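---
# nftables ruleset shared by all hosts. The value is a Jinja2 template that
# the consuming role renders before loading; `{# ... #}` comments below are
# removed at render time and never reach nft.
#
# The rendered file starts with `flush ruleset`, so when it is loaded with
# `nft -f` the whole ruleset is replaced in one transaction: a syntax error
# in the rendered output leaves the previous ruleset in place rather than
# producing a half-applied one.
#
# Variables the template reads:
#   group_names, ansible_default_ipv4, ansible_default_ipv6  (Ansible facts)
#   wireguard_port
#   lke_frankfurt_ipv4_addresses, lke_frankfurt_ipv6_addresses
#     (database hosts only: client ranges allowed to reach PostgreSQL)
nftables_configuration: |
  flush ruleset

  table inet firewall {
    set tcp_accepted {
      type inet_service
      elements = {
        # OpenSSH
        ssh,
        # NGINX
        http,
        https
      }
    }

  {% if "databases" in group_names %}
    # Access control for database server
    set possible_lke_ipv4_addrs {
      type ipv4_addr
      flags interval
  {# nft rejects an empty "elements = { }", so an empty address list leaves
     the set empty (matches nothing) instead of breaking the ruleset load. #}
  {% if lke_frankfurt_ipv4_addresses %}
      elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} }
  {% endif %}
    }

    set possible_lke_ipv6_addrs {
      type ipv6_addr
      flags interval
  {% if lke_frankfurt_ipv6_addresses %}
      elements = { {{ lke_frankfurt_ipv6_addresses | join(", ") }} }
  {% endif %}
    }
  {% endif %}

    chain input {
      type filter hook input priority 0

      # Drop anything not explicitly dropped or accepted by default
      policy drop

      # Drop invalid packets
      ct state invalid drop

      # Allow already established connections
      ct state established,related accept

      # Allow loopback
      iif lo accept

      # Allow certain inbound ICMP types (ping, traceroute).
      # With these allowed you are a good network citizen.
      meta l4proto { icmp, ipv6-icmp } counter accept

      # Standard allowed ports
      iifname {{ ansible_default_ipv4.interface }} tcp dport @tcp_accepted ct state new accept
  {# ansible_default_ipv6 can be an empty dict on hosts without an IPv6
     default route; dereferencing .interface unguarded would fail the render,
     so every IPv6 branch below checks that the interface fact exists. #}
  {% if ansible_default_ipv6.interface is defined and ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
      iifname {{ ansible_default_ipv6.interface }} tcp dport @tcp_accepted ct state new accept
  {% endif %}

      # WireGuard client connections
      iifname {{ ansible_default_ipv4.interface }} udp dport {{ wireguard_port }} ct state new accept
  {% if ansible_default_ipv6.interface is defined and ansible_default_ipv4.interface != ansible_default_ipv6.interface %}
      iifname {{ ansible_default_ipv6.interface }} udp dport {{ wireguard_port }} ct state new accept
  {% endif %}

      # Node Exporter port for Prometheus scraping over WireGuard
      iifname wg0 tcp dport 9100 ct state new accept

  {% if "databases" in group_names %}
      # PostgreSQL connections
      iifname {{ ansible_default_ipv4.interface }} ip saddr @possible_lke_ipv4_addrs tcp dport postgresql ct state new accept
  {% if ansible_default_ipv6.interface is defined %}
      iifname {{ ansible_default_ipv6.interface }} ip6 saddr @possible_lke_ipv6_addrs tcp dport postgresql ct state new accept
  {% endif %}
  {% endif %}
    }

    chain forward {
      type filter hook forward priority 0
      policy drop
      ct state invalid drop
      ct state established,related accept

      iifname wg0 ip daddr 10.0.0.0/8 accept
    }

    chain output {
      type filter hook output priority 0
      policy accept

      ip6 nexthdr ipv6-icmp accept
    }

    chain postrouting {
      type nat hook postrouting priority 100;
    }
  }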