init

2026-02-19 11:34:13 +00:00
commit f243f440c3
191 changed files with 6183 additions and 0 deletions
--- a/ansible/roles/harden/nftables/templates/proxmox-nftables.j2
+++ b/ansible/roles/harden/nftables/templates/proxmox-nftables.j2
@@ -0,0 +1,36 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy drop;
+
+        iif "lo" accept
+        ct state established,related accept
+
+        # SSH
+        tcp dport {{ ssh_port }} accept
+
+        # ICMP
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+
+        # Proxmox Web/API (LAN only)
+        ip saddr 192.168.0.0/24 tcp dport 8006 accept
+
+        # NTP
+        ip saddr 192.168.0.0/24 udp dport {{ ntp_port }} accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        policy drop;
+    }
+
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}
--- a/ansible/roles/harden/nftables/templates/vm-nftables.conf.j2
+++ b/ansible/roles/harden/nftables/templates/vm-nftables.conf.j2
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy drop;
+
+        iif "lo" accept
+        ct state established,related accept
+
+        # SSH
+        tcp dport {{ ssh_port }} accept
+
+        # udp dport {{ ntp_port }} accept
+
+        # ICMP
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        policy drop;
+    }
+
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}