securCom.nftables

nftables Management

This role is used to manage nftables.

Since it's challenging to create a one-size-fits-all nftables template, this role simply transfers user-defined nftables configuration snippets to the server and executes them. You still need to know the nftables syntax.

Requirements

  • Ansible: 2.4

Role Variables

OS-Specific Variables

Some variables are tailored for specific operating systems. These are found in vars/os-<OS>.yml files.

General Variables

  • nftables_dir: Directory for nftables configuration, defaults to /etc/nftables
  • nftables_service_state: Indicates if the service should be started.
  • nftables_service_enabled: Indicates if the service should start at boot.

Firewall Rules

  • nftables_rules_directory: Directory to look for firewall rules files, defaults to the playbook templates directory.
  • nftables_families: IP version for rule generation, defaults to IPv4 and IPv6.
  • nftables_rules: List of rules to apply. Defaults to allowing only SSH and ICMP; see sample rules in the templates/rules directory.

This role renders the rule snippets as Jinja2 templates (the .conf.j2 files) before loading them. Writing the rules themselves is still up to you, but that also means nothing is applied that you did not write.

Example

Host/Group Variables

nftables_rules_directory: "{{ playbook_dir }}/files/nftables"

nftables_rules:
  - default_rules
  - connection_tracking
  - input_icmp
  - management

In this example, you should create the following files:

  • {{ playbook_dir }}/files/nftables/rules/default_rules.conf.j2
  • {{ playbook_dir }}/files/nftables/rules/connection_tracking.conf.j2
  • ...

You should adjust the nftables_rules in group_vars or host_vars for each group or server as needed.

Playbook

- hosts: ferm
  roles:
     - securcom.nftables

Dependencies

None

License

BSD

Author Information

Peter Hudec (@hudecof)

Project Information

nftables management

Install

ansible-galaxy install securCom.nftables