Allow AWS DNS queries through the firewall
authorTom Hughes <tom@compton.nu>
Sun, 5 Mar 2023 12:40:05 +0000 (12:40 +0000)
committerTom Hughes <tom@compton.nu>
Sun, 5 Mar 2023 12:47:42 +0000 (12:47 +0000)
cookbooks/networking/attributes/default.rb
cookbooks/networking/templates/default/nftables.conf.erb
roles/palulukon.rb

index eb4ffbc404c022a1321648acd0d7b5ff982de79f..37e0b6533271db22790ad11bacde10a3ae3771ee 100644 (file)
@@ -11,6 +11,7 @@ default[:networking][:firewall][:log] = true
 default[:networking][:firewall][:mark] = true
 default[:networking][:firewall][:raw] = true
 default[:networking][:firewall][:mangle] = true
+default[:networking][:firewall][:whitelist] = []
 default[:networking][:roles] = {}
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = %w[8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844]
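Review bot: The new `whitelist` default carries no comment saying what it exempts or what shape its entries must have, although the template that consumes it in this commit (nftables.conf.erb) pastes the entries verbatim into an `ip saddr != { … }` / `ip daddr != { … }` set, so only IPv4 addresses or prefixes in nftables syntax are valid and an IPv6 entry would presumably make nft reject the ruleset. A one-line comment above the default would spare the next reader a trip through the template, e.g. `# IPv4 addresses/prefixes exempted from the private-address drop rules in nftables.conf.erb; values are interpolated into an nftables set unchanged`.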
index 8594cc24498a0a05b64f74ff027fb872cc77934a..2545c97c868c733d8b2052e9aa11be0d53a3d0da 100644 (file)
@@ -64,7 +64,11 @@ table inet filter {
   }
 
   chain incoming {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip saddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 saddr { $ip6-private-addresses } jump log-and-drop
 
     ip saddr @ip-blacklist jump log-and-drop
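Review bot: The added `ip saddr != { … }` clause exempts every whitelisted address from the private-address drop for all protocols and ports, whereas the commit title only needs DNS traffic with the AWS resolver; the outgoing rule in the second hunk of this file has the same width. A narrower form keeps the existing drop line unchanged and puts a port-scoped exception ahead of it, e.g. for outgoing `ip daddr { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } udp dport 53 accept` (with a `tcp dport 53` twin for truncated responses) and for incoming the mirror image on `ip saddr` with `udp sport 53`; whether `accept` or `return` is the right verdict depends on the rest of each chain, which lies outside the hunks. The incoming exception is only needed because these drops are the first rules of `chain incoming`, ahead of any established/related match; if such a match exists later in the chain, moving it before the drop would remove the need for a source-address exemption altogether. Both `chain incoming` and `chain outgoing` open in these hunks and close outside them.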
@@ -98,7 +102,11 @@ table inet filter {
   }
 
   chain outgoing {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip daddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip daddr { $ip-private-addresses } ip daddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 daddr { $ip6-private-addresses } jump log-and-drop
 
 <%- node[:networking][:firewall][:outgoing].each do |rule| %>
index 69183cb9eb56f66a2f736c5f5047d2e1957ab9a5..9045e7bcc7833bc8a22af088246bbfdc627a95a8 100644 (file)
@@ -3,6 +3,9 @@ description "Master role applied to palulukon"
 
 default_attributes(
   :networking => {
+    :firewall => {
+      :whitelist => ["172.31.0.2"]
+    },
     :interfaces => {
       :external_ipv4 => {
         :interface => "ens5",
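Review bot: The literal `"172.31.0.2"` is unexplained in the role; the commit title ties it to AWS DNS, but nothing in the file does, and the value is VPC-specific (it matches the Amazon-provided resolver of a default 172.31.0.0/16 VPC, at the network address plus two). A comment on the entry, `:whitelist => ["172.31.0.2"] # AWS VPC resolver, exempted from the private-address firewall drop`, would keep that context next to the data so a future VPC change is made in the right place.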