From 2045cbd4d875891120248134afb7b3d3fa6d9175 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Tue, 30 Aug 2022 15:39:31 +0200
Subject: [PATCH] Configure nftables
---
 machine.yml | 25 +++++++++++++++++++++++++
 root/etc/nftables.conf.j2 | 20 ++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/machine.yml b/machine.yml
index 7f881f7..c2c72ae 100644
--- a/machine.yml
+++ b/machine.yml
@@ -28,6 +28,31 @@ when: sshd_cfg is changed
+ # -------------------------------------------------------------------------
+ # Firewall configuration.
+ # -------------------------------------------------------------------------
+
+ - name: Install nftables
+ apt:
+ name: nftables
+ register: nftables_install
+
+ - name: Configure nftables
+ template:
+ src: ./root/etc/nftables.conf.j2
+ dest: /etc/nftables.conf
+ mode: 0755
+ register: nftables_cfg
+
+ - name: Enable/start/restart nftables
+ service:
+ name: nftables
+ state: restarted
+ enabled: yes
+ when:
+ nftables_install is changed or
+ nftables_cfg is changed
+
 # ----------------------------------------------------------------------------------------------
 # NTP configuration.
 # ----------------------------------------------------------------------------------------------
diff --git a/root/etc/nftables.conf.j2 b/root/etc/nftables.conf.j2
index a58f4ce..2b812e4 100755
--- a/root/etc/nftables.conf.j2
+++ b/root/etc/nftables.conf.j2
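Review bot: The "Configure nftables" template task writes the ruleset to /etc/nftables.conf without validating it, and the service task then uses `state: restarted`, which (on Debian's unit, as far as I recall, ExecStop is `nft flush ruleset`) tears the running ruleset down before the new file is loaded — so a rendering or syntax error in nftables.conf.j2 would leave the host with no firewall at all instead of with the previous rules. Add `validate: /usr/sbin/nft -c -f %s` to the template task so a bad ruleset is rejected before it is written, and change the service task to `state: reloaded`, which replaces the live ruleset atomically via `nft -f` rather than flushing first. The `mode: 0755` is presumably mirroring Debian's shipped /etc/nftables.conf (the index line shows the template is already 100755 in the repo); if the template has no `#!/usr/sbin/nft -f` shebang, `0644` is enough. One practical caveat worth a comment on the service task: because the ruleset only admits `{{ ansible_port }}`, running this against a host reached on a port other than the inventory one locks the controller out on the first apply.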
@@ -5,6 +5,26 @@ flush ruleset
 table inet filter {
 chain input {
 type filter hook input priority 0;
+
+ # Accept any localhost traffic.
+ iif lo accept;
+
+ # Accept traffic originated from us.
+ ct state established,related accept;
+
+ # Allow ICMP packets.
+ # Note that for IPv6 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert are needed to not break connectivity.
+ ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
+ ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
+
+ # Drop invalid connections.
+ ct state invalid drop;
+
+ # Activate the following line to accept common local services.
+ tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
+
+ # Count and drop any other traffic.
+ counter drop;
 }
 chain forward {
 type filter hook forward priority 0;
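Review bot: The rule `tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;` is live even though the comment above it says "Activate the following line", so every host built from this template exposes 80 and 443 whether or not it runs a web server, and on hosts where `ansible_port` is not set in inventory the template fails to render on the undefined variable (which at least fails closed rather than open). Suggest splitting the SSH port from the web ports and defaulting it: `tcp dport {{ ansible_port | default(22) }} ct state new accept;` followed by `{% if nftables_open_web | default(false) %}tcp dport { 80, 443 } ct state new accept;{% endif %}`, and rewording the comment to state what is actually opened. The IPv4 set also accepts `router-advertisement`, which the comment only justifies for IPv6 neighbour discovery; unless something on these hosts consumes IRDP, it is safer to leave it out of the v4 list. The `table inet filter` block continues past the hunk (forward chain and presumably an output chain), so whether those chains also end in a drop is not visible here.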