From e0d8f8fb893a010808d5c21feed8f660179cc0dc Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Wed, 25 Oct 2023 16:39:22 +0200
Subject: [PATCH] nftables almost done (still more frr stuff to do)

---
 defaults/main.yml        |   4 ++
 handlers/main.yml        |   8 +++
 tasks/all.yml            |  27 ++++++++++
 tasks/main.yml           |  18 +++++++
 templates/frr_conf.j2    |  10 ++++
 templates/int_rtr.nft.j2 | 107 +++++++++++++++++++++++++++++++++++++++
 6 files changed, 174 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/all.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/frr_conf.j2
 create mode 100644 templates/int_rtr.nft.j2

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..16eaff6
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+allow_default_ipv4: False
+allow_default_ipv6: False
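Review bot: `allow_default_ipv4` and `allow_default_ipv6` are declared here but nothing else in this patch reads them — neither `int_rtr.nft.j2` nor `frr_conf.j2` references the names — so they look like placeholders for the pending frr work. A one-line comment above each stating what the flag will control (presumably whether a default route is accepted from the `outside` peers — confirm) keeps the defaults self-explanatory until that code lands. Also write the booleans as lowercase `false`, the only form yamllint's `truthy` rule accepts without a directive.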
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..3bf4ce1
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: restart nftables
+  command: 'nft -f /etc/nftables.conf'
+- name: ifup all
+  command: "ifreload -a"
+- name: reload networking
+  command: "ifreload -a"
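Review bot: The `restart nftables` handler re-runs `nft -f /etc/nftables.conf` instead of restarting the unit, and the `int_rtr.nft.j2` template in this patch does not begin with `flush ruleset`; unless the `nftables` role prepends a flush (not visible here), each handler run adds a second copy of every rule to the existing `filter` table rather than replacing the ruleset, so chains grow with each deploy. Either confirm the role emits the flush or switch the handler to `service:` with `name: nftables` and `state: restarted`, which applies the packaged unit's own flush-and-load. `ifup all` and `reload networking` both run the identical `ifreload -a`; one handler (or a `listen:` alias) avoids two names for the same action.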
diff --git a/tasks/all.yml b/tasks/all.yml
new file mode 100644
index 0000000..33a0851
--- /dev/null
+++ b/tasks/all.yml
@@ -0,0 +1,27 @@
+---
+- name: set ipv6 max routes
+  sysctl:
+    name: 'net.ipv6.route.max_size'
+    value: '2147483647'
+    state: present
+    reload: yes
+  tags: network
+
+- name: required packages
+  package:
+    name: 
+    - nftables
+    - traceroute
+    - ifupdown2
+
+- name: kernel forwarding
+  sysctl:
+    name: "{{item}}"
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  with_items:
+    - net.ipv4.ip_forward
+    - net.ipv6.conf.all.forwarding
+
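Review bot: The `name:` key of the `required packages` task carries a trailing space, and its list items sit flush with the key while `with_items` below indents its items, so the file mixes both sequence indentation styles; strip the whitespace and pick one indent (yamllint flags both). `reload: yes` and `sysctl_set: yes` are YAML 1.1 truthy spellings — write `true` — and `with_items` is the legacy form of `loop:`. The `required packages` and `kernel forwarding` tasks lack the `tags: network` the first task has, so a `--tags network` run would set the IPv6 route limit but leave forwarding untouched, which is probably not intended.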
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..8746538
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+- import_tasks: all.yml
+ 
+- name: nftables
+  import_role:
+    name: nftables
+  vars:
+    nft_templates:
+      int_rtr: "{{lookup('template','int_rtr.nft.j2')}}"
+  tags: nftables
+
+- import_role:
+    name: frr
+  vars:
+    frr_conf: "{{lookup('template','frr_conf.j2')}}"
+  tags: frr
+
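Review bot: The line after `- import_tasks: all.yml` is whitespace-only (a single space), which yamllint reports as trailing whitespace; make it empty. The frr import at `- import_role:` has no `name:`, unlike the nftables task above it, so task output shows only the bare module name; `- name: frr` keeps the two imports parallel. Tags on `import_role` are applied to every task inside the imported role (unlike `include_role`, where they tag only the include itself), which is the intended effect here but worth a short comment so a later switch to `include_role` does not silently change what `--tags frr` runs.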
diff --git a/templates/frr_conf.j2 b/templates/frr_conf.j2
new file mode 100644
index 0000000..51f3533
--- /dev/null
+++ b/templates/frr_conf.j2
@@ -0,0 +1,10 @@
+hostname {{ansible_hostname}}
+log syslog informational
+router bgp {{bgp_asn}}
+ bgp bestpath as-path multipath-relax
+ bgp bestpath compare-routerid
+ no bgp network import-check
+ neighbor internet peer-group
+ neighbor outside peer-group
+ neighbor outside remote-as external
+ 
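Review bot: The `internet` and `outside` peer-groups are declared with no inbound or outbound policy (no `route-map` or `prefix-list` lines), and `outside` is eBGP (`remote-as external`). Under FRR's default traditional profile `bgp ebgp-requires-policy` is on, so those sessions will not exchange routes until a policy is attached; under the datacenter profile they would exchange everything unfiltered, so either way the filters belong here before neighbors are added. Since the commit message says frr is unfinished, a marker such as `! TODO: attach inbound/outbound route-maps to internet/outside before adding neighbors` documents the gap. The file also ends with a line holding a single space; drop it so the rendered config carries no trailing whitespace.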
diff --git a/templates/int_rtr.nft.j2 b/templates/int_rtr.nft.j2
new file mode 100644
index 0000000..0210bd7
--- /dev/null
+++ b/templates/int_rtr.nft.j2
@@ -0,0 +1,107 @@
+#!/usr/sbin/nft -f
+### AUTOMATICALLY GENERATED FILE CREATED BY ANSIBLE PLEASE DO NOT EDIT MANUALLY AS IT WILL BE OVERWRITTEN!!! ###
+table inet filter {
+	chain preload_input {
+		type filter hook input priority -5; policy accept;
+		iif == lo accept
+			jump preload_drop
+			tcp dport 113 drop
+	}
+	chain preload_forward {
+		type filter hook forward priority -5; policy accept;
+		iif == lo accept
+			jump preload_drop
+	}
+	chain preload_drop {
+{% for address in (ansible_all_ipv6_addresses|sort|unique) %}
+{%  if address is not search('fe80') %}
+		ip6 saddr {{address}} drop
+{%  endif %}
+{% endfor %} 
+{% for address in (ansible_all_ipv4_addresses|sort|unique) %}
+		ip saddr {{address}} drop
+{% endfor %}
+{% for peer in internet_connections %}
+		iifname {{peer.interface}} jump internet_peers
+{% endfor %}
+		jump martians
+		jump f2ban
+	}
+	chain internet_peers {
+{% for range in dc_ranges %}
+	ip{% if range is search(':') %}6{% endif %} saddr {{range|regex_replace('ge.*','')|regex_replace('le.*','')}} drop
+{% endfor %}
+	}
+	chain f2ban {
+	}
+	chain input {
+		type filter hook input priority 0; policy drop;
+		ip protocol igmp accept
+			ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+			ip6 saddr fe80::/64 accept
+			icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-neighbor-solicit, nd-router-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report, echo-request } accept
+			ct state established, related accept
+			iif == lo accept
+			tcp dport ssh accept
+{% for range in dc_ranges %}
+			ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport ssh accept
+{% endfor %}
+	}
+	chain forward {
+		type filter hook forward priority 0; policy accept;
+	}
+	chain martians {
+			ip6 saddr ::/128 drop
+			ip6 saddr ::1/128 drop
+			ip6 saddr ::ffff:0:0/96 drop
+			ip6 saddr ::/96 drop
+			ip6 saddr 100::/64 drop
+			ip6 saddr 2001:10::/28 drop
+			ip6 saddr 2001:db8::/32 drop
+			ip6 saddr fc00::/7 drop
+			ip6 saddr fec0::/10 drop
+			ip6 saddr ff00::/8 drop
+			ip6 saddr 2002::/24 drop
+			ip6 saddr 2002:a00::/24 drop
+			ip6 saddr 2002:7f00::/24 drop
+			ip6 saddr 2002:a9fe::/32 drop
+			ip6 saddr 2002:ac10::/28 drop
+			ip6 saddr 2002:c000::/40 drop
+			ip6 saddr 2002:c000:200::/40 drop
+			ip6 saddr 2002:c0a8::/32 drop
+			ip6 saddr 2002:c612::/31 drop
+			ip6 saddr 2002:c633:6400::/40 drop
+			ip6 saddr 2002:cb00:7100::/40 drop
+			ip6 saddr 2002:e000::/20 drop
+			ip6 saddr 2002:f000::/20 drop
+			ip6 saddr 2002:ffff:ffff::/48 drop
+			ip6 saddr 2001::/40 drop
+			ip6 saddr 2001:0:a00::/40 drop
+			ip6 saddr 2001:0:7f00::/40 drop
+			ip6 saddr 2001:0:a9fe::/48 drop
+			ip6 saddr 2001:0:ac10::/44 drop
+			ip6 saddr 2001:0:c000::/56 drop
+			ip6 saddr 2001:0:c000:200::/56 drop
+			ip6 saddr 2001:0:c0a8::/48 drop
+			ip6 saddr 2001:0:c612::/47 drop
+			ip6 saddr 2001:0:c633:6400::/56 drop
+			ip6 saddr 2001:0:cb00:7100::/56 drop
+			ip6 saddr 2001:0:e000::/36 drop
+			ip6 saddr 2001:0:f000::/36 drop
+			ip6 saddr 2001:0:ffff:ffff::/64 drop
+			ip6 saddr 2001:0:ffff:ffff::/64 drop
+			ip saddr 0.0.0.0/8 drop
+			ip saddr 10.0.0.0/8 drop
+			ip saddr 100.64.0.0/10 drop
+			ip saddr 127.0.0.0/8 drop
+			ip saddr 169.254.0.0/16 drop
+			ip saddr 172.16.0.0/12 drop
+			ip saddr 192.0.0.0/24 drop
+			ip saddr 192.0.2.0/24 drop
+			ip saddr 192.168.0.0/16 drop
+			ip saddr 198.18.0.0/15 drop
+			ip saddr 198.51.100.0/24 drop
+			ip saddr 203.0.113.0/24 drop
+			ip saddr 224.0.0.0/3 drop
+	}
+}
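Review bot: In chain `input`, the unconditional `tcp dport ssh accept` immediately precedes the per-`dc_ranges` loop that also accepts `tcp dport ssh`, so the looped rules can never match and SSH is reachable from every source, including the internet-facing peers; if the intent is to limit SSH to `dc_ranges`, delete the unconditional line, otherwise delete the loop. The two loops over `dc_ranges` disagree on input format: `internet_peers` tests `range is search(':')` and strips trailing `ge…`/`le…` text, while `input` applies `range|ansible.utils.ipv6` to the raw value — if entries carry prefix-length qualifiers the `input` loop renders invalid nft syntax, and if they do not the `regex_replace` chain is dead, so use the same helper in both places. `ip6 saddr 2001:0:ffff:ffff::/64 drop` appears twice in `martians`. `ip6 saddr fe80::/64 accept` admits every protocol from link-local sources, while the `icmpv6 type { … }` rule below it already covers neighbor discovery; if the broad accept exists for link-local BGP sessions (inferred from the frr template, not visible here), restricting it to `tcp dport bgp` would tighten it.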
-- 
GitLab