From 4067c8d760cf00c459a3d974a3f707f33e573d0b Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 4 Jun 2024 23:58:28 +0200
Subject: ch-iot: add basic firewall

---
 chaos-at-home/ch-iot.yml       |  1 +
 inventory/host_vars/ch-iot.yml | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/chaos-at-home/ch-iot.yml b/chaos-at-home/ch-iot.yml
index 57d37a3e..9a5d1641 100644
--- a/chaos-at-home/ch-iot.yml
+++ b/chaos-at-home/ch-iot.yml
@@ -14,6 +14,7 @@
     - role: apt-repo/spreadspace
     - role: x509/managed-ca/base
     - role: x509/managed-ca/ca
+    - role: network/nftables/base
     - role: network/coredns
     - role: mosquitto/broker
     - role: nginx/base
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml
index 0aca3e57..043403b3 100644
--- a/inventory/host_vars/ch-iot.yml
+++ b/inventory/host_vars/ch-iot.yml
@@ -49,10 +49,33 @@ ntp_server:
   - "{{ network_zones.iot.prefix }}"
+nftables_base_rules:
+  main: |
+    table inet global {
+      chain input_iot {
+        ip protocol icmp accept
+        ip6 nexthdr ipv6-icmp accept
+        tcp dport { domain, 1883 } accept
+        udp dport { bootps, domain, ntp } accept
+      }
+
+      chain input {
+        type filter hook input priority filter; policy drop;
+        ct state vmap { established: accept, related: accept, invalid: drop }
+        iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot }
+      }
+
+      chain forward {
+        type filter hook forward priority 0; policy drop;
+      }
+    }
+
+
 coredns_config: |
   . {
+    bind iot0
     hosts {
-      {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org
+      {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org
       no_reverse
     }
   }
-- 
cgit v1.2.3
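Review bot: The `input_iot` chain admits only `tcp dport { domain, 1883 }`, yet the same hunk binds coredns to `iot0` and keeps the `hosts` entry that resolves apt.chaos-at-home.org to this host's own iot-zone address, so IoT clients following that answer will have their http/https connections dropped by `policy drop` unless the apt mirror is intentionally reachable from svc0 only — worth confirming, and if it is meant for iot0 the line becomes `tcp dport { domain, http, https, 1883 } accept`. The forward chain uses `priority 0` while the input chain uses the symbolic `priority filter`; the two are equivalent, but `type filter hook forward priority filter; policy drop;` keeps the ruleset consistent. Nothing records what the drop policy discards, so a `counter` (or a rate-limited `log prefix "nft-input-drop: "`) as the last rule of `chain input` would give a detection signal for unexpected traffic on iot0 at little cost. The ruleset itself carries no comments; a short header such as `# iot0: only DNS, DHCP, NTP, MQTT(1883) and ICMP; svc0 and lo are trusted` would tell the next maintainer why 1883 is open in plaintext and which zone is considered management.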