

Allow AWS DNS queries through the firewall
tomhughes committed Mar 5, 2023
1 parent beb8df4 commit 4ae2339
Showing 3 changed files with 12 additions and 0 deletions.
1 change: 1 addition & 0 deletions cookbooks/networking/attributes/default.rb
Expand Up @@ -11,6 +11,7 @@
default[:networking][:firewall][:mark] = true
default[:networking][:firewall][:raw] = true
default[:networking][:firewall][:mangle] = true
default[:networking][:firewall][:whitelist] = []
default[:networking][:roles] = {}
default[:networking][:interfaces] = {}
default[:networking][:nameservers] = %w[8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844]
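Review bot: The new `whitelist` attribute carries no comment saying what its entries mean or where they are consumed; from the template changed in the same commit they are address literals that are exempted from the private-address log-and-drop in both the incoming and outgoing chains, and only on the IPv4 (`ip saddr`/`ip daddr`) rules. A comment above the line such as `# IPv4 addresses inside the private ranges that bypass the private-address drop rules (both directions); not applied to ip6 rules` would let a role author know the constraint without reading the template.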
8 changes: 8 additions & 0 deletions cookbooks/networking/templates/default/nftables.conf.erb
Expand Up @@ -64,7 +64,11 @@ table inet filter {
}

chain incoming {
<%- if node[:networking][:firewall][:whitelist].empty? %>
ip saddr { $ip-private-addresses } jump log-and-drop
<%- else %>
ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
<%- end %>
ip6 saddr { $ip6-private-addresses } jump log-and-drop

ip saddr @ip-blacklist jump log-and-drop
Expand Down Expand Up @@ -98,7 +102,11 @@ table inet filter {
}

chain outgoing {
<%- if node[:networking][:firewall][:whitelist].empty? %>
ip daddr { $ip-private-addresses } jump log-and-drop
<%- else %>
ip daddr { $ip-private-addresses } ip daddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
<%- end %>
ip6 daddr { $ip6-private-addresses } jump log-and-drop

<%- node[:networking][:firewall][:outgoing].each do |rule| %>
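Review bot: The exemption added to `chain incoming` on the `ip saddr { $ip-private-addresses } ip saddr != { … }` line lets a whitelisted address bypass the private-address drop for all inbound traffic, not just DNS replies to the host's own queries; if the chain already accepts established/related traffic before this rule (the rest of `chain incoming` lies outside the hunk), the `chain outgoing` exemption alone would cover queries and their answers, and the incoming one only widens what a peer at that address can reach. Separately, the whitelist is interpolated only into the IPv4 rules in both hunks, so an IPv6 entry would be ignored by the `ip6` lines and would likely make nft reject the generated `ip saddr != { … }` set; that constraint is worth a comment next to the attribute, or a check in the template. Since the same `empty?`/`sort.join` construction appears in both chains, a small helper or a `define` for the joined set would avoid the two copies drifting apart.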
3 changes: 3 additions & 0 deletions roles/palulukon.rb
Expand Up @@ -3,6 +3,9 @@

default_attributes(
:networking => {
:firewall => {
:whitelist => ["172.31.0.2"]
},
:interfaces => {
:external_ipv4 => {
:interface => "ens5",
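Review bot: The literal `172.31.0.2` in `:whitelist` has no comment explaining what it is; the commit title implies it is the AWS-provided DNS resolver for this host's VPC, but a reader of the role file alone cannot tell that, nor why an address in the private range needs to bypass the firewall. Suggest `# Amazon-provided VPC DNS resolver; exempted from the private-address drop so queries reach it` above the entry, and note that the template applies this list only to IPv4 rules.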
