space_server: nftables: clean up rules a bit

author: Emil Renner Berthing <esmil@labitat.dk> 2017-11-13 21:03:33 +0100
committer: Emil Renner Berthing <esmil@labitat.dk> 2017-11-13 21:03:33 +0100
commit: bc647a09b960723615a51ab6e6155c2556bc2e9d (patch)
tree: 3d6e2fb593b3a4fb0901c940868ed6369ca0e61e /roles
parent: 5700aa5eece98b1d5cda44ef604b14fb6f4867bb (diff)
download: labitat-ansible-bc647a09b960723615a51ab6e6155c2556bc2e9d.tar.gz
labitat-ansible-bc647a09b960723615a51ab6e6155c2556bc2e9d.tar.xz
labitat-ansible-bc647a09b960723615a51ab6e6155c2556bc2e9d.zip
2 files changed, 70 insertions, 109 deletions
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
index c9dc9d7..619d776 100755..100644
--- a/roles/space_server/files/nftables/nftables.conf
+++ b/roles/space_server/files/nftables/nftables.conf
@@ -1,5 +1,3 @@
-#!/usr/sbin/nft -f
-
 # our hosts
 define ap1 = 10.42.0.5
 define ap2 = 10.42.0.6
@@ -35,6 +33,7 @@ define priv_net6 = 2a01:4260:1ab:c::/64
 define free_if   = lan13
 define free_ip4  = 10.42.3.1
 define free_net4 = 10.42.3.0/24
+define free_net6 = 2a01:4260:1ab:d::/64
 
 define pass_if   = lan14
 define pass_ip4  = 10.42.4.1
@@ -65,31 +64,34 @@ table ip filter {
 
 		iif lo accept
 
-		# infrastructure
-		iif $ext_if  ip saddr $link_net4 ip daddr $link_net4 counter accept
-		udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests
-		iif $adm_if  ip saddr { $ap1, $ap2 } udp dport 1812 accept      # RADIUS from AP
-		iif $ext_if  ip saddr $labitat ip protocol 41 accept            # IPv6 tunnel
-		iif $wire_if ip saddr $wire_net4 udp dport 69 accept            # TFTP
-		iif $wire_if ip saddr $wire_net4 udp dport 123 accept           # NTP
+		# bird etc. on fiberby link
+		iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+
+		# dhcp
+		udp sport bootpc udp dport bootps iif != $ext_if counter accept
+
+		# radius
+		iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
+
+		# tftp
+		iif $wire_if ip saddr $wire_net4 udp dport 69 accept
 
-		# allow ssh
+		# ssh
 		tcp dport 22 accept
 
 		# dns
-		ip saddr $int_net4 tcp dport 53 accept
-		ip saddr $int_net4 udp dport 53 accept
-		ip saddr $ext_net4 tcp dport 53 accept
-		ip saddr $ext_net4 udp dport 53 accept
+		tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
+		udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
 
-		# Avahi
+		# avahi
 		ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
-		ip protocol igmp iif $avahi_ifs accept # Allow IGMP here
+		ip protocol igmp iif $avahi_ifs accept
 
-		iif $ext_if counter drop
-		udp dport { 137, 138, 5353 } drop    # NetBIOS, Avahi
-		udp sport 17500 udp dport 17500 drop # Dropbox LANsync
-		ip protocol igmp drop                # IGMP
+		## debugging
+		#iif $ext_if counter drop
+		#udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
+		#udp sport 17500 udp dport 17500 drop # Dropbox LANsync
+		#ip protocol igmp drop                # IGMP
 		#counter log prefix "in4: " drop
 		drop
 	}
@@ -100,16 +102,14 @@ table ip filter {
 		ct state established,related accept
 		ct state invalid drop
 
-		# no ping floods
-		ip protocol icmp limit rate 100/second accept
-		ip protocol icmp drop
-
-		ip daddr $spacewand4 accept
-
 		ip saddr $labitat udp dport 161 counter accept # traffic stats
 
 		# no traffic to admin net
-		ip saddr $int_net4 ip daddr $adm_net4 drop
+		ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
+		ip daddr $adm_net4 drop
+
+		# accept all traffic to spacewand
+		ip daddr $spacewand4 accept
 
 		# local traffic
 		iif $adm_if  ip saddr $adm_net4  accept
@@ -119,37 +119,13 @@ table ip filter {
 		iif $pass_if ip saddr $pass_net4 accept
 		iif $serv_if ip saddr $serv_net4 accept
 
+		## debugging
+		#iif $ext_if counter drop
 		#counter log prefix "fw4: " drop
 		drop
 	}
 }
 
-table ip nat {
-	chain portforward {
-		ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9      # traffic stats
-	}
-
-	chain prerouting {
-		type nat hook prerouting priority -150;
-		goto portforward
-	}
-
-	chain output {
-		type nat hook output priority -150;
-		goto portforward
-	}
-
-	chain input {
-		type nat hook input priority -150;
-		# this chain is needed to make dnat from the output chain work
-	}
-
-	chain postrouting {
-		type nat hook postrouting priority -150;
-		oif $ext_if snat $ext_ip4
-        }
-}
-
 table ip6 filter {
 	chain input {
 		type filter hook input priority 0;
@@ -158,20 +134,22 @@ table ip6 filter {
 		ct state invalid drop
 
 		# no ping floods
-		ip6 nexthdr icmpv6 limit rate 100/second accept
-		ip6 nexthdr icmpv6 drop
+		ip6 nexthdr { hopopt, ipv6-icmp } limit rate 100/second accept
+		ip6 nexthdr { hopopt, ipv6-icmp } drop
 
 		iif lo accept
 
+		# bird etc. on fiberby link
 		iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
 
-		# allow ssh
+		# ssh
 		tcp dport 22 accept
 
 		# dns
 		ip6 saddr $ext_net6 tcp dport 53 accept
 		ip6 saddr $ext_net6 udp dport 53 accept
 
+		## debugging
 		#counter log prefix "in6: " drop
 		drop
 	}
@@ -182,67 +160,42 @@ table ip6 filter {
 		ct state established,related accept
 		ct state invalid drop
 
-		# no ping floods
-		ip6 nexthdr icmpv6 limit rate 100/second accept
-		ip6 nexthdr icmpv6 drop
-
 		ip6 daddr $spacewand6 accept
 
 		iif $wire_if ip6 saddr $wire_net6 accept
 		iif $priv_if ip6 saddr $priv_net6 accept
+		#iif $free_if ip6 saddr $free_net6 ip6 daddr != $int_net6 accept
 		iif $pass_if ip6 saddr $pass_net6 accept
 		iif $serv_if ip6 saddr $serv_net6 accept
 
+		## debugging
 		#counter log prefix "fw6: " drop
 		drop
 	}
 }
 
-# Allow all by default
-# (couldn't get default-deny to work, and this script is better than nothing)
-
-#table ip6 filter {
-#	chain input {
-#		type filter hook input priority 0;
-#		# Don't allow ULA net on outside
-#		#ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net
-#		iif $ext_if6 ip6 daddr $ula_net reject
-#		#ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net
-#		iif $ext_if6 ip6 saddr $ula_net reject
-#
-#		accept
-#	}
-#
-#	chain output {
-#		type filter hook output priority 0;
-#		#ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net
-#		oif $ext_if6 ip6 daddr $ula_net reject
-#		#ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net
-#		oif $ext_if6 ip6 saddr $ula_net reject
-#
-#		accept
-#	}
-#
-#	chain forward {
-#		type filter hook forward priority 0;
-#		# Don't allow NAT64 for networks with IPv4
-#		# (remember: free and admin don't have IPv6)
-#		#ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6
-#		iif $wire_if ip6 daddr $nat64_net6 reject
-#		#ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6
-#		iif $priv_if ip6 daddr $nat64_net6 reject
-#		#ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6
-#		iif $pass_if ip6 daddr $nat64_net6 reject
-#
-#		#ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net
-#		iif $ext_if6 ip6 daddr $ula_net reject
-#		#ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net
-#		iif $ext_if6 ip6 saddr $ula_net reject
-#		#ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net
-#		oif $ext_if6 ip6 daddr $ula_net reject
-#		#ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net
-#		oif $ext_if6 ip6 saddr $ula_net reject
-#
-#		accept
-#	}
-#}
+table ip nat {
+	chain portforward {
+		ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
+	}
+
+	chain prerouting {
+		type nat hook prerouting priority -150;
+		goto portforward
+	}
+
+	chain output {
+		type nat hook output priority -150;
+		goto portforward
+	}
+
+	chain input {
+		type nat hook input priority -150;
+		# this chain is needed to make dnat from the output chain work
+	}
+
+	chain postrouting {
+		type nat hook postrouting priority -150;
+		oif $ext_if snat $ext_ip4
+        }
+}
diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml
index a7fb588..2dc8fce 100644
--- a/roles/space_server/tasks/nftables.yml
+++ b/roles/space_server/tasks/nftables.yml
@@ -11,10 +11,18 @@
   tags:
     - packages
 
+- name: Symlink to /etc/nftables.conf
+  file:
+    path: '/etc/sysconfig/nftables.conf'
+    state: link
+    src: '../nftables.conf'
+    force: yes
+  notify:
+    - reload nftables
 - name: Configure nftables
   copy:
     src: nftables/nftables.conf
-    dest: '/etc/sysconfig/nftables.conf'
+    dest: '/etc/nftables.conf'
   notify:
     - reload nftables
author	Emil Renner Berthing <esmil@labitat.dk>	2017-11-13 21:03:33 +0100
committer	Emil Renner Berthing <esmil@labitat.dk>	2017-11-13 21:03:33 +0100
commit	bc647a09b960723615a51ab6e6155c2556bc2e9d (patch)
tree	3d6e2fb593b3a4fb0901c940868ed6369ca0e61e /roles
parent	5700aa5eece98b1d5cda44ef604b14fb6f4867bb (diff)
download	labitat-ansible-bc647a09b960723615a51ab6e6155c2556bc2e9d.tar.gz labitat-ansible-bc647a09b960723615a51ab6e6155c2556bc2e9d.tar.xz labitat-ansible-bc647a09b960723615a51ab6e6155c2556bc2e9d.zip