Switch from iptables to nftables, add separate network states

This commit is contained in:
LinuxSquare 2023-10-20 14:27:22 +02:00
parent 2dc09181ac
commit 57e7f057c6
7 changed files with 27 additions and 39 deletions


@ -0,0 +1,12 @@
# This file is managed by Saltstack. (State {{ STATE }})
#!/usr/sbin/nft
table inet filter {
chain input {
tcp dport 22 accept
{% for port in ALLOWED_PORTS %}
tcp dport {{ port }} accept
{% endfor %}
}
}
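Review bot: `chain input` in the new `table inet filter` declares no `type filter hook input priority filter; policy drop;`, so it is a regular chain that no hook ever dispatches to — its `accept` rules are never evaluated and, unlike the deleted iptables file's `:INPUT DROP` / `:FORWARD DROP` defaults, nothing in this file drops any inbound or forwarded packet. The loopback accept, the `! -i lo -d 127.0.0.0/8` anti-spoof drop and the `RELATED,ESTABLISHED` accept from the old rules are also gone, so as soon as the chain is hooked with a drop policy the reply traffic of the host's own outbound connections would be cut off. The `#!/usr/sbin/nft` shebang sits on line 2 behind the Salt header and is inert there; either drop it or put `#!/usr/sbin/nft -f` on line 1. The rewrite below restores the old policy under nftables; because `inet` now also filters IPv6, an ICMPv6 accept is added so neighbour discovery keeps working, and the file is only read at all if `/etc/nftables.conf` includes `/etc/nftables.d/*.nft`, which this commit does not show — worth confirming.
```jinja
#!/usr/sbin/nft -f
# This file is managed by Saltstack. (State {{ STATE }})
table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    iif != "lo" ip daddr 127.0.0.0/8 drop
    ct state invalid drop
    ct state established,related accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    tcp dport 22 accept
    {% for port in ALLOWED_PORTS %}
    tcp dport {{ port }} accept
    {% endfor %}
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
  }
  chain output {
    type filter hook output priority filter; policy accept;
  }
}
```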


@ -1,12 +1,12 @@
system_firewall_pkgs: network_firewall_pkgs:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
- iptables - nftables
system_firewall_rules: network_firewall_rules:
file.managed: file.managed:
- name: /etc/iptables/rules-save - name: /etc/nftables.d/noveria.nft
- source: salt://{{ tpldir }}/files/firewall_rules.v4.jinja - source: salt://{{ tpldir }}/files/firewall_rules.nft.jinja
- template: jinja - template: jinja
- context: - context:
STATE: {{ sls }} STATE: {{ sls }}
@ -16,15 +16,15 @@ system_firewall_rules:
- mode: '0600' - mode: '0600'
- makedirs: true - makedirs: true
- require: - require:
- system_firewall_pkgs - network_firewall_pkgs
system_firewall_service_reload: network_firewall_service_reload:
service.running: service.running:
- name: iptables - name: nftables
- enable: true - enable: true
- reload: true - reload: true
- watch: - watch:
- system_firewall_rules - network_firewall_rules
- require: - require:
- system_firewall_pkgs - network_firewall_pkgs
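Review bot: `network_firewall_rules` writes the rendered template straight to `/etc/nftables.d/noveria.nft` and the watching `network_firewall_service_reload` then reloads `nftables` with no syntax check in between, so a Jinja or nft syntax error in the rendered file makes the reload fail and the intended rules are never applied, with nothing in the state run catching it before the file is already in place. Adding `- check_cmd: nft -c -f` to the `file.managed` makes Salt dry-parse the rendered file (the temp path is appended to the command) and abort the state before the old file is replaced. Whether `/etc/nftables.d/noveria.nft` is read on reload at all depends on `/etc/nftables.conf` including that directory, which this commit does not manage; if the stock config is in use, the watch-triggered reload will succeed while silently ignoring this file.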


@ -1,7 +1,7 @@
include: include:
- .base - .firewall
system_network_interfaces: network_interfaces:
file.managed: file.managed:
- name: /etc/network/interfaces - name: /etc/network/interfaces
- source: salt://{{ tpldir }}/files/network_interfaces - source: salt://{{ tpldir }}/files/network_interfaces
@ -11,10 +11,10 @@ system_network_interfaces:
- require: - require:
- system_base_pkgs - system_base_pkgs
system_network_service_reload: network_service_reload:
service.running: service.running:
- name: networking - name: networking
- enable: true - enable: true
- reload: true - reload: true
- watch: - watch:
- system_network_interfaces - system_network_interfaces
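Review bot: `network_service_reload` still watches `system_network_interfaces` on the unchanged last line of the hunk, but that state was renamed to `network_interfaces` at the top of the file, so the watch now references an ID that no longer exists and Salt will refuse the state with a requisite-not-found error; change it to `- network_interfaces`. `network_interfaces` also still requires `system_base_pkgs` while the include at the top was switched from `.base` to `.firewall`, so if `.base` lived in the same formula that requisite is unresolved too unless the top file happens to apply `system` before this formula — inferred from the hunk, not visible here. Both points assume this is the file moved under the new `network` formula, which the rename pattern suggests but the page does not show.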


@ -1,23 +0,0 @@
# This file is managed by Saltstack. (State {{ STATE }})
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
{% for port in ALLOWED_PORTS %}
-A INPUT -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}
COMMIT


@ -2,8 +2,6 @@ include:
- .base - .base
- .bootloader - .bootloader
- .disks - .disks
- .firewall
- .network
- .user - .user
- .shell - .shell
- .salt - .salt


@ -1,5 +1,6 @@
base: base:
'*': '*':
- system - system
- network
- applications - applications
- util - util