From ca4f05dac0347f2a26995bfa871efc192c01e24c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20L=C3=A1szl=C3=B3?= <rlacko99@gmail.com>
Date: Wed, 28 Jul 2021 15:41:04 +0200
Subject: [PATCH] Add nftables config

---
 ansible/router/install.yaml                   | 12 +++-
 ansible/router/inventory.yaml                 |  3 +-
 ansible/router/tasks/firewall.yaml            | 16 +++++
 ansible/router/tasks/iptables.yaml            |  2 -
 ansible/router/tasks/main.yaml                |  5 +-
 ansible/router/tasks/packages.yaml            |  4 +-
 ansible/router/templates/etc/nftables.conf.j2 | 64 +++++++++++++++++++
 7 files changed, 98 insertions(+), 8 deletions(-)
 create mode 100644 ansible/router/tasks/firewall.yaml
 delete mode 100644 ansible/router/tasks/iptables.yaml
 create mode 100644 ansible/router/templates/etc/nftables.conf.j2

diff --git a/ansible/router/install.yaml b/ansible/router/install.yaml
index 70b24a0..ff8a481 100644
--- a/ansible/router/install.yaml
+++ b/ansible/router/install.yaml
@@ -19,4 +19,14 @@
       port: 10022
       permitRootLogin: 'no'
       pubkeyAuthentication: 'yes'
-      passwordAuthentication: 'no'
\ No newline at end of file
+      passwordAuthentication: 'no'
+      allow:
+        users: 'rlacko'
+    nftables:
+      snat_to: 152.66.211.122
+      snat_from: 192.168.96.0/22
+      dnat:
+        - dport: 80
+          to: 192.168.96.101:80
+        - dport: 443
+          to: 192.168.96.101:443
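Review bot: `snat_to` at the end of the hunk hard-codes the same public address that inventory.yaml now uses as the host entry, so the router's WAN address has to be kept in sync in two places; if this file is the play/role vars for that host, `snat_to: "{{ inventory_hostname }}"` (or a single shared variable) would remove the duplication. The DNAT `to:` values are consumed verbatim by the nftables template, which performs no validation, so a comment such as `# host:port strings are rendered straight into nftables.conf` above `dnat:` would warn the next editor that a malformed entry only surfaces when `nft -f` runs. The `allow.users` value is a plain string; whether the sshd role expects a string or a list is not visible here and is worth confirming.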
diff --git a/ansible/router/inventory.yaml b/ansible/router/inventory.yaml
index 4767157..80257bb 100644
--- a/ansible/router/inventory.yaml
+++ b/ansible/router/inventory.yaml
@@ -1,4 +1,5 @@
 all:
   hosts:
     # Use OpenSSH config to make it confortable
-    router.maze:
+    152.66.211.122:
+      ansible_port: 10022
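Review bot: The comment `# Use OpenSSH config to make it confortable` no longer describes this entry, because the host is now addressed directly by IP with an explicit `ansible_port` rather than through a `~/.ssh/config` alias, and it also carries a typo. Replace it with something that matches the new line, e.g. `# Addressed directly by WAN IP; sshd listens on 10022 (see install.yaml)`.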
diff --git a/ansible/router/tasks/firewall.yaml b/ansible/router/tasks/firewall.yaml
new file mode 100644
index 0000000..f8e91f0
--- /dev/null
+++ b/ansible/router/tasks/firewall.yaml
@@ -0,0 +1,16 @@
+---
+
+- name: Ensure nftables runs and enabled
+  service:
+    name: nftables
+    state: started
+    enabled: yes
+
+- name: Place nftables configuration file.
+  template:
+    src: etc/nftables.conf.j2
+    dest: /etc/nftables.conf
+    mode: 0755
+
+- name: Load config
+  command: nft -f /etc/nftables.conf
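Review bot: The `Load config` task applies the rendered ruleset unconditionally and without a syntax check: `command` reports changed on every run, and a template error is only discovered when `nft -f` fails on the live router, while a broken /etc/nftables.conf would also make the nftables unit fail at the next boot and leave the host with no firewall. Adding `validate: nft -c -f %s` to the template task rejects a bad file before it is installed, and registering the template result lets the reload run only when the file actually changed. `mode: 0755` is an unquoted octal that YAML 1.1 parsers read as the integer 493; Ansible's file-mode docs recommend quoting it (`mode: "0755"`) so the module receives a string, and the executable bit is presumably kept to match the `#!` shebang in the template. Placing the template before the `service` task would also avoid starting nftables with the package's stock configuration on the first run.
```yaml
- name: Place nftables configuration file.
  template:
    src: etc/nftables.conf.j2
    dest: /etc/nftables.conf
    mode: "0755"
    # Syntax-check the rendered file before it replaces the live config.
    validate: nft -c -f %s
  register: nft_conf

- name: Load config
  command: nft -f /etc/nftables.conf
  when: nft_conf.changed
```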
diff --git a/ansible/router/tasks/iptables.yaml b/ansible/router/tasks/iptables.yaml
deleted file mode 100644
index cd21505..0000000
--- a/ansible/router/tasks/iptables.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-
diff --git a/ansible/router/tasks/main.yaml b/ansible/router/tasks/main.yaml
index 05bc45c..454b163 100644
--- a/ansible/router/tasks/main.yaml
+++ b/ansible/router/tasks/main.yaml
@@ -28,5 +28,6 @@
     state: restarted
     enabled: yes
 
-- name: Setup iptables
-  include_tasks: iptables.yaml
+- name: Setup firewall
+  include_tasks: firewall.yaml
+  tags: [firewall]
diff --git a/ansible/router/tasks/packages.yaml b/ansible/router/tasks/packages.yaml
index 9ec7c5d..7477db3 100644
--- a/ansible/router/tasks/packages.yaml
+++ b/ansible/router/tasks/packages.yaml
@@ -31,5 +31,5 @@
       - jq
       - git
 
-      # Router
-      - iptables
+      # Firewall
+      - nftables
diff --git a/ansible/router/templates/etc/nftables.conf.j2 b/ansible/router/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000..5dd2519
--- /dev/null
+++ b/ansible/router/templates/etc/nftables.conf.j2
@@ -0,0 +1,64 @@
+#!/usr/bin/nft -f
+
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    ct state {established, related} accept
+    ct state invalid drop
+
+    iif lo accept
+
+    # Allow from internal network
+    iif eth1 accept
+
+    ip protocol icmp accept
+
+    tcp dport 10022 accept comment "SSH in"
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+
+    # Allow outgoing via wan
+    oif eth0 accept
+    # Allow dnat
+    ct status dnat accept
+    # Allow incoming on wan for related & established connections
+    iif eth0 ct state related, established accept
+
+    # Drop any other incoming traffic on wan
+    iif eth0 drop
+  }
+
+  # Allow all packets sent by the firewall
+  chain output {
+    type filter hook output priority 100; policy accept;
+  }
+}
+
+table ip nat {
+  chain prerouting {
+    type nat hook prerouting priority -100;
+
+    # Port forwarding
+{% if nftables.dnat is defined %}
+{% for dnat in nftables.dnat %}
+    iif eth0 tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
+{% endfor %}
+{% endif %}
+  }
+
+  chain postrouting {
+    type nat hook postrouting priority 100;
+
+    # SNAT outgoing traffic
+    ip saddr {{ nftables.snat_from }} oif eth0 snat to {{ nftables.snat_to }}
+  }
+}
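Review bot: The `forward` chain declares no `policy`, so its base policy is accept; the rules only drop traffic arriving on eth0, and anything forwarded between other interfaces (or from eth1 towards an interface other than eth0) passes by default. Make the fail-closed intent explicit with `type filter hook forward priority 0; policy drop;` and add `ct state invalid drop` alongside the established/related rule, which also makes the trailing `iif eth0 drop` redundant rather than load-bearing. `ip protocol icmp accept` in the input chain matches only IPv4, while the table is `inet` with policy drop, so ICMPv6 (neighbour discovery, PMTUD) is blocked on the router itself; `meta l4proto { icmp, icmpv6 } accept` covers both. Note also that `flush ruleset` removes every table on the host, including any created by other tooling, which is worth a comment above that line.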
-- 
GitLab