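---
# Ansible tasks: install the nftables ruleset and tune nf_conntrack.
# Expects a "restart nftables" handler to be defined by the including role
# or play; nothing on this page defines it.

# deploy nftables rules
# Rendered from the nftables.nft.j2 template. 0600/root keeps the ruleset
# (allowed sources, ports, policy) readable by root only.
# NOTE(review): consider `validate: "nft -c -f %s"` so a template error is
# caught before the handler restarts nftables — confirm the ruleset has no
# relative `include` paths first, since validation runs on a temp copy.
- name: "firewall - nftables rules"
  ansible.builtin.template:
    src: "nftables.nft.j2"
    dest: "/etc/nftables.nft"
    mode: "0600"
    owner: "root"
    group: "root"
  notify: "restart nftables"

# load nf_conntrack module
# Must run before the runtime hashsize write below, which reads and writes
# the module's sysfs parameter file.
- name: "firewall - load nf_conntrack module"
  community.general.modprobe:
    name: "nf_conntrack"
    state: "present"

# configure nf_conntrack hashsize
# Persisted as a modprobe option so the value applies when the module is
# loaded at the next boot.
- name: "firewall - configure nf_conntrack hashsize"
  ansible.builtin.lineinfile:
    path: "/etc/modprobe.d/nf_conntrack.conf"
    line: "options nf_conntrack hashsize=16384"
    create: true
    mode: "0644"
    owner: "root"
    group: "root"

# load nf_conntrack at boot
- name: "firewall - load nf_conntrack at boot"
  ansible.builtin.lineinfile:
    path: "/etc/modules"
    line: "nf_conntrack"
    create: true
    mode: "0644"
    owner: "root"
    group: "root"

# set nf_conntrack hashsize at runtime
# The live value is a sysfs parameter file, so it is written with a shell
# redirect. The current value is compared first: the task is idempotent
# and reports "changed" only when it actually rewrote the value, instead
# of unconditionally writing and masking the result with changed_when: false.
- name: "firewall - set nf_conntrack hashsize runtime"
  ansible.builtin.shell:
    cmd: |
      current="$(cat /sys/module/nf_conntrack/parameters/hashsize)"
      if [ "$current" != "16384" ]; then
        echo 16384 > /sys/module/nf_conntrack/parameters/hashsize
        echo "hashsize-updated"
      fi
  register: firewall_nf_conntrack_hashsize_runtime
  changed_when: "'hashsize-updated' in firewall_nf_conntrack_hashsize_runtime.stdout"

# configure nf_conntrack sysctl settings
# reload stays false so the whole /etc/sysctl.conf is not re-applied on
# every run; sysctl_set applies just these keys at runtime. Without it the
# file change alone would not take effect until the next boot or an
# explicit `sysctl -p`, so nf_conntrack_max would still be at its default.
- name: "firewall - configure conntrack sysctl settings"
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: "present"
    sysctl_file: "/etc/sysctl.conf"
    sysctl_set: true
    reload: false
  loop:
    - name: "net.netfilter.nf_conntrack_max"
      value: "16384"
    - name: "net.netfilter.nf_conntrack_tcp_timeout_established"
      value: "3600"
    - name: "net.netfilter.nf_conntrack_generic_timeout"
      value: "120"
  loop_control:
    label: "{{ item.name }}"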