Initial commit

defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# defaults for nftables
+
+nftables_environment: {}

files/nftables.conf

@@ -0,0 +1,54 @@
+flush ruleset                                                                    
+                                                                                 
+table inet firewall {
+                                                                                 
+    chain inbound_ipv4 {
+        # accepting ping (icmp-echo-request) for diagnostic purposes.
+        # However, it also lets probes discover this host is alive.
+        # This sample accepts them within a certain rate limit:
+        #
+        icmp type echo-request limit rate 5/second accept      
+    }
+
+    chain inbound_ipv6 {                                                         
+        # accept neighbour discovery otherwise connectivity breaks
+        #
+        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+                                                                                 
+        # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+        # However, it also lets probes discover this host is alive.
+        # This sample accepts them within a certain rate limit:
+        #
+        icmpv6 type echo-request limit rate 5/second accept
+    }
+
+    chain inbound {                                                              
+
+        # By default, drop all traffic unless it meets a filter
+        # criteria specified by the rules that follow below.
+        type filter hook input priority 0; policy drop;
+
+        # Allow traffic from established and related packets, drop invalid
+        ct state vmap { established : accept, related : accept, invalid : drop } 
+
+        # Allow loopback traffic.
+        iifname lo accept
+
+        # Jump to chain according to layer 3 protocol using a verdict map
+        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
+
+        # Allow SSH on port TCP/22 and allow HTTPS on port TCP/443
+        # for IPv4 and IPv6.
+        tcp dport { 22, 443} accept
+
+        # Uncomment to enable logging of denied inbound traffic
+        log prefix "[nftables] Inbound Denied: " counter drop
+    }                                                                            
+                                                                                 
+    chain forward {                                                              
+        # Drop everything (assumes this device is not a router)                  
+        type filter hook forward priority 0; policy drop;                        
+    }                                                                            
+                                                                                 
+    # no need to define output chain, default policy is accept if undefined.
+}

handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# handlers file for nftables
+
+- name: restart nftables
+  service:
+    name: nftables
+    state: restarted
+

tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+# Tasks to install nftables 
+
+- name: install nftables 
+  apt:
+    pkg:
+      - nftables
+    state: latest
+
+- name: setup nftables config
+  copy:
+    src: nftables.conf
+    dest: /etc/nftables.conf
+  notify:
+    - restart nftables
+
+- name: enable and start nftables
+  systemd:
+    enabled: true
+    state: started
+    name: nftables
+