Use nftables for firewall on ingress

See ya never, iptables!
Jake Howard 2023-10-26 21:34:06 +01:00
parent 54e2205e48
commit 9f83efa53b
Signed by: jake
GPG key ID: 57AFB45680EDD477
9 changed files with 64 additions and 15 deletions


@ -13,7 +13,6 @@ roles:
- src: realorangeone.reflector
- src: ironicbadger.proxmox_nag_removal
version: 1.0.2
- src: chmduquesne.iptables_persistent
- src: ironicbadger.snapraid
version: 1.0.0
- src: dokku_bot.ansible_dokku


@ -1 +1,2 @@
private_ip: "{{ nebula.clients[hostname_slug].ip }}"
ssh_port: 7743


@ -70,8 +70,6 @@
- hosts: ingress
roles:
- role: chmduquesne.iptables_persistent
become: true
- role: nginxinc.nginx # The nginx in debian's repos is very old
become: true
- ingress


@ -1 +0,0 @@
ssh_port: 7743


@ -0,0 +1,33 @@
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0
policy drop
ct state {established, related} counter accept
iif lo accept
tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
}
chain POSTROUTING {
type nat hook postrouting priority srcnat
policy accept
# NAT - because the proxmox machines may not have routes back
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
}
chain FORWARD {
type filter hook forward priority mangle
policy drop
# Allow traffic from nebula to proxmox network
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
}
}
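Review bot: The input chain (`policy drop`) never accepts ICMP or ICMPv6, so on this `inet` table the host will drop IPv6 neighbour discovery and router advertisements along with path-MTU discovery and ping for both families; add `meta l4proto {icmp, ipv6-icmp} accept` next to `iif lo accept`, and a `ct state invalid drop` ahead of the established/related rule is the usual companion. The forward chain registers on the filter hook with `priority mangle` (-150); it works, since conntrack runs at -200, but `priority filter` is the conventional value for a filter chain and states the intent. Note that `flush ruleset` on every reload also discards tables maintained by other software on the host (Docker inserts its own if dokku ends up on ingress), which is worth confirming before relying on this file as the only source of rules. If the ingress host is also meant to accept inbound nebula handshakes (e.g. as a lighthouse), nothing here opens that UDP port — presumably intended, but worth a comment in the file.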


@ -9,3 +9,11 @@
name: nginx
state: restarted
become: true
- name: reload nftables
command:
argv:
- nft
- -f
- /etc/nftables.conf
become: true
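Review bot: The handler runs `nft -f /etc/nftables.conf` through `command`, bypassing the nftables unit that the same commit enables; `service: name: nftables, state: reloaded` would go through the unit's own reload action (on Debian that is the same nft -f invocation, as far as I recall) and keep systemd's view of the service consistent. Either way the reload is atomic because nft applies the file as one transaction, so this is a style point rather than a defect. The enclosing handlers list starts outside the hunk.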


@ -0,0 +1,19 @@
- name: Install nftables
package:
name: nftables
become: true
- name: Copy firewall config
template:
src: files/nftables.conf
dest: /etc/nftables.conf
validate: nft -c -f %s
become: true
notify: reload firewall
- name: Enable nftables
service:
name: nftables
enabled: true
state: started
become: true
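Review bot: `notify: reload firewall` on the template task does not match the handler this commit adds, which is named `reload nftables`; unless an existing handler outside the visible hunk carries that name, Ansible will abort the play with "requested handler not found" and the role cannot run as written. Change it to `notify: reload nftables` (or rename the handler). The `validate: nft -c -f %s` check is a good safeguard, but it only parses the file — a wrong `ssh_port` still locks you out once the handler loads the drop-policy ruleset, so keep console access for the first run.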


@ -3,3 +3,6 @@
- name: Configure nginx
include_tasks: nginx.yml
- name: Configure firewall
include_tasks: firewall.yml


@ -53,14 +53,3 @@
name: nebula
enabled: true
become: true
- name: Enable unsafe routing
iptables:
table: nat
chain: POSTROUTING
out_interface: ens18
source: "{{ nebula.cidr }}"
jump: MASQUERADE
notify: persist iptables
become: true
when: ansible_hostname == "ingress"