From bc1e2ce7043d52bf44d852721734ec33c001be39 Mon Sep 17 00:00:00 2001
From: Jakob Meier
Date: Sun, 23 Jul 2023 09:30:20 +0200
Subject: [PATCH] network/nftables: Initial nftables setup role
---
roles/network/nftables/README.org | 6 ++++
roles/network/nftables/tasks/main.yml | 29 +++++++++++++++++++
roles/network/nftables/templates/50_ssh.nft | 8 +++++
.../network/nftables/templates/51_docker.nft | 12 ++++++++
roles/network/nftables/templates/53_http.nft | 10 +++++++
.../nftables/templates/54_rsync.nft.template | 7 +++++
6 files changed, 72 insertions(+)
create mode 100644 roles/network/nftables/README.org
create mode 100644 roles/network/nftables/tasks/main.yml
create mode 100644 roles/network/nftables/templates/50_ssh.nft
create mode 100644 roles/network/nftables/templates/51_docker.nft
create mode 100644 roles/network/nftables/templates/53_http.nft
create mode 100644 roles/network/nftables/templates/54_rsync.nft.template
diff --git a/roles/network/nftables/README.org b/roles/network/nftables/README.org
new file mode 100644
index 0000000..a1d0689
--- /dev/null
+++ b/roles/network/nftables/README.org
@@ -0,0 +1,6 @@
+* /roles/network/nftables
+Role used to setup ~nftables~.
+
+NOTE: This role blocks traffic from every port
+except ~80~, ~443~, ~22~.
+Permitting additional ports may be done in different roles
diff --git a/roles/network/nftables/tasks/main.yml b/roles/network/nftables/tasks/main.yml
new file mode 100644
index 0000000..68dc4aa
--- /dev/null
+++ b/roles/network/nftables/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: Make sure nftables is installed
+ community.general.apk:
+ name:
+ - nftables
+ - nftables-openrc
+ state: latest
+
+- name: Allow http(s)
+ ansible.builtin.template:
+ mode: "0644"
+ src: 53_http.nft
+ dest: /etc/nftables.d/53_http.nft
+- name: Allow docker connections
+ ansible.builtin.template:
+ mode: "0644"
+ src: 51_docker.nft
+ dest: /etc/nftables.d/51_docker.nft
+- name: Allow ssh connections
+ ansible.builtin.template:
+ mode: "0644"
+ src: 50_ssh.nft
+ dest: /etc/nftables.d/50_ssh.nft
+
+- name: Make sure nftables is running and enabled on boot
+ ansible.builtin.service:
+ name: nftables
+ enabled: true
+ state: started
diff --git a/roles/network/nftables/templates/50_ssh.nft b/roles/network/nftables/templates/50_ssh.nft
new file mode 100644
index 0000000..5ff510f
--- /dev/null
+++ b/roles/network/nftables/templates/50_ssh.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+ chain input {
+ # allow ssh
+ tcp dport 22 accept comment "accept SSH"
+ }
+}
diff --git a/roles/network/nftables/templates/51_docker.nft b/roles/network/nftables/templates/51_docker.nft
new file mode 100644
index 0000000..7aebec8
--- /dev/null
+++ b/roles/network/nftables/templates/51_docker.nft
@@ -0,0 +1,12 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+ chain input {
+ iifname "docker*" accept comment "Allow incoming network traffic from Docker"
+ }
+
+ chain forward {
+ iifname "docker*" accept comment "Allow outgoing network traffic from Docker"
+ ct state {established, related} counter accept comment "accept established connections"
+ }
+}
diff --git a/roles/network/nftables/templates/53_http.nft b/roles/network/nftables/templates/53_http.nft
new file mode 100644
index 0000000..0a0a640
--- /dev/null
+++ b/roles/network/nftables/templates/53_http.nft
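Review bot: The three `ansible.builtin.template` tasks write rule fragments into `/etc/nftables.d/` but nothing reloads the ruleset afterwards; `ansible.builtin.service` with `state: started` only ensures the service is running, so a changed fragment takes effect only after a reboot or a manual `nft -f`. Each template task should carry `notify: Reload nftables`, backed by a handler in `handlers/main.yml` that calls `ansible.builtin.service` with `name: nftables` and `state: reloaded` (confirm the nftables-openrc script supports reload; otherwise `restarted`). `54_rsync.nft.template` is added under templates/ but no task deploys it, and no task ensures `/etc/nftables.d` exists, so the role presumably relies on the package creating that directory and on the base `/etc/nftables.nft` including it — worth stating in the README. Separately, `state: latest` upgrades the package on every run; `state: present` keeps the task idempotent.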
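Review bot: `table inet filter { chain input { ... } }` here carries no `type filter hook input priority 0; policy drop;` declaration, so the accept rule only does anything if a base ruleset outside this commit declares the hooked `input` chain with a drop policy and includes `/etc/nftables.d/*.nft` after that declaration; if a fragment were loaded first, `nft -f` would likely create `input` as a regular chain without a hook and the README's "blocks traffic from every port except 80, 443, 22" claim would not hold. The same applies to 51_docker.nft, 53_http.nft and 54_rsync.nft.template. Either the role should own that base (for example a `00_base.nft` fragment declaring the hooked chains with `policy drop` plus the usual loopback and `ct state established,related` accepts on input), or README.org should name the file that provides it. The `#!/usr/sbin/nft -f` shebang is inert for an included fragment installed with mode 0644, and the `# allow ssh` line duplicates the rule's own `comment`; either can be dropped.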
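Review bot: `iifname "docker*" accept` in `chain input` gives every container unrestricted access to all host services — not only the 80/443/22 the README advertises — and the wildcard also matches any future interface whose name starts with `docker`. If containers only need specific host services, restrict the rule to those ports (or to `ct state established,related` for return traffic) and document the remaining exception in README.org. The `forward` chain's unconditional `iifname "docker*" accept` likewise lets any container reach any destination the host can route to; that may be intended, but a comment stating it would help, since the README only describes the input policy.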
@@ -0,0 +1,10 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+ chain input {
+ # allow https
+ tcp dport 443 accept comment "Allow HTTPS"
+ # allow http
+ tcp dport 80 accept comment "Allow HTTP"
+ }
+}
diff --git a/roles/network/nftables/templates/54_rsync.nft.template b/roles/network/nftables/templates/54_rsync.nft.template
new file mode 100644
index 0000000..011d1b3
--- /dev/null
+++ b/roles/network/nftables/templates/54_rsync.nft.template
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+ chain input {
+ # rsync
+ tcp dport {{ port }} accept comment "Allow rsync on {{ port }}"
+}
-- 2.38.5
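Review bot: The two single-port rules and their duplicated `# allow ...` comments could be one set rule, `tcp dport { 80, 443 } accept comment "Allow HTTP and HTTPS"`, which keeps the fragment to one line per intent and relies on the `comment` the rule already carries. Like the other fragments, this one depends on a hooked `input` chain with a drop policy being declared elsewhere; nothing in this commit provides it.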
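Review bot: The `table inet filter {` block is never closed: the hunk is seven lines and its single `}` only closes `chain input {`, so `nft -f` would reject the rendered file with a parse error; add a second closing brace after the existing one (`    }` for the chain, then `}` for the table). The template also references `{{ port }}`, but no task in tasks/main.yml deploys this file or defines `port`, so either wire it up with a `port` variable (and a reload `notify`) or leave it out of this commit. The `.nft.template` suffix also differs from the `.nft` naming of the other three templates; a consistent name would let the same task pattern install it.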