Setup nftables

Federico Ceratto · Federico Ceratto · commit 363588fca5e0 · 2020-06-29T16:55:40.000+01:00
diff --git a/ansible/roles/nftables/README.adoc b/ansible/roles/nftables/README.adoc
@@ -0,0 +1,25 @@
+Install nftables based firewall
+
+Set up /etc/ooni/nftables/
+
+Rules for specific services are *not* configured by this role
+
+When creating rules to accept TCP traffic from any IPv4/6 address,
+files are named with the port number to detect collisions.
+
+Example:
+
+/etc/ooni/nftables/tcp/8080.nft
+
+```
+add rule inet filter input tcp dport 8080 counter accept comment "MyService"
+```
+
+
+Otherwise:
+
+/etc/ooni/nftables/tcp/5432_postgres_internal.nft
+
+```
+add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 5432 counter accept comment "Internal PostgreSQL"
+```
diff --git a/ansible/roles/nftables/tasks/main.yml b/ansible/roles/nftables/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Install nftables
+  apt:
+    cache_valid_time: 86400
+    name: nftables
+
+- name: create config dir
+  file:
+    path: /etc/ooni/nftables/tcp
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: allow SSH
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/22.nft
+    block: |
+      add rule inet filter input tcp dport 22 counter accept comment "Incoming SSH"
+
+- name: Enable and start nftables service
+  systemd:
+    name: nftables.service
+    state: started
+    enabled: yes
+
diff --git a/ansible/roles/nftables/templates/nftables.conf b/ansible/roles/nftables/templates/nftables.conf
@@ -0,0 +1,34 @@
+#!/usr/sbin/nft -f
+#
+# Nftables configuration script
+#
+# Managed by ansible
+# roles/nftables/templates/nftables.conf
+#
+# The ruleset is applied atomically
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority filter; policy drop;
+    iif lo accept comment "Accept incoming traffic from localhost"
+    ct state invalid drop
+    ct state established,related accept comment "Accept traffic related to outgoing connections"
+  }
+
+  chain forward {
+    type filter hook forward priority filter; policy accept;
+  }
+
+  chain output {
+    type filter hook output priority filter; policy accept;
+  }
+}
+
+# Configure TCP traffic rules
+include "/etc/ooni/nftables/tcp/*.nft"
+
+# Configure any other rule
+include "/etc/ooni/nftables/*.nft"
+
diff --git a/ansible/roles/postgresql11/meta/main.yml b/ansible/roles/postgresql11/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
   - role: base-buster
+  - role: nftables
