nftables almost done (still more frr stuff to do)

e0d8f8fb · Karl Grube · a802d23a · e0d8f8fb · e0d8f8fb · e0d8f8fb
Commit e0d8f8fb authored 1 year ago by Karl Grube
--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+allow_default_ipv4: False
+allow_default_ipv6: False
--- a/handlers/main.yml
+++ b/handlers/main.yml
+---
+- name: restart nftables
+  command: 'nft -f /etc/nftables.conf'
+- name: ifup all
+  command: "ifreload -a"
+- name: reload networking
+  command: "ifreload -a"
--- a/tasks/all.yml
+++ b/tasks/all.yml
+---
+- name: set ipv6 max routes
+  sysctl:
+    name: 'net.ipv6.route.max_size'
+    value: '2147483647'
+    state: present
+    reload: yes
+  tags: network
+- name: required packages
+  package:
+    name: 
+    - nftables
+    - traceroute
+    - ifupdown2
+- name: kernel forwarding
+  sysctl:
+    name: "{{item}}"
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  with_items:
+    - net.ipv4.ip_forward
+    - net.ipv6.conf.all.forwarding
--- a/tasks/main.yml
+++ b/tasks/main.yml
+---
+- import_tasks: all.yml
+- name: nftables
+  import_role:
+    name: nftables
+  vars:
+    nft_templates:
+      int_rtr: "{{lookup('template','int_rtr.nft.j2')}}"
+  tags: nftables
+- import_role:
+    name: frr
+  vars:
+    frr_conf: "{{lookup('template','frr_conf.j2')}}"
+  tags: frr
--- a/templates/frr_conf.j2
+++ b/templates/frr_conf.j2
+hostname {{ansible_hostname}}
+log syslog informational
+router bgp {{bgp_asn}}
+ bgp bestpath as-path multipath-relax
+ bgp bestpath compare-routerid
+ no bgp network import-check
+ neighbor internet peer-group
+ neighbor outside peer-group
+ neighbor outside remote-as external
--- a/templates/int_rtr.nft.j2
+++ b/templates/int_rtr.nft.j2
+#!/usr/sbin/nft -f
+### AUTOMATICALLY GENERATED FILE CREATED BY ANSIBLE PLEASE DO NOT EDIT MANUALLY AS IT WILL BE OVERWRITTEN!!! ###
+table inet filter {
+	chain preload_input {
+		type filter hook input priority -5; policy accept;
+		iif == lo accept
+			jump preload_drop
+			tcp dport 113 drop
+	}
+	chain preload_forward {
+		type filter hook forward priority -5; policy accept;
+		iif == lo accept
+			jump preload_drop
+	}
+	chain preload_drop {
+{% for address in (ansible_all_ipv6_addresses|sort|unique) %}
+{%  if address is not search('fe80') %}
+		ip6 saddr {{address}} drop
+{%  endif %}
+{% endfor %} 
+{% for address in (ansible_all_ipv4_addresses|sort|unique) %}
+		ip saddr {{address}} drop
+{% endfor %}
+{% for peer in internet_connections %}
+		iifname {{peer.interface}} jump internet_peers
+{% endfor %}
+		jump martians
+		jump f2ban
+	}
+	chain internet_peers {
+{% for range in dc_ranges %}
+	ip{% if range is search(':') %}6{% endif %} saddr {{range|regex_replace('ge.*','')|regex_replace('le.*','')}} drop
+{% endfor %}
+	}
+	chain f2ban {
+	}
+	chain input {
+		type filter hook input priority 0; policy drop;
+		ip protocol igmp accept
+			ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+			ip6 saddr fe80::/64 accept
+			icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-neighbor-solicit, nd-router-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report, echo-request } accept
+			ct state established, related accept
+			iif == lo accept
+			tcp dport ssh accept
+{% for range in dc_ranges %}
+			ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport ssh accept
+{% endfor %}
+	}
+	chain forward {
+		type filter hook forward priority 0; policy accept;
+	}
+	chain martians {
+			ip6 saddr ::/128 drop
+			ip6 saddr ::1/128 drop
+			ip6 saddr ::ffff:0:0/96 drop
+			ip6 saddr ::/96 drop
+			ip6 saddr 100::/64 drop
+			ip6 saddr 2001:10::/28 drop
+			ip6 saddr 2001:db8::/32 drop
+			ip6 saddr fc00::/7 drop
+			ip6 saddr fec0::/10 drop
+			ip6 saddr ff00::/8 drop
+			ip6 saddr 2002::/24 drop
+			ip6 saddr 2002:a00::/24 drop
+			ip6 saddr 2002:7f00::/24 drop
+			ip6 saddr 2002:a9fe::/32 drop
+			ip6 saddr 2002:ac10::/28 drop
+			ip6 saddr 2002:c000::/40 drop
+			ip6 saddr 2002:c000:200::/40 drop
+			ip6 saddr 2002:c0a8::/32 drop
+			ip6 saddr 2002:c612::/31 drop
+			ip6 saddr 2002:c633:6400::/40 drop
+			ip6 saddr 2002:cb00:7100::/40 drop
+			ip6 saddr 2002:e000::/20 drop
+			ip6 saddr 2002:f000::/20 drop
+			ip6 saddr 2002:ffff:ffff::/48 drop
+			ip6 saddr 2001::/40 drop
+			ip6 saddr 2001:0:a00::/40 drop
+			ip6 saddr 2001:0:7f00::/40 drop
+			ip6 saddr 2001:0:a9fe::/48 drop
+			ip6 saddr 2001:0:ac10::/44 drop
+			ip6 saddr 2001:0:c000::/56 drop
+			ip6 saddr 2001:0:c000:200::/56 drop
+			ip6 saddr 2001:0:c0a8::/48 drop
+			ip6 saddr 2001:0:c612::/47 drop
+			ip6 saddr 2001:0:c633:6400::/56 drop
+			ip6 saddr 2001:0:cb00:7100::/56 drop
+			ip6 saddr 2001:0:e000::/36 drop
+			ip6 saddr 2001:0:f000::/36 drop
+			ip6 saddr 2001:0:ffff:ffff::/64 drop
+			ip6 saddr 2001:0:ffff:ffff::/64 drop
+			ip saddr 0.0.0.0/8 drop
+			ip saddr 10.0.0.0/8 drop
+			ip saddr 100.64.0.0/10 drop
+			ip saddr 127.0.0.0/8 drop
+			ip saddr 169.254.0.0/16 drop
+			ip saddr 172.16.0.0/12 drop
+			ip saddr 192.0.0.0/24 drop
+			ip saddr 192.0.2.0/24 drop
+			ip saddr 192.168.0.0/16 drop
+			ip saddr 198.18.0.0/15 drop
+			ip saddr 198.51.100.0/24 drop
+			ip saddr 203.0.113.0/24 drop
+			ip saddr 224.0.0.0/3 drop
+	}
+}