initial commit
This commit is contained in:
commit
88b851cfff
4 changed files with 109 additions and 0 deletions
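--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,17 @@
+firewall:
+  defaults:
+    all:
+      statement: accept
+      matches: ~
+    input: {}
+    forward: {}
+    output: {}
+  chains:
+    input:
+      allow_ssh: tcp dport ssh
+    output: {}
+    forward: {}
+  policies:
+    input: drop
+    output: accept
+    forward: drop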
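Review bot: The two forms a chain entry may take are not documented in defaults/main.yml: `allow_ssh: tcp dport ssh` is a bare match expression, but the template also accepts a mapping whose `matches`/`statement` keys are merged over `firewall.defaults.all` and the per-chain defaults. A comment above `chains:` such as `# each entry is either a match expression (statement taken from defaults) or a mapping {matches: ..., statement: ...}` would save readers a trip to the template. It is also worth saying next to `matches: ~` that a mapping entry which omits `matches` inherits this null value, since an empty match makes the statement unconditional.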
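--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: reload nftables
+  service:
+    name: nftables
+    enabled: True
+    state: reloaded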
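Review bot: `enabled: True` inside the reload handler only takes effect when the handler is notified, so on a host where the package and config are already in place the unit can stay disabled across runs. Enabling the service belongs in a regular task next to `ensure nft is installed` (a `service:` task with `name: nftables` and `enabled: True`), leaving the handler to `state: reloaded` only. Whether `state: reloaded` also starts a unit that is not yet running depends on the service module, so confirm that the first run on a fresh host ends with the ruleset actually loaded.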
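--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: remove legacy firewalls
+  apt:
+    pkg:
+      - ferm
+      - iptables
+    purge: True
+    state: absent
+
+- name: ensure nft is installed
+  package:
+    name: nftables
+  notify:
+    - reload nftables
+
+- name: setup firewall directories
+  file:
+    path: /etc/nftables.d
+    owner: root
+    group: root
+    mode: "0755"
+    state: directory
+
+- name: update firewall rules
+  template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: "0755"
+  notify:
+    - reload nftables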
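Review bot: The directory created by `setup firewall directories` is `/etc/nftables.d`, but the template added in this commit ends with `include "/etc/nftables/*.nft"`, so drop-in rules placed in the managed directory are never loaded; one of the two paths has to change (see the templates/nftables.conf.j2 section). The `update firewall rules` task also writes the config without checking it: adding `validate: nft -c -f %s` to the template task rejects a rendering that is not a valid ruleset before it overwrites `/etc/nftables.conf` and before the reload handler fails against it. Purging `iptables` may take dependent packages with it on some hosts, so that task deserves a comment stating the assumption, and using `apt` there but `package` for the install is inconsistent within the same file.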
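--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -0,0 +1,56 @@
+#jinja2:lstrip_blocks: True
+#!/usr/sbin/nft -f
+
+{%- macro nftrule(name, rule) -%}
+{{rule.matches }} {{ rule.statement }} comment "{{ name }}"
+{% endmacro %}
+
+{%- macro nftchain(name) -%}
+{% for i in firewall.chains[name] %}
+{% if not firewall.chains[name][i] is mapping %}
+{% set tmprule = { 'matches': firewall.chains[name][i] }%}
+{% else %}
+{% set tmprule = firewall.chains[name][i] %}
+{% endif%}
+{% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], tmprule, recursive=True) %}
+{{ nftrule(i, rule) }}
+{% endfor %}
+{% endmacro%}
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy {{ firewall.policies.input }};
+
+        iif lo accept comment "Accept any localhost traffic"
+        ct state invalid drop comment "Drop invalid connections"
+        ct state established,related accept comment "Accept traffic originated from us"
+
+        ip6 nexthdr icmpv6 accept comment "Accept ICMPv6"
+        ip protocol icmp accept comment "Accept ICMP"
+        ip protocol igmp accept comment "Accept IGMP"
+
+        {{ nftchain('input') }}
+
+        counter comment "Count dropped"
+
+    }
+    chain forward {
+        type filter hook forward priority 0;
+        policy {{ firewall.policies.forward }};
+
+        {{ nftchain('forward') }}
+
+        counter comment "Count dropped"
+    }
+    chain output {
+        type filter hook output priority 0;
+        policy {{ firewall.policies.output }};
+
+        {{ nftchain('output') }}
+    }
+}
+
+include "/etc/nftables/*.nft"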
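Review bot: In `nftrule`, `{{rule.matches }}` is emitted as-is while `firewall.defaults.all.matches` is `~`, so a chain entry given as a mapping that only sets `statement` will most likely render a literal `None` at the start of the rule and make `nft -f` reject the whole file; `{{ rule.matches | default('', true) }}` keeps the line parseable, and the macro should then carry a comment that an empty match makes the statement apply to every packet reaching that point. `ip6 nexthdr icmpv6` only matches when ICMPv6 directly follows the IPv6 header, so ICMPv6 carried behind an extension header (MLD reports use Hop-by-Hop options) falls through to the drop policy; `meta l4proto ipv6-icmp accept comment "Accept ICMPv6"` is the robust form. The `include "/etc/nftables/*.nft"` path does not match the `/etc/nftables.d` directory the tasks file creates, as noted on the tasks section.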