author | Guilhem Moulin <guilhem@fripost.org> | 2020-01-23 04:29:12 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-01-23 05:57:01 +0100 |
commit | 7641a5d5d152db349082b1d0ec93a40888b2ef8e (patch) | |
tree | 3f80c14c0e50b187a6698346cf8cffb9c5200154 /roles/common/tasks | |
parent | 456e09fa40d01b70ac1788d0338fba00079e4121 (diff) |
Convert firewall to nftables.
Debian Buster uses the nftables framework by default.
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/firewall.yml | 48 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 1 | ||||
-rw-r--r-- | roles/common/tasks/sysctl.yml | 2 |
3 files changed, 19 insertions, 32 deletions
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 133b631..fd1ad92 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,41 +1,27 @@
-- name: Install some packages required for the firewall
- apt: pkg={{ packages }}
- vars:
- packages:
- - iptables
- - netmask
- - bsdutils
+- name: Install nftables
+ apt: pkg=nftables
 
-- name: Create directory /etc/iptables
- file: path=/etc/iptables
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate /etc/iptables/services
- template: src=etc/iptables/services.j2
- dest=/etc/iptables/services
- owner=root group=root
- mode=0600
-
-- name: Copy /usr/local/sbin/update-firewall.sh
- copy: src=usr/local/sbin/update-firewall.sh
- dest=/usr/local/sbin/update-firewall.sh
+- name: Copy /usr/local/sbin/update-firewall
+ copy: src=usr/local/sbin/update-firewall
+ dest=/usr/local/sbin/update-firewall
 owner=root group=staff
 mode=0755
 
-- name: Make the rulesets persistent
- copy: src=etc/network/{{ item }}
- dest=/etc/network/{{ item }}
- owner=root group=root
- mode=0755
- with_items:
- - if-pre-up.d/iptables
- - if-post-down.d/iptables
+- name: Copy /etc/nftables.conf
+ template: src=etc/nftables.conf.j2
+ dest=/etc/nftables.conf
+ owner=root group=root
+ mode=0644
 
 - name: Ensure the firewall is up to date
- command: /usr/local/sbin/update-firewall.sh -c
+ command: /usr/local/sbin/update-firewall -c
 register: rv
 # A non-zero return value will make ansible stop and show stderr. This
 # is what we want.
 changed_when: rv.rc
+
+- name: Enable nftables.service
+ service: name=nftables enabled=yes
+
+- name: Start nftables.service
+ service: name=nftables state=started
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7fa7b20..02a745c 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -12,6 +12,7 @@
 tags:
 - firewall
 - iptables
+ - nftables
 
 - import_tasks: stunnel.yml
 tags: stunnel
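Review bot: Hosts that were already provisioned with the iptables version of this role keep `/etc/network/if-pre-up.d/iptables`, `/etc/network/if-post-down.d/iptables`, `/etc/iptables/services` and `/usr/local/sbin/update-firewall.sh` on disk, because the hunk removes the tasks that installed them but adds no task to delete them; the old ifupdown hook would presumably keep loading the legacy ruleset on every interface up, next to the nftables one, which makes the effective filter policy on migrated hosts hard to reason about. A `file: state=absent` cleanup task such as the one below, placed before "Ensure the firewall is up to date", closes that gap. The two new `service` tasks at the end can also be a single `service: name=nftables enabled=yes state=started`. Note that "Copy /etc/nftables.conf" has no `notify`, so on later runs a changed ruleset is only applied if `update-firewall -c` does so; if it does not, consider a handler that reloads `nftables.service`.
```yaml
- name: Remove the legacy iptables ruleset hooks
  file: path={{ item }} state=absent
  with_items:
    - /etc/network/if-pre-up.d/iptables
    - /etc/network/if-post-down.d/iptables
    - /etc/iptables/services
    - /usr/local/sbin/update-firewall.sh

# … unchanged: "Ensure the firewall is up to date" and the nftables.service tasks …
```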
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index ffda544..3bf3b4f 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -18,7 +18,7 @@
 - { name: 'net.ipv4.icmp_ratemask', value: 6425 }
 - { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
 
- # Disable paquet forwarding between interfaces (we are not a router).
+ # Disable packet forwarding between interfaces (we are not a router).
 - { name: 'net.ipv4.ip_forward', value: 0 }
 - { name: 'net.ipv6.conf.all.forwarding', value: 0 }
|