Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
FreifunkHochstift
/
ffho-salt-public
2
0
Forkuj 2
Pliki Problemy 0 Oczekujące zmiany 0
Drzewo: 9f302065c1
Gałęzie Tagi
ffho-salt-pu...
/
nftables
/
nftables.conf.tmpl

nftables.conf.tmpl 8.0 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276 
  1. #!/usr/sbin/nft -f
    2. 

  2. #
    3. 

  3. # /etc/nftables.conf - FFHO packet filter configuration
    4. 

  4. #
    5. 

  5. {%- set node_config = salt['pillar.get']('nodes:' ~ grains['id']) %}
    6. 

  6. {%- set nf_cc = node_config.get ('nftables', {}) %}
    7. 

  7. {%- set roles = node_config.get ('roles', []) %}
    8. 

  8. {%- set services = node_config.get ('services', []) %}
    9. 

  9. 

  10. {%- set fw_policy = salt['pillar.get']('firewall:policy', {}) %}
    11. 

  11. {%- set acls = salt['pillar.get']('firewall:acls') %}
    12. 

  12. {%- set admin_access = salt['pillar.get']('firewall:admin_access') %}
    13. 

  13. {%- set ssh = salt['pillar.get']("firewall:ssh") %}
    14. 

  14. 

  15. {%- set icinga2_queriers = salt['pillar.get']('monitoring:icinga2:queriers', []) %}
    16. 

  16. {%- set nms_list = salt['pillar.get']('globals:snmp:nms_list', []) %}
    17. 

  17. 

  18. {%- set forward = salt['ffho_netfilter.generate_forward_policy'](fw_policy, roles, nf_cc) %}
    19. 

  19. {%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](roles, nf_cc) %}
    20. 

  20. {%- set urpf = salt['ffho_netfilter.generate_urpf_policy'](node_config['ifaces']) %}
    21. 

  21. {%- set allow_dhcp = salt['ffho_netfilter.allow_dhcp'](fw_policy, roles) %}
    22. 

  22. 

  23. flush ruleset
    24. 

  24. 

  25. table ip filter {
    26. 

  26. 	set ibgp-peers {
    27. 

  27. 		type ipv4_addr
    28. 

  28. 		elements = {
    29. 

  29. 			10.132.255.1,	# cr01.in.ffho.net
    30. 

  30. 			10.132.255.2,	# cr02.in.ffho.net
    31. 

  31. 			10.132.255.3,	# cr03.in.ffho.net
    32. 

  32. 		}
    33. 

  33. 	}
    34. 

  34. 

  35. 	chain input {
    36. 

  36. 		type filter hook input priority 0; policy drop;
    37. 

  37. 		iifname "lo" counter accept
    38. 

  38. 		ip protocol icmp counter jump icmp_chain
    39. 

  39. 		udp dport 0 counter drop
    40. 

  40. 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
    41. 

  41. 		udp dport 4789 jump vxlan
    42. 

  42. 		ct state invalid counter drop
    43. 

  43. 		counter jump admin_access
    44. 

  44. 		counter jump monitoring
    45. 

  45. 		tcp dport 22 counter jump ssh
    46. 

  46. {%- if 'router' in roles %}
    47. 

  47. 		ip daddr { 224.0.0.5, 224.0.0.6 } meta l4proto ospf accept
    48. 

  48. 		tcp dport 179 counter jump bgp
    49. 

  49. {%- endif %}
    50. 

  50. 		ct state related,established counter accept
    51. 

  51. 		counter jump services
    52. 

  52. 		limit rate 1/second burst 3 packets counter log prefix "nf input: "
    53. 

  53. 		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
    54. 

  54. 		counter drop
    55. 

  55. 	}
    56. 

  56. 

  57. 	chain forward {
    58. 

  58. 		type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
    59. 

  59. {#- custom rules #}
    60. 

  60. {%- for rule in forward['rules'].get ('4', []) %}
    61. 

  61. 		{{ rule }}
    62. 

  62. {%- endfor %}
    63. 

  63. 

  64. {#- uRPF #}
    65. 

  65. {%- for iface_cfg in urpf  %}
    66. 

  66.   {%- if loop.first %}
    67. 

  67. 		# uRPF
    68. 

  68.   {%- endif %}
    69. 

  69.   {%- for pfx in iface_cfg[4] %}
    70. 

  70. 		iif {{ iface_cfg['iface'] }} ip saddr {{ pfx }} accept
    71. 

  71.   {%- endfor %}
    72. 

  72. 		iif {{ iface_cfg['iface'] }} counter drop
    73. 

  73. {%- endfor %}
    74. 

  74. 

  75. {%- if forward['policy'] == 'drop' %}
    76. 

  76. 		limit rate 1/second burst 3 packets counter log prefix "nf forward: "
    77. 

  77. 		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
    78. 

  78. {%- endif %}
    79. 

  79. 	}
    80. 

  80. 

  81. 	chain icmp_chain {
    82. 

  82. 		icmp type { echo-request, destination-unreachable, time-exceeded } counter accept
    83. 

  83. 	}
    84. 

  84. 

  85. 	chain admin_access {
    86. 

  86. {%- for pfx in admin_access[4].keys()|sort %}
    87. 

  87.   {%- set comment = admin_access[4][pfx] %}
    88. 

  88. 		ip saddr {{ pfx }} counter accept comment "{{ comment }}"
    89. 

  89. {%- endfor %}
    90. 

  90. 	}
    91. 

  91. 

  92. {%- if 'router' in roles %}
    93. 

  93. 	chain bgp {
    94. 

  94. 		ip saddr @ibgp-peers counter accept comment "iBGP peers"
    95. 

  95. 		# TODO: Add external BGP peers, if any
    96. 

  96. 	}
    97. 

  97. {%- endif %}
    98. 

  98. 

  99. 	chain monitoring {
    100. 

  100. {%- for ip in icinga2_queriers if not ":" in ip %}
    101. 

  101. 		ip saddr {{ ip }} counter accept comment "Icinga2"
    102. 

  102. {%- endfor %}
    103. 

  103. {%- for ip in nms_list if not ":" in ip %}
    104. 

  104. 		ip saddr {{ ip }} udp dport 161 counter accept comment "NMS"
    105. 

  105. {%- endfor %}
    106. 

  106. 	}
    107. 

  107. 

  108. 	chain ssh {
    109. 

  109. {%- for pfx in ssh[4].keys()|sort %}
    110. 

  110.   {%- set comment = ssh[4][pfx] %}
    111. 

  111. 		ip saddr {{ pfx }} counter accept comment "{{ comment }}"
    112. 

  112. {%- endfor %}
    113. 

  113. 	}
    114. 

  114. 

  115. 	chain services {
    116. 

  116. {%- if allow_dhcp %}
    117. 

  117. 		udp dport 67 counter accept comment "DHCP"
    118. 

  118. {%- endif %}
    119. 

  119. 

  120. {%- for rule in salt['ffho_netfilter.generate_service_rules'](services, acls, 4) %}
    121. 

  121. 		{{ rule }}
    122. 

  122. {%- endfor %}
    123. 

  123. 	}
    124. 

  124. 

  125. 	chain vxlan {
    126. 

  126. {%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
    127. 

  127. 		iif {{ iface }} accept
    128. 

  128. {%- endfor %}
    129. 

  129. 		counter drop
    130. 

  130. 	}
    131. 

  131. 

  132. 	chain log-drop {
    133. 

  133. 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
    134. 

  134. 		counter drop
    135. 

  135. 	}
    136. 

  136. 

  137. 	chain log-reject {
    138. 

  138. 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
    139. 

  139. 		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
    140. 

  140. 		counter drop
    141. 

  141. 	}
    142. 

  142. }
    143. 

  143. 

  144. table ip6 filter {
    145. 

  145. 	set ibgp-peers {
    146. 

  146. 		type ipv6_addr
    147. 

  147. 		elements = {
    148. 

  148. 			2a03:2260:2342:ffff::1,	# cr01.in.ffho.net
    149. 

  149. 			2a03:2260:2342:ffff::2,	# cr02.in.ffho.net
    150. 

  150. 			2a03:2260:2342:ffff::3,	# cr03.in.ffho.net
    151. 

  151. 		}
    152. 

  152. 	}
    153. 

  153. 

  154. 	chain input {
    155. 

  155. 		type filter hook input priority 0; policy drop;
    156. 

  156. 		iifname "lo" counter accept
    157. 

  157. 		ip6 nexthdr icmpv6 counter jump icmp_chain
    158. 

  158. 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
    159. 

  159. 		udp dport 4789 jump vxlan
    160. 

  160. 		ct state invalid counter drop comment "Drop packets that do not make sense."
    161. 

  161. 		counter jump admin_access
    162. 

  162. 		counter jump monitoring
    163. 

  163. 		tcp dport 22 counter jump ssh
    164. 

  164. {%- if 'router' in roles %}
    165. 

  165. 		ip6 saddr fe80::/64 ip6 daddr { fe80::/10, ff02::5, ff02::6 } meta l4proto ospf accept
    166. 

  166. 		tcp dport 179 counter jump bgp
    167. 

  167. {%- endif %}
    168. 

  168. 		ct state related,established counter accept comment "Allow established connections."
    169. 

  169. 		counter jump services
    170. 

  170. 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
    171. 

  171. 		limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
    172. 

  172. 		counter drop
    173. 

  173. 	}
    174. 

  174. 

  175. 	chain forward {
    176. 

  176. 		type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
    177. 

  177. {#- custom rules #}
    178. 

  178. {%- for rule in forward['rules'].get ('6', []) %}
    179. 

  179. 		{{ rule }}
    180. 

  180. {%- endfor %}
    181. 

  181. 

  182. {#- uRPF #}
    183. 

  183. {%- for iface_cfg in urpf  %}
    184. 

  184.   {%- if loop.first %}
    185. 

  185. 		# uRPF
    186. 

  186.   {%- endif %}
    187. 

  187.   {%- for pfx in iface_cfg[6] %}
    188. 

  188. 		iif {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} accept
    189. 

  189.   {%- endfor %}
    190. 

  190. 		iif {{ iface_cfg['iface'] }} counter drop
    191. 

  191. {%- endfor %}
    192. 

  192. 

  193. {%- if forward['policy'] == 'drop' %}
    194. 

  194. 		limit rate 1/second burst 3 packets counter log prefix "nf forward: "
    195. 

  195. 		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
    196. 

  196. {%- endif %}
    197. 

  197. 	}
    198. 

  198. 

  199. 	chain icmp_chain {
    200. 

  200. 		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } counter accept
    201. 

  201. 		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } ip6 hoplimit 255 counter accept
    202. 

  202. 	}
    203. 

  203. 

  204. 	chain admin_access {
    205. 

  205. {%- for pfx in admin_access[6].keys()|sort %}
    206. 

  206.   {%- set comment = admin_access[6][pfx] %}
    207. 

  207. 		ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
    208. 

  208. {%- endfor %}
    209. 

  209. 	}
    210. 

  210. 

  211. {%- if 'router' in roles %}
    212. 

  212. 	chain bgp {
    213. 

  213. 		ip6 saddr @ibgp-peers counter accept comment "iBGP peers"
    214. 

  214. 		# TODO: Add external BGP peers, if any
    215. 

  215. 	}
    216. 

  216. {%- endif %}
    217. 

  217. 

  218. 	chain monitoring {
    219. 

  219. {%- for ip in icinga2_queriers if ":" in ip %}
    220. 

  220. 		ip6 saddr {{ ip }} counter accept comment "Icinga2"
    221. 

  221. {%- endfor %}
    222. 

  222. {%- for ip in nms_list if ":" in ip %}
    223. 

  223. 		ip6 saddr {{ ip }} udp dport 161 counter accept comment "NMS"
    224. 

  224. {%- endfor %}
    225. 

  225. 	}
    226. 

  226. 

  227. 	chain ssh {
    228. 

  228. {%- for pfx in ssh[6].keys()|sort %}
    229. 

  229.   {%- set comment = ssh[6][pfx] %}
    230. 

  230. 		ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
    231. 

  231. {%- endfor %}
    232. 

  232. 	}
    233. 

  233. 

  234. 	chain services {
    235. 

  235. {%- for rule in salt['ffho_netfilter.generate_service_rules'](services, acls, 6) %}
    236. 

  236. 		{{ rule }}
    237. 

  237. {%- endfor %}
    238. 

  238. 	}
    239. 

  239. 

  240. 	chain vxlan {
    241. 

  241. {%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
    242. 

  242. 		iif {{ iface }} accept
    243. 

  243. {%- endfor %}
    244. 

  244. 		counter drop
    245. 

  245. 	}
    246. 

  246. 

  247. 	chain log-drop {
    248. 

  248. 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
    249. 

  249. 		counter drop
    250. 

  250. 	}
    251. 

  251. 

  252. 	chain log-reject {
    253. 

  253. 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
    254. 

  254. 		limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
    255. 

  255. 		counter drop
    256. 

  256. 	}
    257. 

  257. }
    258. 

  258. 

  259. {#-
    260. 

  260.  # NAT
    261. 

  261.  #}
    262. 

  262. {%- for af in [ 4, 6 ] %}
    263. 

  263.   {%- if nat_policy[af] %}
    264. 

  264.     {%- set af_name = "ip" if af == 4 else "ip6" %}
    265. 

  265. table {{ af_name }} nat {
    266. 

  266.     {%- for chain in ['output', 'prerouting', 'postrouting'] if chain in nat_policy[af] %}
    267. 

  267. 	chain {{ chain }} {
    268. 

  268. 		type nat hook {{ chain }} priority 0; policy accept;
    269. 

  269.       {%- for rule in nat_policy[af][chain] %}
    270. 

  270. 		{{ rule }}
    271. 

  271.       {%- endfor %}
    272. 

  272. 	}
    273. 

  273.     {%- endfor %}
    274. 

  274. }
    275. 

  275.   {%- endif %}
    276. 

  276. {%- endfor %}
    277.