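---
# nftables ruleset rendered by Ansible from this Jinja template (group_vars/all,
# so it applies to every host). Lines starting with '#' inside the block scalar
# are nftables comments and are written into the rendered ruleset verbatim.
#
# Host-specific rules are gated on group membership ("mail", "databases",
# "jitsi") and on the detected default interfaces. Every IPv6 rule is guarded
# with `ansible_default_ipv6.interface is defined` rather than
# `ansible_default_ipv6 is defined`: on a host without an IPv6 default route the
# fact is normally present but empty, so the attribute lookup would still
# fail the render. The tcp_accepted / WireGuard IPv6 rules are additionally
# skipped when IPv4 and IPv6 share one interface, because an iifname match in
# an inet table already covers both families.
nftables_configuration: |
  flush ruleset

  table inet firewall {
    set tcp_accepted {
      type inet_service
      elements = {
        # OpenSSH
        ssh,
        # NGINX
        http,
        https
      }
    }

  {% if "mail" in group_names %}
    set mail_accepted {
      type inet_service
      elements = {
        # Mail configuration
        sieve,
        # Mail submission
        smtp,
        smtps,
        submission,
        # Mail receiving
        imap,
        imaps
      }
    }
  {% endif %}

  {% if "databases" in group_names %}
    # Access control for database server
    set possible_lke_ipv4_addrs {
      type ipv4_addr
      flags interval
      elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} }
    }

    set possible_lke_ipv6_addrs {
      type ipv6_addr
      flags interval
      elements = { {{ lke_frankfurt_ipv6_addresses | join(", ") }} }
    }
  {% endif %}

    chain input {
      type filter hook input priority 0

      # Default policy: drop anything not explicitly accepted below
      policy drop

      # Drop invalid packets
      ct state invalid drop

      # Allow already established connections
      ct state established,related accept

      # Allow loopback
      iif lo accept

      # Allow inbound ICMP/ICMPv6 (ping, traceroute; ICMPv6 also carries
      # neighbour discovery and path MTU discovery, which IPv6 needs).
      # Note: this rule matches every ICMP/ICMPv6 type, not only those above.
      meta l4proto { icmp, ipv6-icmp } counter accept

      # Standard allowed ports
      iifname {{ ansible_default_ipv4.interface }} tcp dport @tcp_accepted ct state new accept
  {% if ansible_default_ipv6.interface is defined and ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
      iifname {{ ansible_default_ipv6.interface }} tcp dport @tcp_accepted ct state new accept
  {% endif %}

      # WireGuard client connections
      iifname {{ ansible_default_ipv4.interface }} udp dport {{ wireguard_port }} ct state new accept
  {% if ansible_default_ipv6.interface is defined and ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
      iifname {{ ansible_default_ipv6.interface }} udp dport {{ wireguard_port }} ct state new accept
  {% endif %}

      # Node Exporter port for Prometheus scraping over WireGuard
      iifname wg0 tcp dport 9100 ct state new accept

      # Munin scraping over WireGuard
      iifname wg0 tcp dport 4949 ct state new accept

  {% if "databases" in group_names %}
      # PostgreSQL connections, restricted to the LKE source address sets
      iifname {{ ansible_default_ipv4.interface }} ip saddr @possible_lke_ipv4_addrs tcp dport postgresql ct state new accept
  {% if ansible_default_ipv6.interface is defined %}
      iifname {{ ansible_default_ipv6.interface }} ip6 saddr @possible_lke_ipv6_addrs tcp dport postgresql ct state new accept
  {% endif %}
  {% endif %}

  {% if "mail" in group_names %}
      # Inbound mail
      iifname {{ ansible_default_ipv4.interface }} tcp dport @mail_accepted ct state new accept
  {% if ansible_default_ipv6.interface is defined %}
      iifname {{ ansible_default_ipv6.interface }} tcp dport @mail_accepted ct state new accept
  {% endif %}
  {% endif %}

  {% if "jitsi" in group_names %}
      # Ports needed by Jitsi
      define jitsi_tcp_ports = {5349}
      define jitsi_udp_ports = {3478, 10000}

      iifname {{ ansible_default_ipv4.interface }} tcp dport $jitsi_tcp_ports ct state new accept
      iifname {{ ansible_default_ipv4.interface }} udp dport $jitsi_udp_ports ct state new accept
  {% if ansible_default_ipv6.interface is defined %}
      iifname {{ ansible_default_ipv6.interface }} tcp dport $jitsi_tcp_ports ct state new accept
      iifname {{ ansible_default_ipv6.interface }} udp dport $jitsi_udp_ports ct state new accept
  {% endif %}

  {% endif %}
    }

    chain forward {
      type filter hook forward priority 0
      policy drop
      ct state invalid drop
      ct state established,related accept

      # Only traffic arriving over WireGuard may be forwarded, and only
      # towards the 10.0.0.0/8 range
      iifname wg0 ip daddr 10.0.0.0/8 accept
    }

    chain output {
      type filter hook output priority 0
      policy accept

      ip6 nexthdr ipv6-icmp accept
    }

    chain postrouting {
      type nat hook postrouting priority 100;
    }
  }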