From 4948782947d68eb09c7c1b6a07991978035e7ff1 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 16 Nov 2023 00:57:32 +0100
Subject: ch-mon: add firewall to protect grafana with auth.proxy form localhost attackers

---
 inventory/host_vars/ch-mon.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'inventory/host_vars/ch-mon.yml')

diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index cb5bcfed..2e8ca38a 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -57,6 +57,15 @@ spreadspace_apt_repo_components:
   - prometheus
 
+nftables_base_rules:
+  protect-grafana-auth-proxy: |
+    table inet filter {
+      chain protect-grafana-auth-proxy {
+        type filter hook output priority filter; policy accept;
+        meta skuid != { root, www-data } tcp dport 3000 counter reject
+      }
+    }
+
 whawty_nginx_sso_backends:
   chaos-at-home:
     port: 1234
-- 
cgit v1.2.3
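Review bot: The new rule matches `tcp dport 3000` against any destination, so in the `output` hook it also rejects legitimate outbound connections from non-root, non-www-data users to remote hosts on port 3000, which is broader than the localhost protection the subject describes; restricting it to the loopback path, e.g. `meta skuid != { root, www-data } oif lo tcp dport 3000 counter reject`, keeps the intended scope. The rule presumes Grafana listens only on loopback port 3000 and that nginx running as www-data is the only legitimate client, neither of which is visible in this hunk, so a short comment inside the YAML block stating those assumptions would help the next editor. It should also say that processes running as root or www-data are deliberately exempt, so the rule narrows rather than closes the auth.proxy trust path and the Grafana-side configuration still matters. Note that the named set `{ root, www-data }` is resolved when the ruleset loads, so both users must exist on the host or the whole base ruleset fails to apply.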