From 9f83efa53bce9a25265d0c033c1d9d24d1b270f5 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Thu, 26 Oct 2023 21:34:06 +0100
Subject: [PATCH] Use nftables for firewall on ingress

See ya never, iptables!
---
 ansible/galaxy-requirements.yml | 1 -
 ansible/group_vars/all/network.yml | 1 +
 ansible/main.yml | 2 --
 ansible/roles/base/vars/main.yml | 1 -
 ansible/roles/ingress/files/nftables.conf | 33 +++++++++++++++++++++++
 ansible/roles/ingress/handlers/main.yml | 8 ++++++
 ansible/roles/ingress/tasks/firewall.yml | 19 +++++++++++++
 ansible/roles/ingress/tasks/main.yml | 3 +++
 ansible/roles/nebula/tasks/main.yml | 11 --------
 9 files changed, 64 insertions(+), 15 deletions(-)
 delete mode 100644 ansible/roles/base/vars/main.yml
 create mode 100644 ansible/roles/ingress/files/nftables.conf
 create mode 100644 ansible/roles/ingress/tasks/firewall.yml

diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml
index 5d7ed8e..0f62e27 100644
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@@ -13,7 +13,6 @@ roles:
 - src: realorangeone.reflector
 - src: ironicbadger.proxmox_nag_removal
 version: 1.0.2
-- src: chmduquesne.iptables_persistent
 - src: ironicbadger.snapraid
 version: 1.0.0
 - src: dokku_bot.ansible_dokku
diff --git a/ansible/group_vars/all/network.yml b/ansible/group_vars/all/network.yml
index 878ea3a..46c9de9 100644
--- a/ansible/group_vars/all/network.yml
+++ b/ansible/group_vars/all/network.yml
@@ -1 +1,2 @@
 private_ip: "{{ nebula.clients[hostname_slug].ip }}"
+ssh_port: 7743
diff --git a/ansible/main.yml b/ansible/main.yml
index a5b27ef..f8e7618 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -70,8 +70,6 @@
 
 - hosts: ingress
 roles:
-- role: chmduquesne.iptables_persistent
-become: true
 - role: nginxinc.nginx # The nginx in debian's repos is very old
 become: true
 - ingress
diff --git a/ansible/roles/base/vars/main.yml b/ansible/roles/base/vars/main.yml
deleted file mode 100644
index df90549..0000000
--- a/ansible/roles/base/vars/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-ssh_port: 7743
diff --git a/ansible/roles/ingress/files/nftables.conf b/ansible/roles/ingress/files/nftables.conf
new file mode 100644
index 0000000..1b8c5b0
--- /dev/null
+++ b/ansible/roles/ingress/files/nftables.conf
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+chain input {
+type filter hook input priority 0
+policy drop
+
+ct state {established, related} counter accept
+
+iif lo accept
+
+tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
+}
+
+chain POSTROUTING {
+type nat hook postrouting priority srcnat
+policy accept
+
+# NAT - because the proxmox machines may not have routes back
+ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+}
+
+chain FORWARD {
+type filter hook forward priority mangle
+policy drop
+
+# Allow traffic from nebula to proxmox network
+ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+}
+}
diff --git a/ansible/roles/ingress/handlers/main.yml b/ansible/roles/ingress/handlers/main.yml
index c6f45b7..741b4e8 100644
--- a/ansible/roles/ingress/handlers/main.yml
+++ b/ansible/roles/ingress/handlers/main.yml
@@ -9,3 +9,11 @@
 name: nginx
 state: restarted
 become: true
+
+- name: reload nftables
+command:
+argv:
+- nft
+- -f
+- /etc/nftables.conf
+become: true
diff --git a/ansible/roles/ingress/tasks/firewall.yml b/ansible/roles/ingress/tasks/firewall.yml
new file mode 100644
index 0000000..84424a1
--- /dev/null
+++ b/ansible/roles/ingress/tasks/firewall.yml
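Review bot: With `policy drop` on the `inet` input chain and no ICMP rule, the new nftables.conf discards all ICMPv6 (IPv6 neighbour discovery and router advertisements stop working on the host) as well as the ICMP errors that path-MTU discovery depends on, and it never drops `ct state invalid`, so such packets fall through to the port match. I'd add `ct state invalid drop` right after the `established, related` rule and `meta l4proto {icmp, icmpv6} accept` before the `tcp dport` line. Nothing in the chain accepts UDP, so if nebula on this host has to receive inbound packets on its listen port rather than only initiate them, that port needs a rule too — I can't tell from this patch which applies. Minor style: `priority mangle` on a filter-type forward chain and the upper-case `POSTROUTING`/`FORWARD` names read as iptables carry-overs; `priority filter` and lower-case names would match the `input` chain.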
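Review bot: The handler added here is named `reload nftables`, but the `Copy firewall config` task in the ansible/roles/ingress/tasks/firewall.yml hunk notifies `reload firewall`, so the two never connect: as far as I recall Ansible aborts with an unknown-handler error when the template task reports changed, and at best a changed config would never be loaded into the running ruleset. Rename one side, e.g. `notify: reload nftables` in firewall.yml. Since the template task already validates with `nft -c -f`, the handler could alternatively be `service: name: nftables state: reloaded`, keeping the systemd unit as the single loader of /etc/nftables.conf, though the explicit `nft -f` works as well.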
@@ -0,0 +1,19 @@
+- name: Install nftables
+package:
+name: nftables
+become: true
+
+- name: Copy firewall config
+template:
+src: files/nftables.conf
+dest: /etc/nftables.conf
+validate: nft -c -f %s
+become: true
+notify: reload firewall
+
+- name: Enable nftables
+service:
+name: nftables
+enabled: true
+state: started
+become: true
diff --git a/ansible/roles/ingress/tasks/main.yml b/ansible/roles/ingress/tasks/main.yml
index 3bdbc3c..df48c9b 100644
--- a/ansible/roles/ingress/tasks/main.yml
+++ b/ansible/roles/ingress/tasks/main.yml
@@ -3,3 +3,6 @@
 
 - name: Configure nginx
 include_tasks: nginx.yml
+
+- name: Configure firewall
+include_tasks: firewall.yml
diff --git a/ansible/roles/nebula/tasks/main.yml b/ansible/roles/nebula/tasks/main.yml
index c24112b..1c1d055 100644
--- a/ansible/roles/nebula/tasks/main.yml
+++ b/ansible/roles/nebula/tasks/main.yml
@@ -53,14 +53,3 @@
 name: nebula
 enabled: true
 become: true
-
-- name: Enable unsafe routing
-iptables:
-table: nat
-chain: POSTROUTING
-out_interface: ens18
-source: "{{ nebula.cidr }}"
-jump: MASQUERADE
-notify: persist iptables
-become: true
-when: ansible_hostname == "ingress"
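Review bot: `Copy firewall config` renders the file through `template:` yet ships it under `files/` without a `.j2` suffix, which hides that it contains Jinja (`{{ ssh_port }}`, `{{ nebula.cidr }}`) and relies on `template` falling back from the role's `templates/` directory to the role root — I believe that fallback exists, but moving the file to `templates/nftables.conf.j2` with `src: nftables.conf.j2` removes the dependency on it. The `validate: nft -c -f %s` step is worth keeping, since it fails the task instead of writing a config the service would then refuse to load; note it only checks syntax, so an `ssh_port` that does not match sshd's listen port still locks new sessions out while the current one survives on the `established, related` rule.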