Feat(firewall): Switch to `nftables`

[ansible.git] / playbooks / roles / debian / firewall / files / etc / network / functions.phd

diff --git a/playbooks/roles/debian/firewall/files/etc/network/functions.phd b/playbooks/roles/debian/firewall/files/etc/network/functions.phd
index 8d4e865e819f1892ee0ae6388edebe4093aa6781..ff5c17fb3dac0716d4a1607d973b7728715253bd 100644 (file)
--- a/playbooks/roles/debian/firewall/files/etc/network/functions.phd
+++ b/playbooks/roles/debian/firewall/files/etc/network/functions.phd
@@ -1,60 +1,59 @@
-IPTABLES=/sbin/iptables
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 
 my_ip() {
    MYIP=$1
 
    # Allow everything from this host
-   $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+   nft add rule ip filter input ip saddr $MYIP accept
 
    # Allow ICMP
-   $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+   nft add rule ip filter input ip daddr $MYIP accept
 
    # Allow ports >1024
-   $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
-   $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+   nft add rule ip filter input ip daddr $MYIP tcp dport 1024-65535 tcp flags \& syn != syn accept
+   nft add rule ip filter input ip daddr $MYIP udp dport 1024-65535 accept
 }
 
 start_firewall() {
    # Allow everything from localhost
-   $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+   nft add rule ip filter input ip saddr 127.0.0.1 accept
 
    # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
-   $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
-   $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
-   $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
-   $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+   nft add rule ip filter input tcp dport 2049 drop
+   nft add rule ip filter input udp dport 2049 drop
+   nft add rule ip filter input tcp dport 6000-6063 drop
+   nft add rule ip filter input udp dport 6000-6063 drop
 
    # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
-   $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
-   $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
-   $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
-   $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
-   $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
-   $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+   nft add rule ip filter input tcp dport 22 accept
+   nft add rule ip filter input tcp dport 25 accept
+   nft add rule ip filter input tcp dport 53 accept
+   nft add rule ip filter input udp dport 53 accept
+   nft add rule ip filter input udp sport 53 udp dport 1024-65535 accept
+   nft add rule ip filter input tcp dport 80 accept
+   nft add rule ip filter input tcp dport 113 accept
+   nft add rule ip filter input tcp dport 123 accept
+   nft add rule ip filter input udp dport 123 accept
+   nft add rule ip filter input tcp dport 137-139 accept
+   nft add rule ip filter input udp dport 137-139 accept
+   nft add rule ip filter input tcp dport 443 accept
+   nft add rule ip filter input tcp dport 445 accept
+   nft add rule ip filter input udp dport 1194 accept
+   nft add rule ip filter input tcp dport 9418 accept
 
    # FTP
-   $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+   nft add rule ip filter input tcp dport 20 accept
+   nft add rule ip filter input tcp dport 21 accept
    # Allow ftp-data for active connections
-   #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+   #nft add rule ip filter input tcp sport 20 tcp dport 1024-65535 accept
 
    # Track FTP connections to allow active and passive mode FTP
-   $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --sport 1024:65535  -m state --state ESTABLISHED,RELATED -j ACCEPT
-   $IPTABLES -A INPUT -p tcp --dport 1024:65535  -m state --state ESTABLISHED,RELATED -j ACCEPT
+   nft add rule ip filter input tcp sport 20 ct state established,related accept
+   nft add rule ip filter input tcp dport 20 ct state established,related accept
+   nft add rule ip filter input tcp sport 21 ct state new,established accept
+   nft add rule ip filter input tcp dport 21 ct state established,related accept
+   nft add rule ip filter input tcp sport 1024-65535 ct state established,related accept
+   nft add rule ip filter input tcp dport 1024-65535 ct state established,related accept
 
    MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
    for ip in $MY_IP; do my_ip "$ip"; done