nft role + disable iptables when nft enabled

2024-07-24 21:32:13 +02:00 · 2024-07-24 21:32:13 +02:00 · 848917a72c
commit 848917a72c
parent a74dba4557
17 changed files with 348 additions and 57 deletions
--- a/roles/common/handlers/main.yaml
+++ b/roles/common/handlers/main.yaml
@ -29,3 +29,4 @@
  with_items:
    - { c: iptables, ip: v4 }
    - { c: ip6tables, ip: v6 }
+  when: not nft | bool
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@ -66,8 +66,6 @@
      - etckeeper
      - git
      - htop
-      - iptables
-      - iptables-persistent
      - jq
      - net-tools
      - netcat-openbsd
@ -133,6 +131,7 @@
    - ipv4
    - ipv6
  notify: persist iptables
+  when: not nft | bool

 - name: Allow ICMP
  ansible.builtin.iptables:
@ -144,6 +143,7 @@
    - { ip: ipv4, proto: icmp }
    - { ip: ipv6, proto: ipv6-icmp }
  notify: persist iptables
+  when: not nft | bool

 - name: Allow related and established connections
  ansible.builtin.iptables:
@ -155,6 +155,7 @@
    - ipv4
    - ipv6
  notify: persist iptables
+  when: not nft | bool

 - name: Allow local connections
  ansible.builtin.iptables:
@ -164,6 +165,7 @@
    ip_version: "{{ item.v }}"
  with_items: "{{ trusted_ranges }}"
  notify: persist iptables
+  when: not nft | bool

 - name: Deny inbound connections
  ansible.builtin.iptables:
@ -174,3 +176,4 @@
    - ipv4
    - ipv6
  notify: persist iptables
+  when: not nft | bool
--- a/roles/etherpad/tasks/main.yaml
+++ b/roles/etherpad/tasks/main.yaml
@ -139,3 +139,4 @@
    - { ip: ipv6, port: 80 }
    - { ip: ipv6, port: 443 }
  notify: persist iptables
+  when: not nft | bool
--- a/roles/git-server/tasks/main.yaml
+++ b/roles/git-server/tasks/main.yaml
@ -98,6 +98,7 @@
    - { ip: ipv6, port: 22 }
    - { ip: ipv6, port: 443 }
  notify: persist iptables
+  when: not nft | bool

 - ansible.builtin.debug:
    msg: If Forgejo has not been setup yet, please do so manually.
--- a/roles/monitoring/tasks/main.yaml
+++ b/roles/monitoring/tasks/main.yaml
@ -1,42 +1,41 @@
 ---
- name: monitoring
-  tags: monitoring
-  block:
-    - name: Install nginx site
-      ansible.builtin.template:
-        src: nginx-site.conf
-        dest: /etc/nginx/sites-available/monitoring
-        owner: root
-        group: root
-        mode: 0644
-      notify: reload nginx

-    - name: Enable nginx site
-      ansible.builtin.file:
-        src: /etc/nginx/sites-available/monitoring
-        dest: /etc/nginx/sites-enabled/monitoring
-        state: link
-      notify: reload nginx
+- name: Install nginx site
+  ansible.builtin.template:
+    src: nginx-site.conf
+    dest: /etc/nginx/sites-available/monitoring
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx

-    - name: Start nginx
-      ansible.builtin.systemd:
-        name: nginx
-        state: started
-        enabled: yes
+- name: Enable nginx site
+  ansible.builtin.file:
+    src: /etc/nginx/sites-available/monitoring
+    dest: /etc/nginx/sites-enabled/monitoring
+    state: link
+  notify: reload nginx

-    - name: Allow HTTP/HTTPS
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: "{{ item.port }}"
-        ctstate: NEW
-        jump: ACCEPT
-        ip_version: "{{ item.ip }}"
-        action: insert
-      with_items:
-        - { ip: ipv6, port: 80 }
-        - { ip: ipv6, port: 443 }
-      notify: persist iptables
+- name: Start nginx
+  ansible.builtin.systemd:
+    name: nginx
+    state: started
+    enabled: yes
+
+- name: Allow HTTP/HTTPS
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ item.port }}"
+    ctstate: NEW
+    jump: ACCEPT
+    ip_version: "{{ item.ip }}"
+    action: insert
+  with_items:
+    - { ip: ipv6, port: 80 }
+    - { ip: ipv6, port: 443 }
+  notify: persist iptables
+  when: not nft | bool

 - name: mqtt_exporter
  tags: mqtt_exporter
--- a/roles/nft/defaults/main.yaml
+++ b/roles/nft/defaults/main.yaml
@ -0,0 +1,33 @@
+---
+
+nft: false  # totdat alles om is
+nft_main_config:            "/etc/nftables.conf"
+
+# Default policies per chain ( drop / reject / accept )
+nft_policy_input:           "drop"
+nft_policy_forward:         "accept"
+nft_policy_output:          "accept"
+# Same for nat traffic
+nft_policy_prerouting:  "accept"
+nft_policy_postrouting: "accept"
+
+# Host/Port allows
+nft_group_rules: []
+
+# And per host/group additions to rules:
+group_nft_input: []
+group_nft_forward: []
+group_nft_output: []
+
+host_nft_input: []
+host_nft_forward: []
+host_nft_output: []
+
+group_nft_postrouting: []
+host_nft_postrouting: []
+group_nft_prerouting: []
+host_nft_prerouting: []
+
+nft_defines: []
+nft_defines_group: []
+
--- a/roles/nft/handlers/main.yaml
+++ b/roles/nft/handlers/main.yaml
@ -0,0 +1,13 @@
+---
+
+- name: Reload nftables
+  ansible.builtin.systemd:
+    name: "nftables"
+    state: reloaded
+    enabled: true
+  tags:
+    - nft
+    - nftservice
+  when:
+    - nft|bool
+
--- a/roles/nft/tasks/main.yaml
+++ b/roles/nft/tasks/main.yaml
@ -0,0 +1,47 @@
+---
+
+- name: Install nftables related packages
+  ansible.builtin.apt:
+    state: present
+    pkg:
+      - nftables
+      - net-tools
+      - ipset
+
+- name: Template nftables.conf
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+    mode: "0700"
+    validate: "{{ item.validate | default() }}"
+  with_items:
+    - { src: "nftables.conf.j2", dest: "{{ nft_main_config }}",
+        backup: "yes", validate: "/usr/sbin/nft -c -f %s" }
+  tags:
+    - nft
+    - nftconfig
+  when:
+    - nft | bool
+  notify:
+    - Reload nftables
+
+- name: Cleanup netfilter packages
+  ansible.builtin.apt:
+    state: absent
+    pkg:
+      - netfilter-persistent
+  when:
+    - nft | bool
+
+- name: Cleanup iptables stuff
+  ansible.builtin.file:
+    state: absent
+    path: "{{ item }}"
+  with_items:
+    - "/etc/iptables/rules/v4"
+    - "/etc/iptables/rules/v6"
+    - "/etc/iptables"
+  when:
+    - nft | bool
--- a/roles/nft/templates/nftables.conf.j2
+++ b/roles/nft/templates/nftables.conf.j2
@ -0,0 +1,182 @@
+#!/usr/sbin/nft -f
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+
+# Named sets
+set trusted4 {
+    type ipv4_addr
+    flags interval
+    elements = {
+{% for ip in trusted_ranges %}
+{%     if ip.v == 'ipv4' %}
+        {{ ip.cidr }}, # {{ ip.comment | default('') }}
+{%     endif %}
+{% endfor %}
+    }
+}
+
+set trusted6 {
+    type ipv6_addr
+    flags interval
+    elements = {
+{% for ip in trusted_ranges %}
+{%     if ip.v == 'ipv6' %}
+        {{ ip.cidr }}, # {{ ip.comment | default('') }}
+{%     endif %}
+{% endfor %}
+    }
+}
+
+
+# Firewall chains
+    chain input {
+        type filter hook input priority 0;
+        policy {{ nft_policy_input }};
+
+        # Established connections
+        ct state established,related accept
+        ct state invalid counter drop comment "drop invalid packets"
+
+        # Limit icmp echo/reply
+        ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp-echo rate: " drop
+        # icmp6 from trusted ranges
+        ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+        # icmpv6 from the rest of the world
+        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp6-echo rate: " drop
+
+        # Loopback traffic
+        iifname lo accept
+
+        # icmp
+        ip protocol icmp icmp type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            source-quench,
+            time-exceeded
+        } accept
+
+        # icmp6
+        ip6 nexthdr icmpv6 icmpv6 type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            nd-neighbor-solicit,
+            nd-router-advert,
+            nd-neighbor-advert,
+            packet-too-big,
+            parameter-problem,
+            time-exceeded
+        } accept
+
+        # Open ssh only for trusted machines
+        ip saddr @trusted4 tcp dport { ssh } accept
+        ip6 saddr @trusted6 tcp dport { ssh } accept
+
+        # Rules based on group-vars
+{% for custom in nft_group_rules %}
+{%     if custom.comment is defined %}
+        # {{ custom.comment|default('') }}
+{%     endif %}
+        ip saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }}
+
+{% endfor %}
+
+{% for rule in group_nft_input %}
+        # Group input rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_input %}
+        # Host input rules
+        {{ rule }}
+{% endfor %}
+    }
+    chain forward {
+        type filter hook forward priority 0;
+        policy {{ nft_policy_forward }};
+
+        ct state established,related accept
+
+{% for rule in group_nft_forward %}
+        # Group forward rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_forward %}
+        # Host forward rules
+        {{ rule }}
+{% endfor %}
+
+        counter comment "count dropped incoming packets"
+    }
+    chain output {
+        type filter hook output priority 0;
+        policy {{ nft_policy_output }};
+
+        # Established connections
+        ct state established,related accept
+        ct state invalid counter drop comment "drop invalid packets"
+
+        # icmp
+        ip protocol icmp icmp type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            source-quench,
+            time-exceeded
+        } accept
+
+        # icmp6
+        ip6 nexthdr icmpv6 icmpv6 type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            nd-neighbor-solicit,
+            nd-router-advert,
+            nd-neighbor-advert,
+            packet-too-big,
+            parameter-problem,
+            time-exceeded
+        } accept
+
+{% for rule in group_nft_output %}
+        # Group output rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_output %}
+        # Host output rules
+        {{ rule }}
+{% endfor %}
+        counter comment "count dropped outgoing packets"
+    }
+}
+
+table ip nat {
+    chain prerouting {
+        type nat hook prerouting priority 100
+        policy {{ nft_policy_prerouting }};
+{% for rule in group_nft_prerouting %}
+        # Group prerouting rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_prerouting %}
+        # Host prerouting rules
+        {{ rule }}
+{% endfor %}
+    }
+    chain postrouting {
+        type nat hook postrouting priority 100
+        policy {{ nft_policy_postrouting }};
+
+{% for rule in group_nft_postrouting %}
+        # Group postrouting rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_postrouting %}
+        # Host postrouting rules
+        {{ rule }}
+{% endfor %}
+    }
+}
--- a/roles/services/tasks/siahsd.yaml
+++ b/roles/services/tasks/siahsd.yaml
@ -46,3 +46,4 @@
    action: insert
  with_items: [ ipv4, ipv6 ]
  notify: persist iptables
+  when: not nft | bool
--- a/roles/www/tasks/mediawiki.yaml
+++ b/roles/www/tasks/mediawiki.yaml
@ -27,3 +27,4 @@
    - { ip: ipv6, port: 80 }
    - { ip: ipv6, port: 443 }
  notify: persist iptables
+  when: not nft | bool
--- a/roles/www/tasks/mqtt.yaml
+++ b/roles/www/tasks/mqtt.yaml
@ -19,6 +19,7 @@
    - { ip: ipv4, port: 1883 }
    - { ip: ipv6, port: 1883 }
  notify: persist iptables
+  when: not nft | bool

 - name: Install mqtt-simple
  ansible.builtin.command: