From 5d011c9559c220eb2feee32a7170ea0caa7dcb91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20L=C3=A1szl=C3=B3?= <rlacko99@gmail.com>
Date: Thu, 16 Sep 2021 11:10:34 +0200
Subject: [PATCH] template nftables accepted ports

---
 defaults/main.yml | 5 +++++
 templates/etc/nftables.conf.j2 | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index db1d9e3..a77baa9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,6 +10,11 @@ lan_port: ens224
 # dnat:
 # - dport: 6443
 # to: 192.168.69.1:6443
+# accept:
+# - saddr: 152.66.0.0/16
+# dport: 10022
+# - saddr: 10.0.0.0/8
+# dport: 10022
 
 # netplan:
 # network:
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index f72e107..68a66f9 100644
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -22,7 +22,11 @@ table inet filter {
 
 ip protocol icmp accept
 
- tcp dport {{ ssh_port | default("10022", true) }} accept comment "SSH in"
+{% if nftables.accept is defined %}
+{% for accept in nftables.accept %}
+ ip saddr {{ accept.saddr }} tcp dport {{ accept.dport }} accept comment "{{ accept.comment }}"
+{% endfor %}
+{% endif %}
 }
 
 chain forward {
-- 
GitLab
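Review bot: The example `accept` entries list only `saddr` and `dport`, but the template rendered from them reads a third key, `accept.comment`, for every entry, so a user who uncomments this block verbatim gets an undefined attribute rather than a working ruleset. Add `#     comment: "SSH from campus"` (or similar) to each example entry, or state in a comment that `comment` is required. It is also not visible from the context line `lan_port: ens224` whether `accept:` is meant to sit under a `nftables:` mapping, which is what the template's `nftables.accept` lookup needs; a one-line comment such as `# nftables.accept: list of {saddr, dport, comment} allowed into the input chain` above the block would remove that guess. Since 152.66.0.0/16 is a public range, it is worth marking it as a placeholder so nobody ships it as a trusted source by copy-paste.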
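Review bot: The removed `tcp dport {{ ssh_port | default("10022", true) }} accept` line had no condition, but its replacement only renders when `nftables.accept` is defined, so any host whose vars do not set that list is left with no SSH accept rule at all; if the input chain (its header is outside this hunk) uses a drop policy, the next apply locks the operator out. Keep the old rule as a fallback by inserting `{% else %}` and `    tcp dport {{ ssh_port | default("10022", true) }} accept comment "SSH in"` immediately before `{% endif %}`, or at least document that setting `nftables.accept` replaces the default SSH rule. The loop also interpolates `accept.saddr`, `accept.dport` and `accept.comment` straight into nftables syntax, so a missing `comment` key fails the render under Ansible's default undefined handling (if this role is applied with the `template` module) and a `comment` containing a double quote, or a `saddr`/`dport` containing whitespace, would break or alter the ruleset; `comment "{{ accept.comment | default('accept ' ~ accept.dport) }}"` covers the first case, and a `# values come from trusted inventory only; not escaped` note covers the rest.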