-
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathconverge.yml
132 lines (120 loc) · 5.99 KB
/
converge.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
---
- name: Converge
hosts: test-ag-nftables-1
vars:
nftables:
enable:
sets: false # debian (11) kernel 5.x does not support it
vars:
global_var_test: '1.1.1.1'
tables:
example:
vars:
var_test: '1.1.1.1'
private_ranges: ['192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8']
dns_servers: ['1.1.1.1', '1.1.0.0', '8.8.8.8', '8.8.4.4']
int_public: 'eno1'
int_private: 'eno2'
int_private2: 'eno3'
sets:
set_test:
flags: ['dynamic', 'timeout']
settings:
timeout: '3m'
counters:
invalid_packages:
comment: 'Invalid'
limits:
icmp_limit:
rate: '10/second'
chains:
incoming:
vars:
chain_var: '1.1.1.1'
hook: 'input'
rules:
- sequence: 1
raw: 'ct state invalid counter name invalid_packages log prefix "DROP invalid states" drop'
- seq: 2
raw: 'ct state {established, related} counter accept comment "Allow open sessions"'
- s: 3
raw: 'iifname "lo" accept comment "Allow loopback traffic"'
- {proto: 'tcp', port: 22000, seq: 5, comment: 'test sequence 2'}
- {proto: 'tcp', port: 21000, seq: 4, comment: 'test sequence 1'}
- {proto: 'tcp', port: 23000, seq: 6, comment: 'test sequence 3'}
- {proto: 'icmp', type: 'echo-request', limit: 'icmp_limit', comment: 'Allow icmp-ping'}
- {proto: 'icmpv6', type: 'echo-request', limit: 'icmp_limit', comment: 'Allow icmp-ping'}
- {proto: 'icmp', code: 30, limit: 'icmp_limit', comment: 'Allow icmp-traceroute'}
- {proto: 'icmpv6', limit: 'icmp_limit', comment: 'Allow necessary icmpv6-types for ipv6 to work',
type: ['nd-neighbor-solicit', 'nd-router-advert', 'nd-neighbor-advert']}
- {proto: 'udp', port: 46251, counter: 'invalid_packages', action: 'drop'}
# - {proto: 'udp'}
- {proto: ['udp', 'tcp']}
- {proto: 'tcp', port: 50349}
- {proto: 'tcp', port: [50349, 34039]}
# - {proto: 'tcp', dport: [50349, 34039], sport: 40349}
# - {proto: 'tcp', dport: [50349, 34039], sport: [40349, 49303]}
- {proto: ['tcp', 'udp'], port: [53948, 49383]}
- {proto: 'icmp'}
- {proto: ['icmp', 'icmpv6']}
- {proto: 'icmp', type: 'echo-request'}
- {proto: 'icmp', type: ['echo-request', 'echo-reply']}
- {proto: 'icmp', code: 30}
- {proto: 'icmp', code: [30, 8]}
- {proto: 'icmp', code: [30, 8], src: '192.168.0.1'}
- {proto: 'icmp', code: [30, 8], src: ['192.168.0.1', '192.168.1.1']}
- {proto: 'icmp', code: [30, 8], src: ['192.168.0.1', '192.168.1.1'], comment: 'test'}
- {proto: 'icmp', code: [30, 8], src: ['192.168.0.1', '192.168.1.1'], comment: 'test', log: 'test2'}
- {proto: ['tcp', 'udp'], port: [80, 443], comment: 'web test', dest: '192.168.0.1'}
- {proto: ['tcp', 'udp'], port: [80, 443], comment: 'web test2', dest: ['192.168.0.1', '192.168.0.2']}
- {proto: 'tcp', port: '2000-2100', comment: 'test port range'}
- {if: '$int_private', comment: 'input interface'}
- {of: '$int_private', comment: 'output interface'}
- {of: '$int_public', if: '$int_private', comment: 'in- & output interface'}
- {proto: 'icmp', if: '$int_public', limit: 'rate 10/second', comment: 'limit icmp traffic from public int'}
- {proto: 'icmp', type: 'echo-request', if: '$int_public', limit: 'rate over 10/second', comment: 'drop ping floods', action: 'drop'}
- {proto: 'icmp', if: '$int_public', limit: 'icmp_limit', comment: 'limit icmp traffic from public int with pre-defined limit'}
- {proto: 'udp', port: 51820, counter: true, comment: 'Count wireguard packets', action: none}
- {proto: 'udp', port: 51821, counter: 'invalid_packages', comment: 'Count wrong wireguard packets with pre-defined counter', action: none}
- {proto: 'tcp', port: [80, 443], comment: 'v6 test1', dest6: '2001:db8::1'}
- {proto: 'udp', port: 1339, comment: 'v6 test2', src6: '2001:db8::1'}
- {proto: 'udp', port: 1339, comment: 'v6 test3', src6: '2001:db8::1', dest6: '2001:db8::1:1'}
outgoing:
hook: 'output'
policy: 'accept'
rules:
- {dest: '$dns_servers', proto: 'udp', port: 53}
- {dest: '$dns_servers', proto: 'tcp', port: [53, 853]}
- {proto: ['tcp', 'udp'], port: [80, 443]}
- {proto: ['icmp', 'icmpv6']}
preroute:
hook: 'prerouting'
type: 'nat'
priority: -100
policy: 'accept'
rules:
- {if: '$int_private', proto: 'tcp', port: 8888, dnat: 'ip 192.168.10.1:8888'}
translate:
hook: 'postrouting'
type: 'nat'
priority: -100
policy: 'accept'
rules:
- {'src': '$private_ranges', oif: '$int_private', masquerade: true} # dynamic outbound nat
- {'src': '$private_ranges', oif: '$int_private2', snat: '192.168.0.1'} # static outbound nat
example6:
type: 'ip6'
chains:
test:
hook: 'output'
rules:
- {'src6': '2001:db8::1/128'}
example4:
type: 'ip'
chains:
test:
hook: 'output'
rules:
- {'src': '192.168.0.1/32'}
roles:
- ansibleguy.infra_nftables