From d3922e78787899a9900492582b09c2c06cf6df67 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Tue, 27 Jul 2021 21:22:32 +0300
Subject: [PATCH] roles/common: Port configurable firewall logic to nftables

This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts in the web group, and allows configuration of "extra" rules in the host or group vars.
---
 roles/common/templates/nftables.conf.j2 | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/roles/common/templates/nftables.conf.j2 b/roles/common/templates/nftables.conf.j2
index 65bd30e..06f70c8 100755
--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@@ -48,7 +48,29 @@ table inet filter {
 ip6 nexthdr ipv6-icmp limit rate 4/second accept
 ip protocol igmp limit rate 4/second accept
- ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
+ {# SSH rules #}
+ ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
+ ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+
+ {# Web rules #}
+ {% if 'web' in group_names %}
+ ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
+ ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
+ ip6 saddr ::/0 ct state new tcp dport 80 counter accept
+ ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+ {% endif %}
+
+ {# Extra rules #}
+ {% if extra_iptables_rules is defined %}
+ {% for rule in extra_iptables_rules %}
+ ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+ {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+ ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+ {% endif %}
+
+ {% endfor %}
+ {% endif %}
 # everything else
 reject with icmpx type port-unreachable
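Review bot: In the extra-rules loop the IPv4 rule dereferences `ghetto_ipsets[rule.acl].src` unconditionally while the IPv6 rule is guarded by `ipv6src is defined`, so an ACL entry that carries only `ipv6src` will presumably abort the whole template render on an undefined attribute under Ansible's default strict undefined handling; mirror the guard with `{% if ghetto_ipsets[rule.acl].src is defined %}` before the `ip saddr ... counter accept` line and a matching `{% endif %}` after it. The SSH rules also replace the removed single-source restriction (`172.20.0.1`) with `0.0.0.0/0` and `::/0`, which the commit message states is intended, but nothing lets a host narrow it again — a variable for allowed SSH sources, or at least a `limit rate` on new SSH connections as the ICMP rules just above already do, would keep that exposure controllable. Note too that `rule.protocol` and `rule.port` are interpolated verbatim into nftables syntax, so a typo in host or group vars produces a ruleset that fails to load rather than a wrong rule; a `{% if rule.protocol in ['tcp', 'udp'] %}` check would surface that at render time instead of at reload. The enclosing chain and `table inet filter` block start before and end after this hunk.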