From c1aafd19c1d3710ef47b713163b3418c860d0c26 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Tue, 17 Feb 2026 08:44:28 +0100
Subject: [PATCH] feat: add incoming fw rules, fixed routes and improved docs

---
 defaults/main.yaml         |  3 ++
 handlers/main.yaml         |  6 +--
 readme.md                  | 76 ++++++++++++++++++++++++++++++++++++++
 templates/nftables.conf.j2 |  6 +++
 4 files changed, 87 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yaml b/defaults/main.yaml
index d62df46..74cfc4b 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -9,3 +9,6 @@ nat_port_forwards: []
 
 # static routes
 static_routes: []
+
+# incoming firewall rules
+incoming_firewall_rules: []
diff --git a/handlers/main.yaml b/handlers/main.yaml
index 90a6954..e305b8a 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -7,12 +7,10 @@
     state: "restarted"
 
 # apply local routes
-- name: "apply routes"
+- name: "apply routes - add static routes"
   ansible.builtin.shell:
     cmd: |
       {% for route in static_routes %}
-      ip route replace {{ route.destination }} via {{ route.gateway }}
-      {% if route.interface is defined %}dev {{ route.interface }}{% endif %}
+      ip route replace {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }}{{ ' metric ' + route.metric if route.metric is defined else '' }}
       {% endfor %}
   when: "static_routes | length > 0"
-  changed_when: false
diff --git a/readme.md b/readme.md
index 4a69754..a4d4d6d 100644
--- a/readme.md
+++ b/readme.md
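Review bot: The added `' metric ' + route.metric` in the `cmd` block raises a Jinja TypeError whenever `metric` is an integer, which is exactly how the readme in this same patch documents it (`metric: 100`), so the handler fails on the first route that sets a metric. Jinja's `+` is Python addition and does not coerce an int to str; use the string-concatenation operator instead: `{{ ' metric ' ~ route.metric if route.metric is defined else '' }}` (and `~` for the `dev` clause for consistency). Because the rendered line is executed by `ansible.builtin.shell`, consider also passing `route.destination`, `route.gateway` and `route.interface` through `| quote` so a malformed entry in `static_routes` cannot change the shape of the command. The `state: "restarted"` context line at the top belongs to a handler that starts outside the hunk.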
@@ -16,3 +16,79 @@ This role configures router functionality on Alpine Linux.
 | `routing` | Configure routing and iptables |
 | `firewall` | Configure firewall rules |
 | `performance` | Configure performance tuning |
+
+## Role Variables
+
+### Interfaces
+
+```yaml
+wan_interface: "eth0"
+lan_interface: "eth1"
+```
+
+### Static Routes
+
+```yaml
+static_routes:
+
+  - name: "route to internal network 10.0.0.0/8 via 192.168.1.1"
+    destination: "10.0.0.0/8"
+    gateway: "192.168.1.1"
+
+  - name: "route to dmz with custom metric"
+    destination: "172.16.0.0/12"
+    gateway: "192.168.1.254"
+    metric: 100
+
+  - name: "route with specific interface"
+    destination: "192.168.100.0/24"
+    gateway: "192.168.1.1"
+    interface: "eth1"
+```
+
+### Incoming Firewall Rules
+
+```yaml
+incoming_firewall_rules:
+
+  - name: "allow ssh from lan"
+    source: "192.168.1.0/24"
+    protocol: "tcp"
+    port: 22
+
+  - name: "allow https from lan"
+    source: "192.168.1.0/24"
+    protocol: "tcp"
+    port: 443
+
+  - name: "allow dns from lan"
+    source: "192.168.1.0/24"
+    protocol: "udp"
+    port: 53
+
+  - name: "allow ping from lan"
+    source: "192.168.1.0/24"
+    protocol: "icmp"
+    port: 0
+```
+
+### NAT Port Forwards
+
+```yaml
+nat_port_forwards:
+
+  - name: "forward http to web server"
+    dst: "192.168.1.10"
+    port: 80
+    protocol: "tcp"
+
+  - name: "forward https to web server"
+    dst: "192.168.1.10"
+    port: 443
+    protocol: "tcp"
+
+  - name: "forward ssh to internal server"
+    dst: "192.168.1.20"
+    port: 2222
+    protocol: "tcp"
+```
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index ec6e04f..d2df6af 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -15,6 +15,12 @@ table inet filter {
     # Allow LAN management access
     iif {{ lan_interface }} accept
 
+    # Allow incoming firewall rules
+{% for rule in incoming_firewall_rules %}
+    # {{ rule.name }}
+    iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
+{% endfor %}
+
     # Allow ICMP
     ip protocol icmp accept
     ip6 nexthdr ipv6-icmp accept
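Review bot: The generated rule line always appends `dport {{ rule.port }}`, so the `protocol: "icmp"` / `port: 0` example this patch adds to the readme renders as `icmp dport 0 accept`, which nftables rejects when the ruleset is loaded and the restart handler then fails; only transport protocols with ports (tcp/udp) take a `dport` match, so branch on the protocol and fall back to `ip protocol` for the others, as sketched below. Separately, every generated rule is pinned to `iif {{ lan_interface }}`, and the unchanged `iif {{ lan_interface }} accept` two lines above already accepts all traffic from that interface, so as written each incoming rule is unreachable — if these rules are meant to expose services on the WAN side the `iif` clause should be dropped or made per-rule, and if they are meant to narrow LAN access the blanket accept above needs to go; either way the intended semantics should be stated in the readme section. The enclosing `table inet filter {` block starts and ends outside the hunk.
```jinja
    # Allow incoming firewall rules
{% for rule in incoming_firewall_rules %}
{% set proto = rule.protocol | default('tcp') %}
    # {{ rule.name }}
{% if proto in ['tcp', 'udp'] %}
    iif {{ lan_interface }} ip saddr {{ rule.source }} {{ proto }} dport {{ rule.port }} accept
{% else %}
    iif {{ lan_interface }} ip saddr {{ rule.source }} ip protocol {{ proto }} accept
{% endif %}
{% endfor %}
{# … unchanged: ICMP accept rules … #}
```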