diff options
Diffstat (limited to 'roles/common')
| -rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index bbc0e7c..c89a136 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -40,41 +40,41 @@ define out-tcp-ports = { {% endif %} } ############################################################################### flush ruleset table netdev filter { {% for if in ansible_interfaces %} {% if if != "lo" and ansible_facts[if].active %} {% set addr = (ansible_facts[if].ipv4 | default({'address': '0.0.0.0'})).address %} chain INGRESS-{{ if }} { type filter hook ingress device {{ if }} priority -499 policy accept # IPsec traffic (refined later in the filter rule) ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options) - icmp type { echo-reply, echo-request, destination-unreachable } counter accept + icmp type { echo-reply, echo-request, destination-unreachable, time-exceeded } counter accept icmpv6 type { echo-reply, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1 ip6 hoplimit 255 icmpv6 type { 133,134,135,136,141,142 } counter accept # reject all remaining ICMP/ICMPv6 traffic meta l4proto { icmp, icmpv6 } drop # bogon filter (cf. RFC 6890 for non-global ip addresses) define bogon = { 0.0.0.0/8 # this host, on this network (RFC 1122 sec. 3.2.1.3) {% if not addr | ipaddr('10.0.0.0/8') %} , 10.0.0.0/8 # private-use (RFC 1918) {% endif %} , 100.64.0.0/10 # shared address space (RFC 6598) , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3) , 169.254.0.0/16 # link local (RFC 3927) {% if not addr | ipaddr('172.16.0.0/12') %} , 172.16.0.0/12 # private-use (RFC 1918) @@ -148,40 +148,41 @@ table inet filter { set fail2ban { type ipv4_addr; timeout 10m; } set fail2ban6 { type ipv6_addr; timeout 10m; } chain input { type filter hook input priority 0 policy drop iif lo accept # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions # to match match inbound resp. outbound policies and source resp. destination tunnel addresses. # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP # encapsulation.) We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way # peers can't impersonate each other. meta l4proto esp accept # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept + # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already meta l4proto { icmp, icmpv6 } counter accept udp sport 123 udp dport 123 ct state related,established accept {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} udp sport 4500 udp dport 4500 ct state new,related,established accept {% endif %} {% endif %} udp sport 53 ct state related,established accept tcp sport 53 ct state related,established accept {% if 'dhclient' in group_names %} ip version 4 udp sport 67 udp dport 68 ct state related,established accept ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept {% endif %} meta l4proto tcp ip saddr @fail2ban counter drop meta l4proto tcp ip6 saddr @fail2ban6 counter drop |