cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

nftables

Browse source
This commit is contained in:
cronekorkn 2022-09-09 19:50:42 +02:00
parent 936630322f
commit c64aa70b49
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
12 changed files with 158 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
bundles/bind/metadata.py
View file

@ -41,6 +41,12 @@ defaults = {
}, },
'zones': set(), 'zones': set(),
}, },
'nftables': {
'input': {
'tcp dport 53 accept',
'udp dport 53 accept',
},
},
'telegraf': { 'telegraf': {
'config': { 'config': {
'inputs': { 'inputs': {
@ -97,7 +103,7 @@ def dns(metadata):
def collect_records(metadata): def collect_records(metadata):
if metadata.get('bind/type') == 'slave': if metadata.get('bind/type') == 'slave':
return {} return {}
views = {} views = {}
for view_name, view_conf in metadata.get('bind/views').items(): for view_name, view_conf in metadata.get('bind/views').items():
@ -117,7 +123,7 @@ def collect_records(metadata):
name = fqdn[0:-len(zone) - 1] name = fqdn[0:-len(zone) - 1]
for type, values in records.items(): for type, values in records.items():
for value in values: for value in values:
if repo.libs.bind.record_matches_view(value, type, name, zone, view_name, metadata): if repo.libs.bind.record_matches_view(value, type, name, zone, view_name, metadata):
views\ views\
@ -128,7 +134,7 @@ def collect_records(metadata):
.add( .add(
h({'name': name, 'type': type, 'value': value}) h({'name': name, 'type': type, 'value': value})
) )
return { return {
'bind': { 'bind': {
'views': views, 'views': views,
@ -160,7 +166,7 @@ def ns_records(metadata):
# FIXME: bw currently cant handle lists of dicts :( # FIXME: bw currently cant handle lists of dicts :(
h({'name': '@', 'type': 'NS', 'value': f"{nameserver}."}) h({'name': '@', 'type': 'NS', 'value': f"{nameserver}."})
for nameserver in nameservers for nameserver in nameservers
} }
} }
for zone_name, zone_conf in view_conf['zones'].items() for zone_name, zone_conf in view_conf['zones'].items()
} }
@ -177,7 +183,7 @@ def ns_records(metadata):
def slaves(metadata): def slaves(metadata):
if metadata.get('bind/type') == 'slave': if metadata.get('bind/type') == 'slave':
return {} return {}
return { return {
'bind': { 'bind': {
'slaves': [ 'slaves': [

13
bundles/dovecot/metadata.py
View file

@ -13,15 +13,20 @@ defaults = {
'catdoc': {}, # catdoc, catppt, xls2csv 'catdoc': {}, # catdoc, catppt, xls2csv
}, },
}, },
'dovecot': {
'database': {
'dbname': 'mailserver',
'dbuser': 'mailserver',
},
},
'letsencrypt': { 'letsencrypt': {
'reload_after': { 'reload_after': {
'dovecot', 'dovecot',
}, },
}, },
'dovecot': { 'nftables': {
'database': { 'input': {
'dbname': 'mailserver', 'tcp dport {143, 993, 4190} accept',
'dbuser': 'mailserver',
}, },
}, },
} }

5
bundles/icinga2/metadata.py
View file

@ -20,6 +20,11 @@ defaults = {
} }
}, },
}, },
'nftables': {
'input': {
'tcp dport 5665 accept',
},
},
'postgresql': { 'postgresql': {
'databases': { 'databases': {
'icinga2': { 'icinga2': {

5
bundles/influxdb2/metadata.py
View file

@ -10,6 +10,11 @@ defaults = {
'deb https://repos.influxdata.com/debian {release} stable', 'deb https://repos.influxdata.com/debian {release} stable',
}, },
}, },
'nftables': {
'input': {
'tcp dport 8200 accept',
},
},
'influxdb': { 'influxdb': {
'port': '8200', 'port': '8200',
'username': 'admin', 'username': 'admin',

65
bundles/nftables/files/nftables.conf Normal file
View file

@ -0,0 +1,65 @@
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
# INPUT
chain input {
type filter hook input priority 0;
policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback traffic.
iifname lo accept
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
#rules
% for rule in sorted(input):
${rule}
% endfor
}
chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept
}
chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
icmpv6 type echo-request limit rate 5/second accept
}
# FORWARD
chain forward {
type filter hook forward priority 0;
#rules
% for rule in sorted(forward):
${rule}
% endfor
}
# OUTPUT
chain output {
type filter hook output priority 0;
% for rule in sorted(output):
${rule}
% endfor
}
}

22
bundles/nftables/items.py Normal file
View file

@ -0,0 +1,22 @@
files = {
'/etc/nftables.conf': {
'content_type': 'mako',
'mode': '0755',
'context': {
'input': node.metadata.get('nftables/input'),
'forward': node.metadata.get('nftables/forward'),
'output': node.metadata.get('nftables/output'),
},
'triggers': [
'svc_systemd:nftables.service:reload',
],
},
}
svc_systemd = {
'nftables.service': {
'needs': [
'pkg_apt:nftables',
],
},
}

14
bundles/nftables/metadata.py Normal file
View file

@ -0,0 +1,14 @@
defaults = {
'apt': {
'packages': {
'nftables': {},
},
},
'nftables': {
'input': {
'tcp dport 22 accept',
},
'forward': {},
'output': {},
},
}

24
bundles/nginx/metadata.py
View file

@ -8,26 +8,12 @@ defaults = {
'nginx': {}, 'nginx': {},
}, },
}, },
'nginx': { 'nftables': {
'default_vhosts': { 'input': {
'80': { 'tcp dport {80, 443} accept',
'listen': [
'80',
'[::]:80',
],
'location /.well-known/acme-challenge/': {
'alias': '/var/lib/dehydrated/acme-challenges/',
},
'location /': {
'return': '301 https://$host$request_uri',
},
},
'stub_status': {
'listen': '127.0.0.1:22999 default_server',
'server_name': '_',
'stub_status': '',
},
}, },
},
'nginx': {
'vhosts': { 'vhosts': {
# '80': { # '80': {
# 'content': 'nginx/80.conf', # 'content': 'nginx/80.conf',

13
bundles/postfix/metadata.py
View file

@ -11,10 +11,18 @@ defaults = {
'/var/vmail', '/var/vmail',
}, },
}, },
'grafana_rows': {
'postfix_queue',
},
'letsencrypt': { 'letsencrypt': {
'reload_after': { 'reload_after': {
'postfix', 'postfix',
}, },
},
'nftables': {
'input': {
'tcp dport {25, 465, 587} accept',
},
}, },
'telegraf': { 'telegraf': {
'config': { 'config': {
@ -23,7 +31,4 @@ defaults = {
}, },
}, },
}, },
'grafana_rows': {
'postfix_queue',
},
} }

5
bundles/postgresql/metadata.py
View file

@ -14,6 +14,11 @@ defaults = {
'/var/lib/postgresql', '/var/lib/postgresql',
}, },
}, },
'nftables': {
'input': {
'tcp dport 5432 accept',
},
},
'postgresql': { 'postgresql': {
'conf': {}, 'conf': {},
'roles': { 'roles': {

9
bundles/wireguard/metadata.py
View file

@ -17,6 +17,11 @@ defaults = {
}, },
}, },
}, },
'nftables': {
'input': {
'tcp dport 51820 accept',
},
},
'wireguard': { 'wireguard': {
's2s': {}, 's2s': {},
'clients': {}, 'clients': {},
@ -106,7 +111,7 @@ def systemd_networkd_netdevs(metadata):
'ListenPort': 51820, 'ListenPort': 51820,
}, },
} }
for peer, config in { for peer, config in {
**metadata.get('wireguard/s2s'), **metadata.get('wireguard/s2s'),
**metadata.get('wireguard/clients'), **metadata.get('wireguard/clients'),
@ -121,7 +126,7 @@ def systemd_networkd_netdevs(metadata):
}) })
if config.get('endpoint'): if config.get('endpoint'):
netdev[f'WireGuardPeer#{peer}']['Endpoint'] = config['endpoint'] netdev[f'WireGuardPeer#{peer}']['Endpoint'] = config['endpoint']
return { return {
'systemd': { 'systemd': {
'units': { 'units': {

1
groups/os/debian.py
View file

@ -4,6 +4,7 @@
], ],
'bundles': [ 'bundles': [
'apt', 'apt',
'nftables',
], ],
'metadata': { 'metadata': {
'apt': { 'apt': {