With the following changes/fixes:

- include rule desc as "comment" in actual rule
- templates/nftables.conf: conditionally add ruleset flushing
- Fix loop_control / loop_var re-use warning from ansible
This Ansible role installs and configures a Linux Netfilter Nftables server and its rules.

To provide an easy way to manage the project, there are some make targets to run the most common tasks:

- make deps
- make tests
- make changelog
- make clean

You only need Python (v3, of course!). The rest of the packages or dependencies required to run the project are downloaded with the `make deps` command, but as in the rest of the projects based on Python, it's a good recommendation to use a Virtualenv before downloading dependencies, just like this:

```shell
$ python3 -m venv .venv
$ source .venv/bin/activate
(.venv) $ make deps
```
Almost every option has a default value (you can check these values in the defaults/main.yml file), but you can override as many as you want (from a command-line param, in your own vars.yml file, etc.).
General settings

- nftables_remove_other_firewalls: Set to true to remove other firewalls installed (if they exist) like firewalld or iptables, false otherwise (default: true).
- nftables_config_path: Path of the config file with the firewall rules (default: /etc/nftables.conf).

Firewall rules

- nftables_ruleset: Definition of the firewall ruleset (see below).

To define the firewall rules you have to use the nftables_ruleset parameter. This parameter contains a list of tables. Each of these tables can contain a list of chains, and each of these chains can contain a list of rules.
A very useful documentation about ruleset configuration is the official Nftables wiki: https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
The parameters of a list of tables are:

- name: A name for the filtering table (for example firewall or nat).
- family: Refers to one of the following table types: ip, arp, ip6, bridge, inet, netdev.
- chains: A list of chains for the current table.

The parameters of a list of chains are:
- name: A name for the chain (for example incoming or input).
- type: Refers to the kind of chain to be created. Possible types are:
  - filter: supported by the arp, bridge, ip, ip6 and inet table families.
  - route: supported by the ip and ip6 table families.
  - nat: supported by the ip and ip6 table families.
- hook: Refers to a specific stage of the packet while it's being processed through the kernel. Possible hooks are:
  - ip, ip6 and inet families: prerouting, input, forward, output, postrouting.
  - arp family: input, output.
  - bridge family: handles ethernet packets traversing bridge devices.
  - netdev family: ingress.
- priority: Refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are (default: 0):
- default_policy: This is the default verdict statement to control the flow in the chain. Possible values are: accept, drop, queue, continue or return (default: drop).
- rules: A list of rules for the current chain.

The parameters of a list of rules are:
- desc: A small description to add information about the purpose of the rule.
- matches: A list of clues used to access certain packet information and create filters according to them (check more information about matches here: https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Matches).
- statement: The action performed when the packet matches the rule. It can be terminal or non-terminal. The valid verdict statements are:
A basic playbook example to allow established connections from everywhere, ping requests from everywhere, http and https connections from everywhere, SSH connections from everywhere except 172.26.0.2, and enabling the NAT in the eth1 interface could be:

```yaml
- hosts: all
  vars:
    nftables_ruleset:
      - name: firewall
        family: ip
        chains:
          - name: incoming
            type: filter
            hook: input
            priority: 0
            default_policy: drop
            rules:
              - desc: Allow established/related connections
                matches:
                  - ct state established,related
                statement: accept
              - desc: Allow localhost traffic
                matches:
                  - meta iif lo
                statement: accept
              - desc: Allow PING
                matches:
                  - icmp type echo-request
                statement: accept
              - desc: Allow SSH from everywhere except honeypot
                matches:
                  - ip saddr != 172.26.0.2
                  - tcp dport 22
                statement: accept
              - desc: Allow web traffic
                matches:
                  - tcp dport {80, 443}
                statement: accept
      - name: nat
        family: ip
        chains:
          - name: postrouting
            type: nat
            hook: postrouting
            priority: 100
            rules:
              - desc: NAT rules
                matches:
                  - oifname "eth0"
                  - ip saddr 172.26.0.0/24
                statement: counter masquerade
  roles:
    - "nftables"
```
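To make the table -> chains -> rules model and the family/type/hook constraints above concrete, here is an added example (not the role's own templates/nftables.conf template, whose output layout may differ) that validates an `nftables_ruleset` structure and renders it into nft script syntax, emitting each rule's `desc` as an nft `comment` the way the changelog describes. The function names `validate_ruleset` and `render_ruleset` are this example's own, the `flush` switch mirrors the role's optional ruleset flushing, and the five hooks listed for the bridge family come from the nftables documentation rather than this README. The sample ruleset at the bottom is the README's playbook example, shortened, as Python data.

```python
"""Added example: validate and render an nftables_ruleset structure (not the role's template)."""

# Chain types and the table families that support them (as described in the README).
CHAIN_TYPE_FAMILIES = {
    "filter": {"arp", "bridge", "ip", "ip6", "inet"},
    "route": {"ip", "ip6"},
    "nat": {"ip", "ip6"},
}

# Hooks available in each table family.
FAMILY_HOOKS = {
    "ip": {"prerouting", "input", "forward", "output", "postrouting"},
    "ip6": {"prerouting", "input", "forward", "output", "postrouting"},
    "inet": {"prerouting", "input", "forward", "output", "postrouting"},
    "arp": {"input", "output"},
    # bridge chains use the same five hooks as ip (nftables docs, not the README)
    "bridge": {"prerouting", "input", "forward", "output", "postrouting"},
    "netdev": {"ingress"},
}


def validate_ruleset(ruleset):
    """Return a list of human-readable problems; an empty list means the ruleset is consistent."""
    problems = []
    for table in ruleset:
        family, tname = table.get("family"), table.get("name", "<unnamed>")
        if family not in FAMILY_HOOKS:
            problems.append(f"table {tname}: unknown family {family!r}")
            continue
        for chain in table.get("chains", []):
            where = f"table {tname} chain {chain.get('name', '<unnamed>')}"
            ctype, hook = chain.get("type"), chain.get("hook")
            if ctype not in CHAIN_TYPE_FAMILIES:
                problems.append(f"{where}: unknown chain type {ctype!r}")
            elif family not in CHAIN_TYPE_FAMILIES[ctype]:
                problems.append(f"{where}: type {ctype} is not supported in family {family}")
            if hook not in FAMILY_HOOKS[family]:
                problems.append(f"{where}: hook {hook!r} is not valid for family {family}")
            if not isinstance(chain.get("priority", 0), int):
                problems.append(f"{where}: priority must be an integer")
            for i, rule in enumerate(chain.get("rules", [])):
                if not isinstance(rule.get("matches"), list) or "statement" not in rule:
                    problems.append(f"{where} rule #{i}: needs a 'matches' list and a 'statement'")
    return problems


def _nft_comment(desc):
    # nft rule comments are double-quoted strings; escape any embedded double quotes.
    return ' comment "' + desc.replace('"', '\\"') + '"'


def render_ruleset(ruleset, flush=True):
    """Render the ruleset as an nft script; raises ValueError if validation finds problems."""
    problems = validate_ruleset(ruleset)
    if problems:
        raise ValueError("; ".join(problems))
    out = ["#!/usr/sbin/nft -f", ""]
    if flush:
        out += ["flush ruleset", ""]  # start from a clean state before loading the tables
    for table in ruleset:
        out.append(f"table {table['family']} {table['name']} {{")
        for chain in table.get("chains", []):
            out.append(f"    chain {chain['name']} {{")
            header = f"        type {chain['type']} hook {chain['hook']} priority {chain.get('priority', 0)};"
            if chain.get("default_policy"):
                header += f" policy {chain['default_policy']};"
            out.append(header)
            for rule in chain.get("rules", []):
                line = " ".join(rule["matches"] + [rule["statement"]])  # matches are ANDed in nft
                if rule.get("desc"):
                    line += _nft_comment(rule["desc"])
                out.append("        " + line)
            out.append("    }")
        out += ["}", ""]
    return "\n".join(out)


# Constructed input: the README's playbook example (shortened) as Python data.
EXAMPLE_RULESET = [
    {"name": "firewall", "family": "ip", "chains": [
        {"name": "incoming", "type": "filter", "hook": "input", "priority": 0,
         "default_policy": "drop", "rules": [
             {"desc": "Allow established/related connections",
              "matches": ["ct state established,related"], "statement": "accept"},
             {"desc": "Allow SSH from everywhere except honeypot",
              "matches": ["ip saddr != 172.26.0.2", "tcp dport 22"], "statement": "accept"},
             {"desc": "Allow web traffic", "matches": ["tcp dport {80, 443}"], "statement": "accept"},
         ]}]},
    {"name": "nat", "family": "ip", "chains": [
        {"name": "postrouting", "type": "nat", "hook": "postrouting", "priority": 100,
         "rules": [{"desc": "NAT rules",
                    "matches": ['oifname "eth0"', "ip saddr 172.26.0.0/24"],
                    "statement": "counter masquerade"}]}]},
]

if __name__ == "__main__":
    print(render_ruleset(EXAMPLE_RULESET))
```

Running the script prints an nft file you can check with `nft -c -f` before applying it; the validator catches the mistakes the README's constraints describe (a nat chain in a family that lacks it, a hook the family does not have) before anything reaches the kernel.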
Tools, external libraries, useful references and other third-part software used in the project:
This project is licensed under MIT License. See LICENSE for more details.
This project is just another amazing idea of BhEaN, created in 2020.