roles/common: Port configurable firewall logic to nftables

This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts
in the web group, and allows configuration of "extra" rules in the
host or group vars.
Alan Orth 2021-07-27 21:22:32 +03:00
parent 14814aa5d9
commit d3922e7878
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9


@ -48,7 +48,29 @@ table inet filter {
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
{# SSH rules #}
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
ip6 saddr ::/0 ct state new tcp dport 22 counter accept
{# Web rules #}
{% if 'web' in group_names %}
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
ip6 saddr ::/0 ct state new tcp dport 80 counter accept
ip6 saddr ::/0 ct state new tcp dport 443 counter accept
{% endif %}
{# Extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% endif %}
{% endfor %}
{% endif %}
# everything else
reject with icmpx type port-unreachable
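Review bot: The extra-rules loop guards the IPv6 source with `is defined` but renders `ghetto_ipsets[rule.acl].src` unconditionally, so an ACL entry that only carries `ipv6src` produces `ip saddr  ct state new ...` with an empty address, which nft should reject as a syntax error and, depending on how the service applies the file, leave the host on the previous ruleset or with no filter at all. Wrapping the IPv4 line in `{% if ghetto_ipsets[rule.acl].src is defined %}` … `{% endif %}` to mirror the IPv6 branch keeps one malformed variable from taking the whole ruleset down. The new any-source SSH accepts on the `0.0.0.0/0` and `::/0` lines carry no `limit rate`, unlike the neighbouring ICMP rules; a `ct state new limit rate` clause on port 22 would bound brute-force connection attempts without changing who can reach the host. If the old `172.20.0.1` SSH rule above the `{# SSH rules #}` marker is kept rather than removed (its side is not visible here), it is now fully shadowed by the any-source rule and can go.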