From 6a692ac2d5470f3731335dde56f954a24ff9dd87 Mon Sep 17 00:00:00 2001
From: Tunui Franken
Date: Sun, 6 Oct 2024 12:41:58 +0200
Subject: [PATCH] Don't allow output ssh and only allow dhclient if using dhcp

---
 roles/setup_nftables/files/output.d/ssh.conf |  1 -
 roles/setup_nftables/tasks/main.yml          | 18 ++++++++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)
 delete mode 100644 roles/setup_nftables/files/output.d/ssh.conf

diff --git a/roles/setup_nftables/files/output.d/ssh.conf b/roles/setup_nftables/files/output.d/ssh.conf
deleted file mode 100644
index 4ccb373..0000000
--- a/roles/setup_nftables/files/output.d/ssh.conf
+++ /dev/null
@@ -1 +0,0 @@
-tcp dport ssh accept comment "Allow SSH"
diff --git a/roles/setup_nftables/tasks/main.yml b/roles/setup_nftables/tasks/main.yml
index b43e101..483069a 100644
--- a/roles/setup_nftables/tasks/main.yml
+++ b/roles/setup_nftables/tasks/main.yml
@@ -7,7 +7,7 @@
     state: present
   notify: Start nftables service
 
-- name: Start nftables
+- name: Start and enable nftables
   become: true
   ansible.builtin.systemd:
     name: nftables
@@ -75,17 +75,23 @@
     - post-hooks.d/*
   notify: Restart nftables service
 
-- name: Copy default output rules
+- name: Check if server is using DHCP
+  become: true
+  ansible.builtin.shell:
+    cmd: "for interface in $(ip -o link show up | awk -F: '{print $2}'); do grep -r $interface.*dhcp /etc/network; done"
+  register: dhcp_grep
+  changed_when: false
+
+- name: Copy dhclient output rule
   become: true
   ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "/etc/nftables/output.d/{{ item | basename }}"
+    src: output.d/dhclient.conf
+    dest: /etc/nftables/output.d/dhclient.conf
     owner: root
     group: root
     mode: 0640
-  with_fileglob:
-    - output.d/*
   notify: Restart nftables service
+  when: dhcp_grep.stdout != ""
 
 - name: Setup netfilter.log
   become: true
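Review bot: The new "Check if server is using DHCP" task fails on every host that is not using DHCP, because the last `grep` in the loop returns 1 when nothing matches (or 2 when `/etc/network` does not exist, as on netplan/NetworkManager hosts) and `ansible.builtin.shell` treats a non-zero rc as failure, so the `when: dhcp_grep.stdout != ""` guard on the copy task is never reached in exactly the case it was written for; add `failed_when: false` (or `failed_when: dhcp_grep.rc > 1` if you want real errors to surface) and quote the pattern, `grep -r "$interface.*dhcp" /etc/network`, so the shell does not glob-expand it. Separately, deleting `ssh.conf` and dropping `with_fileglob` does not remove `/etc/nftables/output.d/ssh.conf` (or a stale `dhclient.conf`) from hosts provisioned by the previous version, so the outbound SSH allow rule the commit intends to revoke stays active there until something deletes the file; a cleanup task with `ansible.builtin.file: state: absent` notifying the same restart handler closes that gap. The detection itself only covers ifupdown-style configuration under `/etc/network`, which is presumably the target here; worth a comment on the task stating that assumption.

```yaml
- name: Check if server is using DHCP
  become: true
  ansible.builtin.shell:
    cmd: "for interface in $(ip -o link show up | awk -F: '{print $2}'); do grep -r \"$interface.*dhcp\" /etc/network; done"
  register: dhcp_grep
  changed_when: false
  failed_when: false

- name: Remove output rules no longer managed by this role
  become: true
  ansible.builtin.file:
    path: /etc/nftables/output.d/ssh.conf
    state: absent
  notify: Restart nftables service

# … unchanged: Copy dhclient output rule task …
```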