diff --git a/roles/alpine/tasks/main.yml b/roles/alpine/tasks/main.yml
index d37b3ed..626ebe6 100644
--- a/roles/alpine/tasks/main.yml
+++ b/roles/alpine/tasks/main.yml
@@ -74,8 +74,8 @@
 - name: Set up firewall
 template:
- dest: /etc/nftables.d/local.nft
- src: local.nft.j2
+ dest: /etc/nftables.d/services.nft
+ src: services.nft.j2
 notify: reload nftables
 - name: Enable firewall
diff --git a/roles/ceph/tasks/firewall.yml b/roles/ceph/tasks/firewall.yml
deleted file mode 100644
index be12d9b..0000000
--- a/roles/ceph/tasks/firewall.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- name: Install nftables
- package:
- name: nftables
-
-- name: Configure nftables
- template:
- dest: /etc/nftables.conf
- src: nftables.conf.j2
- mode: 0644
- notify: reload nftables
-
-- name: Enable nftables
- service:
- name: nftables
- enabled: true
- state: started
diff --git a/roles/ceph/tasks/main.yml b/roles/ceph/tasks/main.yml
index 8f6bdbf..79d515f 100644
--- a/roles/ceph/tasks/main.yml
+++ b/roles/ceph/tasks/main.yml
@@ -3,6 +3,13 @@
 dest: /etc/hosts
 src: hosts.j2
+- name: Configure nftables
+ template:
+ dest: /etc/nftables.d/ceph.nft
+ src: ceph.nft.j2
+ mode: 0644
+ notify: reload nftables
+
 - name: Set up NTP servers
 lineinfile:
 path: /etc/systemd/timesyncd.conf
@@ -38,6 +45,4 @@
 dest: /usr/local/bin/cephadm
 mode: 0755
-- include_tasks: firewall.yml
-
 - include_tasks: cert.yml
diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/ceph.nft.j2
similarity index 65%
rename from roles/ceph/templates/nftables.conf.j2
rename to roles/ceph/templates/ceph.nft.j2
index 254ef49..3c411f5 100644
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/ceph.nft.j2
@@ -1,7 +1,3 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
 table inet filter {
 set cluster {
 type ipv4_addr; flags interval; auto-merge
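Review bot: `src: services.nft.j2` in the alpine role now resolves only through Ansible's fallback lookup in the playbook-adjacent `templates/` directory, because the role's own copy is renamed to `templates/services.nft.j2` at the repository root in this commit; the `Set up local firewall rules` task added to roles/debian/tasks/main.yml has the same implicit dependency. That works while the playbook sits beside that directory and fails with a missing-template error for any other entry point. Making the path explicit, `src: "{{ playbook_dir }}/templates/services.nft.j2"`, or moving the shared template into a small role both roles depend on, removes the guesswork.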
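Review bot: The new `Configure nftables` task in roles/ceph/tasks/main.yml relies on state the ceph role no longer provides itself: the nftables package, the `/etc/nftables.d` directory and the `reload nftables` handler now come from roles/debian, and the hooked `input` chain that this fragment is appended to lives in roles/debian/files/nftables.conf. If the ceph role is ever applied without the debian role having run earlier in the same play, the template fails on the missing directory and the notify errors on an unknown handler. Declaring the dependency in roles/ceph/meta/main.yml, or at least adding a `file: path: /etc/nftables.d, state: directory` step before the template, makes that explicit. Separately, `mode: 0644` is an unquoted octal that ansible-lint flags (risky-octal); write `mode: "0644"`, and the `mode: 0755` context line in the second hunk has the same issue.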
@@ -27,25 +23,6 @@ table inet filter {
 }
 chain input {
- type filter hook input priority filter; policy drop
-
- ct state vmap { invalid : drop, established : accept, related : accept }
- iif lo accept
-
- ip protocol icmp icmp type {
- echo-request, echo-reply, destination-unreachable,
- parameter-problem, time-exceeded,
- } accept comment "accept some ICMPv4"
-
- ip6 nexthdr icmpv6 icmpv6 type {
- echo-request, echo-reply, destination-unreachable,
- packet-too-big, parameter-problem, time-exceeded,
- } accept comment "accept some ICMPv6"
-
- iif mgmt0 ip6 hoplimit 255 ip6 nexthdr icmpv6 icmpv6 type {
- nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert
- } accept comment "accept IPv6 neighbor discovery"
-
 # BGP / BFD sessions
 iif lan0 ip6 saddr fe80::/64 accept
 iif lan1 ip6 saddr fe80::/64 accept
@@ -73,12 +50,4 @@ table inet filter {
 {% endfor %}
 }
-
- chain forward {
- type filter hook forward priority filter; policy accept
- }
-
- chain output {
- type filter hook output priority filter; policy accept
- }
 }
diff --git a/roles/debian/files/nftables.conf b/roles/debian/files/nftables.conf
new file mode 100644
index 0000000..430db42
--- /dev/null
+++ b/roles/debian/files/nftables.conf
@@ -0,0 +1,36 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+ iif lo accept
+
+ ip protocol icmp icmp type {
+ echo-request, echo-reply, destination-unreachable,
+ parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv4"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ echo-request, echo-reply, destination-unreachable,
+ packet-too-big, parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv6"
+
+ ip6 hoplimit 255 ip6 nexthdr icmpv6 icmpv6 type {
+ nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-router-solicit
+ } accept comment "accept IPv6 neighbor discovery"
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept
+ }
+}
+
+include "/etc/nftables.d/*.nft"
diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml
index 49b89db..132491b 100644
--- a/roles/debian/handlers/main.yml
+++ b/roles/debian/handlers/main.yml
@@ -6,6 +6,12 @@
 command: ifreload -a
 when: "'handler' not in ansible_skip_tags"
+- name: reload nftables
+ service:
+ name: nftables
+ state: reloaded
+ when: "'handler' not in ansible_skip_tags"
+
 - name: reload sshd
 service:
 name: sshd
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
index abe41d5..246c126 100644
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@@ -21,6 +21,7 @@
 name:
 - git
 - ifupdown2
+ - nftables
 - rsync
 - vim
 - tmux
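Review bot: The `include "/etc/nftables.d/*.nft"` on the last line is the contract every fragment depends on — a fragment declares `table inet filter { chain input { ... } }` and its rules are appended after the base rules above, before the drop policy applies — yet nothing in the file says so; a comment above the include stating exactly that, plus a matching header in roles/ceph/templates/ceph.nft.j2 saying it must not declare hooks or `flush ruleset` (a flush in a fragment would discard the base rules loaded earlier in the same transaction, and the fragment loaded standalone creates an unhooked chain that sees no traffic), would prevent the obvious regressions. Two behaviour changes against the ruleset the ceph role previously shipped deserve an explicit yes: the neighbor-discovery accept is no longer limited to `iif mgmt0` and now also admits `nd-router-solicit`, and `chain forward` goes from `policy accept` to `policy drop`, which blocks any forwarded traffic on ceph hosts (container bridges, routing) unless a fragment adds forward rules. Because fragments are appended after these rules, a rate-limited log of dropped input cannot be placed in this file; if drop visibility is wanted it has to be a fragment that sorts last in the glob, holding something like `limit rate 5/minute log prefix "nft-input-drop: "`.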
@@ -67,6 +68,29 @@
 value: 'prohibit-password'
 notify: reload sshd
+- name: Set up generic firewall rules
+ copy:
+ dest: /etc/nftables.conf
+ src: nftables.conf
+ notify: reload nftables
+
+- name: Create nftables include directory
+ file:
+ path: /etc/nftables.d
+ state: directory
+
+- name: Set up local firewall rules
+ template:
+ dest: /etc/nftables.d/services.nft
+ src: services.nft.j2
+ notify: reload nftables
+
+- name: Enable firewall
+ service:
+ name: nftables
+ enabled: yes
+ state: started
+
 - name: Run SSH instance in management VRF
 when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
 block:
@@ -90,4 +114,4 @@
 enabled: yes
 notify: reboot
-- meta: flush_handlers
+ - meta: flush_handlers
diff --git a/roles/alpine/templates/local.nft.j2 b/templates/services.nft.j2
similarity index 100%
rename from roles/alpine/templates/local.nft.j2
rename to templates/services.nft.j2
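Review bot: `Set up generic firewall rules` installs a ruleset that begins with `flush ruleset` and hands it straight to the `reload nftables` handler with no syntax check in between; adding `validate: nft -c -f %s` to the `copy` task (and to the `template` task for services.nft if the fragment parses on its own) rejects a broken file before it reaches the handler. The first run of `Enable firewall` starts nftables with `state: started` right after both files are written and before any `meta: flush_handlers`, so whatever services.nft.j2 renders is what protects the session applying it — with the base input policy being drop, the SSH accept must come from that template, which a comment on the task should state: `# services.nft.j2 must accept SSH; the base input policy in nftables.conf is drop`. Style: `enabled: yes` is a YAML 1.1 truthy value that yamllint and ansible-lint both flag, and the deleted roles/ceph/tasks/firewall.yml already used `enabled: true`.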
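Review bot: The re-indented `- meta: flush_handlers` now sits inside the `block:` of `Run SSH instance in management VRF` (that task's opening lines are outside this hunk), so it inherits the task's `when:` on a mgmt-VRF interface; hosts without one no longer flush here, and the `reload nftables` notifications from this role and from roles/ceph are deferred to the end of the play. If the intent was only to flush the `reboot` handler after the VRF SSH change, keeping an unconditional `- meta: flush_handlers` at the role's top level after the block preserves the previous timing for the firewall reload. Whether `flush_handlers` evaluates a block-level `when` at all has varied between Ansible releases, so on older versions the indent change may be a no-op rather than the conditional it reads as — worth a comment either way.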