infra-ansible

ansible script to ship alpine/ssh/wireguard


commit 9c5e9a193ad16b6ba2be3ef9f388c6076e27ced2
parent a6e86913ac78c45a2a2e1c33c6d36a92ad55933f
Author: Jul <jul@9o.is>
Date:   Fri, 17 May 2024 23:42:40 +0800

remove k0s nftables

Diffstat:
M host/roles/firewall/templates/nftables.conf.j2 | 40 ----------------------------------------
1 file changed, 0 insertions(+), 40 deletions(-)

diff --git a/host/roles/firewall/templates/nftables.conf.j2 b/host/roles/firewall/templates/nftables.conf.j2
@@ -3,26 +3,6 @@ flush ruleset
 table inet main {
- set internalIPs {
- type ipv4_addr;
- elements = { {{ static_ip }} }
- }
-
- set podCIDR {
- type ipv4_addr; flags interval;
- elements = { {{ k0s_podCIDR }} }
- }
-
- set serviceCIDR {
- type ipv4_addr; flags interval;
- elements = { {{ k0s_svcCIDR }} }
- }
-
- set nameservers {
- type ipv4_addr;
- elements = { {{ static_nameservers | join(',') }} }
- }
-
 chain input {
 type filter hook input priority filter; policy drop;
@@ -32,17 +12,12 @@ table inet main {
 iifname {{ static_interface }} ct state new jump public-input
 iifname wg0 ct state new jump wireguard-input
- iifname cali* ct state new jump calico-input
 counter log prefix "MAIN INPUT DROPPED "
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
-
- iifname cali* ct state new jump calico-forward
- oifname cali* ct state established,related accept
-
 counter log prefix "MAIN FORWARD DROPPED "
 }
@@ -56,21 +31,6 @@ table inet main {
 chain wireguard-input {
 tcp dport ssh accept
- tcp dport 6443 accept
- }
-
- chain calico-input {
- icmpv6 type { nd-router-solicit } accept
- ip saddr @podCIDR ip daddr @internalIPs accept
-
- counter log prefix "CALICO INPUT DROPPED "
- }
-
- chain calico-forward {
- ip saddr @podCIDR ip daddr @serviceCIDR accept
- ip saddr @podCIDR ip daddr @nameservers udp dport 53 accept
-
- counter log prefix "CALICO FORWARD DROPPED "
 }
 }