Write role nftables from ee

This commit is contained in:
flyingscorpio@clevo 2022-03-13 12:46:07 +01:00
parent fb864fb54d
commit 75e2821e36
10 changed files with 210 additions and 1 deletions


@ -1,4 +1,8 @@
---
- name: Reload systemd daemon
systemd:
daemon-reload: true
- name: Start apache2 service
become: true
systemd:
@ -20,6 +24,13 @@
enabled: true
- name: Start nftables service
become: true
systemd:
name: nftables
state: started
enabled: true
- name: Restart nftables service
become: true
systemd:
name: nftables
@ -31,3 +42,9 @@
systemd:
name: nftables
state: reloaded
- name: Restart rsyslog service
become: true
systemd:
name: rsyslog
state: restarted
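Review bot: The new `Reload systemd daemon` handler at the top of the first hunk runs `daemon-reload` without `become: true`, while every other handler in this file (apache2, nftables start/restart/reload, rsyslog) escalates, so on a non-root connection the notification sent by the local.conf copy task will fail at the first reload. Add `become: true` directly under `- name: Reload systemd daemon`, matching the siblings. The `Start apache2 service` handler in that hunk continues past the hunk's last line.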


@ -0,0 +1 @@
tcp dport ssh accept comment "Allow ssh"


@ -0,0 +1,13 @@
/var/log/netfilter.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
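Review bot: The stanza has no `create` directive, so the ownership and mode of the recreated /var/log/netfilter.log depend entirely on rsyslog's global FileOwner/FileGroup/FileCreateMode settings; since the file collects kernel netfilter lines, which carry addresses, pin it explicitly by adding `create 0640 root adm` next to `rotate 7`. The `postrotate` helper `/usr/lib/rsyslog/rsyslog-rotate` is the Debian-family path; whether the role targets anything else is not visible from this page.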


@ -0,0 +1,2 @@
:msg, regex, " IN=.*OUT=" -/var/log/netfilter.log
& stop
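Review bot: The filter `:msg, regex, " IN=.*OUT="` is keyed on message text alone, so a line from any facility or program that happens to contain ` IN=…OUT=` is diverted to netfilter.log and, because of `& stop`, never reaches syslog or kern.log. Restrict it to the kernel facility, e.g. the RainerScript form `if $syslogfacility-text == "kern" and re_match($msg, " IN=.*OUT=") then { action(type="omfile" file="/var/log/netfilter.log") stop }`. The `& stop` also only has the intended effect if this drop-in is evaluated before the distribution's `kern.*` rule, which I believe holds for Debian's default rsyslog.conf but is worth stating in a comment at the top of the file.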


@ -0,0 +1,77 @@
#! /usr/sbin/nft -f
flush ruleset
include "/etc/nftables/include.d/*.conf"
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# connection tracking
ct state invalid drop
ct state established,related accept
# allow local packets
iifname lo accept
# respond to ping
icmp type echo-request accept
# reject ident
tcp dport ident reject
# minimal rules for ipv6
icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-advert } accept
# Apply extra rules, if any
include "/etc/nftables/input.d/*.conf"
}
chain output {
type filter hook output priority 0; policy drop;
# connection tracking
ct state invalid drop
ct state established,related accept
# allow local packets
oifname lo accept;
# ICMP
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
# Ident
tcp dport ident accept
# DNS
udp dport domain accept
tcp dport domain accept
# HTTP
tcp dport http accept
# HTTPS
tcp dport https accept
# NTP
udp dport ntp accept
# Apply extra rules, if any
include "/etc/nftables/output.d/*.conf"
}
chain forward {
type filter hook forward priority 0; policy drop;
# connection tracking
ct state invalid drop
ct state established,related accept
# Apply extra rules, if any
include "/etc/nftables/forward.d/*.conf"
}
}
# vim: ai:expandtab:ts=4:sw=4
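Review bot: None of the three chains contains a `log` statement, so with `policy drop` the dropped packets are discarded silently and the netfilter.log rsyslog rule and logrotate stanza added in this same commit will never receive anything from this ruleset unless an included file supplies it. Add a rate-limited log as the last rule of each chain, after the `include` line so rules from input.d/output.d/forward.d are evaluated first, e.g. `limit rate 10/minute log prefix "nft-input-drop: "` in `chain input` and the equivalent in output and forward; the rsyslog regex ` IN=.*OUT=` matches the kernel netfilter log format these statements emit. Two smaller points in the output chain: `oifname lo accept;` carries a trailing `;` that none of the sibling rules use, and `ip6 nexthdr icmpv6 accept` only matches when ICMPv6 is the immediate next header, so `meta l4proto icmpv6 accept` is the more robust form when IPv6 extension headers are present.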


@ -0,0 +1 @@
udp dport 67 accept comment "Allow DHCP"
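Review bot: The destination directory of this one-line file is not shown on the page, and `udp dport 67` is the DHCP server port, so the rule is only correct as an output-chain rule (client requests to a server); placed under input.d it would instead open the host as a DHCP server. Make the intent explicit, e.g. `udp sport 68 udp dport 67 accept comment "Allow DHCP client requests"`, which also narrows the match to client-originated traffic.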


@ -0,0 +1,5 @@
#!/bin/bash
# Restart fail2ban if needed
[ "$(systemctl is-active fail2ban.service)" = inactive ] || fail2ban-client reload
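Review bot: The guard only short-circuits when `systemctl is-active` prints `inactive`; for any other non-active state (`failed`, `activating`, `deactivating`) `fail2ban-client reload` runs against a daemon that is not up, exits non-zero, and because run-parts is invoked from `ExecStartPost` that failure marks nftables.service as failed. Test for the positive state and keep the script's exit status clean: `if [ "$(systemctl is-active fail2ban.service)" = active ]; then` / `    fail2ban-client reload` / `fi`. Presumably the reload is needed because `flush ruleset` in nftables.conf removes fail2ban's tables on every restart; a comment saying so would help the next reader.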


@ -0,0 +1,3 @@
[Service]
ExecStartPre=run-parts /etc/nftables/pre-hooks.d/
ExecStartPost=run-parts /etc/nftables/post-hooks.d/
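Review bot: A non-zero exit from either `run-parts` call fails nftables.service: a failing pre-hook prevents the ruleset from loading at all, and a failing post-hook (such as the fail2ban hook) marks the unit failed after the rules are already in the kernel, which the role's `systemd` handlers then report as an error. If the hooks are best-effort, prefix them with `-` so systemd ignores their exit status: `ExecStartPre=-run-parts /etc/nftables/pre-hooks.d/` and `ExecStartPost=-run-parts /etc/nftables/post-hooks.d/`; if a pre-hook is meant to block the start, keep that one strict and say so in a comment.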


@ -0,0 +1,2 @@
dependencies:
- role: setup-fail2ban


@ -7,8 +7,96 @@
update_cache: yes
notify: Start nftables service
- name: Enable nftables
- name: Start nftables
become: true
systemd:
name: nftables
state: started
enabled: true
- name: Setup needed directories
become: true
file: path={{ item }} owner=root group=root mode=0750 state=directory
with_items:
- /etc/nftables/input.d
- /etc/nftables/output.d
- /etc/nftables/forward.d
- /etc/nftables/pre-hooks.d
- /etc/nftables/post-hooks.d
- /etc/nftables/include.d
- /etc/systemd/system/nftables.service.d
- name: Copy local systemd configuration
become: true
copy:
src: systemd-local.conf
dest: /etc/systemd/system/nftables.service.d/local.conf
owner: root
group: root
mode: 0640
notify: Reload systemd daemon
- name: Copy default configuration
become: true
copy:
src: nftables.conf
dest: /etc/nftables.conf
owner: root
group: root
mode: 0640
notify: Restart nftables service
- name: Copy default input rules
become: true
copy:
src: "{{ item }}"
dest: "/etc/nftables/input.d/{{ item }}"
owner: root
group: root
mode: 0640
with_fileglob:
- input.d/*
notify: Restart nftables service
- name: Copy default post-hook rules
become: true
copy:
src: "{{ item }}"
dest: "/etc/nftables/post-hooks.d/{{ item }}"
owner: root
group: root
mode: 0750
with_fileglob:
- post-hooks.d/*
notify: Restart nftables service
- name: Copy default output rules
become: true
copy:
src: "{{ item }}"
dest: "/etc/nftables/output.d/{{ item }}"
owner: root
group: root
mode: 0640
with_fileglob:
- output.d/*
notify: Restart nftables service
- name: Setup netfilter.log
become: true
copy:
src: netfilter.rsyslog
dest: /etc/rsyslog.d/netfilter.conf
owner: root
group: root
mode: 0644
notify: Restart rsyslog service
- name: Setup logrotate for netfilter.log
become: true
copy:
src: netfilter.logrotate
dest: /etc/logrotate.d/netfilter
owner: root
group: root
mode: 0644