-rw-r--r-- | inventory/host_vars/ch-mon.yml | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 7671b155..64121848 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -58,6 +58,30 @@ spreadspace_apt_repo_components:
 nftables_base_rules:
+  main: |
+    table inet global {
+      chain input_iot {
+        ip saddr != {{ network_zones.iot.prefix }} drop
+        ip protocol icmp accept
+        ip6 nexthdr ipv6-icmp accept
+      }
+
+      chain input_mgmt {
+        ip saddr != {{ network_zones.mgmt.prefix }} drop
+        ip protocol icmp accept
+        ip6 nexthdr ipv6-icmp accept
+      }
+
+      chain input {
+        type filter hook input priority filter; policy drop;
+        ct state vmap { established: accept, related: accept, invalid: drop }
+        iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot, mgmt0: jump input_mgmt }
+      }
+
+      chain forward {
+        type filter hook forward priority 0; policy drop;
+      }
+    }
   protect-grafana-auth-proxy: |
     table inet filter {
       chain protect-grafana-auth-proxy {
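Review bot: The source-address guard in `input_iot` and `input_mgmt` is IPv4-only (`ip saddr != … drop`), so the `ip6 nexthdr ipv6-icmp accept` that follows admits ICMPv6 from any IPv6 source arriving on iot0/mgmt0, whereas ICMPv4 is accepted only from the zone prefix. If those zones carry IPv6 (not visible here), add a matching guard that still permits link-local for neighbour discovery, e.g. `ip6 saddr != { <zone v6 prefix>, fe80::/10 } drop`; if they are IPv4-only, a one-line comment saying so would stop the next reader from wondering. Separately, `chain forward` uses `priority 0` while `chain input` uses the equivalent `priority filter`; pick one spelling for both. A short comment above `iifname vmap` naming what `svc0`, `iot0` and `mgmt0` are (and why `svc0` is accepted wholesale) would make the host's trust boundaries clear from this file alone.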