Use nftables instead of iptables

Closes #27

ansible/roles/configure/tasks/main.yml

@@ -3,14 +3,15 @@
 - name: Update apt packages cache and install needed packages
   # apt-transport-https is needed for docker apt repo
   # curl and git is needed for helm plugin install
-  # iptables-persistent for persistant firewall rules
+  tags:
+    - firewall
   apt:
     state: present
     name:
       - apt-transport-https
       - curl
       - git
-      - iptables-persistent
+      - nftables
       - snapd
       - unattended-upgrades
     # Update again after 1 day

ansible/roles/prepare_node/tasks/main.yml

@@ -2,35 +2,40 @@
 
 - name: Load kernel bridge module
   tags:
-    - iptables
+    - firewall
   modprobe:
     name: "br_netfilter"
   become: true
 
-- name: Process bridged packets with iptables
+- name: Deploy /etc/nftables.conf
   tags:
-    - iptables
-  sysctl:
-    name: "net.bridge.bridge-nf-call-iptables"
-    value: "1"
-  become: true
+    - firewall
+  template:
+    dest: /etc/nftables.conf
+    src: nftables.conf
+    mode: '0755'
 
-- name: Allow external access to kubernetes apiserver
+- name: Enable and start nftables service
   tags:
-    - iptables
-  iptables:
-    chain: "INPUT"
-    protocol: "tcp"
-    destination_port: 6443
-    jump: "ACCEPT"
-  become: true
+    - firewall
+  service:
+    name: nftables
+    state: started
+    enabled: yes
 
-- name: Save changes to iptables rules
+- name: Remove iptables-persistent package
   tags:
-    - iptables
-  shell: netfilter-persistent save
-  become: true
-  changed_when: false
+    - firewall
+  package:
+    state: absent
+    name: iptables-persistent
+
+- name: Remove iptables-persistent config directory
+  tags:
+    - firewall
+  file:
+    state: absent
+    path: "/etc/iptables/"
 
 - name: Install docker if necessary
   import_tasks: "docker.yml"

ansible/roles/prepare_node/templates/nftables.conf

+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+  chain INPUT {
+    type filter hook input priority 0; policy drop;
+
+    # accept any localhost traffic
+    iifname "lo" counter accept
+
+    # accept traffic originated from us
+    ct state related,established counter accept
+
+    # Ports open from the outside
+    # 22:    ssh
+    # 80:    http
+    # 443:   https
+    # 6443:  kubernetes API
+    # 9100:  prometheus node-exporter
+    # 10250: prometheus kubelet exporter
+    tcp dport { 22, 80, 443, 6443 } counter accept
+
+    # Ports only open from within the cluster
+    ip saddr 10.0.0.0/8 tcp dport 9100 counter accept
+    ip saddr 10.0.0.0/8 tcp dport 10250 counter accept
+
+    # respond to ping
+    icmp type echo-request counter accept
+
+    # Uncomment this line to log dropped packages
+    # log
+  }
+
+  chain FORWARD {
+    type filter hook forward priority 0; policy accept;
+  }
+
+  chain OUTPUT {
+    type filter hook output priority 0; policy accept;
+  }
+}

ansible/roles/setup/tasks/main.yml

@@ -3,6 +3,5 @@
 - import_tasks: rke.yml
 - import_tasks: tiller.yml
 - import_tasks: cert-manager.yml
-- import_tasks: prometheus.yml
 - import_tasks: helmfiles.yml
 - import_tasks: krew.yml

ansible/roles/setup/tasks/prometheus.yml

----
-- name: Allow internal access to node-exporter metrics
-  tags:
-    - iptables
-  iptables:
-    chain: "INPUT"
-    protocol: "tcp"
-    # We'll allow the whole private IP space for 10.0.0.0/8 here
-    # because calico might use different IPs in this space to
-    # contact the node-exporter
-    source: "10.0.0.0/8"
-    destination_port: 9100
-    jump: "ACCEPT"
-  become: true
-
-- name: Allow internal access to kubelet metrics
-  tags:
-    - iptables
-  iptables:
-    chain: "INPUT"
-    protocol: "tcp"
-    # We'll allow the whole private IP space for 10.0.0.0/8 here
-    # because calico might use different IPs in this space to
-    # contact the node-exporter
-    source: "10.0.0.0/8"
-    destination_port: 10250
-    jump: "ACCEPT"
-  become: true