Allow AWS DNS queries through the firewall

Author: tomhughes

cookbooks/networking/attributes/default.rb

@@ -11,6 +11,7 @@
 default[:networking][:firewall][:mark] = true
 default[:networking][:firewall][:raw] = true
 default[:networking][:firewall][:mangle] = true
+default[:networking][:firewall][:whitelist] = []
 default[:networking][:roles] = {}
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = %w[8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844]

cookbooks/networking/templates/default/nftables.conf.erb

@@ -64,7 +64,11 @@ table inet filter {
   }
 
   chain incoming {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip saddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 saddr { $ip6-private-addresses } jump log-and-drop
 
     ip saddr @ip-blacklist jump log-and-drop
@@ -98,7 +102,11 @@ table inet filter {
   }
 
   chain outgoing {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip daddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip daddr { $ip-private-addresses } ip daddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 daddr { $ip6-private-addresses } jump log-and-drop
 
 <%- node[:networking][:firewall][:outgoing].each do |rule| %>

roles/palulukon.rb

@@ -3,6 +3,9 @@
 
 default_attributes(
   :networking => {
+    :firewall => {
+      :whitelist => ["172.31.0.2"]
+    },
     :interfaces => {
       :external_ipv4 => {
         :interface => "ens5",