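---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
#
# ipr-cnrs.nftables default variables [[[
# =======================================

# Packages and installation [[[
# -----------------------------

# .. envvar:: nft_enabled [[[
#
# Enable or disable support for Nftables on a given host. Disabling this
# option does not remove existing installation and configuration, so a
# ruleset already deployed by this role stays in place until removed by hand.
#
nft_enabled: true

# ]]]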
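# packages
#
# State of the nftables package ('present' or 'absent').
nft_pkg_state: 'present'

# Legacy packet-filter package(s) managed alongside nftables. With
# nft_old_pkg_manage enabled the role puts nft_old_pkg_list into
# nft_old_pkg_state, i.e. by default the 'iptables' package is REMOVED.
# Verify that no iptables rules are still relied upon on the host before
# applying the role with these defaults.
nft_old_pkg_list: 'iptables'
nft_old_pkg_state: 'absent'
nft_old_pkg_manage: true

# files
#
# Main ruleset file and the directory holding the per-chain fragments.
# Each *_conf_content variable names a Jinja2 template (relative to the
# role's templates directory, presumably) rendered into the matching
# *_conf_path.
nft_conf_dir_path: '/etc/nftables.d'
nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2'
# input chain
nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
# output chain
nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
# 'define' statements (see nft_define_*)
nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
# sets and maps (see nft_set_*)
nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'

# ]]]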
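# rules
#
# Rules are grouped under numerically prefixed keys; the prefix presumably
# fixes the order in which the groups are rendered into the chain, so keep
# any new group numbered relative to the existing ones. The *_default_rules
# dicts are the role's baseline; nft_*_rules, nft_*_group_rules and
# nft_*_host_rules are the playbook-, group- and host-level additions (how
# they are merged with the defaults happens in the templates, not here).
#
# "global" chain: jumped to from both the input and the output chain.
nft_global_default_rules:
  005 state management:
    # Accept packets belonging to, or related to, an already tracked
    # connection, then drop what conntrack classifies as invalid.
    - ct state established,related accept
    - ct state invalid drop
nft_global_rules: {}
nft_global_group_rules: {}
nft_global_host_rules: {}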
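nft_input_default_rules:
  000 policy:
    # Default-deny: anything not explicitly accepted below is dropped.
    - type filter hook input priority 0; policy drop;
  005 global:
    - jump global
  010 drop unwanted:
    # Packets addressed to the 'blackhole' set (IPv4 broadcast/multicast by
    # default, see nft_set_default) are counted and dropped. The set is of
    # type ipv4_addr, so IPv6 multicast destinations are not covered here.
    - ip daddr @blackhole counter drop
  015 localhost:
    - iif lo accept
  # NOTE(review): unlike the output chain, no ICMP / ICMPv6 is accepted on
  # input. With 'policy drop' that blocks inbound ping and, more
  # importantly, IPv6 neighbour discovery / router advertisements that are
  # not part of a tracked flow. Confirm IPv6 connectivity on hosts using
  # this default, or add an icmpv6 accept group (e.g. "050 icmp").
  200 input udp accepted:
    # Only *new* flows to the listed ports; replies are handled in 'global'.
    - udp dport @in_udp_accept ct state new accept
  210 input tcp accepted:
    - tcp dport @in_tcp_accept ct state new accept
nft_input_rules: {}
nft_input_group_rules: {}
nft_input_host_rules: {}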
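nft_output_default_rules:
  000 policy:
    # Egress is default-deny too: outbound connections must match one of
    # the accept groups below.
    - type filter hook output priority 0; policy drop;
  005 global:
    - jump global
  015 localhost:
    - oif lo accept
  050 icmp:
    # All outbound ICMP and ICMPv6 is accepted (outbound neighbour discovery
    # relies on the latter); only the ICMPv6 rule carries a counter.
    - ip protocol icmp accept
    - ip6 nexthdr icmpv6 counter accept
  200 output udp accepted:
    # Only *new* flows to the listed ports; replies are handled in 'global'.
    - udp dport @out_udp_accept ct state new accept
  210 output tcp accepted:
    - tcp dport @out_tcp_accept ct state new accept
nft_output_rules: {}
nft_output_group_rules: {}
nft_output_host_rules: {}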
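# define nft vars
#
# Each entry becomes an nftables 'define <name> = <value>', referenced as
# $name by the sets below. 'desc' is an optional human-readable description.
# A value of 'none' (in_udp_accept) is presumably special-cased by the
# template so that no elements are emitted — verify there before relying on
# it.
nft_define_default:
  broadcast and multicast:
    desc: 'broadcast and multicast'
    # Destinations dropped via the 'blackhole' set: IPv4 limited broadcast,
    # all-hosts multicast (224.0.0.1) and mDNS (224.0.0.251).
    name: badcast_addr
    value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
  input tcp accepted:
    # Inbound TCP services accepted by default: SSH only.
    name: in_tcp_accept
    value: '{ ssh }'
  input udp accepted:
    # No inbound UDP service is accepted by default.
    name: in_udp_accept
    value: 'none'
  output tcp accepted:
    # Outbound TCP: HTTP, HTTPS and HKP (PGP keyserver, tcp/11371).
    name: out_tcp_accept
    value: '{ http, https, hkp }'
  output udp accepted:
    # Outbound UDP: DHCP (bootps), DNS and NTP.
    name: out_udp_accept
    value: '{ bootps, domain, ntp }'
nft_define: {}
nft_define_group: {}
nft_define_host: {}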
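# sets and maps
#
# Each key becomes a named set in the ruleset; the list items are the set's
# body statements. 'flags interval' lets the service sets hold port ranges.
# Elements reference the $defines above, so a define and its set must be
# overridden together.
nft_set_default:
  blackhole:
    # IPv4 destinations dropped by the input chain ('010 drop unwanted').
    - type ipv4_addr;
    - elements = $badcast_addr
  in_tcp_accept:
    - type inet_service; flags interval;
    - elements = $in_tcp_accept
  in_udp_accept:
    # Deliberately has no elements (in_udp_accept is defined as 'none'):
    # nothing inbound over UDP is accepted until a group/host adds some.
    - type inet_service; flags interval;
  out_tcp_accept:
    - type inet_service; flags interval;
    - elements = $out_tcp_accept
  out_udp_accept:
    - type inet_service; flags interval;
    - elements = $out_udp_accept
nft_set: {}
nft_set_group: {}
nft_set_host: {}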
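# service
#
# Whether the role manages the nftables service, its name, and whether it is
# enabled at boot.
nft_service_manage: true
nft_service_name: 'nftables'
nft_service_enabled: true
# NOTE(review): the unit is written to /lib/systemd/system, i.e. over the
# distribution's own file, which a package upgrade can overwrite silently.
# Consider '/etc/systemd/system/nftables.service' (or a drop-in) if the
# rendered unit must take precedence over the packaged one.
nft_service_unit_path: '/lib/systemd/system/nftables.service'
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
# Presumably toggles fail2ban-related handling of the service; the effect
# lives in the role's tasks/templates, not visible here. Note the double
# underscore: this variable does not follow the nft_* naming of the rest of
# the file, so check spelling when overriding it.
nft__fail2ban_service: false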