| -rw-r--r-- | .gitmodules | 3 | ||||
| -rw-r--r-- | ansible/group_vars/all/nftables.yml | 69 | ||||
| -rw-r--r-- | ansible/playbook.yml | 3 | ||||
| m--------- | ansible/roles/nftables | 0 | ||||
| -rw-r--r-- | ansible/roles/ufw/tasks/main.yml | 44 | ||||
| -rw-r--r-- | ansible/roles/ufw/vars/main.yml | 6 | 
6 files changed, 86 insertions, 39 deletions
| diff --git a/.gitmodules b/.gitmodules
index 16ad7a1..e1d214b 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "hugodocs/themes/hugo-book"]
 	path = docs/themes/hugo-book
 	url = https://github.com/alex-shpak/hugo-book
+[submodule "ansible/roles/nftables"]
+	path = ansible/roles/nftables
+	url = [email protected]:jchristgit/ansible-role-nftables.git
diff --git a/ansible/group_vars/all/nftables.yml b/ansible/group_vars/all/nftables.yml
new file mode 100644
index 0000000..53a7239
--- /dev/null
+++ b/ansible/group_vars/all/nftables.yml
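Review bot: The submodule added at the end of the hunk is a third-party role that will own the host firewall, and its `url` appears to be the SSH form (`git@github.com:…`), so every clone and CI checkout needs a GitHub SSH identity just to fetch a public, read-only dependency; `url = https://github.com/jchristgit/ansible-role-nftables.git` removes that requirement. The commit pin recorded for the submodule later in this diff is the right control for a role with this much authority — keep it pinned rather than tracking a branch, and diff the role on each bump since it runs as root and rewrites `nftables.conf`.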
@@ -0,0 +1,69 @@
+---
+nftables_configuration: |
+  flush ruleset
+
+  table inet firewall {
+    set tcp_accepted {
+      type inet_service
+      elements = {
+        # OpenSSH
+        ssh,
+        # NGINX
+        http,
+        https
+      }
+    }
+
+    chain input {
+      type filter hook input priority 0
+
+      # Drop anything not explicitly dropped or accepted by default
+      policy drop
+
+      # Drop invalid packets
+      ct state invalid drop
+
+      # Allow already established connections
+      ct state established,related accept
+
+      # Allow loopback
+      iif lo accept
+
+      # Allow certain inbound ICMP types (ping, traceroute).
+      # With these allowed you are a good network citizen.
+      meta l4proto { icmp, ipv6-icmp } counter accept
+
+      # Standard allowed ports
+      iifname {{ ansible_default_ipv4.interface }} tcp dport @tcp_accepted ct state new accept
+  {% if ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
+      iifname {{ ansible_default_ipv6.interface }} tcp dport @tcp_accepted ct state new accept
+  {% endif %}
+
+      # WireGuard client connections
+      iifname {{ ansible_default_ipv4.interface }} udp dport {{ wireguard_port }} ct state new accept
+  {% if ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
+      iifname {{ ansible_default_ipv6.interface }} udp dport {{ wireguard_port }} ct state new accept
+  {% endif %}
+
+    }
+
+    chain forward {
+      type filter hook forward priority 0
+      policy drop
+      ct state invalid drop
+      ct state established,related accept
+
+      iifname wg0 ip daddr 10.0.0.0/8 accept
+    }
+
+    chain output {
+      type filter hook output priority 0
+      policy accept
+
+      ip6 nexthdr ipv6-icmp accept
+    }
+
+    chain postrouting {
+      type nat hook postrouting priority 100;
+    }
+  }
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 7881bf4..b316432 100644
--- a/ansible/playbook.yml
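Review bot: The `input` chain only accepts TCP/UDP on the default interface and has no rule for `wg0`, while the ufw rule this commit deletes (`interface: wg0, direction: in, from_ip: 10.0.0.0/8`) allowed traffic arriving over the tunnel to the host itself; with `policy drop` that traffic — presumably the prometheus-node-exporter scrape, judging by the role list — is now dropped unless the submodule role adds a rule of its own, and the `iifname wg0 … accept` in `forward` does not help because it covers routed packets only. Adding `iifname wg0 ip saddr 10.0.0.0/8 accept` after the loopback rule restores the old behaviour. The condition `{% if ansible_default_ipv4.interface != ansible_default_ipv6.interface %}` will typically fail to render on a host without a default IPv6 route, where that fact is an empty dict, so guard it with `ansible_default_ipv6.interface is defined and …`. Note also that `flush ruleset` clears every table on the box, including ones created through iptables-nft such as fail2ban's default Debian banaction, so fail2ban should use `banaction = nftables-multiport` (or the flush should be scoped to `table inet firewall`) or each reload silently drops the bans.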
+++ b/ansible/playbook.yml
@@ -3,7 +3,8 @@
   roles:
     - common
     - pydis-users
-    - ufw
+    - ufw  # can be removed
+    - nftables
     - prometheus-node-exporter
     - wireguard
     - fail2ban
diff --git a/ansible/roles/nftables b/ansible/roles/nftables
new file mode 160000
+Subproject 8fbc92fa7effee6e7ce9e04b5a15b1af12b93f8
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index 89e25d9..e44d173 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -1,37 +1,17 @@
-- name: Install UFW
-  apt:
-    update_cache: true
-    cache_valid_time: 3600
-    pkg:
-      - ufw
-  tags:
-    - role::ufw
-
-- name: Allow OpenSSH
-  community.general.ufw:
-    rule: allow
-    name: OpenSSH
-  tags:
-    - role::ufw
-
-- name: Enable UFW and deny all traffic by default
+- name: Disable UFW  # noqa
   community.general.ufw:
-    state: enabled
-    policy: deny
+    state: disabled
   tags:
     - role::ufw
+  ignore_errors: true  # subsequent deploys
-- name: Allow WireGuard
-  community.general.ufw:
-    rule: allow
-    proto: udp
-    port: "{{ wireguard_port }}"
-    comment: "Allow WireGuard"
-  tags:
-    - role::ufw
+- name: Uninstall UFW
+  apt:
+    name: ufw
+    state: absent
+    purge: true
-- name: Apply service-specific rules
-  community.general.ufw: "{{ item }}"
-  with_items: "{{ ufw_rules }}"
-  tags:
-    - role::ufw
+- name: Purge UFW files
+  file:
+    path: /etc/ufw
+    state: absent
diff --git a/ansible/roles/ufw/vars/main.yml b/ansible/roles/ufw/vars/main.yml
deleted file mode 100644
index 3c342ec..0000000
--- a/ansible/roles/ufw/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-ufw_rules:
-  - comment: Allow internal traffic
-    interface: wg0
-    direction: in
-    rule: allow
-    from_ip: 10.0.0.0/8 |
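Review bot: The role order keeps `ufw` (which now disables and purges ufw) ahead of `nftables`, so on the first run against an existing host the input filter is torn down before the replacement ruleset is loaded, and if the nftables role then fails the host stays with no packet filtering until someone notices. Swapping the two entries so `nftables` is applied first and the ufw cleanup runs afterwards closes that window (the `flush ruleset` in the new configuration removes ufw's iptables-nft rules anyway). The `# can be removed` comment would be more useful as a condition, e.g. `# transitional: drop once every host has had ufw purged`.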
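Review bot: `ignore_errors: true` on the `Disable UFW` task hides every failure of that task, not only the "module no longer usable once ufw is gone" case the trailing comment describes, and the task also runs on hosts that never had ufw. A narrower guard is to gather `package_facts:` first and use `when: "'ufw' in ansible_facts.packages"` on the disable task, which makes the failure mode explicit and keeps genuine errors visible. The two new tasks `Uninstall UFW` and `Purge UFW files` also lack the `tags: [role::ufw]` the kept task still carries, so a run limited with `--tags role::ufw` disables ufw but leaves the package and `/etc/ufw` in place; add the tag to both for consistency with the rest of the role.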