authorTrygve Laugstøl <trygvis@inamo.no>2019-01-06 15:43:45 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2019-01-06 15:43:45 +0100
commit67e8a83408c0e5b03ca4f8189f00092cb63b65d5 (patch)
treee4982c56707b812760301af94c7d0d12ec7a56ac /ansible/host_vars
parent3572c448f189d451dab80933fc4f78980999acd6 (diff)
o Switching arius from UFW to nftables.
Diffstat (limited to 'ansible/host_vars')
-rw-r--r--ansible/host_vars/arius/nftables.yml45
1 files changed, 45 insertions, 0 deletions
diff --git a/ansible/host_vars/arius/nftables.yml b/ansible/host_vars/arius/nftables.yml
new file mode 100644
index 0000000..6f4f167
--- /dev/null
+++ b/ansible/host_vars/arius/nftables.yml
@@ -0,0 +1,45 @@
+allowed_services:
+ - ssh
+ - http
+ - https
+
+nftables_tables:
+ - name: firewall
+ family: inet
+ chains:
+ - name: "input"
+ base:
+ type: "filter"
+ hook: "input"
+ priority: 0
+ policy: "drop"
+ rules:
+ - position: 1
+ statement: "iif lo accept"
+ - position: 2
+ statement: 'ct state invalid log prefix "FW:DROP:" drop'
+ comment: "Log and drop invalid packets."
+ - position: 3
+ statement: "ct state established,related accept"
+ - position: 10
+ statement: "ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert} accept"
+ - position: 11
+ statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"
+
+ - name: "forward"
+ base:
+ type: "filter"
+ hook: "forward"
+ priority: 0
+ policy: "accept"
+
+ - name: "output"
+ base:
+ type: "filter"
+ hook: "output"
+ priority: 0
+ policy: "accept"
+ rules:
+ - position: 1
+ statement: ""
+# statement: "ip daddr 192.0.2.100 counter"
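Review bot: The output chain's only rule, `statement: ""` at position 1, is an empty statement that the nftables role will presumably render as a blank or malformed line in the generated ruleset; either drop the `rules:` list from the output chain (its policy is already `accept`) or restore a real statement, e.g. `statement: "ip daddr 192.0.2.100 counter"`, instead of leaving it commented out at column 0. The input chain has `policy: "drop"` but accepts only four ICMPv6 types and no ICMPv4 at all, so as far as can be told from this file IPv6 `packet-too-big`, `destination-unreachable` and `time-exceeded` and every IPv4 ICMP message (including fragmentation-needed) are dropped, which breaks path-MTU discovery and ping; adding those three types to the set and a rule such as `ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept` would keep the host reachable. Note also that `ip6 nexthdr icmpv6` only matches when ICMPv6 is the first next header, so `meta l4proto ipv6-icmp` is the more robust match. The invalid-state log rule at position 2 has no rate limit, so a burst of invalid packets can fill the log; `limit rate 5/second` before `log` is the usual guard.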