feat: nftables firewall

bruzina · bruzina · commit d7cf1bbee542 · 2025-06-10T19:52:33.000+02:00
diff --git a/README.md b/README.md
@@ -6,12 +6,13 @@ This Ansible collection provides a set of roles designed for configuring Kubuntu
 
 ### Roles
 
-| Role                                           | Description                                                                                                                                | Dependencies                   |
-| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------ |
-| [xebis.ansible.apt](roles/apt/README.md)       | Deb package updates and upgrades using the apt package manager. Can optionally clean up unused packages and reboot the system if required. | `xebis.ansible.system`         |
-| `xebis.ansible.openssh_server`                 | Installs OpenSSH server installation and provides `Restart ssh` handler.                                                                   | `xebis.ansible.apt`            |
-| [xebis.ansible.system](roles/system/README.md) | System-related tasks such as reboot handler or reboot when required handler.                                                               |                                |
-| [`xebis.ansible.users`](roles/users/README.md) | Ansible role for managing system users.                                                                                                    | `xebis.ansible.openssh_server` |
+| Role                                                                 | Description                                                                                                                                | Dependencies                   |
+| -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------ |
+| [xebis.ansible.apt](roles/apt/README.md)                             | Deb package updates and upgrades using the apt package manager. Can optionally clean up unused packages and reboot the system if required. | `xebis.ansible.system`         |
+| [xebis.ansible.nftables_firewall](roles/nftables_firewall/README.md) | nftables firewall                                                                                                                          | `xebis.ansible.apt`            |
+| `xebis.ansible.openssh_server`                                       | Installs OpenSSH server and provides `Restart ssh` handler.                                                                                | `xebis.ansible.apt`            |
+| [xebis.ansible.system](roles/system/README.md)                       | System-related tasks such as reboot handler or reboot when required handler.                                                               |                                |
+| [`xebis.ansible.users`](roles/users/README.md)                       | Ansible role for managing system users.                                                                                                    | `xebis.ansible.openssh_server` |
 
 ## Installation and Configuration
 
diff --git a/roles/nftables_firewall/README.md b/roles/nftables_firewall/README.md
@@ -0,0 +1,22 @@
+# Xebis.Ansible.Nftables_Firewall
+
+`nftables` based extensible firewall chains and rules.
+
+## Tasks
+
+- Installs `nftables` package, creates `/etc/nftables` configuration directory.
+- Copies default nftables chains and rules.
+- Asynchronously starts and enables nftables service and waits until it is ready.
+
+## Variables
+
+- `nftables_firewall_log_rejected` [boolean]
+  - Whether to log rejected packets to syslog.
+  - Default `false`
+
+## Handlers
+
+- `Validate and reload nftables firewall`
+  - Validates and reloads all `nftables` firewall rules.
+- `Reload nftables firewall`
+  - Reloads all `nftables` firewall rules. Shouldn't be used without prior nftables configuration check.
diff --git a/roles/nftables_firewall/files/inet-chain-manual.conf b/roles/nftables_firewall/files/inet-chain-manual.conf
@@ -0,0 +1,6 @@
+# File for manually added nftables chains
+# Example chain:
+#chain inet-manual-example {
+#    tcp dport 8080 counter accept # Allow testing HTTP traffic
+#    tcp dport { 2000,3000,4000,5000 } counter accept # Allow usual HTTP ports for applications in development
+#}
diff --git a/roles/nftables_firewall/files/inet-fwd-manual.conf b/roles/nftables_firewall/files/inet-fwd-manual.conf
@@ -0,0 +1,4 @@
+# File for manually added nftables inet fwd rules
+# Example rules:
+#tcp dport 8080 counter accept # Allow testing HTTP traffic
+#ip saddr 192.168.1.0/24 jump inet-manual-example
diff --git a/roles/nftables_firewall/files/inet-in-manual.conf b/roles/nftables_firewall/files/inet-in-manual.conf
@@ -0,0 +1,4 @@
+# File for manually added nftables inet in rules
+# Example rules:
+#tcp dport 8080 counter accept # Allow testing HTTP traffic
+#ip saddr 192.168.1.0/24 jump inet-manual-example
diff --git a/roles/nftables_firewall/files/inet-out-manual.conf b/roles/nftables_firewall/files/inet-out-manual.conf
@@ -0,0 +1,4 @@
+# File for manually added nftables inet out rules
+# Example rules:
+#tcp dport 8080 counter accept # Allow testing HTTP traffic
+#ip saddr 192.168.1.0/24 jump inet-manual-example
diff --git a/roles/nftables_firewall/handlers/main.yaml b/roles/nftables_firewall/handlers/main.yaml
@@ -0,0 +1,15 @@
+---
+- name: Validate and reload all nftables firewall rules
+  become: true
+  ansible.builtin.command:
+    cmd: nft -c -f /etc/nftables.conf
+  changed_when: true
+  listen: Validate and reload nftables firewall
+  notify: Reload nftables firewall
+
+- name: Reload all nftables firewall rules
+  become: true
+  ansible.builtin.command:
+    cmd: /etc/nftables.conf
+  changed_when: true
+  listen: Reload nftables firewall
diff --git a/roles/nftables_firewall/meta/main.yaml b/roles/nftables_firewall/meta/main.yaml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: xebis.ansible.apt # Expects updated apt cache
diff --git a/roles/nftables_firewall/tasks/main.yaml b/roles/nftables_firewall/tasks/main.yaml
@@ -0,0 +1,56 @@
+---
+- name: Install firewall deb packages
+  become: true
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+
+- name: Create nftables directory
+  become: true
+  ansible.builtin.file:
+    path: /etc/nftables
+    mode: u=rwx,g=rx,o=rx
+    state: directory
+
+- name: Copy common firewall rules from template
+  become: true
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    mode: u=rwx,g=r,o=r
+    validate: nft -c -f %s
+  notify: Validate and reload nftables firewall
+
+- name: Copy manual firewall rules files
+  become: true
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/nftables/{{ item }}
+    force: false
+    mode: u=rwx,g=rx,o=rx
+  with_items:
+    - inet-in-manual.conf
+    - inet-fwd-manual.conf
+    - inet-out-manual.conf
+    - inet-chain-manual.conf
+
+- name: Start and enable nftables service
+  become: true
+  ansible.builtin.systemd:
+    name: nftables
+    enabled: true
+    state: started
+  register: nftables_service
+  when: not ansible_check_mode
+  async: 60
+  poll: 0
+
+- name: Check on nftables service
+  become: true
+  ansible.builtin.async_status:
+    jid: "{{ nftables_service.ansible_job_id }}"
+  register: nftables_service_result
+  when: not ansible_check_mode
+  until: nftables_service_result.finished
+  retries: 12
+  delay: 5
diff --git a/roles/nftables_firewall/templates/nftables.conf.j2 b/roles/nftables_firewall/templates/nftables.conf.j2
@@ -0,0 +1,63 @@
+#!/usr/sbin/nft -f
+
+table inet filter
+delete table inet filter
+
+table inet filter {
+    chain inet-pre {
+        type filter hook prerouting priority 0; policy drop;
+        ct state invalid counter drop # Drop invalid and faulty packets
+        iif != lo ip daddr 127.0.0.0/8 counter drop
+        iif != lo ip6 daddr ::1 counter drop
+        counter accept
+    }
+
+    chain inet-in {
+        type filter hook input priority 0; policy drop;
+        ct state { established,related } counter accept # Allow traffic from established and related packets
+        iif lo accept # Allow loopback traffic
+        ip protocol icmp counter limit rate 10/second accept # Allow all ICMP and IGMP traffic, but enforce a rate limit
+        ip protocol igmp counter limit rate 10/second accept
+        ip6 nexthdr icmpv6 counter limit rate 10/second accept
+        tcp dport 22 counter accept # Allow SSH traffic
+        include "/etc/nftables/inet-in-*.conf" # Include roles rules
+        counter {% if nftables_firewall_log_rejected is defined and nftables_firewall_log_rejected %}log prefix "nftables inet-in rejected " {% endif %}reject with icmpx type port-unreachable # Reject
+    }
+
+    chain inet-fwd {
+        type filter hook forward priority 0; policy drop;
+        ct state { established,related } counter accept # Allow traffic from established and related packets
+        ip protocol icmp counter accept # Allow all ICMP and IGMP traffic, but do NOT enforce a rate limit
+        ip protocol igmp counter accept
+        ip6 nexthdr icmpv6 counter accept
+        include "/etc/nftables/inet-fwd-*.conf" # Include roles rules
+        counter {% if nftables_firewall_log_rejected is defined and nftables_firewall_log_rejected %}log prefix "nftables inet-fwd rejected " {% endif %}reject with icmpx type host-unreachable # Reject
+    }
+
+    chain inet-out {
+        type filter hook output priority 0; policy drop;
+        ct state { established,related } counter accept # Allow traffic from established and related packets
+        oif lo counter accept
+        ip protocol icmp counter accept # Allow all ICMP and IGMP traffic, but do NOT enforce a rate limit
+        ip protocol igmp counter accept
+        ip6 nexthdr icmpv6 counter accept
+        udp dport 53 counter accept # Allow DNS traffic
+        tcp dport 53 counter accept
+        udp dport 123 counter accept # Allow NTP traffic
+        tcp dport 80 counter accept # Allow HTTP traffic
+        tcp dport 443 counter accept # Allow HTTPS traffic
+        tcp dport 22 counter accept # Allow SSH traffic
+        include "/etc/nftables/inet-out-*.conf" # Include roles rules
+        counter {% if nftables_firewall_log_rejected is defined and nftables_firewall_log_rejected %}log prefix "nftables inet-out rejected " {% endif %}reject with icmpx type admin-prohibited # Reject
+    }
+
+    chain inet-post {
+        type filter hook postrouting priority 0; policy drop;
+        ct state invalid counter drop # Drop invalid and faulty packets
+        oif != lo ip daddr 127.0.0.0/8 counter drop
+        oif != lo ip6 daddr ::1 counter drop
+        counter accept
+    }
+
+    include "/etc/nftables/inet-chain-*.conf" # Include roles chains
+}
diff --git a/test.yaml b/test.yaml
@@ -8,6 +8,7 @@
         cache_valid_time: 3600
         purge: true
         upgrade: "full"
+    - role: xebis.ansible.nftables_firewall
     - role: xebis.ansible.openssh_server
     - role: xebis.ansible.users
       vars:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+dependencies:`
	`3`	`+ - role: xebis.ansible.apt # Expects updated apt cache`