From a06e5ed36944ce167b1e04e8c39ac583819871e4 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 5 Jun 2024 00:05:18 +0200
Subject: ch-mon: add basic firewall rules

---
 inventory/host_vars/ch-mon.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 7671b155..64121848 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -58,6 +58,30 @@ spreadspace_apt_repo_components:
 nftables_base_rules:
+ main: |
+ table inet global {
+ chain input_iot {
+ ip saddr != {{ network_zones.iot.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input_mgmt {
+ ip saddr != {{ network_zones.mgmt.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot, mgmt0: jump input_mgmt }
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
 protect-grafana-auth-proxy: |
 table inet filter {
 chain protect-grafana-auth-proxy {
-- 
cgit v1.2.3
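Review bot: The `svc0: accept` entry in the `iifname vmap` of chain `input` accepts every packet arriving on svc0, so the chain's `policy drop` does not apply to the service interface at all; if that is intended (for example because the svc zone is filtered by another base chain such as the one in `table inet filter` that follows this hunk), it deserves a comment like `# svc0: unrestricted here, per-service filtering lives in table inet filter`. The zone chains only guard the IPv4 source: `ip saddr != {{ network_zones.iot.prefix }} drop` (and the mgmt counterpart) leaves IPv6 unconstrained, which is harmless today because only ICMP/ICMPv6 is accepted and everything else falls back to the drop policy, but any `accept` rule added to these chains later will admit IPv6 from any source unless a matching `ip6 saddr` guard is added first — worth a `# NOTE: IPv4-only source check; add an ip6 saddr rule before accepting non-ICMP traffic` in each chain. As written the mgmt0 path admits nothing but ICMP, so management access (SSH or similar) must come from rules outside this hunk, presumably other entries of `nftables_base_rules` that I cannot see here. Minor style point: `chain forward` uses `priority 0` while `chain input` uses the symbolic `priority filter`; they are the same value, so `type filter hook forward priority filter; policy drop;` keeps the two base chains consistent.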