From 665ad225006034a415729d4fc78a7d1940d24897 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 23 Apr 2023 19:33:41 +0200
Subject: ch-jump: limit jump targets for c3voc using nftables

---
 chaos-at-home/ch-jump.yml | 1 +
 inventory/host_vars/ch-jump.yml | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/chaos-at-home/ch-jump.yml b/chaos-at-home/ch-jump.yml
index a8e11ce5..8078aa65 100644
--- a/chaos-at-home/ch-jump.yml
+++ b/chaos-at-home/ch-jump.yml
@@ -8,6 +8,7 @@
 - role: core/zsh
 - role: core/ntp
 - role: core/sshd/jump
+ - role: network/nftables/base
 post_tasks:
 - name: install etherwake
 apt:
diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml
index e2fe51d6..ab03c1a4 100644
--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -49,3 +49,14 @@ sshd_jump_users:
 # fim:
 # authorized_keys:
 # - ssh-rsa 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 fim@digl012
+
+
+nftables_base_rules:
+ public-services: |
+ table ip filter {
+ chain sshd-jump {
+ type filter hook output priority filter;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ skuid c3voc ip daddr != { {{ network_zones.c3voc.prefix }} } reject
+ }
+ }
-- 
cgit v1.2.3
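Review bot: The new `sshd-jump` chain lives in `table ip filter`, so it only sees IPv4 packets; if ch-jump has any IPv6 connectivity, outbound connections from uid `c3voc` to IPv6 destinations are not restricted at all, which silently defeats the intent stated in the subject. Assuming `network_zones.c3voc.prefix` is an IPv4 prefix, the smallest fix is to declare the table for both families and explicitly reject IPv6 for that user: change `table ip filter {` to `table inet filter {` and add `skuid c3voc meta nfproto ipv6 reject` after the `ct state` line (keep the existing `ip daddr != { ... } reject` for IPv4). It is also worth a comment above `nftables_base_rules` noting that the restriction is enforced by uid on the output hook, so it covers forwarded jump sessions only as long as sshd runs the forwarding process as the `c3voc` user; something like `# restrict where the c3voc jump user may connect to; relies on sshd running the user's session/forwarding as uid c3voc`. The key name `public-services` does not describe a uid-based egress restriction on a jump host; a name such as `jump-egress` would make the ruleset easier to find later.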