roles/common: Port configurable firewall logic to nftables

This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts in the web group, and allows configuration of "extra" rules in the host or group vars.
2021-07-27 21:22:32 +03:00 · 2021-07-27 21:22:32 +03:00 · d3922e7878
parent 14814aa5d9
commit d3922e7878
1 changed files with 23 additions and 1 deletions
--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@ -48,7 +48,29 @@ table inet filter {
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept

-        ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
+        {# SSH rules #}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+
+        {# Web rules #}
+        {% if 'web' in group_names %}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
+        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 80 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+        {% endif %}
+
+        {# Extra rules #}
+        {% if extra_iptables_rules is defined %}
+        {% for rule in extra_iptables_rules %}
+        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+        {% endif %}
+
+        {% endfor %}
+        {% endif %}

        # everything else
        reject with icmpx type port-unreachable