From 67e8a83408c0e5b03ca4f8189f00092cb63b65d5 Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl <trygvis@inamo.no>
Date: Sun, 6 Jan 2019 15:43:45 +0100
Subject: o Switching arius from UFW to nftables.

---
 ansible/host_vars/arius/nftables.yml | 45 ++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 ansible/host_vars/arius/nftables.yml

(limited to 'ansible/host_vars')

diff --git a/ansible/host_vars/arius/nftables.yml b/ansible/host_vars/arius/nftables.yml
new file mode 100644
index 0000000..6f4f167
--- /dev/null
+++ b/ansible/host_vars/arius/nftables.yml
@@ -0,0 +1,45 @@
+allowed_services:
+  - ssh
+  - http
+  - https
+
+nftables_tables:
+  - name: firewall
+    family: inet
+    chains:
+      - name: "input"
+        base:
+          type: "filter"
+          hook: "input"
+          priority: 0
+          policy: "drop"
+        rules:
+          - position: 1
+            statement: "iif lo accept"
+          - position: 2
+            statement: 'ct state invalid log prefix "FW:DROP:" drop'
+            comment: "Log and drop invalid packets."
+          - position: 3
+            statement: "ct state established,related accept"
+          - position: 10
+            statement: "ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert} accept"
+          - position: 11
+            statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"
+
+      - name: "forward"
+        base:
+          type: "filter"
+          hook: "forward"
+          priority: 0
+          policy: "accept"
+
+      - name: "output"
+        base:
+          type: "filter"
+          hook: "output"
+          priority: 0
+          policy: "accept"
+        rules:
+          - position: 1
+            statement: ""
+#            statement: "ip daddr 192.0.2.100 counter"
-- 
cgit v1.2.3