add nftables config and deployment tasks for resolv-dns host

deploy.yaml

@@ -4,6 +4,26 @@
   roles:
     - base_config
 
+- name: Ensure nftables configuration
+  hosts: resolv-dns
+  tasks:
+    - name: deploy nftables config
+      ansible.builtin.copy:
+        src: "resources/{{ inventory_hostname }}/files/nftables.conf"
+        dest: /etc/nftables.conf
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Restart nftables service
+      become: true
+      
+  handlers:
+    - name: Restart nftables service
+      ansible.builtin.service:
+        name: nftables
+        state: restarted
+      become: true
+
 - name: Deploy DHCP server
   hosts: dhcp
   tasks:

resources/resolv-dns/files/nftables.conf

@@ -0,0 +1,26 @@
+#!/usr/sbin/nft -f
+
+# only flush tables managed by this file
+table inet filter
+flush table inet filter
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter; policy drop;
+		ip protocol icmp accept
+		ip6 nexthdr icmpv6 accept
+		iifname lo accept
+		ct state related,established accept
+
+		tcp dport 22 accept
+		tcp dport 53 accept
+		udp dport 53 accept
+	}
+	chain forward {
+		type filter hook forward priority filter; policy drop;
+		ct state related,established counter accept
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}