authorGravatar Johannes Christ <[email protected]>2024-04-29 19:41:08 +0200
committerGravatar jchristgit <[email protected]>2024-04-29 19:51:49 +0200
commitcd39357d718a483a25de6048397608459d0c32fe (patch)
tree31514be60f46d0fc016700ee85653abbda6636f8
parentUpdated postgres config from PGTune (diff)
Use nftables for firewalling
nftables is the modern replacement for iptables, which ufw uses under the hood. It allows us to specify firewall rules in a simple text file (with as much or as little abstraction as we want) and is quick to update and read. The text-file format allows more liberty with commenting compared to UFW. The existing `ufw` role has been converted to simply remove UFW. This has already been deployed on lovelace.
-rw-r--r--.gitmodules3
-rw-r--r--ansible/group_vars/all/nftables.yml69
-rw-r--r--ansible/playbook.yml3
m---------ansible/roles/nftables0
-rw-r--r--ansible/roles/ufw/tasks/main.yml44
-rw-r--r--ansible/roles/ufw/vars/main.yml6
6 files changed, 86 insertions, 39 deletions
diff --git a/.gitmodules b/.gitmodules
index 16ad7a1..e1d214b 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
[submodule "hugodocs/themes/hugo-book"]
path = docs/themes/hugo-book
url = https://github.com/alex-shpak/hugo-book
+[submodule "ansible/roles/nftables"]
+ path = ansible/roles/nftables
+ url = [email protected]:jchristgit/ansible-role-nftables.git
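Review bot: The new submodule uses the SSH URL form `[email protected]:jchristgit/ansible-role-nftables.git`, so every `git submodule update --init` (CI runners, read-only checkouts, new contributors) needs GitHub SSH credentials, whereas the existing hugo-book submodule uses an HTTPS URL. `url = https://github.com/jchristgit/ansible-role-nftables.git` keeps anonymous clones working, and the gitlink still pins the role to a fixed commit. Since this role is fetched from a personal GitHub account and is presumably run with root privileges on every host, it is worth a short comment in the README or commit noting that the pin must be reviewed rather than bumped blindly.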
diff --git a/ansible/group_vars/all/nftables.yml b/ansible/group_vars/all/nftables.yml
new file mode 100644
index 0000000..53a7239
--- /dev/null
+++ b/ansible/group_vars/all/nftables.yml
@@ -0,0 +1,69 @@
+---
+nftables_configuration: |
+ flush ruleset
+
+ table inet firewall {
+ set tcp_accepted {
+ type inet_service
+ elements = {
+ # OpenSSH
+ ssh,
+ # NGINX
+ http,
+ https
+ }
+ }
+
+ chain input {
+ type filter hook input priority 0
+
+ # Drop anything not explicitly dropped or accepted by default
+ policy drop
+
+ # Drop invalid packets
+ ct state invalid drop
+
+ # Allow already established connections
+ ct state established,related accept
+
+ # Allow loopback
+ iif lo accept
+
+ # Allow certain inbound ICMP types (ping, traceroute).
+ # With these allowed you are a good network citizen.
+ meta l4proto { icmp, ipv6-icmp } counter accept
+
+ # Standard allowed ports
+ iifname {{ ansible_default_ipv4.interface }} tcp dport @tcp_accepted ct state new accept
+ {% if ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
+ iifname {{ ansible_default_ipv6.interface }} tcp dport @tcp_accepted ct state new accept
+ {% endif %}
+
+ # WireGuard client connections
+ iifname {{ ansible_default_ipv4.interface }} udp dport {{ wireguard_port }} ct state new accept
+ {% if ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
+ iifname {{ ansible_default_ipv6.interface }} udp dport {{ wireguard_port }} ct state new accept
+ {% endif %}
+
+ }
+
+ chain forward {
+ type filter hook forward priority 0
+ policy drop
+ ct state invalid drop
+ ct state established,related accept
+
+ iifname wg0 ip daddr 10.0.0.0/8 accept
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy accept
+
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ }
+ }
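Review bot: The input chain has no rule for wg0, although the deleted `ufw_rules` entry in ansible/roles/ufw/vars/main.yml allowed inbound traffic on wg0 from 10.0.0.0/8 to this host; under `policy drop` anything a WireGuard peer sends to the host itself (for example a node-exporter scrape, which the prometheus-node-exporter role in the playbook suggests) is now dropped, and the new forward-chain rule only covers traffic passing through the host. If that traffic is still wanted, add `iifname wg0 ip saddr 10.0.0.0/8 accept` next to the WireGuard rule in the input chain. Separately, the comment above the ICMP rule says only certain types (ping, traceroute) are allowed, but `meta l4proto { icmp, ipv6-icmp } counter accept` admits every ICMP and ICMPv6 type; either restrict it with `icmp type` / `icmpv6 type` sets (keeping the neighbour-discovery types IPv6 needs) or reword the comment to `# Allow all ICMP/ICMPv6: ping, traceroute, and the ND/PMTU messages IPv6 depends on`. Finally, `ansible_default_ipv6.interface` is evaluated on every host, and on a host without an IPv6 default route `ansible_default_ipv6` is an empty dict, so rendering may fail there — guarding the block with `{% if ansible_default_ipv6.interface is defined and ... %}` avoids that.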
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 7881bf4..b316432 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -3,7 +3,8 @@
roles:
- common
- pydis-users
- - ufw
+ - ufw # can be removed
+ - nftables
- prometheus-node-exporter
- wireguard
- fail2ban
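Review bot: The `ufw` role still runs before `nftables`, so on a host being converted the Disable UFW task removes the ufw ruleset before the nftables ruleset exists, and a failure in the nftables role leaves the host with no packet filter at all. The new configuration begins with `flush ruleset`, so it does not depend on ufw being gone first; ordering `- nftables` before `- ufw` keeps a filter in place throughout the run. The `# can be removed` comment would be clearer as `# now only removes UFW; drop this role once every host has been converted`.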
diff --git a/ansible/roles/nftables b/ansible/roles/nftables
new file mode 160000
+Subproject 8fbc92fa7effee6e7ce9e04b5a15b1af12b93f8
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index 89e25d9..e44d173 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -1,37 +1,17 @@
-- name: Install UFW
- apt:
- update_cache: true
- cache_valid_time: 3600
- pkg:
- - ufw
- tags:
- - role::ufw
-
-- name: Allow OpenSSH
- community.general.ufw:
- rule: allow
- name: OpenSSH
- tags:
- - role::ufw
-
-- name: Enable UFW and deny all traffic by default
+- name: Disable UFW # noqa
community.general.ufw:
- state: enabled
- policy: deny
+ state: disabled
tags:
- role::ufw
+ ignore_errors: true # subsequent deploys
-- name: Allow WireGuard
- community.general.ufw:
- rule: allow
- proto: udp
- port: "{{ wireguard_port }}"
- comment: "Allow WireGuard"
- tags:
- - role::ufw
+- name: Uninstall UFW
+ apt:
+ name: ufw
+ state: absent
+ purge: true
-- name: Apply service-specific rules
- community.general.ufw: "{{ item }}"
- with_items: "{{ ufw_rules }}"
- tags:
- - role::ufw
+- name: Purge UFW files
+ file:
+ path: /etc/ufw
+ state: absent
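Review bot: `ignore_errors: true` on the Disable UFW task (with `# noqa` silencing the lint warning) swallows every failure, including a genuine failure to disable ufw on a host where it is installed, and the play then goes on to purge the package; the intent — skip the task on hosts where ufw is already gone — is better expressed as a condition. The two new tasks, Uninstall UFW and Purge UFW files, also lack the `role::ufw` tag that the disable task keeps, so a run with `--tags role::ufw` only disables ufw and leaves the package and /etc/ufw in place. Gathering package facts and gating the disable on them removes the need for `ignore_errors`, and the same tag should be added to all three tasks.

```yaml
- name: Gather installed packages
  package_facts:
  tags:
    - role::ufw

- name: Disable UFW
  community.general.ufw:
    state: disabled
  when: "'ufw' in ansible_facts.packages"
  tags:
    - role::ufw

# … unchanged: Uninstall UFW and Purge UFW files tasks, each with the role::ufw tag added …
```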
diff --git a/ansible/roles/ufw/vars/main.yml b/ansible/roles/ufw/vars/main.yml
deleted file mode 100644
index 3c342ec..0000000
--- a/ansible/roles/ufw/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-ufw_rules:
- - comment: Allow internal traffic
- interface: wg0
- direction: in
- rule: allow
- from_ip: 10.0.0.0/8