move defaults to variables and clean up

nd 2021-09-17 03:42:30 +02:00
parent 6c659413c2
commit c9088a7a24
GPG key ID: 21B5CD4DEE3670E9
2 changed files with 32 additions and 16 deletions


@ -3,6 +3,7 @@ firewall:
all: all:
statement: accept statement: accept
matches: ~ matches: ~
priority: 1000
input: {} input: {}
forward: {} forward: {}
output: {} output: {}
@ -12,9 +13,32 @@ firewall:
nat6_postrouting: {} nat6_postrouting: {}
chains: chains:
input: input:
"statefull-invalid":
matches: ct state invalid
priority: 240
statement: drop
"statefull-accept":
matches: ct state established,related
priority: 250
allow_localhost:
matches: iif lo
priority: 500
allow_icmp:
matches: ip protocol icmp
priority: 500
allow_icmp6:
matches: ip6 nexthdr icmpv6
priority: 500
allow_ssh: tcp dport ssh allow_ssh: tcp dport ssh
output: {} output: {}
forward: {} forward:
"statefull-invalid":
matches: ct state invalid
priority: 240
statement: drop
"statefull-accept":
matches: ct state established,related
priority: 250
nat_prerouting: {} nat_prerouting: {}
nat_postrouting: {} nat_postrouting: {}
nat6_prerouting: {} nat6_prerouting: {}
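Review bot: The new `chains.input` defaults re-create five of the six rules the template used to hard-code, but the removed `ip protocol igmp accept` rule has no counterpart here, so hosts rendered from these defaults silently stop accepting IGMP after this commit. If dropping IGMP was not intended as part of the clean-up, add `allow_igmp:` / `matches: ip protocol igmp` / `priority: 500` alongside `allow_icmp`; if it was intended, a one-line comment saying so would stop the next reader from re-adding it. Note also that `allow_localhost` now sorts after the `ct state invalid` drop (priority 500 vs 240), whereas the old template accepted `iif lo` before any conntrack check — stricter, but a behavioural change worth recording in this file. The key spelling `statefull` is emitted verbatim into the generated rule comments; `stateful` would read better.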


@ -1,19 +1,22 @@
#jinja2:lstrip_blocks: True #jinja2:lstrip_blocks: True
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
{%- macro nftrule(name, rule) -%} {%- macro nftrule(rule) -%}
{{rule.matches }} {{ rule.statement }} comment "{{ name }}" {{rule.matches }} {% if not rule.statement == "counter" %}counter {% endif %}{{ rule.statement }} comment "{{ rule.comment }}"
{% endmacro %} {% endmacro %}
{%- macro nftchain(name) -%} {%- macro nftchain(name) -%}
{% set chain_rules = [] %}
{% for i in firewall.chains[name] %} {% for i in firewall.chains[name] %}
{% if not firewall.chains[name][i] is mapping %} {% if not firewall.chains[name][i] is mapping %}
{% set tmprule = { 'matches': firewall.chains[name][i] }%} {% set tmprule = { 'matches': firewall.chains[name][i] }%}
{% else %} {% else %}
{% set tmprule = firewall.chains[name][i] %} {% set tmprule = firewall.chains[name][i] %}
{% endif%} {% endif%}
{% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], tmprule, recursive=True) %} {% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], {'comment': i}, tmprule, recursive=True) %}{{ chain_rules.append(rule) }}
{{ nftrule(i, rule) }} {% endfor %}
{% for rule in chain_rules|sort(attribute='priority') %}
{{ nftrule(rule) }}
{% endfor %} {% endfor %}
{% endmacro%} {% endmacro%}
@ -28,14 +31,6 @@ table inet filter {
type filter hook input priority 0; type filter hook input priority 0;
policy {{ firewall.policies.input }}; policy {{ firewall.policies.input }};
iif lo accept comment "Accept any localhost traffic"
ct state invalid drop comment "Drop invalid connections"
ct state established,related accept comment "Accept established (statefull)"
ip6 nexthdr icmpv6 accept comment "Accept ICMPv6"
ip protocol icmp accept comment "Accept ICMP"
ip protocol igmp accept comment "Accept IGMP"
{{ nftchain('input') }} {{ nftchain('input') }}
counter comment "Count dropped" counter comment "Count dropped"
@ -45,9 +40,6 @@ table inet filter {
type filter hook forward priority 0; type filter hook forward priority 0;
policy {{ firewall.policies.forward }}; policy {{ firewall.policies.forward }};
ct state invalid drop comment "Drop invalid connections"
ct state established,related accept comment "Accept established (statefull)"
{{ nftchain('forward') }} {{ nftchain('forward') }}
counter comment "Count dropped" counter comment "Count dropped"
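Review bot: In the `nftchain` macro, `{{ chain_rules.append(rule) }}` is an output expression, and Jinja2 renders the `None` returned by `list.append` as the literal text `None`, so every collected rule emits a stray `None` token into the generated ruleset and `nft -f` will reject the file (the end of the template after the forward chain is outside this view). Use a statement instead, `{% set _ = chain_rules.append(rule) %}`, or suppress the output with `{{ chain_rules.append(rule) or '' }}`. Separately, `rule.comment` and `rule.matches` are interpolated unquoted into nft syntax in `nftrule`, so a rule key containing a double quote breaks the file, as the old `name` argument already did; a short comment on the macro stating that rule names and matches are trusted inventory input, not user data, would make that assumption explicit. Whether a failed `nft -f` leaves the host on the previous ruleset or with no filtering depends on how the rendered file is loaded, which is not visible here.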