cleanup firewall #87

Merged
merged 2 commits into from
Dec 1, 2024
163 changes: 37 additions & 126 deletions roles/gw/templates/nftables.conf
Expand Up @@ -26,59 +26,16 @@ table inet filter {
# SOWN
define NET_SOWNLAN4 = 10.5.0.0/24
define NET_SOWNROUTED4 = 152.78.103.160/27
define NET_SOWNGW4 = {152.78.103.236 comment "gw", 152.78.103.237 comment "gw2"}

define NET_LEGACY_BGP4 = {
10.5.0.239 comment "auth2",
10.5.0.243 comment "monitor",
10.5.0.252 comment "gw",
10.5.0.253 comment "gw2"
}
define NET_LEGACY_BGP6 = {
2001:630:d0:f700::239 comment "auth2",
2001:630:d0:f700::243 comment "monitor",
2001:630:d0:f700::252 comment "gw",
2001:630:d0:f700::253 comment "gw2",
}
define NET_SOWNGW4 = {152.78.103.236 comment "gw-b53", 152.78.103.237 comment "gw-b32"}

# SOWN HOSTS

define HOST_LOGIN_4 = 152.78.103.165
define HOST_LOGIN_6 = 2001:630:d0:f700::209

define HOST_LOGIN2_4 = 152.78.103.168
define HOST_LOGIN2_6 = 2001:630:d0:f700::208

define HOST_AUTH2_4 = 152.78.103.166
define HOST_AUTH2_6 = 2001:630:d0:f700::239

define HOST_GIT_4 = 10.5.0.234
define HOST_GIT_6 = 2001:630:d0:f700::234

define HOST_MONITOR_4 = {152.78.103.164, 10.5.0.243}
define HOST_MONITOR_6 = 2001:630:d0:f700::243

define HOST_BACKUP3_4 = 10.5.0.247
define HOST_BACKUP3_6 = 2001:630:d0:f700::247

define HOST_WEBSDR_4 = 152.78.103.190
define HOST_WEBSDR_6 = 2001:630:d0:f700::218

define HOST_VMS_4 = {152.78.103.162, 10.5.0.237}
define HOST_VMS_6 = 2001:630:d0:f700::237

define HOST_NETBOX_4 = 152.78.103.188
define HOST_NETBOX_6 = 2001:630:d0:f700::216

define HOST_KEYCLOAK_4 = 152.78.103.170
define HOST_KEYCLOAK_6 = 2001:630:d0:f700::206

define HOST_MONITOR2_4 = 152.78.103.187
define HOST_MONITOR2_6 = 2001:630:d0:f700::215

define HOST_ZEPLER_WEBSDR_4 = 152.78.103.190
define HOST_ZEPLER_WEBSDR_6 = 2001:630:d0:f700::218

define HOST_CONTAINERS_1_4 = 152.78.103.171
define HOST_CONTAINERS_1_6 = 2001:630:d0:f700::205

Expand All @@ -88,16 +45,24 @@ table inet filter {
define HOST_CONTAINERS_3_4 = 152.78.103.173
define HOST_CONTAINERS_3_6 = 2001:630:d0:f700::203

# DMZ HOSTS
define HOST_SOWN_WWW_DMZ4 = 152.78.189.39
define HOST_SOWN_WWW_DMZ6 = 2001:630:d0:f104::5032:250

define HOST_SUWS_MARCONI_DMZ4 = 152.78.189.75
define HOST_SUWS_MARCONI_DMZ6 = {
2001:630:d0:f104::5032:80a comment "old ip",
2001:630:d0:f104::5032:5235 comment "new ip",
}
define HOST_LOGIN_4 = 152.78.103.165
define HOST_LOGIN_6 = 2001:630:d0:f700::209

define HOST_LOGIN2_4 = 152.78.103.168
define HOST_LOGIN2_6 = 2001:630:d0:f700::208

define HOST_MONITOR_4 = {152.78.103.164, 10.5.0.243}
define HOST_MONITOR_6 = 2001:630:d0:f700::243

define HOST_MONITOR2_4 = 152.78.103.187
define HOST_MONITOR2_6 = 2001:630:d0:f700::215

define HOST_NETBOX_4 = 152.78.103.188
define HOST_NETBOX_6 = 2001:630:d0:f700::216

define HOST_WEBSDR_4 = 152.78.103.190
define HOST_WEBSDR_6 = 2001:630:d0:f700::218

# ECS HOSTS

define HOST_ECS_STAFFLOGIN4 = 152.78.128.111
Expand Down Expand Up @@ -152,8 +117,6 @@ table inet filter {
ip6 saddr fe80::/64 tcp dport ssh counter accept comment "Allow link-local to SSH to the gateways"

# Routing Protocols
iifname $NIC_SOWN ip saddr $NET_LEGACY_BGP4 tcp dport bgp counter accept comment "Allow legacy BGP traffic to gateways"
iifname $NIC_SOWN ip6 saddr $NET_LEGACY_BGP6 tcp dport bgp counter accept comment "Allow legacy BGP6 traffic to gateways"
iifname $NIC_SOWN ip daddr 224.0.0.5 counter accept comment "Allow OSPF from SOWN"
iifname $NIC_SOWN ip6 daddr ff02::5 counter accept comment "Allow OSPFv3 from SOWN"

Expand Down Expand Up @@ -206,82 +169,30 @@ table inet filter {

ip saddr $HOST_ECS_STAFFLOGIN4 ip daddr $HOST_MONITOR_4 tcp dport 5668 counter accept comment "Accept traffic to monitor from stafflogin for CRON + SSH-DEBSUMS check"

# SSH Access
ip saddr $NET_EXTERNALTRUSTED4 ip daddr $HOST_AUTH2_4 tcp dport ssh counter accept comment "Allow trusted to access SSH on AUTH2"
ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_AUTH2_6 tcp dport ssh counter accept comment "Allow trusted to access SSH on AUTH2"

ip saddr $NET_UOSLOGINSERVERS4 ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow UoS Login Servers to access SSH on sown login servers"
ip saddr $NET_EXTERNALTRUSTED4 ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow trusted to access SSH on sown login servers"
ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr {$HOST_LOGIN_6, $HOST_LOGIN2_6} tcp dport ssh counter accept comment "Allow trusted to access SSH on sown login servers"
# SSH
ip saddr {$NET_EXTERNALTRUSTED4,$NET_UOSLOGINSERVERS4} ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow access SSH on sown login servers v4"
ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr {$HOST_LOGIN_6, $HOST_LOGIN2_6} tcp dport ssh counter accept comment "Allow access SSH on sown login servers v6"

# Auth2 Web Access
ip saddr {$NET_EXTERNALTRUSTED4, $NET_UOSLOGINSERVERS4} ip daddr $HOST_AUTH2_4 tcp dport {http, https} counter accept comment "Allow trusted and login to access web interface on auth2"
ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_AUTH2_6 tcp dport {http, https} counter accept comment "Allow trusted and login to access web interface on auth2"

# RADIUS
ip saddr {$HOST_SOWN_WWW_DMZ4, $HOST_SUWS_MARCONI_DMZ4} ip daddr $HOST_AUTH2_4 tcp dport radius counter accept comment "Allow www and marconi to auth against radius"

# Git
ip saddr {$HOST_SOWN_WWW_DMZ4, $HOST_SUWS_MARCONI_DMZ4} ip daddr $HOST_GIT_4 tcp dport http counter accept comment "Allow www and marconi to accedd git"

# Website
ip daddr $HOST_WEBSDR_4 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external"
ip6 daddr $HOST_WEBSDR_6 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external"

ip6 saddr $HOST_SOWN_WWW_DMZ6 ip6 daddr $HOST_MONITOR_6 tcp dport {
http comment "Allow HTTP to get XML files",
https comment "Allow HTTPS to get XML files",
mysql comment "Allow access to IRC logs database",
4444 comment "Allow access to SOWN-Bot",
} counter accept comment "Allow sown-www access to services on monitor"

ip saddr $HOST_SOWN_WWW_DMZ4 ip daddr $HOST_MONITOR_4 tcp dport {
http comment "Allow HTTP to get XML files",
https comment "Allow HTTPS to get XML files",
mysql comment "Allow access to IRC logs database",
4444 comment "Allow access to SOWN-Bot",
} counter accept comment "Allow sown-www access to services on monitor"

ip6 saddr $HOST_SOWN_WWW_DMZ6 ip6 daddr $HOST_AUTH2_6 tcp dport {
http comment "Allow HTTP to access graphs",
https comment "Allow HTTPS to access graphs",
mysql comment "Allow access to git database on mysql",
} counter accept comment "Allow sown-www access to services on auth2"

# VMS Access
ip saddr {$NET_UOSLOGINSERVERS4, $NET_EXTERNALTRUSTED4} ip daddr $HOST_VMS_4 tcp dport {
http,
https,
8010,
64667,
} counter accept comment "Allow access to VMS web interface"

ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_VMS_6 tcp dport {
http,
https,
8010,
64667,
} counter accept comment "Allow access to VMS web interface"

# Netbox
ip daddr $HOST_NETBOX_4 tcp dport {http, https} counter accept comment "Allow access to netbox"
ip6 daddr $HOST_NETBOX_6 tcp dport {http, https} counter accept comment "Allow access to netbox"

# SSO (keycloak)
ip daddr $HOST_KEYCLOAK_4 tcp dport {http, https} counter accept comment "Allow access to sso"
ip6 daddr $HOST_KEYCLOAK_6 tcp dport {http, https} counter accept comment "Allow access to sso"

# containers-1 (*.containers-dev)
ip daddr $HOST_CONTAINERS_1_4 tcp dport {http, https} counter accept comment "Allow access to web-based development Docker containers"
ip6 daddr $HOST_CONTAINERS_1_6 tcp dport {http, https} counter accept comment "Allow access to web-based development Docker containers"

# containers-2 / containers-prod
ip daddr $HOST_CONTAINERS_2_4 tcp dport {http, https} counter accept comment "Allow access to web-based production Docker containers"
ip6 daddr $HOST_CONTAINERS_2_6 tcp dport {http, https} counter accept comment "Allow access to web-based production Docker containers"

# containers-3 / containers-secure
ip daddr $HOST_CONTAINERS_3_4 tcp dport {http, https} counter accept comment "Allow access to web-based secure Docker containers"
ip6 daddr $HOST_CONTAINERS_3_6 tcp dport {http, https} counter accept comment "Allow access to web-based secure Docker containers"
# External HTTP(S) access
ip daddr {
$HOST_CONTAINERS_1_4,
$HOST_CONTAINERS_2_4,
$HOST_CONTAINERS_3_4,
$HOST_NETBOX_4,
$HOST_WEBSDR_4 comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external",
} tcp dport {http, https} counter accept comment "Allow access to HTTP(S) on v4"

ip6 daddr {
$HOST_CONTAINERS_1_6,
$HOST_CONTAINERS_2_6,
$HOST_CONTAINERS_3_6,
$HOST_NETBOX_6,
$HOST_WEBSDR_6 comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external",
} tcp dport {http, https} counter accept comment "Allow access to HTTP(S) on v6"

# SOWN LAN
iifname $NIC_SOWN counter accept comment "Allow all traffic from SOWN LAN"
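Review bot: The element comments on `$HOST_WEBSDR_4` and `$HOST_WEBSDR_6` in the new "External HTTP(S) access" sets still say the WebSDR is reachable on HTTP, but both consolidated rules now match `tcp dport {http, https}` for every host in the set, whereas the per-host rules they replace opened only `http` for the WebSDR — so 152.78.103.190 and 2001:630:d0:f700::218 become externally reachable on 443 without the change saying so. If HTTPS on the WebSDR is intended, drop the two stale element comments (the rule-level comment already covers it); if not, keep a dedicated `ip daddr $HOST_WEBSDR_4 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk on HTTP from external"` (and the ip6 twin) and take the WebSDR out of the `{http, https}` sets. Separately, this PR deletes the AUTH2, GIT, BACKUP3, VMS, KEYCLOAK, ZEPLER_WEBSDR and DMZ defines; if any rule in the collapsed regions still references one of them, `nft -f` will reject the whole rendered ruleset, so running `nft -c -f` on the rendered template before deploying would be worth adding to the check. The enclosing `table inet filter` block starts and ends outside the visible hunks.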