add firewall role

playbooks/securing.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Securing
+  hosts: all
+  vars_files:
+    - ../group_vars/all/vault.yml
+  roles:
+    - securing
+  tags:
+    - securing

roles/securing/tasks/firewall.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Install nftables
+  ansible.builtin.apt:
+    state: present
+    update_cache: true
+    pkg:
+      - nftables
+
+
+- name: Add nftables configuration
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    nftables_reload

roles/securing/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Firewall
+  remote_user: ansible
+  become: true
+  ansible.builtin.import_tasks: firewall.yml
+
+- name: Fail2ban
+  remote_user: ansible
+  become: true
+  ansible.builtin.import_tasks: fail2ban.yml

roles/securing/templates/nftables.conf.j2

@@ -0,0 +1,37 @@
+table ip6 filter {
+	chain input {
+		type filter hook input priority filter; policy drop;
+		iifname "lo" accept
+		log prefix "Dropped ipv6:  " flags all drop
+	}
+
+	chain forward {
+		type filter hook forward priority filter; policy accept;
+	}
+
+	chain output {
+		type filter hook output priority filter; policy drop;
+		iifname "lo" accept
+		log prefix "Dropped ipv6:  " flags all drop
+	}
+}
+
+table ip filter {
+	chain input {
+		type filter hook input priority filter; policy drop;
+		ct state established,related accept
+		ip protocol icmp icmp type echo-request accept
+		icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+		tcp dport { 22, 80, 443, 10000 } accept
+
+		log prefix "Dropped ipv4:  " flags all drop
+	}
+
+	chain forward {
+		type filter hook forward priority filter; policy accept;
+	}
+
+	chain output {
+		type filter hook output priority filter; policy accept;
+	}
+}