diff --git a/network/files/firewall_rules.nft.jinja b/network/files/firewall_rules.nft.jinja
new file mode 100644
index 0000000..20b4858
--- /dev/null
+++ b/network/files/firewall_rules.nft.jinja
@@ -0,0 +1,12 @@
+# This file is managed by Saltstack. (State {{ STATE }})
+
+#!/usr/sbin/nft
+
+table inet filter {
+ chain input {
+ tcp dport 22 accept
+ {% for port in ALLOWED_PORTS %}
+ tcp dport {{ port }} accept
+ {% endfor %}
+ }
+}
\ No newline at end of file
diff --git a/system/files/network_interfaces b/network/files/network_interfaces
similarity index 100%
rename from system/files/network_interfaces
rename to network/files/network_interfaces
diff --git a/system/firewall.sls b/network/firewall.sls
similarity index 50%
rename from system/firewall.sls
rename to network/firewall.sls
index 17171d6..d52369d 100644
--- a/system/firewall.sls
+++ b/network/firewall.sls
@@ -1,12 +1,12 @@
-system_firewall_pkgs:
+network_firewall_pkgs:
 pkg.installed:
 - pkgs:
- - iptables
+ - nftables
 
-system_firewall_rules:
+network_firewall_rules:
 file.managed:
- - name: /etc/iptables/rules-save
- - source: salt://{{ tpldir }}/files/firewall_rules.v4.jinja
+ - name: /etc/nftables.d/noveria.nft
+ - source: salt://{{ tpldir }}/files/firewall_rules.nft.jinja
 - template: jinja
 - context:
 STATE: {{ sls }}
@@ -16,15 +16,15 @@ system_firewall_rules:
 - mode: '0600'
 - makedirs: true
 - require:
- - system_firewall_pkgs
+ - network_firewall_pkgs
 
-system_firewall_service_reload:
+network_firewall_service_reload:
 service.running:
- - name: iptables
+ - name: nftables
 - enable: true
 - reload: true
 - watch:
- - system_firewall_rules
+ - network_firewall_rules
 - require:
- - system_firewall_pkgs
+ - network_firewall_pkgs
diff --git a/system/network.sls b/network/init.sls
similarity index 75%
rename from system/network.sls
rename to network/init.sls
index 0bda3fd..8be14cb 100644
--- a/system/network.sls
+++ b/network/init.sls
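Review bot: The `input` chain in the new template has no `type filter hook input priority 0; policy drop;` line, so nftables treats it as a regular chain that is never attached to the input hook: none of its `accept` rules are ever evaluated and no drop policy exists, which leaves the host open compared with the `:INPUT DROP` / `:FORWARD DROP` policies of the deleted `firewall_rules.v4.jinja` further down this diff. The loopback accept, the anti-spoof drop for `127.0.0.0/8` and the `RELATED,ESTABLISHED` accept from the old file are also missing, so once the hook is added, return traffic for the host's own outbound connections would be dropped unless they come back too. The shebang on the third line is inert for a file pulled in by an `include`; harmless, but misleading if someone expects the file to be runnable on its own. A ruleset that restores the old policy is below; the Jinja loop is kept as it is.
```jinja
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        iif != "lo" ip daddr 127.0.0.0/8 drop
        ct state established,related accept
        tcp dport 22 accept
        # … unchanged: ALLOWED_PORTS loop …
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```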
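Review bot: Nothing in `network_firewall_rules` validates the rendered ruleset before it is written to `/etc/nftables.d/noveria.nft`, so a malformed entry in `ALLOWED_PORTS` (the template interpolates `{{ port }}` without any check) produces a file nftables cannot parse, the watching reload in the next hunk then fails, and the host is left with whatever ruleset was active before, possibly none. `file.managed` supports `check_cmd`, which runs the command against the temporary file and aborts the change on a non-zero exit; adding `- check_cmd: nft -c -f` next to `- template: jinja` keeps a broken ruleset off the disk. Whether the new path is loaded at all depends on `/etc/nftables.conf` including that directory, which this state neither manages nor asserts; a comment on the `name:` line such as `# picked up only if /etc/nftables.conf includes /etc/nftables.d/*.nft — confirm on the target` would record that assumption.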
@@ -1,7 +1,7 @@
 include:
- - .base
+ - .firewall
 
-system_network_interfaces:
+network_interfaces:
 file.managed:
 - name: /etc/network/interfaces
 - source: salt://{{ tpldir }}/files/network_interfaces
@@ -11,10 +11,10 @@ system_network_interfaces:
 - require:
 - system_base_pkgs
 
-system_network_service_reload:
+network_service_reload:
 service.running:
 - name: networking
 - enable: true
 - reload: true
 - watch:
- - system_network_interfaces
+ - system_network_interfaces
\ No newline at end of file
diff --git a/system/files/firewall_rules.v4.jinja b/system/files/firewall_rules.v4.jinja
deleted file mode 100644
index e1b594c..0000000
--- a/system/files/firewall_rules.v4.jinja
+++ /dev/null
@@ -1,23 +0,0 @@
-# This file is managed by Saltstack. (State {{ STATE }})
-
-*filter
-
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -i lo -j ACCEPT
-
--A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
--A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-
-{% for port in ALLOWED_PORTS %}
--A INPUT -p tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-COMMIT
diff --git a/system/init.sls b/system/init.sls
index e7930e6..0086569 100644
--- a/system/init.sls
+++ b/system/init.sls
@@ -2,8 +2,6 @@ include:
 - .base
 - .bootloader
 - .disks
- - .firewall
- - .network
 - .user
 - .shell
 - .salt
diff --git a/top.sls b/top.sls
index df56b1b..4ae3cd7 100644
--- a/top.sls
+++ b/top.sls
@@ -1,5 +1,6 @@
 base:
 '*':
 - system
+ - network
 - applications
 - util
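Review bot: The `watch` entry of `network_service_reload` in the second hunk of `network/init.sls` still names `system_network_interfaces`, but the first hunk of the same file renames that state ID to `network_interfaces`, so the highstate fails with an unresolved requisite and the networking service is never reloaded after the interfaces file changes; the line should read `- network_interfaces`. The `require: - system_base_pkgs` context line just above it refers to a state defined under `system`, which this file no longer includes now that `.base` was swapped for `.firewall` (resolving to `network.firewall` after the move); it presumably still resolves when `system` and `network` are applied together from `top.sls`, but `state.apply network` on its own would fail on it. Adding `- system.base` to the include list makes that dependency explicit rather than relying on top-file ordering.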