Loading handlers/main.yaml +3 −3 Original line number Diff line number Diff line --- # restart iptables - name: "restart iptables" # restart nftables - name: "restart nftables" ansible.builtin.service: name: "iptables" name: "nftables" state: "restarted" # apply local routes Loading tasks/firewall.yaml +6 −38 Original line number Diff line number Diff line --- # deploy ipv4 iptable rules - name: "firewall - ipv4 rules" ansible.builtin.copy: dest: "/etc/iptables/rules-save" # deploy nftables rules - name: "firewall - nftables rules" ansible.builtin.template: src: "nftables.conf.j2" dest: "/etc/nftables.conf" mode: "0600" owner: "root" group: "root" content: | *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # NAT masquerade from LAN to WAN -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE {% for forward in nat_port_forwards %} # {{ forward.name }} -A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }} {% endfor %} COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow established/related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow loopback -A INPUT -i lo -j ACCEPT # Allow LAN management access -A INPUT -i {{ lan_interface }} -j ACCEPT # Allow forwarding from LAN to anywhere -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT {% for forward in nat_port_forwards %} # {{ forward.name }} -A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT {% endfor %} COMMIT notify: "restart iptables" notify: "restart nftables" # load nf_conntrack module - name: "firewall - load nf_conntrack module" Loading tasks/routing.yaml +3 −3 Original line number Diff line number Diff line --- # install iptables - name: "routing - install ptables" # install nftables - name: "routing - install nftables" community.general.apk: name: - "iptables" - "nftables" state: "present" update_cache: true Loading templates/nftables.conf.j2 0 → 100644 +57 −0 Original line number Diff line number Diff line #!/usr/sbin/nft -f flush ruleset table inet filter { chain input { type filter hook input priority 0; policy drop; # Allow established/related ct state established,related accept # Allow loopback iif lo accept # Allow LAN management access iif {{ lan_interface }} accept # Allow ICMP ip protocol icmp accept ip6 nexthdr ipv6-icmp accept } chain forward { type filter hook forward priority 0; policy drop; # Allow established/related ct state established,related accept # Allow forwarding from LAN to anywhere iif {{ lan_interface }} oif {{ wan_interface }} accept {% for forward in nat_port_forwards %} # {{ forward.name }} iif {{ wan_interface }} oif {{ lan_interface }} ip daddr {{ forward.dst }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} accept {% endfor %} } chain output { type filter hook output priority 0; policy accept; } } table ip nat { chain postrouting { type nat hook postrouting priority 100; policy accept; # NAT masquerade from LAN to WAN oif {{ wan_interface }} masquerade } chain prerouting { type nat hook prerouting priority -100; policy accept; {% for forward in nat_port_forwards %} # {{ forward.name }} iif {{ wan_interface }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} dnat to {{ forward.dst }}:{{ forward.port }} {% endfor %} } } Loading
handlers/main.yaml +3 −3 Original line number Diff line number Diff line --- # restart iptables - name: "restart iptables" # restart nftables - name: "restart nftables" ansible.builtin.service: name: "iptables" name: "nftables" state: "restarted" # apply local routes Loading
tasks/firewall.yaml +6 −38 Original line number Diff line number Diff line --- # deploy ipv4 iptable rules - name: "firewall - ipv4 rules" ansible.builtin.copy: dest: "/etc/iptables/rules-save" # deploy nftables rules - name: "firewall - nftables rules" ansible.builtin.template: src: "nftables.conf.j2" dest: "/etc/nftables.conf" mode: "0600" owner: "root" group: "root" content: | *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # NAT masquerade from LAN to WAN -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE {% for forward in nat_port_forwards %} # {{ forward.name }} -A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }} {% endfor %} COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow established/related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow loopback -A INPUT -i lo -j ACCEPT # Allow LAN management access -A INPUT -i {{ lan_interface }} -j ACCEPT # Allow forwarding from LAN to anywhere -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT {% for forward in nat_port_forwards %} # {{ forward.name }} -A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT {% endfor %} COMMIT notify: "restart iptables" notify: "restart nftables" # load nf_conntrack module - name: "firewall - load nf_conntrack module" Loading
tasks/routing.yaml +3 −3 Original line number Diff line number Diff line --- # install iptables - name: "routing - install ptables" # install nftables - name: "routing - install nftables" community.general.apk: name: - "iptables" - "nftables" state: "present" update_cache: true Loading
templates/nftables.conf.j2 0 → 100644 +57 −0 Original line number Diff line number Diff line #!/usr/sbin/nft -f flush ruleset table inet filter { chain input { type filter hook input priority 0; policy drop; # Allow established/related ct state established,related accept # Allow loopback iif lo accept # Allow LAN management access iif {{ lan_interface }} accept # Allow ICMP ip protocol icmp accept ip6 nexthdr ipv6-icmp accept } chain forward { type filter hook forward priority 0; policy drop; # Allow established/related ct state established,related accept # Allow forwarding from LAN to anywhere iif {{ lan_interface }} oif {{ wan_interface }} accept {% for forward in nat_port_forwards %} # {{ forward.name }} iif {{ wan_interface }} oif {{ lan_interface }} ip daddr {{ forward.dst }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} accept {% endfor %} } chain output { type filter hook output priority 0; policy accept; } } table ip nat { chain postrouting { type nat hook postrouting priority 100; policy accept; # NAT masquerade from LAN to WAN oif {{ wan_interface }} masquerade } chain prerouting { type nat hook prerouting priority -100; policy accept; {% for forward in nat_port_forwards %} # {{ forward.name }} iif {{ wan_interface }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} dnat to {{ forward.dst }}:{{ forward.port }} {% endfor %} } }
