From 75e2821e360d8ea881826e97c44a412df4765eee Mon Sep 17 00:00:00 2001 From: "flyingscorpio@clevo" Date: Sun, 13 Mar 2022 12:46:07 +0100 Subject: [PATCH] Write role nftables from ee --- roles/common/handlers/main.yml | 17 ++++ roles/install-nftables/files/input.d/ssh.conf | 1 + .../files/netfilter.logrotate | 13 +++ .../install-nftables/files/netfilter.rsyslog | 2 + roles/install-nftables/files/nftables.conf | 77 ++++++++++++++++ .../files/output.d/dhclient.conf | 1 + .../files/post-hooks.d/fail2ban | 5 ++ .../install-nftables/files/systemd-local.conf | 3 + roles/install-nftables/meta/main.yml | 2 + roles/install-nftables/tasks/main.yml | 90 ++++++++++++++++++- 10 files changed, 210 insertions(+), 1 deletion(-) create mode 100644 roles/install-nftables/files/input.d/ssh.conf create mode 100644 roles/install-nftables/files/netfilter.logrotate create mode 100644 roles/install-nftables/files/netfilter.rsyslog create mode 100644 roles/install-nftables/files/nftables.conf create mode 100644 roles/install-nftables/files/output.d/dhclient.conf create mode 100644 roles/install-nftables/files/post-hooks.d/fail2ban create mode 100644 roles/install-nftables/files/systemd-local.conf create mode 100644 roles/install-nftables/meta/main.yml diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index ef46e63..42bd5b9 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,4 +1,8 @@ --- +- name: Reload systemd daemon + systemd: + daemon-reload: true + - name: Start apache2 service become: true systemd: @@ -20,6 +24,13 @@ enabled: true - name: Start nftables service + become: true + systemd: + name: nftables + state: started + enabled: true + +- name: Restart nftables service become: true systemd: name: nftables @@ -31,3 +42,9 @@ systemd: name: nftables state: reloaded + +- name: Restart rsyslog service + become: true + systemd: + name: rsyslog + state: restarted 
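Review bot: The new `Reload systemd daemon` handler in the first hunk is the only handler in this file without `become: true`, so `systemctl daemon-reload` runs as the unprivileged connection user and the drop-in the tasks file writes under /etc/systemd/system/nftables.service.d/ is never picked up by the system manager, leaving the ExecStartPre/ExecStartPost hooks inert on this play. Add the escalation and prefer the module's canonical parameter spelling: `  become: true` / `  systemd:` / `    daemon_reload: true`. Handlers run in definition order, so this one being listed before `Restart nftables service` is what makes the drop-in visible before the restart; a one-line comment above it such as `# must stay first: the restart handlers below depend on the daemon-reload having run` would protect that ordering from a later reshuffle.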
diff --git a/roles/install-nftables/files/input.d/ssh.conf b/roles/install-nftables/files/input.d/ssh.conf
new file mode 100644
index 0000000..4795ff2
--- /dev/null
+++ b/roles/install-nftables/files/input.d/ssh.conf
@@ -0,0 +1 @@
+tcp dport ssh accept comment "Allow ssh"
diff --git a/roles/install-nftables/files/netfilter.logrotate b/roles/install-nftables/files/netfilter.logrotate
new file mode 100644
index 0000000..8e1d024
--- /dev/null
+++ b/roles/install-nftables/files/netfilter.logrotate
@@ -0,0 +1,13 @@
+/var/log/netfilter.log
+{
+    rotate 7
+    daily
+    missingok
+    notifempty
+    delaycompress
+    compress
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate
+    endscript
+}
diff --git a/roles/install-nftables/files/netfilter.rsyslog b/roles/install-nftables/files/netfilter.rsyslog
new file mode 100644
index 0000000..4893cf2
--- /dev/null
+++ b/roles/install-nftables/files/netfilter.rsyslog
@@ -0,0 +1,2 @@
+:msg, regex, " IN=.*OUT=" -/var/log/netfilter.log
+& stop
diff --git a/roles/install-nftables/files/nftables.conf b/roles/install-nftables/files/nftables.conf
new file mode 100644
index 0000000..9e24992
--- /dev/null
+++ b/roles/install-nftables/files/nftables.conf
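Review bot: The filter `:msg, regex, " IN=.*OUT=" -/var/log/netfilter.log` followed by `& stop` matches any message from any facility whose text contains that pattern, and `& stop` then removes it from the normal syslog stream, so an unrelated daemon echoing such a string silently disappears from /var/log/syslog while a kernel line with a slightly different layout is not caught at all. The new /etc/nftables.conf in the following hunk contains no `log` statement, so as written /var/log/netfilter.log stays empty and the logrotate stanza has nothing to rotate. I would give the nft log rules a prefix you control and key on it here, e.g. `:msg, contains, "nft-drop: " -/var/log/netfilter.log`, optionally restricted to the kernel facility with `if $syslogfacility-text == 'kern' and $msg contains 'nft-drop: ' then -/var/log/netfilter.log`.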
@@ -0,0 +1,77 @@
+#! /usr/sbin/nft -f
+
+flush ruleset
+
+include "/etc/nftables/include.d/*.conf"
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+
+        # connection tracking
+        ct state invalid drop
+        ct state established,related accept
+
+        # allow local packets
+        iifname lo accept
+
+        # respond to ping
+        icmp type echo-request accept
+
+        # reject ident
+        tcp dport ident reject
+
+        # minimal rules for ipv6
+        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-advert } accept
+
+        # Apply extra rules, if any
+        include "/etc/nftables/input.d/*.conf"
+    }
+
+    chain output {
+        type filter hook output priority 0; policy drop;
+
+        # connection tracking
+        ct state invalid drop
+        ct state established,related accept
+
+        # allow local packets
+        oifname lo accept;
+
+        # ICMP
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+
+        # Ident
+        tcp dport ident accept
+
+        # DNS
+        udp dport domain accept
+        tcp dport domain accept
+
+        # HTTP
+        tcp dport http accept
+
+        # HTTPS
+        tcp dport https accept
+
+        # NTP
+        udp dport ntp accept
+
+        # Apply extra rules, if any
+        include "/etc/nftables/output.d/*.conf"
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+
+        # connection tracking
+        ct state invalid drop
+        ct state established,related accept
+
+        # Apply extra rules, if any
+        include "/etc/nftables/forward.d/*.conf"
+    }
+}
+
+# vim: ai:expandtab:ts=4:sw=4
diff --git a/roles/install-nftables/files/output.d/dhclient.conf b/roles/install-nftables/files/output.d/dhclient.conf
new file mode 100644
index 0000000..8a70a5e
--- /dev/null
+++ b/roles/install-nftables/files/output.d/dhclient.conf
@@ -0,0 +1 @@
+udp dport 67 accept comment "Allow DHCP"
diff --git a/roles/install-nftables/files/post-hooks.d/fail2ban b/roles/install-nftables/files/post-hooks.d/fail2ban
new file mode 100644
index 0000000..8898dbe
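Review bot: The ruleset never logs anything — neither the `policy drop` on the input and forward chains nor any explicit rule carries a `log` statement — so the rsyslog and logrotate plumbing this commit adds for /var/log/netfilter.log has nothing to capture and dropped connections leave no trace for detection or debugging. After the `include "/etc/nftables/input.d/*.conf"` line (so site rules still get first say) I would add a rate-limited terminal pair such as `limit rate 5/minute burst 10 packets log prefix "nft-drop: " flags all` / `counter drop`, and the same at the end of the forward chain. Separately, `ip6 nexthdr icmpv6 accept` in the output chain only matches when ICMPv6 is the first next-header; with any extension header present the packet misses the rule and is dropped by policy, so `meta l4proto ipv6-icmp accept` is the robust form. Note also that `nd-router-advert` is accepted on input unconditionally; on a host with static addressing that deserves a comment or removal, since rogue router advertisements are a well-known LAN attack.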
--- /dev/null
+++ b/roles/install-nftables/files/post-hooks.d/fail2ban
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Restart fail2ban if needed
+
+[ "$(systemctl is-active fail2ban.service)" = inactive ] || fail2ban-client reload
diff --git a/roles/install-nftables/files/systemd-local.conf b/roles/install-nftables/files/systemd-local.conf
new file mode 100644
index 0000000..cedd25a
--- /dev/null
+++ b/roles/install-nftables/files/systemd-local.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=run-parts /etc/nftables/pre-hooks.d/
+ExecStartPost=run-parts /etc/nftables/post-hooks.d/
diff --git a/roles/install-nftables/meta/main.yml b/roles/install-nftables/meta/main.yml
new file mode 100644
index 0000000..4a59999
--- /dev/null
+++ b/roles/install-nftables/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: setup-fail2ban
diff --git a/roles/install-nftables/tasks/main.yml b/roles/install-nftables/tasks/main.yml
index 32cb819..b6b076a 100644
--- a/roles/install-nftables/tasks/main.yml
+++ b/roles/install-nftables/tasks/main.yml
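Review bot: The test `[ "$(systemctl is-active fail2ban.service)" = inactive ]` treats only the literal string `inactive` as "do nothing"; for `failed`, `activating`, `deactivating` or `unknown` the script falls through to `fail2ban-client reload`, which exits non-zero, and because this file is executed via `ExecStartPost=run-parts …` a failing hook makes the nftables unit start fail — depending on the distribution unit's ExecStop that can flush the ruleset that was just loaded, i.e. an unhealthy fail2ban leaves the host with no firewall. Using the exit status covers every state: `systemctl -q is-active fail2ban.service || exit 0` followed by `exec fail2ban-client reload`. Whether a reload failure should still fail the nftables start is a policy choice that deserves a comment in the script: appending `|| true` fails open on fail2ban's bans, the current form fails open on the firewall. The hook also only runs on start/restart; a `systemctl reload nftables` (the existing Reload handler) re-runs `nft -f` with its `flush ruleset` and, unless the unit's ExecReload also runs the hooks, leaves fail2ban's chains gone until the next restart.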
@@ -7,8 +7,96 @@ update_cache: yes notify: Start nftables service -- name: Enable nftables +- name: Start nftables become: true systemd: name: nftables + state: started enabled: true + +- name: Setup needed directories + become: true + file: path={{ item }} owner=root group=root mode=0750 state=directory + with_items: + - /etc/nftables/input.d + - /etc/nftables/output.d + - /etc/nftables/forward.d + - /etc/nftables/pre-hooks.d + - /etc/nftables/post-hooks.d + - /etc/nftables/include.d + - /etc/systemd/system/nftables.service.d + +- name: Copy local systemd configuration + become: true + copy: + src: systemd-local.conf + dest: /etc/systemd/system/nftables.service.d/local.conf + owner: root + group: root + mode: 0640 + notify: Reload systemd daemon + +- name: Copy default configuration + become: true + copy: + src: nftables.conf + dest: /etc/nftables.conf + owner: root + group: root + mode: 0640 + notify: Restart nftables service + +- name: Copy default input rules + become: true + copy: + src: "{{ item }}" + dest: "/etc/nftables/input.d/{{ item }}" + owner: root + group: root + mode: 0640 + with_fileglob: + - input.d/* + notify: Restart nftables service + +- name: Copy default post-hook rules + become: true + copy: + src: "{{ item }}" + dest: "/etc/nftables/post-hooks.d/{{ item }}" + owner: root + group: root + mode: 0750 + with_fileglob: + - post-hooks.d/* + notify: Restart nftables service + +- name: Copy default output rules + become: true + copy: + src: "{{ item }}" + dest: "/etc/nftables/output.d/{{ item }}" + owner: root + group: root + mode: 0640 + with_fileglob: + - output.d/* + notify: Restart nftables service + +- name: Setup netfilter.log + become: true + copy: + src: netfilter.rsyslog + dest: /etc/rsyslog.d/netfilter.conf + owner: root + group: root + mode: 0644 + notify: Restart rsyslog service + +- name: Setup logrotate for netfilter.log + become: true + copy: + src: netfilter.logrotate + dest: /etc/logrotate.d/netfilter + owner: root + group: root + 
mode: 0644
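Review bot: In the three `with_fileglob` tasks `{{ item }}` is the absolute path of the matched file on the controller, so `dest: "/etc/nftables/input.d/{{ item }}"` (and the post-hooks.d and output.d variants) expands to something like `/etc/nftables/input.d//home/…/files/input.d/ssh.conf` rather than `/etc/nftables/input.d/ssh.conf`; the copy either fails or lands the file in a nested path, so `include "/etc/nftables/input.d/*.conf"` never sees the ssh rule (locking SSH out under `policy drop`) and `run-parts` never finds the fail2ban hook. Use the basename in all three: `dest: "/etc/nftables/input.d/{{ item | basename }}"`, `dest: "/etc/nftables/post-hooks.d/{{ item | basename }}"`, `dest: "/etc/nftables/output.d/{{ item | basename }}"`. The `Copy local systemd configuration` task should also notify `Restart nftables service`; as written a changed drop-in is reloaded into systemd but its hooks only take effect on the next restart. The hunk may continue past the last line visible here.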