From 18559dab546003b0bca45e6a8e41db7119793c70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Wed, 20 Nov 2024 15:51:09 +0100
Subject: [PATCH] Move nftables ruleset to separate file
---
 infra/common/networking.nix | 76 ++-----------------------------
 infra/common/nftables-ruleset.nft | 71 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 71 deletions(-)
 create mode 100644 infra/common/nftables-ruleset.nft
diff --git a/infra/common/networking.nix b/infra/common/networking.nix
index 49b539c..376a9ca 100644
--- a/infra/common/networking.nix
+++ b/infra/common/networking.nix
@@ -22,6 +22,7 @@ in
 networking = {
 hostName = config.procolix.vm.name;
 domain = "procolix.com";
+
 interfaces = {
 eth0 = {
 ipv4 = {
@@ -42,6 +43,7 @@ in
 };
 };
 };
+
 defaultGateway = {
 address = "185.206.232.1";
 interface = "eth0";
@@ -50,85 +52,17 @@ in
 address = "2a00:51c0:12:1201::1";
 interface = "eth0";
 };
+ nameservers = [ "95.215.185.6" "95.215.185.7" "2a00:51c0::5fd7:b906" ];
+ firewall.enable = false;
 nftables = {
 enable = true;
- ruleset = ''
- #!/usr/sbin/nft -f
-
- flush ruleset
-
- ########### define usefull variables here #####################
- define wan = eth0
- define ssh_allow = {
- 83.161.147.127/32, # host801 ipv4
- 95.215.185.92/32, # host088 ipv4
- 95.215.185.211/32, # host089 ipv4
- 95.215.185.34/32, # nagios2 ipv4
- 95.215.185.181/32, # ansible.procolix.com
- 95.215.185.235/32, # ansible-hq
- }
- define snmp_allow = {
- 95.215.185.31/32, # cacti ipv4
- }
- define nrpe_allow = {
- 95.215.185.34/32, # nagios2 ipv4
- }
-
- ########### here starts the automated bit #####################
- table inet filter {
- chain input {
- type filter hook input priority 0;
- policy drop;
-
- # established/related connections
- ct state established,related accept
- ct state invalid drop
-
- # Limit ping requests.
- ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
- ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
-
- # loopback interface
- iifname lo accept
-
- # icmp
- ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
- # Without the nd-* ones ipv6 will not work.
- ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
-
- # open tcp ports: sshd (22)
- tcp dport {ssh} accept
-
- # open tcp ports: snmp (161)
- ip saddr $snmp_allow udp dport {snmp} accept
-
- # open tcp ports: nrpe (5666)
- ip saddr $nrpe_allow tcp dport {nrpe} accept
-
- # open tcp ports: http (80,443)
- tcp dport {http,https} accept
- }
- chain forward {
- type filter hook forward priority 0;
- }
- chain output {
- type filter hook output priority 0;
- }
- }
-
- table ip nat {
- chain postrouting {
- }
- chain prerouting {
- }
- }
- '';
+ rulesetFile = ./nftables-ruleset.nft;
 };
 };
 };
diff --git a/infra/common/nftables-ruleset.nft b/infra/common/nftables-ruleset.nft
new file mode 100644
index 0000000..523027b
--- /dev/null
+++ b/infra/common/nftables-ruleset.nft
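Review bot: `firewall.enable = false;` makes the hand-written ruleset the only packet filter on the host, so any port another module opens through the NixOS firewall (`networking.firewall.allowedTCPPorts`, a service's `openFirewall = true`) silently stops having any effect; a comment next to the line would save the next maintainer a surprise, e.g. `# The NixOS firewall is disabled on purpose: nftables-ruleset.nft is the whole policy, open ports there.` The nameservers and firewall.enable additions are functional changes that the subject "Move nftables ruleset to separate file" does not mention, so either split them out or name them in the message. Note also that `rulesetFile` is loaded by the NixOS nftables unit, which on recent nixpkgs has its own flushing switch (`networking.nftables.flushRuleset`), while the file itself starts with `flush ruleset`; check that the two do not overlap in the way you want. The enclosing `networking = { … }` attribute set begins before this hunk.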
@@ -0,0 +1,71 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+########### define usefull variables here #####################
+
+define wan = eth0
+define ssh_allow = {
+ 83.161.147.127/32, # host801 ipv4
+ 95.215.185.92/32, # host088 ipv4
+ 95.215.185.211/32, # host089 ipv4
+ 95.215.185.34/32, # nagios2 ipv4
+ 95.215.185.181/32, # ansible.procolix.com
+ 95.215.185.235/32, # ansible-hq
+}
+define snmp_allow = {
+ 95.215.185.31/32, # cacti ipv4
+}
+define nrpe_allow = {
+ 95.215.185.34/32, # nagios2 ipv4
+}
+
+########### here starts the automated bit #####################
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ # established/related connections
+ ct state established,related accept
+ ct state invalid drop
+
+ # Limit ping requests.
+ ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
+ ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
+
+ # loopback interface
+ iifname lo accept
+
+ # icmp
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
+ # Without the nd-* ones ipv6 will not work.
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
+
+ # open tcp ports: sshd (22)
+ tcp dport {ssh} accept
+
+ # open tcp ports: snmp (161)
+ ip saddr $snmp_allow udp dport {snmp} accept
+
+ # open tcp ports: nrpe (5666)
+ ip saddr $nrpe_allow tcp dport {nrpe} accept
+
+ # open tcp ports: http (80,443)
+ tcp dport {http,https} accept
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ }
+ chain prerouting {
+ }
+}
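Review bot: `ssh_allow` is defined but never referenced, so `tcp dport {ssh} accept` opens port 22 to every source address while the neighbouring `snmp_allow` and `nrpe_allow` sets are actually enforced with `ip saddr …`. If the allowlist is the intent, change the rule to `ip saddr $ssh_allow tcp dport {ssh} accept`, keeping in mind that the set holds only IPv4 addresses so SSH over IPv6 would then be closed; if world-reachable SSH is the intent, delete `ssh_allow` (and the equally unused `wan`) so the file does not advertise a restriction it does not apply. The forward chain declares no `policy`, which in nftables means accept; on a host with empty nat chains that presumably does not route, `policy drop;` there would match the input chain. The comment `# open tcp ports: snmp (161)` also labels a UDP rule and should read `# open udp ports: snmp (161)`.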