authorChristian Pointner <equinox@spreadspace.org>2024-06-05 00:05:18 +0200
committerChristian Pointner <equinox@spreadspace.org>2024-06-05 00:05:18 +0200
commita06e5ed36944ce167b1e04e8c39ac583819871e4 (patch)
tree523363d2b7bf65e1de5a74d85fe4fac152eb0a6b
parentch-iot: add basic firewall (diff)
ch-mon: add basic firewall rules
-rw-r--r--inventory/host_vars/ch-mon.yml24
1 files changed, 24 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 7671b155..64121848 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -58,6 +58,30 @@ spreadspace_apt_repo_components:
nftables_base_rules:
+ main: |
+ table inet global {
+ chain input_iot {
+ ip saddr != {{ network_zones.iot.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input_mgmt {
+ ip saddr != {{ network_zones.mgmt.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot, mgmt0: jump input_mgmt }
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
protect-grafana-auth-proxy: |
table inet filter {
chain protect-grafana-auth-proxy {