Setup nftables

ooni · Jun 29, 2020 · 1fee3d5 · 1fee3d5
1 parent e742b45
commit 1fee3d5
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 0 deletions.
diff --git a/ansible/roles/nftables/README.adoc b/ansible/roles/nftables/README.adoc
@@ -0,0 +1,25 @@
+Install nftables based firewall
+
+Set up /etc/ooni/nftables/
+
+Rules for specific services are *not* configured by this role
+
+When creating rules to accept TCP traffic from any IPv4/6 address,
+files are named with the port number to detect collisions.
+
+Example:
+
+/etc/ooni/nftables/tcp/8080.nft
+
+```
+add rule inet filter input tcp dport 8080 counter accept comment "MyService"
+```
+
+
+Otherwise:
+
+/etc/ooni/nftables/tcp/5432_postgres_internal.nft
+
+```
+add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 5432 counter accept comment "Internal PostgreSQL"
+```
diff --git a/ansible/roles/nftables/tasks/main.yml b/ansible/roles/nftables/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Install nftables
+  apt:
+    cache_valid_time: 86400
+    name: nftables
+
+- name: create config dir
+  file:
+    path: /etc/ooni/nftables/tcp
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: allow SSH
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/22.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 22 counter accept comment "Incoming SSH"
+
+- name: Overwrite nftables.conf
+  template:
+    src: templates/nftables.conf
+    dest: /etc/nftables.conf
+    mode: 0755
+    owner: root
+
+- name: Enable and start nftables service
+  systemd:
+    name: nftables.service
+    state: reloaded
+    enabled: yes
+
diff --git a/ansible/roles/nftables/templates/nftables.conf b/ansible/roles/nftables/templates/nftables.conf
@@ -0,0 +1,37 @@
+#!/usr/sbin/nft -f
+#
+# Nftables configuration script
+#
+# Managed by ansible
+# roles/nftables/templates/nftables.conf
+#
+# The ruleset is applied atomically
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+    policy drop;
+    iif lo accept comment "Accept incoming traffic from localhost"
+    ct state invalid drop
+    ct state established,related accept comment "Accept traffic related to outgoing connections"
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+    policy accept;
+  }
+
+  chain output {
+    type filter hook output priority 0;
+    policy accept;
+  }
+}
+
+# Configure TCP traffic rules
+include "/etc/ooni/nftables/tcp/*.nft"
+
+# Configure any other rule
+include "/etc/ooni/nftables/*.nft"
+
diff --git a/ansible/roles/postgresql11/meta/main.yml b/ansible/roles/postgresql11/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
   - role: base-buster
+  - role: nftables