Adding ansible section

2025-05-22 14:43:42 +02:00
parent 8c6e940433
commit 0985d65f86
26 changed files with 900 additions and 0 deletions
--- a/ansible/roles/bastion/templates/nftables.conf.j2
+++ b/ansible/roles/bastion/templates/nftables.conf.j2
@@ -0,0 +1,32 @@
+#{{ ansible_managed }}
+
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+        chain input {
+                type filter hook input priority 0; policy drop;
+                iifname lo accept;
+
+                tcp dport 22 accept;
+                icmp type echo-request accept;
+                # established/related connections
+                ct state established,related accept
+        }
+        chain forward {
+                type filter hook forward priority 0; policy drop;
+        }
+        chain output {
+                type filter hook output priority 0; policy drop;
+
+                iifname lo accept;
+                tcp dport 22 accept;
+                tcp dport {80, 443, 9200} accept;
+                tcp dport {53, 123} accept;
+                udp dport {53, 123, 1514} accept;
+                icmp type echo-request accept;
+                # established/related connections
+                ct state established,related accept;
+        }
+}