-
Notifications
You must be signed in to change notification settings - Fork 26
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Federico Ceratto
committed
Jun 29, 2020
1 parent
e742b45
commit 363588f
Showing
4 changed files
with
86 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| Install nftables based firewall | ||
|
|
||
| Set up /etc/ooni/nftables/ | ||
|
|
||
| Rules for specific services are *not* configured by this role | ||
|
|
||
| When creating rules to accept TCP traffic from any IPv4/6 address, | ||
| files are named with the port number to detect collisions. | ||
|
|
||
| Example: | ||
|
|
||
| /etc/ooni/nftables/tcp/8080.nft | ||
|
|
||
| ``` | ||
| add rule inet filter input tcp dport 8080 counter accept comment "MyService" | ||
| ``` | ||
|
|
||
|
|
||
| Otherwise: | ||
|
|
||
| /etc/ooni/nftables/tcp/5432_postgres_internal.nft | ||
|
|
||
| ``` | ||
| add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 5432 counter accept comment "Internal PostgreSQL" | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| --- | ||
| - name: Install nftables | ||
| apt: | ||
| cache_valid_time: 86400 | ||
| name: nftables | ||
|
|
||
| - name: create config dir | ||
| file: | ||
| path: /etc/ooni/nftables/tcp | ||
| state: directory | ||
| owner: root | ||
| group: root | ||
| mode: 0755 | ||
|
|
||
| - name: allow SSH | ||
| blockinfile: | ||
| path: /etc/ooni/nftables/tcp/22.nft | ||
| block: | | ||
| add rule inet filter input tcp dport 22 counter accept comment "Incoming SSH" | ||
| - name: Enable and start nftables service | ||
| systemd: | ||
| name: nftables.service | ||
| state: started | ||
| enabled: yes | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| #!/usr/sbin/nft -f | ||
| # | ||
| # Nftables configuration script | ||
| # | ||
| # Managed by ansible | ||
| # roles/nftables/templates/nftables.conf | ||
| # | ||
| # The ruleset is applied atomically | ||
|
|
||
| flush ruleset | ||
|
|
||
| table inet filter { | ||
| chain input { | ||
| type filter hook input priority filter; policy drop; | ||
| iif lo accept comment "Accept incoming traffic from localhost" | ||
| ct state invalid drop | ||
| ct state established,related accept comment "Accept traffic related to outgoing connections" | ||
| } | ||
|
|
||
| chain forward { | ||
| type filter hook forward priority filter; policy accept; | ||
| } | ||
|
|
||
| chain output { | ||
| type filter hook output priority filter; policy accept; | ||
| } | ||
| } | ||
|
|
||
| # Configure TCP traffic rules | ||
| include "/etc/ooni/nftables/tcp/*.nft" | ||
|
|
||
| # Configure any other rule | ||
| include "/etc/ooni/nftables/*.nft" | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,4 @@ | ||
| --- | ||
| dependencies: | ||
| - role: base-buster | ||
| - role: nftables |