Skip to content

Commit

Permalink
Replace iptables resources with firewalld
Browse files Browse the repository at this point in the history
  • Loading branch information
jameslikeslinux committed Feb 21, 2022
1 parent dfe2807 commit a39cf2d
Show file tree
Hide file tree
Showing 13 changed files with 76 additions and 263 deletions.
1 change: 1 addition & 0 deletions data/common.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ nest::kernel_config:
CONFIG_NETFILTER: y
CONFIG_NETFILTER_ADVANCED: y
CONFIG_NF_CONNTRACK: m
CONFIG_NF_CONNTRACK_NETBIOS_NS: m
CONFIG_NF_CONNTRACK_TFTP: m
CONFIG_NF_TABLES: m
CONFIG_NF_TABLES_INET: y
Expand Down
51 changes: 2 additions & 49 deletions manifests/base/openvpn.pp
Original file line number Diff line number Diff line change
Expand Up @@ -170,30 +170,8 @@
],
}

firewall {
default:
proto => udp,
dport => 1194,
state => 'NEW',
action => accept,
;

'100 openvpn (v4)':
provider => iptables,
;

'100 openvpn (v6)':
provider => ip6tables,
;
}

# Forwarding rules to control access to VPN
firewall { '100 nest vpn: allow kvm guests':
chain => 'FORWARD',
proto => all,
iniface => 'virbr0',
outiface => $device,
action => accept,
firewalld_service { 'openvpn':
ensure => present,
}
} else {
$mode = 'client'
Expand All @@ -209,31 +187,6 @@
mode => '0755',
require => Package[$openvpn_package_name],
}

# Allow and forward all VPN traffic
firewall {
default:
proto => all,
;

'001 nest vpn':
iniface => $device,
action => accept,
;

'001 nest vpn: forward all':
chain => 'FORWARD',
iniface => $device,
action => accept,
;

'002 nest vpn: allow return packets':
chain => 'FORWARD',
outiface => $device,
ctstate => ['RELATED', 'ESTABLISHED'],
action => accept,
;
}
}

'windows': {
Expand Down
17 changes: 2 additions & 15 deletions manifests/base/ssh.pp
Original file line number Diff line number Diff line change
Expand Up @@ -45,21 +45,8 @@
}

if $::nest::public_ssh {
firewall {
default:
proto => tcp,
dport => 22,
state => 'NEW',
action => accept,
;

'100 ssh (v4)':
provider => iptables,
;

'100 ssh (v6)':
provider => ip6tables,
;
firewalld_service { 'ssh':
ensure => present,
}
}
}
Expand Down
87 changes: 24 additions & 63 deletions manifests/lib/port_forward.pp
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
#
# XXX Refactor or remove this class for better firewalld support
#
define nest::lib::port_forward (
Enum['tcp', 'udp'] $proto,
Stdlib::Port $from_port,
Expand All @@ -7,71 +10,29 @@
Optional[Stdlib::IP::Address::V6] $source_ip6 = undef,
Optional[Stdlib::IP::Address::V6] $destination_ip6 = undef,
) {
$combined_spec = {
'v4' => {
'source' => $source_ip4,
'destination' => $destination_ip4,
'provider' => iptables,
},

'v6' => {
'source' => $source_ip6,
'destination' => $destination_ip6,
'provider' => ip6tables,
},
if $destination_ip4 {
firewalld_rich_rule { "${name} (v4)":
family => ipv4,
dest => $source_ip4,
forward_port => {
port => $from_port,
protocol => $proto,
to_addr => $destination_ip4,
to_port => $to_port,
},
}
}

$combined_spec.each |$comment, $spec| {
if $spec['source'] and $spec['destination'] {
firewall {
default:
provider => $spec['provider'],
;

"100 ${name} (${comment}): modify destination on incoming packets":
table => nat,
chain => 'PREROUTING',
destination => $spec['source'],
proto => $proto,
dport => $from_port,
jump => 'DNAT',
todest => "${spec['destination']}:${to_port}",
;

"100 ${name} (${comment}): modify destination on generated packets":
table => nat,
chain => 'OUTPUT',
destination => $spec['source'],
proto => $proto,
dport => $from_port,
jump => 'DNAT',
todest => "${spec['destination']}:${to_port}",
;

"100 ${name} (${comment}): allow forwarding":
chain => 'FORWARD',
destination => $spec['destination'],
proto => $proto,
dport => $to_port,
action => accept,
;

"100 ${name} (${comment}): allow return packets":
chain => 'FORWARD',
source => $spec['destination'],
ctstate => ['RELATED', 'ESTABLISHED'],
action => accept,
;

"100 ${name} (${comment}): modify source for return routing":
table => nat,
chain => 'POSTROUTING',
destination => $spec['destination'],
proto => $proto,
dport => $to_port,
jump => 'MASQUERADE',
;
}
if $destination_ip6 {
firewalld_rich_rule { "${name} (v6)":
family => ipv6,
dest => $source_ip6,
forward_port => {
port => $from_port,
protocol => $proto,
to_addr => $destination_ip6,
to_port => $to_port,
},
}
}
}
18 changes: 3 additions & 15 deletions manifests/lib/virtual_host.pp
Original file line number Diff line number Diff line change
Expand Up @@ -26,21 +26,9 @@
}

if $port and $::nest::service::apache::manage_firewall {
firewall {
default:
proto => tcp,
dport => $port,
state => 'NEW',
action => accept,
;

"100 ${name} (v4)":
provider => iptables,
;

"100 ${name} (v6)":
provider => ip6tables,
;
firewalld_port { $name:
port => $port,
protocol => tcp,
}
}

Expand Down
56 changes: 0 additions & 56 deletions manifests/node/falcon.pp
Original file line number Diff line number Diff line change
@@ -1,60 +1,4 @@
class nest::node::falcon {
firewall {
'012 multicast':
proto => udp,
pkttype => 'multicast',
action => accept,
;

'100 podman to apache':
iniface => 'cni-podman0',
proto => tcp,
dport => [80, 443],
state => 'NEW',
action => accept,
;

'100 podman to distccd':
iniface => 'cni-podman0',
proto => tcp,
dport => 3632,
state => 'NEW',
action => accept,
;

'100 podman to dnsmasq':
iniface => 'cni-podman0',
proto => udp,
dport => 53,
state => 'NEW',
action => accept,
;

'100 podman to smtp':
iniface => 'cni-podman0',
proto => udp,
dport => 25,
state => 'NEW',
action => accept,
;

'100 plex':
proto => tcp,
dport => 32400,
state => 'NEW',
action => accept,
;

'100 puppet from local network':
chain => 'FORWARD',
source => "${facts['networking']['network']}/${facts['networking']['netmask']}",
proto => tcp,
dport => 8140,
state => 'NEW',
action => accept,
;
}

nest::lib::toolchain {
[
'aarch64-unknown-linux-gnu',
Expand Down
9 changes: 0 additions & 9 deletions manifests/node/web.pp
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,4 @@
host => '%',
before => Class['nest::service::bitwarden'],
}

firewall { '100 podman to mysql':
iniface => 'cni-podman0',
proto => tcp,
dport => 3306,
state => 'NEW',
action => accept,
before => Class['nest::service::bitwarden'],
}
}
17 changes: 2 additions & 15 deletions manifests/service/apache.pp
Original file line number Diff line number Diff line change
Expand Up @@ -40,21 +40,8 @@
}

if $manage_firewall {
firewall {
default:
proto => tcp,
dport => [80, 443],
state => 'NEW',
action => accept,
;

'100 http (v4)':
provider => iptables,
;

'100 http (v6)':
provider => ip6tables,
;
firewalld_service { ['http', 'https']:
ensure => present,
}
}
}
9 changes: 3 additions & 6 deletions manifests/service/barrier.pp
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,9 @@
use => '-gui',
}

firewall { '100 barrier':
proto => tcp,
dport => 24800,
iniface => 'virbr0',
state => 'NEW',
action => accept,
firewalld_service { 'synergy':
ensure => present,
zone => 'libvirt',
}

# XXX: Cleanup from previous dependency on avahi
Expand Down
46 changes: 23 additions & 23 deletions manifests/service/kubernetes.pp
Original file line number Diff line number Diff line change
Expand Up @@ -58,35 +58,35 @@
ensure => installed,
}

firewall { '100 vxlan':
source => "${facts['networking']['network']}/${facts['networking']['netmask']}",
dport => 8472,
proto => udp,
state => 'NEW',
action => accept,
}
# firewall { '100 vxlan':
# source => "${facts['networking']['network']}/${facts['networking']['netmask']}",
# dport => 8472,
# proto => udp,
# state => 'NEW',
# action => accept,
# }

sysctl { 'net.ipv4.ip_forward':
ensure => present,
value => '1',
}

if $control_plane {
firewall {
default:
dport => 6443,
proto => tcp,
state => 'NEW',
action => accept,
;
# if $control_plane {
# firewall {
# default:
# dport => 6443,
# proto => tcp,
# state => 'NEW',
# action => accept,
# ;

'100 kubernetes from local network':
source => "${facts['networking']['network']}/${facts['networking']['netmask']}",
;
# '100 kubernetes from local network':
# source => "${facts['networking']['network']}/${facts['networking']['netmask']}",
# ;

'100 kubernetes from pod network':
iniface => 'cni0',
;
}
}
# '100 kubernetes from pod network':
# iniface => 'cni0',
# ;
# }
# }
}
Loading

0 comments on commit a39cf2d

Please sign in to comment.