feat: nftables > iptables

tasks/firewall.yaml

@@ -1,46 +1,14 @@
 ---
 
-# deploy ipv4 iptable rules
-- name: "firewall - ipv4 rules"
-  ansible.builtin.copy:
-    dest: "/etc/iptables/rules-save"
+# deploy nftables rules
+- name: "firewall - nftables rules"
+  ansible.builtin.template:
+    src: "nftables.conf.j2"
+    dest: "/etc/nftables.conf"
     mode: "0600"
     owner: "root"
     group: "root"
-    content: |
-      *nat
-      :PREROUTING ACCEPT [0:0]
-      :INPUT ACCEPT [0:0]
-      :OUTPUT ACCEPT [0:0]
-      :POSTROUTING ACCEPT [0:0]
-      # NAT masquerade from LAN to WAN
-      -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE
-      {% for forward in nat_port_forwards %}
-      # {{ forward.name }}
-      -A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }}
-      {% endfor %}
-      COMMIT
-
-      *filter
-      :INPUT DROP [0:0]
-      :FORWARD DROP [0:0]
-      :OUTPUT ACCEPT [0:0]
-      # Allow established/related
-      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-      -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-      # Allow loopback
-      -A INPUT -i lo -j ACCEPT
-      # Allow LAN management access
-      -A INPUT -i {{ lan_interface }} -j ACCEPT
-      # Allow forwarding from LAN to anywhere
-      -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
-      {% for forward in nat_port_forwards %}
-      # {{ forward.name }}
-      -A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT
-      {% endfor %}
-      COMMIT
-  notify: "restart iptables"
-
+  notify: "restart nftables"
 
 # load nf_conntrack module
 - name: "firewall - load nf_conntrack module"