Use nftables for firewall on ingress

See ya never, iptables!
2023-10-26 21:34:06 +01:00
parent 54e2205e48
commit 9f83efa53b
9 changed files with 64 additions and 15 deletions
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0
+        policy drop
+
+        ct state {established, related} counter accept
+
+        iif lo accept
+
+        tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
+    }
+
+    chain POSTROUTING {
+        type nat hook postrouting priority srcnat
+        policy accept
+
+        # NAT - because the proxmox machines may not have routes back
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+    }
+
+    chain FORWARD {
+        type filter hook forward priority mangle
+        policy drop
+
+        # Allow traffic from nebula to proxmox network
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+    }
+}