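{%- set grains = salt["grains.get"] -%}
{%- set nodetype = grains("app") -%}
{%- set datacenter = grains("datacenter") -%}
#!/usr/sbin/nft -f
# Salt-rendered input/output filter. Which extra perimeter chains are
# jumped to is decided at render time from the "app" and "datacenter"
# grains; $management4/$management6 and the jump targets are expected to
# be defined by the two included files.
table inet firewall {
    include "/etc/firewall/sets.nft";
    include "/etc/firewall/chains.nft";

    chain input {
        type filter hook input priority -10; policy drop;

        # Neighbor Discovery is link-local only: RFC 4861 requires a hop
        # limit of 255 on NS/NA/RA, so anything with a lower hop limit has
        # been forwarded and is not a legitimate on-link message. Such
        # packets fall through to the logged drop at the end of the chain.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hlim 255 accept
        # Ping is answered from any source.
        icmpv6 type echo-request accept

        # Accept established and related, but drop invalid
        ct state established,related accept
        ct state invalid drop

        # Loopback and the docker0 bridge are accepted unconditionally.
        iifname lo accept
        iifname docker0 accept

        # Allow all from management
        ip saddr $management4 accept
        ip6 saddr $management6 accept

        # Extra perimeter chains common to every node.
        jump critical_services
        jump node_exporter_private
        jump http_public

        # Datacenter-specific private networks.
        {%- if datacenter == "usc2" %}
        jump usc2_privnet
        {%- elif datacenter == "int" %}
        jump int_privnet
        {%- endif %}

        # Role-specific services, keyed on the "app" grain.
        {%- if nodetype == "builder" %}
        jump concourse_worker
        {%- elif nodetype == "matrix" %}
        jump matrix_public
        {%- elif nodetype == "saltbox" %}
        jump salt_private
        {%- elif nodetype == "vault" %}
        jump vault_private
        {%- endif %}

        # Elasticsearch cluster traffic is only opened on fsn1 data/master
        # nodes and the vector shippers there.
        {%- if nodetype in ["es-data", "es-master", "vector"] and datacenter == "fsn1" %}
        jump elasticsearch_cluster
        {%- endif %}

        # Docker ingress is only exposed on usc2 docker hosts.
        {%- if nodetype == "docker" and datacenter == "usc2" %}
        jump docker_usc2_ingress
        {%- endif %}

        # Don't insert any rules after this log.
        log prefix "nft-blocked " flags all counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}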