add nftables config and deployment tasks for resolv-dns host
This commit is contained in:
parent
f9689ac665
commit
024cec9401
2 changed files with 46 additions and 0 deletions
20
deploy.yaml
20
deploy.yaml
|
@ -4,6 +4,26 @@
|
|||
roles:
|
||||
- base_config
|
||||
|
||||
- name: Ensure nftables configuration
|
||||
hosts: resolv-dns
|
||||
tasks:
|
||||
- name: deploy nftables config
|
||||
ansible.builtin.copy:
|
||||
src: "resources/{{ inventory_hostname }}/files/nftables.conf"
|
||||
dest: /etc/nftables.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: Restart nftables service
|
||||
become: true
|
||||
|
||||
handlers:
|
||||
- name: Restart nftables service
|
||||
ansible.builtin.service:
|
||||
name: nftables
|
||||
state: restarted
|
||||
become: true
|
||||
|
||||
- name: Deploy DHCP server
|
||||
hosts: dhcp
|
||||
tasks:
|
||||
|
|
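Review bot: The `ansible.builtin.copy` task has no `validate:`, so a syntax error in nftables.conf is only discovered when the handler runs, and the handler uses `state: restarted`, which stops the unit before starting it — on distributions whose nftables.service runs `nft flush ruleset` in ExecStop that leaves the host with an empty ruleset during the restart, or permanently if the new file fails to load. Add `validate: nft -c -f %s` to the copy task so a broken file is rejected before it replaces /etc/nftables.conf, and prefer `state: reloaded` in the handler so `nft -f` replaces the ruleset in place instead of flushing and re-creating it. Neither the play nor the handler ensures the unit is enabled and started; if base_config does not do that, a task with `ansible.builtin.service: {name: nftables, enabled: true, state: started}` would make the play self-contained.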
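--- /dev/null
+++ b/resources/resolv-dns/files/nftables.conf
@@ -0,0 +1,26 @@
+#!/usr/sbin/nft -f
+
+# only flush tables managed by this file
+table inet filter
+flush table inet filter
+
+table inet filter {
+chain input {
+type filter hook input priority filter; policy drop;
+ip protocol icmp accept
+ip6 nexthdr icmpv6 accept
+iifname lo accept
+ct state related,established accept
+
+tcp dport 22 accept
+tcp dport 53 accept
+udp dport 53 accept
+}
+chain forward {
+type filter hook forward priority filter; policy drop;
+ct state related,established counter accept
+}
+chain output {
+type filter hook output priority filter;
+}
+}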
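Review bot: `ip6 nexthdr icmpv6 accept` in chain input matches only the Next Header field of the fixed IPv6 header, so ICMPv6 messages that carry an extension header — notably MLD, which is sent with a Hop-by-Hop Router Alert option — fall through to `policy drop`; `meta l4proto { icmp, ipv6-icmp } accept` matches the transport protocol after any extension headers and can replace both the `ip protocol icmp` and `ip6 nexthdr icmpv6` lines. The chain also never drops `ct state invalid`, so `ct state invalid drop` placed before the `ct state related,established accept` rule is the usual addition. Ports 22 and 53 are accepted from any source and on any interface; whether that matches the host's exposure cannot be judged from the file, so a comment recording the intended clients (e.g. `# 53: resolver for <network placeholder>`) would help the next reviewer, and chain output has no explicit policy, so `policy accept;` in its type line would make the default visible.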