enp2s3:
ipv6_addrgen: false
forward: true
enp2s4:
ipv6_addrgen: false
forward: true
infra-2.rtr.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:104/56
- 10.128.10.104/16
gateways: "{{ ifupdown2__gateways.adm }}"
forward: true
ens19:
addresses:
- 2a09:6840:203:4::1/64
@ -149,6 +169,9 @@
enp2s3:
ipv6_addrgen: false
forward: true
enp2s4:
ipv6_addrgen: false
forward: true
isp-1.rtr.infra.auro.re:
ens18:
addresses:
@ -215,6 +238,8 @@
- ens20
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
forward: true
client-0:
vlan_id: 1000
@ -258,6 +283,9 @@
- ens20
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
forward: true
client-0:
addresses:
- 100.64.0.2/27
@ -300,6 +328,9 @@
- ens20
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
forward: true
client-0:
addresses:
- 100.64.0.3/27

241
playbooks/nftables.yml Executable file
View file

@ -0,0 +1,241 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
vars:
nftables__vars:
adm_ipv6: 2a09:6840:128::/56
adm_ipv4: 10.128.0.0/16
backbone_ipv6: 2a09:6840:203::/56
backbone_ipv4: 10.203.0.0/16
mgmt_ipv6: 2a09:6840:211::/56
mgmt_ipv4: 10.211.0.0/16
clients_ipv6: 2a09:6841::/48
clients_ipv4: 100.64.0.0/10
nftables__tables:
blacklist:
type: inet
sets:
blacklist_ipv6:
type: ipv6_addr
flags:
- interval
blacklist_ipv4:
type: ipv4_addr
flags:
- interval
chains:
filter:
type: filter
hook: prerouting
priority: "raw - 10"
policy: accept
rules:
- "ip6 saddr @blacklist_ipv6 counter drop"
- "ip saddr @blacklist_ipv4 counter drop"
reverse_path_filter:
type: inet
chains:
filter:
type: filter
hook: prerouting
priority: raw
policy: accept
rules:
- "fib saddr . iif oif missing pkttype unicast drop"
filter:
type: inet
sets:
allowed_clients_ipv6:
type: ipv6_addr
flags:
- interval
allowed_clients_ipv4:
type: ipv4_addr
flags:
- interval
chains:
conntrack:
rules:
- "ct state { established, related } accept"
- "ct state invalid counter drop"
input_backbone:
rules:
- "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
- "ip protocol { ospf, vrrp, icmp } accept"
- "tcp dport 179 accept"
input_mgmt:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
- "tcp dport 22 accept"
input_other:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
input:
type: filter
hook: input
priority: filter
policy: drop
rules:
- "jump conntrack"
- "iif lo accept"
# FIXME: don't use ifaces
- "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
- "ip6 saddr vmap { \
$backbone_ipv6: goto input_backbone, \
$mgmt_ipv6: goto input_mgmt, \
$adm_ipv6: goto input_mgmt \
}"
- "ip saddr vmap { \
$backbone_ipv4: goto input_backbone, \
$mgmt_ipv4: goto input_mgmt, \
$adm_ipv4: goto input_mgmt \
}"
- "goto input_other"
forward_clients:
rules:
- "ip6 daddr $clients_ipv6 drop"
- "ip daddr $clients_ipv4 drop"
- "ip6 saddr @allowed_clients_ipv6 accept"
- "ip saddr @allowed_clients_ipv4 accept"
forward:
type: filter
hook: forward
priority: filter
policy: drop
rules:
- "jump conntrack"
- "ip6 saddr $clients_ipv6 goto forward_clients"
- "ip saddr $clients_ipv4 goto forward_clients"
output:
type: filter
hook: output
priority: filter
policy: accept
rules:
- "jump conntrack"
roles:
- nftables
- hosts:
- infra-1.rtr.infra.auro.re
- infra-2.rtr.infra.auro.re
vars:
nftables__vars:
adm_ipv6: 2a09:6840:128::/56
adm_ipv4: 10.128.0.0/16
backbone_ipv6: 2a09:6840:203::/56
backbone_ipv4: 10.203.0.0/16
mgmt_ipv6: 2a09:6840:211::/56
mgmt_ipv4: 10.211.0.0/16
int_ipv6: 2a09:6840:206::/56
int_ipv4: 10.206.0.0/16
local_ipv4:
- 100.64.0.0/10
- 10.0.0.0/8
- 45.66.108.0/22
nftables__tables:
blacklist:
type: inet
sets:
blacklist_ipv6:
type: ipv6_addr
flags:
- interval
blacklist_ipv4:
type: ipv4_addr
flags:
- interval
chains:
filter:
type: filter
hook: prerouting
priority: "raw - 10"
policy: accept
rules:
- "ip6 saddr @blacklist_ipv6 counter drop"
- "ip saddr @blacklist_ipv4 counter drop"
reverse_path_filter:
type: inet
chains:
filter:
type: filter
hook: prerouting
priority: raw
policy: accept
rules:
- "fib saddr . iif oif missing pkttype unicast drop"
filter:
type: inet
chains:
conntrack:
rules:
- "ct state { established, related } accept"
- "ct state invalid counter drop"
input_backbone:
rules:
- "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
- "ip protocol { ospf, vrrp, icmp } accept"
- "tcp dport 179 accept"
input_mgmt:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
- "tcp dport 22 accept"
input_other:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
input:
type: filter
hook: input
priority: filter
policy: drop
rules:
- "jump conntrack"
- "iif lo accept"
# FIXME: don't use ifaces
- "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
- "ip6 saddr vmap { \
$backbone_ipv6: goto input_backbone, \
$mgmt_ipv6: goto input_mgmt, \
$adm_ipv6: goto input_mgmt \
}"
- "ip saddr vmap { \
$backbone_ipv4: goto input_backbone, \
$mgmt_ipv4: goto input_mgmt, \
$adm_ipv4: goto input_mgmt \
}"
- "goto input_other"
forward:
type: filter
hook: forward
priority: filter
policy: drop
rules:
- "jump conntrack"
- "ip6 saddr $int_ipv6 accept" # FIXME
- "ip saddr $int_ipv4 accept" # FIXME
output:
type: filter
hook: output
priority: filter
policy: accept
rules:
- "jump conntrack"
nat:
type: ip
chains:
postrouting:
type: nat
hook: postrouting
priority: srcnat
policy: accept
rules:
- "ip daddr != $local_ipv4 snat to 10.128.10.4"
roles:
- nftables
...

View file

@ -0,0 +1,4 @@
---
nftables__vars: {}
nftables__tables: {}
...

View file

@ -0,0 +1,6 @@
---
- name: Reload nftables
systemd:
name: nftables.service
state: reloaded
...

View file

@ -0,0 +1,23 @@
---
- name: Install nftables
apt:
name:
- nftables
- name: Configure nftables
template:
src: nftables.conf.j2
dest: /etc/nftables.conf
validate: "nft -c -f %s"
owner: root
group: root
mode: u=rw,g=r,o=
notify:
- Reload nftables
- name: Enable and start nftables
systemd:
name: nftables.service
enabled: true
state: started
...

View file

@ -0,0 +1,43 @@
{{ ansible_managed | comment }}
flush ruleset
{% for name, value in nftables__vars.items() %}
{% if value is iterable and value is not string %}
define {{ name }} = { {{ value | join(", ") }} }
{% else %}
define {{ name }} = {{ value }}
{% endif %}
{% endfor %}
{% for name, table in nftables__tables.items() %}
table {{ table.type }} {{ name }} {
{% if table.sets is defined %}
{% for name, set in table.sets.items() %}
set {{ name }} {
type {{ set.type }}
{% if set.flags is defined %}
flags {{ set.flags | join(", ") }}
{% endif %}
{% if set.elements is defined %}
elements = { {{ set.elements | join(", ") }} }
{% endif %}
}
{% endfor %}
{% endif %}
{% if table.chains is defined %}
{% for name, chain in table.chains.items() | default({}) %}
chain {{ name }} {
{% if chain.hook is defined %}
type {{ chain.type }} hook {{ chain.hook }} priority {{ chain.priority }}
policy {{ chain.policy }}
{% endif %}
{% for rule in chain.rules %}
{{ rule | indent }}
{% endfor %}
}
{% endfor %}
{% endif %}
}
{% endfor %}