From 68c6d1968549ead2917de6323b5254317d1e9833 Mon Sep 17 00:00:00 2001 From: Oleg Broytman Date: Wed, 4 Jan 2023 14:20:22 +0300 Subject: [PATCH] Feat(firewall): Switch to `nftables` --- playbooks/roles/debian/firewall/README.txt | 2 +- .../firewall/files/etc/init.d/iptables.sh | 62 ----------------- .../firewall/files/etc/init.d/nftables.sh | 60 +++++++++++++++++ .../debian/firewall/files/etc/init.d/rc.masq | 3 - .../firewall/files/etc/network/functions.phd | 67 +++++++++---------- .../firewall/files/etc/network/if-down.d/eth | 2 +- .../firewall/files/etc/network/if-up.d/eth | 2 +- .../roles/debian/firewall/handlers/main.yaml | 2 +- .../roles/debian/firewall/tasks/main.yaml | 30 ++++++++- playbooks/roles/redhat/firewall/README.txt | 2 +- .../firewall/files/etc/network/functions.phd | 67 +++++++++---------- .../firewall/files/etc/network/if-down.d/eth | 2 +- .../firewall/files/etc/network/if-up.d/eth | 2 +- .../files/etc/rc.d/init.d/iptables.sh | 62 ----------------- .../files/etc/rc.d/init.d/nftables.sh | 60 +++++++++++++++++ .../firewall/files/etc/rc.d/init.d/rc.masq | 3 - .../roles/redhat/firewall/handlers/main.yaml | 2 +- .../roles/redhat/firewall/tasks/main.yaml | 8 +-- 18 files changed, 226 insertions(+), 212 deletions(-) delete mode 100755 playbooks/roles/debian/firewall/files/etc/init.d/iptables.sh create mode 100755 playbooks/roles/debian/firewall/files/etc/init.d/nftables.sh delete mode 100755 playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/iptables.sh create mode 100755 playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/nftables.sh diff --git a/playbooks/roles/debian/firewall/README.txt b/playbooks/roles/debian/firewall/README.txt index 6f8f7e2..88b7909 100644 --- a/playbooks/roles/debian/firewall/README.txt +++ b/playbooks/roles/debian/firewall/README.txt @@ -1,3 +1,3 @@ -Configure Debian iptables firewall. +Configure Debian nftables firewall. Allow everything out, limit in, disable forward. 
diff --git a/playbooks/roles/debian/firewall/files/etc/init.d/iptables.sh b/playbooks/roles/debian/firewall/files/etc/init.d/iptables.sh
deleted file mode 100755
index 64fd5c1..0000000
--- a/playbooks/roles/debian/firewall/files/etc/init.d/iptables.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: iptables.sh
-# Required-Start: $remote_fs $network
-# Required-Stop: $remote_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: iptables firewall
-### END INIT INFO
-
-# Setup ip firewall
-
-. /etc/network/functions.phd
-
-case "$1" in
-    start)
-        /etc/init.d/fail2ban stop
-
-        # Start afresh
-        $IPTABLES -F
-        $IPTABLES -F -t nat
-        $IPTABLES -F -t mangle
-
-        # Default policies
-        $IPTABLES -P INPUT DROP
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD DROP
-
-        start_firewall
-        /etc/init.d/rc.masq
-        /etc/init.d/fail2ban start
-        ;;
-
-    stop)
-        /etc/init.d/fail2ban stop
-
-        $IPTABLES -F
-        $IPTABLES -F -t nat
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT DROP
-        $IPTABLES -P OUTPUT DROP
-        $IPTABLES -P FORWARD DROP
-        ;;
-
-    clear)
-        /etc/init.d/fail2ban stop
-
-        # Flush (delete) all rules
-        $IPTABLES -F
-        $IPTABLES -F -t nat
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        ;;
-
-    *)
-        echo "Usage: firewall {start|stop|clear}"
-        exit 1
-esac
-
-exit 0
diff --git a/playbooks/roles/debian/firewall/files/etc/init.d/nftables.sh b/playbooks/roles/debian/firewall/files/etc/init.d/nftables.sh
new file mode 100755
index 0000000..f16ebd8
--- /dev/null
+++ b/playbooks/roles/debian/firewall/files/etc/init.d/nftables.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: nftables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: nftables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+    start)
+        /etc/init.d/fail2ban stop
+
+        # Start afresh
+        nft flush ruleset
+
+        # Default policies
+        nft add table ip filter
+        nft add table ip nat
+        nft add chain ip nat prerouting \{ type nat hook prerouting priority dstnat\; policy accept\; \}
+        nft add chain ip nat postrouting \{ type nat hook postrouting priority srcnat\; policy accept\; \}
+        nft add chain ip filter input \{ type filter hook input priority filter\; policy drop\; \}
+        nft add chain ip filter output \{ type filter hook output priority filter\; policy accept\; \}
+        nft add chain ip filter forward \{ type filter hook forward priority filter\; policy drop\; \}
+
+        start_firewall
+        /etc/init.d/rc.masq
+        /etc/init.d/fail2ban start
+        ;;
+
+    stop)
+        /etc/init.d/fail2ban stop
+
+        nft flush ruleset
+        nft add chain ip filter input \{ type filter hook input priority filter\; policy drop\; \}
+        nft add chain ip filter output \{ type filter hook output priority filter\; policy drop\; \}
+        nft add chain ip filter forward \{ type filter hook forward priority filter\; policy drop\; \}
+        ;;
+
+    clear)
+        /etc/init.d/fail2ban stop
+
+        # Flush (delete) all rules
+        nft flush ruleset
+        nft add chain ip filter input \{ type filter hook input priority filter\; policy accept\; \}
+        nft add chain ip filter output \{ type filter hook output priority filter\; policy accept\; \}
+        nft add chain ip filter forward \{ type filter hook forward priority filter\; policy accept\; \}
+        ;;
+
+    *)
+        echo "Usage: firewall {start|stop|clear}"
+        exit 1
+esac
+
+exit 0
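Review bot: The `stop` and `clear` branches cannot do what they say: `nft flush ruleset` deletes the `ip filter` table, and the `nft add chain ip filter ...` lines that follow are rejected with "No such file or directory" because nothing re-creates the table first, so `stop` leaves an empty ruleset (everything accepted) instead of drop-all while the script still exits 0. Add `nft add table ip filter` directly after each `nft flush ruleset` in those two branches, and consider `set -e` at the top so a failed nft call can never silently leave the host open. As with the iptables script it replaces, only the `ip` family is handled; if these hosts carry routable IPv6 addresses the same policy needs an `inet` (or parallel `ip6`) table. The `start` sequence could also be fed to a single `nft -f -` so the ruleset is replaced atomically rather than through a window with no filtering at all.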
diff --git a/playbooks/roles/debian/firewall/files/etc/init.d/rc.masq b/playbooks/roles/debian/firewall/files/etc/init.d/rc.masq
index 69be427..27ffc4d 100755
--- a/playbooks/roles/debian/firewall/files/etc/init.d/rc.masq
+++ b/playbooks/roles/debian/firewall/files/etc/init.d/rc.masq
@@ -69,9 +69,6 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
 #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
-IPTABLES=/sbin/iptables
-
-
 # DHCP: For people who receive their external IP address from either DHCP or BOOTP
 # such as ADSL or Cablemodem users, it is necessary to use the following
 # before the deny command. The "bootp_client_net_if_name" should be replaced
diff --git a/playbooks/roles/debian/firewall/files/etc/network/functions.phd b/playbooks/roles/debian/firewall/files/etc/network/functions.phd
index 8d4e865..ff5c17f 100644
--- a/playbooks/roles/debian/firewall/files/etc/network/functions.phd
+++ b/playbooks/roles/debian/firewall/files/etc/network/functions.phd
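Review bot: Only the `IPTABLES=/sbin/iptables` assignment is removed here, yet rc.masq is still executed by the new init script right after `start_firewall`, and the rest of the file is outside this hunk; if it still issues `$IPTABLES -t nat ...` masquerade rules, those now expand to a bare option string and fail without the caller noticing, so NAT would silently stop being installed while `echo 1 > /proc/sys/net/ipv4/ip_forward` keeps forwarding enabled. Please confirm the remainder of rc.masq was converted to `nft add rule ip nat postrouting ...` against the `ip nat` chains the init script now creates, or guard the forwarding sysctl until it has been.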
@@ -1,60 +1,59 @@
-IPTABLES=/sbin/iptables
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 my_ip() {
     MYIP=$1
     # Allow everything from this host
-    $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+    nft add rule ip filter input ip saddr $MYIP accept
     # Allow ICMP
-    $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+    nft add rule ip filter input ip daddr $MYIP accept
     # Allow ports >1024
-    $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
-    $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+    nft add rule ip filter input ip daddr $MYIP tcp dport 1024-65535 tcp flags \& syn != syn accept
+    nft add rule ip filter input ip daddr $MYIP udp dport 1024-65535 accept
 }
 start_firewall() {
     # Allow everything from localhost
-    $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+    nft add rule ip filter input ip saddr 127.0.0.1 accept
     # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
-    $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
-    $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
-    $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
-    $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+    nft add rule ip filter input tcp dport 2049 drop
+    nft add rule ip filter input udp dport 2049 drop
+    nft add rule ip filter input tcp dport 6000-6063 drop
+    nft add rule ip filter input udp dport 6000-6063 drop
     # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
-    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+    nft add rule ip filter input tcp dport 22 accept
+    nft add rule ip filter input tcp dport 25 accept
+    nft add rule ip filter input tcp dport 53 accept
+    nft add rule ip filter input udp dport 53 accept
+    nft add rule ip filter input udp sport 53 udp dport 1024-65535 accept
+    nft add rule ip filter input tcp dport 80 accept
+    nft add rule ip filter input tcp dport 113 accept
+    nft add rule ip filter input tcp dport 123 accept
+    nft add rule ip filter input udp dport 123 accept
+    nft add rule ip filter input tcp dport 137-139 accept
+    nft add rule ip filter input udp dport 137-139 accept
+    nft add rule ip filter input tcp dport 443 accept
+    nft add rule ip filter input tcp dport 445 accept
+    nft add rule ip filter input udp dport 1194 accept
+    nft add rule ip filter input tcp dport 9418 accept
     # FTP
-    $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+    nft add rule ip filter input tcp dport 20 accept
+    nft add rule ip filter input tcp dport 21 accept
     # Allow ftp-data for active connections
-    #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+    #nft add rule ip filter input tcp sport 20 tcp dport 1024-65535 accept
     # Track FTP connections to allow active and passive mode FTP
-    $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+    nft add rule ip filter input tcp sport 20 ct state established,related accept
+    nft add rule ip filter input tcp dport 20 ct state established,related accept
+    nft add rule ip filter input tcp sport 21 ct state new,established accept
+    nft add rule ip filter input tcp dport 21 ct state established,related accept
+    nft add rule ip filter input tcp sport 1024-65535 ct state established,related accept
+    nft add rule ip filter input tcp dport 1024-65535 ct state established,related accept
     MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
     for ip in $MY_IP; do my_ip "$ip"; done
diff --git a/playbooks/roles/debian/firewall/files/etc/network/if-down.d/eth b/playbooks/roles/debian/firewall/files/etc/network/if-down.d/eth
index 3e002ca..8ab5695 100755
--- a/playbooks/roles/debian/firewall/files/etc/network/if-down.d/eth
+++ b/playbooks/roles/debian/firewall/files/etc/network/if-down.d/eth
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec /etc/init.d/iptables.sh start
+exec /etc/init.d/nftables.sh start
diff --git a/playbooks/roles/debian/firewall/files/etc/network/if-up.d/eth b/playbooks/roles/debian/firewall/files/etc/network/if-up.d/eth
index 3e002ca..8ab5695 100755
--- a/playbooks/roles/debian/firewall/files/etc/network/if-up.d/eth
+++ b/playbooks/roles/debian/firewall/files/etc/network/if-up.d/eth
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec /etc/init.d/iptables.sh start
+exec /etc/init.d/nftables.sh start
diff --git a/playbooks/roles/debian/firewall/handlers/main.yaml b/playbooks/roles/debian/firewall/handlers/main.yaml
index 2c79610..33594fd 100644
--- a/playbooks/roles/debian/firewall/handlers/main.yaml
+++ b/playbooks/roles/debian/firewall/handlers/main.yaml
@@ -1,5 +1,5 @@
 - name: Restart firewall
   become: true
   service:
-    name: iptables.sh
+    name: nftables.sh
     state: started
diff --git a/playbooks/roles/debian/firewall/tasks/main.yaml b/playbooks/roles/debian/firewall/tasks/main.yaml
index 29c9bc9..b266fbb 100644
--- a/playbooks/roles/debian/firewall/tasks/main.yaml
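Review bot: The `# Allow ICMP` rule in `my_ip()` lost its protocol match: `nft add rule ip filter input ip daddr $MYIP accept` matches every packet addressed to the host's own IP, i.e. all inbound traffic, so apart from the four NFS/X11 drops that precede it the input chain becomes accept-all and the port allow-list below is moot. It should read `nft add rule ip filter input ip daddr $MYIP ip protocol icmp accept`, matching the removed `-p icmp` line. Before this commit the debian and redhat copies of functions.phd were the same blob (8d4e865); the redhat rewrite keeps a protocol match here but breaks the syntax elsewhere, so keeping the two files identical again would stop them drifting. `start_firewall()` closes outside the hunk.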
+++ b/playbooks/roles/debian/firewall/tasks/main.yaml
@@ -1,13 +1,33 @@
-- name: Install iptables and fail2ban
+- name: Install fail2ban and nftables
   become: true
   apt:
     cache_valid_time: 3600
     install_recommends: no
-    name: ['iptables', 'fail2ban']
+    name: ['fail2ban', 'nftables']
     state: latest
     update_cache: yes
   notify: Restart firewall
+- name: "Change /etc/fail2ban/jail.conf (iptables -> nftables)"
+  become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction = iptables-multiport$'
+    line: 'banaction = nftables-multiport'
+  notify: Restart firewall
+- become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction = iptables-multiport-log$'
+    line: 'banaction = nftables-multiport'
+  notify: Restart firewall
+- become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction_allports = iptables-allports$'
+    line: 'banaction_allports = nftables-allports'
+  notify: Restart firewall
+
 
 - name: Configure Debian firewall
   become: true
   copy:
@@ -26,3 +46,9 @@
     path: /etc/network/functions.phd
     mode: '0640'
   notify: Restart firewall
+
+- name: Remove iptables leftovers
+  become: true
+  file:
+    path: /etc/init.d/iptables.sh
+    state: absent
diff --git a/playbooks/roles/redhat/firewall/README.txt b/playbooks/roles/redhat/firewall/README.txt
index c90cb67..ee0436c 100644
--- a/playbooks/roles/redhat/firewall/README.txt
+++ b/playbooks/roles/redhat/firewall/README.txt
@@ -1,3 +1,3 @@
-Configure iptables firewall.
+Configure nftables firewall.
 Allow everything out, limit in, disable forward.
diff --git a/playbooks/roles/redhat/firewall/files/etc/network/functions.phd b/playbooks/roles/redhat/firewall/files/etc/network/functions.phd
index 8d4e865..f83af4e 100644
--- a/playbooks/roles/redhat/firewall/files/etc/network/functions.phd
+++ b/playbooks/roles/redhat/firewall/files/etc/network/functions.phd
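Review bot: The three `lineinfile` tasks edit the packaged `/etc/fail2ban/jail.conf` in place, which the next fail2ban upgrade will overwrite or prompt about; the supported place for overrides is a file under `/etc/fail2ban/jail.d/`, which is read after jail.conf and survives upgrades. The second task is also unsafe: if no line `banaction = iptables-multiport-log` exists in jail.conf, `lineinfile` inserts `banaction = nftables-multiport` at end of file, i.e. inside whatever jail section happens to be last rather than `[DEFAULT]`, and the second and third tasks carry no `name:`. One `copy` task with an inline `[DEFAULT]` section replaces all three and is idempotent:

```yaml
- name: Point fail2ban at nftables (jail.d override, not jail.conf)
  become: true
  copy:
    dest: /etc/fail2ban/jail.d/nftables.local
    owner: root
    group: root
    mode: '0644'
    content: |
      [DEFAULT]
      banaction = nftables-multiport
      banaction_allports = nftables-allports
  notify: Restart firewall
```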
@@ -1,60 +1,59 @@
-IPTABLES=/sbin/iptables
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 my_ip() {
     MYIP=$1
     # Allow everything from this host
-    $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+    nft add rule ip filter input saddr $MYIP counter accept
     # Allow ICMP
-    $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+    nft add rule ip filter input daddr $MYIP proto icmp counter accept
     # Allow ports >1024
-    $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
-    $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+    nft add rule ip filter input daddr $MYIP dport 1024- proto tcp tcp flags & syn != syn counter accept
+    nft add rule ip filter input daddr $MYIP dport 1024- proto udp counter accept
 }
 start_firewall() {
     # Allow everything from localhost
-    $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+    nft add rule ip filter input saddr 127.0.0.1 counter accept
     # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
-    $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
-    $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
-    $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
-    $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+    nft add rule ip filter input dport 2049 proto tcp counter drop
+    nft add rule ip filter input dport 2049 proto udp counter drop
+    nft add rule ip filter input dport 6000-6063 proto tcp counter drop
+    nft add rule ip filter input dport 6000-6063 proto udp counter drop
     # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
-    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+    nft add rule ip filter input dport 22 proto tcp counter accept
+    nft add rule ip filter input dport 25 proto tcp counter accept
+    nft add rule ip filter input dport 53 proto tcp counter accept
+    nft add rule ip filter input dport 53 proto udp counter accept
+    nft add rule ip filter input sport 53 dport 1024- proto udp counter accept
+    nft add rule ip filter input dport 80 proto tcp counter accept
+    nft add rule ip filter input dport 113 proto tcp counter accept
+    nft add rule ip filter input dport 123 proto tcp counter accept
+    nft add rule ip filter input dport 123 proto udp counter accept
+    nft add rule ip filter input dport 137-139 proto tcp counter accept
+    nft add rule ip filter input dport 137-139 proto udp counter accept
+    nft add rule ip filter input dport 443 proto tcp counter accept
+    nft add rule ip filter input dport 445 proto tcp counter accept
+    nft add rule ip filter input dport 1194 proto udp counter accept
+    nft add rule ip filter input dport 9418 proto tcp counter accept
     # FTP
-    $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+    nft add rule ip filter input dport 20 proto tcp counter accept
+    nft add rule ip filter input dport 21 proto tcp counter accept
     # Allow ftp-data for active connections
-    #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+    #nft add rule ip filter input sport 20 dport 1024- proto tcp counter accept
     # Track FTP connections to allow active and passive mode FTP
-    $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+    nft add rule ip filter input sport 20 proto tcp ct mstate state state state established,related counter accept
+    nft add rule ip filter input dport 20 proto tcp ct mstate state state state established,related counter accept
+    nft add rule ip filter input sport 21 proto tcp ct mstate state state state new,established counter accept
+    nft add rule ip filter input dport 21 proto tcp ct mstate state state state established,related counter accept
+    nft add rule ip filter input sport 1024-65535 proto tcp ct mstate state state state established,related counter accept
+    nft add rule ip filter input dport 1024-65535 proto tcp ct mstate state state state established,related counter accept
     MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
     for ip in $MY_IP; do my_ip "$ip"; done
diff --git a/playbooks/roles/redhat/firewall/files/etc/network/if-down.d/eth b/playbooks/roles/redhat/firewall/files/etc/network/if-down.d/eth
index b75a12b..0d6fa04 100755
--- a/playbooks/roles/redhat/firewall/files/etc/network/if-down.d/eth
+++ b/playbooks/roles/redhat/firewall/files/etc/network/if-down.d/eth
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec /etc/rc.d/init.d/iptables.sh start
+exec /etc/rc.d/init.d/nftables.sh start
diff --git a/playbooks/roles/redhat/firewall/files/etc/network/if-up.d/eth b/playbooks/roles/redhat/firewall/files/etc/network/if-up.d/eth
index b75a12b..0d6fa04 100755
--- a/playbooks/roles/redhat/firewall/files/etc/network/if-up.d/eth
+++ b/playbooks/roles/redhat/firewall/files/etc/network/if-up.d/eth
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec /etc/rc.d/init.d/iptables.sh start
+exec /etc/rc.d/init.d/nftables.sh start
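Review bot: Every `nft add rule` line in this copy of functions.phd is rejected by nft, so no allow rule is ever installed: `saddr`/`daddr` need the family prefix (`ip saddr`), `proto tcp` is not a match (`tcp dport ...`), `1024-` is not a valid range (`1024-65535`), the unescaped `&` in `tcp flags & syn` makes sh background the command, and `ct mstate state state state ...` is not nft syntax (`ct state established,related`). Against an `input` chain with `policy drop` this would lock the host out; with the init script in this same commit failing to create the chain, the practical result is an unfiltered host. This file was the same blob as the debian copy before the commit (8d4e865) and the debian rewrite has valid syntax apart from its ICMP rule, so the simplest fix is to reuse that text with `counter` added; `start_firewall()` closes outside the hunk.

```sh
my_ip() {
    MYIP=$1
    # Allow everything from this host
    nft add rule ip filter input ip saddr $MYIP counter accept
    # Allow ICMP
    nft add rule ip filter input ip daddr $MYIP ip protocol icmp counter accept
    # Allow ports >1024 (non-SYN TCP, any UDP)
    nft add rule ip filter input ip daddr $MYIP tcp dport 1024-65535 tcp flags \& syn != syn counter accept
    nft add rule ip filter input ip daddr $MYIP udp dport 1024-65535 counter accept
}
# ... unchanged: start_firewall() header and comments; its rules follow these four shapes ...
    nft add rule ip filter input tcp dport 2049 counter drop
    nft add rule ip filter input tcp dport 22 counter accept
    nft add rule ip filter input udp sport 53 udp dport 1024-65535 counter accept
    nft add rule ip filter input tcp sport 20 ct state established,related counter accept
```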
diff --git a/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/iptables.sh b/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/iptables.sh
deleted file mode 100755
index 72e43e6..0000000
--- a/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/iptables.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: iptables.sh
-# Required-Start: $remote_fs $network
-# Required-Stop: $remote_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: iptables firewall
-### END INIT INFO
-
-# Setup ip firewall
-
-. /etc/network/functions.phd
-
-case "$1" in
-    start)
-        systemctl stop fail2ban.service
-
-        # Start afresh
-        $IPTABLES -F
-        $IPTABLES -F -t nat
-        $IPTABLES -F -t mangle
-
-        # Default policies
-        $IPTABLES -P INPUT DROP
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD DROP
-
-        start_firewall
-        /etc/rc.d/init.d/rc.masq
-        systemctl start fail2ban.service
-        ;;
-
-    stop)
-        systemctl stop fail2ban.service
-
-        $IPTABLES -F
-        $IPTABLES -F -t nat
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT DROP
-        $IPTABLES -P OUTPUT DROP
-        $IPTABLES -P FORWARD DROP
-        ;;
-
-    clear)
-        systemctl stop fail2ban.service
-
-        # Flush (delete) all rules
-        $IPTABLES -F
-        $IPTABLES -F -t nat
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        ;;
-
-    *)
-        echo "Usage: firewall {start|stop|clear}"
-        exit 1
-esac
-
-exit 0
diff --git a/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/nftables.sh b/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/nftables.sh
new file mode 100755
index 0000000..42717e7
--- /dev/null
+++ b/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/nftables.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: nftables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: nftables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+    start)
+        systemctl stop fail2ban.service
+
+        # Start afresh
+        nft flush
+
+        # Default policies
+        nft create table ip filter
+        nft create table ip nat
+        nft create chain ip nat prerouting { type nat hook preroutung priority 0; policy accept; }
+        nft create chain ip nat postrouting { type nat hook postroutung priority 0; policy accept; }
+        nft create chain ip filter input { type filter hook input priority 0; policy drop; }
+        nft create chain ip filter output { type filter hook output priority 0; policy accept; }
+        nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }
+
+        start_firewall
+        /etc/rc.d/init.d/rc.masq
+        systemctl start fail2ban.service
+        ;;
+
+    stop)
+        systemctl stop fail2ban.service
+
+        nft flush
+        nft create chain ip filter input { type filter hook input priority 0; policy drop; }
+        nft create chain ip filter output { type filter hook output priority 0; policy drop; }
+        nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }
+        ;;
+
+    clear)
+        systemctl stop fail2ban.service
+
+        # Flush (delete) all rules
+        nft flush
+        nft create chain ip filter input { type filter hook input priority 0; policy accept; }
+        nft create chain ip filter output { type filter hook output priority 0; policy accept; }
+        nft create chain ip filter forward { type filter hook forward priority 0; policy accept; }
+        ;;
+
+    *)
+        echo "Usage: firewall {start|stop|clear}"
+        exit 1
+esac
+
+exit 0
diff --git a/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/rc.masq b/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/rc.masq
index 69be427..27ffc4d 100755
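Review bot: The `start` branch of this script installs no firewall at all: `nft flush` without `ruleset` is rejected, `nft create table` fails on every run after the first once the table exists, the hook names `preroutung`/`postroutung` are typos, and the unescaped `{`, `;` and `}` are consumed by the shell, so `nft create chain ip filter input { type filter hook input priority 0` is run as one invalid command and `policy drop` and `}` as separate ones. No `input` chain with `policy drop` is therefore created, every rule from functions.phd fails for lack of a chain, the script still exits 0 and fail2ban is started on an unfiltered host. Mirror the debian script: `nft flush ruleset`, `nft add table`, correct hook names and backslash-escaped braces and semicolons; the same `flush ruleset` followed by `nft add table ip filter` is needed in `stop` and `clear` before their chain lines, and `set -e` would turn any remaining nft error into a visible failure instead of an open host.

```sh
        # Start afresh
        nft flush ruleset

        # Default policies
        nft add table ip filter
        nft add table ip nat
        nft add chain ip nat prerouting \{ type nat hook prerouting priority dstnat\; policy accept\; \}
        nft add chain ip nat postrouting \{ type nat hook postrouting priority srcnat\; policy accept\; \}
        nft add chain ip filter input \{ type filter hook input priority filter\; policy drop\; \}
        nft add chain ip filter output \{ type filter hook output priority filter\; policy accept\; \}
        nft add chain ip filter forward \{ type filter hook forward priority filter\; policy drop\; \}
        # ... unchanged: start_firewall, rc.masq, fail2ban start ...
        # stop/clear: nft flush ruleset; nft add table ip filter; then the escaped chain lines
```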
--- a/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/rc.masq
+++ b/playbooks/roles/redhat/firewall/files/etc/rc.d/init.d/rc.masq
@@ -69,9 +69,6 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
 #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
-IPTABLES=/sbin/iptables
-
-
 # DHCP: For people who receive their external IP address from either DHCP or BOOTP
 # such as ADSL or Cablemodem users, it is necessary to use the following
 # before the deny command. The "bootp_client_net_if_name" should be replaced
diff --git a/playbooks/roles/redhat/firewall/handlers/main.yaml b/playbooks/roles/redhat/firewall/handlers/main.yaml
index 8eac456..7be1af2 100644
--- a/playbooks/roles/redhat/firewall/handlers/main.yaml
+++ b/playbooks/roles/redhat/firewall/handlers/main.yaml
@@ -1,3 +1,3 @@
 - name: Restart firewall
   become: true
-  command: /etc/rc.d/init.d/iptables.sh start
+  command: /etc/rc.d/init.d/nftables.sh start
diff --git a/playbooks/roles/redhat/firewall/tasks/main.yaml b/playbooks/roles/redhat/firewall/tasks/main.yaml
index 86c73ba..99dd1ce 100644
--- a/playbooks/roles/redhat/firewall/tasks/main.yaml
+++ b/playbooks/roles/redhat/firewall/tasks/main.yaml
@@ -1,7 +1,7 @@
-- name: Install fail2ban and iptables-services
+- name: Install fail2ban and nftables
   become: true
   dnf:
-    name: ['fail2ban', 'iptables-services']
+    name: ['fail2ban', 'nftables-services', 'nftables']
     state: latest
     update_cache: yes
   notify: Restart firewall
@@ -20,10 +20,10 @@
     state: started
     enabled: yes
 
-- name: Enable iptables-service
+- name: Enable nftables-service
   become: true
   service:
-    name: iptables
+    name: nftables
     state: started
     enabled: yes
-- 
2.39.2
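Review bot: `nftables-services` in the `dnf` name list is, as far as I know, not a package in the Fedora or EL repositories (`iptables-services` exists; `nftables` ships its own `nftables.service`), so dnf fails with "No match for argument" and the whole role aborts before the firewall script is ever deployed; please verify on a target host and drop it if it is not real, i.e. `name: ['fail2ban', 'nftables']`. Enabling the distro `nftables` unit beside the role's own `nftables.sh` also needs a look: that unit loads `/etc/sysconfig/nftables.conf` on start and, on the builds I am aware of, runs `nft flush ruleset` on stop, so a `systemctl restart nftables` or a stop at shutdown would silently discard the rules this role installs through the `Restart firewall` handler. If the unit is only wanted for boot-time loading, have the role write the ruleset to the file it reads rather than running both mechanisms against the same tables.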