From 6ca1808bb51e92371ef3615acf3874e120c5e7d1 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 27 Oct 2022 18:27:25 +0000
Subject: [PATCH] nftables: Initial version of role
---
 roles/nftables/defaults/main.yml | 3 ++
 roles/nftables/handlers/main.yml | 5 ++
 roles/nftables/tasks/main.yml | 25 ++++++++++
 roles/nftables/templates/nftables.conf.j2 | 58 +++++++++++++++++++++++
 4 files changed, 91 insertions(+)
 create mode 100644 roles/nftables/defaults/main.yml
 create mode 100644 roles/nftables/handlers/main.yml
 create mode 100644 roles/nftables/tasks/main.yml
 create mode 100644 roles/nftables/templates/nftables.conf.j2
diff --git a/roles/nftables/defaults/main.yml b/roles/nftables/defaults/main.yml
new file mode 100644
index 0000000..d50d859
--- /dev/null
+++ b/roles/nftables/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+firewall_in:
+ - {proto: tcp, port: 22}
diff --git a/roles/nftables/handlers/main.yml b/roles/nftables/handlers/main.yml
new file mode 100644
index 0000000..31c046f
--- /dev/null
+++ b/roles/nftables/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nftables
+ ansible.builtin.service:
+ name: nftables
+ state: restarted
diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml
new file mode 100644
index 0000000..2341e81
--- /dev/null
+++ b/roles/nftables/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: remove firewalld
+ ansible.builtin.package:
+ name: firewalld
+ state: removed
+
+- name: install packages
+ ansible.builtin.package:
+ name: nftables
+ state: installed
+
+- name: create config
+ ansible.builtin.template:
+ src: nftables.conf.j2
+ dest: /etc/sysconfig/nftables.conf
+ mode: 0600
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: reload nftables
+
+- name: enable service
+ ansible.builtin.service:
+ name: nftables
+ state: started
+ enabled: true
diff --git a/roles/nftables/templates/nftables.conf.j2 b/roles/nftables/templates/nftables.conf.j2
new file mode 100644
index 0000000..692a6e2
--- /dev/null
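Review bot: The `firewall_in` entry schema is undocumented in defaults/main.yml, although the template that consumes it also reads an optional `from` key (a list of addresses or hostnames) that this default never shows, so anyone overriding the variable from inventory has no way to discover it here. I would put a comment above the list, e.g. `# Inbound allow rules: {proto: tcp|udp, port: N, from: [addr-or-hostname, ...]}; 'from' is optional and means any source when omitted`. Since role defaults are the interface inventories override, this comment is the only place that contract becomes visible.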
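Review bot: The handler is named `reload nftables` but does `state: restarted`, and on the Fedora/RHEL nftables.service unit (as far as I recall its ExecStop) a restart flushes the ruleset before loading the new file, so a template that fails to parse leaves the host with an empty ruleset rather than the previous one. `state: reloaded` goes through the unit's ExecReload, which re-reads the config atomically and keeps the old ruleset when the new file is rejected, and it also matches what the handler's name promises. If some target lacks a reload action, the fallback should at least be a syntax check of the rendered file before this handler fires.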
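Review bot: `mode: 0600` in the `create config` task is an unquoted leading-zero integer, which YAML 1.1 parsers read as octal 384 before Ansible sees it; the documented-safe form is the string `mode: "0600"`. The rendered template is installed and the service restarted without any syntax check, so a bad render takes the firewall down with it — `ansible.builtin.template` supports `validate: /usr/sbin/nft -c -f %s`, which rejects the file before it replaces the live config. Task order is also worth a look: `remove firewalld` runs before nftables is installed, templated and started, so for the duration of the next three tasks the host presumably has no input filtering at all, and installing, configuring and starting nftables before the firewalld package goes would narrow that window to a single step. `group: "{{ ansible_wheel }}"` is not defined in this role's defaults, so the role fails on any host whose inventory does not supply it — a default or a comment naming where it comes from would help — and `state: removed`/`installed` are backend-specific aliases where `absent`/`present` are the portable values for `ansible.builtin.package`.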
+++ b/roles/nftables/templates/nftables.conf.j2
@@ -0,0 +1,58 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table ip filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept
+ ct state vmap { established : accept, related : accept }
+ ip protocol icmp accept
+ iifname lo accept
+{% for rule in firewall_in %}
+{% if rule.from is defined %}
+{% for from in rule.from %}
+{% if not from | ipv4 and not from | ipv6 %}
+{% set from = lookup('dig', from) %}
+{% endif %}
+{% if from | ipv4 %}
+ ip saddr {{ from }} {{ rule.proto }} dport {{ rule.port }} accept
+{% endif %}
+{% endfor %}
+{% else %}
+ ip {{ rule.proto }} dport {{ rule.port }} accept
+{% endif %}
+{% endfor %}
+ reject with icmp type host-prohibited
+ }
+ chain FORWARD {
+ type filter hook forward priority 0; policy drop
+ reject with icmp type host-prohibited
+ }
+}
+
+table ip6 filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept
+ ct state vmap { established : accept, related : accept }
+ ip6 nexthdr icmpv6 accept
+{% for rule in firewall_in %}
+{% if rule.from is defined %}
+{% for from in rule.from %}
+{% if not from | ipv4 and not from | ipv6 %}
+{% set from = lookup('dig', from) %}
+{% endif %}
+{% if from | ipv6 %}
+ ip saddr {{ from }} {{ rule.proto }} dport {{ rule.port }} accept
+{% endif %}
+{% endfor %}
+{% else %}
+ ip {{ rule.proto }} dport {{ rule.port }} accept
+{% endif %}
+{% endfor %}
+ reject with icmpv6 type admin-prohibited
+ }
+ chain FORWARD {
+ type filter hook forward priority 0; policy drop
+ reject with icmpv6 type admin-prohibited
+ }
+}
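Review bot: In the `table ip6 filter` INPUT chain the per-source rule is emitted as `ip saddr {{ from }}` even though that branch only runs when `from | ipv6` is true; `ip saddr` is the IPv4 header match, nft rejects an IPv6 address there (and the ip6 family has no IPv4 header to match against), so it has to be `ip6 saddr {{ from }} {{ rule.proto }} dport {{ rule.port }} accept`. Hostnames never reach that branch anyway: `lookup('dig', from)` returns A records unless given `qtype=AAAA`, so a resolved name is always IPv4-only and silently yields no IPv6 rule — and in both tables a name with several records or a failed lookup fails the `ipv4`/`ipv6` test and is dropped without any error, which for an allow-list means a silently blocked source rather than a failed play. The `{% else %}` form `ip {{ rule.proto }} dport ...` renders as `ip tcp dport 22` for the role's own default, which I do not believe is valid nft syntax (`{{ rule.proto }} dport {{ rule.port }} accept` is the usual form); rendering the default `firewall_in` and running `nft -c -f` on the output would settle it. Two smaller asymmetries: the ip6 INPUT chain lacks the `iifname lo accept` the ip chain has, so new connections over `::1` are rejected, and both INPUT chains declare `policy accept` while relying on the trailing `reject` for their default-deny — `policy drop` would keep the host closed if that last rule were ever missing.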