Refactor firewall to use nftables (#2)

* Refactor firewall to use nftables * Fix module name * Avoid running the nftables role twice * Fix invalid subnet definition * Fix invalid nftables rule
ffddorf · Dec 4, 2023 · 94ed0f0 · 94ed0f0
1 parent f4e8336
commit 94ed0f0
Show file tree

Hide file tree

Showing 8 changed files with 62 additions and 43 deletions.
diff --git a/roles/gateway/handlers/main.yaml b/roles/gateway/handlers/main.yaml
@@ -8,7 +8,7 @@
     name: dnsmasq
     state: restarted
 
-- name: restart netfilter-persistent
+- name: reload nftables
   ansible.builtin.service:
-    name: netfilter-persistent
-    state: restarted
+    name: nftables
+    state: reloaded
diff --git a/roles/gateway/tasks/main.yaml b/roles/gateway/tasks/main.yaml
@@ -24,25 +24,13 @@
     dest: /etc/dnsmasq.conf
   notify: restart dnsmasq
 
-- name: Install firewall helper
+- name: (cleanup) Uninstall firewall helper
   ansible.builtin.package:
     name: iptables-persistent
-    state: present
-
-- name: Configure IPv4 firewall rules
-  ansible.builtin.template:
-    src: firewall.v4.j2
-    dest: /etc/iptables/rules.v4
-  notify: restart netfilter-persistent
+    state: absent
 
-- name: Configure IPv6 firewall rules
+- name: Configure firewall rules
   ansible.builtin.template:
-    src: firewall.v6.j2
-    dest: /etc/iptables/rules.v6
-  notify: restart netfilter-persistent
-
-- name: Enable firewall helper
-  ansible.builtin.service:
-    name: netfilter-persistent
-    state: started
-    enabled: true
+    src: firewall.nft.j2
+    dest: /etc/nftables.d/firewall.nft
+  notify: reload nftables
diff --git a/roles/gateway/templates/firewall.nft.j2 b/roles/gateway/templates/firewall.nft.j2
@@ -0,0 +1,22 @@
+define client_subnet = {{ gateway_ipv4_address | ansible.utils.ipaddr('network/prefix') }}
+
+table inet filter {
+  chain forward {
+    type filter hook forward priority 0; policy drop;
+
+    # reject SMTP
+    tcp dport 25 reject with icmp type port-unreachable
+
+    # limit routed traffic to ip subnet
+    iif br0 ip saddr $client_subnet accept
+    oif br0 ip daddr $client_subnet accept
+  }
+}
+
+table inet nat {
+  chain postrouting {
+    type nat hook postrouting priority 0;
+
+    ip saddr $client_subnet oif eth0 snat to {{ service_ipv4_address | ipaddr('address') }}
+  }
+}
diff --git a/roles/gateway/templates/firewall.v4.j2 b/roles/gateway/templates/firewall.v4.j2
diff --git a/roles/gateway/templates/firewall.v6.j2 b/roles/gateway/templates/firewall.v6.j2
diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: reload nftables
+  ansible.builtin.service:
+    name: nftables
+    state: reloaded
diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml
@@ -0,0 +1,26 @@
+- name: Install nftables
+  ansible.builtin.package:
+    name: nftables
+    state: present
+
+- name: Uninstall iptables
+  ansible.builtin.package:
+    name: iptables
+    state: absent
+
+- name: Create rule dir
+  ansible.builtin.file:
+    path: /etc/nftables.d
+    state: directory
+
+- name: Setup rule loading
+  ansible.builtin.lineinfile:
+    path: /etc/nftables.conf
+    line: include "/etc/nftables.d/*"
+  notify: reload nftables
+
+- name: Enable rule loading
+  ansible.builtin.service:
+    name: nftables
+    state: started
+    enabled: true
diff --git a/site.yml b/site.yml
@@ -3,6 +3,7 @@
   become: true
   roles:
     - { role: kernel-full, tags: kernel-full }
+    - { role: nftables, tags: nftables }
     - { role: service-ip, tags: service-ip }
     - { role: fastd, tags: fastd }
     - { role: batman, tags: batman }