commit 8271ad27ea60c4b7a9f3231f67cdc05a92e6803e parent a56c5ab5a720424eb46aaa6cfb148165582071e8 Author: Jul <jul@9o.is> Date: Tue, 14 May 2024 23:53:15 +0800 configure nftables to only allow wireguard Diffstat:
| M | host/roles/wireguard/handlers/main.yml | | | 5 | +++++ |
| M | host/roles/wireguard/tasks/client.yml | | | 11 | +++++++++++ |
| M | host/roles/wireguard/tasks/main.yml | | | 3 | +++ |
| A | host/roles/wireguard/tasks/nftables.yml | | | 21 | +++++++++++++++++++++ |
| A | host/roles/wireguard/templates/nftables.conf.j2 | | | 48 | ++++++++++++++++++++++++++++++++++++++++++++++++ |
5 files changed, 88 insertions(+), 0 deletions(-)
diff --git a/host/roles/wireguard/handlers/main.yml b/host/roles/wireguard/handlers/main.yml
@@ -10,3 +10,8 @@
 name: wg-quick@wg0
 state: restarted
+- name: restart nftables
+ service:
+ name: nftables
+ state: restarted
+
diff --git a/host/roles/wireguard/tasks/client.yml b/host/roles/wireguard/tasks/client.yml
@@ -70,3 +70,14 @@
 ln -s /rw/config/wireguard /etc/wireguard
 systemctl start wg-quick@wg0
+- name: resolve {{ ansible_nodename }} to {{ wg_server_ip }}
+ delegate_to: localhost
+ delegate_facts: true
+ lineinfile:
+ path: /etc/hosts
+ search_string: '{{ wg_server_ip }}'
+ line: '{{ wg_server_ip }} {{ ansible_nodename }}'
+ owner: root
+ group: root
+ mode: '0644'
+
diff --git a/host/roles/wireguard/tasks/main.yml b/host/roles/wireguard/tasks/main.yml
@@ -10,3 +10,6 @@
 - name: configure wireguard server
 include_tasks: server.yml
+- name: configure server nftables
+ include_tasks: nftables.yml
+
diff --git a/host/roles/wireguard/tasks/nftables.yml b/host/roles/wireguard/tasks/nftables.yml
@@ -0,0 +1,21 @@
+---
+- name: install nftables
+ package:
+ name: nftables
+ state: present
+
+- name: enable nftables service
+ service:
+ name: nftables
+ enabled: true
+
+- name: upload server nftables config
+ template:
+ src: nftables.conf.j2
+ dest: /etc/nftables.conf
+ owner: root
+ group: root
+ mode: '0755'
+ validate: nft --check --file %s
+ notify: restart nftables
+
diff --git a/host/roles/wireguard/templates/nftables.conf.j2 b/host/roles/wireguard/templates/nftables.conf.j2
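Review bot: In the client.yml hunk, `search_string: '{{ wg_server_ip }}'` is a plain substring match, so an existing /etc/hosts entry whose address merely starts with the server address (constructed example: a `10.0.0.10` line when wg_server_ip is `10.0.0.1`) would be replaced by this task's line; anchor the match instead, e.g. `regexp: '^{{ wg_server_ip | regex_escape }}\s'`. `delegate_facts: true` appears to have no effect on a lineinfile task, since it only redirects facts a task gathers, and can be dropped. Writing /etc/hosts on the controller also needs root, so the task depends on `become` being set on the play or the task; that header is outside the hunk, as is the start of the preceding `shell` task whose `ln -s`/`systemctl` lines form the context here.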
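Review bot: In nftables.yml the service is only `enabled: true`, never `state: started`, so the ruleset is loaded only when the template changes and the restart handler fires; on a host where /etc/nftables.conf is already current but the service is stopped, the play finishes with no firewall loaded. Add `state: started` to that task, and consider moving it after the template upload so the first start already uses the rendered config rather than the distribution default. If the server is Alpine, as the repository description suggests, its OpenRC init script reads /etc/nftables.nft rather than /etc/nftables.conf, so `dest` is worth confirming against the target distribution.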
@@ -0,0 +1,48 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table ip filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state invalid counter log prefix "Invalid received" drop
+ ct state established,related accept
+ iifname lo accept
+
+ iifname {{ static_interface }} ct state new counter jump public-interface
+ iifname wg0 ct state new counter jump wireguard-wg0
+
+ counter log prefix "Dropped received"
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+
+ chain public-interface {
+ udp dport {{ wireguard_port }} accept
+ }
+
+ chain wireguard-wg0 {
+ tcp dport {{ openssh_port }} accept
+ }
+}
+
+table ip6 filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
+
+ chain output {
+ type filter hook output priority filter; policy drop;
+ }
+}
+
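Review bot: Both `log` rules in the ip input chain (the `ct state invalid` rule and the final catch-all `counter log prefix "Dropped received"`) are unrate-limited on a public-facing interface, so a scan or flood produces one kernel log line per packet; put a limit in front of each, e.g. `limit rate 5/minute counter log prefix "Dropped received: "`. The prefixes also end without a separator, so the kernel message runs together as `Dropped receivedIN=...`; ending them with `": "` keeps them parseable. The ip6 table has no `iifname lo accept` and its output policy is drop, so IPv6 loopback traffic is blocked as well; if switching IPv6 off entirely is the intent, a one-line comment above `table ip6 filter` saying so would stop a later reader from "fixing" it, otherwise add the lo accept.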