authorTrygve Laugstøl <trygvis@inamo.no>2019-01-06 15:43:45 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2019-01-06 15:43:45 +0100
commit67e8a83408c0e5b03ca4f8189f00092cb63b65d5 (patch)
treee4982c56707b812760301af94c7d0d12ec7a56ac
parent3572c448f189d451dab80933fc4f78980999acd6 (diff)
o Switching arius from UFW to nftables.
-rw-r--r--.gitmodules3
-rw-r--r--ansible/all.yml4
-rw-r--r--ansible/host_vars/arius/nftables.yml45
-rw-r--r--ansible/nftables.yml15
m---------ansible/thirdparty/nftables0
5 files changed, 66 insertions, 1 deletions
diff --git a/.gitmodules b/.gitmodules
index 49861e4..0d8ea02 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -7,3 +7,6 @@
[submodule "ansible/thirdparty/ansible-elasticsearch"]
path = ansible/thirdparty/ansible-elasticsearch
url = https://github.com/elastic/ansible-elasticsearch
+[submodule "ansible/thirdparty/nftables"]
+ path = ansible/thirdparty/nftables
+ url = https://github.com/Frzk/ansible-role-nftables
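Review bot: The new submodule pulls a third-party role from a personal GitHub namespace, and that role runs with `become` on the host whose firewall it replaces (see the nftables.yml play in this commit), so the revision pinned by the gitlink is effectively trusted code on the firewall path. The pin itself is correct since the gitlink fixes the commit, but the URL here is the only record of provenance; a short comment above the entry naming the reviewed tag or commit of the role would make future updates of the submodule reviewable, e.g. `# nftables role, reviewed at <pinned-gitlink-revision> — re-review before bumping`. Consider also whether the URL should point at a fork you control, so an upstream force-push or account takeover cannot change what a fresh `git submodule update` fetches before the gitlink is re-pinned.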
diff --git a/ansible/all.yml b/ansible/all.yml
index 6898a27..4e6de9e 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -5,7 +5,9 @@
- superusers
- packages
- trygvis-base
- - ufw
+# - ufw
+
+- import_playbook: nftables.yml
- hosts:
- knot
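Review bot: The `# - ufw` line left in the roles list is dead configuration; the role is no longer applied and its removal is recorded by git history, so the commented-out entry should simply be deleted rather than kept. If the intent is to document that arius is now firewalled by nftables, a comment at the `import_playbook` line says it more usefully, e.g. `# arius: firewall is managed by nftables.yml (replaces the former ufw role)`. Note that this import sits after the base roles in the same file, so any host still in the first play's host group no longer gets a firewall role at all once the hunk applies; the play's host list starts above this hunk, so I cannot confirm from here whether arius was the only host covered by the old `ufw` entry.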
diff --git a/ansible/host_vars/arius/nftables.yml b/ansible/host_vars/arius/nftables.yml
new file mode 100644
index 0000000..6f4f167
--- /dev/null
+++ b/ansible/host_vars/arius/nftables.yml
@@ -0,0 +1,45 @@
+allowed_services:
+ - ssh
+ - http
+ - https
+
+nftables_tables:
+ - name: firewall
+ family: inet
+ chains:
+ - name: "input"
+ base:
+ type: "filter"
+ hook: "input"
+ priority: 0
+ policy: "drop"
+ rules:
+ - position: 1
+ statement: "iif lo accept"
+ - position: 2
+ statement: 'ct state invalid log prefix "FW:DROP:" drop'
+ comment: "Log and drop invalid packets."
+ - position: 3
+ statement: "ct state established,related accept"
+ - position: 10
+ statement: "ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert} accept"
+ - position: 11
+ statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"
+
+ - name: "forward"
+ base:
+ type: "filter"
+ hook: "forward"
+ priority: 0
+ policy: "accept"
+
+ - name: "output"
+ base:
+ type: "filter"
+ hook: "output"
+ priority: 0
+ policy: "accept"
+ rules:
+ - position: 1
+ statement: ""
+# statement: "ip daddr 192.0.2.100 counter"
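Review bot: The `output` chain carries a rule with `statement: ""` at position 1, with the real statement commented out below it; how the role renders an empty statement is not visible here, but if it emits an empty or whitespace-only rule line the generated ruleset may fail to load, and with the `input` chain at `policy: "drop"` a failed load is the difference between a working firewall and whatever was in the kernel before. The placeholder should be removed — drop the `rules:` block from the `output` chain entirely (a base chain with `policy: "accept"` needs no rules), or keep the counter rule uncommented if it is meant to stay. Two smaller points in the `input` chain: the position-10 rule accepts only the listed ICMPv6 types, so IPv4 ICMP echo-request is silently dropped by the chain policy (ICMP errors for existing flows still pass via the `established,related` rule); if that is intended, a comment on the rule saying so would save the next reader a guess. The position-11 rule renders `allowed_services` into a set literal, so an empty list would produce `tcp dport {} accept`, which nft rejects; a comment noting that the list must be non-empty, or a default of at least `ssh` at the role or group level, guards against locking out the host.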
diff --git a/ansible/nftables.yml b/ansible/nftables.yml
new file mode 100644
index 0000000..72f98df
--- /dev/null
+++ b/ansible/nftables.yml
@@ -0,0 +1,15 @@
+- hosts:
+ - arius
+ tasks:
+ - name: Remove UFW
+ become: yes
+ apt:
+ name: ufw
+ state: absent
+ purge: yes
+
+- hosts:
+ - arius
+ roles:
+ - role: nftables
+ become: yes
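Review bot: The first play purges UFW before the second play applies the nftables role, so between the two plays — and indefinitely if the role fails (missing submodule checkout, template error, unparseable ruleset) — arius has no firewall at all while still exposing every listening service. Reversing the order removes that window: run the `nftables` role play first, so the drop-policy ruleset is loaded and verified, and only then run the `Remove UFW` play; since the nftables ruleset already accepts the services UFW allowed, both coexisting briefly is harmless. Independently, `become: yes` (twice in this hunk) is YAML 1.1 truthy syntax that yamllint flags; write `become: true` in both places.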
diff --git a/ansible/thirdparty/nftables b/ansible/thirdparty/nftables
new file mode 160000
+Subproject 4deac341eb193843f7641a58d68ab90bcc50723