refactor(security): reworked firewall configuration and added support for DNS, HTTP and ICMP rules; added autoconf for resolv.conf to match FW rules
This commit is contained in:
parent
3a7440f570
commit
da45c7c409
22 changed files with 169 additions and 48 deletions
|
@ -11,23 +11,20 @@ security:
|
|||
policy:
|
||||
prerouting: accept
|
||||
input: accept
|
||||
postrouting: accept
|
||||
output: accept
|
||||
additional_rules: ""
|
||||
postrouting: accept
|
||||
mangle:
|
||||
drop_privatenets: true
|
||||
policy:
|
||||
prerouting: accept
|
||||
postrouting: accept
|
||||
output: accept
|
||||
forward: drop
|
||||
additional_rules: ""
|
||||
postrouting: accept
|
||||
filter:
|
||||
policy:
|
||||
input: drop
|
||||
output: drop
|
||||
forward: drop
|
||||
additional_rules: ""
|
||||
|
||||
custom_security: {}
|
||||
recursive_combine: true
|
||||
|
|
|
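Review bot: The defaults carry no comments, so an operator editing this file cannot see that `drop_privatenets: true` makes the mangle prerouting chain drop every inbound packet whose source is in the `$private_nets` set (10/8, 100.64/10, 172.16/12, 192.0.0.0/24, 192.168/16, 198.18/15 in this commit's main config), nor that `filter.policy.output: drop` means only the rule files under nftables.d (DNS, HTTP/S, ICMP and SSH to the controller here) may originate traffic. Suggest `# Drop inbound packets sourced from RFC1918/CGNAT/benchmark ranges at prerouting; set false if the host talks to LAN peers` above `drop_privatenets`, and `# output: drop -> only nftables.d rule files may open outbound connections` above the filter policy. `forward: drop` under mangle is evaluated at priority -150, before the filter table's own forward policy, so both need changing together when forwarding is ever enabled; a one-line comment saying so would save a debugging session.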
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: '[firewall] restart service'
|
||||
become: true
|
||||
systemd_service:
|
||||
ansible.builtin.systemd_service:
|
||||
name: nftables.service
|
||||
enabled: true
|
||||
state: restarted
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
dest: /etc/nftables.conf
|
||||
mode: '0700'
|
||||
|
||||
- name: common firewall rules
|
||||
- name: base tables definition
|
||||
ansible.builtin.template:
|
||||
src: "../templates/system/nftables/{{ item }}.table.j2"
|
||||
dest: "/etc/nftables.d/{{ item }}.table"
|
||||
|
@ -56,3 +56,10 @@
|
|||
- 01-nat
|
||||
- 02-mangle
|
||||
- 03-filter
|
||||
|
||||
- name: common firewall rules
|
||||
ansible.builtin.template:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/nftables.d/{{ (item.split('/') | last)[:-3] }}"
|
||||
mode: '0600'
|
||||
loop: "{{ q('fileglob', '../templates/system/nftables.d/*.j2') }}"
|
||||
|
|
|
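Review bot: Nothing validates the assembled ruleset before the `[firewall] restart service` handler runs, and the new glob loop makes that riskier: a syntax error in any `nftables.d/*.j2` makes `nft -f /etc/nftables.conf` fail, and on distributions whose nftables unit runs `nft flush ruleset` in ExecStop a restart then leaves the host with an empty accept-everything ruleset (the unit file is not in this commit, so confirm). Add a check after this task and before notifying, e.g. `- name: validate nftables ruleset` / `ansible.builtin.command: nft -c -f /etc/nftables.conf` / `changed_when: false`; per-file `validate:` cannot work here because the fragments depend on the defines in the main file. The loop also never removes a rule file that was deleted from the templates directory, so stale rules keep loading on existing hosts; a cleanup pass (find files in /etc/nftables.d not in the rendered list, `state: absent`) is needed. Finally `mode: '0600'` here differs from the `'0700'` applied to /etc/nftables.conf in the previous hunk; the execute bit on a regular config file is unneeded, so use `0600` for both.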
@ -4,8 +4,12 @@ flush ruleset
|
|||
|
||||
define ansible_controller_ip = {{ supervisor_ip | default('127.0.0.1', true) }}
|
||||
define ansible_controller_ip6 = {{ supervisor_ip6 | default('fe80::', true) }}
|
||||
define dns_server = {{ dns_server | default('9.9.9.9', true) }}
|
||||
define dns_server6 = {{ dns_server | default('2620:fe::fe', true) }}
|
||||
define dns_servers = {
|
||||
{{ dns[dns.type].dns4 | default(["9.9.9.9", "149.112.112.112"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }}
|
||||
}
|
||||
define dns_servers6 = {
|
||||
{{ dns[dns.type].dns6 | default(["2620:fe::fe", "2620:fe::9"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }}
|
||||
}
|
||||
define private_nets = {
|
||||
10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12,
|
||||
192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
|
||||
|
@ -15,6 +19,7 @@ define reserved_nets = {
|
|||
192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24,
|
||||
224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4
|
||||
}
|
||||
define ssh_localport = {{ ssh_localport | default(22, true) }}
|
||||
|
||||
include "/etc/nftables.d/01-nat.table"
|
||||
include "/etc/nftables.d/02-mangle.table"
|
||||
|
|
|
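Review bot: Removing the `dns_server`/`dns_server6` defines will make `nft -f` reject the whole ruleset if any other template or an operator's `additional_rules` still references `$dns_server`; only 01-nat and 02-mangle are visible here, so grep the remaining fragments before merging. The new sets fall back silently to Quad9 when `dns[dns.type].dns4`/`dns6` is empty or undefined, and 03-filter drops outbound DNS to anything not in them, so a host whose resolv.conf points elsewhere loses name resolution with no log line; a header comment such as `# dns_servers/dns_servers6 must match what the resolv.conf autoconf writes: 03-filter drops DNS to any other resolver` documents the coupling the commit title describes. The IPv6 controller default `fe80::` is a single address, so the `ip6 saddr $ansible_controller_ip6` rules match nothing unless `supervisor_ip6` is set, which is presumably intended but worth a comment.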
@ -0,0 +1,5 @@
|
|||
table inet filter {
|
||||
chain output {
|
||||
meta nfproto { ipv4, ipv6 } tcp dport { http, https } accept
|
||||
}
|
||||
}
|
|
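Review bot: `meta nfproto { ipv4, ipv6 } tcp dport { http, https } accept` opens outbound 80/443 to every destination, which makes the `output: drop` default policy largely symbolic for a compromised host (any HTTPS beacon or exfil passes) while the sibling DNS rule pins its destinations. If the intent is package mirrors or a proxy, name them like `dns_servers` and write `ip daddr $http_servers tcp dport { http, https } ct state new accept` (plus an ip6 twin); otherwise add a comment stating that unrestricted egress on 80/443 is an accepted risk. The `meta nfproto { ipv4, ipv6 }` qualifier is a no-op in an `inet` table, which only ever sees those two families, and can be dropped. The file extends `chain output` without a `type filter hook` line, so it must be included after 03-filter.table declares the base chain; the include order is outside this hunk.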
@ -0,0 +1,14 @@
|
|||
table inet filter {
|
||||
chain output {
|
||||
icmp type {
|
||||
echo-reply, destination-unreachable, source-quench, redirect, echo-request,
|
||||
time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request,
|
||||
info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation
|
||||
} accept
|
||||
icmpv6 type {
|
||||
destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query,
|
||||
mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
|
||||
nd-neighbor-advert, parameter-problem, mld2-listener-report
|
||||
} accept
|
||||
}
|
||||
}
|
|
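Review bot: The outbound ICMPv4 set accepts types a non-router host should never emit, `redirect`, `router-advertisement`, `address-mask-reply`, `info-reply` and `timestamp-reply`, plus `source-quench`, which RFC 6633 deprecates; the timestamp and address-mask replies in particular answer reconnaissance probes that the input file also lets in. Trim it to what a host originates: `icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem } accept`. For ICMPv6 the ND and MLD types are needed for the stack to work, but `nd-router-advert` outbound is only legitimate if this host is a router, so drop it unless that is the case. The list is a byte-for-byte copy of the input file's; a shared define in the main config would keep the two from drifting.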
@ -0,0 +1,14 @@
|
|||
table inet filter {
|
||||
chain input {
|
||||
icmp type {
|
||||
echo-reply, destination-unreachable, source-quench, redirect, echo-request,
|
||||
time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request,
|
||||
info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation
|
||||
} accept
|
||||
icmpv6 type {
|
||||
destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query,
|
||||
mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
|
||||
nd-neighbor-advert, parameter-problem, mld2-listener-report
|
||||
} accept
|
||||
}
|
||||
}
|
|
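Review bot: `chain input` accepts `redirect`, `router-advertisement`, `timestamp-request`, `address-mask-request`, `info-request` and `source-quench` unconditionally, and `nd-router-advert`/`nd-neighbor-advert` without a hop-limit check; redirects and RAs let an on-link attacker rewrite this host's routes or default gateway if the kernel honours them (a sysctl outside this commit), and the timestamp/address-mask requests answer recon probes. Because 03-filter's input chain already accepts `ct state related,established`, error messages for the host's own flows arrive through conntrack, so only unsolicited types need an explicit accept here. The rewrite below keeps the minimum, requires `ip6 hlim 255` on ND as RFC 4861 mandates for on-link origin, and rate-limits echo requests; the limit values are a starting point, tune them to the host's role.
```nftables
table inet filter {
	chain input {
		icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		icmp type echo-request limit rate 5/second burst 10 packets accept
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
		icmpv6 type echo-request limit rate 5/second burst 10 packets accept
		# ND: RFC 4861 requires hop limit 255, so off-link spoofed RAs/NAs are rejected
		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hlim 255 accept
		# MLD is link-local with hop limit 1 (RFC 3810)
		icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction, mld2-listener-report } ip6 hlim 1 accept
	}
}
```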
@ -8,11 +8,11 @@ table inet nat {
|
|||
type nat hook input priority 100; policy {{ firewall.nat.policy.input }};
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy {{ firewall.nat.policy.postrouting }};
|
||||
}
|
||||
|
||||
chain output {
|
||||
type nat hook output priority -100; policy {{ firewall.nat.policy.output }};
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy {{ firewall.nat.policy.postrouting }};
|
||||
}
|
||||
}
|
||||
|
|
|
@ -2,15 +2,10 @@
|
|||
table inet mangle {
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority -150; policy {{ firewall.mangle.policy.prerouting }};
|
||||
ip saddr $ansible_controller_ip tcp dport 22 accept
|
||||
ip6 saddr $ansible_controller_ip6 tcp dport 22 accept
|
||||
ip daddr $ansible_controller_ip tcp sport 22 accept
|
||||
ip6 daddr $ansible_controller_ip6 tcp sport 22 accept
|
||||
|
||||
ip protocol icmp accept
|
||||
ip frag-off & 0x1fff != 0 counter drop
|
||||
ct state invalid counter drop
|
||||
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
|
||||
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
|
||||
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
|
||||
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
|
||||
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
|
||||
|
@ -26,6 +21,12 @@ table inet mangle {
|
|||
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
|
||||
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
|
||||
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
|
||||
|
||||
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
|
||||
ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
|
||||
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
|
||||
ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
|
||||
|
||||
{% if firewall.mangle.drop_privatenets -%}
|
||||
ip saddr $private_nets counter drop
|
||||
{% endif -%}
|
||||
|
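Review bot: `ip daddr $ansible_controller_ip tcp sport $ssh_localport accept` and its ip6 twin can never match in `chain prerouting`: that hook only sees packets arriving on an interface, and a packet addressed to the controller from our SSH port is one this host sends, which traverses output and postrouting instead (it would only appear here if another host routed it through us, and forward is `drop`). Keep the two `saddr` rules, which are what exempt the controller from the `$private_nets` drop that follows, and delete the `daddr` pair. An `accept` in this priority -150 mangle chain only ends this chain and the filter table still decides, so a comment such as `# stop mangle sanity checks early for the controller; filter input still applies` would help the next reader. With `drop_privatenets: true` every other private-net peer, including replies from a LAN resolver listed in `dns_servers`, is still dropped here before 03-filter's conntrack accept can see it; worth documenting next to the define since the option is on by default.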
@ -33,14 +34,6 @@ table inet mangle {
|
|||
iifname != "lo" ip saddr 127.0.0.0/8 counter drop
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority -150; policy {{ firewall.mangle.policy.postrouting }};
|
||||
ip saddr $ansible_controller_ip tcp dport 22 accept
|
||||
ip6 saddr $ansible_controller_ip6 tcp dport 22 accept
|
||||
ip daddr $ansible_controller_ip tcp sport 22 accept
|
||||
ip6 daddr $ansible_controller_ip6 tcp sport 22 accept
|
||||
}
|
||||
|
||||
chain output {
|
||||
type route hook output priority -150; policy {{ firewall.mangle.policy.output }};
|
||||
}
|
||||
|
@ -48,4 +41,12 @@ table inet mangle {
|
|||
chain forward {
|
||||
type filter hook forward priority -150; policy {{ firewall.mangle.policy.forward }};
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority -150; policy {{ firewall.mangle.policy.postrouting }};
|
||||
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
|
||||
ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
|
||||
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
|
||||
ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
|
||||
}
|
||||
}
|
||||
|
|
|
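Review bot: With the default `firewall.mangle.policy.postrouting: accept`, the four controller rules in this chain change nothing: an accept verdict in a chain whose policy is already accept is a no-op, and the filter output chain at priority 0 has decided before postrouting runs. The `ip saddr $ansible_controller_ip ... dport $ssh_localport` pair additionally cannot match locally generated packets, whose source address is this host's, so it would only ever apply to forwarded traffic. Either reduce the chain to its `type filter hook postrouting priority -150; policy ...;` line, or keep the rules with a comment such as `# only meaningful if postrouting policy is changed to drop; saddr rules need forwarding` so their purpose is recorded. The move of the chain to the end of the table and the `$ssh_localport` parameterization are fine as such.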
@ -2,22 +2,26 @@
|
|||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0; policy {{ firewall.filter.policy.input }};
|
||||
ip saddr $ansible_controller_ip tcp dport 22 accept
|
||||
ip6 saddr $ansible_controller_ip6 tcp dport 22 accept
|
||||
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
|
||||
ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
|
||||
|
||||
iifname "lo" counter accept
|
||||
ct state related,established counter accept
|
||||
tcp dport 22 limit rate 10/hour burst 5 packets counter accept
|
||||
tcp dport $ssh_localport limit rate 10/hour burst 5 packets counter accept
|
||||
}
|
||||
|
||||
chain output {
|
||||
type filter hook output priority 0; policy {{ firewall.filter.policy.output }};
|
||||
ip daddr $ansible_controller_ip tcp sport 22 accept
|
||||
ip6 daddr $ansible_controller_ip6 tcp sport 22 accept
|
||||
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
|
||||
ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
|
||||
|
||||
oifname "lo" counter accept
|
||||
ct state related,established counter accept
|
||||
tcp sport 22 counter accept
|
||||
tcp sport $ssh_localport counter accept
|
||||
|
||||
# Allow DNS queries using UDP, DoT and DoH
|
||||
ip daddr $dns_servers meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
|
||||
ip6 daddr $dns_servers6 meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
|
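Review bot: The DNS rule's port set `th dport { 53, 443, 953 }` contradicts its comment: DNS-over-TLS is 853, while 953 is BIND's rndc control port, so DoT to the listed resolvers is dropped and an unrelated management port is opened instead; change both lines to `th dport { 53, 443, 853 }`. `tcp sport $ssh_localport counter accept` in `chain output` permits any outbound packet whose source port is the SSH port to any destination, which `ct state related,established` two lines above already covers for real sessions; the surplus is a root-usable egress hole, so remove it (the controller `daddr ... sport` pair is likewise redundant with conntrack). The input limit `tcp dport $ssh_localport limit rate 10/hour burst 5 packets` is one global bucket, so a single scanner exhausts it and locks every other source out of SSH for the hour; a per-source meter such as `tcp dport $ssh_localport ct state new meter ssh_new { ip saddr limit rate 10/hour burst 5 packets } accept` (with an `ip6 saddr` twin, or the dynamic-set equivalent on newer nft) avoids that. `chain forward` starts on the last line of the hunk and its body is outside it.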