From d677976dd1b42f429e994b8bfb92b2b832cce37b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20L=C3=A1szl=C3=B3?= <rlacko99@gmail.com>
Date: Wed, 28 Jul 2021 16:02:50 +0200
Subject: [PATCH] Use variables in nftables config and reorder

---
ansible/router/templates/etc/nftables.conf.j2 | 22 +++++++++----------
1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/ansible/router/templates/etc/nftables.conf.j2 b/ansible/router/templates/etc/nftables.conf.j2
index 5dd2519..6c88617 100644
--- a/ansible/router/templates/etc/nftables.conf.j2
+++ b/ansible/router/templates/etc/nftables.conf.j2
@@ -6,6 +6,9 @@
 flush ruleset
+define wan = eth0
+define lan = eth1
+
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
@@ -15,8 +18,7 @@ table inet filter {
 iif lo accept
-# Allow from internal network
-iif eth1 accept
+iif $lan accept
 ip protocol icmp accept
@@ -26,15 +28,11 @@ table inet filter {
 chain forward {
 type filter hook forward priority 0;
-# Allow outgoing via wan
-oif eth0 accept
-# Allow dnat
-ct status dnat accept
-# Allow incoming on wan for related & established connections
-iif eth0 ct state related, established accept
+oif $wan accept
+iif $wan drop
-# Drop any other incoming traffic on wan
-iif eth0 drop
+ct status dnat accept
+iif $wan ct state related, established accept
 }
 # Allow all packets sent by the firewall
@@ -50,7 +48,7 @@ table ip nat {
 # Port forwarding
 {% if nftables.dnat is defined %}
 {% for dnat in nftables.dnat %}
-iif eth0 tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
+iif $wan tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
 {% endfor %}
 {% endif %}
 }
@@ -59,6 +57,6 @@ table ip nat {
 type nat hook postrouting priority 100;
 # SNAT outgoing traffic
-ip saddr {{ nftables.snat_from }} oif eth0 snat to {{ nftables.snat_to }}
+ip saddr {{ nftables.snat_from }} oif $wan snat to {{ nftables.snat_to }}
 }
 }
--
GitLab
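Review bot: The `# Allow from internal network` comment is dropped along with the `iif eth1 accept` line it explained, so the new `iif $lan accept` in the input chain no longer says why LAN traffic bypasses the drop policy; the forward-chain hunk of this patch removes all four of its rule comments the same way. A firewall template is read far more often during incidents than it is edited, and the intent of each accept/drop is exactly what a responder needs. Keep the comment above the rewritten line, e.g. `# Allow from internal network` before `iif $lan accept`, and restore the corresponding ones in the forward chain.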
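Review bot: In the forward chain, `iif $wan drop` now comes before `ct status dnat accept` and `iif $wan ct state related, established accept`, and nftables evaluates a chain's rules in order, so every forwarded packet that arrives on $wan is dropped before either accept rule is reached — replies to LAN-initiated connections and DNAT'd port forwards never make it to the LAN, and the two accept rules are dead code. Keep the blanket drop as the last rule: move `iif $wan drop` below `iif $wan ct state related, established accept`, which is the order the removed lines had. The chain declares no `policy`, so that final drop is the only thing fencing WAN-originated forwards and its position is load-bearing; a comment such as `# Drop any other incoming traffic on wan; must stay last` would make that explicit. Declaring `policy drop;` on the forward chain, mirroring the input chain, would also make a future misordering fail closed instead of depending on a trailing rule.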