Commit ca4f05da authored by Rafael László's avatar Rafael László :speech_balloon:

Add nftables config

parent dd50946f
...@@ -20,3 +20,13 @@ ...@@ -20,3 +20,13 @@
permitRootLogin: 'no' permitRootLogin: 'no'
pubkeyAuthentication: 'yes' pubkeyAuthentication: 'yes'
passwordAuthentication: 'no' passwordAuthentication: 'no'
allow:
users: 'rlacko'
nftables:
snat_to: 152.66.211.122
snat_from: 192.168.96.0/22
dnat:
- dport: 80
to: 192.168.96.101:80
- dport: 443
to: 192.168.96.101:443
all: all:
hosts: hosts:
# Use OpenSSH config to make it confortable # Use OpenSSH config to make it confortable
router.maze: 152.66.211.122:
ansible_port: 10022
---
- name: Ensure nftables runs and enabled
service:
name: nftables
state: started
enabled: yes
- name: Place nftables configuration file.
template:
src: etc/nftables.conf.j2
dest: /etc/nftables.conf
mode: 0755
- name: Load config
command: nft -f /etc/nftables.conf
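Review bot: The `Load config` task runs `nft -f` on every play regardless of whether the template changed, so the play always reports a change and a bad render is only discovered when the live ruleset is replaced; `mode: 0755` also makes a ruleset file executable for no reason (the service loads it with `nft -f`, and an unquoted leading-zero mode relies on YAML 1.1 octal parsing). I would validate the rendered file with the template module's `validate` hook (`nft -c -f` is a syntax check without committing), register the result, load only on change, and drop the executable bit. Ordering the service start before the file is placed also means the first run may briefly start nftables with whatever distro default config exists; presumably harmless, but worth confirming.
```yaml
- name: Place nftables configuration file.
  template:
    src: etc/nftables.conf.j2
    dest: /etc/nftables.conf
    mode: '0644'
    validate: nft -c -f %s
  register: nftables_conf
- name: Load config
  command: nft -f /etc/nftables.conf
  when: nftables_conf.changed
```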
---
...@@ -28,5 +28,6 @@ ...@@ -28,5 +28,6 @@
state: restarted state: restarted
enabled: yes enabled: yes
- name: Setup iptables - name: Setup firewall
include_tasks: iptables.yaml include_tasks: firewall.yaml
tags: [firewall]
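Review bot: `tags: [firewall]` on an `include_tasks` applies only to the include statement itself, not to the tasks inside firewall.yaml, so `ansible-playbook --tags firewall` will execute the include and then skip every task it pulls in. Either make it static with `import_tasks: firewall.yaml` (tags are inherited) or keep the dynamic include and push the tag down: `include_tasks: { file: firewall.yaml, apply: { tags: [firewall] } }`. The enclosing play continues outside this hunk, so I cannot see whether a play-level `become` covers the privileged nft tasks.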
...@@ -31,5 +31,5 @@ ...@@ -31,5 +31,5 @@
- jq - jq
- git - git
# Router # Firewall
- iptables - nftables
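Review bot: Swapping `iptables` for `nftables` in the install list does not remove the old package or any legacy x_tables rules that may still be loaded on a host that was previously configured by iptables.yaml, and `flush ruleset` in the new config only clears nf_tables. If the existing router was deployed with the old role, consider an explicit cleanup step (e.g. `package: name: iptables state: absent` or an `iptables -F` run once) so two rule engines do not coexist silently; this is inferred from the rename, not from anything visible here.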
#!/usr/bin/nft -f
# !!!
# {{ ansible_managed }}
# !!!
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state {established, related} accept
ct state invalid drop
iif lo accept
# Allow from internal network
iif eth1 accept
ip protocol icmp accept
tcp dport 10022 accept comment "SSH in"
}
chain forward {
type filter hook forward priority 0;
# Allow outgoing via wan
oif eth0 accept
# Allow dnat
ct status dnat accept
# Allow incoming on wan for related & established connections
iif eth0 ct state related, established accept
# Drop any other incoming traffic on wan
iif eth0 drop
}
# Allow all packets sent by the firewall
chain output {
type filter hook output priority 100; policy accept;
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100;
# Port forwarding
{% if nftables.dnat is defined %}
{% for dnat in nftables.dnat %}
iif eth0 tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
{% endfor %}
{% endif %}
}
chain postrouting {
type nat hook postrouting priority 100;
# SNAT outgoing traffic
ip saddr {{ nftables.snat_from }} oif eth0 snat to {{ nftables.snat_to }}
}
}
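Review bot: The `forward` base chain declares no policy, so it defaults to accept: anything not matched by the three rules — traffic arriving on an interface other than eth0, or packets headed for an interface other than eth0 — is forwarded by default, which is fail-open for a router. Declare the intent explicitly with `type filter hook forward priority 0; policy drop;` and keep the existing accepts. Two smaller points: in an `inet` table `ip protocol icmp accept` covers IPv4 only, so if eth0 carries IPv6 the input `policy drop` will also drop ICMPv6 neighbour discovery (add `meta l4proto ipv6-icmp accept` if IPv6 is in use — cannot tell from here), and `tcp dport 10022` duplicates the inventory's `ansible_port`, so templating it as `tcp dport {{ ansible_port | default(22) }}` keeps the firewall and the SSH port from drifting apart and locking you out.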