Set up nft ipsec rules

Pau Espin 2024-02-19 19:37:59 +01:00
parent 4121ef6686
commit 7d62176b1f
3 changed files with 58 additions and 0 deletions


@ -0,0 +1,6 @@
---
- name: reload nftables
service:
name: nftables
state: reloaded
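Review bot: The handler uses the short module name `service` while the task file in this same commit uses the FQCN `ansible.builtin.systemd_service`; writing `ansible.builtin.service:` here keeps the two files consistent and avoids collection-resolution surprises. The handler name `reload nftables` is matched by exact string from the task's `notify`, so it must stay in sync with the task file if either is renamed.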


@ -39,3 +39,14 @@
notify: reload networkd
when: net_method == "networkd"
- name: configure ipsec fwmark (nft)
template:
src: nftables.conf.j2
dest: /etc/nftables.conf
notify: reload nftables
- name: enable and start nftables.service
ansible.builtin.systemd_service:
name: "nftables"
enabled: yes
state: "started"
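Review bot: The template task writes `/etc/nftables.conf` without validating the rendered rules, so a templating mistake only surfaces when the `reload nftables` handler runs at the end of the play, after the broken file is already in place; adding `validate: nft -c -f %s` to the `template` task makes Ansible syntax-check the rendered ruleset before it is copied over the live config. In the same hunk, `enabled: yes` should be `enabled: true` (yamllint `truthy`), and the quoting of `"nftables"` and `"started"` differs from the neighbouring tasks, which use plain scalars. The enclosing task list continues outside the hunk.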


@ -0,0 +1,41 @@
#!/usr/sbin/nft -f
# {{ ansible_managed }}
flush ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
meta ipsec exists oifname != "{{ epdg_tun_interface }}" counter drop comment "All decoded ipsec traffic must be forwarded to osmo-epdg"
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
table ip mangle {
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
meta ipsec exists meta mark set {{ epdg_ipsec_traffic_fwmark }} comment "Route incoming ipsec decoded pkts to osmo-epdg"
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
}
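Review bot: `flush ruleset` at the top of the template deletes every table in the kernel, not only the `filter` and `mangle` tables this file defines, each time the `reload nftables` handler fires, so rules installed by anything else on the host (container runtimes, fail2ban, libvirt and the like) would be silently removed on every reload. If that is not intended, declare the tables and flush them by name instead: `table ip filter` followed by `flush table ip filter` (and the same pair for `ip mangle`), which leaves tables owned by other tools untouched. Separately, the drop rule only exists in the filter `FORWARD` chain, so decapsulated IPsec packets that are locally delivered still pass the filter `INPUT` chain under `policy accept`; if the intent expressed in the rule comment is that all decoded traffic ends up at osmo-epdg, a short header comment stating that local delivery is deliberately allowed (or a matching `INPUT` rule) would make that explicit.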