From 4ae23398ffb24aebf67db392cdea316d8550f6da Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 5 Mar 2023 12:40:05 +0000
Subject: [PATCH] Allow AWS DNS queries through the firewall

---
 cookbooks/networking/attributes/default.rb | 1 +
 cookbooks/networking/templates/default/nftables.conf.erb | 8 ++++++++
 roles/palulukon.rb | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index eb4ffbc40..37e0b6533 100644
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -11,6 +11,7 @@ default[:networking][:firewall][:log] = true
 default[:networking][:firewall][:mark] = true
 default[:networking][:firewall][:raw] = true
 default[:networking][:firewall][:mangle] = true
+default[:networking][:firewall][:whitelist] = []
 default[:networking][:roles] = {}
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = %w[8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844]
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 8594cc244..2545c97c8 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -64,7 +64,11 @@ table inet filter {
   }
 
   chain incoming {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip saddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 saddr { $ip6-private-addresses } jump log-and-drop
 
     ip saddr @ip-blacklist jump log-and-drop
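Review bot: The added `ip saddr != { <%= ... %> }` line interpolates the whitelist entries straight into nftables syntax with no validation, so a malformed attribute value (anything that is not an IPv4 address or prefix, including an IPv6 entry) would break the rendered ruleset at load time rather than fail safely; checking each entry with `IPAddr.new` in the recipe or template before rendering would turn that into a clear Chef error. The exemption also lifts the private-address drop for all traffic from a whitelisted source, not just DNS as the commit title describes, and whether such packets are then accepted or dropped depends on the later rules of `chain incoming`, which lie outside this hunk; a comment on the attribute or the rule stating the intended scope would help a later reader. The same two points apply to the `chain outgoing` hunk below.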
@@ -98,7 +102,11 @@ table inet filter {
   }
 
   chain outgoing {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip daddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip daddr { $ip-private-addresses } ip daddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 daddr { $ip6-private-addresses } jump log-and-drop
 
 <%- node[:networking][:firewall][:outgoing].each do |rule| %>
diff --git a/roles/palulukon.rb b/roles/palulukon.rb
index 69183cb9e..9045e7bcc 100644
--- a/roles/palulukon.rb
+++ b/roles/palulukon.rb
@@ -3,6 +3,9 @@ description "Master role applied to palulukon"
 
 default_attributes(
   :networking => {
+    :firewall => {
+      :whitelist => ["172.31.0.2"]
+    },
     :interfaces => {
       :external_ipv4 => {
         :interface => "ens5",
-- 
2.39.5
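Review bot: The literal `"172.31.0.2"` on the added `:whitelist` line carries no explanation of what host it is or why it must be exempted from the private-address drop; only the commit title suggests it is the AWS-provided DNS resolver. A one-line comment above the entry, such as `# Amazon-provided VPC DNS resolver, exempted from the private-address drop in nftables.conf.erb`, would stop a later reader from removing or widening it without understanding the effect. Because this role value replaces the empty cookbook default, it is also the only place the exemption is visible, which makes the comment more valuable here than in the attributes file.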