
My personal ansible roles and playbooks [deprecated in favor of nixos]

commit 8b01d7dc50c98c07134f99bf1f47cce727da1a67
parent 9351114cfed0efe0425a69b7345350f5b670346d
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sat, 20 Feb 2021 22:50:43 +0100

add nftables file for joguhrtbecher
2 files changed, 69 insertions(+), 2 deletions(-)
A
config-files/nftables/joguhrtbecher.nft
|
45
+++++++++++++++++++++++++++++++++++++++++++++
M
roles/common/tasks/firewall-nftables.yml
|
26
++++++++++++++++++++++++--
diff --git a/config-files/nftables/joguhrtbecher.nft b/config-files/nftables/joguhrtbecher.nft
@@ -0,0 +1,45 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet firewall {
+    chain inbound {
+    	# By default, drop all traffic unless it meets a filter
+    	# criteria specified by the rules that follow below.
+        type filter hook input priority 0; policy drop;
+
+        # Allow traffic from established and related packets.
+        ct state established,related accept
+
+        # Drop invalid packets.
+        ct state invalid drop
+
+        # Allow loopback traffic.
+        iifname lo accept
+
+        # Allow local vlan traffic.
+        iifname enp2s0 accept
+
+        # Allow all ICMP and IGMP traffic, but enforce a rate limit
+        # to help prevent some types of flood attacks.
+        ip protocol icmp limit rate 5/second accept
+        ip6 nexthdr ipv6-icmp limit rate 5/second accept
+        ip protocol igmp limit rate 5/second accept
+
+        # Allow SSH on port 22.
+        tcp dport 22 accept
+    }
+
+    chain forward {
+        # Drop everything (assumes this device is not a router)
+        type filter hook forward priority 0; policy drop;
+    }
+
+    chain outbound {
+        # Allow all outbound traffic
+        type filter hook output priority 0; policy accept;
+    }
+
+}
+
+include "/etc/nftables.d/*.nft"
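Review bot: The ICMPv6 rule at line 49 rate-limits every ICMPv6 message to 5/second and the excess falls through to the chain's drop policy, which includes Neighbor Discovery (neighbor and router solicitations/advertisements); under bursty traffic the host can lose its IPv6 neighbors and default route. A safer shape is an unlimited accept for the ND types placed before the limited rule, e.g. `icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`, keeping the 5/second limit for the remaining types. `ip6 nexthdr ipv6-icmp` also matches only when ICMPv6 is the first next header, so ICMPv6 carried behind extension headers is not matched and is dropped by policy; `meta l4proto ipv6-icmp` matches the final transport header regardless. Lines 30-31 are indented with tabs while the rest of the chain uses spaces, which is worth normalising.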
diff --git a/roles/common/tasks/firewall-nftables.yml b/roles/common/tasks/firewall-nftables.yml
@@ -25,13 +25,35 @@
     - network.nftables.enable is true
     - network.nftables.configFile is not defined
 
-- name: copy nftables config to destination
+
+- name: "[Alpine] Copy nftables config to destination"
   copy:
     src: "{{ network.nftables.configFile }}"
     dest: /etc/nftables.nft
     mode: 0644
   register: nftablesConfig
-  when: network.nftables.enable is true
+  when:
+    - ansible_distribution == "Alpine"
+    - network.nftables.enable is true
+
+- name: "[Archlinux]  Copy nftables config to destination"
+  copy:
+    src: "{{ network.nftables.configFile }}"
+    dest: /etc/nftables.conf
+    mode: 0644
+  register: nftablesConfig
+  when:
+    - ansible_distribution == "Archlinux"
+    - network.nftables.enable is true
+
+- name: "[Archlinux] Create directory: /etc/nftables.d"
+  file:
+    state: directory
+    path: /etc/nftables.d
+    mode: 0755
+  when: 
+    - ansible_distribution == "Archlinux"
+    - network.nftables.enable is true
 
 
 - name: "[OpenRC] Enable and start service: nftables"
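Review bot: Both copy tasks at lines 76-95 register the same `nftablesConfig`, and Ansible sets a registered variable even when the task is skipped, so on an Alpine host the skipped Archlinux task at line 92 overwrites the real copy result with a `skipped: true` / `changed: false` record; anything later that keys on `nftablesConfig.changed` (outside this hunk) would never fire there. Merging the two into one task whose `dest` depends on `ansible_distribution` keeps a single register, as sketched below. The new `mode: 0644` and `mode: 0755` at lines 91 and 101 are unquoted octals that YAML 1.1 parses as the integers 420 and 493; that works today only because PyYAML's octal parsing yields the intended value, so `mode: "0644"` / `mode: "0755"` is the documented, reformat-safe form. The task name at line 87 has a doubled space and `when:` at line 102 carries trailing whitespace.
```yaml
- name: Copy nftables config to destination
  copy:
    src: "{{ network.nftables.configFile }}"
    dest: "{{ '/etc/nftables.conf' if ansible_distribution == 'Archlinux' else '/etc/nftables.nft' }}"
    mode: "0644"
  register: nftablesConfig
  when:
    - ansible_distribution in ["Alpine", "Archlinux"]
    - network.nftables.enable is true
# … unchanged: "[Archlinux] Create directory: /etc/nftables.d" task …
```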