feat: add incoming fw rules, fixed routes and improved docs

2026-02-17 08:44:28 +01:00 · 2026-02-17 08:44:28 +01:00 · c1aafd19c1
commit c1aafd19c1
parent b92f2c6175
4 changed files with 87 additions and 4 deletions
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@ -9,3 +9,6 @@ nat_port_forwards: []

 # static routes
 static_routes: []
+
+# incoming firewall rules
+incoming_firewall_rules: []
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@ -7,12 +7,10 @@
    state: "restarted"

 # apply local routes
- name: "apply routes"
+- name: "apply routes - add static routes"
  ansible.builtin.shell:
    cmd: |
      {% for route in static_routes %}
-      ip route replace {{ route.destination }} via {{ route.gateway }}
-      {% if route.interface is defined %}dev {{ route.interface }}{% endif %}
+      ip route replace {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }}{{ ' metric ' + route.metric if route.metric is defined else '' }}
      {% endfor %}
  when: "static_routes | length > 0"
-  changed_when: false
--- a/readme.md
+++ b/readme.md
@ -16,3 +16,79 @@ This role configures router functionality on Alpine Linux.
 | `routing` | Configure routing and iptables |
 | `firewall` | Configure firewall rules |
 | `performance` | Configure performance tuning |
+
+## Role Variables
+
+### Interfaces
+
+```yaml
+wan_interface: "eth0"
+lan_interface: "eth1"
+```
+
+### Static Routes
+
+```yaml
+static_routes:
+
+  - name: "route to internal network 10.0.0.0/8 via 192.168.1.1"
+    destination: "10.0.0.0/8"
+    gateway: "192.168.1.1"
+
+  - name: "route to dmz with custom metric"
+    destination: "172.16.0.0/12"
+    gateway: "192.168.1.254"
+    metric: 100
+
+  - name: "route with specific interface"
+    destination: "192.168.100.0/24"
+    gateway: "192.168.1.1"
+    interface: "eth1"
+```
+
+### Incoming Firewall Rules
+
+```yaml
+incoming_firewall_rules:
+
+  - name: "allow ssh from lan"
+    source: "192.168.1.0/24"
+    protocol: "tcp"
+    port: 22
+
+  - name: "allow https from lan"
+    source: "192.168.1.0/24"
+    protocol: "tcp"
+    port: 443
+
+  - name: "allow dns from lan"
+    source: "192.168.1.0/24"
+    protocol: "udp"
+    port: 53
+
+  - name: "allow ping from lan"
+    source: "192.168.1.0/24"
+    protocol: "icmp"
+    port: 0
+```
+
+### NAT Port Forwards
+
+```yaml
+nat_port_forwards:
+
+  - name: "forward http to web server"
+    dst: "192.168.1.10"
+    port: 80
+    protocol: "tcp"
+
+  - name: "forward https to web server"
+    dst: "192.168.1.10"
+    port: 443
+    protocol: "tcp"
+
+  - name: "forward ssh to internal server"
+    dst: "192.168.1.20"
+    port: 2222
+    protocol: "tcp"
+```
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@ -15,6 +15,12 @@ table inet filter {
        # Allow LAN management access
        iif {{ lan_interface }} accept

+        # Allow incoming firewall rules
+{% for rule in incoming_firewall_rules %}
+        # {{ rule.name }}
+        iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
+{% endfor %}
+
        # Allow ICMP
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept