diff --git a/ansible/router/install.yaml b/ansible/router/install.yaml
index 70b24a0f0ac3c945cce98e0e94cebd755dc1d483..ff8a481b5da9e6a8d8cd8a33477495a1101163e1 100644
--- a/ansible/router/install.yaml
+++ b/ansible/router/install.yaml
@@ -19,4 +19,14 @@
 port: 10022
 permitRootLogin: 'no'
 pubkeyAuthentication: 'yes'
- passwordAuthentication: 'no'
\ No newline at end of file
+ passwordAuthentication: 'no'
+ allow:
+ users: 'rlacko'
+ nftables:
+ snat_to: 152.66.211.122
+ snat_from: 192.168.96.0/22
+ dnat:
+ - dport: 80
+ to: 192.168.96.101:80
+ - dport: 443
+ to: 192.168.96.101:443
diff --git a/ansible/router/inventory.yaml b/ansible/router/inventory.yaml
index 47671573d9ef04b34c76b1a7d62688ac3a8e2245..80257bbb788557bf498f408b38b4c68b8848c383 100644
--- a/ansible/router/inventory.yaml
+++ b/ansible/router/inventory.yaml
@@ -1,4 +1,5 @@
 all:
 hosts:
 # Use OpenSSH config to make it confortable
- router.maze:
+ 152.66.211.122:
+ ansible_port: 10022
diff --git a/ansible/router/tasks/firewall.yaml b/ansible/router/tasks/firewall.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f8e91f0c4b7c7106788c88498a8ecf31c4a7f949
--- /dev/null
+++ b/ansible/router/tasks/firewall.yaml
@@ -0,0 +1,16 @@
+---
+
+- name: Ensure nftables runs and enabled
+ service:
+ name: nftables
+ state: started
+ enabled: yes
+
+- name: Place nftables configuration file.
+ template:
+ src: etc/nftables.conf.j2
+ dest: /etc/nftables.conf
+ mode: 0755
+
+- name: Load config
+ command: nft -f /etc/nftables.conf
diff --git a/ansible/router/tasks/iptables.yaml b/ansible/router/tasks/iptables.yaml
deleted file mode 100644
index cd21505a47e530a967e3c44bd2a772d1b8d08bd7..0000000000000000000000000000000000000000
--- a/ansible/router/tasks/iptables.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-
diff --git a/ansible/router/tasks/main.yaml b/ansible/router/tasks/main.yaml
index 05bc45c30b8a7e1594b2bee6aaeff9ef2ba66f42..454b163b01a6bf1ffb4b4b3814365e6f94fa5317 100644
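Review bot: The new `nftables` block introduces a small schema (`snat_to`, `snat_from`, `dnat[].dport`, `dnat[].to`) with no comment saying what each field feeds, and the template that consumes it hard-codes `iif eth0 tcp dport … dnat …`, so a `dnat` entry can only ever forward TCP arriving on the WAN interface — UDP on 443 for QUIC, for example, cannot be expressed here. A short comment above the block would save the next reader a trip to the template, e.g. `# Rendered into /etc/nftables.conf: WAN (eth0) tcp/<dport> is DNATed to <to>; traffic from <snat_from> leaving eth0 is SNATed to <snat_to>. dnat is optional and TCP-only; snat_to/snat_from are required.` The indentation of this hunk is not recoverable from the listing, so whether `nftables` is a sibling of the ssh settings or nested under them should be checked against the file before merging.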
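Review bot: The comment `# Use OpenSSH config to make it confortable` no longer matches the line below it, which now connects to a bare IP and hard-codes the port instead of relying on an `ssh_config` Host alias. Keeping the alias as the inventory name and moving the connection details into host variables preserves both: `router.maze:` / `  ansible_host: 152.66.211.122` / `  ansible_port: 10022`. Note that `ansible_port: 10022` appears to be the port the same role configures in sshd (`port: 10022` in install.yaml), so a first run against a fresh host still listening on 22 presumably needs `-e ansible_port=22` or similar; a comment saying so would help the next person who bootstraps the box. The typo `confortable` → `comfortable` can be fixed while the comment is being touched.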
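Review bot: The template task writes `/etc/nftables.conf` with no validation and the following `command: nft -f` runs unconditionally, so a ruleset that fails to parse is still written to disk (and becomes what nftables.service tries to load at the next boot) while the play reports `changed` on every run. Validate the rendered file before it replaces the old one with `validate: nft -c -f %s`, register the template result and load only when it actually changed; `mode: 0755` should also be quoted as `'0755'` so the value does not depend on YAML's leading-zero octal handling, and `enabled: yes` is better written `true`. The executable bit is what some distributions ship for this file but is not needed when it is loaded via `nft -f`; tightening to `'0640'` would keep the internal address plan away from unprivileged local users, if nothing else on the host needs to read it.
```yaml
- name: Place nftables configuration file.
  template:
    src: etc/nftables.conf.j2
    dest: /etc/nftables.conf
    mode: '0755'
    validate: nft -c -f %s
  register: nftables_conf

- name: Load config
  command: nft -f /etc/nftables.conf
  when: nftables_conf.changed
```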
--- a/ansible/router/tasks/main.yaml
+++ b/ansible/router/tasks/main.yaml
@@ -28,5 +28,6 @@
 state: restarted
 enabled: yes
-- name: Setup iptables
- include_tasks: iptables.yaml
+- name: Setup firewall
+ include_tasks: firewall.yaml
+ tags: [firewall]
diff --git a/ansible/router/tasks/packages.yaml b/ansible/router/tasks/packages.yaml
index 9ec7c5d7a0892faa3bca726703be99568588ec03..7477db35ac86ae1d17c38b461048f7ecfc0c693a 100644
--- a/ansible/router/tasks/packages.yaml
+++ b/ansible/router/tasks/packages.yaml
@@ -31,5 +31,5 @@
 - jq
 - git
- # Router
- - iptables
+ # Firewall
+ - nftables
diff --git a/ansible/router/templates/etc/nftables.conf.j2 b/ansible/router/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5dd25198a056dc2e9bdbcfaeb2fb9bc937af15c7
--- /dev/null
+++ b/ansible/router/templates/etc/nftables.conf.j2
@@ -0,0 +1,64 @@
+#!/usr/bin/nft -f
+
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ ct state {established, related} accept
+ ct state invalid drop
+
+ iif lo accept
+
+ # Allow from internal network
+ iif eth1 accept
+
+ ip protocol icmp accept
+
+ tcp dport 10022 accept comment "SSH in"
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ # Allow outgoing via wan
+ oif eth0 accept
+ # Allow dnat
+ ct status dnat accept
+ # Allow incoming on wan for related & established connections
+ iif eth0 ct state related, established accept
+
+ # Drop any other incoming traffic on wan
+ iif eth0 drop
+ }
+
+ # Allow all packets sent by the firewall
+ chain output {
+ type filter hook output priority 100; policy accept;
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority -100;
+
+ # Port forwarding
+{% if nftables.dnat is defined %}
+{% for dnat in nftables.dnat %}
+ iif eth0 tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
+{% endfor %}
+{% endif %}
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+
+ # SNAT outgoing traffic
+ ip saddr {{ nftables.snat_from }} oif eth0 snat to {{ nftables.snat_to }}
+ }
+}
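Review bot: The `forward` chain declares no policy, so it defaults to accept and the only thing it ever drops is traffic arriving on eth0; anything forwarded between other interfaces, or arriving on an interface that is neither eth0 nor eth1, passes unfiltered. Make the default explicit with `type filter hook forward priority 0; policy drop;`, keep the three accept rules, and add `ct state invalid drop` beside them as the input chain already does — the trailing `iif eth0 drop` then becomes redundant. In an `inet` table `ip protocol icmp accept` matches IPv4 only, so if this router ever carries IPv6 the input chain's `policy drop` will discard neighbour discovery; `meta l4proto { icmp, ipv6-icmp } accept` covers both. The prerouting rule writes `dnat {{ dnat.to }}` while postrouting uses `snat to`; current nft documents the `to` form (older releases accept the bare one), so `dnat to {{ dnat.to }}` is the consistent spelling. Because `iif`/`oif` are resolved to an interface index when the file is loaded, loading at boot can fail on systems where nftables.service is ordered before the interfaces exist, leaving the host with no ruleset at all; `iifname`/`oifname` match by name and avoid that failure mode.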