
commit 11cc802885c262b983b706d9277e7949a83a9f19
parent e517423cc98a26adf8542fce064e29e1215a1edd
Author: Jul <jul@9o.is>
Date:   Fri, 17 May 2024 23:16:11 +0800

modify firewall to allow k0s/calico to work

Diffstat:
Mhost/group_vars/all | 3+++
Mhost/roles/k0s/templates/k0s.yaml.j2 | 4++--
Mhost/roles/wireguard/templates/nftables.conf.j2 | 63++++++++++++++++++++++++++++++++++++++++++++-------------------
3 files changed, 49 insertions(+), 21 deletions(-)

diff --git a/host/group_vars/all b/host/group_vars/all
@@ -1,5 +1,8 @@
 wireguard_port: 62620 + k0s_version: v1.29.4+k0s.0
+k0s_podCIDR: 10.244.0.0/16
+k0s_svcCIDR: 10.96.0.0/12
 wg_client_ip: 10.0.0.2
 wg_client_public_key: ZlBc9LbWP4CBm/9aIbZ2dwPZQbkYdvi7TZimAo5czWk=
diff --git a/host/roles/k0s/templates/k0s.yaml.j2 b/host/roles/k0s/templates/k0s.yaml.j2
@@ -49,9 +49,9 @@ spec:
 apiServerBindPort: 7443
 konnectivityServerBindPort: 7132
 type: EnvoyProxy
- podCIDR: 10.244.0.0/16
+ podCIDR: {{ k0s_podCIDR }}
 provider: calico
- serviceCIDR: 10.96.0.0/12
+ serviceCIDR: {{ k0s_svcCIDR }}
 scheduler: {}
 storage:
 type: kine
diff --git a/host/roles/wireguard/templates/nftables.conf.j2 b/host/roles/wireguard/templates/nftables.conf.j2 
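Review bot: The new variables `k0s_podCIDR` and `k0s_svcCIDR` are camelCase while the surrounding group_vars (`wireguard_port`, `wg_client_ip`) are snake_case; `k0s_pod_cidr` / `k0s_svc_cidr` would match the file, with the two references in k0s.yaml.j2 renamed alongside. Because the same two values also populate the nftables sets in nftables.conf.j2, a comment above them such as `# cluster networks; consumed by k0s.yaml.j2 and nftables.conf.j2 - keep in sync with the running cluster` would document that coupling for whoever changes them next.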
@@ -2,50 +2,75 @@ flush ruleset
-table ip custom-filter {
+table inet main {
+ set internalIPs {
+ type ipv4_addr;
+ elements = { {{ static_ip }} }
+ }
+
+ set podCIDR {
+ type ipv4_addr; flags interval;
+ elements = { {{ k0s_podCIDR }} }
+ }
+
+ set serviceCIDR {
+ type ipv4_addr; flags interval;
+ elements = { {{ k0s_svcCIDR }} }
+ }
+
+ set nameservers {
+ type ipv4_addr;
+ elements = { {{ static_nameservers | join(',') }} }
+ }
+
 chain input {
 type filter hook input priority filter; policy drop;
- ct state invalid counter log prefix "Invalid received" drop
+
+ ct state invalid counter log prefix "MAIN INPUT INVALID " drop
 ct state established,related accept
 iifname lo accept
- iifname {{ static_interface }} ct state new counter jump public-interface
- iifname wg0 ct state new counter jump wireguard-wg0
+ iifname {{ static_interface }} ct state new jump public-input
+ iifname wg0 ct state new jump wireguard-input
+ iifname cali* ct state new jump calico-input
- counter log prefix "Dropped received"
+ counter log prefix "MAIN INPUT DROPPED "
 }
-
+
 chain forward {
 type filter hook forward priority filter; policy drop;
+
+ iifname cali* ct state new jump calico-forward
+ oifname cali* ct state established,related accept
+
+ counter log prefix "MAIN FORWARD DROPPED "
 }
 chain output {
 type filter hook output priority filter; policy accept;
 }
- chain public-interface {
+ chain public-input {
 udp dport {{ wireguard_port }} accept
 }
- chain wireguard-wg0 {
+ chain wireguard-input {
 tcp dport ssh accept
 tcp dport 6443 accept
 }
-}
-table ip6 custom-filter {
- chain input {
- type filter hook input priority filter; policy drop;
- iifname lo accept
- }
+ chain calico-input {
+ icmpv6 type { nd-router-solicit } accept
+ ip saddr @podCIDR ip daddr @internalIPs accept
- chain forward {
- type filter hook forward priority filter; policy drop;
+ counter log prefix "CALICO INPUT DROPPED "
 }
- chain output {
- type filter hook output priority filter; policy drop;
- oifname lo accept
+ chain calico-forward {
+ ip saddr @podCIDR ip daddr @serviceCIDR accept
+ ip saddr @podCIDR ip daddr @nameservers udp dport 53 accept
+
+ counter log prefix "CALICO FORWARD DROPPED "
 }
 }
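Review bot: `ip saddr @podCIDR ip daddr @internalIPs accept` in calico-input admits every TCP and UDP port on the host's static address from anything in the pod network, which is far broader than what wireguard-input grants (ssh and 6443 only), so a compromised pod gets the same reach as a trusted peer plus every other host listener. Restricting it to the node ports pods actually need, e.g. `ip saddr @podCIDR ip daddr @internalIPs tcp dport { 6443, 7443, 7132 } accept` with the set adjusted after confirming which k0s listeners are involved, preserves the chain's deny-by-default intent. Separately, `ip daddr @serviceCIDR` in calico-forward is matched in the filter forward hook, and unless service DNAT on this host happens later than that hook the destination has already been rewritten to the backend pod address, so the rule may never match and service traffic would fall through to `MAIN FORWARD DROPPED`; `ct original ip daddr @serviceCIDR accept` matches the pre-NAT destination instead. The nameservers rule also permits only UDP 53, so DNS answers that fall back to TCP would be dropped.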