network: domains: add firewall rules for multidomain and v6upstream
Introduce two different types (roles) of Gateways: gateway4 and gateway6. Our normal Gateways (Hostname gw*.ffrn.de) are of the type gateway4; our IPv6 Gateway (Hostname v6upstream.ffrn.de) is of the type gateway6. This allows distinguishing between Firewall Rules for IPv4 and IPv6 and deploying only the relevant ones. Also add MSS-Clamping for both IPv4 and IPv6, since this should result in better performance: https://twitter.com/ffda_noc/status/1332737545986314246
Showing
7 changed files
with
84 additions
and
16 deletions.
@@ -1,21 +1,42 @@ | ||
{%- set nets4 = salt['pillar.get']('domains:%s:ip4'|format(domain)).keys() %} | ||
{%- set nets6 = salt['pillar.get']('domains:%s:ip6'|format(domain)).keys() %} | ||
{%- set mtu = salt['pillar.get']('domains:%s:mtu'|format(domain)) %} | ||
{%- set public_interface = salt['pillar.get']('nftables:public_interface', 'eth0') %} | ||
|
||
{% if "roles" in pillar and 'gateway4' in pillar.roles %} | ||
table ip nat { | ||
# chain PREROUTING { | ||
# type nat hook prerouting priority -100; policy accept; | ||
# } | ||
|
||
chain POSTROUTING { | ||
type nat hook postrouting priority 100; policy accept; | ||
oifname "{{ salt['pillar.get']('nftables:public_interface', 'eth0') }}" ip saddr {{ ' '.join(nets4) }} counter snat to {{ grains['fqdn_ip4'][0] }}; | ||
oifname "{{ public_interface }}" ip saddr { {{ ', '.join(nets4) }} } counter snat to {{ grains['fqdn_ip4'][0] }}; | ||
} | ||
} | ||
{% endif %} | ||
|
||
table inet filter { | ||
chain forward { | ||
iifname "dom{{ domain_id }}-br" ip saddr {{ " ".join(nets4) }} tcp dport 25 counter reject comment "don't allow smtp - {{ domain }}" | ||
iifname "dom{{ domain_id }}-br" ip saddr {{ " ".join(nets4) }} counter accept | ||
{%- if "roles" in pillar and 'gateway4' in pillar.roles %} | ||
iifname "dom{{ domain_id }}-br" ip saddr { {{ ', '.join(nets4) }} } tcp dport 25 counter reject comment "don't allow smtp - {{ domain }}" | ||
iifname "dom{{ domain_id }}-br" ip saddr { {{ ', '.join(nets4) }} } counter accept | ||
{% endif %} | ||
{%- if "roles" in pillar and 'gateway6' in pillar.roles %} | ||
iifname "dom{{ domain_id }}-br" ip6 saddr { {{ ', '.join(nets6) }} } tcp dport smtp counter reject comment "don't allow smtp - {{ domain }}" | ||
iifname "dom{{ domain_id }}-br" ip6 saddr { {{ ', '.join(nets6) }} } counter accept comment "allow out {{ domain }}" | ||
iifname "{{ public_interface }}" oifname "dom{{ domain_id }}-br" ip6 daddr { {{ ', '.join(nets6) }} } counter accept comment "allow in {{ domain }}" | ||
{%- endif %} | ||
} | ||
} | ||
|
||
table inet mangle { | ||
chain FORWARD { | ||
|
||
{%- if "roles" in pillar and 'gateway4' in pillar.roles %} | ||
# mss = transport mtu - (batman-adv + ether) - ipv4 - tcp | ||
ip version 4 iifname "dom{{ domain_id }}-br" oifname "{{ public_interface }}" meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set {{ mtu - 32 - 20 - 20 }} | ||
{%- endif %} | ||
|
||
{%- if "roles" in pillar and 'gateway6' in pillar.roles %} | ||
# mss = transport mtu - (batman-adv + ether) - ipv6 - tcp | ||
ip version 6 iifname "dom{{ domain_id }}-br" oifname "{{ public_interface) }}" meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set {{ mtu - 32 - 40 - 20 }} | ||
ip version 6 iifname "{{ public_interface }}" oifname "dom{{ domain_id }}-br" meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set {{ mtu - 32 - 40 - 20 }} | ||
{%- endif %} | ||
} | ||
} |
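Review bot: The IPv6 MSS rule in the gateway6 mangle block has a Jinja syntax error, `oifname "{{ public_interface) }}"` — a stray `)` where `}}` should close the expression; it should read `oifname "{{ public_interface }}"` as on the neighbouring rules. Jinja parses the whole template before evaluating any `{% if %}` block, so this most likely breaks rendering of the domain file on every host that includes it, not only on gateway6 hosts. Separately, IPv6 clamps MSS in both directions (dom→public and public→dom) while IPv4 only clamps dom→public; if that asymmetry is deliberate a one-line comment saying why would help, otherwise a mirrored `ip version 4 iifname "{{ public_interface }}" oifname "dom{{ domain_id }}-br" ...` rule keeps the two roles consistent. The inbound IPv6 rule `ip6 daddr { ... } counter accept` forwards any unsolicited traffic from the public interface to the domain prefixes, so a comment such as `# clients are publicly reachable over IPv6 by design; only outbound smtp is blocked` would make that exposure explicit for the next reader.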
@@ -0,0 +1,21 @@ | ||
table inet mangle { | ||
chain PREROUTING { | ||
type filter hook prerouting priority -150; policy accept; | ||
} | ||
|
||
chain INPUT { | ||
type filter hook input priority -150; policy accept; | ||
} | ||
|
||
chain FORWARD { | ||
type filter hook forward priority -150; policy accept; | ||
} | ||
|
||
chain OUTPUT { | ||
type route hook output priority -150; policy accept; | ||
} | ||
|
||
chain POSTROUTING { | ||
type filter hook postrouting priority -150; policy accept; | ||
} | ||
} |
@@ -0,0 +1,17 @@ | ||
table ip nat { | ||
chain PREROUTING { | ||
type nat hook prerouting priority -100; policy accept; | ||
} | ||
|
||
chain INPUT { | ||
type nat hook input priority 100; policy accept; | ||
} | ||
|
||
chain POSTROUTING { | ||
type nat hook postrouting priority 100; policy accept; | ||
} | ||
|
||
chain OUTPUT { | ||
type nat hook output priority -100; policy accept; | ||
} | ||
} |
@@ -0,0 +1,4 @@ | ||
--- | ||
{% import 'nftables/macro.sls' as nftables %} | ||
|
||
{{ nftables.include('05-mangle', 'salt://nftables/tables/files/mangle.conf.j2' ) }} |
@@ -0,0 +1,4 @@ | ||
--- | ||
{% import 'nftables/macro.sls' as nftables %} | ||
|
||
{{ nftables.include('05-nat', 'salt://nftables/tables/files/nat4.conf.j2' ) }} |