From 67e8a83408c0e5b03ca4f8189f00092cb63b65d5 Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl
Date: Sun, 6 Jan 2019 15:43:45 +0100
Subject: o Switching arius from UFW to nftables.

---
 ansible/host_vars/arius/nftables.yml | 45 ++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 ansible/host_vars/arius/nftables.yml

(limited to 'ansible/host_vars')

diff --git a/ansible/host_vars/arius/nftables.yml b/ansible/host_vars/arius/nftables.yml
new file mode 100644
index 0000000..6f4f167
--- /dev/null
+++ b/ansible/host_vars/arius/nftables.yml
@@ -0,0 +1,45 @@
+allowed_services:
+  - ssh
+  - http
+  - https
+
+nftables_tables:
+  - name: firewall
+    family: inet
+    chains:
+      - name: "input"
+        base:
+          type: "filter"
+          hook: "input"
+          priority: 0
+          policy: "drop"
+        rules:
+          - position: 1
+            statement: "iif lo accept"
+          - position: 2
+            statement: 'ct state invalid log prefix "FW:DROP:" drop'
+            comment: "Log and drop invalid packets."
+          - position: 3
+            statement: "ct state established,related accept"
+          - position: 10
+            statement: "ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert} accept"
+          - position: 11
+            statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"
+
+      - name: "forward"
+        base:
+          type: "filter"
+          hook: "forward"
+          priority: 0
+          policy: "accept"
+
+      - name: "output"
+        base:
+          type: "filter"
+          hook: "output"
+          priority: 0
+          policy: "accept"
+        rules:
+          - position: 1
+            statement: ""
+# statement: "ip daddr 192.0.2.100 counter"
-- 
cgit v1.2.3
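Review bot: The `output` chain at the end of the hunk carries a rule with `statement: ""` next to a commented-out counter rule, which is a leftover placeholder; whatever the nftables role does with an empty statement, it will either emit a bare or malformed rule line into the rendered ruleset or silently skip it, so the safer form is to drop the `rules:` key (or write `rules: []`) and keep the example only in the comment. The invalid-state rule at position 2 logs without any rate limit, so a burst of invalid packets can flood the kernel log; `ct state invalid limit rate 5/minute log prefix "FW:DROP:" drop` keeps the log bounded while the chain's `drop` policy still discards the excess. With `policy: "drop"` on `input` and only ICMPv6 types whitelisted at position 10, IPv4 ICMP (including echo-request) is dropped silently; if that is unintended, an `ip protocol icmp icmp type { echo-request } accept` rule would restore ping, while ICMP errors tied to tracked flows presumably already pass via the established,related rule at position 3. The `forward` chain defaults to `accept`, which is harmless only while IP forwarding is disabled on arius; the host's sysctl settings are outside this commit, so that assumption is worth confirming.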