hetzner-devops/network.md


# Network & Firewall Configuration
## System Information
- **Date**: 2025-07-16
- **Host**: nsntr.ai
- **OS**: Ubuntu 24.04
- **Incus Version**: 6.14
- **Firewall**: UFW + nftables (Incus ACL)
## Network Architecture Overview
### Network Segmentation Strategy
```
┌────────────────────────────────────────────────────────────────────────────┐
│                       NETWORK ISOLATION ARCHITECTURE                       │
├────────────────────────────────────────────────────────────────────────────┤
│ services-net    │ 10.10.10.0/24  │ Core services (Traefik, Gitea, Drone) │
│ development-net │ 10.20.20.0/24  │ Dev containers, staging               │
│ production-net  │ 10.30.30.0/24  │ Production containers, client apps    │
│ management-net  │ 10.40.40.0/24  │ Admin, monitoring, backup             │
│ incusbr0        │ 10.94.230.0/24 │ Legacy network (ubuntu01 container)   │
└────────────────────────────────────────────────────────────────────────────┘
```
## Network Configuration
### Network List
```
NAME             TYPE    MANAGED  IPV4            IPV6  STATE
development-net  bridge  YES      10.20.20.1/24   none  CREATED
incusbr0         bridge  YES      10.94.230.1/24  auto  CREATED
management-net   bridge  YES      10.40.40.1/24   none  CREATED
production-net   bridge  YES      10.30.30.1/24   none  CREATED
services-net     bridge  YES      10.10.10.1/24   none  CREATED
```
### Services Network (10.10.10.0/24)
```yaml
name: services-net
type: bridge
config:
  ipv4.address: 10.10.10.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.10.10.50-10.10.10.199
  ipv6.address: none
  ipv6.nat: true
description: Core services network
used_by:
- /1.0/profiles/default?project=services
security:
  acls: services-acl
```
### Development Network (10.20.20.0/24)
```yaml
name: development-net
type: bridge
config:
  ipv4.address: 10.20.20.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.20.20.50-10.20.20.199
  ipv6.address: none
  ipv6.nat: true
description: Development environment network
used_by:
- /1.0/profiles/default?project=development
security:
  acls: development-acl
```
### Production Network (10.30.30.0/24)
```yaml
name: production-net
type: bridge
config:
  ipv4.address: 10.30.30.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.30.30.50-10.30.30.199
  ipv6.address: none
  ipv6.nat: true
description: Production environment network
used_by:
- /1.0/profiles/default?project=production
security:
  acls: production-acl
```
### Management Network (10.40.40.0/24)
```yaml
name: management-net
type: bridge
config:
  ipv4.address: 10.40.40.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.40.40.50-10.40.40.199
  ipv6.address: none
  ipv6.nat: true
description: Management and monitoring network
used_by: []
security:
  acls: management-acl
```
## IP Address Allocation
### Static IP Ranges (Reserved)
```
Network          Range           Purpose
services-net     10.10.10.10-49  Static services
development-net  10.20.20.10-49  Static dev services
production-net   10.30.30.10-49  Static prod services
management-net   10.40.40.10-49  Static management
```
### DHCP Ranges
```
Network          Range            Purpose
services-net     10.10.10.50-199  Dynamic allocation
development-net  10.20.20.50-199  Dynamic allocation
production-net   10.30.30.50-199  Dynamic allocation
management-net   10.40.40.50-199  Dynamic allocation
```
### Planned Static Assignments
```
Service          IP Address   Network         Purpose
Traefik          10.10.10.10  services-net    Reverse proxy
Gitea            10.10.10.20  services-net    Git hosting
Drone CI         10.10.10.30  services-net    CI/CD pipeline
Monitoring       10.40.40.10  management-net  System monitoring
Backup Services  10.40.40.20  management-net  Backup services
```
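The three allocation tables above encode invariants that are easy to break when a plan grows: a static assignment drifting into the DHCP pool, a range spilling past its /24, or two services claiming one address. The following script is an added example (not part of the original network.md) that checks those invariants against the values from the tables; the network and assignment data are copied from this page, and the functions and their names are this example's own.

```python
"""Validate the IP allocation plan documented above.

Added example, not part of the original network.md. It encodes the four
networks, their reserved static ranges, DHCP ranges and the planned static
assignments from the tables, then checks that ranges stay inside their /24,
static and DHCP ranges do not overlap, the gateway sits outside both, and
every planned address falls in the static range of its own network.
"""
from __future__ import annotations

import ipaddress

# (cidr, gateway, static range, dhcp range) per network, from the tables above.
NETWORKS = {
    "services-net":    ("10.10.10.0/24", "10.10.10.1", ("10.10.10.10", "10.10.10.49"), ("10.10.10.50", "10.10.10.199")),
    "development-net": ("10.20.20.0/24", "10.20.20.1", ("10.20.20.10", "10.20.20.49"), ("10.20.20.50", "10.20.20.199")),
    "production-net":  ("10.30.30.0/24", "10.30.30.1", ("10.30.30.10", "10.30.30.49"), ("10.30.30.50", "10.30.30.199")),
    "management-net":  ("10.40.40.0/24", "10.40.40.1", ("10.40.40.10", "10.40.40.49"), ("10.40.40.50", "10.40.40.199")),
}

# Planned static assignments from the table: service -> (address, network).
PLANNED = {
    "Traefik":         ("10.10.10.10", "services-net"),
    "Gitea":           ("10.10.10.20", "services-net"),
    "Drone CI":        ("10.10.10.30", "services-net"),
    "Monitoring":      ("10.40.40.10", "management-net"),
    "Backup Services": ("10.40.40.20", "management-net"),
}


def as_ints(first: str, last: str) -> tuple[int, int]:
    """Inclusive integer bounds of an address range."""
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))


def overlaps(a: tuple[int, int], b: tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_network(name: str, networks=NETWORKS) -> list[str]:
    """Problems with one network's range layout; an empty list means clean."""
    cidr, gateway, static, dhcp = networks[name]
    net = ipaddress.ip_network(cidr)
    s, d = as_ints(*static), as_ints(*dhcp)
    problems = []
    for label, (lo, hi) in (("static", s), ("dhcp", d)):
        if lo > hi:
            problems.append(f"{name}: {label} range is reversed")
        if ipaddress.ip_address(lo) not in net or ipaddress.ip_address(hi) not in net:
            problems.append(f"{name}: {label} range leaves {cidr}")
    if overlaps(s, d):
        problems.append(f"{name}: static and dhcp ranges overlap")
    gw = int(ipaddress.ip_address(gateway))
    if s[0] <= gw <= s[1] or d[0] <= gw <= d[1]:
        problems.append(f"{name}: gateway {gateway} inside an allocation range")
    return problems


def check_assignments(planned=PLANNED, networks=NETWORKS) -> list[str]:
    """Planned addresses must be unique and inside their network's static range."""
    problems, owner = [], {}
    for service, (ip, netname) in planned.items():
        cidr, _, static, _ = networks[netname]
        addr = int(ipaddress.ip_address(ip))
        lo, hi = as_ints(*static)
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(cidr):
            problems.append(f"{service}: {ip} is not in {netname} ({cidr})")
        elif not lo <= addr <= hi:
            problems.append(f"{service}: {ip} outside static range of {netname}")
        if ip in owner:
            problems.append(f"{service}: {ip} already planned for {owner[ip]}")
        owner.setdefault(ip, service)
    return problems


def check_all(planned=PLANNED, networks=NETWORKS) -> list[str]:
    """All range and assignment problems across the plan."""
    problems = []
    for name in networks:
        problems += check_network(name, networks)
    return problems + check_assignments(planned, networks)


if __name__ == "__main__":
    print(check_all() or "allocation plan is consistent")
```

Run it whenever the tables change; a new service landing at 10.10.10.60 would be reported as outside the static range of services-net, because .50-.199 is the DHCP pool and the address could be handed to any container.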
## Network Creation Commands
### 1. Services Network
```bash
incus network create services-net
incus network set services-net ipv4.address=10.10.10.1/24
incus network set services-net ipv4.nat=true
incus network set services-net ipv4.dhcp=true
incus network set services-net ipv4.dhcp.ranges=10.10.10.50-10.10.10.199
incus network set services-net ipv6.address=none
```
### 2. Development Network
```bash
incus network create development-net
incus network set development-net ipv4.address=10.20.20.1/24
incus network set development-net ipv4.nat=true
incus network set development-net ipv4.dhcp=true
incus network set development-net ipv4.dhcp.ranges=10.20.20.50-10.20.20.199
incus network set development-net ipv6.address=none
```
### 3. Production Network
```bash
incus network create production-net
incus network set production-net ipv4.address=10.30.30.1/24
incus network set production-net ipv4.nat=true
incus network set production-net ipv4.dhcp=true
incus network set production-net ipv4.dhcp.ranges=10.30.30.50-10.30.30.199
incus network set production-net ipv6.address=none
```
### 4. Management Network
```bash
incus network create management-net
incus network set management-net ipv4.address=10.40.40.1/24
incus network set management-net ipv4.nat=true
incus network set management-net ipv4.dhcp=true
incus network set management-net ipv4.dhcp.ranges=10.40.40.50-10.40.40.199
incus network set management-net ipv6.address=none
```
## Project Network Assignments
### Network Restrictions
```bash
# restricted.* keys only take effect once the project itself is restricted
# (restricted=true); without it these settings are recorded but not enforced
incus project set services restricted.networks.access=services-net
incus project set development restricted.networks.access=development-net
incus project set production restricted.networks.access=production-net
```
### Default Profile Updates
```bash
incus profile device add default eth0 nic network=services-net name=eth0 --project services
incus profile device add default eth0 nic network=development-net name=eth0 --project development
incus profile device add default eth0 nic network=production-net name=eth0 --project production
```
## Firewall Configuration
### Multi-Layer Security Architecture
```
┌────────────────────────────────────────────┐
│ LAYER 1: Host Firewall (UFW)               │
│ ├── SSH (22) ✅                             │
│ ├── HTTP (80) ✅                            │
│ ├── HTTPS (443) ✅                          │
│ └── Incus API (8443) ✅                     │
│                                            │
│ LAYER 2: Network ACLs (nftables)           │
│ ├── services-acl ✅                         │
│ ├── development-acl ✅                      │
│ └── production-acl ✅                       │
│                                            │
│ LAYER 3: Network Isolation                 │
│ ├── services-net: Full access ✅            │
│ ├── development-net: Limited access ✅      │
│ └── production-net: Strict access ✅        │
└────────────────────────────────────────────┘
```
### Host Firewall (UFW)
```bash
# Add the allow rules first so that enabling the firewall never cuts off the
# SSH session this is run from (Ubuntu's UFW defaults: deny incoming, allow outgoing)
ufw allow ssh
# 8443 exposes the Incus API to every source; restricting it to management
# addresses (or reaching it over SSH) is the usual hardening step
ufw allow 8443/tcp comment "Incus API"
ufw allow 80/tcp comment "HTTP"
ufw allow 443/tcp comment "HTTPS"
# Enable UFW
ufw --force enable
```
### Current UFW Status
```
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere                   # Incus API
80/tcp                     ALLOW       Anywhere                   # HTTP
443/tcp                    ALLOW       Anywhere                   # HTTPS
22/tcp (v6)                ALLOW       Anywhere (v6)
8443/tcp (v6)              ALLOW       Anywhere (v6)              # Incus API
80/tcp (v6)                ALLOW       Anywhere (v6)              # HTTP
443/tcp (v6)               ALLOW       Anywhere (v6)              # HTTPS
```
## Network ACL Configuration
### ACL List
```
NAME             DESCRIPTION  USED BY
development-acl               1
production-acl                1
services-acl                  1
```
### Services ACL (services-acl)
```yaml
name: services-acl
description: ""
egress:
- action: allow
  destination: 10.20.20.0/24
  description: Access to development
  state: enabled
- action: allow
  destination: 10.30.30.0/24
  description: Access to production
  state: enabled
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80"
  description: HTTP
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "443"
  description: HTTPS
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "3000"
  description: Gitea
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "8000"
  description: Drone
  state: enabled
```
### Development ACL (development-acl)
```yaml
name: development-acl
description: ""
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "3000-9000"
  description: Dev ports
  state: enabled
- action: allow
  source: 10.10.10.0/24
  description: Services access
  state: enabled
```
### Production ACL (production-acl)
```yaml
name: production-acl
description: ""
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80,443"
  description: HTTP/HTTPS
  state: enabled
- action: allow
  source: 10.10.10.0/24
  description: Services access only
  state: enabled
- action: drop
  source: 10.20.20.0/24
  description: Block development
  state: enabled
```
## ACL Creation Commands
### 1. Create ACLs
```bash
incus network acl create services-acl
incus network acl create development-acl
incus network acl create production-acl
```
### 2. Services ACL Rules
```bash
# Ingress rules
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=80 description="HTTP"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=443 description="HTTPS"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=3000 description="Gitea"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=8000 description="Drone"
# Egress rules
incus network acl rule add services-acl egress action=allow destination=10.20.20.0/24 description="Access to development"
incus network acl rule add services-acl egress action=allow destination=10.30.30.0/24 description="Access to production"
```
### 3. Development ACL Rules
```bash
incus network acl rule add development-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add development-acl ingress action=allow protocol=tcp destination_port=3000-9000 description="Dev ports"
incus network acl rule add development-acl ingress action=allow source=10.10.10.0/24 description="Services access"
```
### 4. Production ACL Rules
```bash
incus network acl rule add production-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add production-acl ingress action=allow protocol=tcp destination_port=80,443 description="HTTP/HTTPS"
incus network acl rule add production-acl ingress action=allow source=10.10.10.0/24 description="Services access only"
incus network acl rule add production-acl ingress action=drop source=10.20.20.0/24 description="Block development"
```
### 5. Apply ACLs to Networks
```bash
incus network set services-net security.acls=services-acl
incus network set development-net security.acls=development-acl
incus network set production-net security.acls=production-acl
```
## Security Matrix
### Network Access Control
```
┌────────────────────────────────────────────────────────────────────────────┐
│ SOURCE      │ DESTINATION │ PORTS     │ STATUS   │ PURPOSE               │
├────────────────────────────────────────────────────────────────────────────┤
│ Internet    │ Host        │ 22,80,443 │ ✅ ALLOW │ Admin & Web           │
│ Services    │ Development │ All       │ ✅ ALLOW │ CI/CD deployment      │
│ Services    │ Production  │ All       │ ✅ ALLOW │ Production deploy     │
│ Development │ Production  │ All       │ ❌ BLOCK │ Environment isolation │
│ Development │ Internet    │ All       │ ✅ ALLOW │ Updates & packages    │
│ Production  │ Internet    │ All       │ ✅ ALLOW │ Updates & packages    │
└────────────────────────────────────────────────────────────────────────────┘
```
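The matrix is a statement of intent; whether the ACL rules above actually produce it depends on how Incus evaluates them. Rules inside an Incus network ACL are not ordered: when several rules match the same traffic, the action decides (drop takes precedence over reject, reject over allow), and traffic matching no rule receives the network's default action, which Incus sets to reject (`security.acls.default.ingress.action`). That is why the `drop` rule for 10.20.20.0/24 in production-acl wins over the `allow` for port 22 from any source. The script below is an added example (not part of the original network.md and not Incus code) that models that evaluation and replays the matrix rows through the production-acl and development-acl rule sets copied from this page; the sample flows, the 203.0.113.5 "Internet" address and all function names are this example's own.

```python
"""Replay the Security Matrix through the ACL rules documented on this page.

Added example, not part of the original network.md and not Incus code. It
models how Incus evaluates network ACL rules: rules inside an ACL are not
ordered, the action decides precedence (drop beats reject beats allow), and
traffic matching no rule gets the network's default action, which Incus sets
to reject. The rule sets below are copied from production-acl and
development-acl; the sample flows are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

PRECEDENCE = {"drop": 0, "reject": 1, "allow": 2}


@dataclass(frozen=True)
class Rule:
    action: str                       # allow | reject | drop
    source: str = "0.0.0.0/0"         # an unset source in Incus means any
    protocol: Optional[str] = None    # tcp | udp | None (any protocol)
    ports: Optional[str] = None       # "22", "80,443" or "3000-9000"

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.ports is None:
            return True
        for part in self.ports.split(","):
            lo, _, hi = part.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
        return False


def evaluate(rules, src_ip: str, proto: str, port: int, default: str = "reject") -> str:
    """Verdict for one ingress flow: the most restrictive action among all
    matching rules wins; no match falls through to the network default."""
    actions = [r.action for r in rules if r.matches(src_ip, proto, port)]
    if not actions:
        return default
    return min(actions, key=PRECEDENCE.__getitem__)


# Ingress rules exactly as documented for production-acl and development-acl.
PRODUCTION_INGRESS = [
    Rule("allow", protocol="tcp", ports="22"),
    Rule("allow", protocol="tcp", ports="80,443"),
    Rule("allow", source="10.10.10.0/24"),
    Rule("drop", source="10.20.20.0/24"),
]
DEVELOPMENT_INGRESS = [
    Rule("allow", protocol="tcp", ports="22"),
    Rule("allow", protocol="tcp", ports="3000-9000"),
    Rule("allow", source="10.10.10.0/24"),
]

# Constructed flows: (label, rule set, source ip, proto, port, expected verdict).
# Sources come from the documented ranges; 203.0.113.5 stands in for "Internet".
MATRIX = [
    ("services -> production, any tcp",       PRODUCTION_INGRESS,  "10.10.10.10", "tcp", 5432, "allow"),
    ("development -> production, ssh",        PRODUCTION_INGRESS,  "10.20.20.50", "tcp", 22,   "drop"),
    ("development -> production, https",      PRODUCTION_INGRESS,  "10.20.20.50", "tcp", 443,  "drop"),
    ("internet -> production, https",         PRODUCTION_INGRESS,  "203.0.113.5", "tcp", 443,  "allow"),
    ("internet -> production, unlisted port", PRODUCTION_INGRESS,  "203.0.113.5", "tcp", 8080, "reject"),
    ("services -> development, any tcp",      DEVELOPMENT_INGRESS, "10.10.10.10", "tcp", 5432, "allow"),
    ("internet -> development, dns udp",      DEVELOPMENT_INGRESS, "203.0.113.5", "udp", 53,   "reject"),
]


def check_matrix(matrix=MATRIX) -> list[tuple[str, str, str]]:
    """Return (label, expected, actual) for every row whose verdict differs."""
    mismatches = []
    for label, rules, src, proto, port, expected in matrix:
        actual = evaluate(rules, src, proto, port)
        if actual != expected:
            mismatches.append((label, expected, actual))
    return mismatches


if __name__ == "__main__":
    bad = check_matrix()
    print("matrix holds" if not bad else f"mismatches: {bad}")
    # A flow the matrix does not cover: development-acl allows SSH and the dev
    # port range from any source, so production can reach development on them.
    print("production -> development ssh:", evaluate(DEVELOPMENT_INGRESS, "10.30.30.50", "tcp", 22))
```

Beyond confirming the documented rows, the model makes one gap visible: the matrix says nothing about production-to-development traffic, and because development-acl allows 22 and 3000-9000 from any source, that direction is open. If the isolation intent is symmetric, a `drop` rule with `source=10.30.30.0/24` in development-acl would close it.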
### Port Access Summary
```
┌───────────────────────────────────────────────────────────────────────────┐
│ NETWORK         │ ALLOWED PORTS       │ RESTRICTIONS                    │
├───────────────────────────────────────────────────────────────────────────┤
│ services-net    │ 22,80,443,3000,8000 │ Full access to dev/prod         │
│ development-net │ 22,3000-9000        │ Services access only            │
│ production-net  │ 22,80,443           │ Services access only, block dev │
│ management-net  │ Not configured yet  │ To be configured                │
└───────────────────────────────────────────────────────────────────────────┘
```
## Network Routing
### Current Routes
```
10.10.10.0/24 dev services-net proto kernel scope link src 10.10.10.1
10.20.20.0/24 dev development-net proto kernel scope link src 10.20.20.1
10.30.30.0/24 dev production-net proto kernel scope link src 10.30.30.1
10.40.40.0/24 dev management-net proto kernel scope link src 10.40.40.1
```
### Gateway Configuration
```
Network          Gateway     NAT Status
services-net     10.10.10.1  Enabled
development-net  10.20.20.1  Enabled
production-net   10.30.30.1  Enabled
management-net   10.40.40.1  Enabled
```
## Monitoring & Troubleshooting
### Network Diagnostics
```bash
# Check network status
incus network list
incus network show <network-name>
# Check ACL configuration
incus network acl list
incus network acl show <acl-name>
# Check routing
ip route show
ip addr show
# Check firewall status. UFW manages iptables chains; the Incus ACL rules are
# native nftables tables and are only visible via `nft list ruleset`
ufw status verbose
iptables -L -n
```
### Log Monitoring
```bash
# UFW logs
tail -f /var/log/ufw.log
# Incus logs
journalctl -u incus -f
# Network interface logs
dmesg | grep -i network
```
### Performance Monitoring
```bash
# Network statistics
incus network info <network-name>
cat /proc/net/dev
ss -tuln
# Bridge statistics
brctl show
bridge link show
```
## Security Best Practices
### Implemented Security Measures
1. **Network Segmentation**: Isolated environments
2. **Defense in Depth**: Multiple firewall layers
3. **Principle of Least Privilege**: Minimal required access
4. **Traffic Control**: Controlled inter-network communication
5. **Attack Surface Reduction**: Limited exposed ports
6. **Audit Trail**: All firewall rules documented
### Security Enhancements (Planned)
1. **Container-level firewalls** (iptables in containers)
2. **Service mesh security** (mTLS between services)
3. **Rate limiting** (fail2ban, nginx limits)
4. **Monitoring & alerting** (firewall logs, intrusion detection)
5. **SSL/TLS certificates** (Let's Encrypt automation)
6. **VPN access** for remote administration
7. **Network monitoring** (traffic analysis, anomaly detection)
## Backup & Recovery
### Network Configuration Backup
```bash
# Export network configurations (incus has no "network export" subcommand;
# "show" prints the full YAML, which "edit" accepts back)
incus network show <network-name> > <network-name>.yaml
# Export ACL configurations
incus network acl show <acl-name> > <acl-name>.yaml
# Back up UFW rules. This is the human-readable listing only; the authoritative
# rule files are /etc/ufw/user.rules and /etc/ufw/user6.rules
ufw status numbered > ufw-rules-backup.txt
```
### Recovery Procedures
```bash
# Restore a network: "edit" needs an existing network, so create it first,
# then load the saved YAML into it
incus network create <network-name>
incus network edit <network-name> < <network-name>.yaml
# Restore ACL configuration the same way
incus network acl create <acl-name>
incus network acl edit <acl-name> < <acl-name>.yaml
# Restore UFW rules
ufw --force reset
# Then reapply rules from backup
```
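"Reapply rules from backup" is the step the recovery procedure leaves open: after `ufw --force reset` the only copy of the rules is the `ufw status numbered` listing, so each row has to be turned back into a `ufw allow` or `ufw deny` command. The parser below is an added example (not part of the original network.md) that does this for the port-based rules this page uses. `SAMPLE` is a constructed listing built from the status table above; the regular expression, `parse_rules`, `to_command` and `restore_commands` are this example's own. IPv6 rows are skipped on purpose, because `ufw allow 22/tcp` recreates the `(v6)` twin itself when `IPV6=yes` is set in `/etc/default/ufw`.

```python
"""Turn a saved "ufw status numbered" listing back into ufw commands.

Added example, not part of the original network.md. It parses the numbered
listing produced by the backup step, skips the (v6) twin rows that ufw
recreates on its own, and emits one command per remaining rule. Only
port-based rules ("22/tcp", "80,443/tcp") are handled, which covers every
rule on this page; rules that name a destination address are not.
"""
import re

# Constructed sample of `ufw status numbered` output matching this page's rules.
SAMPLE = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 8443/tcp                   ALLOW IN    Anywhere                   # Incus API
[ 3] 80/tcp                     ALLOW IN    Anywhere                   # HTTP
[ 4] 443/tcp                    ALLOW IN    Anywhere                   # HTTPS
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 8443/tcp (v6)              ALLOW IN    Anywhere (v6)              # Incus API
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)              # HTTP
[ 8] 443/tcp (v6)               ALLOW IN    Anywhere (v6)              # HTTPS
"""

RULE_RE = re.compile(
    r"^\[\s*\d+\]\s+"                                        # "[ 1]" rule number
    r"(?P<to>\S+(?: \(v6\))?)\s+"                            # "22/tcp" or "22/tcp (v6)"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: (?P<dir>IN|OUT))?\s+"
    r"(?P<from>\S+(?: \(v6\))?)"                             # "Anywhere", a CIDR, optional (v6)
    r"(?:\s+#\s*(?P<comment>.*?))?\s*$"                      # optional trailing comment
)


def parse_rules(listing: str):
    """Yield one dict per IPv4 rule row; header lines and (v6) rows are skipped."""
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m or "(v6)" in m["to"] or "(v6)" in m["from"]:
            continue
        yield {
            "to": m["to"],
            "action": m["action"].lower(),
            "direction": (m["dir"] or "IN").lower(),
            "from": m["from"],
            "comment": (m["comment"] or "").strip(),
        }


def to_command(rule: dict) -> str:
    """Build the ufw command that recreates one parsed rule."""
    parts = ["ufw", rule["action"]]
    if rule["direction"] != "in":          # ufw's simple syntax defaults to "in"
        parts.append(rule["direction"])
    if rule["from"] != "Anywhere":         # source-restricted rule needs the full syntax
        port, _, proto = rule["to"].partition("/")
        parts += ["from", rule["from"], "to", "any", "port", port]
        if proto:
            parts += ["proto", proto]
    else:
        parts.append(rule["to"])
    if rule["comment"]:
        parts += ["comment", f'"{rule["comment"]}"']
    return " ".join(parts)


def restore_commands(listing: str = SAMPLE) -> list:
    """Commands to re-issue, in the original rule order."""
    return [to_command(r) for r in parse_rules(listing)]


if __name__ == "__main__":
    print("\n".join(restore_commands()))
```

Review the generated commands before running them; for the sample they reproduce the four rules of the host firewall section, comments included. Restoring the `/etc/ufw/user.rules` and `user6.rules` files from a filesystem backup is the exact alternative when those were saved as well.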
## Maintenance Commands
### Regular Maintenance
```bash
# Check network health
incus network list
incus network acl list
# Update firewall rules if needed
ufw status
ufw reload
# Monitor network performance
incus network info <network-name>
```
### Troubleshooting Commands
```bash
# Test connectivity
ping <target-ip>
telnet <target-ip> <port>
# Check DNS resolution
nslookup <hostname>
dig <hostname>
# Check routing
traceroute <destination>
mtr <destination>
```
---
- **Generated**: 2025-07-16 02:35:52 UTC
- **Status**: Network and firewall configuration complete
- **Security Level**: Multi-layer protection active
- **Next**: Service container deployment with network assignments