#!/usr/bin/env ansible-playbook
---
- hosts:
    - isp-1.rtr.infra.auro.re
    - isp-2.rtr.infra.auro.re
  vars:
    # Prefixes referenced as $name inside the rule strings below. The nftables
    # role is expected to hand them to nft (as defines or by substitution); the
    # rendering itself is not visible in this playbook.
    nftables__vars:
      adm_ipv6: '2a09:6840:128::/56'
      adm_ipv4: '10.128.0.0/16'
      backbone_ipv6: '2a09:6840:203::/56'
      backbone_ipv4: '10.203.0.0/16'
      mgmt_ipv6: '2a09:6840:211::/56'
      mgmt_ipv4: '10.211.0.0/16'
      clients_ipv6: '2a09:6841::/48'
      clients_ipv4: '100.64.0.0/10'
    nftables__tables:
      # Early drop of blocklisted sources. Runs in prerouting ahead of the
      # reverse-path check (priority raw - 10 sorts before raw), so a listed
      # source is counted and discarded before anything else sees it. No
      # elements are declared here; the sets have to be populated at runtime.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: 'raw - 10'
            policy: accept
            rules:
              - 'ip6 saddr @blacklist_ipv6 counter drop'
              - 'ip saddr @blacklist_ipv4 counter drop'
      # Strict reverse-path check: a unicast packet whose source is not
      # routable back out through the interface it arrived on is dropped.
      # The filter table below grants trust by source prefix, so this table is
      # what keeps a spoofed mgmt/backbone source from being honoured on an
      # arbitrary interface -- assuming the routing table actually pins those
      # prefixes to the expected interfaces (confirm on the hosts).
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - 'fib saddr . iif oif missing pkttype unicast drop'
      filter:
        type: inet
        # Clients allowed to be forwarded towards the rest of the network.
        # Nothing is declared here; the sets are filled elsewhere.
        sets:
          allowed_clients_ipv6:
            type: ipv6_addr
            flags:
              - interval
          allowed_clients_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          # Shared conntrack handling. Entered with `jump`, so a packet that is
          # neither established/related nor invalid returns to the caller.
          conntrack:
            rules:
              - 'ct state { established, related } accept'
              - 'ct state invalid counter drop'
          # Backbone peers: routing protocols, VRRP, ICMP and BGP (tcp/179).
          # NOTE(review): `ip6 nexthdr` only examines the first next-header
          # field, so an IPv6 packet carrying an extension header (hop-by-hop,
          # as MLD does) will not match and falls through to the base chain's
          # drop policy. `meta l4proto` sees through extension headers; confirm
          # whether that matters on these links before changing it.
          input_backbone:
            rules:
              - 'ip6 nexthdr { ospf, vrrp, icmpv6 } accept'
              - 'ip protocol { ospf, vrrp, icmp } accept'
              - 'tcp dport 179 accept'
          # Management and admin prefixes: ICMP plus SSH, nothing else.
          input_mgmt:
            rules:
              - 'ip6 nexthdr icmpv6 accept'
              - 'ip protocol icmp accept'
              - 'tcp dport 22 accept'
          # Everyone else (clients, Internet, link-local on non-backbone
          # interfaces): ICMP only, which also covers neighbour discovery.
          # Echo requests are not rate-limited here.
          input_other:
            rules:
              - 'ip6 nexthdr icmpv6 accept'
              - 'ip protocol icmp accept'
          # Base input chain, default deny. Replies to existing flows are
          # accepted by the conntrack chain first; for new flows the vmaps pick
          # a sub-chain by source prefix. `goto` does not return: whatever the
          # target chain does not accept ends in this chain's drop policy.
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - 'jump conntrack'
              - 'iif lo accept'
              # Link-local sources (OSPFv3, VRRP over IPv6) are only trusted on
              # the backbone interface.
              # FIXME: don't use ifaces
              - 'ip6 saddr fe80::/10 iifname ens19 goto input_backbone'
              - >-
                ip6 saddr vmap {
                $backbone_ipv6: goto input_backbone,
                $mgmt_ipv6: goto input_mgmt,
                $adm_ipv6: goto input_mgmt
                }
              - >-
                ip saddr vmap {
                $backbone_ipv4: goto input_backbone,
                $mgmt_ipv4: goto input_mgmt,
                $adm_ipv4: goto input_mgmt
                }
              - 'goto input_other'
          # Flows originating from the client prefixes. Client-to-client
          # forwarding through this router is refused outright; after that only
          # sources present in the allowed_clients_* sets are let out, and any
          # other client falls through to the forward chain's drop policy.
          forward_clients:
            rules:
              - 'ip6 daddr $clients_ipv6 drop'
              - 'ip daddr $clients_ipv4 drop'
              - 'ip6 saddr @allowed_clients_ipv6 accept'
              - 'ip saddr @allowed_clients_ipv4 accept'
          # Base forward chain. Only client-originated flows can be opened
          # through this router; from every other direction just replies to
          # existing flows (established/related) pass, so nothing on the far
          # side can initiate a connection towards a client.
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - 'jump conntrack'
              - 'ip6 saddr $clients_ipv6 goto forward_clients'
              - 'ip saddr $clients_ipv4 goto forward_clients'
          # Locally generated traffic is allowed; the conntrack chain still
          # discards what conntrack classifies as invalid.
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - 'jump conntrack'
  roles:
    - nftables
- hosts:
    - infra-1.rtr.infra.auro.re
    - infra-2.rtr.infra.auro.re
  vars:
    # Prefixes referenced as $name inside the rule strings below; the nftables
    # role is expected to expose them to nft (rendering not visible here).
    nftables__vars:
      adm_ipv6: '2a09:6840:128::/56'
      adm_ipv4: '10.128.0.0/16'
      backbone_ipv6: '2a09:6840:203::/56'
      backbone_ipv4: '10.203.0.0/16'
      mgmt_ipv6: '2a09:6840:211::/56'
      mgmt_ipv4: '10.211.0.0/16'
      int_ipv6: '2a09:6840:206::/56'
      int_ipv4: '10.206.0.0/16'
      # Destinations that must not be source-NATed. Given as a list, so the
      # nftables role has to render it as an nft set for the
      # `ip daddr != $local_ipv4` rule below to be valid -- confirm.
      local_ipv4:
        - '100.64.0.0/10'
        - '10.0.0.0/8'
        - '45.66.108.0/22'
    nftables__tables:
      # Early drop of blocklisted sources, ahead of the reverse-path check
      # (raw - 10 sorts before raw). The sets are empty as declared here and
      # must be populated at runtime.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: 'raw - 10'
            policy: accept
            rules:
              - 'ip6 saddr @blacklist_ipv6 counter drop'
              - 'ip saddr @blacklist_ipv4 counter drop'
      # Strict reverse-path check: drop unicast packets whose source is not
      # routable back through the ingress interface. The filter table trusts
      # packets by source prefix, so this is what backs that trust against
      # spoofing (assuming the routes pin the prefixes to the right
      # interfaces -- confirm on the hosts).
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - 'fib saddr . iif oif missing pkttype unicast drop'
      filter:
        type: inet
        chains:
          # Shared conntrack handling; entered with `jump`, so anything that is
          # neither established/related nor invalid returns to the caller.
          conntrack:
            rules:
              - 'ct state { established, related } accept'
              - 'ct state invalid counter drop'
          # Backbone peers: routing protocols, VRRP, ICMP and BGP (tcp/179).
          # NOTE(review): `ip6 nexthdr` matches only the first next-header
          # field; IPv6 packets with an extension header (hop-by-hop, e.g.
          # MLD) do not match here and hit the base chain's drop policy.
          # `meta l4proto` would look past extension headers -- confirm whether
          # this matters on these links.
          input_backbone:
            rules:
              - 'ip6 nexthdr { ospf, vrrp, icmpv6 } accept'
              - 'ip protocol { ospf, vrrp, icmp } accept'
              - 'tcp dport 179 accept'
          # Management and admin prefixes: ICMP plus SSH only.
          input_mgmt:
            rules:
              - 'ip6 nexthdr icmpv6 accept'
              - 'ip protocol icmp accept'
              - 'tcp dport 22 accept'
          # Everything that is not backbone/mgmt/adm: ICMP only (this also
          # carries neighbour discovery). No rate limit on echo requests.
          input_other:
            rules:
              - 'ip6 nexthdr icmpv6 accept'
              - 'ip protocol icmp accept'
          # Base input chain, default deny. New flows are classified by source
          # prefix; `goto` never returns, so whatever the target chain does not
          # accept ends in this chain's drop policy.
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - 'jump conntrack'
              - 'iif lo accept'
              # Link-local sources (OSPFv3, VRRP over IPv6) are trusted on the
              # backbone interface only.
              # FIXME: don't use ifaces
              - 'ip6 saddr fe80::/10 iifname ens19 goto input_backbone'
              - >-
                ip6 saddr vmap {
                $backbone_ipv6: goto input_backbone,
                $mgmt_ipv6: goto input_mgmt,
                $adm_ipv6: goto input_mgmt
                }
              - >-
                ip saddr vmap {
                $backbone_ipv4: goto input_backbone,
                $mgmt_ipv4: goto input_mgmt,
                $adm_ipv4: goto input_mgmt
                }
              - 'goto input_other'
          # Base forward chain. Only flows originating in the int prefixes can
          # be opened through this router, without any restriction on
          # destination or port (hence the FIXMEs); from any other direction
          # only established/related traffic is forwarded.
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - 'jump conntrack'
              - 'ip6 saddr $int_ipv6 accept'  # FIXME
              - 'ip saddr $int_ipv4 accept'  # FIXME
          # Locally generated traffic is allowed; the conntrack chain still
          # drops what conntrack considers invalid.
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - 'jump conntrack'
      # IPv4-only source NAT for traffic leaving the local ranges.
      nat:
        type: ip
        chains:
          # NOTE(review): there is no oif/saddr qualifier, so every IPv4 packet
          # bound outside $local_ipv4 -- including packets this router
          # originates itself -- is rewritten to 10.128.10.4 (an address in the
          # adm range). Confirm that address is configured on this host or on
          # a VRRP address shared by infra-1/infra-2, otherwise the return
          # path breaks.
          postrouting:
            type: nat
            hook: postrouting
            priority: srcnat
            policy: accept
            rules:
              - 'ip daddr != $local_ipv4 snat to 10.128.10.4'
  roles:
    - nftables
...