Switch from iptables to nftables, add separate network states
This commit is contained in:
parent
2dc09181ac
commit
57e7f057c6
7 changed files with 27 additions and 39 deletions
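--- a/network/files/firewall_rules.nft.jinja
+++ b/network/files/firewall_rules.nft.jinja
@@ -0,0 +1,12 @@
+# This file is managed by Saltstack. (State {{ STATE }})
+
+#!/usr/sbin/nft
+
+table inet filter {
+chain input {
+tcp dport 22 accept
+{% for port in ALLOWED_PORTS %}
+tcp dport {{ port }} accept
+{% endfor %}
+}
+}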
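Review bot: The `chain input { … }` block in this new file has no hook declaration, so nftables treats it as a regular chain that is never attached to the input path — none of the `tcp dport … accept` rules are ever evaluated and, unlike the deleted v4 file's `:INPUT DROP` / `:FORWARD DROP`, there is no default-drop policy, so after this commit the host effectively has no packet filter. The chain needs `type filter hook input priority 0; policy drop;` as its first statement, plus the loopback, anti-spoof and conntrack rules the old file carried (`-i lo ACCEPT`, `! -i lo -d 127.0.0.0/8 DROP`, `RELATED,ESTABLISHED ACCEPT`) and a base `forward` chain with a drop policy; note the `inet` family now applies these to IPv6 too, which the v4-only rules never covered. The `#!/usr/sbin/nft` line sits on line 3, where it is just a comment, and would need `-f` to act as an interpreter anyway — harmless if the file is only included from `/etc/nftables.conf`, so either drop it or move it to line 1 as `#!/usr/sbin/nft -f`. If the file is loaded with `nft -f` without a preceding `flush ruleset`, every Salt reload appends duplicate rules; declaring and flushing the table before defining it avoids that.
```nft
# This file is managed by Saltstack. (State {{ STATE }})
table inet filter
flush table inet filter
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        iif != "lo" ip daddr 127.0.0.0/8 drop
        ct state established,related accept
        tcp dport 22 accept
{% for port in ALLOWED_PORTS %}
        tcp dport {{ port }} accept
{% endfor %}
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```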
@ -1,12 +1,12 @@
|
||||||
system_firewall_pkgs:
|
network_firewall_pkgs:
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
- pkgs:
|
- pkgs:
|
||||||
- iptables
|
- nftables
|
||||||
|
|
||||||
system_firewall_rules:
|
network_firewall_rules:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: /etc/iptables/rules-save
|
- name: /etc/nftables.d/noveria.nft
|
||||||
- source: salt://{{ tpldir }}/files/firewall_rules.v4.jinja
|
- source: salt://{{ tpldir }}/files/firewall_rules.nft.jinja
|
||||||
- template: jinja
|
- template: jinja
|
||||||
- context:
|
- context:
|
||||||
STATE: {{ sls }}
|
STATE: {{ sls }}
|
||||||
|
@ -16,15 +16,15 @@ system_firewall_rules:
|
||||||
- mode: '0600'
|
- mode: '0600'
|
||||||
- makedirs: true
|
- makedirs: true
|
||||||
- require:
|
- require:
|
||||||
- system_firewall_pkgs
|
- network_firewall_pkgs
|
||||||
|
|
||||||
system_firewall_service_reload:
|
network_firewall_service_reload:
|
||||||
service.running:
|
service.running:
|
||||||
- name: iptables
|
- name: nftables
|
||||||
- enable: true
|
- enable: true
|
||||||
- reload: true
|
- reload: true
|
||||||
- watch:
|
- watch:
|
||||||
- system_firewall_rules
|
- network_firewall_rules
|
||||||
- require:
|
- require:
|
||||||
- system_firewall_pkgs
|
- network_firewall_pkgs
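Review bot: `- name: /etc/nftables.d/noveria.nft` in the first hunk writes the ruleset into a drop-in directory, but the `nftables` service the second hunk reloads runs `nft -f /etc/nftables.conf` on Debian-family hosts (which the `/etc/network/interfaces` state elsewhere in this commit suggests these are); unless that file already contains `include "/etc/nftables.d/*.nft"`, the managed rules are never loaded and the reload succeeds with whatever the stock config holds. Either manage `/etc/nftables.conf` with that include line in this state or point `name:` at `/etc/nftables.conf` directly, and confirm with `nft list ruleset` after a highstate. Independently, a template error would leave the host without a ruleset at the next reload, so the rendered file should be syntax-checked before it replaces the old one: `- check_cmd: /usr/sbin/nft -c -f` on `network_firewall_rules`. Lines 13–15 of the state (between the two hunks) are not shown here.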
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
include:
|
include:
|
||||||
- .base
|
- .firewall
|
||||||
|
|
||||||
system_network_interfaces:
|
network_interfaces:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: /etc/network/interfaces
|
- name: /etc/network/interfaces
|
||||||
- source: salt://{{ tpldir }}/files/network_interfaces
|
- source: salt://{{ tpldir }}/files/network_interfaces
|
||||||
|
@ -11,7 +11,7 @@ system_network_interfaces:
|
||||||
- require:
|
- require:
|
||||||
- system_base_pkgs
|
- system_base_pkgs
|
||||||
|
|
||||||
system_network_service_reload:
|
network_service_reload:
|
||||||
service.running:
|
service.running:
|
||||||
- name: networking
|
- name: networking
|
||||||
- enable: true
|
- enable: true
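Review bot: `network_interfaces` still requires `system_base_pkgs` (second hunk, unchanged) while the first hunk swaps the `- .base` include for `- .firewall`, so that ID is no longer pulled in by this SLS; it resolves only because `top.sls` applies `system` (which includes `.base`) in the same highstate, and `state.apply network` on its own will fail with a missing requisite. Make the dependency explicit with `include: - system.base` next to `- .firewall`, or change the requisite to `- sls: system.base`. If `.base` was meant to become a `network.base` state under the new directory, none is added in this commit, so that reading leaves the require dangling as well.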
|
|
@ -1,23 +0,0 @@
|
||||||
# This file is managed by Saltstack. (State {{ STATE }})
|
|
||||||
|
|
||||||
*filter
|
|
||||||
|
|
||||||
:INPUT DROP [0:0]
|
|
||||||
:FORWARD DROP [0:0]
|
|
||||||
:OUTPUT ACCEPT [0:0]
|
|
||||||
|
|
||||||
-A INPUT -i lo -j ACCEPT
|
|
||||||
|
|
||||||
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
|
|
||||||
|
|
||||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
|
|
||||||
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
|
|
||||||
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
|
||||||
|
|
||||||
{% for port in ALLOWED_PORTS %}
|
|
||||||
-A INPUT -p tcp --dport {{ port }} -j ACCEPT
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
COMMIT
|
|
|
@ -2,8 +2,6 @@ include:
|
||||||
- .base
|
- .base
|
||||||
- .bootloader
|
- .bootloader
|
||||||
- .disks
|
- .disks
|
||||||
- .firewall
|
|
||||||
- .network
|
|
||||||
- .user
|
- .user
|
||||||
- .shell
|
- .shell
|
||||||
- .salt
|
- .salt
|
||||||
|
|
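--- a/top.sls
+++ b/top.sls
@@ -1,5 +1,6 @@
 base:
 '*':
 - system
+- network
 - applications
 - util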