~comcloudway/ansible-ccw.icu: network/nftables: Initial nftables setup role

6 files changed, 72 insertions(+), 0 deletions(-)

A roles/network/nftables/README.org
A roles/network/nftables/tasks/main.yml
A roles/network/nftables/templates/50_ssh.nft
A roles/network/nftables/templates/51_docker.nft
A roles/network/nftables/templates/53_http.nft
A roles/network/nftables/templates/54_rsync.nft.template

A roles/network/nftables/README.org => roles/network/nftables/README.org +6 -0

@@ 0,0 1,6 @@
+* /roles/network/nftables
+Role used to setup ~nftables~.
+
+NOTE: This role blocks traffic from every port
+except ~80~, ~443~, ~22~.
+Permitting additional ports may be done in different roles

A roles/network/nftables/tasks/main.yml => roles/network/nftables/tasks/main.yml +29 -0

@@ 0,0 1,29 @@
+---
+- name: Make sure nftables is installed
+  community.general.apk:
+    name:
+      - nftables
+      - nftables-openrc
+    state: latest
+
+- name: Allow http(s)
+  ansible.builtin.template:
+    mode: "0644"
+    src: 53_http.nft
+    dest: /etc/nftables.d/53_http.nft
+- name: Allow docker connections
+  ansible.builtin.template:
+    mode: "0644"
+    src: 51_docker.nft
+    dest: /etc/nftables.d/51_docker.nft
+- name: Allow ssh connections
+  ansible.builtin.template:
+    mode: "0644"
+    src: 50_ssh.nft
+    dest: /etc/nftables.d/50_ssh.nft
+
+- name: Make sure nftables is running and enabled on boot
+  ansible.builtin.service:
+    name: nftables
+    enabled: true
+    state: started

A roles/network/nftables/templates/50_ssh.nft => roles/network/nftables/templates/50_ssh.nft +8 -0

@@ 0,0 1,8 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input {
+		# allow ssh
+		tcp dport 22 accept comment "accept SSH"
+	}
+}

A roles/network/nftables/templates/51_docker.nft => roles/network/nftables/templates/51_docker.nft +12 -0

@@ 0,0 1,12 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input {
+		iifname "docker*" accept comment "Allow incoming network traffic from Docker"
+	}
+
+	chain forward {
+		iifname "docker*" accept comment "Allow outgoing network traffic from Docker"
+		ct state {established, related} counter accept comment "accept established connections"
+	}
+}

A roles/network/nftables/templates/53_http.nft => roles/network/nftables/templates/53_http.nft +10 -0

@@ 0,0 1,10 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input {
+        # allow https
+        tcp dport 443 accept comment "Allow HTTPS"
+        # allow http
+		tcp dport 80 accept comment "Allow HTTP"
+	}
+}

A roles/network/nftables/templates/54_rsync.nft.template => roles/network/nftables/templates/54_rsync.nft.template +7 -0

@@ 0,0 1,7 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input {
+        # rsync
+		tcp dport {{ port }} accept comment "Allow rsync on {{ port }}"
+}