infrastructure/ansible/roles/ingress/files/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0
        policy drop

        ct state {established, related} counter accept

        iif lo accept

        # Allow ICMP (pings)
        ip protocol icmp accept
        meta l4proto icmpv6 accept

        tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept

        # Allow nebula
        udp dport {{ nebula_listen_port }} accept;

        # Allow Tailscale
        udp dport {{ tailscale_port }} accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat
        policy accept

        # NAT - because the proxmox machines may not have routes back
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
        ip saddr {{ tailscale_cidr }} counter masquerade
    }

    chain FORWARD {
        type filter hook forward priority mangle
        policy drop

        # Allow traffic from nebula to proxmox network
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept

        # Allow monitoring of nebula network
        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept

        # Allow Tailscale exit node
        ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
        ip saddr {{ tailscale_cidr }} accept
        ip daddr {{ tailscale_cidr }} ct state related,established accept
    }
}
Use nftables for firewall on ingress See ya never, iptables! 2023-10-26 21:34:06 +01:00			`#!/usr/sbin/nft -f`

			`flush ruleset`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0`
			`policy drop`

			`ct state {established, related} counter accept`

			`iif lo accept`

Allow pings to ingress This makes testing connections much simpler 2023-11-05 21:48:25 +00:00			`# Allow ICMP (pings)`
			`ip protocol icmp accept`
			`meta l4proto icmpv6 accept`

Use nftables for firewall on ingress See ya never, iptables! 2023-10-26 21:34:06 +01:00			`tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept`
Allow nebula through firewall 2023-11-03 18:06:36 +00:00
			`# Allow nebula`
			`udp dport {{ nebula_listen_port }} accept;`
Install tailscale Install, not configure 2024-02-01 19:41:47 +00:00
			`# Allow Tailscale`
			`udp dport {{ tailscale_port }} accept;`
Use nftables for firewall on ingress See ya never, iptables! 2023-10-26 21:34:06 +01:00			`}`

			`chain POSTROUTING {`
			`type nat hook postrouting priority srcnat`
			`policy accept`

			`# NAT - because the proxmox machines may not have routes back`
			`ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade`
Allow `ingress` to serve as tailscale exit node 2024-03-28 23:30:24 +00:00			`ip saddr {{ tailscale_cidr }} counter masquerade`
Use nftables for firewall on ingress See ya never, iptables! 2023-10-26 21:34:06 +01:00			`}`

			`chain FORWARD {`
			`type filter hook forward priority mangle`
			`policy drop`

			`# Allow traffic from nebula to proxmox network`
			`ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept`
			`ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept`
Monitor headscale with prometheus 2024-01-27 17:40:02 +00:00
			`# Allow monitoring of nebula network`
			`ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept`
Install tailscale Install, not configure 2024-02-01 19:41:47 +00:00
Allow `ingress` to serve as tailscale exit node 2024-03-28 23:30:24 +00:00			`# Allow Tailscale exit node`
			`ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop`
			`ip saddr {{ tailscale_cidr }} accept`
			`ip daddr {{ tailscale_cidr }} ct state related,established accept`
Use nftables for firewall on ingress See ya never, iptables! 2023-10-26 21:34:06 +01:00			`}`
			`}`