Replace iptables by nftables
cmd-ntrf committed Dec 17, 2024
1 parent 5d5ba6a commit e96e1be
Showing 13 changed files with 89 additions and 34 deletions.
2 changes: 1 addition & 1 deletion Puppetfile
Expand Up @@ -19,14 +19,14 @@ mod 'puppet-healthcheck', '2.1.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-logrotate', '7.1.0'
mod 'puppet-nfs', '3.0.0'
mod 'puppet-nftables', '4.0.0'
mod 'puppet-prometheus', '15.0.0'
mod 'puppet-rsyslog', '7.1.0'
mod 'puppet-selinux', '5.0.0'
mod 'puppet-squid', '5.1.0'
mod 'puppet-systemd', '7.1.0'
mod 'puppet-yum', '7.1.0'
mod 'puppetlabs-concat', '9.0.2'
mod 'puppetlabs-firewall', '8.1.2'
mod 'puppetlabs-inifile', '6.1.1'
mod 'puppetlabs-lvm', '2.3.0'
mod 'puppetlabs-motd', '7.1.0'
3 changes: 3 additions & 0 deletions data/site.yaml
Expand Up @@ -10,6 +10,7 @@ lookup_options:
magic_castle::site::all:
- profile::base
- profile::consul
- profile::firewall
- profile::freeipa
- profile::users::local
- profile::sssd::client
Expand Down Expand Up @@ -58,5 +59,7 @@ magic_castle::site::tags:
- profile::jupyterhub::hub
- profile::jupyterhub::hub::keytab
- profile::reverse_proxy
puppet:
- profile::puppetserver
efa:
- profile::efa
25 changes: 0 additions & 25 deletions site/profile/manifests/base.pp
Expand Up @@ -56,31 +56,6 @@
ensure => 'installed',
}

package { 'firewalld':
ensure => 'absent',
}

class { 'firewall':
tag => 'mc_bootstrap',
}

firewall { '001 accept all from local network':
chain => 'INPUT',
proto => 'all',
source => profile::getcidr(),
action => 'accept',
tag => 'mc_bootstrap',
}

firewall { '001 drop access to metadata server':
chain => 'OUTPUT',
proto => 'tcp',
destination => '169.254.169.254',
action => 'drop',
uid => '! root',
tag => 'mc_bootstrap',
}

package { 'haveged':
ensure => 'installed',
require => Yumrepo['epel'],
7 changes: 7 additions & 0 deletions site/profile/manifests/consul.pp
Expand Up @@ -14,6 +14,13 @@
$retry_join = $servers
}

nftables::rule { 'default_in-consul_tcp':
content => 'tcp dport {8300,8301,8302,8500,8501,8502,8503,8600} accept comment "Accept consul"',
}
nftables::rule { 'default_in-consul_udp':
content => 'udp dport {8301,8302,8600} accept comment "Accept consul"',
}

class { 'consul':
config_mode => '0640',
acl_api_token => lookup('profile::consul::acl_api_token'),
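Review bot: The two rules added as `default_in-consul_tcp` and `default_in-consul_udp` accept Consul's ports — including the 8500/8501 HTTP API and 8600 DNS — from any source, whereas the `001 accept all from local network` rule this commit removes from base.pp limited that traffic to `profile::getcidr()`. Unless a cloud security group already enforces the boundary, the content should carry a source match, e.g. `$cidr = profile::getcidr()` and `content => "ip saddr ${cidr} tcp dport {8300,8301,8302,8500,8501,8502,8503,8600} accept comment \"Accept consul\""` (with an `ip6 saddr` twin if the cluster network is dual-stack). The same unrestricted-accept pattern appears in the mokey rule in freeipa.pp, both rules in jupyterhub.pp, the slurmdbd/slurmctld/slurmd/srun rules in slurm.pp, and the node_exporter and nfs includes in metrics.pp and nfs.pp. The enclosing class starts before the hunk.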
4 changes: 3 additions & 1 deletion site/profile/manifests/fail2ban.pp
Expand Up @@ -4,7 +4,9 @@
include epel

class { 'fail2ban' :
whitelist => ['127.0.0.1/8', profile::getcidr()] + $ignoreip,
banaction => 'nftables-multiport',
iptables_chain => 'input',
whitelist => ['127.0.0.1/8', profile::getcidr()] + $ignoreip,
}

file_line { 'fail2ban_sshd_recv_disconnect':
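Review bot: `iptables_chain => 'input'` deserves a why-comment, because with `banaction => 'nftables-multiport'` the value is no longer an iptables chain name: as far as I recall, fail2ban's nftables action substitutes it as the hook of the chain it creates in its own inet `f2b-table`, so lowercase `input` is what nft expects rather than the old `INPUT`. Suggested comment: `# with the nftables banaction, 'chain' becomes the nft hook name ('input'), not an iptables chain`. It also pairs with `noflush_tables => ['inet-f2b-table']` in profile::firewall, which is what keeps active bans from being flushed on an nftables reload; naming that dependency here helps the next reader. The enclosing class starts before the hunk.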
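--- /dev/null
+++ b/site/profile/manifests/firewall.pp
@@ -0,0 +1,14 @@
+class profile::firewall {
+tag 'mc_bootstrap'
+class { 'nftables':
+out_all => true,
+noflush_tables => ['inet-f2b-table'],
+}
+
+# Do not let user get access to cloud-init metadata server as it could
+# include sensitive information.
+nftables::rule { 'default_out-drop_metadata':
+content => 'ip daddr 169.254.169.254 skuid != 0 drop comment "Drop metadata server"',
+order => '89',
+}
+}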
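Review bot: `order => '89'` on `default_out-drop_metadata` needs a why-comment: the drop only takes effect if it sorts before the accept-everything output rule that `out_all => true` installs, and a reader cannot tell that from the bare number; suggested: `# order 89: must sort before the out_all accept rule or the drop never matches`. This commit also deletes `package { 'firewalld': ensure => 'absent' }` from base.pp without an explicit replacement; I believe puppet-nftables disables and masks firewalld by default, but two rulesets loading on the same host would be a silent failure mode, so confirm that default or keep the package resource. The rule matches `ip daddr` only; if any target cloud exposes an IPv6 metadata endpoint, an `ip6 daddr` twin is needed.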
30 changes: 30 additions & 0 deletions site/profile/manifests/freeipa.pp
Expand Up @@ -197,6 +197,28 @@
include profile::freeipa::base
include profile::sssd::client

include nftables::rules::dns
include nftables::rules::http
include nftables::rules::https
include nftables::rules::ldap
include nftables::rules::ssdp

nftables::rule { 'default_in-kerberos_tcp':
content => 'tcp dport 88 accept comment "Accept kerberos"',
}
nftables::rule { 'default_in-kerberos_udp':
content => 'udp dport 88 accept comment "Accept kerberos"',
}
nftables::rule { 'default_in-kpasswd_tcp':
content => 'tcp dport 464 accept comment "Accept kpasswd"',
}
nftables::rule { 'default_in-kpasswd_udp':
content => 'udp dport 464 accept comment "Accept kpasswd"',
}
nftables::rule { 'default_in-kadmind':
content => 'tcp dport 749 accept comment "Accept kadmind"',
}

file { 'kinit_wrapper':
path => '/usr/bin/kinit_wrapper',
source => 'puppet:///modules/profile/freeipa/kinit_wrapper',
Expand Down Expand Up @@ -269,6 +291,10 @@
require => [
Package['ipa-server-dns'],
File['/etc/hosts'],
Class['nftables::rules::dns'],
Class['nftables::rules::https'],
Class['nftables::rules::ldap'],
Class['nftables::rules::ssdp'],
],
notify => [
Service['systemd-logind'],
Expand Down Expand Up @@ -454,6 +480,10 @@
) {
include mysql::server

nftables::rule { 'default_in-mokey_tcp':
content => 'tcp dport 12345 accept comment "Accept mokey"',
}

yumrepo { 'mokey-copr-repo':
enabled => true,
descr => 'Copr repo for mokey owned by cmdntrf',
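Review bot: `include nftables::rules::ssdp` (and the matching `Class['nftables::rules::ssdp']` in the server's `require` list) opens UDP 1900, the SSDP discovery port, which is not one of FreeIPA's ports; FreeIPA needs 80/443, 389/636, 88/464, 53 and optionally 123/udp, and as far as I can tell `nftables::rules::ldap` covers 389 only. If LDAPS was the intent, drop the ssdp include and add `nftables::rule { 'default_in-ldaps': content => 'tcp dport 636 accept comment "Accept ldaps"', }` (no 636 rule appears elsewhere in this diff); otherwise a comment explaining why SSDP is wanted on an identity server would help. The enclosing classes start before their hunks.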
6 changes: 6 additions & 0 deletions site/profile/manifests/jupyterhub.pp
Expand Up @@ -16,6 +16,9 @@
}
include profile::slurm::submitter

nftables::rule { 'default_in-jupyterhub_tcp':
content => 'tcp dport 8081 accept comment "Accept jupyterhub"',
}
consul::service { 'jupyterhub':
port => 8081,
tags => ['jupyterhub'],
Expand All @@ -40,6 +43,9 @@
Class['profile::software_stack'] -> Class['jupyterhub::kernel::venv']
}
}
nftables::rule { 'default_in-jupyter_server':
content => "tcp dport 32768-60999 accept comment \"Accept jupyter_server\"",
}
}

class profile::jupyterhub::hub::keytab {
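Review bot: `default_in-jupyter_server` uses a double-quoted content string with escaped inner quotes although nothing is interpolated; the neighbouring `default_in-jupyterhub_tcp` shows the cleaner form: `content => 'tcp dport 32768-60999 accept comment "Accept jupyter_server"',`. The range 32768-60999 is the kernel's default ephemeral port range and is repeated verbatim in slurm.pp's `default_in-slurm_srun`; hoisting it into one lookup (e.g. a hiera key named along the lines of `profile::ephemeral_ports` — constructed name) keeps the two in sync and gives a place to document why an inbound accept covers every dynamic port on the host. The enclosing classes start before their hunks.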
1 change: 1 addition & 0 deletions site/profile/manifests/metrics.pp
Expand Up @@ -5,6 +5,7 @@
class profile::metrics::node_exporter {
include profile::consul
include prometheus::node_exporter
include nftables::rules::node_exporter
consul::service { 'node-exporter':
port => 9100,
tags => ['node-exporter'],
1 change: 1 addition & 0 deletions site/profile/manifests/nfs.pp
Expand Up @@ -48,6 +48,7 @@
Array[String] $no_root_squash_tags = ['mgmt']
) {
include profile::volumes
include nftables::rules::nfs

$nfs_domain = lookup('profile::nfs::domain')
class { 'nfs':
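--- /dev/null
+++ b/site/profile/manifests/puppetserver.pp
@@ -0,0 +1,5 @@
+class profile::puppetserver {
+tag 'mc_bootstrap'
+include profile::firewall
+include nftables::rules::puppet
+}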
10 changes: 3 additions & 7 deletions site/profile/manifests/reverse_proxy.pp
Expand Up @@ -4,20 +4,16 @@
Hash[String, Array[String]] $remote_ips = {},
String $main2sub_redir = 'jupyter',
) {
include profile::firewall

selinux::boolean { 'httpd_can_network_connect': }

selinux::module { 'caddy':
ensure => 'present',
source_pp => 'puppet:///modules/profile/reverse_proxy/caddy.pp',
}

firewall { '200 httpd public':
chain => 'INPUT',
dport => [80, 443],
proto => 'tcp',
source => '0.0.0.0/0',
action => 'accept',
}
include nftables::rules::https

yumrepo { 'caddy-copr-repo':
enabled => true,
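Review bot: The removed `200 httpd public` rule accepted TCP 80 and 443, but the replacing `include nftables::rules::https` covers only 443 as far as I recall of puppet-nftables, so plain-HTTP redirects and any ACME HTTP-01 challenge Caddy answers on port 80 are now blocked. If port 80 is still wanted, add `include nftables::rules::http` next to it; if dropping 80 is deliberate, a one-line comment saying so would stop the next reader from re-adding it. The enclosing class starts before the hunk.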
15 changes: 15 additions & 0 deletions site/profile/manifests/slurm.pp
Expand Up @@ -305,6 +305,10 @@
before => Service['slurmctld']
}

nftables::rule { 'default_in-slurmdbd':
content => "tcp dport ${dbd_port} accept comment \"Accept slurmdbd\"",
}

consul::service { 'slurmdbd':
port => $dbd_port,
require => Tcp_conn_validator['consul'],
Expand Down Expand Up @@ -477,6 +481,10 @@
),
}

nftables::rule { 'default_in-slurmctld':
content => 'tcp dport 6817 accept comment "Accept slurmctld"',
}

consul::service { 'slurmctld':
port => 6817,
require => Tcp_conn_validator['consul'],
Expand Down Expand Up @@ -527,6 +535,10 @@
) {
contain profile::slurm::base

nftables::rule { 'default_in-slurmd':
content => 'tcp dport 6818 accept comment "Accept slurmd"',
}

package { ['slurm-slurmd', 'slurm-pam_slurm']:
ensure => 'installed',
require => Package['slurm'],
Expand Down Expand Up @@ -738,4 +750,7 @@
# controller through Slurm command-line tools.
class profile::slurm::submitter {
contain profile::slurm::base
nftables::rule { 'default_in-slurm_srun':
content => "tcp dport 32768-60999 accept comment \"Accept srun\"",
}
}
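Review bot: `default_in-slurmctld` and `default_in-slurmd` hard-code 6817 and 6818 while the adjacent `consul::service` entries repeat the same literals, unlike `default_in-slurmdbd`, which interpolates `${dbd_port}`; a local `$ctld_port = 6817` (and `$slurmd_port = 6818`) used by both the rule and the service keeps the two from drifting apart. `default_in-slurm_srun` also uses a double-quoted string with escaped quotes though nothing is interpolated; `content => 'tcp dport 32768-60999 accept comment "Accept srun"',` reads like the other rules. The classes enclosing the first three hunks start before them.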
