2022-03-13 11:46:24 +01:00
|
|
|
---
|
2024-04-09 20:21:59 +02:00
|
|
|
|
2022-03-13 11:46:24 +01:00
|
|
|
- name: Install nftables
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.apt:
|
2022-03-13 11:46:24 +01:00
|
|
|
name: nftables
|
|
|
|
|
state: present
|
|
|
|
|
|
2025-01-24 16:58:13 +01:00
|
|
|
- name: Start and enable nftables service
|
2022-03-13 11:46:24 +01:00
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.systemd:
|
2022-03-13 11:46:24 +01:00
|
|
|
name: nftables
|
2022-03-13 12:46:07 +01:00
|
|
|
state: started
|
2022-03-13 11:46:24 +01:00
|
|
|
enabled: true
|
2022-03-13 12:46:07 +01:00
|
|
|
|
|
|
|
|
- name: Setup needed directories
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.file:
|
|
|
|
|
path: "{{ item }}"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0750
|
|
|
|
|
state: directory
|
2022-03-13 12:46:07 +01:00
|
|
|
with_items:
|
|
|
|
|
- /etc/nftables/input.d
|
|
|
|
|
- /etc/nftables/output.d
|
|
|
|
|
- /etc/nftables/forward.d
|
|
|
|
|
- /etc/nftables/pre-hooks.d
|
|
|
|
|
- /etc/nftables/post-hooks.d
|
|
|
|
|
- /etc/nftables/include.d
|
|
|
|
|
- /etc/systemd/system/nftables.service.d
|
|
|
|
|
|
|
|
|
|
- name: Copy local systemd configuration
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.copy:
|
2022-03-13 12:46:07 +01:00
|
|
|
src: systemd-local.conf
|
|
|
|
|
dest: /etc/systemd/system/nftables.service.d/local.conf
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0640
|
|
|
|
|
notify: Reload systemd daemon
|
|
|
|
|
|
|
|
|
|
- name: Copy default configuration
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.copy:
|
2022-03-13 12:46:07 +01:00
|
|
|
src: nftables.conf
|
|
|
|
|
dest: /etc/nftables.conf
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0640
|
2025-01-24 16:58:13 +01:00
|
|
|
notify: Reload nftables service
|
2022-03-13 12:46:07 +01:00
|
|
|
|
|
|
|
|
- name: Copy default input rules
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.copy:
|
2022-03-13 12:46:07 +01:00
|
|
|
src: "{{ item }}"
|
2022-03-13 22:41:08 +01:00
|
|
|
dest: "/etc/nftables/input.d/{{ item | basename }}"
|
2022-03-13 12:46:07 +01:00
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0640
|
|
|
|
|
with_fileglob:
|
|
|
|
|
- input.d/*
|
2025-01-24 16:58:13 +01:00
|
|
|
notify: Reload nftables service
|
2022-03-13 12:46:07 +01:00
|
|
|
|
|
|
|
|
- name: Copy default post-hook rules
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.copy:
|
2022-03-13 12:46:07 +01:00
|
|
|
src: "{{ item }}"
|
2022-03-13 22:41:08 +01:00
|
|
|
dest: "/etc/nftables/post-hooks.d/{{ item | basename }}"
|
2022-03-13 12:46:07 +01:00
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0750
|
|
|
|
|
with_fileglob:
|
|
|
|
|
- post-hooks.d/*
|
2025-01-24 16:58:13 +01:00
|
|
|
notify: Reload nftables service
|
2022-03-13 12:46:07 +01:00
|
|
|
|
2024-10-06 12:41:58 +02:00
|
|
|
- name: Check if server is using DHCP
|
|
|
|
|
become: true
|
2024-11-01 18:04:21 +01:00
|
|
|
ansible.builtin.command:
|
|
|
|
|
cmd: "ip addr show dynamic"
|
2024-10-06 12:41:58 +02:00
|
|
|
register: dhcp_grep
|
|
|
|
|
changed_when: false
|
|
|
|
|
|
|
|
|
|
- name: Copy dhclient output rule
|
2022-03-13 12:46:07 +01:00
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.copy:
|
2024-10-06 12:41:58 +02:00
|
|
|
src: output.d/dhclient.conf
|
|
|
|
|
dest: /etc/nftables/output.d/dhclient.conf
|
2022-03-13 12:46:07 +01:00
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0640
|
2025-01-24 16:58:13 +01:00
|
|
|
notify: Reload nftables service
|
2024-10-06 12:41:58 +02:00
|
|
|
when: dhcp_grep.stdout != ""
|
2022-03-13 12:46:07 +01:00
|
|
|
|
2025-01-31 22:07:56 +01:00
|
|
|
# The restart of rsyslog service seems to hang when done just after reloading of nftables service
|
|
|
|
|
- name: Make sure nftables service is reloaded
|
|
|
|
|
ansible.builtin.meta: flush_handlers
|
|
|
|
|
|
2022-03-13 12:46:07 +01:00
|
|
|
- name: Setup netfilter.log
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.copy:
|
2022-03-13 12:46:07 +01:00
|
|
|
src: netfilter.rsyslog
|
|
|
|
|
dest: /etc/rsyslog.d/netfilter.conf
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0644
|
|
|
|
|
notify: Restart rsyslog service
|
|
|
|
|
|
|
|
|
|
- name: Setup logrotate for netfilter.log
|
|
|
|
|
become: true
|
2022-12-16 20:12:49 +01:00
|
|
|
ansible.builtin.copy:
|
2022-03-13 12:46:07 +01:00
|
|
|
src: netfilter.logrotate
|
|
|
|
|
dest: /etc/logrotate.d/netfilter
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 0644
|
