From fc5551b90f4317ccdf2d8c6b6a331647d676e138 Mon Sep 17 00:00:00 2001 From: Johannes Stoelp Date: Tue, 3 Jan 2023 14:35:21 +0100 Subject: firewall: move from iptables to firewalld (nftables) --- roles/git/files/runner-zola/webhook.sh | 21 ++++++++++++++++++--- roles/git/tasks/main.yml | 14 ++++++-------- roles/webserver/tasks/main.yml | 20 +++++--------------- 3 files changed, 29 insertions(+), 26 deletions(-) (limited to 'roles') diff --git a/roles/git/files/runner-zola/webhook.sh b/roles/git/files/runner-zola/webhook.sh index 1c10685..b874233 100755 --- a/roles/git/files/runner-zola/webhook.sh +++ b/roles/git/files/runner-zola/webhook.sh @@ -18,9 +18,24 @@ while true; do REF=${REF:-main} if [ ! -d blog ]; then - # Use non-redirected port as redirection is handled via PREROUTING - # iptables rules and if this hook runs on the same machine the request - # packages will not go through the routing chain. + # Use non-redirected port to clone repository as the runner executes on + # the same machine as the webserver. + # + # We use a NAT:PREROUTING chain to implement the redirection (dnat). + # However as described by the netfilter packet flow and the connection + # tracking system (CONNTRACK), the NAT hooks are only traversed for NEW + # connections. + # For packages originating from the local machine, the connection will + # be seen as NEW by the CONNTRACK system on the OUTPUT path and hence + # the NAT:OUTPUT hooks will be traversed. + # Once the package is looped-back and arrives at the PREROUTING path, + # the NAT:PREROUTING rules wont be traversed as the package is already + # known to the CONNTRACK system (not NEW). + # + # We could additionally implement dnat for lo interface on the OUTPUT + # path as described here, but we dont do it and just use the actual + # port here :^) + # https://unix.stackexchange.com/questions/618229/nftables-destination-nat-block-local-access-to-port git clone https://git.memzero.de:8443/blog fi git -C blog submodule init 
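Review bot: The rewritten comment says "packages" in three places where it means network packets, and "wont"/"dont" lack apostrophes; suggest `# For packets originating from the local machine, the connection will` and the same word on the "Once the package is looped-back" and "as the package is already" lines. The explanation of NAT:PREROUTING versus NAT:OUTPUT traversal matches the forward-port rich rule the webserver role now installs, but whether the loopback clone would otherwise be caught by that rule depends on the rule layout firewalld generates, so it is worth confirming once on the host with `nft list ruleset` rather than stating it as fact in the comment. The enclosing `while true` loop starts outside the hunk.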
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index 131b971..2c69953 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml @@ -23,7 +23,7 @@ image: gitolite-cgit network: "{{ NETWORK }}" ports: - - "2222:22" + - "8022:22" env: SSH_KEY: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/memzero.pub') }}" volumes: @@ -33,13 +33,11 @@ notify: Restart nginx - name: Open port for gitolite ssh port - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - match: tcp - destination_port: 2222 - jump: ACCEPT - comment: Accept gitolite SSH connections. + ansible.posix.firewalld: + port: 8022/tcp + permanent: yes + immediate: yes + state: enabled become: true - name: Build zola runner image diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml index e2624c4..7838896 100644 --- a/roles/webserver/tasks/main.yml +++ b/roles/webserver/tasks/main.yml @@ -29,22 +29,12 @@ # Use 'z' to shared-ly relable selinux contexts. - "{{ DATA_ROOT }}/nginx/www:/www:ro,z" -# All services run in rootless-podman and nginx is the only entry point from -# the outside acting as webserver and reverse proxy. -# Since we dont want to lower the *unprivileged* port start (1024) we install -# two forwarding routes from -# 80 -> 8080 -# 443 -> 8443 - name: Forward port 80/443 to 8080/8443 - ansible.builtin.iptables: - table: nat - chain: PREROUTING - protocol: tcp - match: tcp - destination_port: "{{ item.from }}" - jump: REDIRECT - to_ports: "{{ item.to }}" - comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}" + ansible.posix.firewalld: + rich_rule: "rule family=ipv4 forward-port port={{ item.from }} protocol=tcp to-port={{ item.to }}" + permanent: yes + immediate: yes + state: enabled become: true loop: - { from: 80 , to: 8080 } -- cgit v1.2.3
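Review bot: The new firewalld task hard-codes 8022 a second time, separately from the `"8022:22"` ports mapping in the previous hunk, so the two can silently drift; a single role variable following the file's `{{ NETWORK }}` convention (e.g. a constructed `{{ GITOLITE_SSH_PORT }}`) used in both the ports entry and `port: "{{ GITOLITE_SSH_PORT }}/tcp"` would keep them in step. `permanent: yes` and `immediate: yes` are YAML 1.1 truthy values that yamllint and ansible-lint flag; write `permanent: true` and `immediate: true` (the same applies to the webserver hunk below). The commit deletes the `ansible.builtin.iptables` INPUT task but nothing removes the previously installed ACCEPT rule for 2222 (nor the nat REDIRECT rules in the webserver role) from already-provisioned hosts, so unless firewalld's start happens to flush them the old port stays accepted; running the old task once with `state: absent`, or a documented one-off cleanup, would close that gap. If no other task ensures firewalld is installed and running, `immediate: yes` will fail on a host still on plain iptables; I cannot see such a task in this diff.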
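Review bot: The six-line comment explaining why the host forwards 80/443 to 8080/8443 (nginx is the only entry point, runs in rootless podman, and the unprivileged port start is deliberately not lowered) is deleted and the new firewalld task carries no rationale; keep a condensed version above the task, e.g. `# nginx runs in rootless podman; redirect 80/443 to 8080/8443 rather than lowering net.ipv4.ip_unprivileged_port_start.` The rich rule is `family=ipv4` only, which matches the removed iptables REDIRECT, but if the host also publishes an IPv6 address a second rule with `family=ipv6` is needed or v6 clients land on closed ports 80/443. Whether the forward-port rule alone admits traffic to 8080/8443 or those ports must additionally be opened in the zone is worth confirming on the host after the first run, since this hunk does not open them.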