
Ansible Role to provision Add-Ons for NFTables on Linux servers


ansibleguy/addons_nftables


Ansible Role - NFTables Add-Ons

Role to deploy Add-Ons for NFTables on Linux servers.


Molecule Logs: Short, Full

Tested:

  • Debian 11
  • Debian 12

Install

# latest
ansible-galaxy role install git+https://github.com/ansibleguy/addons_nftables

# from galaxy
ansible-galaxy install ansibleguy.addons_nftables

# or to custom role-path
ansible-galaxy install ansibleguy.addons_nftables --roles-path ./roles

Documentation

Functionality

  • Configuration

    • Default config:

      • Systemd Timer to run the addons
      • Logging to Syslog
      • Appendix for IPv6 variables: '_v6'
        • For example: variable 'repo_debian' => 'repo_debian_v6'
      • Timers
        • DNS => updated every 15 minutes
        • IP-List => updated twice a day
      • Systemd
        • Syslog ID: 'nftables_addon_{ addon }'
        • Service/Timer Prefix: 'ansibleguy.addons_nftables-'
    • Default opt-ins:

      • Timer to automatically update variables
      • Systemd Timer
      • Adding include into '/etc/nftables.conf'
    • Default opt-outs:

      • Add-Ons
        • DNS
          • DNS IPv6 processing
        • IP-Lists
          • IP-List IPv6 processing
      • Cron-Job Timer

Info

  • Note: this role currently only supports Debian-based systems

  • Note: Most of the role's functionality can be opted in or out.

    For all available options, see the default config located in the role's main defaults file!

  • Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!

  • Note: Every defined variable will be created, as a missing one might break your config!

    If a DNS-record cannot be resolved or no entry is returned - a fallback value (IPv4: 0.0.0.0, IPv6: ::) will be set.

Usage

You can manage the NFTables base-config using the ansibleguy.infra_nftables role!

Config

You can find a more detailed example here: Example!

Define the config as needed:

nftables_addons:
  enable:
    dns: true  # enable DNS-addon
    dns_v6: true  # enable IPv6-processing of DNS-addon
    iplist: true  # enable IPList-addon
    iplist_v6: true  # enable IPv6-processing of IPList-addon
    # timer: true  # you could disable the timer-management if you want to do it yourself
    # systemd: true  # update addons using a systemd-timer
    # cron: false  # update addons using a cron-job
    # include: true  # disable auto-include of addons in /etc/nftables.conf

  config:
    iplists:
      iplist_tor_exit_nodes:  # var-name
        urls: ['https://check.torproject.org/torbulkexitlist']
        separator: "\n"
        comment: '#'
    dns_records:
      ntp_servers: ['0.europe.pool.ntp.org', '1.europe.pool.ntp.org']
      repo_debian: ['deb.debian.org', 'debian.map.fastlydns.net', 'security.debian.org']

  ext: 'nft'  # extension used by nftables config-files
  path:
    base:
      config: '/etc/nftables.conf'
      dir: '/etc/nftables.d'
    addon:
      dir: '/etc/nftables.d/addons'

  timer:
    systemd:
      dns: '*:0/15'  # update every 15min
      iplist: '*-*-* 00,12:00:00'  # update twice a day

    # cron:
    #   dns:  # every 15min
    #     minute: '*/15'
    #   iplist:  # twice a day
    #     minute: '0'
    #     hour: '0,12'
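Added example (not the role's own code, and not its real output format): the snippet below shows how the DNS and IP-list add-ons configured above can be turned into nftables `define` variables, including the '_v6' suffix and the fallback values (IPv4: 0.0.0.0, IPv6: ::) mentioned in the Info section. All function names are assumptions, and DNS lookups and HTTP downloads are replaced by injected callables over constructed sample data so that it runs offline.

```python
"""Generate nftables variable definitions from a DNS / IP-list add-on config.

Added illustration only: function names, the config keys mirrored from the
README and the rendered `define` format are assumptions about the role's
behaviour, not its real code.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List

# fallback values stated in the README for unresolvable / empty results
FALLBACK = {4: "0.0.0.0", 6: "::"}


def parse_iplist(text: str, separator: str = "\n", comment: str = "#",
                 version: int = 4) -> List[str]:
    """Split a downloaded list on `separator`, strip comments and blanks and
    keep only syntactically valid addresses/networks of the wanted IP version.
    Malformed lines are skipped so one bad entry cannot break the ruleset."""
    out: List[str] = []
    for raw in text.split(separator):
        entry = raw.split(comment, 1)[0].strip() if comment else raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.version != version:
            continue
        # single hosts are emitted without a /32 or /128 suffix
        if net.prefixlen == net.max_prefixlen:
            out.append(str(net.network_address))
        else:
            out.append(str(net))
    return list(dict.fromkeys(out))  # de-duplicate, keep file order


def resolve_records(names: Iterable[str],
                    resolver: Callable[[str, int], List[str]],
                    version: int) -> List[str]:
    """Resolve every name with the injected resolver and keep valid addresses."""
    addrs = set()
    for name in names:
        for addr in resolver(name, version):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue
            if ip.version == version:
                addrs.add(str(ip))
    return sorted(addrs)


def nft_define(name: str, addrs: List[str], version: int) -> str:
    """Render one `define` line; an empty set gets the fallback value so that
    rules referencing the variable still load (see the README note)."""
    values = addrs or [FALLBACK[version]]
    return f"define {name} = {{ {', '.join(values)} }}"


def render_addons(config: dict,
                  resolver: Callable[[str, int], List[str]],
                  fetcher: Callable[[str], str]) -> Dict[str, List[str]]:
    """Build the variable lines per add-on, honouring the enable-flags."""
    enable = config["enable"]
    out: Dict[str, List[str]] = {}
    if enable.get("dns"):
        lines = []
        for name, hosts in config["config"]["dns_records"].items():
            lines.append(nft_define(name, resolve_records(hosts, resolver, 4), 4))
            if enable.get("dns_v6"):
                lines.append(nft_define(f"{name}_v6",
                                        resolve_records(hosts, resolver, 6), 6))
        out["dns"] = lines
    if enable.get("iplist"):
        lines = []
        for name, spec in config["config"]["iplists"].items():
            versions = [4] + ([6] if enable.get("iplist_v6") else [])
            for version in versions:
                addrs: List[str] = []
                for url in spec["urls"]:
                    addrs += parse_iplist(fetcher(url), spec.get("separator", "\n"),
                                          spec.get("comment", "#"), version)
                suffix = "_v6" if version == 6 else ""
                lines.append(nft_define(f"{name}{suffix}",
                                        list(dict.fromkeys(addrs)), version))
        out["iplist"] = lines
    return out


# --- constructed sample data (not real lists or real DNS answers) ---------
SAMPLE_IPLIST = ("# constructed sample, not the real Tor exit list\n"
                 "192.0.2.10\n192.0.2.11  # trailing comment\n2001:db8::1\n"
                 "not-an-ip\n\n198.51.100.0/24\n")
_FAKE_DNS = {("deb.debian.org", 4): ["192.0.2.53"],
             ("deb.debian.org", 6): ["2001:db8::53"],
             ("security.debian.org", 4): ["192.0.2.54"]}
CONFIG = {  # mirrors the README config structure; 'ntp_servers' is unresolvable here
    "enable": {"dns": True, "dns_v6": True, "iplist": True, "iplist_v6": False},
    "config": {
        "iplists": {"iplist_tor_exit_nodes": {
            "urls": ["https://check.torproject.org/torbulkexitlist"],
            "separator": "\n", "comment": "#"}},
        "dns_records": {"repo_debian": ["deb.debian.org", "security.debian.org"],
                        "ntp_servers": ["unresolvable.example"]}}}


def fake_resolve(name: str, version: int) -> List[str]:
    return _FAKE_DNS.get((name, version), [])


def fake_fetch(url: str) -> str:
    return SAMPLE_IPLIST


if __name__ == "__main__":
    for addon, lines in render_addons(CONFIG, fake_resolve, fake_fetch).items():
        print(f"# {addon}")
        print("\n".join(lines))
```

The fallback behaviour is the part worth checking in your own ruleset: a rule like `ip saddr $ntp_servers accept` will still load with `0.0.0.0` in the set, but it silently matches nothing, so an unresolvable record is best surfaced through the Syslog output the role configures rather than discovered when the service breaks.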

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml

There are also some useful tags available:

  • dns
  • iplist
  • config (only update addon-config)

To debug errors, you can set the 'debug' variable at runtime:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes