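---
# Playbook: install nftables on the `hip` hosts and deploy a ruleset built
# from templates/nft/nftables.conf.j2 (not shown here). The variables below
# are the template's inputs: a set of fully trusted VIP addresses plus a TCP
# and a UDP port allow-list.
- name: Настройка nftables с белым списком портов и VIP адресами
  hosts: hip
  become: true
  gather_facts: true

  vars:
    # VIP addresses (full access). Quoted so no YAML parser retypes them.
    vip_addresses:
      - "192.168.1.100"
      - "10.10.10.50"
      - "172.16.0.10"

    # TCP port allow-list
    white_list_tcp_ports:
      - 35130  # SSH
      - 80  # HTTP
      - 443  # HTTPS
      - 5432  # PostgreSQL
      - 8080  # Jenkins/Proxy
      - 8443  # Alternative HTTPS

    # UDP port allow-list
    white_list_udp_ports:
      - 53  # DNS
      - 123  # NTP
      - 1194  # OpenVPN

    # Additional settings
    enable_ip_forwarding: true
    # Log prefixes used by the template's drop/reject rules (strings are
    # passed through verbatim; nft limits a prefix to 127 characters).
    nftables_log_prefix_input: "[nftables-input] Dropped: "
    nftables_log_prefix_forward: "[nftables-forward] Blocked non-whitelist port: "

  tasks:
    - name: Установка nftables
      apt:
        name: nftables
        state: present
        update_cache: true

    # NOTE(review): the template below writes to /etc/nftables.conf, not
    # into this directory; it is only needed if the template `include`s
    # files from /etc/nftables — confirm against the template.
    - name: Создание директории для шаблонов (если не существует)
      file:
        path: /etc/nftables
        state: directory
        mode: '0755'

    - name: Копирование конфигурации nftables из шаблона
      template:
        src: templates/nft/nftables.conf.j2
        dest: /etc/nftables.conf
        mode: '0644'
        backup: true
        # Syntax-check the rendered file *before* it replaces the live
        # config. A broken ruleset is never written, so the handler can
        # never reload the service into a failed (unfiltered) state.
        # Assumes the template has no include paths relative to
        # /etc/nftables.conf — TODO confirm.
        validate: 'nft -c -f %s'
      notify: restart nftables

    - name: Включение IP forwarding (если нужно)
      sysctl:
        name: "{{ item }}"
        value: '1'
        sysctl_set: true
        state: present
        reload: true
      loop:
        - net.ipv4.ip_forward
        - net.ipv6.conf.all.forwarding
      # `| bool` so a string override from -e ("false") is not truthy.
      when: enable_ip_forwarding | bool

    - name: Убеждаемся что nftables запущен и включен
      systemd:
        name: nftables
        state: started
        enabled: true

    # The command module fails the play on a non-zero exit code, so the
    # rc checks on the following tasks are reached only when the check
    # passed; `changed_when: false` keeps the read-only check idempotent.
    - name: Проверка синтаксиса конфигурации
      command: nft -c -f /etc/nftables.conf
      register: nft_check
      changed_when: false

    - name: Вывод результата проверки
      debug:
        msg: "✅ Конфигурация nftables валидна"
      when: nft_check.rc == 0

    # Loads the file directly (in case the unit did not apply it at boot).
    # Assumes the template starts with `flush ruleset`; otherwise every run
    # appends a second copy of the rules — TODO confirm in the template.
    - name: Применение правил (если не были применены при старте)
      command: nft -f /etc/nftables.conf
      when: nft_check.rc == 0
      notify: restart nftables

  handlers:
    # Handlers run in definition order, so the syntax check is listed
    # first: if it fails the play stops and the reload below never runs.
    - name: validate nftables
      command: nft -c -f /etc/nftables.conf
      changed_when: false
      listen: "restart nftables"

    # `reloaded` (ExecReload = `nft -f /etc/nftables.conf` in the Debian
    # unit) swaps the ruleset atomically; `restarted` first runs ExecStop
    # (`nft flush ruleset`), leaving the host briefly unfiltered.
    - name: restart nftables
      systemd:
        name: nftables
        state: reloaded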