alpha #1
48
README.md
48
README.md
@ -1,3 +1,47 @@
|
|||||||
# role_modele
|
# role_nftables
|
||||||
|
|
||||||
Modèle
|
Ce rôle permet d'installer et configurer nftables.
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
### nftables_rules_*
|
||||||
|
|
||||||
|
Liste contenant un nom de fichier et une liste de règles. Les règles doivent être au format nftables.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
### nftables_tables_*
|
||||||
|
|
||||||
|
Liste contenant un nom de fichier et la configuration de la table. La table doit être au format nftables.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
## Exemple d'utilisation
|
||||||
|
|
||||||
|
### inventory.yml
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
|
||||||
|
all:
|
||||||
|
hosts:
|
||||||
|
host1.ykn.local:
|
||||||
|
host2.ykn.local:
|
||||||
|
children:
|
||||||
|
dnsservers:
|
||||||
|
hosts:
|
||||||
|
dnsmasq1.ykn.local:
|
||||||
|
dnsmasq2.ykn.local:
|
||||||
|
```
|
||||||
|
|
||||||
|
### host_vars/host1.ykn.local.yml
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
|
||||||
|
nftables_rules:
|
||||||
|
- filename: ansible
|
||||||
|
rules:
|
||||||
|
- ip saddr 192.168.50.12 tcp dport 22 accept
|
||||||
|
- ip6 saddr fd00:ff50::d012 tcp dport 22 accept
|
||||||
|
```
|
||||||
|
5
defaults/main.yml
Normal file
5
defaults/main.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
# defaults file for nftables
|
||||||
|
|
||||||
|
nftables_rules: []
|
||||||
|
nftables_tables: []
|
10
handlers/main.yml
Normal file
10
handlers/main.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
# handlers file for nftables
|
||||||
|
|
||||||
|
- name: Redémarrer nftables.service
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
state: restarted
|
||||||
|
enabled: true
|
||||||
|
masked: false
|
||||||
|
name: nftables.service
|
||||||
|
become: true
|
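Review bot: `state: restarted` on nftables.service is a fail-open path: with the unit shipped on Debian/Ubuntu (ExecStop runs `nft flush ruleset`, ExecStart runs `nft -f /etc/nftables.conf` — confirm for the target distribution), a restart flushes the live ruleset first, so if /etc/nftables.conf or any included fragment fails to parse the host is left with an empty ruleset and accept-everything until someone notices. `nft -f` replaces the ruleset atomically, so a parse error leaves the previous ruleset untouched; I would change the handler to `state: reloaded` (which maps to the unit's ExecReload, also `nft -f`) and keep `enabled: true`, noting that reload only works if the service is already running, so a separate started/enabled task in installation.yml should guarantee that. Independently, the template task that writes /etc/nftables.conf should carry `validate: nft -c -f %s` so a broken file is never installed in the first place.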
@ -1,7 +1,7 @@
|
|||||||
galaxy_info:
|
galaxy_info:
|
||||||
namespace: ykn
|
namespace: ykn
|
||||||
author: pulsar89.5
|
author: pulsar89.5
|
||||||
description: Rôle modèle
|
description: Rôle de déploiement de nftables (pare-feu)
|
||||||
|
|
||||||
license: GPL-3.0-or-later
|
license: GPL-3.0-or-later
|
||||||
|
|
||||||
|
54
tasks/configuration.yml
Normal file
54
tasks/configuration.yml
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
---
|
||||||
|
# tasks file for nftables
|
||||||
|
|
||||||
|
- name: Déployer la configuration générale
|
||||||
|
ansible.builtin.template:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=,o=
|
||||||
|
src: nftables.conf.j2
|
||||||
|
dest: /etc/nftables.conf
|
||||||
|
become: true
|
||||||
|
notify: Redémarrer nftables.service
|
||||||
|
|
||||||
|
- name: Construire la liste des règles
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
nftables_rules: "{{ nftables_rules + specific }}"
|
||||||
|
when: specific | length > 0
|
||||||
|
loop: "{{ lookup('ansible.builtin.varnames', '^nftables_rules_.+', wantlist=True) }}"
|
||||||
|
vars:
|
||||||
|
specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
|
||||||
|
|
||||||
|
- name: Construire la liste des tables
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
nftables_tables: "{{ nftables_tables + specific }}"
|
||||||
|
when: specific | length > 0
|
||||||
|
loop: "{{ lookup('ansible.builtin.varnames', '^nftables_tables_.+', wantlist=True) }}"
|
||||||
|
vars:
|
||||||
|
specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
|
||||||
|
|
||||||
|
- name: Déployer les règles
|
||||||
|
ansible.builtin.template:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=,o=
|
||||||
|
src: "{{ role_path }}/templates/rules.conf.j2"
|
||||||
|
dest: "/srv/nftables/rules_{{ item.filename }}.conf"
|
||||||
|
loop: "{{ nftables_rules }}"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.filename }}"
|
||||||
|
become: true
|
||||||
|
notify: Redémarrer nftables.service
|
||||||
|
|
||||||
|
- name: Déployer les tables
|
||||||
|
ansible.builtin.template:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=,o=
|
||||||
|
src: "{{ role_path }}/templates/tables.conf.j2"
|
||||||
|
dest: "/srv/nftables/tables_{{ item.filename }}.conf"
|
||||||
|
loop: "{{ nftables_tables }}"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.filename }}"
|
||||||
|
become: true
|
||||||
|
notify: Redémarrer nftables.service
|
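Review bot: `item.filename` is interpolated unchecked into the destination path (`dest: "/srv/nftables/rules_{{ item.filename }}.conf"` and the tables equivalent) and, via tables.conf.j2, into an nft table name; a value containing `/` or `..` writes outside /srv/nftables and a value with spaces or `*` breaks both the include glob and the table declaration, so the lists should be asserted against a strict character class before the deploy tasks. The more consequential gap is that fragments are never removed: an entry dropped from `nftables_rules_*` leaves its `rules_<name>.conf` on disk, and `include "/srv/nftables/rules_*.conf"` keeps loading it, so revoked accept rules silently stay in force. I would add an assert task before "Déployer les règles" and a find/file cleanup after "Déployer les tables" that deletes any `rules_*.conf`/`tables_*.conf` not in the current lists and notifies the handler. The set_fact accumulation is also not idempotent within a play (applying the role twice appends the suffixed lists again), which is harmless for nft but worth a comment.

```yaml
- name: Vérifier les noms de fichiers
  ansible.builtin.assert:
    that:
      - item.filename is match('^[A-Za-z0-9_-]+$')
    fail_msg: "filename invalide : {{ item.filename }}"
  loop: "{{ nftables_rules + nftables_tables }}"
  loop_control:
    label: "{{ item.filename }}"

# … unchanged: Déployer les règles / Déployer les tables …

- name: Lister les fragments présents
  ansible.builtin.find:
    paths: /srv/nftables
    patterns: "rules_*.conf,tables_*.conf"
  register: nftables_fragments
  become: true

- name: Supprimer les fragments obsolètes
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ nftables_fragments.files }}"
  loop_control:
    label: "{{ item.path }}"
  when: (item.path | basename) not in expected
  vars:
    expected: >-
      {{ (nftables_rules | map(attribute='filename') | map('regex_replace', '^', 'rules_') | map('regex_replace', '$', '.conf') | list)
         + (nftables_tables | map(attribute='filename') | map('regex_replace', '^', 'tables_') | map('regex_replace', '$', '.conf') | list) }}
  become: true
  notify: Redémarrer nftables.service
```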
17
tasks/installation.yml
Normal file
17
tasks/installation.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
# tasks file for nftables
|
||||||
|
|
||||||
|
- name: Installer le paquet
|
||||||
|
become: true
|
||||||
|
ansible.builtin.package:
|
||||||
|
state: present
|
||||||
|
name: nftables
|
||||||
|
|
||||||
|
- name: Créer le dossier contenant la configuration
|
||||||
|
ansible.builtin.file:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rwx,g=rx,o=rx
|
||||||
|
state: directory
|
||||||
|
path: /srv/nftables
|
||||||
|
become: true
|
8
tasks/main.yml
Normal file
8
tasks/main.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
# tasks file for nftables
|
||||||
|
|
||||||
|
- name: Importer les tâches d'installation
|
||||||
|
ansible.builtin.import_tasks: installation.yml
|
||||||
|
|
||||||
|
- name: Importer les tâches de configuration
|
||||||
|
ansible.builtin.import_tasks: configuration.yml
|
28
templates/nftables.conf.j2
Normal file
28
templates/nftables.conf.j2
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
#!/usr/sbin/nft -f
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
flush ruleset
|
||||||
|
|
||||||
|
table inet filter {
|
||||||
|
chain input {
|
||||||
|
type filter hook input priority 0;
|
||||||
|
|
||||||
|
# accept any localhost traffic
|
||||||
|
iif lo accept
|
||||||
|
|
||||||
|
# accept traffic originated from us
|
||||||
|
ct state established,related accept
|
||||||
|
|
||||||
|
# accept neighbour discovery otherwise IPv6 connectivity breaks.
|
||||||
|
ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
|
||||||
|
|
||||||
|
# include specifics rules
|
||||||
|
include "/srv/nftables/rules_*.conf"
|
||||||
|
|
||||||
|
# count and drop any other traffic
|
||||||
|
counter drop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# include more tables
|
||||||
|
include "/srv/nftables/tables_*.conf"
|
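Review bot: the input chain declares no `policy`, so the base chain defaults to accept and the trailing `counter drop` is the only thing closing it; a `return` reached from an included fragment (directly or through a jump) falls through to the accept policy instead of being dropped. Put `policy drop;` on the chain declaration and keep `counter drop` for the counter. Separately, there is no forward base chain at all, while tables.conf.j2 adds NAT prerouting/postrouting chains, i.e. this role evidently targets hosts that forward traffic; without a forward chain everything the kernel forwards is accepted, so the base table should carry a forward chain with a drop policy and an established/related rule, with openings supplied the same way as for input. If the target hosts never enable ip_forward the forward chain is inert, so adding it is safe either way.

```jinja
    chain input {
        type filter hook input priority 0; policy drop;
        # … unchanged: lo, ct state, icmpv6, include, counter drop …
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        counter drop
    }
```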
5
templates/rules.conf.j2
Normal file
5
templates/rules.conf.j2
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
{% for rule in item.rules %}
|
||||||
|
{{ rule }}
|
||||||
|
{% endfor %}
|
57
templates/tables.conf.j2
Normal file
57
templates/tables.conf.j2
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
{% if
|
||||||
|
item.ipv4_rules.prerouting | length > 0
|
||||||
|
or
|
||||||
|
item.ipv4_rules.postrouting | length > 0
|
||||||
|
%}
|
||||||
|
table ip {{ item.filename }} {
|
||||||
|
{% if item.ipv4_rules.prerouting | length > 0 %}
|
||||||
|
chain prerouting {
|
||||||
|
type nat hook prerouting priority 0;
|
||||||
|
|
||||||
|
{% for rule in item.ipv4_rules.prerouting %}
|
||||||
|
{{ rule }}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if item.ipv4_rules.postrouting | length > 0 %}
|
||||||
|
chain postrouting {
|
||||||
|
type nat hook postrouting priority 100; policy accept;
|
||||||
|
|
||||||
|
{% for rule in item.ipv4_rules.postrouting %}
|
||||||
|
{{ rule }}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if
|
||||||
|
item.ipv6_rules.prerouting | length > 0
|
||||||
|
or
|
||||||
|
item.ipv6_rules.postrouting | length > 0
|
||||||
|
%}
|
||||||
|
table ip6 {{ item.filename }} {
|
||||||
|
{% if item.ipv6_rules.prerouting | length > 0 %}
|
||||||
|
chain prerouting {
|
||||||
|
type nat hook prerouting priority 0;
|
||||||
|
|
||||||
|
{% for rule in item.ipv6_rules.prerouting %}
|
||||||
|
{{ rule }}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if item.ipv6_rules.postrouting | length > 0 %}
|
||||||
|
chain postrouting {
|
||||||
|
type nat hook postrouting priority 100; policy accept;
|
||||||
|
|
||||||
|
{% for rule in item.ipv6_rules.postrouting %}
|
||||||
|
{{ rule }}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
{% endif %}
|
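Review bot: the template dereferences `item.ipv4_rules.prerouting`, `item.ipv4_rules.postrouting`, `item.ipv6_rules.prerouting` and `item.ipv6_rules.postrouting` unconditionally, so an entry that only defines IPv4 NAT (or one written as the README describes, a free-form "table au format nftables") fails to render with an undefined-variable error, and the README never documents this dict shape. Resolve the four lists once with `default({})`/`default([])` at the top and test/iterate those, and document the `ipv4_rules`/`ipv6_rules` → `prerouting`/`postrouting` structure in the README. Also worth noting: the prerouting chain has no explicit `policy` while postrouting has `policy accept;` (harmless for nat chains, whose default is accept, but inconsistent), and `priority 0` for a nat prerouting hook differs from the usual `dstnat` (-100) — I believe the symbolic `dstnat`/`srcnat` names are accepted on recent nft releases, confirm against the targets.

```jinja
{% set v4 = item.ipv4_rules | default({}) %}
{% set v6 = item.ipv6_rules | default({}) %}
{% set v4_pre = v4.prerouting | default([]) %}
{% set v4_post = v4.postrouting | default([]) %}
{% set v6_pre = v6.prerouting | default([]) %}
{% set v6_post = v6.postrouting | default([]) %}
{% if v4_pre | length > 0 or v4_post | length > 0 %}
table ip {{ item.filename }} {
{# … unchanged: prerouting/postrouting chains, now testing and iterating v4_pre / v4_post … #}
}
{% endif %}
{# … unchanged: ip6 block with the same substitution using v6_pre / v6_post … #}
```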