Network & Firewall Configuration
System Information
- Date: 2025-07-16
- Host: nsntr.ai
- OS: Ubuntu 24.04
- Incus Version: 6.14
- Firewall: UFW + nftables (Incus ACL)
Network Architecture Overview
Network Segmentation Strategy
┌─────────────────────────────────────────────────────────────────────────────────┐
│ NETWORK ISOLATION ARCHITECTURE │
├─────────────────────────────────────────────────────────────────────────────────┤
│ services-net │ 10.10.10.0/24 │ Core services (Traefik, Gitea, Drone) │
│ development-net │ 10.20.20.0/24 │ Dev containers, staging │
│ production-net │ 10.30.30.0/24 │ Production containers, client apps │
│ management-net │ 10.40.40.0/24 │ Admin, monitoring, backup │
│ incusbr0 │ 10.94.230.0/24 │ Legacy network (ubuntu01 container) │
└─────────────────────────────────────────────────────────────────────────────────┘
Network Configuration
Network List
NAME             TYPE    MANAGED  IPV4            IPV6  STATE
development-net  bridge  YES      10.20.20.1/24   none  CREATED
incusbr0         bridge  YES      10.94.230.1/24  auto  CREATED
management-net   bridge  YES      10.40.40.1/24   none  CREATED
production-net   bridge  YES      10.30.30.1/24   none  CREATED
services-net     bridge  YES      10.10.10.1/24   none  CREATED
Services Network (10.10.10.0/24)
name: services-net
type: bridge
config:
  ipv4.address: 10.10.10.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.10.10.50-10.10.10.199
  ipv6.address: none
  ipv6.nat: true
description: Core services network
used_by:
- /1.0/profiles/default?project=services
security:
  acls: services-acl
Development Network (10.20.20.0/24)
name: development-net
type: bridge
config:
  ipv4.address: 10.20.20.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.20.20.50-10.20.20.199
  ipv6.address: none
  ipv6.nat: true
description: Development environment network
used_by:
- /1.0/profiles/default?project=development
security:
  acls: development-acl
Production Network (10.30.30.0/24)
name: production-net
type: bridge
config:
  ipv4.address: 10.30.30.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.30.30.50-10.30.30.199
  ipv6.address: none
  ipv6.nat: true
description: Production environment network
used_by:
- /1.0/profiles/default?project=production
security:
  acls: production-acl
Management Network (10.40.40.0/24)
name: management-net
type: bridge
config:
  ipv4.address: 10.40.40.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.40.40.50-10.40.40.199
  ipv6.address: none
  ipv6.nat: true
description: Management and monitoring network
used_by: []
security:
  acls: management-acl
IP Address Allocation
Static IP Ranges (Reserved)
Network          Range           Purpose
services-net     10.10.10.10-49  Static services
development-net  10.20.20.10-49  Static dev services
production-net   10.30.30.10-49  Static prod services
management-net   10.40.40.10-49  Static management
DHCP Ranges
Network          Range           Purpose
services-net     10.10.10.50-199  Dynamic allocation
development-net  10.20.20.50-199  Dynamic allocation
production-net   10.30.30.50-199  Dynamic allocation
management-net   10.40.40.50-199  Dynamic allocation
Planned Static Assignments
Service          IP Address   Network         Purpose
Traefik          10.10.10.10  services-net    Reverse proxy
Gitea            10.10.10.20  services-net    Git hosting
Drone CI         10.10.10.30  services-net    CI/CD pipeline
Monitoring       10.40.40.10  management-net  System monitoring
Backup Services  10.40.40.20  management-net  Backup services
Network Creation Commands
1. Services Network
incus network create services-net
incus network set services-net ipv4.address=10.10.10.1/24
incus network set services-net ipv4.nat=true
incus network set services-net ipv4.dhcp=true
incus network set services-net ipv4.dhcp.ranges=10.10.10.50-10.10.10.199
incus network set services-net ipv6.address=none
2. Development Network
incus network create development-net
incus network set development-net ipv4.address=10.20.20.1/24
incus network set development-net ipv4.nat=true
incus network set development-net ipv4.dhcp=true
incus network set development-net ipv4.dhcp.ranges=10.20.20.50-10.20.20.199
incus network set development-net ipv6.address=none
3. Production Network
incus network create production-net
incus network set production-net ipv4.address=10.30.30.1/24
incus network set production-net ipv4.nat=true
incus network set production-net ipv4.dhcp=true
incus network set production-net ipv4.dhcp.ranges=10.30.30.50-10.30.30.199
incus network set production-net ipv6.address=none
4. Management Network
incus network create management-net
incus network set management-net ipv4.address=10.40.40.1/24
incus network set management-net ipv4.nat=true
incus network set management-net ipv4.dhcp=true
incus network set management-net ipv4.dhcp.ranges=10.40.40.50-10.40.40.199
incus network set management-net ipv6.address=none
Project Network Assignments
Network Restrictions
# Note: restricted.* keys are enforced only when the project also has restricted=true
incus project set services restricted.networks.access=services-net
incus project set development restricted.networks.access=development-net
incus project set production restricted.networks.access=production-net
Default Profile Updates
incus profile device add default eth0 nic network=services-net name=eth0 --project services
incus profile device add default eth0 nic network=development-net name=eth0 --project development
incus profile device add default eth0 nic network=production-net name=eth0 --project production
Firewall Configuration
Multi-Layer Security Architecture
┌─────────────────────────────────────────────────────────────────────────────────┐
│ LAYER 1: Host Firewall (UFW) │
│ ├── SSH (22) ✅ │
│ ├── HTTP (80) ✅ │
│ ├── HTTPS (443) ✅ │
│ └── Incus API (8443) ✅ │
│ │
│ LAYER 2: Network ACLs (nftables) │
│ ├── services-acl ✅ │
│ ├── development-acl ✅ │
│ └── production-acl ✅ │
│ │
│ LAYER 3: Network Isolation │
│ ├── services-net: Full access ✅ │
│ ├── development-net: Limited access ✅ │
│ └── production-net: Strict access ✅ │
└─────────────────────────────────────────────────────────────────────────────────┘
Host Firewall (UFW)
# Enable UFW
ufw --force enable
# Allow essential services
ufw allow ssh
ufw allow 8443/tcp comment "Incus API"
ufw allow 80/tcp comment "HTTP"
ufw allow 443/tcp comment "HTTPS"
Current UFW Status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
8443/tcp ALLOW Anywhere # Incus API
80/tcp ALLOW Anywhere # HTTP
443/tcp ALLOW Anywhere # HTTPS
22/tcp (v6) ALLOW Anywhere (v6)
8443/tcp (v6) ALLOW Anywhere (v6) # Incus API
80/tcp (v6) ALLOW Anywhere (v6) # HTTP
443/tcp (v6) ALLOW Anywhere (v6) # HTTPS
Network ACL Configuration
ACL List
NAME             DESCRIPTION  USED BY
development-acl               1
production-acl                1
services-acl                  1
Services ACL (services-acl)
name: services-acl
description: ""
egress:
- action: allow
  destination: 10.20.20.0/24
  description: Access to development
  state: enabled
- action: allow
  destination: 10.30.30.0/24
  description: Access to production
  state: enabled
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80"
  description: HTTP
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "443"
  description: HTTPS
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "3000"
  description: Gitea
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "8000"
  description: Drone
  state: enabled
Development ACL (development-acl)
name: development-acl
description: ""
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "3000-9000"
  description: Dev ports
  state: enabled
- action: allow
  source: 10.10.10.0/24
  description: Services access
  state: enabled
Production ACL (production-acl)
name: production-acl
description: ""
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80,443"
  description: HTTP/HTTPS
  state: enabled
- action: allow
  source: 10.10.10.0/24
  description: Services access only
  state: enabled
- action: drop
  source: 10.20.20.0/24
  description: Block development
  state: enabled
ACL Creation Commands
1. Create ACLs
incus network acl create services-acl
incus network acl create development-acl
incus network acl create production-acl
2. Services ACL Rules
# Ingress rules
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=80 description="HTTP"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=443 description="HTTPS"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=3000 description="Gitea"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=8000 description="Drone"
# Egress rules
incus network acl rule add services-acl egress action=allow destination=10.20.20.0/24 description="Access to development"
incus network acl rule add services-acl egress action=allow destination=10.30.30.0/24 description="Access to production"
3. Development ACL Rules
incus network acl rule add development-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add development-acl ingress action=allow protocol=tcp destination_port=3000-9000 description="Dev ports"
incus network acl rule add development-acl ingress action=allow source=10.10.10.0/24 description="Services access"
4. Production ACL Rules
incus network acl rule add production-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add production-acl ingress action=allow protocol=tcp destination_port=80,443 description="HTTP/HTTPS"
incus network acl rule add production-acl ingress action=allow source=10.10.10.0/24 description="Services access only"
incus network acl rule add production-acl ingress action=drop source=10.20.20.0/24 description="Block development"
5. Apply ACLs to Networks
incus network set services-net security.acls=services-acl
incus network set development-net security.acls=development-acl
incus network set production-net security.acls=production-acl
Security Matrix
Network Access Control
┌─────────────────────────────────────────────────────────────────────────────────┐
│ SOURCE │ DESTINATION │ PORTS │ STATUS │ PURPOSE │
├─────────────────────────────────────────────────────────────────────────────────┤
│ Internet │ Host │ 22,80,443 │ ✅ ALLOW │ Admin & Web │
│ Services │ Development │ All │ ✅ ALLOW │ CI/CD deployment │
│ Services │ Production │ All │ ✅ ALLOW │ Production deploy │
│ Development │ Production │ All │ ❌ BLOCK │ Environment isolation│
│ Development │ Internet │ All │ ✅ ALLOW │ Updates & packages │
│ Production │ Internet │ All │ ✅ ALLOW │ Updates & packages │
└─────────────────────────────────────────────────────────────────────────────────┘
Port Access Summary
┌─────────────────────────────────────────────────────────────────────────────────┐
│ NETWORK │ ALLOWED PORTS │ RESTRICTIONS │
├─────────────────────────────────────────────────────────────────────────────────┤
│ services-net │ 22,80,443,3000,8000 │ Full access to dev/prod │
│ development-net │ 22,3000-9000 │ Services access only │
│ production-net │ 22,80,443 │ Services access only, block dev │
│ management-net │ Not configured yet │ To be configured │
└─────────────────────────────────────────────────────────────────────────────────┘
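To check the ACL rules created above against the Security Matrix, here is an added Python model of how Incus evaluates network ACLs; it is not part of this page or of Incus itself. It assumes two documented Incus behaviours: rules are applied in the order drop, reject, allow regardless of list order, and traffic matching no rule gets the default action, reject, since this page sets neither security.acls.default.ingress.action nor security.acls.default.egress.action. The per-network sample addresses and the 203.0.113.10 Internet host are constructed.

```python
import ipaddress
ACLS = {  # rule = (action, protocol, destination_port, peer); peer is "source" for ingress, "destination" for egress
    "services-acl": {"ingress": [("allow", "tcp", p, None) for p in ("22", "80", "443", "3000", "8000")],
                     "egress": [("allow", None, None, "10.20.20.0/24"), ("allow", None, None, "10.30.30.0/24")]},
    "development-acl": {"ingress": [("allow", "tcp", "22", None), ("allow", "tcp", "3000-9000", None),
                                    ("allow", None, None, "10.10.10.0/24")], "egress": []},
    "production-acl": {"ingress": [("allow", "tcp", "22", None), ("allow", "tcp", "80,443", None),
                                   ("allow", None, None, "10.10.10.0/24"), ("drop", None, None, "10.20.20.0/24")],
                       "egress": []},
}
NETWORK_ACL = {"10.10.10.0/24": "services-acl", "10.20.20.0/24": "development-acl", "10.30.30.0/24": "production-acl"}
DEFAULT_ACTION = "reject"  # documented Incus default for security.acls.default.{ingress,egress}.action
PRIORITY = {"drop": 0, "reject": 1, "allow": 2}  # Incus orders rules by action: drop, then reject, then allow

def port_matches(spec, port):
    """spec is an Incus port list such as "80,443" or "3000-9000"; None matches any port."""
    if spec is None:
        return True
    return port is not None and any(int(lo) <= port <= int(hi or lo)
                                    for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def verdict(acl, direction, proto, port, peer):
    """Action of the first matching rule in Incus priority order, else the default action."""
    for action, r_proto, r_port, r_peer in sorted(ACLS[acl][direction], key=lambda r: PRIORITY[r[0]]):
        proto_ok = r_proto is None or r_proto == proto
        peer_ok = r_peer is None or ipaddress.ip_address(peer) in ipaddress.ip_network(r_peer)
        if proto_ok and peer_ok and port_matches(r_port, port):
            return action
    return DEFAULT_ACTION

def acl_for(ip):
    """ACL of the Incus network that contains ip, or None for the host and the Internet."""
    return next((acl for net, acl in NETWORK_ACL.items() if ipaddress.ip_address(ip) in ipaddress.ip_network(net)), None)

def flow_allowed(src, dst, proto="tcp", port=None):
    """A flow passes only if the source network's egress ACL and the destination network's ingress ACL both allow it."""
    src_acl, dst_acl = acl_for(src), acl_for(dst)
    egress = verdict(src_acl, "egress", proto, port, dst) if src_acl else "allow"
    ingress = verdict(dst_acl, "ingress", proto, port, src) if dst_acl else "allow"
    return egress == "allow" and ingress == "allow"

MATRIX = [("10.10.10.20", "10.20.20.60", "tcp", 22, True),    # Services -> Development (constructed sample hosts)
          ("10.10.10.30", "10.30.30.60", "tcp", 443, True),   # Services -> Production
          ("10.20.20.60", "10.30.30.60", "tcp", 443, False),  # Development -> Production
          ("10.20.20.60", "203.0.113.10", "tcp", 443, True),  # Development -> Internet
          ("10.30.30.60", "203.0.113.10", "tcp", 443, True)]  # Production -> Internet

def matrix_gaps():  # Security Matrix rows whose expectation the declared rules do not meet
    return [row for row in MATRIX if flow_allowed(*row[:4]) != row[4]]
```

Under those assumptions the model reports the two Internet-egress rows as gaps, because development-acl and production-acl declare no egress rules, while the drop rule in production-acl wins over its allow rules for development sources as intended. Confirm the live behaviour with incus network acl show before relying on the matrix.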
Network Routing
Current Routes
10.10.10.0/24 dev services-net proto kernel scope link src 10.10.10.1
10.20.20.0/24 dev development-net proto kernel scope link src 10.20.20.1
10.30.30.0/24 dev production-net proto kernel scope link src 10.30.30.1
10.40.40.0/24 dev management-net proto kernel scope link src 10.40.40.1
Gateway Configuration
Network          Gateway     NAT Status
services-net     10.10.10.1  Enabled
development-net  10.20.20.1  Enabled
production-net   10.30.30.1  Enabled
management-net   10.40.40.1  Enabled
Monitoring & Troubleshooting
Network Diagnostics
# Check network status
incus network list
incus network show <network-name>
# Check ACL configuration
incus network acl list
incus network acl show <acl-name>
# Check routing
ip route show
ip addr show
# Check firewall status
ufw status verbose
iptables -L -n
Log Monitoring
# UFW logs
tail -f /var/log/ufw.log
# Incus logs
journalctl -u incus -f
# Network interface logs
dmesg | grep -i network
Performance Monitoring
# Network statistics
incus network info <network-name>
cat /proc/net/dev
ss -tuln
# Bridge statistics
brctl show
bridge link show
Security Best Practices
Implemented Security Measures
- Network Segmentation: Isolated environments
- Defense in Depth: Multiple firewall layers
- Principle of Least Privilege: Minimal required access
- Traffic Control: Controlled inter-network communication
- Attack Surface Reduction: Limited exposed ports
- Audit Trail: All firewall rules documented
Security Enhancements (Planned)
- Container-level firewalls (iptables in containers)
- Service mesh security (mTLS between services)
- Rate limiting (fail2ban, nginx limits)
- Monitoring & alerting (firewall logs, intrusion detection)
- SSL/TLS certificates (Let's Encrypt automation)
- VPN access for remote administration
- Network monitoring (traffic analysis, anomaly detection)
Backup & Recovery
Network Configuration Backup
# Export network configurations (incus network show prints the full YAML definition)
incus network show <network-name> > <network-name>.yaml
# Export ACL configurations
incus network acl show <acl-name> > <acl-name>.yaml
# Backup UFW rules (the rule files ufw actually loads live in /etc/ufw/user.rules and user6.rules)
ufw status numbered > ufw-rules-backup.txt
Recovery Procedures
# Recreate a network from its exported YAML: Incus has no "import" subcommand,
# so create the network and then feed the saved definition to "edit" on stdin
incus network create <network-name>
incus network edit <network-name> < <network-name>.yaml
# Restore an ACL the same way
incus network acl create <acl-name>
incus network acl edit <acl-name> < <acl-name>.yaml
# Restore UFW rules
ufw --force reset
# Then reapply the rules from the backup (the ufw allow commands under Host Firewall)
Maintenance Commands
Regular Maintenance
# Check network health
incus network list
incus network acl list
# Update firewall rules if needed
ufw status
ufw reload
# Monitor network performance
incus network info <network-name>
Troubleshooting Commands
# Test connectivity
ping <target-ip>
telnet <target-ip> <port>
# Check DNS resolution
nslookup <hostname>
dig <hostname>
# Check routing
traceroute <destination>
mtr <destination>
Generated: 2025-07-16 02:35:52 UTC
Status: Network and firewall configuration complete
Security Level: Multi-layer protection active
Next: Service container deployment with network assignments