X-Git-Url: https://git.phdru.name/?a=blobdiff_plain;f=playbooks%2Froles%2Fredhat%2Ffirewall%2Ffiles%2Fetc%2Fnetwork%2Ffunctions.phd;h=f83af4e8c4612900c2612601951305ab0d50df52;hb=68c6d1968549ead2917de6323b5254317d1e9833;hp=613089b4dcf8e3e70c45e5a76c5c310f082d60d5;hpb=5f1d35a38ad720f8ac03969bd7fa6b05effa79d6;p=ansible.git
diff --git a/playbooks/roles/redhat/firewall/files/etc/network/functions.phd b/playbooks/roles/redhat/firewall/files/etc/network/functions.phd
index 613089b..f83af4e 100644
--- a/playbooks/roles/redhat/firewall/files/etc/network/functions.phd
+++ b/playbooks/roles/redhat/firewall/files/etc/network/functions.phd
@@ -1,61 +1,60 @@ -IPTABLES=/sbin/iptables PATH=/sbin:/bin:/usr/sbin:/usr/bin my_ip() { MYIP=$1 # Allow everything from this host - $IPTABLES -A INPUT -s $MYIP -j ACCEPT + nft add rule ip filter input saddr $MYIP counter accept # Allow ICMP - $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT + nft add rule ip filter input daddr $MYIP proto icmp counter accept # Allow ports >1024 - $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT - $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT + nft add rule ip filter input daddr $MYIP dport 1024- proto tcp tcp flags & syn != syn counter accept + nft add rule ip filter input daddr $MYIP dport 1024- proto udp counter accept } start_firewall() { # Allow everything from localhost - $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT + nft add rule ip filter input saddr 127.0.0.1 counter accept # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024 - $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP - $IPTABLES -A INPUT -p udp --dport 2049 -j DROP - $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP - $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP + nft add rule ip filter input dport 2049 proto tcp counter drop + nft add rule ip filter input dport 2049 proto udp counter drop + nft add rule ip filter input dport 6000-6063 proto tcp counter drop + nft add rule ip filter input dport 6000-6063 proto udp counter drop # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon - $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT - $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT - $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT - $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 
137:139 -j ACCEPT - $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT - $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT + nft add rule ip filter input dport 22 proto tcp counter accept + nft add rule ip filter input dport 25 proto tcp counter accept + nft add rule ip filter input dport 53 proto tcp counter accept + nft add rule ip filter input dport 53 proto udp counter accept + nft add rule ip filter input sport 53 dport 1024- proto udp counter accept + nft add rule ip filter input dport 80 proto tcp counter accept + nft add rule ip filter input dport 113 proto tcp counter accept + nft add rule ip filter input dport 123 proto tcp counter accept + nft add rule ip filter input dport 123 proto udp counter accept + nft add rule ip filter input dport 137-139 proto tcp counter accept + nft add rule ip filter input dport 137-139 proto udp counter accept + nft add rule ip filter input dport 443 proto tcp counter accept + nft add rule ip filter input dport 445 proto tcp counter accept + nft add rule ip filter input dport 1194 proto udp counter accept + nft add rule ip filter input dport 9418 proto tcp counter accept # FTP - $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT + nft add rule ip filter input dport 20 proto tcp counter accept + nft add rule ip filter input dport 21 proto tcp counter accept # Allow ftp-data for active connections - #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT + #nft add rule ip filter input sport 20 dport 1024- proto tcp counter accept # Track FTP connections to allow active and passive mode FTP - $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT - $IPTABLES -A INPUT -p tcp --sport 21 -m state --state 
NEW,ESTABLISHED -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT - $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT - - MY_IP=$(ip -o -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}') + nft add rule ip filter input sport 20 proto tcp ct mstate state state state established,related counter accept + nft add rule ip filter input dport 20 proto tcp ct mstate state state state established,related counter accept + nft add rule ip filter input sport 21 proto tcp ct mstate state state state new,established counter accept + nft add rule ip filter input dport 21 proto tcp ct mstate state state state established,related counter accept + nft add rule ip filter input sport 1024-65535 proto tcp ct mstate state state state established,related counter accept + nft add rule ip filter input dport 1024-65535 proto tcp ct mstate state state state established,related counter accept + + MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}') for ip in $MY_IP; do my_ip "$ip"; done }
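Review bot: Most of the converted rules in this hunk will not load as written: the six `ct mstate state state state established,related` lines at the end of start_firewall are not nft syntax for `ct state established,related`, and the bare `saddr`, `daddr`, `proto tcp`/`proto udp` and `dport`/`sport` keywords used throughout need their expression prefix (`ip saddr`, `ip daddr`, `ip protocol icmp`, `tcp dport`/`udp dport`), with `1024-65535` rather than `1024-`, which as far as I know nft does not accept as an open range. The `tcp flags & syn != syn` line in my_ip is additionally a shell bug, because the unquoted `&` backgrounds a truncated nft command and then runs `syn` as a command; it is also not the translation of `! --syn`, which is `tcp flags & (fin|syn|rst|ack) != syn`. Since no nft exit status is checked and the `ip filter` table and `input` chain are not created in this hunk, every rejected rule is silently skipped and the host is left with whatever policy that chain has (accept, if it was created elsewhere without `policy drop`), so each `nft` call should fail loudly (`|| return 1`, or `set -e` in the caller) and the rule set should be checked with `nft -c -f` before deployment. The rewritten my_ip rules and the pattern for the state rules are below.
```shell
    # Allow everything from this host
    nft add rule ip filter input ip saddr "$MYIP" counter accept || return 1

    # Allow ICMP
    nft add rule ip filter input ip daddr "$MYIP" ip protocol icmp counter accept || return 1

    # Allow ports >1024; "! --syn" means "not a bare SYN", and the match is quoted
    # so the shell does not interpret & ( | )
    nft add rule ip filter input ip daddr "$MYIP" tcp dport 1024-65535 'tcp flags & (fin|syn|rst|ack) != syn' counter accept || return 1
    nft add rule ip filter input ip daddr "$MYIP" udp dport 1024-65535 counter accept || return 1
    # … unchanged: rest of my_ip and start_firewall …
    # each of the six state rules in start_firewall becomes, e.g.:
    nft add rule ip filter input tcp sport 20 ct state established,related counter accept || return 1
```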