From fc5551b90f4317ccdf2d8c6b6a331647d676e138 Mon Sep 17 00:00:00 2001
From: Johannes Stoelp
Date: Tue, 3 Jan 2023 14:35:21 +0100
Subject: firewall: move from iptables to firewalld (nftables)

---
 roles/webserver/tasks/main.yml | 20 +++++--------------
 1 file changed, 5 insertions(+), 15 deletions(-)
(limited to 'roles/webserver')

diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
index e2624c4..7838896 100644
--- a/roles/webserver/tasks/main.yml
+++ b/roles/webserver/tasks/main.yml
@@ -29,22 +29,12 @@
       # Use 'z' to shared-ly relable selinux contexts.
       - "{{ DATA_ROOT }}/nginx/www:/www:ro,z"
 
-# All services run in rootless-podman and nginx is the only entry point from
-# the outside acting as webserver and reverse proxy.
-# Since we dont want to lower the *unprivileged* port start (1024) we install
-# two forwarding routes from
-# 80 -> 8080
-# 443 -> 8443
 - name: Forward port 80/443 to 8080/8443
-  ansible.builtin.iptables:
-    table: nat
-    chain: PREROUTING
-    protocol: tcp
-    match: tcp
-    destination_port: "{{ item.from }}"
-    jump: REDIRECT
-    to_ports: "{{ item.to }}"
-    comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
+  ansible.posix.firewalld:
+    rich_rule: "rule family=ipv4 forward-port port={{ item.from }} protocol=tcp to-port={{ item.to }}"
+    permanent: yes
+    immediate: yes
+    state: enabled
   become: true
   loop:
     - { from: 80 , to: 8080 }
-- 
cgit v1.2.3
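Review bot: The rich rule on the added `rich_rule:` line is `family=ipv4` only, so if this host is also reachable over IPv6 the 80/443 → 8080/8443 redirect silently does not apply on that family and nginx is then unreachable there; the removed iptables task appears to have been IPv4-only as well, so this is a pre-existing gap worth either closing with a second `family=ipv6` rule (or an outer loop over both families) or documenting as intentional. The values `permanent: yes` and `immediate: yes` are YAML 1.1 truthy spellings that ansible-lint flags, and the same task already writes `become: true`; change them to `permanent: true` and `immediate: true`. The six-line comment explaining why the forward exists was deleted without replacement, which loses the rationale for the next maintainer; keep a short version above the task, e.g. `# nginx runs in rootless podman and cannot bind below the unprivileged port start (1024), which we don't want to lower, so firewalld forwards 80 -> 8080 and 443 -> 8443.` The task's `loop:` continues past the end of the hunk.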