2017-08-07 12:09:13 +02:00
|
|
|
|
---
|
2018-05-16 14:38:33 +02:00
|
|
|
|
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
|
|
|
|
|
|
#
|
|
|
|
|
|
# ipr-cnrs.nftables default variables [[[
|
|
|
|
|
|
# =======================================
|
|
|
|
|
|
|
|
|
|
|
|
# Packages and installation [[[
|
|
|
|
|
|
# -----------------------------
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_enabled [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Enable or disable support for Nftables on a given host. Disabling this
|
|
|
|
|
|
# option does not remove existing installation and configuration.
|
|
|
|
|
|
#
|
|
|
|
|
|
nft_enabled: true
|
|
|
|
|
|
|
|
|
|
|
|
# ]]]
|
2017-08-07 12:09:13 +02:00
|
|
|
|
|
|
|
|
|
|
# packages
|
2018-07-25 15:09:04 +02:00
|
|
|
|
nft_pkg_state: 'present'
|
2017-08-18 09:25:28 +02:00
|
|
|
|
nft_old_pkg_list: 'iptables'
|
|
|
|
|
|
nft_old_pkg_state: 'absent'
|
|
|
|
|
|
nft_old_pkg_manage: true
|
2017-08-07 13:48:54 +02:00
|
|
|
|
|
2017-08-09 14:27:07 +02:00
|
|
|
|
# files
|
2017-08-18 09:18:43 +02:00
|
|
|
|
nft_conf_dir_path: '/etc/nftables.d'
|
2017-08-07 13:48:54 +02:00
|
|
|
|
nft_main_conf_path: '/etc/nftables.conf'
|
|
|
|
|
|
nft_main_conf_content: 'etc/nftables.conf.j2'
|
2017-08-18 09:18:43 +02:00
|
|
|
|
nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
|
2017-08-09 11:18:49 +02:00
|
|
|
|
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
|
2017-08-18 09:18:43 +02:00
|
|
|
|
nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
|
2017-08-09 11:18:49 +02:00
|
|
|
|
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
|
2017-08-18 09:18:43 +02:00
|
|
|
|
nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'
|
2017-08-08 12:11:58 +02:00
|
|
|
|
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
2017-08-18 09:18:43 +02:00
|
|
|
|
nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
|
2017-08-09 11:18:49 +02:00
|
|
|
|
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
|
2017-08-07 14:14:14 +02:00
|
|
|
|
|
2018-05-16 14:38:33 +02:00
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# Nftables global rules [[[
|
|
|
|
|
|
# -------------------------
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_global_default_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for all hosts
|
|
|
|
|
|
# inherited from this role.
|
2017-08-07 17:07:35 +02:00
|
|
|
|
nft_global_default_rules:
|
2017-08-09 14:56:20 +02:00
|
|
|
|
005 state management:
|
2017-08-07 17:07:35 +02:00
|
|
|
|
- ct state established,related accept
|
|
|
|
|
|
- ct state invalid drop
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_global_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for all hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
2018-08-06 15:09:20 +02:00
|
|
|
|
nft_global_rules: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_global_group_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for hosts in
|
|
|
|
|
|
# specific Ansible inventory group.
|
2017-08-07 17:07:35 +02:00
|
|
|
|
nft_global_group_rules: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_global_host_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for specific hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
2017-08-07 17:07:35 +02:00
|
|
|
|
nft_global_host_rules: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2019-04-16 11:50:30 +02:00
|
|
|
|
# .. envvar:: nft__custom_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Custom content (tables, include,…) to add in Nftables configuration.
|
|
|
|
|
|
nft__custom_content: ''
|
|
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# Nftables vars definition [[[
|
|
|
|
|
|
# ----------------------------
|
2017-08-08 14:53:29 +02:00
|
|
|
|
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# These lists allow to define some vars that can be used in nftables rules.
|
|
|
|
|
|
# See the official Nftables wiki page for more informations and examples :
|
|
|
|
|
|
# https://wiki.nftables.org/wiki-nftables/index.php/Scripting#Defining_variables
|
2017-08-07 17:07:35 +02:00
|
|
|
|
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# .. envvar:: nft_define_default [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for all hosts inherited from this role.
|
2017-08-08 12:11:58 +02:00
|
|
|
|
nft_define_default:
|
|
|
|
|
|
broadcast and multicast:
|
|
|
|
|
|
desc: 'broadcast and multicast'
|
|
|
|
|
|
name: badcast_addr
|
|
|
|
|
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
2017-08-09 17:14:26 +02:00
|
|
|
|
input tcp accepted:
|
2018-01-05 15:01:30 +01:00
|
|
|
|
name: in_tcp_accept
|
2017-08-09 17:14:26 +02:00
|
|
|
|
value: '{ ssh }'
|
|
|
|
|
|
input udp accepted:
|
2018-01-05 15:01:30 +01:00
|
|
|
|
name: in_udp_accept
|
2017-08-09 17:14:26 +02:00
|
|
|
|
value: 'none'
|
2017-08-09 14:56:20 +02:00
|
|
|
|
output tcp accepted:
|
2018-01-05 15:01:30 +01:00
|
|
|
|
name: out_tcp_accept
|
2017-08-11 13:46:50 +02:00
|
|
|
|
value: '{ http, https, hkp }'
|
2017-08-09 14:56:20 +02:00
|
|
|
|
output udp accepted:
|
2018-01-05 15:01:30 +01:00
|
|
|
|
name: out_udp_accept
|
2017-08-09 14:56:20 +02:00
|
|
|
|
value: '{ bootps, domain, ntp }'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_define [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for all hosts in the Ansible inventory.
|
2018-08-06 15:09:20 +02:00
|
|
|
|
nft_define: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_define_group [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for hosts in specific
|
|
|
|
|
|
# Ansible inventory group.
|
2017-08-08 12:11:58 +02:00
|
|
|
|
nft_define_group: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_define_host [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for specific hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
2017-08-08 12:11:58 +02:00
|
|
|
|
nft_define_host: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# Nftables sets definition [[[
|
|
|
|
|
|
# ----------------------------
|
|
|
|
|
|
|
|
|
|
|
|
# These "set" lists allow to define sets that can be used in Nftables rules.
|
|
|
|
|
|
# See the official Nftables wiki page for more informations and examples :
|
|
|
|
|
|
# https://wiki.nftables.org/wiki-nftables/index.php/Sets
|
2017-08-08 14:53:29 +02:00
|
|
|
|
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# .. envvar:: nft_define_default [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for all hosts inherited from this role.
|
2017-08-08 14:32:59 +02:00
|
|
|
|
nft_set_default:
|
|
|
|
|
|
blackhole:
|
|
|
|
|
|
- type ipv4_addr;
|
|
|
|
|
|
- elements = $badcast_addr
|
2018-01-05 15:01:30 +01:00
|
|
|
|
in_tcp_accept:
|
2017-08-09 17:14:26 +02:00
|
|
|
|
- type inet_service; flags interval;
|
2018-01-05 15:01:30 +01:00
|
|
|
|
- elements = $in_tcp_accept
|
|
|
|
|
|
in_udp_accept:
|
2017-08-09 17:14:26 +02:00
|
|
|
|
- type inet_service; flags interval;
|
2018-01-05 15:01:30 +01:00
|
|
|
|
out_tcp_accept:
|
2017-08-09 14:56:20 +02:00
|
|
|
|
- type inet_service; flags interval;
|
2018-01-05 15:01:30 +01:00
|
|
|
|
- elements = $out_tcp_accept
|
|
|
|
|
|
out_udp_accept:
|
2017-08-09 14:56:20 +02:00
|
|
|
|
- type inet_service; flags interval;
|
2018-01-05 15:01:30 +01:00
|
|
|
|
- elements = $out_udp_accept
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_set [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for all hosts in the Ansible inventory.
|
2018-08-06 15:09:20 +02:00
|
|
|
|
nft_set: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_set_group [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for hosts in specific Ansible inventory group.
|
2017-08-08 14:32:59 +02:00
|
|
|
|
nft_set_group: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_set_host [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for specific hosts in the Ansible inventory.
|
2017-08-08 14:32:59 +02:00
|
|
|
|
nft_set_host: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2017-08-08 12:11:58 +02:00
|
|
|
|
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# inet filter table rules [[[
|
|
|
|
|
|
# ---------------------------
|
|
|
|
|
|
|
|
|
|
|
|
# All these rules will be set up in an inet table in order to filter the
|
|
|
|
|
|
# input and output traffic.
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_input_default_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for all hosts inherited from this role.
|
|
|
|
|
|
nft_input_default_rules:
|
|
|
|
|
|
000 policy:
|
|
|
|
|
|
- type filter hook input priority 0; policy drop;
|
|
|
|
|
|
005 global:
|
|
|
|
|
|
- jump global
|
|
|
|
|
|
010 drop unwanted:
|
|
|
|
|
|
- ip daddr @blackhole counter drop
|
|
|
|
|
|
015 localhost:
|
|
|
|
|
|
- iif lo accept
|
|
|
|
|
|
200 input udp accepted:
|
|
|
|
|
|
- udp dport @in_udp_accept ct state new accept
|
|
|
|
|
|
210 input tcp accepted:
|
|
|
|
|
|
- tcp dport @in_tcp_accept ct state new accept
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_input_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for all hosts in the Ansible inventory.
|
|
|
|
|
|
nft_input_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_input_group_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for hosts in specific Ansible inventory group.
|
|
|
|
|
|
nft_input_group_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_input_host_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for specific hosts in the Ansible inventory.
|
|
|
|
|
|
nft_input_host_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_output_default_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for all hosts inherited from this role.
|
|
|
|
|
|
nft_output_default_rules:
|
|
|
|
|
|
000 policy:
|
|
|
|
|
|
- type filter hook output priority 0; policy drop;
|
|
|
|
|
|
005 global:
|
|
|
|
|
|
- jump global
|
|
|
|
|
|
015 localhost:
|
|
|
|
|
|
- oif lo accept
|
|
|
|
|
|
050 icmp:
|
|
|
|
|
|
- ip protocol icmp accept
|
|
|
|
|
|
- ip6 nexthdr icmpv6 counter accept
|
|
|
|
|
|
200 output udp accepted:
|
|
|
|
|
|
- udp dport @out_udp_accept ct state new accept
|
|
|
|
|
|
210 output tcp accepted:
|
|
|
|
|
|
- tcp dport @out_tcp_accept ct state new accept
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_output_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for all hosts in the Ansible inventory.
|
|
|
|
|
|
nft_output_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_output_group_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for hosts in specific Ansible inventory group.
|
|
|
|
|
|
nft_output_group_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_output_host_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for specific hosts in the Ansible inventory.
|
|
|
|
|
|
nft_output_host_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# Service management [[[
|
|
|
|
|
|
# ----------------------
|
|
|
|
|
|
# .. envvar:: nft_service_manage [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the nftables service should be managed ? Possible options are :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Default. The service is started.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# The service will not be touched.
|
2017-08-07 14:14:14 +02:00
|
|
|
|
nft_service_manage: true
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_name [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# The service name to manage.
|
2017-08-07 14:14:14 +02:00
|
|
|
|
nft_service_name: 'nftables'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_enabled [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the nftables service should be enabled at startup ? Possible options are :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Default. The service is enabled.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# The service is disabled from startup.
|
2017-08-09 14:27:07 +02:00
|
|
|
|
nft_service_enabled: true
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_unit_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to store nftables service.
|
2018-02-06 16:58:18 +01:00
|
|
|
|
nft_service_unit_path: '/lib/systemd/system/nftables.service'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_unit_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide systemd unit for nftables service.
|
2018-02-06 16:58:18 +01:00
|
|
|
|
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__service_protect [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the systemd unit should have the Protect directives ? Possible options :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Default. Directives will be set (ProtectSystem, ProtectHome,…).
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# The directives will be ignored.
|
2019-03-15 11:13:26 +01:00
|
|
|
|
nft__service_protect: true
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__fail2ban_service [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the nftables systemd unit should also restart Fail2ban service. Possible
|
|
|
|
|
|
# options are :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# Default. Nftables service will not affect Fail2ban service.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Any Nftables service (re)start will also restart Fail2ban service.
|
2018-08-07 11:03:29 +02:00
|
|
|
|
nft__fail2ban_service: False
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# ]]]
|
