Diffstat (limited to 'ansible/host_vars/arius')
-rw-r--r--ansible/host_vars/arius/nftables.yml45
1 files changed, 45 insertions, 0 deletions
diff --git a/ansible/host_vars/arius/nftables.yml b/ansible/host_vars/arius/nftables.yml
new file mode 100644
index 0000000..6f4f167
--- /dev/null
+++ b/ansible/host_vars/arius/nftables.yml
@@ -0,0 +1,45 @@
+allowed_services:
+ - ssh
+ - http
+ - https
+
+nftables_tables:
+ - name: firewall
+ family: inet
+ chains:
+ - name: "input"
+ base:
+ type: "filter"
+ hook: "input"
+ priority: 0
+ policy: "drop"
+ rules:
+ - position: 1
+ statement: "iif lo accept"
+ - position: 2
+ statement: 'ct state invalid log prefix "FW:DROP:" drop'
+ comment: "Log and drop invalid packets."
+ - position: 3
+ statement: "ct state established,related accept"
+ - position: 10
+ statement: "ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert} accept"
+ - position: 11
+ statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"
+
+ - name: "forward"
+ base:
+ type: "filter"
+ hook: "forward"
+ priority: 0
+ policy: "accept"
+
+ - name: "output"
+ base:
+ type: "filter"
+ hook: "output"
+ priority: 0
+ policy: "accept"
+ rules:
+ - position: 1
+ statement: ""
+# statement: "ip daddr 192.0.2.100 counter"
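Review bot: The output chain's rule at `position: 1` has `statement: ""`, a placeholder left in a committed host_vars file; depending on how the nftables role templates it, an empty statement either emits a bare rule line that `nft -f` rejects or a rule that configures nothing, and neither is intended. Remove the `rules:` entry (together with the commented `# statement: "ip daddr 192.0.2.100 counter"` line) from the output chain until a real rule is needed. Two things in the input chain are worth a second look as well: `ip6 nexthdr icmpv6` matches only when ICMPv6 is the first next header, so ICMPv6 carried behind an IPv6 extension header would miss the accept rule, and `meta l4proto icmpv6 icmpv6 type {…} accept` is the usual form; and `ct state invalid log prefix "FW:DROP:" drop` logs without a rate limit, so a burst of invalid packets can flood the log. For the latter, splitting it into `ct state invalid limit rate 5/minute log prefix "FW:DROP:"` followed by `ct state invalid drop` keeps the drop unconditional while bounding log volume. The page's indentation appears flattened, so the nesting of these keys could not be verified from the diff.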