WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(security): added nftables firewall

Browse source
This commit is contained in:
NaeiKinDus 2023-12-12 00:00:00 +00:00
parent 7e617bc471
commit 639b01c351
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
9 changed files with 211 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
View file

@ -5,6 +5,29 @@ security:
https_ignore_list: [] https_ignore_list: []
clamav: clamav:
version: 1.2.1 version: 1.2.1
firewall:
enable: true
nat:
policy:
prerouting: accept
input: accept
postrouting: accept
output: accept
additional_rules: ""
mangle:
drop_privatenets: true
policy:
prerouting: accept
postrouting: accept
output: accept
forward: drop
additional_rules: ""
filter:
policy:
input: drop
output: drop
forward: drop
additional_rules: ""
custom_security: {} custom_security: {}
recursive_combine: true recursive_combine: true

7
collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
View file

@ -1,4 +1,11 @@
--- ---
- name: '[firewall] restart service'
become: true
systemd_service:
name: nftables.service
enabled: true
state: restarted
- name: '[ssh] restart service' - name: '[ssh] restart service'
become: true become: true
ansible.builtin.systemd_service: ansible.builtin.systemd_service:

50
collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml Normal file
View file

@ -0,0 +1,50 @@
---
- name: gather facts if required
ansible.builtin.setup:
gather_subset:
- distribution
- virtualization_type
- name: install and configure nftables
when: security.firewall.enable is truthy
become: true
notify:
- 'security : [firewall] restart service'
block:
- name: install nftables
ansible.builtin.apt:
pkg:
- nftables
- name: enable nftables
ansible.builtin.systemd:
name: nftables
enabled: true
masked: false
- name: create config dir
ansible.builtin.file:
path: /etc/nftables.d
mode: '0700'
state: directory
- name: base config file
ansible.builtin.template:
src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
dest: /etc/nftables.conf
mode: '0700'
vars:
controller_ip: "{{ lookup('pipe', '/bin/dig +short A $(/usr/bin/hostname -f)') }}"
controller_ip6: "{{ lookup('pipe', '/bin/dig +short AAAA $(/usr/bin/hostname -f)') }}"
- name: common firewall rules
ansible.builtin.template:
src: "../templates/system/nftables/{{ item }}.table.j2"
dest: "/etc/nftables.d/{{ item }}.table"
mode: '0600'
vars:
firewall: "{{ security.firewall }}"
loop:
- 01-nat
- 02-mangle
- 03-filter

2
collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
View file

@ -9,6 +9,8 @@
security: "{{ security | combine(custom_security, recursive=recursive_combine) }}" security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
changed_when: false changed_when: false
- include_tasks: firewall.yml
- name: '[apt] force HTTPS sources' - name: '[apt] force HTTPS sources'
become: true become: true
when: security.apt.force_https is truthy when: security.apt.force_https is truthy

23
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2 Normal file
View file

@ -0,0 +1,23 @@
#!/usr/sbin/nft -f
flush ruleset
define ansible_controller_ip = {{ controller_ip | default('127.0.0.1', true) }}
define ansible_controller_ip6 = {{ controller_ip6 | default('fe80::', true) }}
define dns_server = {{ dns_server | default('9.9.9.9', true) }}
define dns_server6 = {{ dns_server | default('2620:fe::fe', true) }}
define private_nets = {
10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12,
192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
}
define reserved_nets = {
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24,
192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24,
224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4
}
include "/etc/nftables.d/01-nat.table"
include "/etc/nftables.d/02-mangle.table"
include "/etc/nftables.d/03-filter.table"
include "/etc/nftables.d/*.nft"

18
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2 Normal file
View file

@ -0,0 +1,18 @@
# Setup
table inet nat {
chain prerouting {
type nat hook prerouting priority -100; policy {{ firewall.nat.policy.prerouting }};
}
chain input {
type nat hook input priority 100; policy {{ firewall.nat.policy.input }};
}
chain postrouting {
type nat hook postrouting priority 100; policy {{ firewall.nat.policy.postrouting }};
}
chain output {
type nat hook output priority -100; policy {{ firewall.nat.policy.output }};
}
}

51
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2 Normal file
View file

@ -0,0 +1,51 @@
# Setup
table inet mangle {
chain prerouting {
type filter hook prerouting priority -150; policy {{ firewall.mangle.policy.prerouting }};
ip saddr $ansible_controller_ip tcp dport 22 accept
ip6 saddr $ansible_controller_ip6 tcp dport 22 accept
ip daddr $ansible_controller_ip tcp sport 22 accept
ip6 daddr $ansible_controller_ip6 tcp sport 22 accept
ip protocol icmp accept
ip frag-off & 0x1fff != 0 counter drop
ct state invalid counter drop
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn) == fin|syn counter drop
tcp flags & (syn|rst) == syn|rst counter drop
tcp flags & (fin|rst) == fin|rst counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (ack|urg) == urg counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (psh|ack) == psh counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
{% if firewall.mangle.drop_privatenets %}
ip saddr $private_nets counter drop
{% endif %}
ip saddr $reserved_nets counter drop
iifname != "lo" ip saddr 127.0.0.0/8 counter drop
}
chain postrouting {
type filter hook postrouting priority -150; policy {{ firewall.mangle.policy.postrouting }};
ip saddr $ansible_controller_ip tcp dport 22 accept
ip6 saddr $ansible_controller_ip6 tcp dport 22 accept
ip daddr $ansible_controller_ip tcp sport 22 accept
ip6 daddr $ansible_controller_ip6 tcp sport 22 accept
}
chain output {
type route hook output priority -150; policy {{ firewall.mangle.policy.output }};
}
chain forward {
type filter hook forward priority -150; policy {{ firewall.mangle.policy.forward }};
}
}

26
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2 Normal file
View file

@ -0,0 +1,26 @@
# Setup
table inet filter {
chain input {
type filter hook input priority 0; policy {{ firewall.filter.policy.input }};
ip saddr $ansible_controller_ip tcp dport 22 accept
ip6 saddr $ansible_controller_ip6 tcp dport 22 accept
iifname "lo" counter accept
ct state related,established counter accept
tcp dport 22 limit rate 10/hour burst 5 packets counter accept
}
chain output {
type filter hook output priority 0; policy {{ firewall.filter.policy.output }};
ip daddr $ansible_controller_ip tcp sport 22 accept
ip6 daddr $ansible_controller_ip6 tcp sport 22 accept
oifname "lo" counter accept
ct state related,established counter accept
tcp sport 22 counter accept
}
chain forward {
type filter hook forward priority 0; policy {{ firewall.filter.policy.forward }};
}
}

11
inventory/host_vars/unobtainium/vars.yml
View file

@ -21,3 +21,14 @@ custom_common:
force_sign: true force_sign: true
signing_key: "{{ vault_common_gitconfig_signingkey }}" signing_key: "{{ vault_common_gitconfig_signingkey }}"
install_fonts: true install_fonts: true
custom_security:
firewall:
filter:
policy:
output: accept
forward: accept
mangle:
drop_privatenets: false
policy:
forward: accept