diff --git a/roles/gw/templates/nftables.conf b/roles/gw/templates/nftables.conf
index a062c50..548d313 100644
--- a/roles/gw/templates/nftables.conf
+++ b/roles/gw/templates/nftables.conf
@@ -26,59 +26,16 @@ table inet filter { # SOWN define NET_SOWNLAN4 = 10.5.0.0/24 define NET_SOWNROUTED4 = 152.78.103.160/27 - define NET_SOWNGW4 = {152.78.103.236 comment "gw", 152.78.103.237 comment "gw2"} - - define NET_LEGACY_BGP4 = { - 10.5.0.239 comment "auth2", - 10.5.0.243 comment "monitor", - 10.5.0.252 comment "gw", - 10.5.0.253 comment "gw2" - } - define NET_LEGACY_BGP6 = { - 2001:630:d0:f700::239 comment "auth2", - 2001:630:d0:f700::243 comment "monitor", - 2001:630:d0:f700::252 comment "gw", - 2001:630:d0:f700::253 comment "gw2", - } + define NET_SOWNGW4 = {152.78.103.236 comment "gw-b53", 152.78.103.237 comment "gw-b32"} # SOWN HOSTS - - define HOST_LOGIN_4 = 152.78.103.165 - define HOST_LOGIN_6 = 2001:630:d0:f700::209 - - define HOST_LOGIN2_4 = 152.78.103.168 - define HOST_LOGIN2_6 = 2001:630:d0:f700::208 define HOST_AUTH2_4 = 152.78.103.166 define HOST_AUTH2_6 = 2001:630:d0:f700::239 - define HOST_GIT_4 = 10.5.0.234 - define HOST_GIT_6 = 2001:630:d0:f700::234 - - define HOST_MONITOR_4 = {152.78.103.164, 10.5.0.243} - define HOST_MONITOR_6 = 2001:630:d0:f700::243 - define HOST_BACKUP3_4 = 10.5.0.247 define HOST_BACKUP3_6 = 2001:630:d0:f700::247 - define HOST_WEBSDR_4 = 152.78.103.190 - define HOST_WEBSDR_6 = 2001:630:d0:f700::218 - - define HOST_VMS_4 = {152.78.103.162, 10.5.0.237} - define HOST_VMS_6 = 2001:630:d0:f700::237 - - define HOST_NETBOX_4 = 152.78.103.188 - define HOST_NETBOX_6 = 2001:630:d0:f700::216 - - define HOST_KEYCLOAK_4 = 152.78.103.170 - define HOST_KEYCLOAK_6 = 2001:630:d0:f700::206 - - define HOST_MONITOR2_4 = 152.78.103.187 - define HOST_MONITOR2_6 = 2001:630:d0:f700::215 - - define HOST_ZEPLER_WEBSDR_4 = 152.78.103.190 - define HOST_ZEPLER_WEBSDR_6 = 2001:630:d0:f700::218 - define HOST_CONTAINERS_1_4 = 152.78.103.171 define HOST_CONTAINERS_1_6 = 2001:630:d0:f700::205 
@@ -88,16 +45,24 @@ table inet filter { define HOST_CONTAINERS_3_4 = 152.78.103.173 define HOST_CONTAINERS_3_6 = 2001:630:d0:f700::203 - # DMZ HOSTS - define HOST_SOWN_WWW_DMZ4 = 152.78.189.39 - define HOST_SOWN_WWW_DMZ6 = 2001:630:d0:f104::5032:250 - - define HOST_SUWS_MARCONI_DMZ4 = 152.78.189.75 - define HOST_SUWS_MARCONI_DMZ6 = { - 2001:630:d0:f104::5032:80a comment "old ip", - 2001:630:d0:f104::5032:5235 comment "new ip", - } + define HOST_LOGIN_4 = 152.78.103.165 + define HOST_LOGIN_6 = 2001:630:d0:f700::209 + + define HOST_LOGIN2_4 = 152.78.103.168 + define HOST_LOGIN2_6 = 2001:630:d0:f700::208 + + define HOST_MONITOR_4 = {152.78.103.164, 10.5.0.243} + define HOST_MONITOR_6 = 2001:630:d0:f700::243 + define HOST_MONITOR2_4 = 152.78.103.187 + define HOST_MONITOR2_6 = 2001:630:d0:f700::215 + + define HOST_NETBOX_4 = 152.78.103.188 + define HOST_NETBOX_6 = 2001:630:d0:f700::216 + + define HOST_WEBSDR_4 = 152.78.103.190 + define HOST_WEBSDR_6 = 2001:630:d0:f700::218 + # ECS HOSTS define HOST_ECS_STAFFLOGIN4 = 152.78.128.111 @@ -152,8 +117,6 @@ table inet filter { ip6 saddr fe80::/64 tcp dport ssh counter accept comment "Allow link-local to SSH to the gateways" # Routing Protocols - iifname $NIC_SOWN ip saddr $NET_LEGACY_BGP4 tcp dport bgp counter accept comment "Allow legacy BGP traffic to gateways" - iifname $NIC_SOWN ip6 saddr $NET_LEGACY_BGP6 tcp dport bgp counter accept comment "Allow legacy BGP6 traffic to gateways" iifname $NIC_SOWN ip daddr 224.0.0.5 counter accept comment "Allow OSPF from SOWN" iifname $NIC_SOWN ip6 daddr ff02::5 counter accept comment "Allow OSPFv3 from SOWN" 
@@ -206,82 +169,30 @@ table inet filter { ip saddr $HOST_ECS_STAFFLOGIN4 ip daddr $HOST_MONITOR_4 tcp dport 5668 counter accept comment "Accept traffic to monitor from stafflogin for CRON + SSH-DEBSUMS check" - # SSH Access - ip saddr $NET_EXTERNALTRUSTED4 ip daddr $HOST_AUTH2_4 tcp dport ssh counter accept comment "Allow trusted to access SSH on AUTH2" - ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_AUTH2_6 tcp dport ssh counter accept comment "Allow trusted to access SSH on AUTH2" - - ip saddr $NET_UOSLOGINSERVERS4 ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow UoS Login Servers to access SSH on sown login servers" - ip saddr $NET_EXTERNALTRUSTED4 ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow trusted to access SSH on sown login servers" - ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr {$HOST_LOGIN_6, $HOST_LOGIN2_6} tcp dport ssh counter accept comment "Allow trusted to access SSH on sown login servers" + # SSH + ip saddr {$NET_EXTERNALTRUSTED4,$NET_UOSLOGINSERVERS4} ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow access SSH on sown login servers v4" + ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr {$HOST_LOGIN_6, $HOST_LOGIN2_6} tcp dport ssh counter accept comment "Allow access SSH on sown login servers v6" # Auth2 Web Access ip saddr {$NET_EXTERNALTRUSTED4, $NET_UOSLOGINSERVERS4} ip daddr $HOST_AUTH2_4 tcp dport {http, https} counter accept comment "Allow trusted and login to access web interface on auth2" ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_AUTH2_6 tcp dport {http, https} counter accept comment "Allow trusted and login to access web interface on auth2" - # RADIUS - ip saddr {$HOST_SOWN_WWW_DMZ4, $HOST_SUWS_MARCONI_DMZ4} ip daddr $HOST_AUTH2_4 tcp dport radius counter accept comment "Allow www and marconi to auth against radius" - - # Git - ip saddr {$HOST_SOWN_WWW_DMZ4, $HOST_SUWS_MARCONI_DMZ4} ip daddr $HOST_GIT_4 tcp dport http counter 
accept comment "Allow www and marconi to accedd git" - - # Website - ip daddr $HOST_WEBSDR_4 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external" - ip6 daddr $HOST_WEBSDR_6 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external" - - ip6 saddr $HOST_SOWN_WWW_DMZ6 ip6 daddr $HOST_MONITOR_6 tcp dport { - http comment "Allow HTTP to get XML files", - https comment "Allow HTTPS to get XML files", - mysql comment "Allow access to IRC logs database", - 4444 comment "Allow access to SOWN-Bot", - } counter accept comment "Allow sown-www access to services on monitor" - - ip saddr $HOST_SOWN_WWW_DMZ4 ip daddr $HOST_MONITOR_4 tcp dport { - http comment "Allow HTTP to get XML files", - https comment "Allow HTTPS to get XML files", - mysql comment "Allow access to IRC logs database", - 4444 comment "Allow access to SOWN-Bot", - } counter accept comment "Allow sown-www access to services on monitor" - - ip6 saddr $HOST_SOWN_WWW_DMZ6 ip6 daddr $HOST_AUTH2_6 tcp dport { - http comment "Allow HTTP to access graphs", - https comment "Allow HTTPS to access graphs", - mysql comment "Allow access to git database on mysql", - } counter accept comment "Allow sown-www access to services on auth2" - - # VMS Access - ip saddr {$NET_UOSLOGINSERVERS4, $NET_EXTERNALTRUSTED4} ip daddr $HOST_VMS_4 tcp dport { - http, - https, - 8010, - 64667, - } counter accept comment "Allow access to VMS web interface" - - ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_VMS_6 tcp dport { - http, - https, - 8010, - 64667, - } counter accept comment "Allow access to VMS web interface" - - # Netbox - ip daddr $HOST_NETBOX_4 tcp dport {http, https} counter accept comment "Allow access to netbox" - ip6 daddr $HOST_NETBOX_6 tcp dport {http, https} counter accept comment "Allow access to netbox" - - # SSO (keycloak) - ip daddr $HOST_KEYCLOAK_4 tcp dport {http, https} counter accept comment "Allow access to 
sso" - ip6 daddr $HOST_KEYCLOAK_6 tcp dport {http, https} counter accept comment "Allow access to sso" - - # containers-1 (*.containers-dev) - ip daddr $HOST_CONTAINERS_1_4 tcp dport {http, https} counter accept comment "Allow access to web-based development Docker containers" - ip6 daddr $HOST_CONTAINERS_1_6 tcp dport {http, https} counter accept comment "Allow access to web-based development Docker containers" - - # containers-2 / containers-prod - ip daddr $HOST_CONTAINERS_2_4 tcp dport {http, https} counter accept comment "Allow access to web-based production Docker containers" - ip6 daddr $HOST_CONTAINERS_2_6 tcp dport {http, https} counter accept comment "Allow access to web-based production Docker containers" - - # containers-3 / containers-secure - ip daddr $HOST_CONTAINERS_3_4 tcp dport {http, https} counter accept comment "Allow access to web-based secure Docker containers" - ip6 daddr $HOST_CONTAINERS_3_6 tcp dport {http, https} counter accept comment "Allow access to web-based secure Docker containers" + # External HTTP(S) access + ip daddr { + $HOST_CONTAINERS_1_4, + $HOST_CONTAINERS_2_4, + $HOST_CONTAINERS_3_4, + $HOST_NETBOX_4, + $HOST_WEBSDR_4 comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external", + } tcp dport {http, https} counter accept comment "Allow access to HTTP(S) on v4" + + ip6 daddr { + $HOST_CONTAINERS_1_6, + $HOST_CONTAINERS_2_6, + $HOST_CONTAINERS_3_6, + $HOST_NETBOX_6, + $HOST_WEBSDR_6 comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external", + } tcp dport {http, https} counter accept comment "Allow access to HTTP(S) on v6" # SOWN LAN iifname $NIC_SOWN counter accept comment "Allow all traffic from SOWN LAN"
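Review bot: The consolidated `# External HTTP(S) access` rule now accepts `https` to `$HOST_WEBSDR_4` and `$HOST_WEBSDR_6`, whereas the two `# Website` rules it replaces opened only `http` to websdr, yet the element comment still reads "accessible on HTTP from external", so either the comment is stale or the exposure has quietly widened. If websdr should stay HTTP-only, keep it out of the combined set and retain a separate `ip daddr $HOST_WEBSDR_4 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external"` (and the ip6 twin); if HTTPS is intended, change both element comments to say "HTTP(S)". The `# SSH Access` rules that let `$NET_EXTERNALTRUSTED4`/`$NET_EXTERNALTRUSTED6` reach SSH on auth2 are also dropped here with nothing replacing them; if auth2 is now meant to be reached only through the login servers, a one-line comment under `# SSH` such as `# auth2 SSH is intentionally not exposed; hop via login/login2` would save the next reader a trip through git history. Note also that the v6 SSH rule has no login-server source set while the v4 one gained `$NET_UOSLOGINSERVERS4` — presumably there is no v6 define for those servers, but worth confirming. The enclosing chain of `table inet filter` begins before and ends after this hunk.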