Merge pull request 'alpha' (#1) from alpha into master

Reviewed-on: pulsar/role_nftables#1
This commit is contained in:
pulsar89.5 2023-05-24 10:07:37 +00:00
commit 35d31eb752
10 changed files with 231 additions and 3 deletions

View File

@ -1,3 +1,47 @@
# role_modele
# role_nftables
Modèle
Ce rôle permet d'installer et configurer nftables.
## Variables
### nftables_rules_*
Liste contenant un nom de fichier et une liste de règles. Les règles doivent être au format nftables.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### nftables_tables_*
Liste contenant un nom de fichier et la configuration de la table. La table doit être au format nftables.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
## Exemple d'utilisation
### inventory.yml
```yaml
---
all:
hosts:
host1.ykn.local:
host2.ykn.local:
children:
dnsservers:
hosts:
dnsmasq1.ykn.local:
dnsmasq2.ykn.local:
```
### host_vars/host1.ykn.local.yml
```yaml
---
nftables_rules:
- filename: ansible
rules:
- ip saddr 192.168.50.12 tcp dport 22 accept
- ip6 saddr fd00:ff50::d012 tcp dport 22 accept
```

5
defaults/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
# defaults file for nftables
nftables_rules: []
nftables_tables: []

10
handlers/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
# handlers file for nftables
- name: Redémarrer nftables.service
ansible.builtin.systemd:
state: restarted
enabled: true
masked: false
name: nftables.service
become: true

View File

@ -1,7 +1,7 @@
galaxy_info:
namespace: ykn
author: pulsar89.5
description: Rôle modèle
description: Rôle de déploiement de nftables (pare-feu)
license: GPL-3.0-or-later

54
tasks/configuration.yml Normal file
View File

@ -0,0 +1,54 @@
---
# tasks file for nftables
- name: Déployer la configuration générale
ansible.builtin.template:
owner: root
group: root
mode: u=rw,g=,o=
src: nftables.conf.j2
dest: /etc/nftables.conf
become: true
notify: Redémarrer nftables.service
- name: Construire la liste des règles
ansible.builtin.set_fact:
nftables_rules: "{{ nftables_rules + specific }}"
when: specific | length > 0
loop: "{{ lookup('ansible.builtin.varnames', '^nftables_rules_.+', wantlist=True) }}"
vars:
specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
- name: Construire la liste des tables
ansible.builtin.set_fact:
nftables_tables: "{{ nftables_tables + specific }}"
when: specific | length > 0
loop: "{{ lookup('ansible.builtin.varnames', '^nftables_tables_.+', wantlist=True) }}"
vars:
specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
- name: Déployer les règles
ansible.builtin.template:
owner: root
group: root
mode: u=rw,g=,o=
src: "{{ role_path }}/templates/rules.conf.j2"
dest: "/srv/nftables/rules_{{ item.filename }}.conf"
loop: "{{ nftables_rules }}"
loop_control:
label: "{{ item.filename }}"
become: true
notify: Redémarrer nftables.service
- name: Déployer les tables
ansible.builtin.template:
owner: root
group: root
mode: u=rw,g=,o=
src: "{{ role_path }}/templates/tables.conf.j2"
dest: "/srv/nftables/tables_{{ item.filename }}.conf"
loop: "{{ nftables_tables }}"
loop_control:
label: "{{ item.filename }}"
become: true
notify: Redémarrer nftables.service

17
tasks/installation.yml Normal file
View File

@ -0,0 +1,17 @@
---
# tasks file for nftables
- name: Installer le paquet
become: true
ansible.builtin.package:
state: present
name: nftables
- name: Créer le dossier contenant la configuration
ansible.builtin.file:
owner: root
group: root
mode: u=rwx,g=rx,o=rx
state: directory
path: /srv/nftables
become: true

8
tasks/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
# tasks file for nftables
- name: Importer les tâches d'installation
ansible.builtin.import_tasks: installation.yml
- name: Importer les tâches de configuration
ansible.builtin.import_tasks: configuration.yml

View File

@ -0,0 +1,28 @@
#!/usr/sbin/nft -f
# {{ ansible_managed }}
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
# include specifics rules
include "/srv/nftables/rules_*.conf"
# count and drop any other traffic
counter drop
}
}
# include more tables
include "/srv/nftables/tables_*.conf"

5
templates/rules.conf.j2 Normal file
View File

@ -0,0 +1,5 @@
# {{ ansible_managed }}
{% for rule in item.rules %}
{{ rule }}
{% endfor %}

57
templates/tables.conf.j2 Normal file
View File

@ -0,0 +1,57 @@
# {{ ansible_managed }}
{% if
item.ipv4_rules.prerouting | length > 0
or
item.ipv4_rules.postrouting | length > 0
%}
table ip {{ item.filename }} {
{% if item.ipv4_rules.prerouting | length > 0 %}
chain prerouting {
type nat hook prerouting priority 0;
{% for rule in item.ipv4_rules.prerouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
{% if item.ipv4_rules.postrouting | length > 0 %}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
{% for rule in item.ipv4_rules.postrouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
}
{% endif %}
{% if
item.ipv6_rules.prerouting | length > 0
or
item.ipv6_rules.postrouting | length > 0
%}
table ip6 {{ item.filename }} {
{% if item.ipv6_rules.prerouting | length > 0 %}
chain prerouting {
type nat hook prerouting priority 0;
{% for rule in item.ipv6_rules.prerouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
{% if item.ipv6_rules.postrouting | length > 0 %}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
{% for rule in item.ipv6_rules.postrouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
}
{% endif %}