Configure nftables

This commit is contained in:
Wojciech Kozlowski 2022-08-30 15:39:31 +02:00
parent 0ddf73d8ae
commit 2045cbd4d8
2 changed files with 45 additions and 0 deletions


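--- a/<ansible-tasks-file: path not shown on page>
+++ b/<ansible-tasks-file: path not shown on page>
@@ -28,6 +28,31 @@
 when:
 sshd_cfg is changed
+# -------------------------------------------------------------------------
+# Firewall configuration.
+# -------------------------------------------------------------------------
+- name: Install nftables
+apt:
+name: nftables
+register: nftables_install
+- name: Configure nftables
+template:
+src: ./root/etc/nftables.conf.j2
+dest: /etc/nftables.conf
+mode: 0755
+register: nftables_cfg
+- name: Enable/start/restart nftables
+service:
+name: nftables
+state: restarted
+enabled: yes
+when:
+nftables_install is changed or
+nftables_cfg is changed
 # ----------------------------------------------------------------------------------------------
 # NTP configuration.
 # ----------------------------------------------------------------------------------------------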
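Review bot: The `Configure nftables` task writes /etc/nftables.conf and the following task restarts the service without checking the rendered rule set first, so a template that renders something nft rejects leaves the host with a failed unit — and on the stock Debian unit the stop step flushes the ruleset, so the host would sit without a firewall until the next successful run; adding `validate: nft -c -f %s` to the `template:` task rejects a bad render before it reaches /etc/nftables.conf and leaves the running ruleset untouched. Separately, `mode: 0755` is an unquoted leading-zero octal that a YAML 1.2 parser retypes as the integer 493; write it `mode: "0755"` (ansible-lint's risky-octal rule). `enabled: yes` should be `enabled: true` (truthy rule). Since sshd is configured before the firewall and the referenced template keys the SSH rule on `{{ ansible_port }}`, it is worth confirming that every host in the inventory defines that variable — as far as I can tell it is undefined when the default port is used, which would fail the render rather than lock the host out, but this play never exercises that path.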


@ -5,6 +5,26 @@ flush ruleset
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority 0; type filter hook input priority 0;
# Accept any localhost traffic.
iif lo accept;
# Accept traffic originated from us.
ct state established,related accept;
# Allow ICMP packets.
# Note that for IPv6 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert are needed to not break connectivity.
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
# Drop invalid connections.
ct state invalid drop;
# Activate the following line to accept common local services.
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
# Count and drop any other traffic.
counter drop;
} }
chain forward { chain forward {
type filter hook forward priority 0; type filter hook forward priority 0;