roles/common: Retab nftables.conf.j2

The ones in this repo are only placeholders that get updated by the
update-spamhaus-nftables service, so we shouldn't overwrite them if
they exist.

roles/common/tasks/firewall_Debian.yml

@@ -39,7 +39,7 @@
 
   - name: Copy extra nftables configuration files
     when: ansible_distribution_major_version is version('11', '>=')
-    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644
+    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
     loop:
       - spamhaus-ipv4.nft
       - spamhaus-ipv6.nft

roles/common/templates/nftables.conf.j2

@@ -13,20 +13,20 @@ include "/etc/nftables/spamhaus-ipv6.nft"
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
 table inet filter {
-	set spamhaus-ipv4 {
+    set spamhaus-ipv4 {
-		type ipv4_addr
+        type ipv4_addr
         # if the set contains prefixes we need to use the interval flag
         flags interval
-		elements = $SPAMHAUS_IPV4
+        elements = $SPAMHAUS_IPV4
-	}
+    }
 
-	set spamhaus-ipv6 {
+    set spamhaus-ipv6 {
-		type ipv6_addr
+        type ipv6_addr
         flags interval
-		elements = $SPAMHAUS_IPV6
+        elements = $SPAMHAUS_IPV6
-	}
+    }
 
-	chain input {
+    chain input {
         type filter hook input priority 0;
 
         # Allow traffic from established and related packets.
@@ -48,18 +48,40 @@ table inet filter {
         ip6 nexthdr ipv6-icmp limit rate 4/second accept
         ip protocol igmp limit rate 4/second accept
 
-        ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
+        {# SSH rules #}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+
+        {# Web rules #}
+        {% if 'web' in group_names %}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
+        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 80 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+        {% endif %}
+
+        {# Extra rules #}
+        {% if extra_iptables_rules is defined %}
+        {% for rule in extra_iptables_rules %}
+        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+        {% endif %}
+
+        {% endfor %}
+        {% endif %}
 
         # everything else
         reject with icmpx type port-unreachable
-	}
+    }
-	chain forward {
+    chain forward {
-		type filter hook forward priority 0;
+        type filter hook forward priority 0;
-	}
+    }
-	chain output {
+    chain output {
-		type filter hook output priority 0;
+        type filter hook output priority 0;
         # Drop outgoing packets matching the spamhaus sets too
         ip daddr @spamhaus-ipv4 counter drop
         ip6 daddr @spamhaus-ipv6 counter drop
-	}
+    }
 }