bitlair/ansible
6
0
Fork 1
Code Issues Pull requests Activity Actions

nft role + disable iptables when nft enabled

Browse source
This commit is contained in:
Mark Janssen 2024-07-24 21:32:13 +02:00
parent a74dba4557
commit 848917a72c
Signed by: foobar
GPG key ID: D8674D8FC4F69BD2
17 changed files with 348 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

33
roles/nft/defaults/main.yaml Normal file
View file

@ -0,0 +1,33 @@
---
nft: false # totdat alles om is
nft_main_config: "/etc/nftables.conf"
# Default policies per chain ( drop / reject / accept )
nft_policy_input: "drop"
nft_policy_forward: "accept"
nft_policy_output: "accept"
# Same for nat traffic
nft_policy_prerouting: "accept"
nft_policy_postrouting: "accept"
# Host/Port allows
nft_group_rules: []
# And per host/group additions to rules:
group_nft_input: []
group_nft_forward: []
group_nft_output: []
host_nft_input: []
host_nft_forward: []
host_nft_output: []
group_nft_postrouting: []
host_nft_postrouting: []
group_nft_prerouting: []
host_nft_prerouting: []
nft_defines: []
nft_defines_group: []

13
roles/nft/handlers/main.yaml Normal file
View file

@ -0,0 +1,13 @@
---
- name: Reload nftables
ansible.builtin.systemd:
name: "nftables"
state: reloaded
enabled: true
tags:
- nft
- nftservice
when:
- nft|bool

47
roles/nft/tasks/main.yaml Normal file
View file

@ -0,0 +1,47 @@
---
- name: Install nftables related packages
ansible.builtin.apt:
state: present
pkg:
- nftables
- net-tools
- ipset
- name: Template nftables.conf
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "0700"
validate: "{{ item.validate | default() }}"
with_items:
- { src: "nftables.conf.j2", dest: "{{ nft_main_config }}",
backup: "yes", validate: "/usr/sbin/nft -c -f %s" }
tags:
- nft
- nftconfig
when:
- nft | bool
notify:
- Reload nftables
- name: Cleanup netfilter packages
ansible.builtin.apt:
state: absent
pkg:
- netfilter-persistent
when:
- nft | bool
- name: Cleanup iptables stuff
ansible.builtin.file:
state: absent
path: "{{ item }}"
with_items:
- "/etc/iptables/rules/v4"
- "/etc/iptables/rules/v6"
- "/etc/iptables"
when:
- nft | bool

182
roles/nft/templates/nftables.conf.j2 Normal file
View file

@ -0,0 +1,182 @@
#!/usr/sbin/nft -f
# {{ ansible_managed }}
flush ruleset
table inet filter {
# Named sets
set trusted4 {
type ipv4_addr
flags interval
elements = {
{% for ip in trusted_ranges %}
{% if ip.v == 'ipv4' %}
{{ ip.cidr }}, # {{ ip.comment | default('') }}
{% endif %}
{% endfor %}
}
}
set trusted6 {
type ipv6_addr
flags interval
elements = {
{% for ip in trusted_ranges %}
{% if ip.v == 'ipv6' %}
{{ ip.cidr }}, # {{ ip.comment | default('') }}
{% endif %}
{% endfor %}
}
}
# Firewall chains
chain input {
type filter hook input priority 0;
policy {{ nft_policy_input }};
# Established connections
ct state established,related accept
ct state invalid counter drop comment "drop invalid packets"
# Limit icmp echo/reply
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp-echo rate: " drop
# icmp6 from trusted ranges
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
# icmpv6 from the rest of the world
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp6-echo rate: " drop
# Loopback traffic
iifname lo accept
# icmp
ip protocol icmp icmp type {
destination-unreachable,
echo-reply,
echo-request,
source-quench,
time-exceeded
} accept
# icmp6
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable,
echo-reply,
echo-request,
nd-neighbor-solicit,
nd-router-advert,
nd-neighbor-advert,
packet-too-big,
parameter-problem,
time-exceeded
} accept
# Open ssh only for trusted machines
ip saddr @trusted4 tcp dport { ssh } accept
ip6 saddr @trusted6 tcp dport { ssh } accept
# Rules based on group-vars
{% for custom in nft_group_rules %}
{% if custom.comment is defined %}
# {{ custom.comment|default('') }}
{% endif %}
ip saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }}
{% endfor %}
{% for rule in group_nft_input %}
# Group input rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_input %}
# Host input rules
{{ rule }}
{% endfor %}
}
chain forward {
type filter hook forward priority 0;
policy {{ nft_policy_forward }};
ct state established,related accept
{% for rule in group_nft_forward %}
# Group forward rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_forward %}
# Host forward rules
{{ rule }}
{% endfor %}
counter comment "count dropped incoming packets"
}
chain output {
type filter hook output priority 0;
policy {{ nft_policy_output }};
# Established connections
ct state established,related accept
ct state invalid counter drop comment "drop invalid packets"
# icmp
ip protocol icmp icmp type {
destination-unreachable,
echo-reply,
echo-request,
source-quench,
time-exceeded
} accept
# icmp6
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable,
echo-reply,
echo-request,
nd-neighbor-solicit,
nd-router-advert,
nd-neighbor-advert,
packet-too-big,
parameter-problem,
time-exceeded
} accept
{% for rule in group_nft_output %}
# Group output rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_output %}
# Host output rules
{{ rule }}
{% endfor %}
counter comment "count dropped outgoing packets"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 100
policy {{ nft_policy_prerouting }};
{% for rule in group_nft_prerouting %}
# Group prerouting rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_prerouting %}
# Host prerouting rules
{{ rule }}
{% endfor %}
}
chain postrouting {
type nat hook postrouting priority 100
policy {{ nft_policy_postrouting }};
{% for rule in group_nft_postrouting %}
# Group postrouting rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_postrouting %}
# Host postrouting rules
{{ rule }}
{% endfor %}
}
}