init
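--- /dev/null
+++ b/ansible/roles/harden/nftables/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: validate nftables config
+  ansible.builtin.command:
+    cmd: nft -c -f /etc/nftables.conf
+  listen: apply nftables
+  changed_when: false
+
+- name: reload nftables
+  ansible.builtin.systemd:
+    name: nftables
+    state: reloaded
+  listen: apply nftables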
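Review bot: Both handlers listen on `apply nftables`, and the syntax check only runs before the reload because it happens to be defined first in this file; nothing in the code records that ordering dependency. A comment above `- name: validate nftables config` such as `# Keep this handler first: handlers on the same listen topic run in definition order, so the ruleset is checked before systemd reloads it` would protect it from a careless reorder. It is also worth noting in the same comment that a validation failure stops the play on that host, which is the intended safety net since `nft -c` never touches the live ruleset.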
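--- /dev/null
+++ b/ansible/roles/harden/nftables/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: install nftables
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    update_cache: true
+  notify: apply nftables
+
+- name: deploy nftables config
+  ansible.builtin.template:
+    src: "{{ nftables_conf_name }}"
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: apply nftables
+
+- name: enable and start nftables service
+  ansible.builtin.systemd:
+    name: nftables
+    enabled: true
+    state: started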
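Review bot: The `deploy nftables config` task writes `/etc/nftables.conf` with no `validate:` step, and `enable and start nftables service` runs before the handlers flush at end of play, so on a first run the service is started from a ruleset that has not yet been syntax-checked; the handler only catches a broken file after it is already on disk. Adding `validate: nft -c -f %s` to the template task rejects a bad render before it replaces the existing config. Consider `backup: true` alongside it so the previous ruleset can be restored after a lockout, and a comment stating that `nftables_conf_name` (defined outside this commit, presumably in role defaults or host vars) must match one of the template file names in this role.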
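--- /dev/null
+++ b/ansible/roles/harden/nftables/templates/proxmox-nftables.j2
@@ -0,0 +1,36 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy drop;
+
+        iif "lo" accept
+        ct state established,related accept
+
+        # SSH
+        tcp dport {{ ssh_port }} accept
+
+        # ICMP
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+
+        # Proxmox Web/API (LAN only)
+        ip saddr 192.168.0.0/24 tcp dport 8006 accept
+
+        # NTP
+        ip saddr 192.168.0.0/24 udp dport {{ ntp_port }} accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        policy drop;
+    }
+
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}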
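Review bot: The forward chain is `policy drop` with no rules, which on a Proxmox host may cut connectivity for bridged guests if `br_netfilter` is loaded (bridged IP traffic then traverses the inet forward hook), and `flush ruleset` also removes any tables pve-firewall has installed; both interactions should be verified on a host before this template is deployed. The LAN prefix `192.168.0.0/24` is hard-coded twice (the 8006 rule and the NTP rule) while `ssh_port` and `ntp_port` are templated; hoisting it into a role variable (e.g. `{{ lan_cidr }}`, a new variable) keeps the two rules consistent and stops the template being site-specific. SSH on `{{ ssh_port }}` is reachable from any source while the web UI is LAN-restricted; if that asymmetry is intentional, a comment saying so next to the `# SSH` rule would help.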
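--- /dev/null
+++ b/ansible/roles/harden/nftables/templates/vm-nftables.conf.j2
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy drop;
+
+        iif "lo" accept
+        ct state established,related accept
+
+        # SSH
+        tcp dport {{ ssh_port }} accept
+
+        # udp dport {{ ntp_port }} accept
+
+        # ICMP
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        policy drop;
+    }
+
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}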
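Review bot: The disabled NTP rule `# udp dport {{ ntp_port }} accept` is an nft comment but not a Jinja comment, so `{{ ntp_port }}` is still evaluated at render time and a host without `ntp_port` defined fails the template task. Either drop the line or turn it into a Jinja comment, `{# udp dport {{ ntp_port }} accept #}`, so the rendered file carries no dependency on the variable. The two templates also use different naming (`proxmox-nftables.j2` vs `vm-nftables.conf.j2`); since `nftables_conf_name` must match one of them exactly, aligning the names removes a likely misconfiguration.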