author | Christian Pointner <equinox@spreadspace.org> | 2024-06-04 23:58:28 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2024-06-04 23:58:28 +0200 |
commit | 4067c8d760cf00c459a3d974a3f707f33e573d0b (patch) | |
tree | 09204e001600c7d45dd8b5fd0c75cafd7d28f688 | |
parent | install coredns to ch-iot (diff) |
ch-iot: add basic firewall
-rw-r--r-- | chaos-at-home/ch-iot.yml | 1 | ||||
-rw-r--r-- | inventory/host_vars/ch-iot.yml | 25 |
2 files changed, 25 insertions, 1 deletions
diff --git a/chaos-at-home/ch-iot.yml b/chaos-at-home/ch-iot.yml
index 57d37a3e..9a5d1641 100644
--- a/chaos-at-home/ch-iot.yml
+++ b/chaos-at-home/ch-iot.yml
@@ -14,6 +14,7 @@
 - role: apt-repo/spreadspace
 - role: x509/managed-ca/base
 - role: x509/managed-ca/ca
+ - role: network/nftables/base
 - role: network/coredns
 - role: mosquitto/broker
 - role: nginx/base
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml
index 0aca3e57..043403b3 100644
--- a/inventory/host_vars/ch-iot.yml
+++ b/inventory/host_vars/ch-iot.yml
@@ -49,10 +49,33 @@ ntp_server:
 - "{{ network_zones.iot.prefix }}"
 
+nftables_base_rules:
+ main: |
+ table inet global {
+ chain input_iot {
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { domain, 1883 } accept
+ udp dport { bootps, domain, ntp } accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot }
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
+
+
 coredns_config: |
 . {
+ bind iot0
 hosts {
- {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org
+ {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org
 no_reverse
 }
 } |
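Review bot: `ip6 nexthdr ipv6-icmp accept` in input_iot only matches when ICMPv6 is the header immediately following the IPv6 header, so ICMPv6 carried behind an extension header (MLD listener reports travel behind a hop-by-hop option, for example) falls through to the chain's drop policy on iot0; the usual form is `meta l4proto { icmp, ipv6-icmp } accept`, which replaces both ICMP lines and handles both address families. The forward chain spells its priority as `priority 0` while input uses `priority filter`; they are the same value, but a single spelling would read cleaner. Port 1883 is plaintext MQTT opened towards the IoT zone on a host that also runs the managed CA roles; if the broker additionally serves TLS on 8883 that port is not opened here, and whether 1883 clients are required to authenticate cannot be seen from this hunk. The rules carry no comment on why svc0 is accepted unconditionally in the input vmap; a one-liner such as `# svc0: trusted service network, no per-port filtering` would spare the next reader a guess.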