
whoops

master
Sean Johnson 1 year ago
parent
commit
edb2594eb0
  1. 15
      ci/pipeline.yml
  2. 46
      fwrules/chains/concourse_worker.sls
  3. 76
      fwrules/chains/docker_ingress.sls
  4. 86
      fwrules/chains/elasticsearch_cluster_private.sls
  5. 23
      fwrules/chains/elasticsearch_exporter_private.sls
  6. 38
      fwrules/chains/http_public.sls
  7. 8
      fwrules/chains/init.sls
  8. 36
      fwrules/chains/management.sls
  9. 42
      fwrules/chains/matrix_public.sls
  10. 23
      fwrules/chains/node_exporter_private.sls
  11. 46
      fwrules/chains/salt_private.sls
  12. 41
      fwrules/chains/ssh_private.sls
  13. 9
      fwrules/chains/usc2_privnet.sls
  14. 37
      fwrules/chains/vault_private.sls
  15. 7
      fwrules/ipsets/init.sls
  16. 43
      fwrules/ipsets/management.sls
  17. 22
      fwrules/ipsets/minions.sls
  18. 22
      fwrules/ipsets/scrapers.sls
  19. 103
      fwrules/templates/chains.nft.j2
  20. 50
      fwrules/templates/sets.nft.j2

15
ci/pipeline.yml

@ -67,21 +67,6 @@ jobs:
- set_pipeline: self
file: metadata/pipeline.yml
- name: "kitchen-integration-debian"
serial_groups: [kitchen]
public: true
plan:
- get: commons
- get: states
trigger: true
- task: "run-kitchen-integration-debian"
file: (( grab meta.tasks.kitchen ))
privileged: true
params:
PLATFORM: debian
input_mapping:
formula: states
- name: update-states
public: false
plan:

46
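--- a/fwrules/chains/concourse_worker.sls
+++ b/fwrules/chains/concourse_worker.sls
@@ -1,46 +0,0 @@
----
-{% set chain = "concourse_worker" %}
-{% set families = [
-("ipv4", ["107.155.67.64/29"]),
-("ipv6", ["2604:880:396::/48"]),
-] %}
-{% set ports = [
-("ssh", 22, "tcp"),
-("concourse-atc", 7777, "tcp"),
-("concourse-baggageclaim", 7778, "tcp"),
-] %}
-{% for family, addresses in families %}
-{{ chain }} {{ family }} chain:
-iptables.chain_present:
-- name: {{ chain }}
-- family: {{ family }}
-- require:
-- pkg: iptables
-{{ chain }} {{ family }} input:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain }}
-- require:
-- iptables: {{ chain }} {{ family }} chain
-{% for protocol, port, transport in ports %}
-{{ family }} {{ protocol }} {{ port }}:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain }}
-- source: {{ addresses | join(",") }}
-- protocol: {{ transport }}
-- match: {{ transport }}
-- dport: {{ port }}
-- jump: ACCEPT
-- require:
-- iptables: {{ chain }} {{ family }} input
-{% endfor %}
-{% endfor %}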

76
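--- a/fwrules/chains/docker_ingress.sls
+++ b/fwrules/chains/docker_ingress.sls
@@ -1,76 +0,0 @@
----
-include:
-- fwrules.ipsets.management
-- fwrules.ipsets.minions
-{% set chain_name = "INGRESS" %}
-{# [ (service, port, transport, sources), ... ] #}
-{% set ports = [
-("factorio-game", 34197, "udp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
-("factorio-rcon", 27017, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("mqtt-tcp", 1883, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("mqtt-ws", 1884, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("mqtts-tcp", 4883, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
-("mqtts-ws", 4884, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
-("icecast-direct", 9090, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("unifi-http", 8080, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
-("unifi-https", 8443, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("unifi-portal-http", 8880, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("unifi-portal-https", 8843, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("unifi-speed", 6789, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-("unifi-stun", 3478, "udp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
-] %}
-{% for family in ["ipv4", "ipv6"] %}
-{{ chain_name }} {{ family }}:
-iptables.chain_present:
-- name: {{ chain_name }}
-- family: {{ family }}
-{% for service, port, transport, sources in ports %}
-{% set addresses, ipsets = salt["minion_net.split_ips_ipsets"](sources.get(family, [])) %}
-{% for ipset in ipsets %}
-{% set set_name = "{}-{}".format(ipset, family) %}
-{{ chain_name }} {{ family }} {{ transport }} {{ service }} {{ ipset }}:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain_name }}
-- protocol: {{ transport }}
-- match: {{ ["set", transport] | tojson }}
-- set: {{ set_name }} src
-- dport: {{ port }}
-- jump: ACCEPT
-- require:
-- iptables: {{ chain_name }} {{ family }}
-{% endfor %}
-{% if addresses %}
-{{ chain_name }} {{ family }} {{ transport }} {{ service }} addresses:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain_name }}
-- protocol: {{ transport }}
-- match: {{ transport }}
-- source: {{ addresses | join(",") }}
-- dport: {{ port }}
-- jump: ACCEPT
-- require:
-- iptables: {{ chain_name }} {{ family }}
-{% endif %}
-{% endfor %}
-{% endfor %}
-{% for family in ["ipv4", "ipv6"] %}
-CHAINS entry {{ chain_name }} {{ family }}:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain_name }}
-- require:
-- iptables: {{ chain_name }} {{ family }}
-{% endfor %}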

86
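--- a/fwrules/chains/elasticsearch_cluster_private.sls
+++ b/fwrules/chains/elasticsearch_cluster_private.sls
@@ -1,86 +0,0 @@
----
-include:
-- fwrules.ipsets.minions
-elasticsearch_private ipv4 chain:
-iptables.chain_present:
-- name: elasticsearch_private
-- family: ipv4
-elasticsearch_private ipv4 input:
-iptables.append:
-- table: filter
-- family: ipv4
-- chain: CHAINS
-- jump: elasticsearch_private
-- require:
-- iptables: elasticsearch_private ipv4 chain
-elasticsearch_private ipv6 chain:
-iptables.chain_present:
-- name: elasticsearch_private
-- family: ipv6
-elasticsearch_private ipv6 input:
-iptables.append:
-- table: filter
-- family: ipv6
-- chain: CHAINS
-- jump: elasticsearch_private
-- require:
-- iptables: elasticsearch_private ipv6 chain
-es-ingest ipv4:
-iptables.append:
-- table: filter
-- family: ipv4
-- chain: elasticsearch_private
-- source: "10.1.0.0/24"
-- protocol: tcp
-- match: tcp
-- dport: 9200
-- jump: ACCEPT
-- require:
-- iptables: elasticsearch_private ipv4 chain
-es-transport ipv4:
-iptables.append:
-- table: filter
-- family: ipv4
-- chain: elasticsearch_private
-- source: "10.1.0.0/24"
-- protocol: tcp
-- match: tcp
-- dport: 9300
-- jump: ACCEPT
-- require:
-- iptables: elasticsearch_private ipv4 chain
-es-ingest ipv4 ipset:
-iptables.append:
-- table: filter
-- family: ipv4
-- chain: elasticsearch_private
-- match: [set, tcp]
-- set: minions-ipv4 src
-- protocol: tcp
-- dport: 9200
-- jump: ACCEPT
-- require:
-- iptables: elasticsearch_private ipv4 chain
-- ipset: ipv4 minions
-es-ingest ipv6 ipset:
-iptables.append:
-- table: filter
-- family: ipv6
-- chain: elasticsearch_private
-- match: [set, tcp]
-- set: minions-ipv6 src
-- protocol: tcp
-- dport: 9200
-- jump: ACCEPT
-- require:
-- iptables: elasticsearch_private ipv6 chain
-- ipset: ipv6 minions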

23
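--- a/fwrules/chains/elasticsearch_exporter_private.sls
+++ b/fwrules/chains/elasticsearch_exporter_private.sls
@@ -1,23 +0,0 @@
----
-include:
-- fwrules.ipsets.scrapers
-{% set ipset = "scrapers" %}
-{% for family in ["ipv4", "ipv6"] %}
-{% set setname = ipset ~ "-" ~ family %}
-es-exporter {{ ipset }} {{ family }} accept:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: EXPORTERS
-- protocol: tcp
-- set: {{ setname }} src
-- match: [set, tcp]
-- dport: 9114
-- jump: ACCEPT
-- require:
-- iptables: {{ family }} EXPORTERS chain
-- ipset: {{ family }} {{ ipset }}
-{% endfor %}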

38
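--- a/fwrules/chains/http_public.sls
+++ b/fwrules/chains/http_public.sls
@@ -1,38 +0,0 @@
----
-{% set chain = "http_public" %}
-{% set families = [
-("ipv4", ["0.0.0.0/0"]),
-("ipv6", ["::/0"]),
-] %}
-{% set ports = [
-("http", 80, "tcp"),
-("https", 443, "tcp"),
-] %}
-{% for family, addresses in families %}
-{{ chain }} {{ family }} chain:
-iptables.chain_present:
-- name: {{ chain }}
-- family: {{ family }}
-{{ chain }} {{ family }} input:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain }}
-{% for protocol, port, transport in ports %}
-{{ chain }} {{ family }} {{ protocol }} {{ transport }}:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain }}
-- source: {{ addresses | join(",") }}
-- protocol: {{ transport }}
-- match: {{ transport }}
-- dport: {{ port }}
-- jump: ACCEPT
-{% endfor %}
-{% endfor %}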

8
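--- a/fwrules/chains/init.sls
+++ b/fwrules/chains/init.sls
@@ -1,8 +0,0 @@
----
-{% from "fwrules/map.jinja" import firewall with context -%}
-include:
-{% for chain in firewall.get("chains", []) %}
-- {{ "fwrules.chains." ~ chain }}
-{% endfor %}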

36
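--- a/fwrules/chains/management.sls
+++ b/fwrules/chains/management.sls
@@ -1,36 +0,0 @@
----
-include:
-- fwrules.ipsets.management
-{% set ipset = "management" %}
-{% set chain = "management" %}
-{% for family in ["ipv4", "ipv6"] %}
-{{ family }} {{ chain }} chain:
-iptables.chain_present:
-- name: {{ chain }}
-- family: {{ family }}
-{{ family }} {{ chain }} CHAINS entry:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain }}
-- require:
-- iptables: {{ family }} {{ chain }} chain
-{% set setname = ipset ~ "-" ~ family %}
-{{ ipset }} {{ family }} accept:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain }}
-- set: {{ setname }} src
-- match: set
-- jump: ACCEPT
-- require:
-- ipset: {{ family }} {{ ipset }}
-- iptables: {{ family }} {{ chain }} chain
-{% endfor %}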

42
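--- a/fwrules/chains/matrix_public.sls
+++ b/fwrules/chains/matrix_public.sls
@@ -1,42 +0,0 @@
----
-{% set chain = "matrix" %}
-{% set families = [
-("ipv4", ["0.0.0.0/0"]),
-("ipv6", ["::/0"]),
-] %}
-{% set ports = [
-("matrix-server", 8448, "tcp"),
-("coturn-tls", 5349, "tcp"),
-("coturn-tls", 5349, "udp"),
-("coturn-alt", 5349, "tcp"),
-("coturn-alt", 5349, "udp"),
-("coturn-relay", "49152:65535", "udp"),
-] %}
-{% for family, addresses in families %}
-{{ chain }} {{ family }} chain:
-iptables.chain_present:
-- name: {{ chain }}
-- family: {{ family }}
-{{ chain }} {{ family }} input:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain }}
-{% for protocol, port, transport in ports %}
-{{ chain }} {{ family }} {{ protocol }} {{ transport }}:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain }}
-- source: {{ addresses | join(",") }}
-- protocol: {{ transport }}
-- match: {{ transport }}
-- dport: {{ port }}
-- jump: ACCEPT
-{% endfor %}
-{% endfor %}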

23
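--- a/fwrules/chains/node_exporter_private.sls
+++ b/fwrules/chains/node_exporter_private.sls
@@ -1,23 +0,0 @@
----
-include:
-- fwrules.ipsets.scrapers
-{% set ipset = "scrapers" %}
-{% for family in ["ipv4", "ipv6"] %}
-{% set setname = ipset ~ "-" ~ family %}
-node_exporter {{ ipset }} {{ family }} accept:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: EXPORTERS
-- protocol: tcp
-- set: {{ setname }} src
-- match: [set, tcp]
-- dport: 9100
-- jump: ACCEPT
-- require:
-- ipset: {{ family }} {{ ipset }}
-- iptables: {{ family }} EXPORTERS chain
-{% endfor %}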

46
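--- a/fwrules/chains/salt_private.sls
+++ b/fwrules/chains/salt_private.sls
@@ -1,46 +0,0 @@
----
-include:
-- fwrules.ipsets.minions
-{% set ipset = "minions" %}
-{% set chain = "salt_comm" %}
-{% set ports = [
-("grainsrv", 443, "tcp"),
-("salt-publish", 4505, "tcp"),
-("salt-return", 4506, "tcp"),
-("salt-api", 8000, "tcp"),
-] %}
-{% for family in ["ipv4", "ipv6"] %}
-{{ family }} {{ chain }} chain:
-iptables.chain_present:
-- name: {{ chain }}
-- family: {{ family }}
-{{ family }} {{ chain }} CHAINS input:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain }}
-- require:
-- iptables: {{ family }} {{ chain }} chain
-{% set setname = ipset ~ "-" ~ family %}
-{% for protocol, port, transport in ports %}
-salt {{ ipset }} {{ family }} {{ protocol }} {{ transport }}:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain }}
-- protocol: {{ transport }}
-- match: {{ ["set", transport] | tojson }}
-- set: {{ setname }} src
-- dport: {{ port }}
-- jump: ACCEPT
-- require:
-- ipset: {{ family }} {{ ipset }}
-- iptables: {{ family }} {{ chain }} chain
-{% endfor %}
-{% endfor %}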

41
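--- a/fwrules/chains/ssh_private.sls
+++ b/fwrules/chains/ssh_private.sls
@@ -1,41 +0,0 @@
----
-include:
-- fwrules.ipsets.minions
-{% set ipset = "minions" %}
-{% set chain = "critical_services" %}
-{% set ports = [
-("ssh", 22, "tcp"),
-] %}
-{% for family in ["ipv4", "ipv6"] %}
-{{ family }} {{ chain }} chain:
-iptables.chain_present:
-- name: {{ chain }}
-- family: {{ family }}
-{{ family }} {{ chain }} CHAINS input:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain }}
-{% set setname = ipset ~ "-" ~ family %}
-{% for protocol, port, transport in ports %}
-{{ protocol }} {{ ipset }} {{ family }} {{ transport }}:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain }}
-- protocol: {{ transport }}
-- match: {{ ["set", transport] | tojson }}
-- set: {{ setname }} src
-- dport: {{ port }}
-- jump: ACCEPT
-- require:
-- ipset: {{ family }} {{ ipset }}
-- iptables: {{ family }} {{ chain }} CHAINS input
-{% endfor %}
-{% endfor %}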

9
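--- a/fwrules/chains/usc2_privnet.sls
+++ b/fwrules/chains/usc2_privnet.sls
@@ -1,9 +0,0 @@
----
-usc2 privnet allow ipv4:
-iptables.append:
-- table: filter
-- family: ipv4
-- chain: USER
-- source: "10.200.0.0/24"
-- jump: ACCEPT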

37
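--- a/fwrules/chains/vault_private.sls
+++ b/fwrules/chains/vault_private.sls
@@ -1,37 +0,0 @@
----
-include:
-- fwrules.ipsets.minions
-{% set ipset = "minions" %}
-{% set chain = "vault" %}
-{% for family in ["ipv4", "ipv6"] %}
-{{ family }} {{ chain }} chain:
-iptables.chain_present:
-- name: {{ chain }}
-- family: {{ family }}
-{{ family }} {{ chain }} CHAINS input:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: CHAINS
-- jump: {{ chain }}
-- require:
-- iptables: {{ family }} {{ chain }} chain
-{% set setname = ipset ~ "-" ~ family %}
-vault {{ ipset }} {{ family }} accept:
-iptables.append:
-- table: filter
-- family: {{ family }}
-- chain: {{ chain }}
-- protocol: tcp
-- set: {{ setname }} src
-- match: [set, tcp]
-- dport: 8200
-- jump: ACCEPT
-- require:
-- ipset: {{ family }} {{ ipset }}
-- iptables: {{ family }} {{ chain }} chain
-{% endfor %}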

7
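--- a/fwrules/ipsets/init.sls
+++ b/fwrules/ipsets/init.sls
@@ -1,7 +0,0 @@
----
-include:
-- base.packages
-- fwrules.ipsets.management
-- fwrules.ipsets.minions
-- fwrules.ipsets.scrapers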

43
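--- a/fwrules/ipsets/management.sls
+++ b/fwrules/ipsets/management.sls
@@ -1,43 +0,0 @@
-#!pydsl
-import itertools
-import socket
-from copy import copy
-from salt.utils import network
-pillar = __salt__["pillar.get"]
-public_addresses = __salt__.minion_net.public_addresses
-names = pillar("firewall:management:resolve_names", [])
-resolved_v4, resolved_v6 = __salt__.minion_net.flatten_hostnames(names)
-families = [
-("ipv4", itertools.chain(
-pillar("firewall:management:ipv4", []),
-public_addresses("app:builder", target_type="glob", addr_type="ipv4"),
-public_addresses("app:saltbox", target_type="glob", addr_type="ipv4"),
-resolved_v4,
-)),
-("ipv6", itertools.chain(
-pillar("firewall:management:ipv6", []),
-public_addresses("app:builder", target_type="glob", addr_type="ipv6"),
-public_addresses("app:saltbox", target_type="glob", addr_type="ipv6"),
-resolved_v6,
-)),
-]
-ipset = "management"
-for family, addresses in families:
-setname = "{}-{}".format(ipset, family)
-state("{} {}".format(family, ipset)).ipset.set_present(
-name=setname,
-set_type="hash:net",
-family=family,
-).require(pkg="ipset")
-if addresses:
-state("{} {} addresses".format(family, ipset)).ipset.present(
-set_name=setname,
-entry=list(addresses),
-family=family
-).require(ipset="{} {}".format(family, ipset))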

22
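--- a/fwrules/ipsets/minions.sls
+++ b/fwrules/ipsets/minions.sls
@@ -1,22 +0,0 @@
-#!pydsl
-families = [
-("ipv4", __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv4")),
-("ipv6", __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv6")),
-]
-ipset = "minions"
-for family, addresses in families:
-setname = "{}-{}".format(ipset, family)
-state("{} {}".format(family, ipset)).ipset.set_present(
-name=setname,
-set_type="hash:net",
-family=family,
-).require(pkg="ipset")
-if addresses:
-state("{} {} addresses".format(family, ipset)).ipset.present(
-set_name=setname,
-entry=addresses,
-family=family
-).require(ipset="{} {}".format(family, ipset))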

22
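--- a/fwrules/ipsets/scrapers.sls
+++ b/fwrules/ipsets/scrapers.sls
@@ -1,22 +0,0 @@
-#!pydsl
-families = [
-("ipv4", __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv4")),
-("ipv6", __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv6")),
-]
-ipset = "scrapers"
-for family, addresses in families:
-setname = "{}-{}".format(ipset, family)
-state("{} {}".format(family, ipset)).ipset.set_present(
-name=setname,
-set_type="hash:net",
-family=family,
-).require(pkg="ipset")
-if addresses:
-state("{} {} addresses".format(family, ipset)).ipset.present(
-set_name=setname,
-entry=addresses,
-family=family
-).require(ipset="{} {}".format(family, ipset))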

103
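--- a/fwrules/templates/chains.nft.j2
+++ b/fwrules/templates/chains.nft.j2
@@ -0,0 +1,103 @@
+chain concourse-worker {
+define ports = {
+22, # ssh
+7777, # concourse-atc
+7778, # concourse-baggageclaim
+}
+ip saddr { 107.155.67.65/29 } tcp dport $ports accept
+ip6 saddr { 2604:880:396::/48 } tcp dport $ports accept
+}
+chain docker-usc2-ingress {
+# factorio game
+udp dport 34197 accept
+# factorio rcon
+ip saddr $management4 tcp dport 27017 accept
+ip6 saddr $management6 tcp dport 27017 accept
+# icecast direct
+ip saddr $management4 tcp port 9090 accept
+ip6 saddr $management6 tcp port 9090 accept
+# unifi
+define unifi_ports_tcp = {
+8443, # unifi-https
+8880, # unifi-portal-http
+8843, # unifi-portal-https
+6789, # unifi-speed
+}
+define unifi_ports_udp = {
+3478, # unifi-stun
+}
+# unifi http
+tcp dport 8080 accept
+ip saddr $management4 tcp port $unifi_ports_tcp accept
+ip saddr $management4 udp port $unifi_ports_udp accept
+ip6 saddr $management6 tcp port $unifi_ports_tcp accept
+ip6 saddr $management6 udp port $unifi_ports_udp accept
+}
+chain elasticsearch-cluster {
+ip saddr 10.1.0.0/24 tcp dport { 9200, 9300 } accept
+# external node ingress
+ip saddr $minions4 tcp dport 9200 accept
+ip6 saddr $minions6 tcp dport 9200 accept
+# elasticsearch exporter
+ip saddr $scrapers4 tcp dport 9114 accept
+ip6 saddr $scrapers6 tcp dport 9114 accept
+}
+chain http-public {
+tcp dport { 80, 443 } accept
+}
+chain matrix-public {
+define ports_tcp = {
+8448, # matrix-server
+3478, # coturn-plain
+5349, # coturn-tls
+}
+define ports_udp = {
+3478, # coturn-plain
+5349, # coturn-tls
+49152-65535, # coturn-relay
+}
+tcp dport $ports_tcp accept
+udp dport $ports_udp accept
+}
+chain node-exporter-private {
+ip saddr $scrapers4 tcp dport 9100 accept
+ip6 saddr $scrapers6 tcp dport 9100 accept
+}
+chain salt-private {
+define ports_tcp = {
+443, # grainsrv
+4505, # salt-publish
+4506, # salt-return
+8000, # salt-api
+}
+ip saddr $minions4 tcp dport $ports_tcp accept
+ip6 saddr $minions6 tcp dport $ports_tcp accept
+}
+chain critical-services {
+define ports_tcp = {
+22, # ssh
+}
+ip saddr $minions4 tcp dport $ports_tcp accept
+ip6 saddr $minions6 tcp dport $ports_tcp accept
+}
+chain usc2-privnet {
+ip saddr 10.200.0.0/24 accept
+}
+chain vault-private {
+define ports_tcp = {
+8200, # vault
+}
+ip saddr $minions4 tcp dport $ports_tcp accept
+ip6 saddr $minions6 tcp dport $ports_tcp accept
+}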
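Review bot: The icecast and unifi rules in `docker-usc2-ingress` (`ip saddr $management4 tcp port 9090 accept`, its ip6 twin, and the four `$unifi_ports_tcp`/`$unifi_ports_udp` lines) use `tcp port` / `udp port`, while every other rule in the file and the removed docker_ingress.sls match on `dport`; as far as I know nft's tcp/udp expressions only take `dport` or `sport`, so these six lines should fail at load, and if some nft build did accept them they would not be the destination-port restriction that was intended — change each to the `dport` form, e.g. `ip saddr $management4 tcp dport 9090 accept`. The concourse-worker source `107.155.67.65/29` is not on a /29 boundary and differs from both the `107.155.67.64/29` in sets.nft.j2's `management4` and the removed concourse_worker.sls, so it looks like a typo for `.64/29`; since it decides who can reach ssh and the concourse ports it is worth confirming. The mqtt ports (1883, 1884, 4883, 4884) that the removed docker_ingress.sls opened have no counterpart in `docker-usc2-ingress`; if dropping them is deliberate, a one-line comment there saying so would stop the next reader treating it as an omission. Several chains each declare their own `ports_tcp`; this relies on `define` being chain-scoped in the target nft version — worth a header comment naming the minimum nft version the template was tested against.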

50
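--- a/fwrules/templates/sets.nft.j2
+++ b/fwrules/templates/sets.nft.j2
@@ -0,0 +1,50 @@
+#!/usr/sbin/nft -f
+{% set public_addresses = salt["minion_net.public_addresses"] %}
+{% set priv4 = (
+public_addresses("app:builder", target_type="grain", addr_type="ipv4") ~
+public_addresses("app:saltbox", target_type="grain", addr_type="ipv4")
+) %}
+{% set priv6 = (
+public_addresses("app:builder", target_type="grain", addr_type="ipv6") ~
+public_addresses("app:saltbox", target_type="grain", addr_type="ipv6")
+) %}
+define management4 = {
+adephagia.synology.me,
+107.155.67.64/29,
+{% for addr in priv4 %}
+{{ addr }},
+{% endfor %}
+}
+define management6 = {
+2604:880:396::/48,
+{% for addr in priv6 %}
+{{ addr }},
+{% endfor %}
+}
+define scrapers4 = {
+{% for addr in public_addresses("app:metrics", target_type="grain", addr_type="ipv4") %}
+{{ addr }},
+{% endfor %}
+}
+define scrapers6 = {
+{% for addr in public_addresses("app:metrics", target_type="grain", addr_type="ipv6") %}
+{{ addr }},
+{% endfor %}
+}
+define minions4 = {
+{% for addr in public_addresses("*", target_type="glob", addr_type="ipv4") %}
+{{ addr }},
+{% endfor %}
+}
+define minions6 = {
+{% for addr in public_addresses("*", target_type="glob", addr_type="ipv6") %}
+{{ addr }},
+{% endfor %}
+}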
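Review bot: `priv4` and `priv6` are built with the Jinja `~` operator, which is string concatenation; if `minion_net.public_addresses` returns a list (the removed ipsets/management.sls fed the same calls through `itertools.chain` and `list(...)`, so it appears to), `~` stringifies both lists and `{% for addr in priv4 %}` then iterates over the characters of the repr, and `management4` — the set that gates rcon, icecast and the unifi admin ports — cannot load. Use list concatenation instead: `{% set priv4 = public_addresses("app:builder", target_type="grain", addr_type="ipv4") + public_addresses("app:saltbox", target_type="grain", addr_type="ipv4") %}`, and the same for `priv6`. The removed pydsl states only emitted entries when the address list was non-empty, whereas here a `scrapers4`/`minions6` loop with no matching minions leaves `define … = { }`, which I believe nft rejects, taking the whole ruleset down on a fresh deployment; guard each loop with `{% if %}` or document why that cannot happen. `adephagia.synology.me` inside `management4` makes the management allowlist depend on DNS at `nft -f` time — a lookup failure blocks the load and a stale or spoofed answer widens the trusted set — so a comment recording that trade-off (the old state resolved names from pillar `firewall:management:resolve_names` via `flatten_hostnames`) would help the next operator.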