Commit bc036b58 authored by Wágner Ferenc's avatar Wágner Ferenc

The local nftables role has been replaced by common.nftables

parent 9750619d
monitor_hosts:
- noc6.vh.hbone.hu
- noc7.vh.hbone.hu
- gum.vh.hbone.hu
- jujube.noc.einfra.hu
monitor_ports:
- ssh
- munin
- nrpe
- name: Reload nftables ruleset
become: yes
service:
name: nftables
state: reloaded
#- name: Remove old nftables backup files
# become: yes
# ?
- name: Install nftables
become: yes
apt:
name: nftables
state: present
- name: Blacklist ip_tables
become: yes
copy:
content: |
# Emphasize that we use nftables exclusively. No networkd or nspawn.
# (https://bugs.freedesktop.org/show_bug.cgi?id=89269)
# https://cgit.freedesktop.org/systemd/systemd/tree/src/core/kmod-setup.c be damned.
blacklist ip_tables
dest: /etc/modprobe.d/no-iptables.conf
owner: root
group: root
mode: 0644
- name: Check for connection tracking entries
become: yes
command:
cmd: head -c1 /proc/net/nf_conntrack
ignore_errors: yes
check_mode: no
changed_when: False
register: nf_conntrack_head
- name: Start up connection tracking to avoid locking ourselves out
become: yes
command:
cmd: nft -f -
stdin: |
table inet ansible_temporary {
chain ansible_temporary {
type filter hook input priority 0; policy accept;
ct state new comment "Activate connection tracking, pick up active connections"
}
}
when: nf_conntrack_head.stdout == ''
notify: Reload nftables ruleset
- name: Load candidate ruleset into a temporary network namespace, then dump it
become: yes
command:
cmd: unshare --net sh -c 'nft --file - && nft --stateless -nnn list ruleset'
stdin: "{{ lookup('template', 'firewall.nft') }}"
register: nftables_ruleset_candidate
check_mode: no
changed_when: False
- name: Install new nftables ruleset
become: yes
template:
src: nftables.conf
dest: /etc/nftables.conf
owner: root
group: root
mode: 0644
backup: yes
notify:
- Reload nftables ruleset
# - Remove old nftables backup files
- name: Enable nftables service
become: yes
systemd:
name: nftables
enabled: yes
flush ruleset
table inet filter {
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain INPUT {
type filter hook input priority 0; policy drop;
limit rate 15/hour burst 1 packets log prefix "Firewall heartbeat: " level info
iif "lo" accept
udp sport ntp udp dport ntp accept
meta l4proto ipv6-icmp accept
ct state related,established accept
ct state new jump new-in
ip saddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 146.110.0.0/16, 148.6.0.0/16, 152.66.0.0/16, 157.181.0.0/16, 160.114.0.0/16, 192.146.134.0/24, 192.146.135.0/24, 192.153.18.0/24, 192.160.172.0/24, 192.188.242.0/23, 192.188.244.0/22, 192.190.173.0/24, 193.6.0.0/16, 193.224.0.0/15, 195.111.0.0/16, 193.224.152.0/23, 193.224.154.0/23 } drop
ip daddr 255.255.255.255 udp dport 2223 counter drop
ip protocol igmp ip daddr 224.0.0.1 counter drop
ip6 daddr ff00::/8 counter drop
jump log-drop
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
oif "lo" accept
udp sport ntp udp dport ntp accept
meta l4proto ipv6-icmp accept
ct state related,established accept
ct state new jump new-out
jump log-drop
}
chain new-in {
tcp flags & (syn|ack) == syn|ack counter reject with tcp reset
tcp flags & (fin|syn|rst|ack) != syn counter jump bad-new
ip saddr {{ monitor_hosts|dnsSetA }} tcp dport { {{ monitor_ports|join(',') }} } accept
ip6 saddr {{ monitor_hosts|dnsSetAAAA }} tcp dport { {{ monitor_ports|join(',') }} } accept
tcp dport { ssh, https, smtp, submission } accept
tcp dport { auth, http } reject
ip saddr {{ lookup('dig', 'baas-dir1.niif.hu') }} tcp dport bacula-fd accept
icmp type echo-request accept
}
chain new-out {
tcp dport { telnet, ssh, domain, http, https, smtp, ldaps, whois, mysql, git } accept
udp dport { domain, snmp, 33434-33600 } accept
ip protocol icmp accept
ip daddr {{ lookup('dig','rspamd.mail.einfra.hu') }} tcp dport 11333 accept
ip daddr {{ ['baas-sd1.niif.hu', 'baas-sd2.niif.hu']|dnsSetA }} tcp dport bacula-sd accept
ip daddr {{ lookup('dig','ingest.logger.niif.hu') }} tcp dport 9200 accept
ip6 daddr {{ lookup('dig','ingest.logger.niif.hu/AAAA') }} tcp dport 9200 accept
}
chain bad-new {
limit rate 3/hour burst 5 packets log prefix "New not syn: "
counter drop
}
chain log-drop {
limit rate 3/hour burst 5 packets log prefix "Dropped: " flags tcp sequence flags skuid
counter drop
}
}
flush ruleset
{{ nftables_ruleset_candidate.stdout }}