From 1e1a9e9a73daf23b87f3de49347b494ce0534ef0 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Tue, 27 Feb 2024 09:21:04 +0100
Subject: Add playbook for managing nftables
---
 defaults | 11 +++++
 playbooks.d/fw-nftables/description.txt | 1 +
 playbooks.d/fw-nftables/etc/defaults | 2 +
 playbooks.d/fw-nftables/playbook.bash | 83 +++++++++++++++++++++++++++++++++
 4 files changed, 97 insertions(+)
 create mode 100644 playbooks.d/fw-nftables/description.txt
 create mode 100644 playbooks.d/fw-nftables/etc/defaults
 create mode 100644 playbooks.d/fw-nftables/playbook.bash
diff --git a/defaults b/defaults
index db56c11..15203d5 100644
--- a/defaults
+++ b/defaults
@@ -9,6 +9,17 @@ dns.upstream.3=2a03:94e0:1804::1
 dns.upstream.4=2001:470:71:6dc::53
 etc-nixos.path=/etc/nixos
 etc-portage.path=/etc/portage
+fw-nftables.input.icmp.ipv4.policy=accept
+fw-nftables.input.icmp.ipv4.rate=2/second
+fw-nftables.input.icmp.ipv6.policy=accept
+fw-nftables.input.icmp.ipv6.rate=2/second
+fw-nftables.input.policy=drop
+fw-nftables.input.rules.ssh.policy=accept
+fw-nftables.input.rules.ssh.port=22
+fw-nftables.input.rules.ssh.proto=tcp
+fw-nftables.input.state.established.policy=accept
+fw-nftables.input.state.invalid.policy=drop
+fw-nftables.input.state.related.policy=accept
 k3s-master.cluster-domain=k3s.tyil.nl
 k3s-master.helm.apps.certmanager.chart=jetstack/cert-manager
 k3s-master.helm.apps.certmanager.namespace=base-system
diff --git a/playbooks.d/fw-nftables/description.txt b/playbooks.d/fw-nftables/description.txt
new file mode 100644
index 0000000..38683d6
--- /dev/null
+++ b/playbooks.d/fw-nftables/description.txt
@@ -0,0 +1 @@
+Firewall through nftables
diff --git a/playbooks.d/fw-nftables/etc/defaults b/playbooks.d/fw-nftables/etc/defaults
new file mode 100644
index 0000000..10cc38b
--- /dev/null
+++ b/playbooks.d/fw-nftables/etc/defaults
@@ -0,0 +1,2 @@
+pkg.nftables=nftables
+svc.nftables=nftables
diff --git a/playbooks.d/fw-nftables/playbook.bash b/playbooks.d/fw-nftables/playbook.bash
new file mode 100644
index 0000000..748c177
--- /dev/null
+++ b/playbooks.d/fw-nftables/playbook.bash
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+playbook_add() {
+ pkg install nftables
+
+ playbook_sync
+
+ svc enable nftables
+ svc start nftables
+}
+
+playbook_sync() {
+ {
+ printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")"
+ printf "flush ruleset\n\n"
+ printf "table inet filter {\n"
+ printf "\tchain input {\n"
+ printf "\t\ttype filter hook input priority filter;\n"
+
+ # Add conntrack state rules
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for conntrack state"
+ printf "\n"
+ printf "\t\tct state established %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")"
+ printf "\t\tct state related %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")"
+ printf "\t\tct state invalid %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
+
+ # Add ICMP rules
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
+ printf "\n"
+ printf "\t\tip protocol icmp icmp type echo-request" \ # IPv4
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")"
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"
+ printf ";\n"
+ printf "\t\tip6 nexthdr icmpv6 icmpv6 type echo-request" \ # IPv6
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "2/second")"
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
+ printf ";\n"
+
+ # Add custom input rules
+ printf "\n"
+ while read -r rule
+ do
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for custom rule $rule"
+ printf "\t\t%s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")"
+ printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")"
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")"
+ printf ";\n"
+ done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules")
+
+ # Add fallback policy
+ printf "\n"
+ printf "\t\tpolicy %s;\n" "$(config 
"$BASHTARD_PLAYBOOK.input.policy" "drop")" + + printf "\t}\n" + printf "\tchain forward {\n" + printf "\t\ttype filter hook forward priority filter;\n" + + # TODO: Add forward rules + + printf "\t}\n" + printf "\tchain output {\n" + printf "\t\ttype filter hook output priority filter;\n" + + # TODO: Add output rules + + printf "\t}\n" + printf "}\n" + } > "$(config "fs.etcdir")/nftables.conf" + + [[ "$BASHTARD_COMMAND" == "add" ]] && return + + svc restart nftables +} + +playbook_del() { + svc stop nftables + svc disable nftables + pkg uninstall nftables + rm -fr -- "$(config "fs.etcdir")/nftables" +} -- cgit v1.1