ansible-personal/roles/common/templates/nftables.conf.j2

#!/usr/sbin/nft -f
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#

flush ruleset

# Lists updated daily by update-spamhaus-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"

# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"

# Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft"

# Notes:
#   - tables hold chains, chains hold rules
#   - inet is for both ipv4 and ipv6
table inet filter {
    set spamhaus-ipv4 {
        type ipv4_addr
        # if the set contains prefixes we need to use the interval flag
        flags interval
        elements = $SPAMHAUS_IPV4
    }

    set spamhaus-ipv6 {
        type ipv6_addr
        flags interval
        elements = $SPAMHAUS_IPV6
    }

    set abusech-ipv4 {
        type ipv4_addr
        elements = $ABUSECH_IPV4
    }

    set abuseipdb-ipv4 {
        type ipv4_addr
        elements = $ABUSEIPDB_IPV4
    }

    set abuseipdb-ipv6 {
        type ipv6_addr
        elements = $ABUSEIPDB_IPV6
    }

    chain input {
        type filter hook input priority 0;

        ct state {established, related} accept comment "Allow traffic from established and related packets"

        ct state invalid counter drop comment "Early drop of invalid connections"

        ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
        ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"

        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"

        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"

        iifname lo accept comment "Allow from loopback"

        ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
        ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
        ip protocol igmp limit rate 4/second accept comment "Allow IGMP"

        {# SSH rules #}
        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
        ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"

        {# Web rules #}
        {% if 'web' in group_names %}
        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
        ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
        ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
        {% endif %}

        ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
        ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"

        {# Extra rules #}
        {% if extra_iptables_rules is defined %}
        {% for rule in extra_iptables_rules %}
        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept

        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
        {% endif %}

        {% endfor %}
        {% endif %}

        # everything else
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;

        ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"

        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"

        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
    }
}
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00			`#!/usr/sbin/nft -f`
			`#`
			`# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server`
			`#`

			`flush ruleset`

			`# Lists updated daily by update-spamhaus-nftables.sh`
			`include "/etc/nftables/spamhaus-ipv4.nft"`
			`include "/etc/nftables/spamhaus-ipv6.nft"`

roles/common: Use AbuseIPDB.com list in nftables For now I am still manually updating this, as we can only hit their API five times per day, so it is not possible to have each host get the list themselves every day with our one API key. 2021-07-31 20:46:50 +02:00			`# Lists updated monthly (manually)`
			`include "/etc/nftables/abuseipdb-ipv4.nft"`
			`include "/etc/nftables/abuseipdb-ipv6.nft"`

roles/common: Use Abuse.ch's SSL Blacklist in nftables This adds Abuse.sh's list of IPs using blacklisted SSL certificates to nftables. These IPs are high confidence indicators of compromise and we should not route them. The list is updated daily by a systemd timer. See: https://sslbl.abuse.ch/blacklist/ 2021-07-29 09:16:00 +02:00			`# Lists updated daily by update-abusech-nftables.sh`
			`include "/etc/nftables/abusech-ipv4.nft"`

roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00			`# Notes:`
			`# - tables hold chains, chains hold rules`
			`# - inet is for both ipv4 and ipv6`
			`table inet filter {`
roles/common: Retab nftables.conf.j2 2021-07-27 21:03:23 +02:00			`set spamhaus-ipv4 {`
			`type ipv4_addr`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00			`# if the set contains prefixes we need to use the interval flag`
			`flags interval`
roles/common: Retab nftables.conf.j2 2021-07-27 21:03:23 +02:00			`elements = $SPAMHAUS_IPV4`
			`}`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Retab nftables.conf.j2 2021-07-27 21:03:23 +02:00			`set spamhaus-ipv6 {`
			`type ipv6_addr`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00			`flags interval`
roles/common: Retab nftables.conf.j2 2021-07-27 21:03:23 +02:00			`elements = $SPAMHAUS_IPV6`
			`}`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Use Abuse.ch's SSL Blacklist in nftables This adds Abuse.sh's list of IPs using blacklisted SSL certificates to nftables. These IPs are high confidence indicators of compromise and we should not route them. The list is updated daily by a systemd timer. See: https://sslbl.abuse.ch/blacklist/ 2021-07-29 09:16:00 +02:00			`set abusech-ipv4 {`
			`type ipv4_addr`
			`elements = $ABUSECH_IPV4`
			`}`

roles/common: Use AbuseIPDB.com list in nftables For now I am still manually updating this, as we can only hit their API five times per day, so it is not possible to have each host get the list themselves every day with our one API key. 2021-07-31 20:46:50 +02:00			`set abuseipdb-ipv4 {`
			`type ipv4_addr`
			`elements = $ABUSEIPDB_IPV4`
			`}`

			`set abuseipdb-ipv6 {`
			`type ipv6_addr`
			`elements = $ABUSEIPDB_IPV6`
			`}`

roles/common: Retab nftables.conf.j2 2021-07-27 21:03:23 +02:00			`chain input {`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00			`type filter hook input priority 0;`

roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ct state {established, related} accept comment "Allow traffic from established and related packets"`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ct state invalid counter drop comment "Early drop of invalid connections"`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"`
			`ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"`
roles/common: Use Abuse.ch's SSL Blacklist in nftables This adds Abuse.sh's list of IPs using blacklisted SSL certificates to nftables. These IPs are high confidence indicators of compromise and we should not route them. The list is updated daily by a systemd timer. See: https://sslbl.abuse.ch/blacklist/ 2021-07-29 09:16:00 +02:00
roles/common: Use AbuseIPDB.com list in nftables For now I am still manually updating this, as we can only hit their API five times per day, so it is not possible to have each host get the list themselves every day with our one API key. 2021-07-31 20:46:50 +02:00			`ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"`
			`ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"`

roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`iifname lo accept comment "Allow from loopback"`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ip protocol icmp limit rate 4/second accept comment "Allow ICMP"`
			`ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"`
			`ip protocol igmp limit rate 4/second accept comment "Allow IGMP"`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Port configurable firewall logic to nftables This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts in the web group, and allows configuration of "extra" rules in the host or group vars. 2021-07-27 20:22:32 +02:00			`{# SSH rules #}`
roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"`
			`ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"`
roles/common: Port configurable firewall logic to nftables This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts in the web group, and allows configuration of "extra" rules in the host or group vars. 2021-07-27 20:22:32 +02:00
			`{# Web rules #}`
			`{% if 'web' in group_names %}`
roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"`
			`ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"`
			`ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"`
			`ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"`
roles/common: Port configurable firewall logic to nftables This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts in the web group, and allows configuration of "extra" rules in the host or group vars. 2021-07-27 20:22:32 +02:00			`{% endif %}`

roles/common: use a range for mosh ports in nftables This is better than a loop in Jinja (though that is useful!). 2021-09-28 06:34:25 +02:00			`ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"`
			`ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"`
roles/common: Add mosh ports to common These have been in each hosts's "extra" rules lists forever and I use them on every single host so they might as well be in the base rules. 2021-09-05 15:23:42 +02:00
roles/common: Port configurable firewall logic to nftables This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts in the web group, and allows configuration of "extra" rules in the host or group vars. 2021-07-27 20:22:32 +02:00			`{# Extra rules #}`
			`{% if extra_iptables_rules is defined %}`
			`{% for rule in extra_iptables_rules %}`
			`ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept`

			`{% if ghetto_ipsets[rule.acl].ipv6src is defined %}`
			`ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept`
			`{% endif %}`

			`{% endfor %}`
			`{% endif %}`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
			`# everything else`
			`reject with icmpx type port-unreachable`
roles/common: Retab nftables.conf.j2 2021-07-27 21:03:23 +02:00			`}`
			`chain forward {`
			`type filter hook forward priority 0;`
			`}`
			`chain output {`
			`type filter hook output priority 0;`
roles/common: Use Abuse.ch's SSL Blacklist in nftables This adds Abuse.sh's list of IPs using blacklisted SSL certificates to nftables. These IPs are high confidence indicators of compromise and we should not route them. The list is updated daily by a systemd timer. See: https://sslbl.abuse.ch/blacklist/ 2021-07-29 09:16:00 +02:00
roles/common: Add comments to nftables.conf 2021-07-30 08:37:30 +02:00			`ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"`
			`ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"`

			`ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"`
roles/common: Use AbuseIPDB.com list in nftables For now I am still manually updating this, as we can only hit their API five times per day, so it is not possible to have each host get the list themselves every day with our one API key. 2021-07-31 20:46:50 +02:00
			`ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"`
			`ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"`
roles/common: Retab nftables.conf.j2 2021-07-27 21:03:23 +02:00			`}`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00			`}`